Score:0

DKIM Postfix message not signed for outgoing mail

ca flag

I've been working on setting up SPF, DKIM, and DMARC for the past couple weeks. All is now successfully working, except that I cannot get my outgoing mail to be DKIM signed.

Debian 11 is the OS, OpenDkim with Postfix as my MTA.

Comparing with guides and other tutorials all seems to be well, but clearly I'm missing something.

Contents of the config files, though I've renamed the domain to example.com.

/etc/opendkim.conf

Syslog                  yes
UMask                   007

# example.com as the domain doesn't seem to make a difference.
Domain                  * 
Selector                202306

Socket          local:/var/spool/postfix/opendkim/opendkim.sock
PidFile               /var/run/opendkim/opendkim.pid

OversignHeaders         From
TrustAnchorFile       /usr/share/dns/root.key
UserID                opendkim

KeyTable     /etc/opendkim/key.table
SigningTable     refile:/etc/opendkim/signing.table

ExternalIgnoreList         /etc/opendkim/trusted.hosts
InternalHosts              /etc/opendkim/trusted.hosts

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization   relaxed/simple
Mode     sv
SubDomains   no
AutoRestart                yes
AutoRestartRate  10/1M
Background   yes
DNSTimeout   5
SignatureAlgorithm    rsa-sha256

/etc/opendkim/key.table

202306  example.com:202306:/etc/opendkim/keys/example.private

/etc/opendkim/signing.table

*@example.com  202306._domainkey.example.com

/etc/opendkim/trusted.hosts

127.0.0.1
::1
localhost
example.com
smtp.example.com

/etc/postfix/main.cf

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

/etc/default/opendkim

RUNDIR=/var/run/opendkim
SOCKET="inet:8891@localhost"
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=

/etc/postfix/master.cf

# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
==========================================================================
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
           -o syslog_name=postfix/submission
           -o smtpd_tls_security_level=may
           -o smtpd_sasl_auth_enable=yes

smtps     inet  n       -       n       -       -       smtpd
          -o syslog_name=postfix/smtps
          -o smtpd_tls_wrappermode=yes
          -o smtpd_sasl_auth_enable=yes

pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
mydelivery   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

/bin/procmail -Y -a USER=${user} EXTENSION=${extension} /etc/procmailrc
procmail unix - n n - - procmail
127.0.0.1:10050  inet  n       n       n       -       0       spawn
user=mail argv=/usr/bin/perl /etc/postfix/log_smtp.pl

Some ideas I've had: it seems to be a milter issue if all else is working and OpenDKIM is running. Almost as if Postfix is not aware it should be speaking with OpenDKIM.

I see the owner of the /var/run/opendkim directory is opendkim:opendkim, but the pid file within is owned by root:root; going to see if updating the owner helps.

If there is any additional information needed, I can provide. MXtoolbox shows my DKIM DNS entries are all good.

Any assistance is appreciated. Thank you

[EDIT: I've updated the signing.table as suggested below and added the master.cf contents. (I assumed the key table and signing table needed to refer to the same thing, but maybe not; no change either way.) Looks like master.cf may be my issue; currently researching this config file to understand it more.]

Score:0
jp flag

The format of your signing table seems incorrect, and should be:

*@example.com 202306._domainkey.example.com

Also check that your master.cf does not override the milter settings in main.cf for smtps (or submission, which is obsoleted by RFC 8314).


A couple of additional hints:

  • By default, DMARC trusts the Authentication-Results headers set by DKIM & SPF checks. Unfortunately, those headers can be forged. My answer from 2019 gives hardening advice against this.

  • Enabling debug logging in opendkim.conf helps following the decisions made by OpenDKIM:

    # Debug logging
    LogResults yes
    LogWhy yes
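
The three files in the question spell the OpenDKIM endpoint three different ways (a local: socket in opendkim.conf, inet:8891@localhost in /etc/default/opendkim, inet:localhost:8891 in main.cf), and the answer above asks about master.cf overrides. The script below is an added diagnostic, not from the thread and not part of OpenDKIM or Postfix, that normalises those spellings, checks whether Postfix's smtpd_milters/non_smtpd_milters point at either OpenDKIM socket, and lists master.cf services that set their own smtpd_milters. It assumes Debian, where SOCKET= in /etc/default/opendkim only replaces the conf-file Socket line once the service override generator has been run (`systemctl cat opendkim` shows the effective command line); the sample files are constructed to mirror the post, with an override added to smtps to show what gets reported.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the socket OpenDKIM opens
# against the address Postfix's milter settings connect to, and list master.cf
# services that override smtpd_milters. Sample files are constructed below.
set -u
# Normalise a milter address so both sides compare as plain strings:
#   OpenDKIM inet:8891@localhost -> inet:localhost:8891 (Postfix spelling)
#   OpenDKIM local:/path         -> unix:/path
norm_addr() {
  a=$(printf '%s' "$1" | tr -d '"')
  case "$a" in
    inet:*@*) p=${a#inet:}; printf 'inet:%s:%s\n' "${p#*@}" "${p%@*}" ;;
    local:*)  printf 'unix:%s\n' "${a#local:}" ;;
    *)        printf '%s\n' "$a" ;;
  esac
}
conf_socket()    { awk '$1 == "Socket" { print $2; exit }' "$1"; }
default_socket() { sed -n 's/^SOCKET=//p' "$1" | head -n 1; }
# Every address in smtpd_milters / non_smtpd_milters, one per line
# (literal values only; a $name reference is not expanded)
postfix_milters() {
  awk -F= '$1 ~ /^[ \t]*(smtpd_milters|non_smtpd_milters)[ \t]*$/ {
             gsub(/[ \t]/, "", $2); n = split($2, a, ",")
             for (i = 1; i <= n; i++) print a[i] }' "$1" | sort -u
}
# master.cf services carrying their own "-o smtpd_milters=..." line; an empty
# value means mail submitted through that service is never passed to OpenDKIM
milter_overrides() {
  awk '/^[^ \t#]/ { svc = $1 }
       /^[ \t]+-o[ \t]+smtpd_milters=/ { sub(/.*smtpd_milters=/, ""); print svc "=" $0 }' "$1"
}
# 0 if Postfix ($2 = main.cf) connects to the OpenDKIM socket given as $1
check_milter_link() {
  listen=$(norm_addr "$1")
  for m in $(postfix_milters "$2"); do
    [ "$(norm_addr "$m")" = "$listen" ] && return 0
  done
  return 1
}
d=$(mktemp -d)   # constructed samples mirroring the post
printf 'Socket  local:/var/spool/postfix/opendkim/opendkim.sock\nMode  sv\n' > "$d/opendkim.conf"
printf 'RUNDIR=/var/run/opendkim\nSOCKET="inet:8891@localhost"\n' > "$d/default"
printf 'smtpd_milters = inet:localhost:8891\nnon_smtpd_milters = inet:localhost:8891\n' > "$d/main.cf"
printf 'smtps inet n - n - - smtpd\n  -o smtpd_tls_wrappermode=yes\n  -o smtpd_milters=\n' > "$d/master.cf"
for src in "opendkim.conf:$(conf_socket "$d/opendkim.conf")" "default:$(default_socket "$d/default")"; do
  if check_milter_link "${src#*:}" "$d/main.cf"; then echo "OK   Postfix reaches the ${src%%:*} socket ${src#*:}"
  else echo "MISS the ${src%%:*} socket ${src#*:} is not in smtpd_milters/non_smtpd_milters"; fi
done
milter_overrides "$d/master.cf" | sed 's/^/OVERRIDE /'
rm -rf "$d"
```

If Postfix cannot reach the milter, mail.log records the failed connection to the milter service and, with milter_default_action = accept as in main.cf above, the message is still delivered, only unsigned.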
    
Danger Lake
ca flag
I thought the key and signing table would need this value to match, but I've updated the signing table and it didn't seem to make a difference. I've added my master.cf, and this is now my focus. I'm currently looking up how this file works to ensure I don't break something, but I'm looking at those bottom lines for potential removal so the main.cf milters won't be redirected.