The idea was to replace dkimproxy (my blog) with opendkim; it appears to run as one instance rather than the many, which could be an advantage. I have never used opendkim, so I spent a few days with it.
I decided to explore via Google and things seem simple**, except that an /etc/default file goes unmentioned; with a bit of poking I get a daemon up and running*. It's not connected to anything and has no DNS settings, but it's there.
I put a new key in DNS, un-mangle dkimproxy and postfix, then with the milter try to send an email which postfix can't see. I think that's an ACL issue with a host with two network cards, so I add the IP of the sending box.
My first experience varies between "unexpected protocol error" and there's nobody home where said milter should be:
fatal: 12345@localhost: garbage after numerical service
postfix/smtpd[6254]: fatal: host/service localhost/12345 not found: Name or service not known
I re-enable dkimproxy, which works.
Testing opendkim is possible (as root):
opendkim-testkey -k /etc/opendkim/keys/domian/default.private -x /etc/opendkim.conf -vvv -s default -d zoo
So, sort of successful. If you get a message about the key being not secure, live with it; it's not permissions but key size, which you're going to read about later on. I use different selectors so I could keep dkimproxy working while figuring this out.
I restart another day; this time I get opendkim up and get postfix to send email via some alternative Google suggestions:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
Anyhow, some adjusting leaves me with amavis (my blog) also being run. However, there is something up with the signing table:
opendkim[2100]: x: no signing table match for ‘bananas@zoo’
Progress, in a fashion, is also indicated by the logs:
opendkim[2100]: x: [37.46.39.221] [37.46.39.221] not internal
opendkim[2100]: x: not authenticated
opendkim[2100]: x: no signature data
I set sv (the sign-and-verify mode); this is verification in action with a Yahoo webmail product with no DKIM, and it shows that TrustedHosts is working. Giggle. However, some hosts are better, and this is from amavis (my blog), which shows it works well, given I thought I was using dkimproxy for inbound DKIM checks via some sort of Perl:
Authentication-Results: mail2.zoo; dkim=pass reason="2048-bit key; insecure key" header.d=google.com header.i=@google.com header.b=chickens; dkim-adsp=pass; dkim-atps=neutral
Key size seems an issue and worth a look, although DNS TXT record limits mean I can't do 4096-bit key signing, as that's 712 characters, not the max 512 I get to work with, so 2048 it is. It's not all bad news: DMARC (my blog) and SPF pass, just no DKIM.
I have issues with these lines:
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/TrustedHosts
So it's back to hunting the issue, which seems to be a refile issue with KeyTable and SigningTable, which I comment out; opendkim -q is not too helpful.
I resort to putting
Domain zoo
Selector mail2
KeyFile /etc/opendkim/keys/zoo/mail2.private
in opendkim.conf, and it signs rather than telling me to piss off.
That's not the end of it for me, as I have zoo1, zoo2 and others to add. That's why I wanted those refile things to work. But it's a start, as opendkim does something. However, that can wait.
I add zoo1 (a new domain, not zoo), which when I switched had a bad DNS record:
reason="invalid (public key: OpenSSL error: bad base64 decode)"
so I redid the DNS; it tested as 2048-bit size, but it seems you can only have one selector and domain in opendkim.conf. So it's back to the signing table. This is my screw-up, but
KeyTable /etc/opendkim/KeyTable    # removed refile:
SigningTable refile:/etc/opendkim/SigningTable
works, with the contents something like the following. SigningTable looks like:
*@zoo mail2._domainkey.zoo
*@zoo1 mail2._domainkey.zoo1
That's a mask on the sender address (e.g. bananas.falklands@zoo), then the name of the public DKIM DNS record used as the KeyTable key; zoo or zoo1 is a domain name.
KeyTable looks like:
mail2._domainkey.zoo zoo:mail2:/etc/opendkim/keys/zoo/mail2.private
mail2._domainkey.zoo1 zoo1:mail2:/etc/opendkim/keys/zoo1/mail2.private
So KeyTable translates as: the DKIM DNS record name, then domain:selector (the -s option of opendkim-testkey):private key file; zoo (or zoo1) are domain names.
If your files are not chown'ed to opendkim, then opendkim will bitch at you with permission denied errors and not load.
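As an added example (not from the post and not OpenDKIM's own code), here is a small Python model of how the two tables fit together: a refile-style SigningTable matched against the sender address, the matching key name looked up in KeyTable, and the domain:selector:keyfile triple split out. The table contents are constructed to mirror the zoo/zoo1 layout above; the wildcard matching (whole address, case-insensitive, first match wins) is my model of refile: behaviour, not a copy of OpenDKIM's matcher. It also rejects a KeyTable value with a missing colon, the sort of typo that leaves you with no usable key for a domain.

```python
import re

# Constructed sample tables (assumption: same layout as the post's SigningTable /
# KeyTable; "zoo" and "zoo1" are the post's placeholder domain names, not real ones).
SIGNING_TABLE = """\
# sender pattern (refile: '*' is a wildcard)   key name in KeyTable
*@zoo                                          mail2._domainkey.zoo
*@zoo1                                         mail2._domainkey.zoo1
"""

KEY_TABLE = """\
# key name                domain:selector:private key file
mail2._domainkey.zoo      zoo:mail2:/etc/opendkim/keys/zoo/mail2.private
mail2._domainkey.zoo1     zoo1:mail2:/etc/opendkim/keys/zoo1/mail2.private
"""


def parse_table(text):
    """Split a table file into (key, value) pairs, skipping blank and # comment lines."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        rows.append((key, value.strip()))
    return rows


def refile_pattern(glob):
    """Model of refile: matching (assumption): '*' matches anything, the rest is
    literal, the whole address must match, case-insensitively."""
    parts = [re.escape(p) for p in glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_key_entry(value):
    """KeyTable values are domain:selector:keyfile; reject a value such as
    'zoo1 mail2:/path' (colon missing) instead of silently mis-signing."""
    fields = value.split(":", 2)
    if len(fields) != 3 or not all(fields):
        raise ValueError(f"malformed KeyTable entry {value!r}: want domain:selector:keyfile")
    return tuple(fields)


def key_entry_is_valid(value):
    """True if parse_key_entry accepts the value; handy for linting a KeyTable."""
    try:
        parse_key_entry(value)
        return True
    except ValueError:
        return False


def resolve_signing(sender, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Return (domain, selector, keyfile) for the first SigningTable pattern that
    matches the sender, or None: the 'no signing table match' case from the logs."""
    keys = dict(parse_table(key_table))
    for pattern, keyname in parse_table(signing_table):
        if refile_pattern(pattern).match(sender):
            if keyname not in keys:
                raise KeyError(f"SigningTable names {keyname!r} but KeyTable lacks it")
            return parse_key_entry(keys[keyname])
    return None


def dkim_signature_tags(sender):
    """The d= and s= tags a signature would carry for this sender, plus the DNS
    record a verifier would then fetch, or None when nothing would be signed."""
    hit = resolve_signing(sender)
    if hit is None:
        return None
    domain, selector, _keyfile = hit
    return {"d": domain, "s": selector, "dns_record": f"{selector}._domainkey.{domain}"}


if __name__ == "__main__":
    for addr in ("bananas@zoo", "Bananas@ZOO1", "bananas@zoo2"):
        print(addr, "->", dkim_signature_tags(addr))
```

Run it and the third address prints None, which is exactly the situation behind the "no signing table match" log line: the domain is simply absent from SigningTable, so nothing is signed and there is no error beyond that one message.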
Improvement-wise, I have doubled my signing key size over dkimproxy, and found out that DKIM is trivial to crack, but that's not really the point, as DKIM is something that can always be altered by us, is semi-tricky for somebody to set up and pretend to be somebody else, and is another barrier to making stuff easy.
I still have two more zoos to move and then it's farewell to dkimproxy.
I bet nobody notices.
I seem to have broken SPF on two domains (zoo3 and zoo2), which was once good, but the RFC says no. SPF is trivial to fix in comparison.
However, using the milter uses a lot less memory than the four dkimproxy processes I used before.
* not a satanic thing. ** several days later and, um, well, but at least I know what it does and how it works.
by golly but…