Why is OpenDKIM not signing and verifying my emails? (CentOS 6.5, Postfix & OpenDKIM)

postfix centos6.5 opendkim

5,141

For verifying email, you must set mode parameter in opendkim.conf as sv (s means signing, v means verifying). By default it will verifying all emails coming from outside InternalHosts.

In your current config, you just signing the message coming from InternalHosts.

5,141

user17502902

Updated on September 18, 2022

Comments

user17502902 almost 2 years

I'm running:

CentOS 6.5
Postfix 2.6.6
opendkim: OpenDKIM Filter v2.9.0
    Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        USE_DB
        USE_UNBOUND
    libopendkim 2.9.0:

I've installed Zarafa and everythign is running perfectly. I then tried to install OpenDKIM and have been having trouble. I installed this on another server I have running Zimbra and there were no problems at all. This server is not cooperating though. My /var/log/maillog file is not even showing ANY indications of openDKIM. Nothing is logging at all regarding opendkim.

My DNS records are properly added. (tested via DIG) I've tried two different config files but this is the current one:

AutoRestart             Yes
AutoRestartRate         10/1h
LogWhy                  Yes
Syslog                  Yes
SyslogSuccess           Yes
Mode                    s
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
Socket                  inet:8891@localhost
PidFile                 /var/run/opendkim/opendkim.pid
UMask                   022
UserID                  opendkim:opendkim
TemporaryDirectory      /var/tmp

Here is /etc/opendkim/SigningTable:

# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to outgoing messages based
# on the address found in the From: header field. In simple terms, this tells
# OpenDKIM "how" to apply your keys.

# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
# then uncomment one of the usage examples below and replace example.com with your
# domain name, then restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but will work only if
# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
# wildcards will not work. Instead, full user@host is checked first, then simply host,
# then [email protected] (with all superdomains checked in sequence, so "foo.example.com"
# would first check "[email protected]", then "[email protected]", then "[email protected]"),
# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
# "SigningTable" for more details.

#example.com default._domainkey.example.com
*@mydomain.com dk_default._domainkey.mydomain.com


Here is /etc/opendkim/KeyTable:

# OPENDKIM KEY TABLE
# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
# then uncomment the following line and replace example.com with your domain
# name, then restart OpenDKIM. Additional keys may be added on separate lines.

#default._domainkey.example.com example.comefault:/etc/opendkim/keys/default.private
dk_default._domainkey.mydomain.com mydomain.comk_default:/etc/opendkim/keys/mydomain.com/dk_default


Here is /etc/opendkim/TrustedHosts:
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
#host.example.com
#192.168.1.0/24
172.20.6.178
mydomain.com
zarafa.mydomain.com

EDIT:

/etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/opt/yaffas/etc/ssl/certs/postfix.crt
smtpd_tls_key_file=/opt/yaffas/etc/ssl/certs/postfix.key
smtpd_use_tls=yes
smtp_tls_security_level = may
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mydestination =
myorigin = $mydomain
mynetworks = [::1]/128, [::ffff:127.0.0.0]/104, 127.0.0.0/8
virtual_mailbox_domains = localhost, zarafa.mydomain.com, mydomain.com
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_alias_maps = regexp:/etc/postfix/virtual_users_global, hash:/opt/yaffas/config/postfix/local-aliases.cf, hash:/opt/yaffas/config/postfix/public-folder-aliases.cf, hash:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-aliases.cf
virtual_transport = lmtp:127.0.0.1:2003

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

content_filter = amavis:[127.0.0.1]:10024
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_restrictions = permit_mynetworks,
                             permit_sasl_authenticated,
                             reject_unauth_destination,
                             reject_unknown_recipient_domain,
                             check_client_access hash:/opt/yaffas/config/postfix/whitelist-postfix,
                             check_policy_service inet:127.0.0.1:12525,

sender_canonical_maps = hash:/etc/postfix/sender_canonical

transport_maps = hash:/opt/yaffas/config/postfix/transport-deliver-to-public
zarafa-publicfolder_destination_recipient_limit = 1
myhostname = zarafa.mydomain.com
message_size_limit = 20971520
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

/etc/postfix/master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       n       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
    -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -   -   n   -   1   scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# The Cyrus deliver program has changed incompatibly, multiple times.
#
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

amavis unix - - n - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks

zarafa-publicfolder unix -      n      n    -    10      pipe
     flags=DORu user=vmail argv=/opt/yaffas/libexec/mailalias/zarafa-deliver-to-public ${nexthop}

EDIT: Also, Why is OpenDKIM not verifying emails? When I send an email, I am always getting messages back in my log like this:

Oct 25 21:13:32 zarafa postfix/smtp[7201]: certificate verification failed for megawatt.resistor.net[208.69.177.116]:25: untrusted issuer /C=US/ST=New York/L=Brooklyn/O=Eland Systems/OU=Eland CA/CN=Eland/[email protected]

And, it doesn't matter where I send the message to. I've sent it to myself on a server that I KNOW is passing DKIM verification and I'm still getting it.

user17502902 over 9 years

I have added the .cf files as requested.
tpml7 over 9 years

Could you post maillog generated when you send email?
user17502902 over 9 years

It seems to be signing the emails now. However... I keep getting the following error in the logs: Oct 25 21:13:32 zarafa postfix/smtp[7201]: certificate verification failed for megawatt.resistor.net[208.69.177.116]:25: untrusted issuer /C=US/ST=New York/L=Brooklyn/O=Eland Systems/OU=Eland CA/CN=Eland/[email protected] [
user17502902 over 9 years

OK... I've done some more checking and I finally have the outgoing mails signing correctly. But none of the income emails are signing correctly. How can I fix this?
tpml7 over 9 years

What do you mean none of income emails are signing correctly? AFAIK Incoming emails are subject of verifying not signing...
tpml7 over 9 years

Could you update your question (or my answer below) to include the solutions of problem 'why opendkim not signing emails'?

user17502902 over 9 years

Okay, I've re-worded the title to a question. But, the "mode" suggestion that you gave did not fix my particular email. Again, to reiterate. My emails are signing and passing (outbound). But, when I send an outbound message, I'm getting a message back saying that the certificate verification failed for the remote server. The message goes through and all the tests are showing my message as signed and passed.