
I am having an issue while configuring DKIM with Postfix on Ubuntu 20.04, as I get the following error:

opendkim-testkey -d example.com -s khloud -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/opendkim/keys/example.com/khloud.private
opendkim-testkey: checking key 'khloud._domainkey.example.com'
opendkim-testkey: 'khloud._domainkey.example.com' record not found

When I use dig, I can get the TXT record:

;; ANSWER SECTION:
khloud._domainkey.example.com. 3600 IN TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCovh+yxWZIxya57mm0hITvfGXH9RjW/MfeeKjrXkChqNrjlYAfqERBjUwL4VCmceUf/bbbkKskdNQUJq9mm54qAGi4MZS6v9TectyF7mvO1uw4GcjZjiCL8r8A1jX7znRjYl6Ew3+jecMLIoUci7m/LV7xPQcxMEMPO8sNK4dluQIDAQAB"

I have the following DKIM record in my DNS zone file (I am using BIND9 on Ubuntu 20.04):

khloud._domainkey.example.com.    IN    TXT    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCovh+yxWZIxya57mm0hITvfGXH9RjW/MfeeKjrXkChqNrjlYAfqERBjUwL4VCmceUf/bbbkKskdNQUJq9mm54qAGi4MZS6v9TectyF7mvO1uw4GcjZjiCL8r8A1jX7znRjYl6Ew3+jecMLIoUci7m/LV7xPQcxMEMPO8sNK4dluQIDAQAB"

And here is my config, /etc/opendkim.conf:

# Log to syslog
Syslog          yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask           007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain          example.com
KeyFile     /etc/opendkim/keys/example.com/khloud.private
Selector        khloud

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization    relaxed/simple
Mode            sv
#SubDomains     no

AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8892@localhost
Socket          local:/var/spool/postfix/opendkim/opendkim.sock

##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /run/opendkim/opendkim.pid


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders     From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim

# Map domains in From addresses to keys used to sign messages
#KeyTable           refile:/etc/opendkim/key.table
#SigningTable       refile:/etc/opendkim/signing.table

# Hosts to ignore when verifying signatures
ExternalIgnoreList  /etc/opendkim/trusted.hosts

# A set of internal hosts whose mail should be signed
InternalHosts       /etc/opendkim/trusted.hosts

/etc/default/opendkim:

# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
# postfix in a chroot:
#RUNDIR=/var/spool/postfix/run/opendkim
RUNDIR=/run/opendkim
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
#SOCKET=inet:54321
# listen on loopback on port 12345:
#SOCKET=inet:12345@localhost
# listen on 192.0.2.1 on port 12345:
#SOCKET=inet:12345@192.0.2.1
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=

I added the following section to /etc/postfix/main.cf:

# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

My key table file:

khloud._domainkey.example.com     example.com:khloud:/etc/opendkim/keys/example.com/khloud.private

My signing table file:

*@example.com    khloud._domainkey.example.com

Notes:

  1. The private key file is owned by opendkim user.
  2. The size of the key is 1024 bits.
  3. I am using a local DNS (BIND9), so there isn't a problem with propagation.
  • *"using a local DNS"*? How did you confirm that your record can be retrieved from outside your server? (try running `dig TXT khloud._domainkey.example.com`)? Unrelated to this question, but likely a source of follow-up problems: Why did you create a 1024 bit RSA key, current software should be generating 2048 bit keys? – anx Jun 27 '22 at 22:17
  • As I mentioned in my post, I can get my TXT record via dig, so this command (dig TXT khloud._domainkey.example.com) is working fine. I tried with 2048 bit keys at first and I faced the same problem (record not found with opendkim-testkey), so I tried to minimize the key length so that the DKIM record in the zone file would be on the same line and not separated onto multiple lines like with the 2048 key, as I thought the problem might be with the DKIM record syntax. I didn't get your first question, but what I mean by local DNS is that it's only for my local test, so there is no need to wait for the record to be propagated. – Khloud Mostafa Jun 28 '22 at 09:00
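Since dig shows the record, the next useful check is whether the record parses the way a DKIM verifier reads it (quoted strings joined, tag list split, p= decoded) and how large the key in DNS actually is, which is what the comment about 1024 vs 2048 bit keys is about. The following Python script is an added example; it is not from the question or from any answer. It takes the record from the question as constructed sample input, deliberately split into two quoted strings the way a 2048-bit key usually is, and reads the RSA public key with a minimal DER reader rather than a crypto library so it runs offline. The 2048-bit minimum is an assumption of this example, and the script does not query DNS itself: paste in the RDATA that `dig TXT` prints.

```python
import base64
import re

# Constructed sample: the TXT record from the question as dig printed it, but
# split into two quoted strings the way a longer (2048-bit) key usually is.
# A DKIM verifier concatenates the strings before parsing; so does this script.
SAMPLE_TXT_RDATA = (
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCovh+yxWZIxya57mm0hITvf'
    'GXH9RjW/MfeeKjrXkChqNrjlYAfqERBjUwL4VCmceUf/bbbkKskdNQUJq9mm54qAGi4MZS6v9Tecty" '
    '"F7mvO1uw4GcjZjiCL8r8A1jX7znRjYl6Ew3+jecMLIoUci7m/LV7xPQcxMEMPO8sNK4dluQIDAQAB"'
)


def dkim_record_name(selector: str, domain: str) -> str:
    """The name opendkim-testkey looks up: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain.rstrip('.')}"


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted character-strings of one TXT RDATA line."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:                      # already unquoted
        return rdata.strip()
    return "".join(p.replace('\\"', '"') for p in parts)


def parse_tag_list(text: str) -> dict:
    """Split a DKIM tag=value list (RFC 6376 tag-list); whitespace inside values is dropped."""
    tags = {}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip()] = "".join(value.split())
    return tags


def _der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Modulus size of the RSA SubjectPublicKeyInfo that a DKIM p= tag carries."""
    _, body, _ = _der_read(spki, 0)            # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    _, _, pos = _der_read(body, 0)             # skip AlgorithmIdentifier
    tag, bitstr, _ = _der_read(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING in SubjectPublicKeyInfo")
    _, rsa_seq, _ = _der_read(bitstr[1:], 0)   # drop unused-bits octet; RSAPublicKey { n, e }
    tag, n, _ = _der_read(rsa_seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(n, "big").bit_length()


def check_dkim_record(rdata: str, min_bits: int = 2048) -> dict:
    """Validate a DKIM TXT record as a verifier would read it.

    Returns the parsed tags, the RSA modulus size (None if unusable) and a
    list of problems; an empty list means the record is usable."""
    tags = parse_tag_list(join_txt_strings(rdata))
    problems, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional, but if present must be DKIM1
        problems.append(f"unexpected version {tags['v']!r}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type {tags['k']!r}")
    p = tags.get("p")
    if p is None:
        problems.append("no p= tag")
    elif p == "":
        problems.append("empty p= tag (key revoked)")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
        except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError
            problems.append(f"p= is not a valid base64 RSA public key: {exc}")
        else:
            if bits < min_bits:
                problems.append(f"RSA key is only {bits} bits (policy minimum {min_bits})")
    return {"tags": tags, "bits": bits, "problems": problems}


if __name__ == "__main__":
    print("query name:", dkim_record_name("khloud", "example.com"))
    result = check_dkim_record(SAMPLE_TXT_RDATA)
    print("tags:", {k: (v[:20] + "...") if k == "p" else v for k, v in result["tags"].items()})
    print("modulus bits:", result["bits"])
    print("problems:", result["problems"] or "none")
```

The script only judges the record data; it says nothing about which resolver answered. opendkim-testkey resolves through the library configured in opendkim.conf, so a record that dig retrieves from one server can still be missing for a tool asking another.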

1 Answer


From opendkim.conf(5) parameters:

Domain (dataset)

A set of domains whose mail should be signed by this filter. Mail from other domains will be verified rather than being signed.

This parameter is not required if a SigningTable is in use; in that case, the list of signed domains is implied by the lines in that file.

Selector (string)

Defines the name of the selector to be used when signing messages. See the DKIM specification for details. Used only when signing with a single key; see the SigningTable parameter below for more information.

This parameter is ignored if a KeyTable is defined.

In your opendkim.conf you have:

KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table

These conflict with your single domain settings above. You could either comment these two lines out or complete the configuration using them:

  • /etc/opendkim/key.table:

    khloud._domainkey.example.com example.com:khloud:/etc/opendkim/keys/mydomain.com/khloud.private
    
  • /etc/opendkim/signing.table:

    *@example.com khloud._domainkey.example.com
    

The latter is more suitable if you plan to add other domains later & wish to use separate selectors or keys.

Esa Jokinen
  • Thanks for your reply. I commented out the (Domain / Selector) lines in /etc/opendkim.conf and retested the key again with (opendkim-testkey) --> the issue still exists and I get the same error (record not found). – Khloud Mostafa Jun 27 '22 at 14:02
  • You did something else than the things recommended in this answer. You should either comment out the `KeyTable` & `SigningTable` or complete the configuration as required when they exist. – Esa Jokinen Jun 27 '22 at 14:12
  • Ok, sorry, now I commented out the (KeyTable & SigningTable) lines and uncommented the (Domain / Selector) lines, but I am still getting the same error (record not found). – Khloud Mostafa Jun 27 '22 at 14:42
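The answer's point is that once KeyTable and SigningTable are in use, they, not Domain/Selector, decide which key signs a message and which DNS name a verifier will query. The following Python script is an added example, not from the answer or the question: it parses the two tables in the refile: format, resolves a From address to its key entry the way the signing table is consulted, and cross-checks the tables for dangling references. The sample tables are constructed from the question's files. Matching the sender against the refile: pattern with fnmatch, where `*` is the wildcard, is an approximation made by this example, not OpenDKIM's own matcher.

```python
import fnmatch

# Constructed sample input, copied from the question's two table files.
KEY_TABLE = """\
# key name                      domain:selector:path to private key
khloud._domainkey.example.com   example.com:khloud:/etc/opendkim/keys/example.com/khloud.private
"""

SIGNING_TABLE = """\
# sender pattern   key name (must exist in the key table)
*@example.com      khloud._domainkey.example.com
"""


def _data_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_key_table(text):
    """Map key name -> {domain, selector, path} (KeyTable syntax)."""
    keys = {}
    for line in _data_lines(text):
        name, value = line.split(None, 1)
        domain, selector, path = value.split(":", 2)
        keys[name] = {"domain": domain, "selector": selector, "path": path}
    return keys


def parse_signing_table(text):
    """List of (sender pattern, key name) in file order (SigningTable syntax)."""
    return [tuple(line.split(None, 1)) for line in _data_lines(text)]


def lookup_signing_key(from_addr, rules, keys):
    """Resolve a From address to (key name, key entry) or None if no rule matches.

    Assumption: refile: patterns are matched with fnmatch ('*' is a wildcard),
    an approximation of OpenDKIM's own matching."""
    for pattern, keyname in rules:
        if fnmatch.fnmatchcase(from_addr.lower(), pattern.lower()):
            if keyname not in keys:
                raise KeyError(f"signing table points at unknown key {keyname!r}")
            return keyname, keys[keyname]
    return None


def dns_name(entry):
    """The TXT record a verifier queries for this key entry."""
    return f"{entry['selector']}._domainkey.{entry['domain']}"


def check_tables(rules, keys):
    """Return human-readable problems; an empty list means the tables agree."""
    problems = []
    for pattern, keyname in rules:
        if keyname not in keys:
            problems.append(f"signing table entry {pattern!r} refers to missing key {keyname!r}")
    used = {keyname for _, keyname in rules}
    for name, entry in keys.items():
        if name not in used:
            problems.append(f"key {name!r} is never referenced by the signing table")
        if not entry["path"].startswith("/"):
            problems.append(f"key {name!r} has a relative key file path {entry['path']!r}")
    return problems


if __name__ == "__main__":
    keys = parse_key_table(KEY_TABLE)
    rules = parse_signing_table(SIGNING_TABLE)
    print("problems:", check_tables(rules, keys) or "none")
    hit = lookup_signing_key("someone@example.com", rules, keys)
    if hit:
        name, entry = hit
        print(f"someone@example.com -> {name}; query TXT {dns_name(entry)}; key file {entry['path']}")
```

Run it against the real files by reading /etc/opendkim/key.table and /etc/opendkim/signing.table instead of the constants; the DNS name it prints is the one to hand to `opendkim-testkey -d` and `-s`, and the key file path is the one whose ownership the notes in the question mention.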