OpenDKIM not signing

OpenDKIM not signing

Laura Smith
Based on the responses to my previous question about using OpenDKIM (quite what "standards have not changed" has to do with software bugs makes no sense to me!). However, having been told I'm stupid not to continue using software many years old, I thought I would suck it up and continue with OpenDKIM.

OpenDKIM is not signing my mails.

Postfix main.cf is calling as follows:
milter_protocol = 6    # I have also tried this with 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen}

netstat -an shows openDKIM as running and listening on 8891.

My opendkim.conf is as follows:
BaseDirectory           /run/opendkim
PidFile                 /run/opendkim/opendkim.pid
UserID                  opendkim:opendkim
Syslog                  yes
SyslogSuccess           yes
LogWhy                  yes
Canonicalization        relaxed/relaxed
Socket                  inet:8891@localhost
SendReports             no
SoftwareHeader          no
MinimumKeyBits          1024
KeyTable                /etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
InternalHosts           refile:/etc/opendkim/TrustedHosts

Re: OpenDKIM not signing

Jim P.
On Tue, 2019-04-09 at 08:22 +0000, Laura Smith wrote:
> OpenDKIM is not signing my mails.
.....
> KeyTable                /etc/opendkim/KeyTable

I think this should be:

KeyTable refile:/etc/opendkim/KeyTable


> InternalHosts           refile:/etc/opendkim/TrustedHosts

Try using ExternalIgnoreList (I don't know why it works, but it does)

#InternalHosts refile:/etc/opendkim/InternalHosts
ExternalIgnoreList refile:/etc/opendkim/InternalHosts

hth,

-Jim P.


Re: OpenDKIM not signing

Dominic Raferd


On Tue, 9 Apr 2019 at 09:41, Jim P. <[hidden email]> wrote:

These are my postfix settings for opendkim (Ubuntu 18.04, slightly obfuscated, note that port 8893 milter is for opendmarc):

# postconf -n|grep milter
milter_default_action = accept
milter_protocol = 2
non_smtpd_milters = $smtpd_milters
smtpd_milters = inet:[127.0.0.1]:8891,inet:[127.0.0.1]:8893

Regarding 'KeyFile', see 'man opendkim' - OP's existing setting is correct if using flat file format (without patterns).


Re: OpenDKIM not signing

Janis
In reply to this post by Laura Smith
Why do you use
> inet:localhost:8891
Instead of a socket?
I conf'ed it using this tutorial:
https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/

smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock
The socket paths are relative because Postfix is chrooted. The absolute path
is /var/spool/postfix/opendkim/opendkim.sock (use the relative one though!)

Also check the syntax in tables. I was pulling my hair out and it turned
out my syntax was off. Refer to the tutorial!
Especially:
KeyTable                  /etc/opendkim/KeyTable
mydomaintld  mydomain.tld:201904:/etc/opendkim/keys/mydomain.tld/mydomaintld.private

SigningTable             refile:/etc/opendkim/SigningTable
*@mydomain.tld     mydomaintld

ExternalIgnoreList        /etc/opendkim/TrustedHosts
InternalHosts             /etc/opendkim/TrustedHosts

What does the log file say?
search for opendkim
$ tail -n 500 /var/log/mail.log | grep opendkim  # Or wherever your mail log file is located.

Also check online Opendkim testers. There are many of them, try a few.
Helped me a lot.
https://www.mail-tester.com/spf-dkim-check

Remember that your DNS TXT records may take an hour to update and should
be submitted BEFORE you try signing anything. dig is your friend. Check
that your server and your work PC can read the records.

$ dig TXT 201904._domainkey.mydomain.tld
Should contain something like:
;; ANSWER SECTION:
201902._domainkey.mydomain.tld. 21599 IN    TXT    "v=DKIM1; h=sha256; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN.......

Remember that 201904._domainkey is what you choose it to be when you
generate the public key you put in DNS TXT records!

Re-read tutorial! Remember that if you think that you don't understand
something, then the config error is probably because of that. Don't just
copy paste, think along every step.


RE: OpenDKIM not signing

L.P.H. van Belle
The link of Linode, but transformed into a script for Debian 9.
https://github.com/thctlo/debian-scripts/blob/master/setup-opendkim-postfix.sh

Read it or use it (make backups first).
It's tested on a clean setup, but if you read through the script you see everything that's needed to fix this.
And just a question: is the DNS already updated?

Greetz,

Louis




Re: OpenDKIM not signing

Janis
In reply to this post by Laura Smith
What's your key-size?
My DNS provider does not support 2048; I found it out the hard way. 1024
seems to be the most popular size and Google demands at least 1024.
Once you get the signing working you can regen a 2048 and check if you
can feed it in DNS TXT, but for first testing stick to 1024.

Re: OpenDKIM not signing

Laura Smith
In reply to this post by Jim P.
On Tuesday, April 9, 2019 9:40 AM, Jim P. <[hidden email]> wrote:

> Try using ExternalIgnoreList (i don't know why it works, but it does)
>
> #InternalHosts refile:/etc/opendkim/InternalHosts
> ExternalIgnoreList refile:/etc/opendkim/InternalHosts

That seems to have woken something up (although not the signing), the logs have started showing something:
Apr  9 09:40:14 rx200 mail.info opendkim[4396]: C03DE1014429: foobar.example.com [192.0.2.10] not internal
Apr  9 09:40:14 rx200 mail.info opendkim[4396]: C03DE1014429: not authenticated
Apr  9 09:40:14 rx200 mail.debug opendkim[4396]: C03DE1014429: no signature data



Re: OpenDKIM not signing

Janis
> Apr  9 09:40:14 rx200 mail.info opendkim[4396]: C03DE1014429: foobar.example.com [192.0.2.10] not internal


It seems that the domain you want to sign is not in the KeyTable or
SigningTable! Note that if you put "refile:" before config file path in
/etc/opendkim.conf the syntax changes!
If
SigningTable             refile:/etc/opendkim/SigningTable
then
*@mydomain.tld   mydomaintld

If
SigningTable             /etc/opendkim/SigningTable
then
mydomain.tld     mydomaintld

Note that the dot (.) must not be in the second column. For me the
refile works better.
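To make the refile/flat distinction concrete, here is an added Python illustration (not OpenDKIM's own code and not from this thread) that models the SigningTable lookup for a From: address and the KeyTable entry it points at. The tables, key name and key path are constructed to mirror the ones above; the matching rules (refile: '*' wildcard against the whole address; flat: literal match on the full address, then on the domain) are a simplification assumed here.

```python
"""Model of the SigningTable lookup OpenDKIM does for a From: address.
Added illustration, not OpenDKIM's code. Assumed rules: with 'refile:' each
key is a pattern ('*' wildcard) matched case-insensitively against the whole
address; in a flat table keys are literal, tried as full address then domain."""
import fnmatch

# Constructed tables in the two styles Janis contrasts.
REFILE_TABLE = """
# pattern             KeyTable name
*@mydomain.tld        mydomaintld
"""
FLAT_TABLE = """
mydomain.tld          mydomaintld
"""
# Constructed KeyTable: name  domain:selector:private-key-path
KEY_TABLE = """
mydomaintld  mydomain.tld:201904:/etc/opendkim/keys/mydomain.tld/mydomaintld.private
"""

def parse_table(text):
    """Yield (key, value) pairs, skipping blank lines and '#' comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            yield key, value.strip()

def lookup_signing_key(table_text, from_addr, refile):
    """Return the KeyTable name the table selects for from_addr, or None."""
    addr = from_addr.lower()
    domain = addr.rpartition("@")[2]
    for key, name in parse_table(table_text):
        key = key.lower()
        if refile and fnmatch.fnmatchcase(addr, key):  # '*' wildcard patterns
            return name
        if not refile and key in (addr, domain):
            return name
    return None

def keytable_entry(key_table_text, name):
    """Return (domain, selector, keyfile) for a KeyTable name, or None."""
    for key, value in parse_table(key_table_text):
        if key == name:
            return tuple(value.split(":", 2))
    return None

if __name__ == "__main__":
    name = lookup_signing_key(REFILE_TABLE, "laura@mydomain.tld", refile=True)
    print(name, keytable_entry(KEY_TABLE, name))
```

Running the flat-style key under a refile table (or the other way round) returns None, which is the "mismatched syntax" failure Janis describes.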




RE: OpenDKIM not signing

angelo
In reply to this post by Laura Smith
Hi, not sure my SOP will help you but here it is and it does work.

https://linux.uits.uconn.edu/dkim-review-of-all-aspects/

Your logs will be the best place to find problems.
Good Luck.

-ANGELO FAZZINA

[hidden email]
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075


Re: OpenDKIM not signing

Ralph Seichter-2
In reply to this post by Janis
* SIA Janis Ntek:

> Why do use
> > inet:localhost:8891
> Instead of a socket?

Probably because the above stream socket is, unfortunately, what is to
this day used in both opendkim.conf.simple and opendkim.conf.sample in
the source code, although a domain socket would be safer in terms of
access restrictions. :-/

-Ralph

Re: OpenDKIM not signing

Bill Cole-3
In reply to this post by Janis
On 9 Apr 2019, at 5:36, Ntek, SIA Janis wrote:

> What's your key-size?
> My DNS provider does not support 2048, I found it out the hard way.

Note that this is usually due to a 255-character limit on a single
string in a TXT record. This is because the character-string type in DNS
is defined as a classical Pascal string: a single length byte followed
by the content.

There is a workaround supported by most DNS servers: using multiple
strings in a single TXT record. This is a part of the DNS standard (RFC
1035) so if your DNS service provider does not allow it, they are not a
real DNS provider. :)


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
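As an added illustration of Bill's point (and of what the dig check in Janis's earlier post should return), this Python script is not from the thread or from any DNS software: it splits a DKIM TXT record into character-strings of at most 255 octets, renders them as a zone file would, and re-joins them the way a verifier does. The key bytes are constructed stand-ins with the DER length of a real RSA SubjectPublicKeyInfo (162 bytes for 1024-bit, 294 bytes for 2048-bit).

```python
"""Split a DKIM TXT record into RFC 1035 character-strings (<= 255 octets)
and re-join them the way a DKIM verifier does. Added illustration, not code
from the thread or from any DNS server; the key bytes below are constructed
stand-ins with the DER length of a real RSA SubjectPublicKeyInfo."""
import base64

MAX_STRING = 255  # one length octet per character-string, so 255 is the cap
# DER sizes of an RSA SubjectPublicKeyInfo: 1024-bit -> 162 B, 2048-bit -> 294 B
SPKI_DER_LEN = {1024: 162, 2048: 294}

def fake_pubkey_b64(bits):
    """Constructed base64 blob of the size a real key of `bits` would have."""
    der = b"\x30" + bytes(SPKI_DER_LEN[bits] - 1)  # not a parsable key
    return base64.b64encode(der).decode("ascii")

def dkim_record(pubkey_b64):
    """The record shape shown in Janis's dig output."""
    return "v=DKIM1; h=sha256; k=rsa; s=email; p=" + pubkey_b64

def split_txt(record, limit=MAX_STRING):
    """Cut the RDATA into character-strings of at most `limit` octets."""
    data = record.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]

def zone_file_rdata(strings):
    """Render as a zone file does: several quoted strings on one line."""
    return " ".join('"%s"' % s.replace("\\", "\\\\").replace('"', '\\"') for s in strings)

def join_txt(strings):
    """RFC 6376 section 3.6.2.2: concatenate the strings with no separator."""
    return "".join(strings)

def dkim_tags(record):
    """Parse 'tag=value; ...' into a dict, dropping whitespace inside values."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            tag, value = item.split("=", 1)
            tags[tag.strip()] = "".join(value.split())
    return tags

if __name__ == "__main__":
    for bits in (1024, 2048):
        parts = split_txt(dkim_record(fake_pubkey_b64(bits)))
        print(bits, "bits ->", len(parts), "string(s):", zone_file_rdata(parts)[:60], "...")
```

With this record prefix a 1024-bit key fits in one 253-octet string, while a 2048-bit key needs two, which is exactly where a provider's single-string web form breaks.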

Re: OpenDKIM not signing

Scott Kitterman-4
On Tuesday, April 09, 2019 08:50:52 AM Bill Cole wrote:

> There is a workaround supported by most DNS servers: using multiple
> strings in a single TXT record. This is a part of the DNS standard (RFC
> 1035) so if your DNS service provider does not allow it, they are not a
> real DNS provider. :)

It's not that rare. In fact it's the reason that RFC 8301 says MUST 1024,
SHOULD 2048. If we'd thought it wouldn't have caused significant operational
problems for domains that don't host their own DNS, we'd have gone straight to
MUST 2048 for additional future proofing.

Lots of domains have DNS provided by the domain name registrar (i.e. not a
real DNS provider, I guess).

Scott K