a few days with opendkim and dkim keys

The idea was to replace dkimproxy (my blog) with opendkim, which appears to run as one instance rather than the many dkimproxy needs, which could be an advantage. I have never used opendkim, so I spent a few days with it.

I decided to explore via Google and things seemed simple**, except that the /etc/default file goes unmentioned; however, with a bit of poking I got an up and running daemon*. It is not connected to anything and has no dns settings, but it is there.

I put a new key in dns and un-mangled dkimproxy and postfix. Then, with the milter configured, I tried to send an email, which postfix can't see. I think that's an acl issue on a host with two network cards, so I added the ip of the sending box.

My first experiences vary between an unexpected protocol error and there being nobody home where said milter should be:

fatal: 12345@localhost: garbage after numerical service
postfix/smtpd[6254]: fatal: host/service localhost/12345 not found: Name or service not known

I re-enable dkimproxy which works.

Testing opendkim is possible (as root):

opendkim-testkey -k /etc/opendkim/keys/domain/default.private -x /etc/opendkim.conf -vvv -s default -d zoo

So, sort of successful. If you get a message about the key being not secure, live with it; it's not permissions but key size, which you're going to read about later on. I use different selectors so I could keep dkimproxy working while figuring this out.

I restart on another day; this time I get opendkim going and get postfix to send email via some alternative google suggestions:

smtpd_milters = inet:
non_smtpd_milters =  $smtpd_milters
milter_default_action = accept
milter_protocol = 2

Anyhow, some adjusting leaves me with amavis (my blog) also being run. However, there is something up with the signing table:

opendkim[2100]: x: no signing table match for 'bananas@zoo'

Progress, in a fashion, is also indicated by the logs:

opendkim[2100]: x: [] [] not internal
opendkim[2100]: x: not authenticated
opendkim[2100]: x: no signature data

I set sv; this is verification in action with a yahoo webmail product with no dkim, and it shows that TrustedHosts is working. Giggle. However, some hosts are better, and this is from amavis (my blog), which shows it works well, seeing as I thought I was using dkimproxy for inbound dkim checks via some sort of perl:

Authentication-Results: mail2.zoo; dkim=pass
reason="2048-bit key; insecure key"
header.d=google.com header.i=@google.com header.b=chickens;
dkim-adsp=pass; dkim-atps=neutral

Key size seems an issue and worth a look, although dns txt record limits mean I can't do 4096-bit key signing, as that's 712 characters, not the max 512 I get to work with, so 2048 it is. It's not all bad news: dmarc (my blog) and spf pass, just no dkim.

I have issues with these lines:

KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/TrustedHosts

So it's back to hunting the issue, which seems to be a refile issue with KeyTable and SigningTable, which I comment out; opendkim -q is not too helpful.

I resort to:

Domain zoo
Selector mail2
KeyFile /etc/opendkim/keys/zoo/mail2.private

in opendkim.conf, and it signs rather than telling me to piss off.

That's not the end of it for me, as I have zoo1, zoo2 and others to add. That's why I wanted those refile things to work. But it's a start, as opendkim does something. However, that can wait.

I add zoo1 (a new domain, not zoo), which when I switched had a bad dns record:

reason="invalid (public key: OpenSSL error: bad base64 decode)"

So I redid the dns; it tested as 2048 size, but it seems you can only have one selector and domain in opendkim.conf. So it's back to the signing table. This is my screw up, but

KeyTable /etc/opendkim/KeyTable
#removed refile:
SigningTable refile:/etc/opendkim/SigningTable

works with contents something like the following. SigningTable looks like:

*@zoo mail2._domainkey.zoo
*@zoo1 mail2._domainkey.zoo1

That's a mask (bananas.falklands @ zoo), then the name of the public dkim dns record; zoo or zoo1 is a domain name.

KeyTable looks like:

mail2._domainkey.zoo zoo:mail2:/etc/opendkim/keys/zoo/mail2.private
mail2._domainkey.zoo1 zoo1:mail2:/etc/opendkim/keys/zoo1/mail2.private

A bridget jones moment in the monkey house

So KeyTable translates as the dkim dns record name, then the domain, the selector (-s mail2) and the private key; zoo (or zoo1) are domain names.
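As an added example (not from the post or from the opendkim project), a small check that catches both table mistakes described above before the milter is reloaded: a KeyTable entry whose domain:selector:keyfile value is missing a colon, and a SigningTable entry that names a KeyTable entry which does not exist. The table contents and file paths in it are constructed.

```shell
#!/bin/bash
# Added example, not from the post: sanity-check an OpenDKIM KeyTable and
# SigningTable pair before reloading the milter. It reports the two table
# mistakes the post runs into: a KeyTable entry whose domain:selector:keyfile
# value is missing a colon, and a SigningTable entry that names a KeyTable
# entry which does not exist. Table contents and paths are constructed.

# Print one diagnostic per KeyTable line that is not "name domain:selector:keyfile".
keytable_errors() {          # $1 = KeyTable
    awk '
    /^[ \t]*(#|$)/ { next }                                 # comments, blanks
    NF != 2 || split($2, f, ":") != 3 { printf "bad KeyTable line %d: %s\n", NR, $0 }
    ' "$1"
}

# Print one diagnostic per SigningTable entry whose target is not in the KeyTable.
signingtable_errors() {      # $1 = SigningTable, $2 = KeyTable
    awk '
    /^[ \t]*(#|$)/ { next }
    FNR == NR { keys[$1] = 1; next }                        # first file: KeyTable
    !($2 in keys) { printf "SigningTable line %d: no KeyTable entry %s\n", FNR, $2 }
    ' "$2" "$1"
}

# Constructed tables in the post's zoo/zoo1 layout. The zoo1 KeyTable line
# deliberately has a space where the colon after the domain belongs, and the
# SigningTable refers to a zoo2 key that was never added to the KeyTable.
write_sample_tables() {      # $1 = directory
    cat > "$1/KeyTable" <<'EOF'
mail2._domainkey.zoo  zoo:mail2:/etc/opendkim/keys/zoo/mail2.private
mail2._domainkey.zoo1 zoo1 mail2:/etc/opendkim/keys/zoo1/mail2.private
EOF
    cat > "$1/SigningTable" <<'EOF'
*@zoo  mail2._domainkey.zoo
*@zoo1 mail2._domainkey.zoo1
*@zoo2 mail2._domainkey.zoo2
EOF
}

dir=$(mktemp -d)
write_sample_tables "$dir"
keytable_errors "$dir/KeyTable"
signingtable_errors "$dir/SigningTable" "$dir/KeyTable"
rm -r "$dir"
```

Run it against the real /etc/opendkim tables by pointing the two functions at those files; no output means both tables are consistent.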

If your key files are not chown'ed to opendkim, then opendkim will bitch at you with permission denied errors and not load.

Improvement-wise, I have doubled my signing key size over dkimproxy, and found out that dkim is trivial to crack, but that's not really the point, as dkim is something that can always be altered by us, is semi-tricky for somebody to set up and pretend to be somebody else, and is another barrier to making stuff easy.

I still have two more zoos to move, and then it's farewell to dkimproxy.

I bet nobody notices.

I seem to have broken spf on two domains (zoo3 and zoo2), which was once good but the rfc says no. Spf is trivial to fix in comparison.

However, using the milter it uses a lot less memory than the four dkimproxy processes I used before.

* not a satanic thing.
** several days later and, um, well, but at least I know what it does and how it works.
