OpenDKIM – Troubleshooting Mail Signing Issues

Tags: debian-jessie, opendkim, postfix

So I'm having trouble with getting OpenDKIM to sign my messages, but I'm hitting a wall as to what might be causing it:

On Debian Jessie, with Postfix and OpenDKIM.

My /etc/opendkim.conf:

Syslog                  yes
SyslogSuccess           Yes
LogWhy yes
UMask                   002
Canonicalization        relaxed/simple
Mode                    sv
SubDomains              no
#ADSPAction             continue
AutoRestart             Yes
AutoRestartRate         10/1h
Background              yes
DNSTimeout              5
SignatureAlgorithm      rsa-sha256
UserID                  opendkim:opendkim
Socket                  inet:12301@localhost
KeyTable        refile:/etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

My /etc/opendkim/KeyTable:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private

My /etc/opendkim/SigningTable:

example.com default._domainkey.example.com

Tried the following variation on SigningTable, but that disabled my SMTP:

*@example.com default._domainkey.example.com

Have the following line uncommented in my /etc/default/opendkim:

SOCKET="inet:12345@localhost"

Have the following in my /etc/postfix/main.cf:

# DKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:12345
non_smtpd_milters = inet:localhost:12345

This is what opendkim-testkey -d example.com -s default -vvv returns:

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

There don't seem to be any errors in my logs relating to opendkim, but when I try to verify signing, mail-tester.com reports no DKIM signature, and check-auth@verifier.port25.com returns "DKIM check: none".

Any help with pinpointing what I'm missing would be much appreciated. Thanks.

Best Answer

Issues I see:

  • Your use of refile
    From the documentation:

    If the string begins with "refile:", then the remainder of the string is presumed to specify a file that contains a set of patterns, one per line, and their associated values. The pattern is taken as the start of the line to the first whitespace, and the portion after that whitespace is taken as the value to be used when that pattern is matched. Patterns are simple wildcard patterns, matching all text except that the asterisk ("*") character is considered a wildcard. If a value contains multiple entries, the entries should be separated by colons.

    The KeyTable doesn't follow that pattern, so it doesn't need the refile keyword. Maybe it doesn't hurt, I don't know. I don't use it in my config there, and it works for me.

    KeyTable        /etc/opendkim/KeyTable
    SigningTable    refile:/etc/opendkim/SigningTable
    
  • Your KeyTable

    The lines are supposed to start with the domain, not with the domainkey record:

    example.com example.com:default:/etc/opendkim/keys/example.com/default.private
    
  • SigningTable

    The signing table should map email addresses to the domain. It should look like this:

    *@example.com example.com
    

    Here the refile keyword is needed.

I don't know about ExternalIgnoreList and InternalHosts, as I don't use them. The rest of the configuration looks good to me.
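To make the lookup chain in the answer concrete, here is a small resolver that walks it the way OpenDKIM does: sender address -> SigningTable pattern (a refile pattern, where only "*" is a wildcard, as the quoted documentation says) -> key name -> KeyTable entry -> domain, selector and private key path. This is example code added to this page, not the asker's, the answerer's or OpenDKIM's own code. The table contents are constructed from the question (the original tables) and the answer (the corrected ones); the first KeyTable column is simply the name the SigningTable value is looked up by, so the two must agree, which is why the corrected version uses the bare domain in both places. Run against a typical sender address, the original tables yield no key (the pattern "example.com" is not a wildcard and never equals "user@example.com"), while the corrected tables resolve to the default selector.

```python
"""
Resolve which DKIM key OpenDKIM would select for a sender address by
replaying the SigningTable -> KeyTable lookup chain described above.
Example code added to this page; not the poster's or OpenDKIM's own code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the question: SigningTable keyed by a non-wildcard
# pattern, KeyTable keyed by the domainkey record name.
ORIGINAL_SIGNING_TABLE = "example.com default._domainkey.example.com\n"
ORIGINAL_KEY_TABLE = (
    "default._domainkey.example.com "
    "example.com:default:/etc/opendkim/keys/example.com/default.private\n"
)

# Constructed from the answer: wildcard pattern on the sender address,
# and the same key name ("example.com") used in both tables.
FIXED_SIGNING_TABLE = "*@example.com example.com\n"
FIXED_KEY_TABLE = (
    "example.com "
    "example.com:default:/etc/opendkim/keys/example.com/default.private\n"
)


def parse_table(text: str) -> List[Tuple[str, str]]:
    """Split each non-empty, non-comment line into (key, value) at the
    first run of whitespace, as the quoted OpenDKIM documentation says."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1]))
    return entries


def refile_match(pattern: str, subject: str) -> bool:
    """A refile pattern is literal text except that '*' matches any run of
    characters; the whole subject must match (OpenDKIM compiles these
    patterns case-insensitively, which is mirrored here)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, subject, flags=re.IGNORECASE) is not None


def resolve_signing_key(sender: str, signing_table: str,
                        key_table: str) -> Optional[Dict[str, str]]:
    """Return {'domain', 'selector', 'keyfile'} for the key OpenDKIM would
    sign with, or None when no SigningTable pattern matches the sender or
    the selected key name is absent from the KeyTable (message unsigned)."""
    key_name = None
    for pattern, value in parse_table(signing_table):
        if refile_match(pattern, sender):
            key_name = value
            break
    if key_name is None:
        return None
    # KeyTable is a plain (non-refile) table: exact match on the key name.
    key_entries = dict(parse_table(key_table))
    if key_name not in key_entries:
        return None
    domain, selector, keyfile = key_entries[key_name].split(":", 2)
    return {"domain": domain, "selector": selector, "keyfile": keyfile}


if __name__ == "__main__":
    sender = "user@example.com"  # constructed sample sender
    print("original tables:", resolve_signing_key(
        sender, ORIGINAL_SIGNING_TABLE, ORIGINAL_KEY_TABLE))
    print("corrected tables:", resolve_signing_key(
        sender, FIXED_SIGNING_TABLE, FIXED_KEY_TABLE))
```

Swapping in the contents of your own /etc/opendkim/SigningTable and KeyTable lets you check, before restarting the milter, whether a given From address actually reaches a key; a None result is the configuration-side reason for the "no DKIM signature" reports from the external testers.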