I just configured opendkim and postfix and it is supossed to be signing my emails but it doesn't.
I used /usr/sbin/opendkim-testkey to test the keys and it seems to be ok with them but the mails I send to check-auth@verifier.port25.com keep saying:
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: pass
DKIM check: neutral
Sender-ID check: pass
SpamAssassin check: ham
Any ideas? I got postfix configuration file like this:
# OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = , inet:127.0.0.1:8891, inet:127.0.0.1:12768
non_smtpd_milters = $smtpd_milters
I did check my log files tons of times and nothing seems to be wrong. I am using Centos 6.
Also this is my opendkim.conf
## BASIC OPENDKIM CONFIGURATION FILE
## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
## BEFORE running OpenDKIM you must:
## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
## - generate keys for your domain (if signing)
## - edit your DNS records to publish your public keys (if signing)
## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
## CONFIGURATION OPTIONS
# Specifies the path to the process ID file.
PidFile /var/run/opendkim/opendkim.pid
# Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
# Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
# messages.
Mode v
# Log activity to the system log.
Syslog yes
# Log additional entries indicating successful signing or verification of messages.
SyslogSuccess yes
# If logging is enabled, include detailed logging about why or why not a message was
# signed or verified. This causes an increase in the amount of log data generated
# for each message, so set this to No (or comment it out) if it gets too noisy.
LogWhy yes
# Attempt to become the specified user before starting operations.
UserID opendkim:opendkim
# Create a socket through which your MTA can communicate.
Socket inet:8891@localhost
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
Umask 002
# This specifies a text file in which to store DKIM transaction statistics.
# OpenDKIM must be manually compiled with --enable-stats to enable this feature.
#Statistics /var/spool/opendkim/stats.dat
## SIGNING OPTIONS
# Selects the canonicalization method(s) to be used when signing messages.
Canonicalization relaxed/relaxed
# Domain(s) whose mail should be signed by this filter. Mail from other domains will
# be verified rather than being signed. Uncomment and use your domain name.
# This parameter is not required if a SigningTable is in use.
#Domain example.com
# Defines the name of the selector to be used when signing messages.
Selector mail
# Specifies the minimum number of key bits for acceptable keys and signatures.
MinimumKeyBits 1024
# Gives the location of a private key to be used for signing ALL messages. This
# directive is ignored if KeyTable is enabled.
KeyFile /etc/opendkim/keys/default.private
# Gives the location of a file mapping key names to signing keys. In simple terms,
# this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
# directive in the configuration file. Requires SigningTable be enabled.
KeyTable /etc/opendkim/KeyTable
# Defines a table used to select one or more signatures to apply to a message based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM how to use your keys. Requires KeyTable be enabled.
SigningTable refile:/etc/opendkim/SigningTable
# Identifies a set of "external" hosts that may send mail through the server as one
# of the signing domains without credentials as such.
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# Identifies a set "internal" hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
This is my log by the way:
May 29 07:34:07 s18378428 opendkim[5801]: OpenDKIM Filter v2.10.1 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid)
May 29 07:35:02 s18378428 opendkim[5801]: 5562C18C60060: verifier.port25.com [38.95.177.125] not internal
May 29 07:35:02 s18378428 opendkim[5801]: 5562C18C60060: not authenticated
May 29 07:35:02 s18378428 opendkim[5801]: 5562C18C60060: DKIM verification successful
Thanks for your time.
P.D.: Just in case, I got the DNS records right and the propper keys for my domain.
Best Answer
In your
opendkim.conf
filesets the operating mode to verify only, so your outgoing messages will never be signed.
This is explained in the comment right above the relevant line:
I suspect your log entries come from incoming mail (i.e. from
verifier.port25.com
) being verified rather than outgoing mail being signed.A "good" log entry for signing an outgoing message would be