
I've set up opendkim (2.10) with postfix on an ubuntu 16.04 host. According to the logs, all is fine (i.e., no errors), but mail isn't being signed. I can see that postfix is passing messages to OpenDKIM (because if I stop opendkim, postfix complains that it's not there), but I have no visibility into OpenDKIM itself.

This is the config I've got:

opendkim.conf:

Canonicalization        relaxed/relaxed
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
MinimumKeyBits          1024
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SigningTable            refile:/etc/opendkim/SigningTable
# Must agree with value in /etc/default/opendkim.
Socket                  inet:8891@localhost
## Postfix puts itself in a chroot jail and can't see this in the
## default location.  So just use TCP.
# Socket                  local:/var/run/opendkim/opendkim.sock
Syslog                  Yes
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  opendkim:opendkim

# Always oversign From (sign using actual From and a null From to prevent malicious
# signatures header fields (From and/or others) between the signer and the verifier)
OversignHeaders         From

# Hashing Algorithm
SignatureAlgorithm      rsa-sha256

# Auto restart when the failure occurs. CAUTION: This may cause a tight fork loop
AutoRestart             Yes

KeyTable:

nantes-1.p27.eu   p27.eu:mail:/etc/opendkim/p27.eu.key

SigningTable:

*@p27.eu                 nantes-1.p27.eu
*@transport-nantes.com   nantes-1.p27.eu

TrustedHosts:

127.0.0.1

postfix/main.cf:

# [...]

# OpenDKIM
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
# Postfix v3 so milter protocol 6 and not 2.
milter_protocol         = 6
# There was a time, at least, when "auth_type" was not passed by default.
# I've not been able to determine if this still matters or not.
# (main.cf values are not quoted; a literal " would become part of the first macro name.)
milter_mail_macros      = i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen}

Testing:

Sending mail leads to no errors in the logs, but the message is not dkim-signed. When I test locally, I see this:

[T] jeff@nantes-1:~ $ opendkim-testkey -d p27.eu -s mail -vvvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.p27.eu'
opendkim-testkey: key not secure
opendkim-testkey: key OK
[T] jeff@nantes-1:~ $ opendkim-testkey -d transport-nantes.com -s mail -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mail._domainkey.transport-nantes.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
[T] jeff@nantes-1:~ $ 

Any suggestions what I've done wrong or how to debug further?

Addendum: solution

The ubuntu 16.04 OpenDKIM solution spawns OpenDKIM thus:

/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost

The solution was to use /etc/opendkim.conf rather than /etc/opendkim/opendkim.conf. (Somewhere I'd read /etc/opendkim/opendkim.conf, correctly or incorrectly, and I forever after read both as the same.)

  • postfix chroots into a fixed directory, which you can place a socket into from the outside (`Socket local:/var/spool/postfix/opendkim/milter.sock` works with appropriate file/directory perms) - so a socket might be preferable to keep firewall config simple. – anx Oct 13 '20 at 19:32
  • It is listening on ipv6. – jma Oct 14 '20 at 09:09
  • The firewall blocks undesired ports, and listening on localhost (127.0.0.1) doesn't permit external connections anyway. Maybe there's another reason to use a unix domain socket instead, but I'd like to get this working first. – jma Oct 14 '20 at 09:11
  • This is resolved. It was a strange ubuntu artefact. See above. – jma Oct 14 '20 at 16:24

1 Answer

The ubuntu 16.04 OpenDKIM solution spawns OpenDKIM thus:

/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim \
    -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost

The solution was to use /etc/opendkim.conf rather than /etc/opendkim/opendkim.conf. (Somewhere I'd read /etc/opendkim/opendkim.conf, correctly or incorrectly, and I forever after read both as the same.)

In other words, this was a combination of a known bug in human brains (see something close to right and see the same thing each time thereafter) and a weird convention violation by OpenDKIM (typically one makes a subdirectory of /etc/ rather than putting files directly in /etc/, especially if you'll later need more files).

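The two things that would have shortened this debugging session are (a) confirming which opendkim.conf the running daemon was actually started with (the `-x` argument on its command line, as in the answer above) and (b) checking, outside the mail path, which KeyTable entry the SigningTable would select for a given sender. The script below is an added example, not code from the question, the answer or the OpenDKIM project. It embeds copies of the question's SigningTable and KeyTable and of the Ubuntu 16.04 launch line as constructed sample data so it runs offline; the `refile:` glob matching is reproduced with a shell `case` statement, and the `--run` mode falls back to the sample command line when no opendkim process is found.

```shell
#!/bin/sh
# Added example (not from the original post or OpenDKIM): find out which
# opendkim.conf the running daemon reads, and resolve which key would sign a
# given sender according to the SigningTable/KeyTable from the question.
# Assumptions: the daemon is started with "-x <conf>" as on Ubuntu 16.04, and
# both tables use the refile: (glob) syntax as in the question.

# Constructed sample of the Ubuntu 16.04 launch line quoted in the answer.
SAMPLE_CMDLINE='/usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p inet:8891@localhost'

# Copies of the question's tables, embedded so the script runs offline.
SIGNING_TABLE='*@p27.eu                 nantes-1.p27.eu
*@transport-nantes.com   nantes-1.p27.eu'
KEY_TABLE='nantes-1.p27.eu   p27.eu:mail:/etc/opendkim/p27.eu.key'

# Print the path given with -x on an opendkim command line (empty if none).
config_from_cmdline() {
    printf '%s\n' "$1" | sed -n 's/.*-x[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Command line of the live daemon, if any (empty when it is not running).
running_cmdline() {
    ps -eo args 2>/dev/null | grep '^[^ ]*opendkim ' | head -n 1
}

# Succeed only when the file you edited is the file the daemon reads.
config_paths_agree() {
    edited=$1; used=$2
    [ -n "$used" ] && [ "$edited" = "$used" ]
}

# Resolve sender -> KeyTable value the way refile: tables are consulted: the
# lower-cased address is matched against each SigningTable glob in order; the
# first hit names a KeyTable row, whose value is domain:selector:keyfile.
# Returns 1 (and prints nothing) when no glob matches, i.e. mail stays unsigned.
signing_key_for() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    keyname=$(printf '%s\n' "$SIGNING_TABLE" | while read -r pat name; do
        case "$pat" in ''|'#'*) continue ;; esac
        # unquoted $pat makes case treat it as a shell glob, like refile: does
        case "$addr" in $pat) printf '%s\n' "$name"; break ;; esac
    done)
    [ -n "$keyname" ] || return 1
    printf '%s\n' "$KEY_TABLE" | awk -v k="$keyname" '$1 == k { print $2; exit }'
}

# Stand-alone run: "sh this.sh --run" reports what the daemon reads and which
# key would sign each of three constructed sender addresses.
if [ "${1:-}" = "--run" ]; then
    live=$(running_cmdline)
    used=$(config_from_cmdline "${live:-$SAMPLE_CMDLINE}")
    echo "daemon reads: ${used:-<no -x given, built-in default>}"
    config_paths_agree /etc/opendkim/opendkim.conf "$used" || \
        echo "WARNING: /etc/opendkim/opendkim.conf is not the file the daemon reads"
    for a in jeff@p27.eu jeff@transport-nantes.com jeff@example.org; do
        echo "$a -> $(signing_key_for "$a" || echo 'no SigningTable match, not signed')"
    done
fi
```

With the question's tables, `jeff@p27.eu` and `jeff@transport-nantes.com` both resolve to `p27.eu:mail:/etc/opendkim/p27.eu.key` (note that mail from the second domain is signed with the p27.eu key, so its d= will be p27.eu), while an address in any other domain matches no glob and would leave the milter unsigned. On the host in the question, `config_paths_agree /etc/opendkim/opendkim.conf /etc/opendkim.conf` fails, which is exactly the mismatch the answer describes.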