I'm setting up opendkim on Linux. When I send an email, the dkim does not pass. In doing diagnostics I ran. opendkim-testkey -v -v and it returned, opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: record 0 for 'default._domainkey.mydomain.com' retrieved opendkim-testkey: load of key 'default._domainkey.mydomain.com' failed why doesn't the key load? I can't detect any errors in /var/log/mail.log.

i have question about the flow that an incoming email message goes trough the Postfix processes. According to Postfix documentation here: https://www.postfix.org/MILTER_README.html it seems to be that the message received via the smtpd daemon will first be processed by the configured milters and after that by the cleanup process before placed inside the queue. So - the path should be smtpd -> milters -> cleanup -> queue ... Looks fine, however i wonder why my log file looks like this - as you can see, the **cleanup** process log line comes **BEFORE** the lines written by the milters (**opendkim,opendmarc**)

2024-08-13T13:21:36.990607+03:00 mail postfix/smtp-p25/smtpd: F1CA9147E41: client= ...
2024-08-13T13:21:36.996145+03:00 mail postfix/cleanup: F1CA9147E41: message-id= ...
2024-08-13T13:21:37.033494+03:00 mail opendkim: F1CA9147E41: ... not internal
2024-08-13T13:21:37.033677+03:00 mail opendkim: F1CA9147E41: not authenticated
2024-08-13T13:21:37.044464+03:00 mail opendkim: F1CA9147E41: DKIM verification successful
2024-08-13T13:21:37.044608+03:00 mail opendkim: F1CA9147E41: s=smtp-out d=... a=rsa-sha256 SSL
2024-08-13T13:21:37.265707+03:00 mail opendmarc: F1CA9147E41: SPF(mailfrom): ... pass
2024-08-13T13:21:37.268392+03:00 mail opendmarc: F1CA9147E41: ... pass
2024-08-13T13:21:37.310273+03:00 mail postfix/qmgr: F1CA9147E41: from=, size=1648, nrcpt=1 (queue active)
2024-08-13T13:21:37.327950+03:00 mail postfix/lmtp: F1CA9147E41: to=, ...
2024-08-13T13:21:37.328497+03:00 mail postfix/qmgr: F1CA9147E41: removed

It looks like the milters are called asynchronously?

I am trying to build OpenDKIM from source. For some reason, the build is not supporting SHA-256, even when the OpenSSL version I am building with uses SHA-256. How is this possible ? I run:

./configure --with-openssl=/path/to/openssl/ssl

Then make and make install as usual. Checking opendkim -V shows the only supported algorithm is sha1. What is going wrong ? I have tried build with the latest stable OpenDKIM version 2.10.3 and the pre-release 2.11.0. Both have the same error. Is openssl somehow not being correctly linked ? I am really stuck here - any help is appreciated !

I am having an issue with not finding the public key of DKIM. I am using a local DNS (BIND), so there isn’t a problem with propagating. I just copypasted the output of given generated public key into my DNS Zone

user@test:~$ sudo opendkim-testkey -d domain.com -s default -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.domain.com'
opendkim-testkey: 'default._domainkey.domain.com' record not found

When I use dig, I can find the TXT record:

user@test:~$ dig TXT default._domainkey.domain.com

;; ANSWER SECTION:
default._domainkey.domain.com. 604800 IN TXT "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7CxWakZ+6jE5xpwlwV1ifu++ogiKUdo+6ByIVpmsZul4KM+TN7XfD8GeqXsQYWAwfXlFO+DWwTzASfSxcl3FqE8rXt2hfDTjz/9lGAvz3qJdSXSE3GarPzBxSmuEp8kjh9JAxgRP9CCdWhsTpfakOUbh3fzlIskAUeNtrv1gUMFrS8TQnjADvkd7sRkv5gwH0HmKNRtAX/PSJg" "QGgULTLraVB9zPc1dPzxt7RieW+bg/6Mnf0DN6E6VYUZPNGktNB2cjLSKCNQW2FU2z+TU3MRFu09u7PFbm28HA38mBaMZfC9+3l/trKtr4NkF17mKBmPoW9wfWLm1gk+4mh1L4oQIDAQAB"

I made sure I have the right selector and even tried this

user@test:~$ sudo opendkim-testkey -d domain.com -s default -vvv -k default.private
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'default._domainkey.domain.com'
opendkim-testkey: 'default._domainkey.domain.com' record not found

Any idea what went wrong?

I know that debian 8 (Jessie) is deprecated, but I have a debian 8 server that cannot be upgraded in the near future. I'm keeping that server running, and for the most part, so far, so good. However ... I'd like to install the opendkim and opendkim-tools packages on this server, and I can't find those packages in any apt repos. Does anyone know of any 3rd-party apt repo from which I could obtain the debian 8 packages for opendkim and opendkim-tools? Thank you very much in advance.

I'm trying to script the deployment of a postfix server, and creating DNS records accordingly. SPF ; DMARC and DKIM. The first two are pretty simple, but i'm struggling to extract the record from the file opendkim generated. This is the file that opendkim gives me :

mail._domainkey	IN	TXT	( "v=DKIM1; h=sha256; k=rsa; t=y; "
	  "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK9yGy7orNIceonobdyTxr0USLo9XlWoo2/hg5MU5Ix+7bKFN0exJIUEeNLDAOYXWZe/0vQZan3+vnry9v3pVxqwpNp/92/xbp0pILJBzc1i5YXFe60XAlBBWq+Y9UAY2uXXsiFY4IUmhGZdMCubuHguWy/R2HDmCwrtN5vn0XfQIDAQAB" )  ; ----- DKIM key mail for localhost

I would like an output suitable for dns records like

"v=DKIM1; h=sha256; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDK9yGy7orNIceonobdyTxr0USLo9XlWoo2/hg5MU5Ix+7bKFN0exJIUEeNLDAOYXWZe/0vQZan3+vnry9v3pVxqwpNp/92/xbp0pILJBzc1i5YXFe60XAlBBWq+Y9UAY2uXXsiFY4IUmhGZdMCubuHguWy/R2HDmCwrtN5vn0XfQIDAQAB"

I've tried several things, but i can't even extract what's between parenthesis with the commands i've found here : https://unix.stackexchange.com/questions/103004/grep-regex-only-for-match-anything-between-parenthesis It looks like there's some line return problems or i don't know Thanks for reading, sorry for bad english ! Have a nice day

There is a mail server (postfix), which has DKIM, SPF and DMARC policies configured.
All of them are PASSED, system works perfect.
As an administrator, I receive these kind of letters everyday: Subject: Report Domain: mydomain.com, example.com Report-ID and the content message like this:
Find attached the DMARC Aggregate Report. Does my mail server also send reports to other mail servers?
How can I edit content of message?

For example, I want to write: This DMARC report is generated automatically

I have a series of Inbound email servers and virtual domains that send out email via one smtp outbound server. We do absolutely no SPAMMING or Bulkmail of any kind. outbound server is Centos 7, postfix, dovecot (handles some inbound), sasl2 setup. Each of the servers has a DNS Record with an SPF allowing the IP4 of the outbound mail server to deliver mail on their behalf. v=spf1 mx a ip4:nn.mm.xxx.yyy -all On one of the inbound servers I have also added a _dmarc record to the DNS (trying to solve this gmail problem) v=DMARC1; p=none; Gmail keeps inconsistently bouncing the mail. I suspect some of their workers are configured differently to others. Also suspect this is a means to getting everyone on their domain (but that's for another day) I have the domain verified on postmaster.google.com but no actual stats show up (I'm guessing the traffic is too low) I get two messages typically Error 550, "5.7.1", Unauthenticated email is not accepted from this domain. & 550-5.7.1 [45.79.214.141 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. but the message content is literaly just regular text email with no links. I am looking at implementing DKIM on the outbound server but given this is sending mails from various other domains wanted to understand how this configuration could be made to work. Questions. 1. Does DKIM need to be done differently for each mail domain ? 2. How does implementing DKIM affect Gmail and will it solve the bounce problem any research links, suggestions or explanations gratefully accepted.

## Background Hello, [OpenDKIM](http://www.opendkim.org/docs.html) is available on the [official apk repository](https://git.alpinelinux.org/aports/tree/community/opendkim/APKBUILD) , but does not include important configuration flags I need such as --with-odbx and --with-sql-backend. I was able to compile it relatively easily. *However*, the resulting OpenDKIM binary cannot verify DKIM headers since it does not support RSA-SHA256. I found this odd since apk add opendkim *does* support RSA-SHA256. ## Question How can I compile OpenDKIM on Alpine 3.14 with these additional configuration flags *and* still have support for RSA-SHA256? ## Steps to reproduce First, I pre-downloaded OpenDKIM 2.11.0-Beta2 and OpenDBX 1.4.6 into a packages folder.

mkdir packages
wget -P packages \
  https://github.com/trusteddomainproject/OpenDKIM/archive/refs/tags/2.11.0-Beta2.tar.gz  \ 
  http://linuxnetworks.de/opendbx/download/opendbx-1.4.6.tar.gz 

Then I wrote this Dockerfile, based mainly on the [APKBUILD file](https://git.alpinelinux.org/aports/tree/community/opendkim/APKBUILD) .

FROM alpine:3.14

COPY packages /opt/data

RUN apk add --no-cache \
    alpine-sdk \
    automake \
    autoconf \
    db-dev \
    libtool \
    mariadb-dev \
    readline-dev \
  && cd /opt/data \
  && tar xzf opendbx-1.4.6.tar.gz \
  && cd opendbx-1.4.6/ \
  && CPPFLAGS="-I/usr/include/mysql" ./configure --with-backends="mysql" \
  && make install

RUN apk add --no-cache \
    openssl-dev \
    libmilter-dev \
  && cd /opt/data \
  && tar xzf 2.11.0-Beta2.tar.gz \
  && cd OpenDKIM-2.11.0-Beta2 \
  && autoreconf -vif \
  && ./configure \
    --sysconfdir=/etc/opendkim \
    --with-odbx \
    --with-openssl=/usr/lib \
    --with-sql-backend \
  && make \
  && make install

Then I built and ran the docker image:

docker build -t opendkim-alpine .
docker run opendkim-alpine opendkim -V

Notice rsa-sha256 is missing from the "Supported signing algorithms. Compare to the output here:

docker run alpine:3.14 ash -c 'apk add opendkim && opendkim -V'

## Notes - ./configure failed to complete with an error that libssl could not be found until I specified --with-openssl=/usr/lib. I think this may hint that I need to pass LDFLAGS or CFLAGS, but I don't know what those should be. - [Debian Buster *does* include the compilation flags I need](https://packages.debian.org/buster/opendkim) . - In the APKBUILD file, I have no idea what the values of CFLAGS are and I couldn't easily figure out what default_prepare does. It seems relatively opaque and difficult to find the answers to these questions except by experiment. - I've seen [other attempts](https://github.com/LordVeovis/docker-opendkim/blob/master/Dockerfile) which create an entire alpine build environment and use sed to modify the APKBUILD file to include extra flags. This seemed like overkill. - For Googlers, the error message I get when trying to run opendkim in verify mode is opendkim: verify mode requires rsa-sha256 support.

The mail.err has this (I've used FQDN.example.com as a marker for my domain): Mar 24 19:08:31 FQDN opendkim: can't load key from /etc/opendkim/keys/FQDN.example.com/mail.private: Permission denied Mar 24 19:08:31 FQDN opendkim: D1EBB1204E1: error loading key 'mail._domainkey.FQDN.example.com' But when I run opendkim-testkey -d FQDN.example.com -s mail -vvvvv I get opendkim-testkey: using default configfile /etc/opendkim.conf opendkim-testkey: checking key 'mail._domainkey.FQDN.example.com' opendkim-testkey: key not secure opendkim-testkey: key OK The reason the key is not secure because I set it to chmod 777 when I thought that the denied permissions had something to do with the file permissions. What is going on here? Using Debian 10.

I am currently trying to set up opendkim mainly as a verifier and have come across the following passage in the man page for its configuration file (man opendkim.conf): > BogusKey (string)
Instructs the filter to treat a passing signature > associated with a bogus (forged) key in a special way. Possible > values are neutral (return a "neutral" result), none (take no > special action) and fail (return a "fail" result; this is the > default). I have thought a while about that passage, but I don't get it. What exactly is a "bogus key" in that context? After all, a signature can only pass if it has been encrypted with the one private key which matches the signing domain's public key, which in turn is queried by the verifier upon verification. So how can a bogus key be associated with a passing signature?

I'm attempting to configure opendkim on my raspberry email server that has a dovecot/postfix setup already configured. I have followed some tutorials and some forum posts to further diagnose my issue. Excerpt from my syslog: Apr 16 08:55:06 raspberrypi postfix/smtpd: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory When I go to check if the file exists. It is not there. This leads me to believe that either my opendkim.conf file is either being ignored, or there is a permissions issue. However i have not been able to resolve this with my attempts. Tutorial I Followed Below is a question I referenced unix:/var/run/opendkim/opendkim.sock: No such file or directory I can't find the forum post that lead me to believe that this is an OS issue (Raspbian/Stretch), however there was one out there dated at SEP 2017 Another post I tried: https://serverfault.com/questions/796742/connect-to-milter-service-unix-var-run-opendkim-opendkim-sock-no-such-file-or **EDIT 1:** The result of attempting to manually start the opendkim.service Apr 18 15:49:29 raspberrypi systemd[1] : opendkim.service: Unit entered failed state. Apr 18 15:49:29 raspberrypi systemd[1] : opendkim.service: Failed with result 'exit-code'. Apr 18 15:49:29 raspberrypi systemd[1] : opendkim.service: Service hold-off time over, scheduling restart. Apr 18 15:49:29 raspberrypi systemd[1] : Stopped OpenDKIM DomainKeys Identified Mail (DKIM) Milter. Apr 18 15:49:29 raspberrypi systemd[1] : opendkim.service: Start request repeated too quickly. Apr 18 15:49:29 raspberrypi systemd[1] : Failed to start OpenDKIM DomainKeys Identified Mail (DKIM) Milter. Apr 18 15:49:29 raspberrypi systemd[1] : opendkim.service: Unit entered failed state. Apr 18 15:49:29 raspberrypi systemd[1] : opendkim.service: Failed with result 'exit-code'.

I'm following this guide https://www.linuxtechi.com/configure-domainkeys-with-postfix-on-centos-7/ When I get to this section, it gives an error # opendkim-default-keygen Generating default DKIM keys: Cannot determine host's domain name, so skipping default key generation. I do have my hostname set # hostname domain.org # cat /etc/hostname domain.org # cat /etc/hosts # Your system has configured 'manage_etc_hosts' as True. # As a result, if you wish for changes to this file to persist # then you will need to either # a.) make changes to the master file in /etc/cloud/templates/hosts.redhat.tmpl # b.) change or remove the value of 'manage_etc_hosts' in # /etc/cloud/cloud.cfg or cloud-config from user-data # # The following lines are desirable for IPv4 capable hosts 127.0.0.1 domain domain.org 127.0.0.1 localhost.localdomain localhost 127.0.0.1 localhost4.localdomain4 localhost4 # The following lines are desirable for IPv6 capable hosts ::1 domain domain.org ::1 localhost.localdomain localhost ::1 localhost6.localdomain6 localhost6 # cat /etc/sysconfig/network NETWORKING=yes HOSTNAME=domain.org NOZEROCONF=yes (I replaced all instances of the domain name with domain.) Other pages on the web only say to set the hostname, which is set. # cat /etc/centos-release CentOS Linux release 7.5.1804 (Core)

Some server send email without Date header, and Thunderbird doesn't recognize the date.So, I want to use following settings and add Date header. local_header_rewrite_clients = permit_inet_interfaces, ermit_sasl_authenticated always_add_missing_headers = yes But postfix.org says this may break DKIM signatures. Is there a way to add Date headers withoud break DKIM signatures ? (My mail server using DKIM.) Example of no Date header mail : Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on example.net X-Spam-Level: *** X-Spam-Status: No, score=3.7 required=8.0 tests=CONTENT_TYPE_PRESENT, FROM_MISSP_EH_MATCH,IP_LINK_PLUS,ISO2022JP_BODY,ISO2022JP_CHARSET, MISSING_DATE,MISSING_MID,NORMAL_HTTP_TO_IP,ONEGAI,QENCPTR1,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,RENRAKU,SPF_HELO_PASS,SPF_SOFTFAIL,TO_NO_BRKTS_FROM_MSSP autolearn=no autolearn_force=no version=3.4.0 X-Original-To: xxxxx@example.net Delivered-To: xxxxx@example.net Received: from xxxxx.example.org (xxxxx.example.org [xxx.xxx.xxx.xxx]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by example.net (Postfix) with ESMTPS id D53991D45 for ; Wed, 5 Sep 2018 20:44:48 +0900 (JST) DKIM-Filter: OpenDKIM Filter v2.11.0 example.net D53991D45 Received: from xxxxx.example.org (xxxxx.example.org [xxx.xxx.xxx.xxx]) by xxxxx.example.org (Postfix) with ESMTP id 77EFF8DC01 for ; Wed, 5 Sep 2018 20:44:48 +0900 (JST) Received: (qmail 23991 invoked by uid 101); 5 Sep 2018 20:44:43 +0900 Received: from unknown (HELO xxxxx.example.org) (xxx.xxx.xxx.xxx) by 0 with SMTP; 5 Sep 2018 20:44:43 +0900 Subject: ---email subject--- From: ---email subject--- To: ---email subject--- MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-2022-JP Content-Transfer-Encoding: 7bit X-Mailer: Bap Version1 ---email body---

I'm using Fedora 28 x64 on a VPS. I've setup postfix as send-only mail server with OpenDKIM for signing outgoing emails. Postfix connects to OpenDKIM via unix socket setup on

/run/opendkim/opendkim.sock

Permission for

/run/opendkim/

is as follows

------.  2 opendkim opendkim   80 Jul 13 00:05 opendkim

For Postfix to connect to the OpenDKIM milter, I've changed

to

in the OpenDKIM unit file and added

=0750

. Here's the entire

.service

file. Location:

/usr/lib/systemd/system/opendkim.service

[Unit] Description=DomainKeys Identified Mail (DKIM) Milter Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html After=network.target remote-fs.target nss-lookup.target syslog.target [Service] Type=forking User=opendkim Group=postfix PIDFile=/run/opendkim/opendkim.pid EnvironmentFile=-/etc/sysconfig/opendkim ExecStart=/usr/sbin/opendkim $OPTIONS ExecReload=/bin/kill -USR1 $MAINPID RuntimeDirectory=opendkim RuntimeDirectoryMode=0750 [Install] WantedBy=multi-user.target The issue I'm facing is that the

,

,

values are only applied when I restart the OpenDKIM service manually. OpenDKIM is enabled to run on system boot via

enable opendkim

. But after rebooting the VPS, the directory permissions are the same.

------.  2 opendkim opendkim   80 Jul 13 00:05 opendkim

I've to run

restart opendkim

for the permissions to change to

-x---.  2 opendkim postfix   80 Jul 13 00:05 opendkim

Any idea why this happens? Anything I'm missing here?