I configured OpenDKIM following the guidelines here:

https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

Rather than generate keys I used those already configured on our domain, that were generated in the Gmail admin portal.

Everything looked OK until mail came in that should be signed, at which point I get this in the logs:

Sep 27 15:00:05 kattos opendkim[6210]: 2283C43B35: SSL error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag; error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error; error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag; error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error; error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib; error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag; error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

The keys all check out fine when tested on the command line using opendkim-testkey:

root@kattos:~# opendkim-testkey -d myhostedfax.co.uk -s google -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'google._domainkey.myhostedfax.co.uk'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Not really sure where to go with this next and would appreciate any guidance.

btongeorge
  • Does this answer your question? [opendkim-testkey: key not secure](https://serverfault.com/questions/1048491/opendkim-testkey-key-not-secure) – diya Sep 27 '22 at 14:32
  • I think the problem is more fundamental - I only have the public DKIM key as downloaded from the Google Apps portal, and can see no way to get hold of the private key. Obviously without that there's no way I can sign emails! So I reckon that's the problem. – btongeorge Sep 27 '22 at 14:42

1 Answer

You have to create your own keys to be able to sign outgoing email; opendkim comes with a key generator (opendkim-genkey).

I have no knowledge of Google's admin portal, but if you control the DNS of myhostedfax.co.uk you should be able to put a public key next to your Gmail key. Just be careful not to use the same selector as Google (that is, don't use "google"), since that will lead to your email being incorrectly marked as altered.

As for the key, it is recommended to replace (or rotate) it from time to time. I rotate keys routinely every three months since they are usually quite short: many web interfaces have problems with really long keys, so 1024-bit RSA keys are quite often used. While elliptic-curve keys (ed25519) are allowed by the DKIM standard (see RFC 8463), I have not seen widespread use of them, despite their clear advantage of shorter key lengths for similar or better security.

flinkflonk
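Added example, not part of the question or the answer above and not code from the OpenDKIM project: a standard-library-only Python script that (a) tells a DKIM private key file apart from a public key file by reading the first DER tags, which is the distinction the question's `OLD_RSA_PRIV_DECODE ... wrong tag` error turns on (the RSAPrivateKey decoder expects an INTEGER version where a SubjectPublicKeyInfo carries a SEQUENCE), and (b) builds the `selector._domainkey` TXT record from a public key, splitting it into 255-character strings as long RSA keys require, while refusing a selector that is already in use. The keys it builds are constructed toy DER structures with single-byte integers; they are not real keys and cannot sign anything. In practice the private key comes from `opendkim-genkey` as the answer says; this script only checks what kind of file you have been given.

```python
"""Classify PEM key files and build a DKIM TXT record (stdlib only).

Key material below is CONSTRUCTED for illustration: tiny integers, not usable
for signing.  Helper and function names are this example's own.
"""
import base64
import re

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x03, 0x04, 0x05, 0x06


def der_encode(tag, payload):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def pem_to_der(pem):
    """Strip the PEM armour; return (label, DER bytes)."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM file")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def classify_key(pem):
    """'pkcs1-private', 'pkcs8-private', 'spki-public' or 'unknown'.

    Only the first two elements inside the outer SEQUENCE are inspected:
      RSAPrivateKey (PKCS#1): INTEGER 0, INTEGER n, ...
      PrivateKeyInfo (PKCS#8): INTEGER 0, SEQUENCE algId, OCTET STRING
      SubjectPublicKeyInfo:    SEQUENCE algId, BIT STRING
    A signer that expects an RSAPrivateKey and meets a SEQUENCE where the
    INTEGER version should be reports an ASN.1 'wrong tag' error.
    """
    _, der = pem_to_der(pem)
    tag, body, _ = der_read(der)
    if tag != SEQUENCE:
        return "unknown"
    t1, v1, p = der_read(body)
    t2, _, _ = der_read(body, p)
    if t1 == INTEGER and v1 == b"\x00":
        if t2 == INTEGER:
            return "pkcs1-private"
        if t2 == SEQUENCE:
            return "pkcs8-private"
    if t1 == SEQUENCE and t2 == BIT_STRING:
        return "spki-public"
    return "unknown"


def can_sign_with(pem):
    """True only for a private key; a public key alone cannot sign."""
    return classify_key(pem).endswith("-private")


def dkim_dns_name(selector, domain, existing=()):
    """Name of the TXT record; reject a selector the domain already uses."""
    if selector in existing:
        raise ValueError(f"selector {selector!r} already in use at {domain}")
    return f"{selector}._domainkey.{domain}"


def dkim_txt_record(spki_der, chunk=255):
    """Build 'v=DKIM1; k=rsa; p=...' as 255-byte quoted strings (RFC 6376 p= tag)."""
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode()
    return " ".join(f'"{record[i:i + chunk]}"' for i in range(0, len(record), chunk))


# --- constructed toy keys (NOT real RSA keys) -------------------------------
RSA_OID = der_encode(OID, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
ALG_ID = der_encode(SEQUENCE, RSA_OID + der_encode(NULL, b""))


def toy_spki():
    rsa_pub = der_encode(SEQUENCE, der_encode(INTEGER, b"\x0d") + der_encode(INTEGER, b"\x03"))
    return der_encode(SEQUENCE, ALG_ID + der_encode(BIT_STRING, b"\x00" + rsa_pub))


def toy_pkcs1_private():
    # version, n, e, d, p, q, dP, dQ, qInv with placeholder single-byte values
    ints = [b"\x00", b"\x0d", b"\x03", b"\x05", b"\x03", b"\x03", b"\x01", b"\x02", b"\x02"]
    return der_encode(SEQUENCE, b"".join(der_encode(INTEGER, v) for v in ints))


def toy_pkcs8_private():
    return der_encode(SEQUENCE, der_encode(INTEGER, b"\x00") + ALG_ID
                      + der_encode(OCTET_STRING, toy_pkcs1_private()))


if __name__ == "__main__":
    for label, der in [("PUBLIC KEY", toy_spki()), ("RSA PRIVATE KEY", toy_pkcs1_private()),
                       ("PRIVATE KEY", toy_pkcs8_private())]:
        pem = to_pem(label, der)
        print(f"{label:16s} -> {classify_key(pem):14s} can sign: {can_sign_with(pem)}")
    print(dkim_dns_name("mail2022", "myhostedfax.co.uk", existing=("google",)))
    print(dkim_txt_record(toy_spki()))
```

Run it against a real file with `classify_key(open("/etc/opendkim/keys/example.private").read())` (path is an assumption); a result of `spki-public` means the file is a public key of the kind an admin portal hands out, and no signer can use it. The `existing=("google",)` guard mirrors the answer's warning about reusing the Gmail selector.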