
So I've set up OpenDKIM with Postfix and I can still send emails, but when I do:

opendkim-testkey -d example.com -s mail -vvv

I get back:

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.example.com'
opendkim-testkey: No key

And if I use check-auth@verifier.port25.com it says

DKIM check: permerror and result: permerror (no usable key records)

but in the email I can see my public key in the email headers with the s=mail and d=mydomain.com etc...

The /etc/opendkim/ is set to opendkim:opendkim for user and group.

My opendkim.conf:

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain                 example.com
#KeyFile                /etc/mail/dkim.key
Selector                mail

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization       simple
#Mode                   sv
#SubDomains             no
#ADSPAction            continue

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders         From

# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)

#ATPSDomains            example.com

###########################
# My Config Setup Below   #
###########################

AutoRestart             Yes
AutoRestartRate         10/1h
SyslogSuccess           Yes
LogWhy                  Yes

Canonicalization        relaxed/simple

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable

Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SignatureAlgorithm      rsa-sha256

UserID                  opendkim:opendkim

Socket                  inet:12301@localhost

My KeyTable file:

example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

My SigningTable file:

*@example.com example.com

Any help on this is much appreciated.

Erdss4
  • Is there actually a DNS record for 'mail._domainkey.example.com' with the public key component of your DKIM key pair – HBruijn Oct 15 '17 at 14:08
  • @HBruijn Yes I set `v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDxejbYaZuMvBYTRQEPF8RDhpbWH0CsXh5Gc+lfKbkw8RAlHsJgrQi1Ma+ANxCV9xuMv5sJTgXV/Apq0sfeMZIIXG0iSWDzEtl+PN6IuIlZ2/EgGAfdwPztIehyomIJ+189IcRIBBIqo8wRCUUkZr+3vW06PkSDK+qj1t86OE6UGQIDAQAB` as a TXT record, but I do have an SPF TXT as well on the same domain, sure that won't matter? – Erdss4 Oct 15 '17 at 14:16
  • @HBruijn any ideas? – Erdss4 Oct 15 '17 at 15:22
  • Why don't you have the KeyFile and Domain options set? – Zip Oct 15 '17 at 15:38
  • @Zip Because that's what I thought the signing table and key table were for when you want to use multiple domains? – Erdss4 Oct 15 '17 at 15:48
  • @Erdss4 That's what they're for. I suppose you've also tested if the issue is file access, right? Like setting 644 on the keys for a moment... – Zip Oct 15 '17 at 16:05

1 Answer

Sorted it now.

I was putting the public key in my DNS record in the main section, when I should have been putting it in the subdomain section with mail._domainkey.example.com as the name/subdomain.

Erdss4
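The failure in this thread is a DNS placement error: the verifier only looks at `selector._domainkey.domain`, so a DKIM record published at the zone apex is invisible to it (and an SPF record at the apex does not interfere either way). The following is an added example, not code from the question or from OpenDKIM, that reproduces the `opendkim-testkey` decision against a constructed in-memory stand-in for DNS; the `FAKE_DNS` contents and the truncated `p=` value are made up for the example.

```python
import base64
import re

# Constructed stand-in for DNS: name -> list of TXT records (each a list of strings,
# since a TXT record may be split into several quoted strings). Models the question:
# the DKIM record sits at the apex (example.com) instead of the selector name.
FAKE_DNS = {
    "example.com": [
        ["v=spf1 mx -all"],                                    # SPF at the apex is fine
        ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQ=="],  # wrong name, truncated key
    ],
}

def dkim_record_name(selector, domain):
    """The only name a DKIM verifier queries for this selector/domain pair."""
    return f"{selector}._domainkey.{domain}".lower()

def parse_tags(txt):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def check_dkim_key(dns, selector, domain):
    """Return (ok, message) following the checks opendkim-testkey performs."""
    name = dkim_record_name(selector, domain)
    records = ["".join(parts) for parts in dns.get(name, [])]  # join multi-string TXT
    # Keep only DKIM key records; an SPF record at the same name has v=spf1 and no p= tag.
    keys = [t for t in map(parse_tags, records) if t.get("v", "DKIM1") == "DKIM1" and "p" in t]
    if not keys:
        hint = ""
        if any("p" in parse_tags("".join(parts)) for parts in dns.get(domain.lower(), [])):
            hint = f" (a record with a p= tag exists at {domain} instead; the selector name is missing)"
        return False, f"No key at {name}{hint}"
    tags = keys[0]
    if tags["p"] == "":
        return False, f"key at {name} is revoked (empty p=)"
    try:
        base64.b64decode(re.sub(r"\s+", "", tags["p"]), validate=True)
    except ValueError:
        return False, f"p= tag at {name} is not valid base64"
    return True, f"key OK at {name} (k={tags.get('k', 'rsa')})"

def publish_at_selector(dns, selector, domain, record):
    """The fix from the answer: publish the TXT record under the selector name."""
    fixed = dict(dns)
    fixed[dkim_record_name(selector, domain)] = [record]
    return fixed
```

Running `check_dkim_key(FAKE_DNS, "mail", "example.com")` reports the same "No key" outcome as the question, and the same call on `publish_at_selector(FAKE_DNS, "mail", "example.com", FAKE_DNS["example.com"][1])` passes.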