I have set up DKIM on an Ubuntu 14.04 machine using opendkim and postfix. I generated the RSA keypair and updated the TXT record.
When testing the settings at any DKIM tester like www.mail-tester.com or www.dkimvalidator.com, I get errors like “result = fail, bad RSA signature”.
Here is an example mail (info from dkimvalidator.com). I substituted the real domain with mail.example.com.
DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mail.example.com;
    h=content-type:content-type:mime-version:subject:subject
    :message-id:to:reply-to:from:from; s=dkim; t=1505761379; x=
    1506625380; bh=xp3gKk5P39UaB7IV9Rj58h82gFaIiEDAqCbmUtWe2Yo=; b=s
    ErbZFhFhPQjrOz2dH2RlYMAaN0oUKT7SBJe/bQg5Uxq86VHr7HkHRnnqtw1lkRL6
    Ha6Qd2rXAV+ftc5vL3K3TYojBz8HFigZtmJetjgY1/evk9XnRHtTaRBD6/ZrXtii
    Rsa87O6RsoM7om9brPP8QW01/84nPSonJIIQtobLt0=

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/simple
d= Domain: mail.example.com
s= Selector: dkim
q= Protocol:
bh= xp3gKk5P39UaB7IV9Rj58h82gFaIiEDAqCbmUtWe2Yo=
h= Signed Headers: content-type:content-type:mime-version:subject:subject
    :message-id:to:reply-to:from:from
b= Data: s
    ErbZFhFhPQjrOz2dH2RlYMAaN0oUKT7SBJe/bQg5Uxq86VHr7HkHRnnqtw1lkRL6
    Ha6Qd2rXAV+ftc5vL3K3TYojBz8HFigZtmJetjgY1/evk9XnRHtTaRBD6/ZrXtii
    Rsa87O6RsoM7om9brPP8QW01/84nPSonJIIQtobLt0=

Public Key DNS Lookup

Building DNS Query for dkim._domainkey.mail.example.com
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIbe1WBW7hf4IbeW8acNXKzi6uQb2UXagkJoLWqGqLaXbnrLmwEjgxzoJQRR7iLq4/niGmI76Nzbc0aASTGYRdAK62/Enjove3W70vl92VSgGy1Tm0oZ+9/4+Z8qLiwikPs+HL961CshehcAMu1aLnVSyMwe77pOlf6ZPG7Lxj5QIDAQAB

Validating Signature

result = fail
Details: bad RSA signature
And here is /etc/opendkim.conf:
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002
Domain mail.example.com
KeyFile /etc/dkimkeys/dkim.key
Selector dkim
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
Could there be a problem because I use a subdomain like johndoe@mail.example.com to send E-Mails?
Answer
The problem was that opendkim did not listen on the specified socket; Postfix was not able to reach opendkim, and the email was therefore not signed.
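
One way to catch the kind of socket mismatch the answer describes, as an added example that is not part of the original question or answer: it compares the Socket setting in opendkim.conf with the milter endpoints in Postfix's main.cf, normalizing the two different spellings of the same endpoint. The main.cf fragment, the port 8891 and the chroot argument are assumptions made for illustration.

```python
import re

def normalize(spec):
    """Map opendkim (inet:port@host, local:path) and Postfix (inet:host:port,
    unix:path) socket spellings onto one comparable tuple."""
    kind, _, rest = spec.partition(":")
    if kind == "inet" and "@" in rest:       # opendkim: inet:8891@localhost
        port, host = rest.split("@", 1)
        return ("inet", host.lower(), int(port))
    if kind == "inet":                       # Postfix: inet:localhost:8891
        host, _, port = rest.rpartition(":")
        return ("inet", host.lower(), int(port))
    if kind in ("local", "unix"):
        return ("unix", rest)
    return ("unknown", spec)                 # e.g. $smtpd_milters

def opendkim_socket(conf):
    """Endpoint from the first uncommented Socket line, or None if absent."""
    m = re.search(r"^[ \t]*Socket[ \t]+(\S+)", conf, re.M | re.I)
    return normalize(m.group(1)) if m else None

def postfix_milters(main_cf, chroot=""):
    """Endpoints from smtpd_milters / non_smtpd_milters. A chrooted smtpd
    resolves unix: paths inside its chroot, so prefix them with `chroot`."""
    out = []
    for value in re.findall(r"^(?:non_)?smtpd_milters[ \t]*=[ \t]*(.*)$", main_cf, re.M):
        for spec in filter(None, re.split(r"[,\s]+", value)):
            ep = normalize(spec)
            out.append(("unix", chroot.rstrip("/") + ep[1]) if ep[0] == "unix" else ep)
    return out

def diagnose(conf, main_cf, chroot=""):
    """Return 'no-socket', 'no-milter', 'mismatch' or 'match'."""
    listen, milters = opendkim_socket(conf), postfix_milters(main_cf, chroot)
    if listen is None:
        return "no-socket"       # opendkim.conf does not say where to listen
    if not milters:
        return "no-milter"       # Postfix is not told to call any milter
    return "match" if listen in milters else "mismatch"

# Settings taken from the question's opendkim.conf (it has no Socket line).
PAGE_CONF = "Syslog yes\nUMask 002\nDomain mail.example.com\nSelector dkim\n"
# Constructed Postfix main.cf fragment; port 8891 is an assumed value.
SAMPLE_MAIN_CF = "smtpd_milters = inet:localhost:8891\nnon_smtpd_milters = $smtpd_milters\n"

if __name__ == "__main__":
    print(diagnose(PAGE_CONF, SAMPLE_MAIN_CF))
    print(diagnose(PAGE_CONF + "Socket inet:8891@localhost\n", SAMPLE_MAIN_CF))
```

The comparison is textual, so localhost and 127.0.0.1 count as different endpoints, and a "match" only shows the two files agree, not that the opendkim daemon is actually running and listening.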