Why is OpenDKIM not signing and verifying my emails? (CentOS 6.5, Postfix & OpenDKIM)
For verifying email, you must set mode parameter in opendkim.conf
as sv
(s means signing, v means verifying). By default it will verifying all emails coming from outside InternalHosts.
In your current config, you just signing the message coming from InternalHosts.
Related videos on Youtube
user17502902
Updated on September 18, 2022Comments
-
user17502902 almost 2 years
I'm running:
CentOS 6.5 Postfix 2.6.6 opendkim: OpenDKIM Filter v2.9.0 Compiled with OpenSSL 1.0.1e-fips 11 Feb 2013 SMFI_VERSION 0x1000001 libmilter version 1.0.1 Supported signing algorithms: rsa-sha1 rsa-sha256 Supported canonicalization algorithms: relaxed simple Active code options: USE_DB USE_UNBOUND libopendkim 2.9.0:
I've installed Zarafa and everythign is running perfectly. I then tried to install OpenDKIM and have been having trouble. I installed this on another server I have running Zimbra and there were no problems at all. This server is not cooperating though. My /var/log/maillog file is not even showing ANY indications of openDKIM. Nothing is logging at all regarding opendkim.
My DNS records are properly added. (tested via DIG) I've tried two different config files but this is the current one:
AutoRestart Yes AutoRestartRate 10/1h LogWhy Yes Syslog Yes SyslogSuccess Yes Mode s Canonicalization relaxed/simple ExternalIgnoreList refile:/etc/opendkim/TrustedHosts InternalHosts refile:/etc/opendkim/TrustedHosts KeyTable refile:/etc/opendkim/KeyTable SigningTable refile:/etc/opendkim/SigningTable SignatureAlgorithm rsa-sha256 Socket inet:8891@localhost PidFile /var/run/opendkim/opendkim.pid UMask 022 UserID opendkim:opendkim TemporaryDirectory /var/tmp
Here is /etc/opendkim/SigningTable:
# OPENDKIM SIGNING TABLE # This table controls how to apply one or more signatures to outgoing messages based # on the address found in the From: header field. In simple terms, this tells # OpenDKIM "how" to apply your keys. # To use this file, uncomment the SigningTable option in /etc/opendkim.conf, # then uncomment one of the usage examples below and replace example.com with your # domain name, then restart OpenDKIM. # WILDCARD EXAMPLE # Enables signing for any address on the listed domain(s), but will work only if # "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf. # Create additional lines for additional domains. #*@example.com default._domainkey.example.com # NON-WILDCARD EXAMPLE # If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then # wildcards will not work. Instead, full user@host is checked first, then simply host, # then [email protected] (with all superdomains checked in sequence, so "foo.example.com" # would first check "[email protected]", then "[email protected]", then "[email protected]"), # then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under # "SigningTable" for more details. #example.com default._domainkey.example.com *@mydomain.com dk_default._domainkey.mydomain.com Here is /etc/opendkim/KeyTable: # OPENDKIM KEY TABLE # To use this file, uncomment the #KeyTable option in /etc/opendkim.conf, # then uncomment the following line and replace example.com with your domain # name, then restart OpenDKIM. Additional keys may be added on separate lines. #default._domainkey.example.com example.comefault:/etc/opendkim/keys/default.private dk_default._domainkey.mydomain.com mydomain.comk_default:/etc/opendkim/keys/mydomain.com/dk_default Here is /etc/opendkim/TrustedHosts: # OPENDKIM TRUSTED HOSTS # To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts # option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts # may be added on separate lines (IP addresses, hostnames, or CIDR ranges). # The localhost IP (127.0.0.1) should always be the first entry in this file. 127.0.0.1 #host.example.com #192.168.1.0/24 172.20.6.178 mydomain.com zarafa.mydomain.com
EDIT:
/etc/postfix/main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name biff = no append_dot_mydomain = no readme_directory = no smtpd_tls_cert_file=/opt/yaffas/etc/ssl/certs/postfix.crt smtpd_tls_key_file=/opt/yaffas/etc/ssl/certs/postfix.key smtpd_use_tls=yes smtp_tls_security_level = may alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all mydestination = myorigin = $mydomain mynetworks = [::1]/128, [::ffff:127.0.0.0]/104, 127.0.0.0/8 virtual_mailbox_domains = localhost, zarafa.mydomain.com, mydomain.com virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf virtual_alias_maps = regexp:/etc/postfix/virtual_users_global, hash:/opt/yaffas/config/postfix/local-aliases.cf, hash:/opt/yaffas/config/postfix/public-folder-aliases.cf, hash:/etc/postfix/ldap-group.cf, ldap:/etc/postfix/ldap-aliases.cf virtual_transport = lmtp:127.0.0.1:2003 smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = broken_sasl_auth_clients = yes content_filter = amavis:[127.0.0.1]:10024 smtpd_helo_required = yes smtpd_delay_reject = yes smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain, check_client_access hash:/opt/yaffas/config/postfix/whitelist-postfix, check_policy_service inet:127.0.0.1:12525, sender_canonical_maps = hash:/etc/postfix/sender_canonical transport_maps = hash:/opt/yaffas/config/postfix/transport-deliver-to-public zarafa-publicfolder_destination_recipient_limit = 1 myhostname = zarafa.mydomain.com message_size_limit = 20971520 smtpd_milters = inet:127.0.0.1:8891 non_smtpd_milters = $smtpd_milters milter_default_action = accept milter_protocol = 2
/etc/postfix/master.cf:
# # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master"). # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (yes) (never) (100) # ========================================================================== smtp inet n - n - - smtpd #submission inet n - n - - smtpd # -o smtpd_enforce_tls=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject #smtps inet n - n - - smtpd # -o smtpd_tls_wrappermode=yes # -o smtpd_sasl_auth_enable=yes # -o smtpd_client_restrictions=permit_sasl_authenticated,reject #628 inet n - n - - qmqpd pickup fifo n - n 60 1 pickup cleanup unix n - n - 0 cleanup qmgr fifo n - n 300 1 qmgr #qmgr fifo n - n 300 1 oqmgr tlsmgr unix - - n 1000? 1 tlsmgr rewrite unix - - n - - trivial-rewrite bounce unix - - n - 0 bounce defer unix - - n - 0 bounce trace unix - - n - 0 bounce verify unix - - n - 1 verify flush unix n - n 1000? 0 flush proxymap unix - - n - - proxymap smtp unix - - n - - smtp # When relaying mail as backup MX, disable fallback_relay to avoid MX loops relay unix - - n - - smtp -o fallback_relay= # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error discard unix - - n - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - n - - lmtp anvil unix - - n - 1 anvil scache unix - - n - 1 scache # # ==================================================================== # Interfaces to non-Postfix software. Be sure to examine the manual # pages of the non-Postfix software to find out what options it wants. # # Many of the following services use the Postfix pipe(8) delivery # agent. See the pipe(8) man page for information about ${recipient} # and other message envelope options. # ==================================================================== # # maildrop. See the Postfix MAILDROP_README file for details. # Also specify in main.cf: maildrop_destination_recipient_limit=1 # maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient} # # The Cyrus deliver program has changed incompatibly, multiple times. # old-cyrus unix - n n - - pipe flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user} # Cyrus 2.1.5 (Amos Gouaux) # Also specify in main.cf: cyrus_destination_recipient_limit=1 cyrus unix - n n - - pipe user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user} # # See the Postfix UUCP_README file for configuration details. # uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) # # Other external delivery methods. # ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient amavis unix - - n - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions=reject_unauth_pipelining -o smtpd_end_of_data_restrictions= -o mynetworks=127.0.0.0/8 -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks zarafa-publicfolder unix - n n - 10 pipe flags=DORu user=vmail argv=/opt/yaffas/libexec/mailalias/zarafa-deliver-to-public ${nexthop}
EDIT: Also, Why is OpenDKIM not verifying emails? When I send an email, I am always getting messages back in my log like this:
Oct 25 21:13:32 zarafa postfix/smtp[7201]: certificate verification failed for megawatt.resistor.net[208.69.177.116]:25: untrusted issuer /C=US/ST=New York/L=Brooklyn/O=Eland Systems/OU=Eland CA/CN=Eland/[email protected]
And, it doesn't matter where I send the message to. I've sent it to myself on a server that I KNOW is passing DKIM verification and I'm still getting it.
-
user17502902 over 9 yearsI have added the .cf files as requested.
-
tpml7 over 9 yearsCould you post maillog generated when you send email?
-
user17502902 over 9 yearsIt seems to be signing the emails now. However... I keep getting the following error in the logs: Oct 25 21:13:32 zarafa postfix/smtp[7201]: certificate verification failed for megawatt.resistor.net[208.69.177.116]:25: untrusted issuer /C=US/ST=New York/L=Brooklyn/O=Eland Systems/OU=Eland CA/CN=Eland/[email protected] [
-
user17502902 over 9 yearsOK... I've done some more checking and I finally have the outgoing mails signing correctly. But none of the income emails are signing correctly. How can I fix this?
-
tpml7 over 9 yearsWhat do you mean none of income emails are signing correctly? AFAIK Incoming emails are subject of verifying not signing...
-
tpml7 over 9 yearsCould you update your question (or my answer below) to include the solutions of problem 'why opendkim not signing emails'?
-
-
user17502902 over 9 yearsOkay, I've re-worded the title to a question. But, the "mode" suggestion that you gave did not fix my particular email. Again, to reiterate. My emails are signing and passing (outbound). But, when I send an outbound message, I'm getting a message back saying that the certificate verification failed for the remote server. The message goes through and all the tests are showing my message as signed and passed.