Postfix + opendkim installed, but DKIM is not signing outgoing mail
Hi, I've installed postfix + opendkim.
I followed a blog I found to configure everything.
In fact I've got 2 domains, and I have generated keys for each.
The TXT for the domain I put in my DNS TXT record, by default.
When I test by sending an email to my @gmail address, my SPF and DMARC pass, but DKIM never appears on my mail, so it is treated like junk mail.
How should I correct the situation?
If someone has an idea, I am ready to take it.
Postfix:
I put these lines:
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Opendkim:
/etc/opendkim/
I created these files: KeyTable, SigningTable, TrustedHosts.
There is a folder named "keys" inside, where I put the private and public keys of my 2 domains. Each is in a folder with its name (domain1.com and domain2.com, for example).
KeyTable
default._domainkey.domain1.com domain1.com:/etc/opendkim/keys/domain1.com/mail.private
default._domainkey.domain2.com domain2.com:/etc/opendkim/keys/domain2.com/mail.private
SigningTable
*@domain1.com default._domainkey.domain1.com
*@domain2.com default._domainkey.domain2.com
TrustedHosts (I tried putting localhost at first, but it seemed not to work, so I removed it)
*.domain1.com
*.domain2.com
10 Replies
@spaceham007 writes:
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
Opendkim:
/etc/opendkim/
Reading your post, it sounds like you only did half the job… that your configuration in /etc/opendkim/opendkim.conf is not correct. For example, does the Socket directive in /etc/opendkim/opendkim.conf match what's in the postfix(8) smtpd_milters parameter? e.g.:
Socket inet:localhost:8891
Also, do you have more than one domain/selector specified in the non-keys portion of /etc/opendkim/opendkim.conf?
I'll bet you didn't make any changes at all to /etc/opendkim/opendkim.conf (if you did, you don't mention them)…that's the glue that binds all this together. See:
https://askubuntu.com/questions/438756/using-dkim-in-my-server-for-multiple-domains-websites
and
man 5 opendkim.conf
-- sw
First, opendkim.conf is in the folder /etc/…, so maybe I have to change it to /etc/opendkim/.
Second, this is what I added at the end of this file:
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:localhost:8891
For more information, I've got this in /etc/postfix/main.cf:
# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
mynetworks_style = subnet
mailbox_command = procmail -a "$EXTENSION"
@spaceham007 --
You write
First the opendkim.conf is on the folder /etc/…. so maybe i have to change for /etc/opendkim/
So is mine…a senior moment…my bad…
I'm assuming the opendkim(8) milter is running:
stevewi@dave:~$ ps -ef | grep opendkim
opendkim 1023 1 0 Dec05 ? 00:00:15 /usr/sbin/opendkim -x /etc/opendkim.conf
If not, you have to start it:
# makes it start at system boot (only do this once)
#
sudo systemctl enable opendkim
#
#
sudo systemctl start opendkim
#
# errors reported here
What I don't see is any configuration that connects your domains to signing keys (this is from my opendkim(8) configuration):
Domain mydomain.net
Selector mailkey
The DNS TXT record specified by Selector (mailkey.domainkey.mydomain.net) tells postfix(1)/opendkim(8) where to find the public signing key. Caveat: I only have one domain so you might have another mechanism to do this because you have more than one…
You write:
home_mailbox = Maildir/
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
mynetworks_style = subnet
mailbox_command = procmail -a "$EXTENSION"
None of this has anything to do with opendkim(8)… I'm not saying that you don't need it for other stuff, but you don't need it for opendkim(8).
In particular:
mailbox_command = procmail -a "$EXTENSION"
procmail is obsolete… It had its last stable release in 2001. It doesn't work with MIME messages. See:
https://en.wikipedia.org/wiki/Procmail
You should be using dovecot(1) pigeonhole instead… pigeonhole is the dovecot(1) implementation of the sieve mail filtering language:
sieve is standard and procmail has a number of security deficiencies that will never be fixed.
Also, since postfix(1) runs chrooted to (typically) /var/spool/postfix, your reference to procmail really means /var/spool/postfix/procmail. I'll bet you a month's pay that's not where procmail lives…
-- sw
In fact I've seen that when I do your command:
root@localhost:/etc# ps -ef | grep opendkim
opendkim 127900 1 0 22:32 ? 00:00:00 /usr/sbin/opendkim -x /etc/opendkim.conf
opendkim 127901 127900 0 22:32 ? 00:00:00 /usr/sbin/opendkim -x /etc/opendkim.conf
root 128851 127104 0 22:35 pts/0 00:00:00 grep --color=auto opendkim
In other words, I just want my Ubuntu 20.04 to be used to send outgoing mail only, with DKIM.
But it seems not to be working properly. I tried different things, but maybe I just forgot something.
What about this?
What I don't see is any configuration that connects your domains to signing keys (this is from my opendkim(8) configuration):
Domain mydomain.net
Selector mailkey
The DNS TXT record specified by Selector (mailkey.domainkey.mydomain.net) tells postfix(1)/opendkim(8) where to find the public signing key.
-- sw
Domain spacehamagent.com
Selector default
Domain domain2.com
Selector default
*** Because I have multiple domains, do I need to do it like this in opendkim.conf? (Right!?)
I created the TXT record with what I've got and put it like this.
Is that supposed to work with "default._domainkey.spacehamagent.com"?
I created this one too, following your logic:
mail.domainkey.spacehamagent.com
Is there something I can do just to be sure that I have everything… really, I am lost.
Here is the full opendkim.conf file I've got:
================
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain example.com
KeyFile /etc/dkimkeys/dkim.key
Selector 2007
# Commonly-used options; the commented-out versions show the defaults.
Canonicalization simple
Mode sv
SubDomains no
# Socket smtp://localhost
#
## Socket socketspec
#
## Names the socket where this filter should listen for milter connections
## from the MTA. Required. Should be in one of these forms:
#
## inet:port@address to listen on a specific interface
## inet:port to listen on all interfaces
## local:/path/to/socket to listen on a UNIX domain socket
#
Socket inet:8892@localhost
Socket local:/run/opendkim/opendkim.sock
Socket inet:8891@localhost
## PidFile filename
##     default (none)
#
## Name of the file where the filter should write its pid before beginning
## normal operations.
#
PidFile /run/opendkim/opendkim.pid
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
## ResolverConfiguration filename
##     default (none)
#
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
##     default (none)
#
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
##     default (none)
#
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon.
#
AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost
#
Domain spacehamagent.com
Selector mail
================
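sw's first question is the one to settle before anything else: does the Socket that opendkim(8) opens match what smtpd_milters and non_smtpd_milters point at? The two programs spell the address differently (Postfix writes inet:host:port, OpenDKIM writes inet:port[@host]), so a mechanical check has to normalize both before comparing. The script below is an added example, not code from this thread or from either project; it works on text pasted from the configuration files, so it runs without Postfix or OpenDKIM installed. Besides the socket comparison it checks that both tables are wired into opendkim.conf, that KeyTable rows have the three colon-separated fields opendkim.conf(5) documents (signing domain, selector, key file), that a given From address hits a SigningTable pattern whose key the KeyTable actually defines, and it lists the TXT record names a KeyTable implies. The sample texts inside it are constructed copies of the excerpts posted above (the main.cf lines, the last Socket line of the full opendkim.conf, and the two tables).

```python
"""Consistency checks for a Postfix + OpenDKIM signing setup (added example, not
code from this thread). Works on text pasted from the config files, so it needs
neither program installed; the samples mirror the values posted in the thread."""
import fnmatch

# Constructed samples, copied from the thread's excerpts.
POSTFIX_MAIN_CF = """# DKIM
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
"""
OPENDKIM_CONF = """KeyTable     refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode         sv
Socket       inet:12301@localhost
"""
KEY_TABLE = """default._domainkey.domain1.com domain1.com:/etc/opendkim/keys/domain1.com/mail.private
default._domainkey.domain2.com domain2.com:/etc/opendkim/keys/domain2.com/mail.private
"""
SIGNING_TABLE = """*@domain1.com default._domainkey.domain1.com
*@domain2.com default._domainkey.domain2.com
"""


def parse_kv(text, sep):
    """'key<sep>value' lines -> dict; sep="=" for main.cf, None (whitespace) for
    opendkim.conf. Comments skipped, keys lower-cased, later duplicates win."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and len(parts := line.split(sep, 1)) == 2:
            out[parts[0].strip().lower()] = parts[1].strip()
    return out


def normalize_socket(spec):
    """(kind, host, port_or_path) for either spelling: Postfix inet:host:port,
    OpenDKIM inet:port[@host] (no host = all interfaces), or unix:/local:/path."""
    kind, _, rest = spec.partition(":")
    kind = kind.lower()
    if kind in ("unix", "local"):
        return ("local", "", rest)
    if kind != "inet":
        raise ValueError(f"unrecognized socket spec {spec!r}")
    if "@" in rest:
        port, host = rest.split("@", 1)
    elif ":" in rest:
        host, _, port = rest.rpartition(":")
    else:
        host, port = "", rest
    return ("inet", host.lower(), port)


def sockets_match(postfix_spec, opendkim_spec):
    """True when Postfix's milter address reaches the socket OpenDKIM listens on."""
    p, o = normalize_socket(postfix_spec), normalize_socket(opendkim_spec)
    if p[0] != o[0] or p[2] != o[2]:
        return False
    loopback = {"localhost", "127.0.0.1", "::1"}
    return p[0] == "local" or o[1] == "" or p[1] == o[1] or {p[1], o[1]} <= loopback


def parse_key_table(text):
    """KeyTable rows: 'keyname  signingdomain:selector:/path/to/private.key'."""
    entries, problems = {}, []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        fields = parts[1].split(":") if len(parts) == 2 else []
        if len(fields) != 3:
            problems.append(f"KeyTable {parts[0]}: need domain:selector:keyfile, got {line.strip()!r}")
        else:
            entries[parts[0]] = tuple(fields)
    return entries, problems


def audit(main_cf, opendkim_conf, key_table, signing_table, sender):
    """Findings as strings; an empty list means the four pieces agree with each other."""
    pf, dk = parse_kv(main_cf, "="), parse_kv(opendkim_conf, None)
    sock, findings = dk.get("socket", ""), []
    # 1. Postfix must point at the socket OpenDKIM opens, each in its own spelling.
    if sock.startswith("inet:") and "@" not in sock and sock.count(":") > 1:
        findings.append(f"opendkim.conf Socket={sock} is Postfix host:port spelling; "
                        "opendkim.conf(5) documents inet:port[@host]")
    for param in ("smtpd_milters", "non_smtpd_milters"):
        spec = pf.get(param)
        if spec is None:
            findings.append(f"main.cf: {param} unset, so that path of mail is never signed")
        elif not sock or not sockets_match(spec, sock):
            findings.append(f"main.cf {param}={spec} but opendkim.conf Socket={sock or '(unset)'}")
    # 2. Both tables must be wired in and the KeyTable well-formed.
    findings += [f"opendkim.conf: {d} directive missing" for d in ("keytable", "signingtable") if d not in dk]
    keys, problems = parse_key_table(key_table)
    findings += problems
    # 3. The From address must hit a SigningTable pattern whose key exists.
    rules = [ln.split() for ln in signing_table.splitlines()]
    hits = [r[1] for r in rules if len(r) == 2 and not r[0].startswith("#")
            and fnmatch.fnmatchcase(sender.lower(), r[0].lower())]
    if not hits:
        findings.append(f"SigningTable: no pattern matches {sender}")
    elif hits[0] not in keys:
        findings.append(f"SigningTable maps {sender} to {hits[0]}, which the KeyTable does not define")
    return findings


def dns_names(key_table):
    """TXT record names the KeyTable implies: <selector>._domainkey.<domain>."""
    keys, _ = parse_key_table(key_table)
    return sorted(f"{sel}._domainkey.{dom}" for dom, sel, _ in keys.values())


if __name__ == "__main__":
    for finding in audit(POSTFIX_MAIN_CF, OPENDKIM_CONF, KEY_TABLE, SIGNING_TABLE, "me@domain1.com"):
        print("FINDING:", finding)
```

Run against the posted values, the script reports five findings: both milter parameters point at port 8891 while the last Socket line in opendkim.conf listens on 12301, both KeyTable rows lack the selector field, and so the SigningTable entry for domain1.com points at a key the KeyTable never defines. Once the KeyTable rows carry domain:selector:keyfile, dns_names() prints exactly the selector._domainkey.domain names whose TXT records the receiving side will look up.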
You write:
I create TXT record with what I've got and put it like this. Is that suppose to work with "default._domainkey.spacehamagent.com"
I create this one too if i use your logic
mail.domainkey.spacehamagent.com
I decided to use mail.domainkey.mydomain.net as the selector for the TXT record containing single public signing key for my single domain. Since you have more than one domain, your configuration WILL be different.
RE: your configuration file post
What do you expect me to do with this? First, it's unreadable. Second, postfix(1) is a mighty and complex beast and I can't diagnose your problem based on the (poorly formatted) content of a configuration file and nothing else. There are at least 3 moving parts in this particular machine (DNS, postfix(1) and opendkim(1) )…
I can only tell you that I think your configuration is wrong/deficient and what I think you should look for. The rest is up to you. Because I don't know what you've done and I don't have access to your system (nor do I want it), I can't give you any more than that.
-- sw
P.S. Have you looked in postfix(1)'s log destination (/var/log/mail.log) for any clues? Have you increased opendkim(8)'s verbosity in logging its actions (using the LogResults and LogWhy configuration directives)? Have you tested your configuration with
opendkim-testkey -d spacehamagent.com -s mail -vvv
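sw's P.S. points at /var/log/mail.log and the LogWhy directive, and that is where the answer to "why was this message not signed" actually lives: with LogWhy on, opendkim(8) logs the reason it chose to verify rather than sign (the sending host not being in InternalHosts, or no SigningTable pattern matching the From address), and Postfix logs when it could not reach the milter at all, which with milter_default_action = accept means the mail leaves unsigned. The script below is an added example, not code from this thread or from either project; it classifies those lines and attaches the configuration knob to inspect for each. The log lines embedded in it are constructed in the shape of OpenDKIM's syslog messages and Postfix's milter connection warning, not taken from the poster's system.

```python
"""Triage opendkim(8)/postfix(1) log lines for the reasons mail leaves unsigned.
Added example, not code from the thread; run triage() over /var/log/mail.log."""
import re
from collections import Counter

# Constructed sample in the shape of syslog output from opendkim (LogWhy yes)
# and postfix; queue ids, host name and addresses are made up.
SAMPLE_LOG = """\
Dec  6 22:40:01 mx opendkim[127900]: 2F1AB3C4D5: not internal
Dec  6 22:41:12 mx opendkim[127900]: 3A2BC4D5E6: no signing table match for `user@domain3.com'
Dec  6 22:42:30 mx opendkim[127900]: 4B3CD5E6F7: DKIM-Signature field added (s=default, d=domain1.com)
Dec  6 22:43:00 mx postfix/cleanup[128000]: warning: connect to Milter service inet:localhost:8891: Connection refused
Dec  6 22:43:00 mx postfix/cleanup[128000]: 5C4DE6F7A8: message-id=<constructed@domain1.com>
"""

# (pattern, verdict, what to check next). Each verdict names the moving part
# that decided the outcome: OpenDKIM's host check, its SigningTable, or Postfix.
RULES = [
    (re.compile(r"opendkim\[\d+\]: (?P<qid>\S+): not internal$"),
     "unsigned",
     "sending host is not in InternalHosts, so OpenDKIM verified instead of signing; "
     "the InternalHosts/TrustedHosts file must list the hosts that submit mail (e.g. 127.0.0.1)"),
    (re.compile(r"opendkim\[\d+\]: (?P<qid>\S+): no signing table match for [`'](?P<addr>[^']+)'"),
     "unsigned",
     "no SigningTable pattern matched the From address; compare the pattern with the address logged"),
    (re.compile(r"opendkim\[\d+\]: (?P<qid>\S+): DKIM-Signature field added \(s=(?P<sel>\S+), d=(?P<dom>\S+)\)"),
     "signed",
     "signature added; if the receiver still reports dkim=none/fail, check the TXT record <sel>._domainkey.<dom>"),
    (re.compile(r"postfix/\S+\[\d+\]: warning: connect to Milter service (?P<sock>\S+): (?P<err>.+)$"),
     "milter-down",
     "Postfix could not reach the milter; with milter_default_action=accept the mail is delivered unsigned"),
]


def triage_line(line):
    """Classify one log line; None when it says nothing about DKIM signing."""
    for pattern, verdict, hint in RULES:
        m = pattern.search(line)
        if m:
            return {"verdict": verdict, "hint": hint, **m.groupdict()}
    return None


def triage(log_text):
    """Classified events in log order, unrelated lines skipped."""
    return [ev for ev in map(triage_line, log_text.splitlines()) if ev]


def summarize(log_text):
    """Verdict counts: how much mail left unsigned, and whether the milter was reachable."""
    return Counter(ev["verdict"] for ev in triage(log_text))


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(ev["verdict"], ev.get("qid", ev.get("sock", "")), "->", ev["hint"])
    print(dict(summarize(SAMPLE_LOG)))
```

A "signed" verdict with dkim=none at the receiver moves the problem to DNS, which is what opendkim-testkey checks; a run that shows only "milter-down" means Postfix and OpenDKIM disagree about the socket and nothing else has been exercised yet.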
Yep, we are here to learn… it's true.
Well, officially a good part of what I've done seems to be wrong.
I will continue searching for how it is supposed to work.