OpenDKIM is a way to sign your outgoing e-mails with DKIM. It nicely integrates into a Postfix setup and exists as the opendkim package on Debian and Ubuntu (and probably other distributions, too).
Note: A good DKIM setup how-to can be found on Linode.
Once the DKIM entries were created and the resulting DNS record added to the DNS zone (domain), there's the opendkim-testkey command to verify the setup.
This verifies that the public DNS record matches the local DKIM key. The latter is used to sign the outgoing e-mails.
But on this particular mail server, the command returned an error:
root@mailserver:~# opendkim-testkey -d example.com -s dkim -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'dkim._domainkey.example.com'
opendkim-testkey: 'dkim._domainkey.example.com' query timed out
First I suspected a problem with the local DNS resolver defined in /etc/resolv.conf. But, as it turns out, OpenDKIM by default resolves DNS queries itself, starting directly at the DNS root servers. This behaviour comes from the TrustAnchorFile option in /etc/opendkim.conf:
root@mailserver:~# tail /etc/opendkim.conf
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
If your machine doesn't allow outgoing DNS queries (to the Internet), then you run into this timeout error.
As you can see at the end of /etc/opendkim.conf, there's a Nameservers option, disabled by default. With it we can tell OpenDKIM to send its queries to a specified DNS resolver instead of the DNS root servers:
root@mailserver:~# tail /etc/opendkim.conf
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
#TrustAnchorFile /usr/share/dns/root.key
Nameservers 192.168.53.53
The Nameservers option is now enabled and points to a local DNS resolver, which handles the DNS queries from now on.
After a restart of the OpenDKIM service, the opendkim-testkey command works. The "key not secure" line only reports that the answer was not DNSSEC-validated, which is expected now that TrustAnchorFile is commented out:
root@mailserver:~# systemctl restart opendkim
root@mailserver:~# opendkim-testkey -d example.com -s dkim -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'dkim._domainkey.example.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK
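As an added example (not code from the original post or from the OpenDKIM project), the following shell helpers redo the comparison opendkim-testkey performs, published p= value against the local public key, but query the resolver named by the Nameservers option rather than the root servers. The key and config paths handed to dkim_check_live, and the sample data at the bottom, are assumptions constructed for this example.

```shell
# Added example: compare the DKIM TXT record published in DNS with the
# local key, using the resolver from the Nameservers option.

# Print the first resolver of an enabled Nameservers line read on stdin;
# prints nothing when the option is commented out (OpenDKIM then asks
# the root servers itself).
dkim_conf_nameserver() {
    awk '/^[[:space:]]*Nameservers[[:space:]]+/ { sub(/,.*/, "", $2); print $2; exit }'
}

# Reduce a DKIM TXT record, possibly split into several quoted strings,
# to the bare base64 value of its p= tag (empty for a revoked key).
dkim_p_from_txt() {
    printf '%s' "$1" | tr -d '" \t\n' | tr ';' '\n' | sed -n 's/^p=//p'
}

# Reduce a PEM public key on stdin to the single-line base64 body
# that belongs in the p= tag.
dkim_p_from_pem() {
    grep -v -e '-----' | tr -d '\n'
}

# Succeed only when both values are present and identical.
dkim_keys_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Live check: selector, domain, private key file, opendkim.conf path.
# Needs dig and openssl; honours Nameservers when it is set.
dkim_check_live() {
    name="$1._domainkey.$2"
    ns=$(dkim_conf_nameserver < "${4:-/etc/opendkim.conf}")
    if [ -n "$ns" ]; then txt=$(dig +short @"$ns" TXT "$name")
    else txt=$(dig +short TXT "$name"); fi
    pub=$(openssl rsa -in "$3" -pubout 2>/dev/null | dkim_p_from_pem)
    dkim_keys_match "$(dkim_p_from_txt "$txt")" "$pub"
}

# Constructed sample data (not a real key) for trying the helpers offline.
SAMPLE_CONF='#TrustAnchorFile /usr/share/dns/root.key
Nameservers 192.168.53.53'
SAMPLE_TXT='"v=DKIM1; k=rsa; " "p=QUJDREVG"'
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
QUJD
REVG
-----END PUBLIC KEY-----'
```

Run the live check as dkim_check_live dkim example.com /path/to/dkim.private to verify the record through the same resolver OpenDKIM now uses.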