UPDATE

Now the validator at mail-tester.com says the DKIM signature is fine. On the other hand, isnotspam.com still doesn't seem to like it. I assume it is working fine now. Also, Gmail accepts the email.

The change I made:

I changed the smtpd_tls_cert_file=.. smtpd_tls_key_file=..

to hold the keys for the primary domain. However my VPS contains several domains, so it still remains to be seen what happens with mails from

someone@example2.com

END OF UPDATE

I am getting a DKIM validation error. For your reference you can find the report at the end of this post.

I am confused about what to put in the /etc/postfix/main.cf

    smtpd_tls_cert_file=???
    smtpd_tls_key_file=???

Should these be the certificate of the domain (e.g. example.com)?

Of which these are the most relevant parts:

    DomainKeys check details:

    Result: neutral (message not signed)
    ID(s) verified: header.From=dexter@example.com
    Selector=
    domain=
    DomainKeys DNS Record=

    DKIM check details:

    Result: fail
    ID(s) verified: header.From=dexter@example.com
    Selector=201608
    domain=example.com
    DomainKeys DNS Record=201608._domainkey.example.com

I did double check that the DNS (mxtoolbox) is what I would expect it to be. My message is getting signed, but for some reason the signature does not match.

I really am running out of options; that's why I am knocking on your doors.

I followed the steps outlined here to the letter: https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8

(A very good tutorial I think. Nevertheless this would also give me another problem: warning: connect to Milter service local:/opendkim/opendkim.sock: Permission denied, which I worked around by changing UMask 000 to UMask 002).

Thanks a lot. dexter

From the isNOTspam service:

    ==========================================================
    Summary of Results

    SPF Check          : pass
    Sender-ID Check    : pass
    DomainKeys Check   : neutral
    DKIM Check         : fail
    SpamAssassin Check : ham (non-spam)

    Details:

    HELO hostname: server.example.com
    Source IP: 37.97.206.208
    mail-from: dexter@example.com
    Anonymous To: ins-phz0j2aw@isnotspam.com

    SPF check details:

    Result: pass
    ID(s) verified: smtp.mail=dexter@example.com
    DNS record(s):
    example.com. 74618 IN TXT "v=spf1 a mx ip4:37.97.206.208 ip6:2a01:7c8:aac3:aa::1/48 ~all"

    Sender-ID check details:

    Result: pass
    ID(s) verified: smtp.mail=dexter@example.com
    DNS record(s):
    example.com. 74618 IN TXT "v=spf1 a mx ip4:37.97.206.208 ip6:2a01:7c8:aac3:aa::1/48 ~all"

    DomainKeys check details:

    Result: neutral (message not signed)
    ID(s) verified: header.From=dexter@example.com
    Selector=
    domain=
    DomainKeys DNS Record=

    DKIM check details:

    Result: fail
    ID(s) verified: header.From=dexter@example.com
    Selector=201608
    domain=example.com
    DomainKeys DNS Record=201608._domainkey.example.com

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=201608; t=1470311857; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=; h=To:Subject:Date:From:From; b=Xy3uCw55frNys0VUaYiEDRxnCB0uoO9JWuXwtQYM1n6uqyNenv7EL5RTFAxjABeiL jlfOlSN8r4HPpaKvmWff8wYyEpCvU++t67n+uoCwRixYZRG0x62wuLtFXOJc5dI5o4 EJkFvKTXuj49v/pDxPk4RYwgXmBSCcFiSY3g5YzxM3TIByBi78/6fuIo0NWHXGrBHK m+FwiB512yyETI4r/qK+VpqNVZtHKoZlYxrWSlPSTZZDKK0j7asR/yBqiA/UDqkqgt uSHiROnxVuhzcOqd5SVzbP0G+VjpkrP/iEdgtYVBV6+t9YhDSncZX0umAn4hPqGfyo 4GPz7s/Sf/Qbw==

dexter

1 Answer

> Now the validator at mail-tester.com says the DKIM signature is fine. On the other hand, isnotspam.com still doesn't seem to like it. I assume it is working fine now. Also, Gmail accepts the email.
>
> The change I made:
>
> I changed the smtpd_tls_cert_file=.. smtpd_tls_key_file=..
>
> to hold the keys for the primary domain. However my VPS contains several domains, so it still remains to be seen what happens with mails from
>
> someone@example2.com

First, the Postfix SSL certs have absolutely nothing to do with DKIM, so that was a different issue you had.

Second, if you are still getting errors at isnotspam.com, then don't assume everything is alright until you get a green light on all tests.

Third, create new signatures for each domain and make sure the DNS entry is correct, as well as the permissions on the signature files.

Also make sure your postfix/main.cf has the proper entries and that the .sock actually exists.

    # DKIM / SPF
    # --------------------------------------
    milter_default_action = accept
    milter_protocol = 6
    smtpd_milters = unix:/var/run/opendkim/opendkim.sock
    non_smtpd_milters = $smtpd_milters

Check the mail logs for errors and warnings after restarting opendkim; they should look something like this:

    Feb 21 17:18:23 serverdcu opendkim[2078]: OpenDKIM Filter: mi_stop=1
    Feb 21 17:18:23 serverdcu opendkim[2078]: OpenDKIM Filter v2.11.0 terminating with status 0, errno = 0
    Feb 21 17:18:23 serverdcu opendkim[37449]: OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)
devCU Soft
    `milter_protocol` should be `2` for postfix versions 2.5 and lower, `6` for 2.6 and higher. [source](https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/) – ki9 Oct 21 '18 at 19:15
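
The checks listed in the answer above (a key for each domain, the matching DNS entry, permissions on the key files, and a socket that actually exists) can be scripted. The following is an added example, not part of the original answer and not OpenDKIM's own code; the table contents, key names and key path are constructed, with only the selector `201608` and `example.com` taken from the report in the question.

```python
import os
import stat

# Constructed sample tables in OpenDKIM's SigningTable / KeyTable layout.
# Key names and paths are assumptions; example2.com deliberately has no key.
SIGNING_TABLE = "*@example.com example\n*@example2.com example2\n"
KEY_TABLE = "example example.com:201608:/etc/opendkim/keys/example.private\n"


def parse_table(text):
    """Return {first_field: rest_of_line} for non-empty, non-comment lines."""
    rows = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            rows[parts[0]] = parts[1].strip()
    return rows


def signing_plan(sender_domain, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Return (DNS TXT name, key path) for a sender domain, or None if it
    has no usable key of its own."""
    key_name = parse_table(signing_table).get("*@" + sender_domain)
    entry = parse_table(key_table).get(key_name)
    if entry is None:
        return None
    domain, selector, key_path = entry.split(":", 2)
    if domain != sender_domain:
        return None  # d= would differ from the From domain
    return f"{selector}._domainkey.{domain}", key_path


def key_file_problems(path):
    """List reasons a private key file is unsafe or unusable."""
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    problems = []
    if not stat.S_ISREG(mode):
        problems.append("not a regular file")
    if mode & 0o077:
        problems.append("accessible by group or other")
    return problems


def milter_socket_ok(path):
    """True only if the path exists and is a UNIX socket."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False
```

With these sample tables, `signing_plan("example2.com")` returns `None`, which is the multi-domain gap the question's update leaves open: mail from that domain has no key of its own to be signed with.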