
How to get DKIM (DomainKeys Identified Mail) working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM


Update! RPMs and Yum now available.

I build and maintain the RPM packages of OpenDKIM for RHEL/CentOS and Fedora, which are available with Yum. For a much quicker and easier way to install OpenDKIM, read this.

Of course, if you still prefer to go old-skool and compile your own binaries from source, or if you’re building on a non-RedHat system, the following instructions will still work fine… they just require more effort. If you want to build your own RPMs, you can also download SRPMs for OpenDKIM.

Please note that I no longer maintain this outdated article. But I do maintain this article with more updated settings and instructions for configuring OpenDKIM. I recommend that you at least follow the updated configuration instructions on the newer post (particularly the opendkim.conf file details), even if you choose to build your own binaries by following the instructions in this post.

Build Your Own OpenDKIM Binaries

If you’d like to get DKIM working on an RHEL or CentOS box running Postfix, here’s how to do it (I’ve also verified these same steps work on a Fedora box). I had previously used dkimproxy, and had unsuccessfully tried dkim-milter before making the switch to OpenDKIM. Both of those may work for some, but OpenDKIM is the most current and the easiest way to get DKIM working, so that’s what I recommend now.

For more information about DKIM and why you want to be running it on your mail server, check out http://www.dkim.org/. Now, on with the show!

Before you start

This tutorial assumes the following:

  • You are running a “modern” RedHat-compatible Linux distro (RHEL 5, CentOS 5, Fedora, etc). I was running CentOS 5.5 when I did this.
  • You are running Postfix 2.3.3 or better (do postconf -d mail_version to check).
  • Your Postfix configuration is currently working (this is very important – you don’t want to troubleshoot two programs at once).
  • Sendmail is turned off (do service sendmail status to verify).
  • The necessary commands in this tutorial are done as root. If you don’t know what that means, then you probably shouldn’t be doing this. You may be able to get away with just using sudo, but I wanted to make sure I didn’t run into any path issues, so I do it as root.

Of course, these steps will probably work with slightly earlier or slightly later versions of RHEL/CentOS and/or Postfix, but those are the versions I used to get DKIM working (update: I now run Postfix 2.8 on a few of my servers just fine with this setup).

Download and install OpenDKIM

Again, if you’re on a Fedora, RHEL, CentOS, or other RedHat compatible system, I strongly recommend you install the OpenDKIM RPM package from the EPEL repository by following these directions.

Otherwise, go to http://www.opendkim.org/ and hit the Download link to download the software. Save it to /usr/local/src on your server. For this HowTo, I used OpenDKIM version 2.4.2, which was released on August 6, 2011.

You’ll also need to install the OpenSSL and Sendmail development packages, because they contain some secret herbs and spices (otherwise known as “libraries”) you need to get OpenDKIM working. Do:

yum install sendmail-devel openssl-devel

Extract, configure, compile, and install OpenDKIM with:

tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install

Note that the ./configure command includes three very important flags, which determine the paths compiled into the binaries and used by the init script created later. --sysconfdir tells OpenDKIM where its conf file will be located (/etc/opendkim.conf), --prefix sets where the binaries are installed (the opendkim daemon goes to /usr/local/sbin, the helper tools such as opendkim-genkey to /usr/local/bin), and --localstatedir controls the directory where the PID file for OpenDKIM will be stored (under /var/run). If none of this makes any sense to you, that’s ok; just be sure to use those flags when you run configure, since they are the paths used throughout this tutorial.

Also, it’s important to note that the make install command must be performed as root (or using sudo), since it needs to install files under /usr/local (including /usr/local/sbin and /usr/local/bin).

Create a new user and home directory

Add a new system group and user for OpenDKIM, both called opendkim, with the following commands (useradd’s -g option expects the primary group to exist already, so create the group first):

groupadd -r opendkim
useradd -r -g opendkim -G mail -s /sbin/nologin -d /var/run/opendkim -c "OpenDKIM" opendkim

These commands will:

  • create a new system group (groupadd -r) and a new system account (useradd -r) called opendkim, with opendkim as the account’s primary group (-g),
  • set the home directory (-d) of the new user to /var/run/opendkim,
  • also add opendkim to the mail group (-G),
  • assign no shell access to this user (-s), and
  • set the account comment to “OpenDKIM” (-c).

Because useradd does not create the home directory of a system account unless you also pass -m, create it now and set its ownership and permissions explicitly, so that OpenDKIM can write its PID file there in later steps:

mkdir -p /var/run/opendkim
chown opendkim:opendkim /var/run/opendkim
chmod 700 /var/run/opendkim

Create working directories

Make some new directories for OpenDKIM and give them the proper ownership and permissions with:

mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-wrx /etc/opendkim/keys

Copy the startup script to /etc/init.d/

Starting with version 2.3.0, OpenDKIM’s source package includes a contrib directory that contains a custom init script (written by yours truly) for use with all RedHat-compatible systems, including Fedora and CentOS. You can copy it to your /etc/init.d/ directory to make starting, stopping, restarting, and reloading OpenDKIM easy. Just do:

cp /usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim /etc/init.d/

Now set the correct permissions for the init script with:

chmod 755 /etc/init.d/opendkim

Generate keys for signing

Now you’re getting to the good part. You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away from prying eyes on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail. If you’re hard-core, you can build the keys manually. Or, you can use the fancy script included with OpenDKIM to do it for you. I’ve manually generated enough keys in my life and have nothing to prove, so I use the script. :)

Before running this script, decide now what the name of your selector is going to be. A selector is a unique keyword that is associated with both keys (public and private), included in all the signatures, and published in your DNS records. For simplicity, I use the word default as my default selector. Not very creative, but it’s effective. Feel free to choose something different, but if you do, you’ll need to use it consistently throughout your setup. Also, while this should go without saying, you should use your mail domain instead of example.com throughout the following steps.

Create your keys with:

mkdir /etc/opendkim/keys/example.com
/usr/local/bin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
chown -R opendkim:opendkim /etc/opendkim/keys/example.com
mv /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/example.com/default

You can do a man opendkim-genkey if you’re interested in what additional options are available when creating your keys. In this example, I used the -D (directory) option, the -d (domain) option, and the -s (selector) option. That’s all you need to get this going. Note that opendkim-genkey creates the private key with mode 600; keep it that way, since anyone who can read that file can sign mail as your domain.

Edit configuration files

You’re getting really close now. You need to create or edit four files:

  1. /etc/opendkim.conf – OpenDKIM’s main configuration file
  2. /etc/opendkim/KeyTable – a list of keys available for signing
  3. /etc/opendkim/SigningTable – a list of domains and accounts allowed to sign
  4. /etc/opendkim/TrustedHosts – a list of servers to “trust” when signing or verifying

Use your favorite text editor to create an /etc/opendkim.conf file that looks like this:

##
## opendkim.conf -- configuration file for OpenDKIM filter
##
Canonicalization        relaxed/relaxed
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
LogWhy                  Yes
MinimumKeyBits          1024
Mode                    sv
PidFile                 /var/run/opendkim/opendkim.pid
SigningTable            refile:/etc/opendkim/SigningTable
Socket                  inet:8891@localhost
Syslog                  Yes
SyslogSuccess           Yes
TemporaryDirectory      /var/tmp
UMask                   022
UserID                  opendkim:opendkim

You can do man opendkim.conf for more information on each of the options.

Next, you’ll need to create the three text files referenced in your config file. First, using your favorite text editor, create an /etc/opendkim/KeyTable file that looks like this:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default

The KeyTable file tells OpenDKIM where to find your keys. Each key gets exactly one line, in the form name domain:selector:path-to-private-key (the example above, long as it is, must be a single line in your file). If you’re going to use multiple keys (to sign mail for virtual domains with different keys, for example), add a separate line to the KeyTable for each domain.

Next, create an /etc/opendkim/SigningTable file that looks like this:

*@example.com default._domainkey.example.com

The SigningTable file tells OpenDKIM how to use your keys: which senders get which key (and therefore which selector) in their signatures. In the above example, I’m saying that everyone (*) sending mail from the domain example.com should be signed with the key named default._domainkey.example.com in the KeyTable, i.e. the default selector. It’s important to note that the * wildcard will only work if the SigningTable option uses the refile: prefix before the filename (see the opendkim.conf documentation for more details); these patterns are shell-style globs, not regular expressions.
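As an added example (my illustration for this article, not OpenDKIM’s own code), here is a short Python script that walks the same chain OpenDKIM does for an outgoing message: the sender address is matched against the SigningTable patterns, and the winning entry’s name is looked up in the KeyTable to find the domain, selector and private key. The example.com lines are the ones from this article; the example.net lines, the mail selector and the sample addresses are made up to show what multiple keys look like. Python’s fnmatch is used for the glob matching, which treats * the way refile: patterns do; the case-insensitive comparison is an assumption on my part.

```python
"""Resolve which key OpenDKIM would sign with for a given sender.

Added illustration for this article, not OpenDKIM's own code.  It reads a
SigningTable (sender pattern -> key name) and a KeyTable (key name ->
domain:selector:private-key path) in the two-column format shown in the
article and walks the chain From: address -> SigningTable -> KeyTable.
"""
import fnmatch

# KeyTable as in the article (example.com) plus a constructed second domain
# (example.net, selector "mail") to show multiple keys.  One key per line.
KEYTABLE = """\
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default
mail._domainkey.example.net    example.net:mail:/etc/opendkim/keys/example.net/mail
"""

# SigningTable (used with the refile: prefix, so "*" is a shell-style wildcard,
# not a regular expression).  The first matching line wins.
SIGNINGTABLE = """\
*@example.com    default._domainkey.example.com
*@example.net    mail._domainkey.example.net
*@*.example.net  mail._domainkey.example.net
"""


def parse_table(text):
    """Return (first column, rest of line) pairs of a two-column OpenDKIM
    table file, ignoring blank lines and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows


def parse_keytable(text):
    """Map key name -> (signing domain, selector, private-key path)."""
    table = {}
    for name, spec in parse_table(text):
        domain, selector, keyfile = spec.split(":", 2)
        table[name] = (domain, selector, keyfile)
    return table


def resolve_signing_key(sender, signingtable_text=SIGNINGTABLE, keytable_text=KEYTABLE):
    """Return (domain, selector, keyfile) for the first SigningTable pattern
    that matches the sender address, or None when the sender would not be
    signed at all.  Matching is done case-insensitively here (assumption)."""
    keytable = parse_keytable(keytable_text)
    sender = sender.lower()
    for pattern, name in parse_table(signingtable_text):
        if fnmatch.fnmatchcase(sender, pattern.lower()):
            if name not in keytable:
                # A typo here is a classic cause of "no signature data".
                raise KeyError("SigningTable points at %r, which is not in the KeyTable" % name)
            return keytable[name]
    return None


if __name__ == "__main__":
    for addr in ("bob@example.com", "Alice@lists.example.net", "eve@example.org"):
        print(addr, "->", resolve_signing_key(addr))
```

Run it as a script and it prints the key each sample sender would be signed with (or None for a sender no pattern matches). The KeyError is deliberate: a SigningTable entry that points at a name missing from the KeyTable is one of the more common reasons for a “no signature data” line in the maillog.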

Now create an /etc/opendkim/TrustedHosts file that looks like this:

127.0.0.1
hostname1.example1.com
hostname2.example1.com
example1.com
hostname1.example2.com
hostname2.example2.com
example2.com

The TrustedHosts file tells OpenDKIM whose mail to sign rather than verify. Because it’s referenced by the ExternalIgnoreList directive in your conf file, OpenDKIM will skip verification for mail arriving from these hosts. And, because it’s also referenced by the InternalHosts directive, this same list of hosts will be considered “internal,” and OpenDKIM will sign their outgoing mail.

IMPORTANT: Make sure you list the IP address for localhost (127.0.0.1) in the TrustedHosts file or OpenDKIM won’t sign mail sent from this server. If you have multiple servers on the same network that relay mail through this server and you want to sign their mail as well, they must be listed in the TrustedHosts file. Put each entry on its own line. An entry can be a hostname, domain name (e.g. “example.com”), IP address, an IPv6 address (including an IPv4 mapped address), or a CIDR-style IP specification (e.g. “192.168.1.0/24”).

It should also go without saying (but I’ll say it anyway) that if you’re planning to sign outgoing mail for remote hosts, your Postfix should have been previously configured to allow relaying for those hosts, as “explained” here… although, when referring to Postfix’s programmer-centric documentation, I generally use the term “explain” very loosely. 😉
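To show how TrustedHosts entries are matched, here is an added Python example (written for this article; it is a model of the lookup, not OpenDKIM’s code) that loads the list above plus a CIDR entry and decides whether a connecting client counts as internal. It checks the client hostname, then each parent domain of that hostname, then the exact IP address, then any CIDR block that contains it. The client hostnames and IP addresses are constructed.

```python
"""Decide whether a connecting client is "internal" under a TrustedHosts
list, i.e. whether OpenDKIM would sign its mail or verify it instead.

Added illustration for this article, not OpenDKIM's code.  It models the
lookup as: exact hostname, then each parent domain of the hostname, then the
exact IP address, then any CIDR block containing it.  The host list is the
article's TrustedHosts plus one CIDR entry; the clients are constructed.
"""
import ipaddress

TRUSTED_HOSTS = """\
127.0.0.1
hostname1.example1.com
hostname2.example1.com
example1.com
hostname1.example2.com
hostname2.example2.com
example2.com
192.168.1.0/24
"""


def load_trusted_hosts(text):
    """Split the file into hostnames/domains, single addresses and networks."""
    names, addrs, nets = set(), set(), []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "/" in line:
            nets.append(ipaddress.ip_network(line, strict=False))
            continue
        try:
            addrs.add(ipaddress.ip_address(line))
        except ValueError:
            names.add(line.lower().rstrip("."))
    return names, addrs, nets


def is_internal(hostname, ip, trusted):
    """Return a string naming the entry that matched, or None when the client
    is external (its mail is verified rather than signed; with LogWhy on, the
    maillog shows "<host> [<ip>] not internal").  Postfix hands the milter
    the literal name "unknown" when reverse DNS fails, so IP entries are the
    reliable ones for relays."""
    names, addrs, nets = trusted
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # host, then each parent domain
        candidate = ".".join(labels[i:])
        if candidate in names:
            return "hostname matches %s" % candidate
    addr = ipaddress.ip_address(ip)
    if addr in addrs:
        return "ip matches %s" % addr
    for net in nets:
        if addr in net:
            return "ip matches %s" % net
    return None


if __name__ == "__main__":
    trusted = load_trusted_hosts(TRUSTED_HOSTS)
    for host, ip in (("localhost", "127.0.0.1"),
                     ("hostname9.example1.com", "203.0.113.10"),
                     ("unknown", "192.168.1.77"),
                     ("mail.example.ws", "203.0.113.5")):
        print(host, ip, "->", is_internal(host, ip, trusted) or "NOT internal")
```

The “unknown” client is the case to remember: when Postfix can’t reverse-resolve the connecting client, the milter sees the hostname unknown, so a TrustedHosts list made up only of hostnames will not match relays without reverse DNS. List their IP addresses or a CIDR block as well.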

Edit your Postfix configuration

Now you’re ready to add the following lines to your Postfix main.cf file, which tell Postfix to pass both SMTP-received and locally submitted mail through OpenDKIM for signing and verification:

smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept

The address and port here must match the Socket line in opendkim.conf. Note that milter_default_action = accept means that if Postfix cannot reach OpenDKIM (for example, because the daemon is stopped), mail is still delivered, just unsigned and unverified; Postfix logs a “connect to Milter service” warning when this happens, so keep an eye out for it in the maillog.

If you’re running a version of Postfix prior to 2.6, you may also need to add:

milter_protocol   = 2

See http://www.postfix.org/MILTER_README.html#version for more info.

Start OpenDKIM and restart Postfix

It’s time to fire things up! Assuming you’re using bash, do:

hash -r

to rehash your shell so you can find the init script.

Now start OpenDKIM with:

service opendkim start

You should get a message that says:

Starting OpenDKIM Milter:     [  OK  ]

However, if you get an error message such as:

Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 6: unrecognized parameter

don’t freak out. You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this HowTo. Then try starting up OpenDKIM again.

Once it starts, refresh Postfix with:

postfix reload

If everything looks good, I recommend running chkconfig on OpenDKIM to make sure it starts when you boot your server:

chkconfig --level 2345 opendkim on

If things didn’t go right, try some of these startup troubleshooting tips before moving on.

Startup troubleshooting tips

Tip 1: The best advice I can give when troubleshooting any mail issues (including OpenDKIM) is to start a second shell session in another window and do:

tail -f /var/log/maillog

while you’re starting, stopping, and/or restarting OpenDKIM and Postfix. This allows you to see more details about any errors in your configuration.

Tip 2: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes. If your outgoing mail isn’t getting signed and you want to know why, this should tell you.

Tip 3: If you can’t get things working on your own, I recommend subscribing to the OpenDKIM-Users discussion list at http://lists.opendkim.org/. It’s a low-traffic list with very helpful and friendly members (including me!) who are happy to nudge you in the right direction.
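Reading a busy maillog by eye gets old quickly, so here is an added Python example (mine, not an OpenDKIM tool) that groups the OpenDKIM lines by Postfix queue ID and reports, per message, whether a signature was added and otherwise why not. The sample log is constructed: the message texts follow the lines quoted in this article and its comments, while the queue IDs, PIDs and addresses are invented.

```python
"""Summarise, per message, whether OpenDKIM signed it and if not, why,
from /var/log/maillog lines.

Added example for the troubleshooting tips in this article, not a tool
shipped with OpenDKIM.  The sample log is constructed; its message texts
follow the OpenDKIM and Postfix lines quoted in the article, with invented
queue IDs, PIDs and addresses.
"""
import re
from collections import OrderedDict

SAMPLE_MAILLOG = """\
Sep 29 02:15:39 mx postfix/smtpd[3474]: 84EC2A48300: client=unknown[203.0.113.9]
Sep 29 02:15:39 mx opendkim[2140]: (unknown-jobid): unknown [203.0.113.9] not internal
Sep 29 02:15:39 mx opendkim[2140]: (unknown-jobid): not authenticated
Sep 29 02:15:39 mx opendkim[2140]: 84EC2A48300: no signature data
Sep 29 02:16:02 mx postfix/smtpd[3474]: 53D0314803B: client=localhost[127.0.0.1]
Sep 29 02:16:02 mx opendkim[2140]: 53D0314803B: DKIM-Signature header added
Sep 29 02:17:01 mx postfix/smtpd[3490]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([\w./-]+)\[(\d+)\]: (.*)$")
QUEUE_ID_RE = re.compile(r"[0-9A-F]{6,}")   # Postfix's default hex queue IDs


def summarise_signing(log_text):
    """Return (per_message, milter_warnings).

    per_message maps Postfix queue ID -> {"signed": bool, "reasons": [...]}.
    OpenDKIM logs the "not internal" / "not authenticated" reasons before it
    knows the queue ID (tagged "(unknown-jobid)"), so they are held per PID
    and attached to the next "no signature data" line from that PID.
    milter_warnings collects Postfix's "connect to Milter service" warnings:
    with milter_default_action = accept those messages went out unsigned.
    """
    per_message = OrderedDict()
    pending = {}
    milter_warnings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, _host, prog, pid, msg = m.groups()
        if prog.startswith("postfix/") and "connect to Milter service" in msg:
            milter_warnings.append(msg)
        if prog != "opendkim":
            continue
        if msg.startswith("(unknown-jobid): "):
            pending.setdefault(pid, []).append(msg.split(": ", 1)[1])
            continue
        qid, sep, rest = msg.partition(": ")
        if not sep or not QUEUE_ID_RE.fullmatch(qid):
            continue                        # startup/shutdown chatter
        entry = per_message.setdefault(qid, {"signed": False, "reasons": []})
        if rest == "DKIM-Signature header added":
            entry["signed"] = True
        elif rest == "no signature data":
            entry["reasons"].extend(pending.pop(pid, []) + [rest])
        else:
            entry["reasons"].append(rest)
    return per_message, milter_warnings


if __name__ == "__main__":
    per_message, warnings = summarise_signing(SAMPLE_MAILLOG)
    for qid, info in per_message.items():
        print(qid, "signed" if info["signed"] else "NOT signed: " + "; ".join(info["reasons"]))
    for w in warnings:
        print("postfix:", w)
```

The Postfix warning is worth tracking separately: with milter_default_action = accept, a message that Postfix could not hand to OpenDKIM is delivered unsigned and unverified, and that warning is the only trace of it.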

The Most Important Step: Adding DNS Records

Now that your mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed. Do:

cat /etc/opendkim/keys/example.com/default.txt

The output should look something like this:

default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com

If you manage your own DNS or have full access to your domain’s zone file, you’ll need to paste the entire contents of the default.txt file at the bottom of your domain’s zone file. If you’re using a web interface to manage your zone file, be careful that the long lines of the public key don’t wrap and create line-feed characters (or fix them if they do). Otherwise, your public key won’t work.

If you’re using GoDaddy’s Total DNS, the TXT Name would be default._domainkey and the TXT Value would be everything inside the quotes (starting with v=). You can ignore the semi-colon and comment at the end.

If you’re using some other third-party DNS provider, follow their instructions for adding a new TXT Record.
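Before you paste the record into a DNS console, it’s worth checking that what you are about to publish is actually a usable key. The following Python script is an added example for this article (not part of OpenDKIM) that takes the zone-file line from default.txt (the sample record above is used as its input), splits it into the owner name and the value a web console asks for, joins the quoted strings the way a resolver does, and decodes the p= tag to confirm it is a well-formed RSA public key whose size meets the MinimumKeyBits value from opendkim.conf. The note it emits about g= reflects RFC 6376, which dropped that tag from the record format.

```python
"""Sanity-check a DKIM public-key TXT record before publishing it.

Added example for this article, not part of OpenDKIM.  It takes the zone-file
line opendkim-genkey writes to default.txt (the sample below is the record
shown in the article), splits it into the owner name and the value a web DNS
console asks for, joins multi-string values the way a resolver does, and
decodes the p= tag to confirm it is a well-formed RSA SubjectPublicKeyInfo
whose size meets the MinimumKeyBits setting from opendkim.conf.
"""
import base64
import re

SAMPLE_DEFAULT_TXT = (
    'default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; '
    'p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com'
)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def split_zone_line(line):
    """Return (owner name, TXT value).  Every quoted string is concatenated,
    which also handles the "p=..." "..." form newer genkey versions emit;
    text after the closing quote is a zone-file comment and is dropped."""
    parts = re.findall(r'"([^"]*)"', line)
    if not parts:
        raise ValueError("no quoted TXT data found")
    return line.split()[0], "".join(parts)


def parse_tags(value):
    """tag=value; tag=value; ...  Whitespace inside a value is allowed by the
    DKIM spec (that is how long keys get folded), so it is stripped here."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def _der(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_params(spki):
    """Return (modulus bit length, public exponent) from a DER
    SubjectPublicKeyInfo, or raise ValueError if it is not an RSA key."""
    tag, body, _ = _der(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg, pos = _der(body, 0)
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _der(body, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("bad subjectPublicKey BIT STRING")
    tag, rsa, _ = _der(bitstr[1:], 0)       # RSAPublicKey ::= SEQUENCE { n, e }
    tag_n, n, pos = _der(rsa, 0)
    tag_e, e, _ = _der(rsa, pos)
    if (tag, tag_n, tag_e) != (0x30, 0x02, 0x02):
        raise ValueError("bad RSAPublicKey structure")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def analyse_record(zone_line, minimum_key_bits=1024):
    """Return owner, publishable value, key size/exponent and a problem list."""
    owner, value = split_zone_line(zone_line)
    tags = parse_tags(value)
    result = {"owner": owner, "value": value, "key_bits": None, "exponent": None, "problems": []}
    if tags.get("v") != "DKIM1":
        result["problems"].append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        result["problems"].append("k=%s is not an RSA key" % tags["k"])
    if "g" in tags:
        result["problems"].append("g= tag is obsolete (removed in RFC 6376); harmless but unnecessary")
    try:
        spki = base64.b64decode(tags.get("p", ""), validate=True)
        result["key_bits"], result["exponent"] = rsa_public_key_params(spki)
    except (ValueError, IndexError):
        result["problems"].append("p= is not a decodable RSA key (check for characters or breaks introduced by line wrapping)")
        return result
    if result["key_bits"] < minimum_key_bits:
        result["problems"].append("%d-bit key is below MinimumKeyBits %d" % (result["key_bits"], minimum_key_bits))
    return result


if __name__ == "__main__":
    r = analyse_record(SAMPLE_DEFAULT_TXT)
    print("TXT name: ", r["owner"])
    print("TXT value:", r["value"])
    print("RSA key:  ", r["key_bits"], "bits, e =", r["exponent"])
    for p in r["problems"]:
        print("note:", p)
```

If the p= data has been mangled by wrapping or a truncated paste, the decode fails and the script says so instead of reporting a key size. The size check is the one to keep an eye on over time: the record above carries a 1024-bit key, which satisfies the MinimumKeyBits 1024 setting used in this tutorial but would be rejected by a verifier configured for 2048.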

You should also add another TXT Record to your zone file that reads:

_adsp._domainkey.example.com    IN    TXT    "dkim=unknown"

This record publishes your Author Domain Signing Practices (ADSP). “unknown” is the least strict setting and the best place to start. You can learn more and tinker with other options later, but most people just use “unknown” for now, since ADSP is relatively new (as of the writing of this post). Be aware that ADSP never saw wide adoption and the IETF has since reclassified it as Historic, so treat this record as optional.

And, as long as you’re messing with your domain’s zone file, now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.

Testing Things Out

As I mentioned in my troubleshooting tips, the best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file. Do a:

tail -f /var/log/maillog

When OpenDKIM starts (or restarts), you should see lines like:

opendkim[4397]: OpenDKIM Filter: mi_stop=1
opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0
opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)

When you send a mail that gets successfully signed, you should see:

opendkim[22254]: 53D0314803B: DKIM-Signature header added

The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free DKIM testing services; each of these will tell you if things are working properly, and give you some pointers on troubleshooting if needed.

If you have a Gmail account, you can also send a signed message there for a quick and easy test. Here’s what a signed message in Gmail will look like:

DKIM Test Message

Look, Ma! My emails have DKIM Signatures!

The signed by: line tells you that the message has been verified as signed by the sender (you may need to press the show details link near the top of the message to see it). I like to click the Show Original link (under the Reply drop-down on the right) to see the signed headers in all their glory. :)

Further reading

I have to admit that there wasn’t a whole lot of publicly available information on getting OpenDKIM working with Postfix. Hopefully, this HowTo will make it easier for you than it was for me.

  • DKIM.org – the official site for DomainKeys Identified Mail
  • OpenDKIM Project Site – the program I used to get DKIM working
  • Sendmail DKIM – a detailed article from Eland Systems about DKIM. They use the dkim-milter package, upon which OpenDKIM is based. I much prefer the newer OpenDKIM, but this article explains DKIM very well and has some good tips.
  • Mail-DKIM and DKIM-proxy – my first experiments with DKIM were with these tools. I never got it working quite right, but there’s lots of good info there.
  • OpenSPF.org – not technically related to DKIM, but it’s another spam-fighting technique that you should be using if you’re sending email

Good luck! Please post in the comments with your successes, questions, or suggestions.

Upgrading OpenDKIM

If you’ve followed this guide to compile and install OpenDKIM, and would like to upgrade to a newer version, simply download the updated version (using the download link above), then repeat these steps, substituting the version number of the tarball you downloaded for 2.4.2:

tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install

This will upgrade your OpenDKIM and keep your existing configuration intact. Remember to restart OpenDKIM after your upgrade with:

service opendkim restart

Do:

tail -f /var/log/maillog

to verify that the newer version started up with no problems.


  • Cata

    Hi,

    very nice tutorial, the best i found.
    I have a little problem, if you can help: “opendkim no signature data” and I don’t understand why. In trusted-hosts I have 127.0.0.1/8 and I tried with example.ws also, but it didn’t work :(

    [root@example ~]# tail -f /var/log/maillog
    Sep 29 02:15:39 example postfix/smtpd[3474]: warning: example.ws[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
    Sep 29 02:15:39 example postfix/smtpd[3474]: 84EC2A48300: client=example.ws[127.0.0.1]
    Sep 29 02:15:39 example postfix/cleanup[3511]: 84EC2A48300: message-id=
    Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): example.ws [127.0.0.1] not internal
    Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): not authenticated
    Sep 29 02:15:39 example opendkim[2140]: 84EC2A48300: no signature data
    Sep 29 02:15:39 example postfix/smtpd[3474]: disconnect from example.ws[127.0.0.1]
    Sep 29 02:15:39 example postfix/qmgr[2358]: 84EC2A48300: from=, size=604, nrcpt=1 (queue active)
    Sep 29 02:15:43 example postfix/smtp[3516]: 84EC2A48300: to=, relay=j.mx.mail.yahoo.com[66.94.237.64]:25, delay=4.2, delays=0.22/0/1.1/2.9, dsn=2.0.0, status=sent (250 ok dirdel)
    Sep 29 02:15:43 example postfix/qmgr[2358]: 84EC2A48300: removed

  • http://www.stevejenkins.com/ Steve Jenkins

    The line in your log that says that example.ws is “not internal” is the one you want to focus on. That means that OpenDKIM doesn’t think that host is internal, so it’s not signing it. Check two things: 1) that the ExternalIgnoreList and InternalHosts directives in your opendkim.conf file are pointing to the correct location of your trusted-hosts file. 2) That the full hostname of your server is listed in the trusted-hosts file. If it’s host.example.ws, then put that in there. You may try experimenting with putting your external IP in there too. But until you put something in there that gets rid of that “not internal” message in your maillog, OpenDKIM won’t sign it. Let me know if you get it figured out!

  • Cata

    Thanks for your answer, very quick :)

    In opendkim.conf I have :
    ExternalIgnoreList refile:/etc/mail/dkim/trusted-hosts
    InternalHosts refile:/etc/mail/dkim/trusted-hosts
    so that is good.
    In trusted-hosts i have:
    127.0.0.1/8
    example.ws
    94. . . (my ip)

    But the same result :)
    example.ws is my host, so localhost or example.ws or my IP should work. I have rebooted the server and the services with no luck …

    • http://www.stevejenkins.com/ Steve Jenkins

      Have you tried just “example” without the .ws? It’s clear that the problem is that OpenDKIM isn’t recognizing your host.

  • Cata

    It didn’t work with any hosts :( I will install on another server, maybe it’s from this one.

  • Cata

    On the second server it works just fine :) Thanks a lot for the tutorial.
    I will need to set domainkeys too, or it is enough with dkim and SPF? Thanks

    • http://www.stevejenkins.com/ Steve Jenkins

      Glad to hear you got it working! I don’t bother using DomainKeys because DKIM is the newer implementation, and most places just care about DKIM now. You’re good to go!

  • Cata

    DKIM Signature validation: pass (1024-bit key) DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.example.com

    The second line is ok, or I have problems with the dns?

    thanks

    • http://www.stevejenkins.com/ Steve Jenkins

      Oh, and make sure you’re using your own domain name instead of “example.com” in the adsp DNS record.

  • Cata

    :) I use my own domain name. It was a little problem because I had restarted the server and the DKIM daemon didn’t start properly. Thanks

  • http://www.stevejenkins.com/ Steve Jenkins

    If you do “chkconfig --level 2345 opendkim on” as listed in the HowTo, it should automatically start when you reboot. I’m glad you got it working. Congrats! :)

  • http://www.stevejenkins.com/ Steve Jenkins

    Oh – and also make sure you’re using file: instead of refile: in your /etc/opendkim.conf file when referencing external files like trusted-hosts.

  • Larry

    Agh, our postfix is now using sendmail. It never did prior to running yum install sendmail-devel openssl-devel which itself had a sendmail dependency.

    • http://www.stevejenkins.com/ Steve Jenkins

      Technically, your “postfix” isn’t using “sendmail,” but your server may be using sendmail as its MTA instead. Just type: service sendmail stop. Then make sure sendmail isn’t set to start automatically when your system boots.

  • Franck.H

    Hello Steve, very good tut, when i’m trying to start opendkim, here is the error i get

    /etc/init.d/opendkim: line 8: milter-aware: command not found
    Starting DKIM milter: /usr/local/sbin/opendkim: error while loading shared libraries: libopendkim.so.3: cannot open shared object file: No such file or directory

    Do I have to change something in the file /etc/init.d/opendkim? Uncomment some lines? Please help. I already have DomainKeys working fine; DKIM is the last thing I need, because Yahoo is pushing my emails into junk mail.

    thanks

    • http://www.stevejenkins.com/ Steve Jenkins

      You should be aware that none of the major mail providers (Yahoo, Hotmail, GMail, AOL) will give you “extra” credit for having mail signed with both DKIM and DomainKeys. They are both very similar methods of signing mail and you’ll get no additional benefit from signing mail with more than one method. They only care that the message is signed.

      If you decide you’d like to use OpenDKIM rather than DomainKeys (which is what I decided, too) then I’d recommend joining the OpenDKIM-users list at http://lists.opendkim.org/. They are going to be able to troubleshoot your issue much better.

  • travis

    my server is also trying to use sendmail now. ideas? I have stopped sendmail, but now its clear email isn’t going out and the /var/log/maillog states connection refused, since sendmail is off.

    ?

    I have gone over everything and can’t see what I might have missed.

    • http://www.stevejenkins.com/ Steve Jenkins

      Did you have Postfix properly working as your mail server before trying to add OpenDKIM?

  • travis

    oh yes, its worked for months.

    I am rebooting now. I commented out the mods to main.cf in Postfix and restarted, to no avail; I can’t find where the system is requiring sendmail to handle the email.

    I desperately need your help.

    • http://www.stevejenkins.com/ Steve Jenkins

      What shows up when you do:

      service postfix status

      and

      service sendmail status

  • travis

    [root@cms log]# service postfix status
    master (pid 2070) is running…
    [root@cms log]# service sendmail status
    sendmail is stopped

    any email sent from this server is now directed to sendmail’s MTA instead of Postfix and I am unable to figure out why – absolutely mind-boggling.

    Oct 23 14:05:36 cms sendmail[2121] bla bla bla bal
    tat=Deferred: Connection refused by [127.0.0.1]

    I start sendmail and email gets sent.

    • http://www.stevejenkins.com/ Steve Jenkins

      Are you using standard ports? What about firewall settings? What do you see when you try to telnet to the SMTP port 25 on the localhost:

      # telnet localhost 25

  • travis

    with sendmail stopped, I can’t telnet to port 25, connection refused, hence, the system is using sendmail and not postfix since installing the devel package as stated above.

    firewall is off

    • http://www.stevejenkins.com/ Steve Jenkins

      If sendmail is off, postfix is running, and you’re CERTAIN that the firewall is off (do service iptables status to be sure), and you can’t connect on port 25, then something is likely wrong in your postfix config.

      Have you tried simply removing sendmail (yum remove sendmail), restoring your original main.cf file (or commenting out any changes you made) and then restarting postfix?

  • travis

    /etc/postfix/main.cf

    I replaced that with my backup and now my system works again. I am now comparing the two to see what could have happened. what a mess :-)

    • http://www.stevejenkins.com/ Steve Jenkins

      I’m not sure I’d call being able to simply return to your original config file and having everything work fine “a mess.” :) But I am interested to see what settings on your system were different than mine when you went through these steps so I can update them accordingly. Thanks for keeping me informed.

  • travis

    I will keep you posted once I clear my head a bit. great blog and your responding so quickly – kudos !

    I normally work on a development server, but your instructions were so simple and clear, lol – I thought I would try :-)

    Once I have it working, I will see where I went wrong. It’s looking like specifying an IP interface in postfix/main.cf is causing the system to be forced to use sendmail somehow – more research / testing is needed.

    • http://www.stevejenkins.com/ Steve Jenkins

      Frankly, I’m very surprised it didn’t go easily, either! I’ve followed my own guide on all 6 of our mail servers! What does your postconf -n output look like?

  • travis

    I went back through some test emails. I had specified an IP for postfix to use, postfix will now only work with localhost now since sendmail-devel was installed. If I set main.cf to use a specific ip only, the system hands it off to sendmail, sendmail is stopped, therefore, its refused.

    What in the world would cause this?

    Better question: why did you have to install sendmail-devel on a Postfix system? That’s the real question I am dying to know.

    I am guessing an uninstall of sendmail-devel will resolve my mta confused server issue.

  • http://www.stevejenkins.com/ Steve Jenkins

    According to http://www.opendkim.org/INSTALLOpenDKIM:

    “To build this package you must first have installed or at least have available the OpenSSL package and libmilter… The application library
    libmilter is part of the sendmail Open Source distribution and can be built and installed from there (ftp://ftp.sendmail.org).

    As Postfix currently does not provide milter library, you need to have sendmail sources or development package installed. See http://www.postfix.org/MILTER_README.html

  • http://www.opendkim.org MSK

    Nice tutorial!

    A quick note about the refile and “first line only” issue. This is a bug; refiles should be able to process any number of lines. A bug in the handling code for refiles will be fixed in the next release, slated for a few days from now.

    Also, refiles aren’t actual regular expressions, though that’s how they are implemented under the hood. They actually provide something more like shell-style wildcarding, also known as “globbing”: They permit “*” to be used to represent any set of characters when doing pattern matching. “*@example.com” is not a valid regular expression, for example, but it’s valid in refiles.

    Happy signing!

    • http://www.stevejenkins.com/ Steve Jenkins

      Hey, Murray. :)

      Thanks for the clarification. When the next release is out, I’ll update the download link in this tutorial and simplify the instructions, too.

      I AM happily signing! :)

  • travis

    Well, here is my troubleshooting so far as to why sendmail is still involved with postfix for sending emails.

    grep sendmail /var/log/maillog*

    sendmail only involved after installing sendmail-devel

    /etc/postfix/main.cf

    # inet_interfaces = all
    inet_interfaces = 174.xx.xxx.xx, localhost

    remove localhost and postfix fails to send email, logs report relaying denied by sendmail.

    I ask that you check your logs for me. Do this please:

    grep -i sendmail /var/log/maillog

    Do you also have sendmail involved in your outgoing mail operations???

  • travis

    follow up.

    opendkim is working and signing, however, sendmail is involved, even with sendmail stopped:

    [ previously recorded headers ]
    Received: by my.example.com (Postfix, from userid 48)

    now, its clear that sendmail is involved via these new header mods:

    Received: (from apache@localhost)
    by cms.example.com (8.13.8/8.13.8/Submit) id o9PGLq9H007511;
    Mon, 25 Oct 2010 11:21:52 -0500

    I am guessing this is the new requirement to hand off for opendkim filtering for signing of the emails.

    Notice above that Postfix userid 48 was included in all of our emails; now, although the Postfix name is seen in the headers, we see sendmail’s 8.13 / Submit listed in the headers.

    I am curious if your logs show the same sendmail involvement.

  • http://www.stevejenkins.com/ Steve Jenkins

    Hey, Travis. First, GREAT news that you got it working. Can you please share with me what the issue was and what you did to get it fixed so I can explain it in the tutorial for others who might see the same issue?

    Also, the ONLY mention of sendmail in my logs is if I run newaliases:

    Oct 26 16:21:57 myhost sendmail[23078]: alias database /etc/aliases rebuilt by root
    Oct 26 16:21:57 myhost sendmail[23078]: /etc/aliases: 155 aliases, longest 40 bytes, 2093 bytes total

    Otherwise, I don’t see it at all.

    But I am seeing the local sendmail client get involved in my headers, too. Here’s a full (anonymized) header of a test message sent to my gmail account:

    Delivered-To: [email protected]
    Received: by 10.229.68.168 with SMTP id v40cs122656qci;
    Tue, 26 Oct 2010 16:22:59 -0700 (PDT)
    Received: by 10.143.157.16 with SMTP id j16mr7184678wfo.424.1288135379024;
    Tue, 26 Oct 2010 16:22:59 -0700 (PDT)
    Return-Path:
    Received: from hostname.steveserver.com (steveserver.com [123.456.78.912])
    by mx.google.com with ESMTP id e38si19054975wfj.44.2010.10.26.16.22.57;
    Tue, 26 Oct 2010 16:22:57 -0700 (PDT)
    Received-SPF: pass (google.com: domain of [email protected] designates 123.456.78.912 as permitted sender) client-ip=123.456.78.912;
    Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 123.456.78.912 as permitted sender) smtp.mail=[email protected]; dkim=pass header.i=@steveserver.com
    Received: from hostname.steveserver.com (hostname.steveserver.com [127.0.0.1])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by hostname.steveserver.com (Postfix) with ESMTPS id F080410423FE
    for ; Tue, 26 Oct 2010 16:22:56 -0700 (PDT)
    X-DKIM: OpenDKIM Filter v2.2.1 hostname.steveserver.com F080410423FE
    DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=steveserver.com;
    s=default; t=1288135377;
    bh=fdkeB/A0FkbVP24J4poeWH6vm9+b0C3OY87Cw8=;
    h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type;
    b=a+S/3J/GfO2n2smR9XCq
    Received: from localhost (sender@localhost)
    by hostname.steveserver.com (8.14.4/8.14.4/Submit) with ESMTP id o9QNMuwE023144
    for ; Tue, 26 Oct 2010 16:22:56 -0700
    Date: Tue, 26 Oct 2010 16:22:56 -0700 (PDT)
    From: Steve Jenkins
    To: [email protected]
    Subject: SUBJECT GOES HERE
    Message-ID:
    User-Agent: Alpine 2.00 (LFD 1167 2008-08-23)
    MIME-Version: 1.0
    Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

    Message Body
    ——————–

    SO like you said, the (8.14.4/8.14.4/Submit) is a giveaway that sendmail is involved. OpenDKIM requires libmilter, which is part of the sendmail-devel package, so I’m assuming that’s why we’re seeing it.

    Also, if apache is sending (it looks like it is in your case) AND you have PHP involved, be sure to update the sendmail line in your /etc/php.ini to use /usr/sbin/sendmail.postfix

    And finally, a new version of OpenDKIM (2.2.1) came out yesterday. You may want to update (it just copies right over the old one with no config file changes).

  • http://www.autogari.ro Mircea

    I had errors after installing opendkim:

    fatal: host/service localhost/20209 not found: No address associated with…

    Looks like it’s working now after I changed these the lines in main.cf :

    smtpd_milters = inet:127.0.0.1:20209
    non_smtpd_milters = inet:127.0.0.1:20209

    • http://www.stevejenkins.com/ Steve Jenkins

      Glad to hear it’s working for you! But it should have worked with localhost, too. Can you do a “ping localhost” and get a reply?

      You should check your /etc/hosts file to make sure that the first line in there is:

      127.0.0.1 hostname localhost.localdomain localhost

      Where “hostname” is your server’s hostname. The “localhost.localdomain” and “localhost” entries should be typed word-for-word.

  • Carlos Sura

    Hi Steven, this is a great article. I’ve already configured some servers with your help; everything seems to be working fine if you read the article carefully. If not, you really mess up.

    • http://www.stevejenkins.com/ Steve Jenkins

      Glad it’s working for you, Carlos!

  • emre
    • http://www.stevejenkins.com/ Steve Jenkins

      DomainKeys is the older version of the same standard as DKIM. And since inbound mail handlers don’t give you any additional credit for having both DomainKeys and DKIM, as long as you’re passing the DKIM check, you can ignore the DomainKeys=neutral warning.

  • emre

    Thanks Steve.

  • http://flashgenie.net Robert

    Hello Steve,

    Great tutorial !

    Having finally wrapped my brain around the formats of the KeyTable and SigningTable, I think it would improve your tutorial to not use the whole DNS key as a key name, since the left entry in the KeyTable can be just a single word.
    That would make it easier to understand:

    #KeyTable:
    mykeyname example.com:default:/etc/mail/dkim/keys/example.com/default

    #SigningTable:
    *@example.com mykeyname

    That way one doesn’t confuse the notions needed for the DNS record with the two tables.

    • http://www.stevejenkins.com/ Steve Jenkins

      Hi, Robert! Thanks for the feedback and glad you got it working! You are right about not needing the full domain name… but ONLY if you’re signing keys for a single domain (and I assume that’s the case with your server). But if you have a mail server that signs different keys for more than one domain (like I do) or for multiple hostnames on a single domain name, or any combination of the above (such as mailer1.domainname.com, mailer2.domainname.com, somebodysserver.com, somebodyelseserver.com) then you will need the FQDN (fully qualified domain name) of the selector in the keyTable, signingTable, and in your DNS record for it to work.

  • http://flashgenie.net Robert

    Hello Steve,

    In studying the readme file examples, I discovered that the key is only used to make the entries in the SigningTable match lines in the KeyTable, so for multiple domains, this works, too:

    ##keytable
    KeyA domainOne.net:sel1:/etc/mail/dkim/X.private
    KeyB domainTwo.net:selh:/etc/mail/dkim/Y.private
    KeyC domainThree.net:sel1:/etc/mail/dkim/Z.private

    ##signingtable
    *@domainOne.net KeyA
    *@domainTwo.net KeyB
    *@domainThree.net KeyC

    And obviously each domain has to have the fully qualified entries in its DNS records.

    If all the domains can share the same keys, then one can even use the % wildcard and get all domains that use the same server to get their mail signed with one line each:

    ##keytable
    onekey %:im:/etc/mail/dkim/im.private

    ##signingtable
    *@* onekey

    The names used to link the two tables are completely independent from the entries in the DNS records.

    The question I haven’t yet figured out is, even with a different key for each virtual domain, how can one prevent a php script running on one domain from signing mails with a “From:” header belonging to another domain on the same server?
    Postfix will deliver them all irrespective, and OpenDKIM will happily sign with the correct key for each domain, simply taking the correct key for the domain used in the “From:” header…

  • Carlos Sura

    Hello Steve, I want to ask you something, in every boot I’m getting this message:

    Dec 6 07:22:12 domain sendmail[22269]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
    Dec 6 07:22:12 domain sendmail[22269]: daemon MTA: problem creating SMTP socket

    Should I turn off Sendmail from chkconfig?
    Thanks,

    • http://www.stevejenkins.com/ Steve Jenkins

      I run Postfix instead of Sendmail so I can’t reproduce that on my end. However, my guess is that maybe you’re already telling Sendmail to start somewhere else. So yes, I’d chkconfig sendmail off and reboot to see if it’s running.

  • Carlos Sura

    I’m running Postfix too; however, I did yum install sendmail-devel, so that might be the problem, right? I will chkconfig sendmail off and check it. Anyway, thank you for answering me, Steve.

    • http://www.stevejenkins.com/ Steve Jenkins

      Ahhh – then yes, that’s totally it! :)

  • Carlos Sura

    By the way, pardon me if I bother you so much… But, I’m trying to get domainkeys working in another box… And when I do this:
    /usr/local/sbin/opendkim-genkey -D /etc/mail/dkim/keys/mysite.com/ -d mysite.com -s default

    I get this:
    -bash: /usr/local/sbin/opendkim-genkey: No such file or directory

    I’m checking in /usr/local/sbin
    but the only file I found is: opendkim…

    • http://www.stevejenkins.com/ Steve Jenkins

      Try doing updatedb and then do a locate opendkim-genkey to see if perhaps your system put it somewhere else. By default, it should be in the path, so you could also log out and then log back in and try running opendkim-genkey without any path info.

      If that doesn’t work, try doing the ./configure, ./make, and ./make install steps again from the dir where you unzipped the source code. After the install step, do updatedb and locate opendkim-genkey.

  • Carlos Sura

    Which is the script, right? But, it keeps saying ” no such file or directory” , and I’ve already set permissions.

  • Carlos Sura

    Thank you for your help. I’ve already found the problem: it is in /bin/, not /sbin/. Thank you for your time.

    • http://www.stevejenkins.com/ Steve Jenkins

      Glad you got it working. :)

  • http://www.spunetiparerea.ro Andrei

    Hi,
    I followed your tutorial and I’ve installed opendkim on a fresh CentOS VPS.
    I’ve also installed domain keys (dk-milter) and i’ve set up spf.

    All the checks pass, both yahoo and gmail validate my dkim and domainkeys, but some of the emails I send enter the spam folder.

    Here is the scenario:
    1. if I send an email directly from the webmin postfix interface, the email get into inbox
    2. if I send an email from PHP using smtp, the email gets into spam folder on yahoo and sometimes on gmail spam too.

    Do you have any advice, what should I do? Is there any config I should do in order to get the mails sent my PHP via smtp to get in inbox?

    • http://www.stevejenkins.com/ Steve Jenkins

      Chances are that your messages sent by PHP are actually being sent by Sendmail. Check your /etc/php.ini file to make sure it’s using Postfix’s Sendmail clone. Mine looks like this:

      sendmail_path = /usr/sbin/sendmail.postfix -t -i

  • http://www.spunetiparerea.ro Andrei

    Hi Steve,
    Thank you for reply.

    I checked the sendmail_path and it was indeed set to sendmail rather than postfix. I changed it as in your advice, thank you.
    However, I think that’s not the problem since I use php to send mails via smtp, and on the server I have configured postfix.

    In the meantime I did other optimizations and I discovered the following:

    1. if I send my emails from [email protected] but I set the “From” to, let’s say, just Domain.com, then Gmail marks me as spam.
    2. I am sending HTML mails but if I add a txt copy of the email (an exact copy of the html mail but just the plain text), then gmail is happy and it doesn’t mark me as spam.
    3. if I set also the replyTo to the same email address, it’s also a good thing.

    However, Yahoo still considers my email to be spam (although DKIM and DomainKeys pass, I have reverse IP, I’m not blacklisted, etc.). I guess it’s just something with the way Yahoo filters emails.

  • http://www.stevejenkins.com/ Steve Jenkins

    Hi, Andrei. I’m curious about why you have your php application set up to connect to the smtp port rather than just using the mail command internally? And yes, most mail providers like the FROM to be an actual address, not just a domain. I’m also curious about your HTML + TXT mail approach. Do you mean that you’re sending BOTH the HTML and TXT version of the message? If so, are you sending the TXT as an attachment?

  • http://www.spunetiparerea.ro Andrei

    Hi Steve,
    I’m using SwiftMailer and it is configured to send my mails via smtp.
    About the HTML + TXT approach, yes, I am sending both versions of the mail. I found an explanation which said that for clients who do not accept HTML emails it is good to send the txt version. Also, I found out that the anti-spam methods can give a better score to HTML mails which also have their txt version sent with them (and like I said, the closer the txt version is, the higher the chances are that your email won’t be marked as spam).
    In SwiftMailer I am using the “addPart” method to add the txt version to the mail.

    (just a little disclaimer, I found out about the txt thing from the SpamAssassin site here: http://wiki.apache.org/spamassassin/AvoidingFpsForSenders)

  • Corey

    Hello!

    Is the smallest valid key 512 bits? I’m having problems putting that long a string into the DNS config utility from my registrar since it truncates it. Need to talk to my registrar, I guess.

    Thanks!

  • http://www.stevejenkins.com/ Steve Jenkins

    It’s POSSIBLE to use as small as a 256 bit key… but I wouldn’t. That’s too easy to crack. I think you’re better off talking to your registrar as you suggested.

    Another option is to consider using a different DNS provider. Amazon’s new Route 53 is an interesting option I’ve thought about trying. I’m assuming your registrar isn’t GoDaddy, since I know their TotalDNS service (which is included with any domain registered there) won’t truncate your key.

    Let me know how things work out!

  • Corey

    I got the ISP to change their DNS config web page to accept more characters. Tried it out and I’m good to go! Thanks for the great tutorial. Corey.

    • http://www.stevejenkins.com/ Steve Jenkins

      Great to hear, Corey! Congrats!

  • http://www.spunetiparerea.ro Andrei

    Hi Steve,
    I just wanted to let you know that for some reason, Yahoo no longer considers my mail to be spam and delivers it right to the user’s inbox. Yuppy!
    Thanks for sharing this article with the community, it helped me a lot.

  • ethilanka

    Hey,

    Thank you very much for publishing a valuable post…. This really helps me to send emails to the Yahoo inbox… you are great… BTW I have a small question….. what is the difference between DomainKeys and DKIM…? In your post both are included…..?? Or do we need to configure DomainKeys separately..?

    Cheers..!

    • http://www.stevejenkins.com/ Steve Jenkins

      @Ethilanka: You’re very welcome! The simple explanation is that DKIM is a more current implementation of the original Domain Keys (that’s what the DK in DKIM stands for… not Donkey Kong…:)) Mail service providers will give you “credit” for using DKIM or DomainKeys, but you don’t get extra credit for using both. Since DKIM is the newer standard with the current momentum, that’s the one I recommend. There’s no need to do both!

  • http://vegenag.com Alex

    Steve,

    Thanks for posting this. I set everything up as described and I am having a problem I can’t find the answer to. My log shows the problem to be opendkim[7113]: 1F9BDD2004E: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed.
    I have talked with my registrar’s support to make sure the DNS zone record was entered correctly. I guess I don’t know how to move forward at this point. I have checked and rechecked to make sure I followed your directions correctly. Hopefully you can help.

    Thanks,
    Alex

  • http://www.stevejenkins.com/ Steve Jenkins

    @Alex: According to something I read from the developer of OpenDKIM, “The filter reads in your private key and passes it as a buffer to d2i_PrivateKey_bio(), a libcrypto function, which attempts to parse it. That parse is failing, which results in this error being logged and your message temp-failing.” In other words, it looks like your private key file might be corrupt. I’d try rebuilding it (just delete it, find that step above, and build it again) to see if that fixes it. Also, make sure you’re using at least version 2.1 of OpenDKIM, as there was a bug related to this in 2.0. Come back and let me know if it works!

  • rav3n

    Hi, I’ve followed your tutorial and applied it to a Zimbra mail server. It works great; however, I have a problem: DomainKeys are not signed. Below is my test result. I checked the logs and the OpenDKIM header is added.

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    • http://www.stevejenkins.com/ Steve Jenkins

      Hi, Rav3n. Good news! Your test results are fine. DomainKeys is a different (and outdated) method of signing mail. DKIM is the newer and improved method. You don’t need to use both, since receiving mail handlers don’t give any additional credit for both. So since you’re signing with DKIM and not DomainKeys, it’s appropriate to have the neutral test result. You’re good to go!

  • rav3n

    Hi, I have finished setting up everything and it’s working fine, except mail is not signed. I have two domains I’ve already added to my KeyTable and SigningTable. When I try to test it, this is what I get.

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    DomainKeys check still neutral… been trying to check my configuration, seems no issue… Please help

    • http://www.stevejenkins.com/ Steve Jenkins

      Correct, DomainKeys is supposed to be neutral. You are signing with DKIM, not DomainKeys. DomainKeys is outdated and you don’t need to sign with it. You are set up correctly. :)

  • rav3n

    Thanks, now I know it’s working fine… 😀

  • http://www.camelofs.com.br Johnny

    I have a zimbra server and the settings don’t work…

    If i configure the milter_protocol=2, the zimbra.log says OK to add header but don’t send the message and if i don’t configure the milter_protocol, the message is sent OK, but without the header.

    Can you help me?

    • http://www.stevejenkins.com/ Steve Jenkins

      Hi, Johnny. I don’t use Zimbra, but I’m sure someone on the OpenDKIM user email list is familiar with it. I’d recommend subscribing (the link is in this article) and seeing if anyone there has seen this particular issue.

  • http://vegenag.com Alex

    Steve, I have figured out my problem and it was a tremendous oversight. When I created my KeyTable I copied and pasted in your example, which shows it on two lines in the browser, but clearly, if I had looked closer, I would have seen that it should all be on one line.

    Thanks for taking the time for this tutorial.

  • http://www.stevejenkins.com/ Steve Jenkins

    Glad you got it working, Alex! I’ve updated the article to specifically state that all the text in the example should be on a single line. Thanks for the feedback!

  • Pingback: How to get DKIM and DomainKeys working with Postfix on RHEL 5 / CentOS 5 using OpenDKIM and dk-milter | Steve Jenkins' Blog()

  • rav3n

    Hi, I’ve successfully set up opendkim, thanks for the guide, it helps a lot. I have a question: I have two domains, mail.example.com and mail2.example.com, both on different machines. I’ve created another mail server for sending bulk messages. I’ve set up everything; however, I have an error in the full header view: multiple domain keys. I was wondering how I can use the other default keys on another machine so that I will have one domain key on my domain server?

  • rav3n

    Hi Johnny, I use Zimbra and it works with no problem with protocol 2…. Make sure you upgrade your Zimbra to the new version.

  • rav3n

    How do I allow an external IP to be signed by our SMTP server?

    • http://www.stevejenkins.com/ Steve Jenkins

      If the server with the external IP shares the same domain, just add the IP to the InternalHosts file. If it’s a separate domain, then you’ll also have to create an additional set of keys and add the appropriate info for that domain to the keyTable and signingTable.

  • rav3n

    Hi Steve, thanks for the reply. Just to clarify: if I have one domain, example.com, and mail.example.com dedicated to sending mail, and all my web servers are sending email such as notifications, transactions, mailing lists, events, newsletters etc., do I need to create a separate DKIM for the web server? All servers are within the same IP range. All web servers are http://www.example.com. Ahhh, one more: sometimes we also send email through our office and it’s a different IP range and no domain. Should I create a new DKIM for our IP in our office?

    • http://www.stevejenkins.com/ Steve Jenkins

      DKIM signatures are associated with the domain, so you can use the same one for multiple subdomains!

      But you can’t sign messages sent from a machine that has no domain. Again, DKIM is associated with a domain, so it needs one in order to verify on the receiving end.

  • rav3n

    Thanks Steve, guess I need to make a new subdomain for our office too…

  • http://vegenag.com Alex

    Steve,
    I have been trying to setup OpenDKIM on another server for a friend since you helped me via this tutorial successfully set it up on mine. Anyway, it went much smoother this time. All is working, however, it is not signing emails for [email protected]. The log says that there is no signing table match for ‘[email protected]’. I checked the signing table and I have “*@domain.com default._domainkey.domain.com” on one line and this is the only line. I also use default as my selector. I have been reading the opendkim mail list and I can’t seem to find the answer to my problem. According to the signing table information I can’t figure out why it will not sign for [email protected] if I clearly have *@domain.com. Anyway, I was hoping you could help.

    • http://www.stevejenkins.com/ Steve Jenkins

      Hi, Alex. Sorry to hear you’re having problems. Are you certain that the mail program (MTA) isn’t using a subdomain when sending? The domain address in the signing table needs to match the domain address in the Return-Path: header of your email.

      I’m assuming that something like that must be the problem. I would bet that if you added a second line to your signing table that said: “[email protected] default._domainkey.domain.com” you’d still get the same error.

      If you’re still having trouble, subscribe to the OpenDKIM-users mailing list and post the results of the test addresses (or Brandon’s test website). That can be very helpful in tracking down what’s wrong.

  • http://vegenag.com Alex

    Steve, thanks for the quick reply and for pointing me in the right direction. Apparently, the text case in the log is different from what is actually sending. The email was set up in the client like this: “[email protected]”. It sends email fine; however, DKIM doesn’t like the change in case and the log was coming back “no signing table match for [email protected]”, and so I was not able to figure out the problem until I checked his mail client setup. Anyway, thanks for pointing me in the right direction. I really appreciate what you are doing here.

    • http://www.stevejenkins.com/ Steve Jenkins

      @Alex: Ah – yes, case does matter with OpenDKIM 2.2.2. However, the newer version of OpenDKIM (v2.3.0 – which is still in beta, so I’m waiting until it’s released to update the blog post) allows upper or lower case. Glad to hear you got it going!
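Robert’s KeyTable/SigningTable walkthrough above and the case-sensitivity problem Alex ran into are both about the same lookup, so here it is written out as an added example in Python (it is not OpenDKIM’s own code and not from the original post). It parses the two tables as the comments describe them, applies refile globbing (only “*” is special, as Murray explains), honours “%” in the KeyTable domain field, and returns the d=/s=/key-path triple for a sender address. The tables are Robert’s, the key paths are his placeholders, `fold_case` is this example’s own switch for approximating the case-insensitive matching Steve mentions for 2.3.0, and first-match-in-file-order is an assumption of this example rather than something the page states.

```python
import re

# Added example, not OpenDKIM's code: resolve which key OpenDKIM would pick for a
# sender address from SigningTable (refile) and KeyTable text as described above.


def _strip_lines(text):
    """Yield non-blank, non-comment lines of a table file."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_key_table(text):
    """KeyTable: <name> <domain>:<selector>:<private key path>, one entry per line."""
    table = {}
    for line in _strip_lines(text):
        fields = line.split(None, 1)
        spec = fields[1].split(":", 2) if len(fields) == 2 else []
        if len(spec) != 3:
            raise ValueError("bad KeyTable line: %r" % line)
        table[fields[0]] = tuple(spec)          # (domain, selector, path)
    return table


def parse_signing_table(text):
    """SigningTable (refile): <address glob> <KeyTable name>, kept in file order."""
    rows = []
    for line in _strip_lines(text):
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("bad SigningTable line: %r" % line)
        rows.append((fields[0], fields[1]))
    return rows


def _glob_to_regex(pattern):
    """refile globbing: only '*' is special; everything else matches literally."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def select_key(address, signing_table, key_table, fold_case=False):
    """Return (d=, s=, key path) for the first SigningTable match, or None.

    fold_case=False reproduces the exact-case matching Alex hit with 2.2.2;
    fold_case=True approximates the case-insensitive matching of later versions.
    First match in file order wins (assumption of this example).
    """
    subject = address.lower() if fold_case else address
    for pattern, name in signing_table:
        if fold_case:
            pattern = pattern.lower()
        if _glob_to_regex(pattern).match(subject):
            if name not in key_table:
                raise ValueError("SigningTable refers to unknown KeyTable entry %r" % name)
            domain, selector, path = key_table[name]
            if domain == "%":                   # '%' takes the domain of the matched address
                domain = subject.rpartition("@")[2]
            return domain, selector, path
    return None


def dns_record_name(domain, selector):
    """Where the matching public key has to be published."""
    return "%s._domainkey.%s" % (selector, domain)


# Tables copied from Robert's comment; the key paths are his placeholders, not real files.
KEY_TABLE = parse_key_table("""
KeyA domainOne.net:sel1:/etc/mail/dkim/X.private
KeyB domainTwo.net:selh:/etc/mail/dkim/Y.private
KeyC domainThree.net:sel1:/etc/mail/dkim/Z.private
""")
SIGNING_TABLE = parse_signing_table("""
*@domainOne.net KeyA
*@domainTwo.net KeyB
*@domainThree.net KeyC
""")
ONE_KEY_TABLE = parse_key_table("onekey %:im:/etc/mail/dkim/im.private")
ONE_SIGNING_TABLE = parse_signing_table("*@* onekey")

if __name__ == "__main__":
    for addr in ("alice@domainOne.net", "Alice@DomainOne.net", "bob@domainFour.net"):
        print(addr, "->", select_key(addr, SIGNING_TABLE, KEY_TABLE))
    print("anyone@mailer2.domainname.com ->",
          select_key("anyone@mailer2.domainname.com", ONE_SIGNING_TABLE, ONE_KEY_TABLE))
```

Because the lookup sees nothing but the address, `script@domainTwo.net` resolves to KeyB no matter which virtual host or local script submitted the message, which is exactly the gap Robert raises in his last paragraph; the tables carry no notion of who handed the message to Postfix.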

  • Bhupinder

    Thank you!

    This guide worked perfectly on my Plesk 10 / PostFix / Centos5 rig.

    I love you!!!

    • http://www.stevejenkins.com/ Steve Jenkins

      Glad to hear it, Bhupinder. Much love back atcha. 😉

      • http://sprytechies.com Pradeep

        Well, I don’t get this working. I have spent many hours getting opendkim to work with Plesk. I have two Postfix profiles on Plesk (old config). For the one I want to get opendkim working with, I’ve removed the 10025/6/7 lines from master.cf (since those refer to Plesk filters) and put in the settings in main.cf. But the milter does not get applied; nothing in the log at all.

        are you sure I dont have to get any setting modified in master.cf for this to work? the lines in master.cf are:

        smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025

        pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:11027
        127.0.0.1:11025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11027 before-queue
        127.0.0.1:11026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks
        127.0.0.1:11027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11026 before-remote
        plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
        smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025 -o smtpd_tls_wrappermode=yes
        submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:11025

        Only putting in the lines that put in the default DomainKeys from Plesk (which does not get validated on brandonchecketts, saying wrong RSA, since different public keys are present on both domains). The server hosts multiple domains on different IPs.

        • http://www.stevejenkins.com/ Steve Jenkins

          Hi, Pradeep. I have no experience with Plesk, and so I’m not going to be any help in trying to troubleshoot how it interacts with OpenDKIM. As far as a straightforward OpenDKIM install on Postfix, no – you don’t need to touch master.cf. If you’re still having trouble, I recommend joining the OpenDKIM-users mailing list at opendkim.org and presenting the issue there. There’s a very active group on that list (including the main developer) who will be happy to troubleshoot.

          • http://sprytechies.com Pradeep

            Further debugging in the logs with higher level, I got to know that a typo in the SigningTable file was hindering the email to match the email pattern. And later that the opendkim key file perms were restrictive. It now works with the separate postfix directory profile. Of course, I had to change all the plesk 10025/10026/10027 filters and spawns. No changes for opendkim were needed in master.cf, just like Steve wrote. I need to see if this is fine or I need to get domainkeys as well.

          • http://www.stevejenkins.com/ Steve Jenkins

            Good to hear! Forget about DomainKeys. They’re being phased out. DKIM is the replacement, and it’s all you need. :)

  • http://crushdev.com Tim Gurske

    Hey,
    This tutorial made my life easier and I really appreciate you taking the time to write it! +1 good Karma for you!

  • Taaniel

    I’m breaking my head here.. all email get signed but I get the following error: Details: public key: unsupported version :(

    • http://www.stevejenkins.com/ Steve Jenkins

      Google results for this error show that your DNS records are probably incorrect. I’d triple-check those.
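Corey’s truncated-record problem a few comments up and Taaniel’s “public key: unsupported version” both come down to what actually ends up in the TXT record, so this added Python example (not the original post’s code and not OpenDKIM’s) builds a DKIM TXT record from an RSA modulus and then checks a record the way a verifier reads it: a `v=` tag, if present, must be `DKIM1`; `p=` must be valid base64; the decoded bytes must be an rsaEncryption SubjectPublicKeyInfo; and the modulus must meet a minimum size. The 1024-bit default minimum is this example’s choice (OpenDKIM will sign with the 256-bit floor Steve mentions, but see his warning). The DER encoder and decoder are minimal ones written for this example, and the moduli are constructed odd integers of the right size, not real keys.

```python
import base64
import binascii
import re

# Added example, not OpenDKIM's code: build a DKIM TXT record and validate one.
# DER-encoded OBJECT IDENTIFIER for rsaEncryption (1.2.840.113549.1.1.1).
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_uint(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                      # keep the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for an RSA key: the form published in p=."""
    rsa_public_key = _der(0x30, _der_uint(n) + _der_uint(e))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def dkim_txt_record(n, e=65537):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki(n, e)).decode()


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; ValueError if the buffer runs out."""
    if pos + 2 > len(buf):
        raise ValueError("DER structure truncated")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER structure truncated")
    return tag, buf[pos:end], end


def rsa_modulus_bits(spki):
    """Modulus size of an rsaEncryption SubjectPublicKeyInfo; ValueError if malformed."""
    tag, body, end = _read_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single SEQUENCE")
    tag, algorithm, pos = _read_tlv(body, 0)
    if tag != 0x30 or not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = _read_tlv(body, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsa_public_key, _ = _read_tlv(bits, 1)
    if tag != 0x30:
        raise ValueError("malformed RSAPublicKey")
    tag, modulus, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("malformed modulus")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt, min_bits=1024):
    """Validate a DKIM TXT record the way a verifier parses it."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)   # folding whitespace is allowed
    problems, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unsupported version %r (must be DKIM1 if present)" % tags["v"])
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type %r" % tags["k"])
    if "p" not in tags:
        problems.append("no p= tag")
    elif tags["p"] == "":
        problems.append("empty p=: this record revokes the key")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except binascii.Error:                  # subclass of ValueError, so test it first
            problems.append("p= is not valid base64: truncated or mangled by the DNS tool?")
        except ValueError as exc:
            problems.append("p= does not decode to an RSA public key: %s" % exc)
        else:
            if bits < min_bits:
                problems.append("%d-bit key is below the %d-bit minimum" % (bits, min_bits))
    return {"ok": not problems, "bits": bits, "problems": problems}


# Constructed placeholder moduli (odd integers of the right size), NOT real RSA keys.
SAMPLE_N_1024 = (1 << 1023) | (0xC0FFEE << 512) | 1
SAMPLE_N_512 = (1 << 511) | 1
SAMPLE_RECORD = dkim_txt_record(SAMPLE_N_1024)

if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_RECORD))
    print(check_dkim_record(SAMPLE_RECORD[:-40]))          # what a truncating DNS UI serves
    print(check_dkim_record(SAMPLE_RECORD.replace("DKIM1", "DKIM2")))
```

Run the check against the record your DNS actually serves (the strings returned by `dig +short TXT default._domainkey.example.com`, joined into one line) rather than against what you pasted into the registrar’s form; a tool that silently truncates the value produces exactly the base64 or DER failures this reports.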

  • rav3n

    Hi Steve, can you please explain: when I verified my setup on opendkim I got this result.

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    I tried to send email to yahoo and check full header I got this on yahoo result

    Authentication-Results: mta1022.mail.sk1.yahoo.com from=ronald.com; domainkeys=neutral (no sig); from=auction.ph; dkim=permerror (future timestamp)

    dkim=permerror?

    • http://www.stevejenkins.com/ Steve Jenkins

      If you Google “dkim=permerror (future timestamp)” you’ll see that this error is most likely a result of your server’s clock being incorrect. Install an NTP client and make sure you’re syncing daily. :)

  • Will Oberman

    If anyone here is using this to configure DKIM with Amazon SES (their email service), this guide works with the following addendum:
    In the file “/etc/opendkim.conf” add:
    OmitHeaders Message-Id,Date,Return-Path,Bounces-To

  • Pingback: Переход с Sendmail на Postfix+OpenDKIM на CentOS | Костин Алексей()

  • Paul Roberts

    I’m getting the mail sitting in the postfix queue with the error

    conversation with 127.0.0.1 timed out while receiving the initial server greeting

    it sends if i take out the Postfix configuration

    any ideas?

    • http://www.stevejenkins.com/ Steve Jenkins

      Hmm… even if OpenDKIM isn’t running, it will just log a warning and Postfix will still send. Is Postfix running properly otherwise?

  • Paul Roberts

    Both postfix and OpenDKIM are running without errors; it’s just when I add the lines to postfix’s main.cf that the problem happens. Once I removed the code the mail was sent and the key was added to the email. Could it be to do with iptables?

  • Paul Roberts

    If I comment out these lines the queue is processed.

    # smtpd_milters = inet:localhost:20209
    # non_smtpd_milters = inet:localhost:20209
    # milter_protocol = 2
    # milter_default_action = accept

  • http://www.stevejenkins.com/ Steve Jenkins

    @Paul: With those lines commented in your main.cf, I don’t see how the key could have been added to the mail, since Postfix wouldn’t know to pass mail through the milter. Is your software config identical to the one in the tutorial? RHEL/CentOS, Postfix, OpenDKIM? Are you also running Sendmail by chance (it should be off in this scenario)? Also, a brand new version of OpenDKIM (2.3.0) was released yesterday. I recommend downloading it and going back through the tutorial step-by-step.

  • Carlos Sura

    Hello Steve, I was trying to follow the default configuration for OpenDKIM, I think the installation and configuration that I’ve made it is all good, but, it is not signing my outgoing email….

    I checked everything twice, tail /var/log/maillog, does not show me errors, I’m not sure what is the problem now…

  • http://www.stevejenkins.com/ Steve Jenkins

    @Carlos: Your maillog should still give you some sort of message even if it doesn’t sign. Is there any output from opendkim in your log, such as “not internal” or “no signature data added”?

  • Carlos Sura

    Hi Steve, I’ve already fixed it. It seems to have been a problem with my selector, so I reinstalled again and now it’s working…. Thank you for answering me.

    By the way, nice theme.

  • michal

    Hi,
    I have done everything like your tutorial says. When I try to send email I get:
    Mar 3 18:56:46 qwe postfix/smtpd[20993]: connect from unknown[127.0.0.1]
    Mar 3 18:56:46 qwe postfix/smtpd[20993]: fatal: host/service localhost/20209 not found: No address associated with hostname

    and no mail is sent ;/
    When I change in postfix main.cf
    smtpd_milters = inet:localhost:20209
    non_smtpd_milters = inet:localhost:20209

    to
    smtpd_milters = inet:127.0.0.1:20209
    non_smtpd_milters = inet:127.0.0.1:20209

    mail is sent, but 2 dkim signatures are added like this:

    Delivered-To: [email protected]
    Received: by 10.204.55.15 with SMTP id s15cs11793bkg;
    Thu, 3 Mar 2011 09:29:07 -0800 (PST)
    Received: by 10.204.169.193 with SMTP id a1mr1809154bkz.11.1299173347444;
    Thu, 03 Mar 2011 09:29:07 -0800 (PST)
    Return-Path:
    Received: from xxx.com (myhost.com [f.i.r.stip])
    by mx.google.com with ESMTPS id 20si2102167faw.28.2011.03.03.09.29.06
    (version=TLSv1/SSLv3 cipher=OTHER);
    Thu, 03 Mar 2011 09:29:06 -0800 (PST)
    Received-SPF: neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of [email protected]) client-ip=f.i.r.stip;
    Authentication-Results: mx.google.com; spf=neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of [email protected]) smtp.mail=[email protected]; dkim=neutral (bad format) header.i=@xxx.com
    Received: from xxx.com (unknown [127.0.0.1])
    by xxx.com (Postfix) with ESMTP id 6529748B803C
    for ; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
    X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 6529748B803C
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
    s=default; t=1299177173;
    bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
    h=To:Subject:Message-Id:Date:From;
    b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
    RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
    +pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
    Received: by xxx.com (Postfix, from userid 48)
    id 4F18848B84A2; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
    X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 4F18848B84A2
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
    s=default; t=1299177173;
    bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
    h=To:Subject:Message-Id:Date:From;
    b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
    RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
    +pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
    To: [email protected]
    Subject: subject
    Message-Id:
    Date: Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
    From: [email protected] (Apache)

    sample body

    What can be the problem?

  • http://www.stevejenkins.com/ Steve Jenkins

    @michal: After chatting it over with my buddies on the OpenDKIM-Users mailing list, we agree that it looks like the message is somehow being passed to the filter twice before it gets sent out. Are you running multiple smtpd processes in your Postfix configuration?

    A few ideas for you to try (from the developer of OpenDKIM himself):

    1) Check your Postfix configuration to see if there’s some way the filter might hear about the same message twice.

    2) Check your maillog to see how you might be able to distinguish the two instances. For example, if one is coming in over the localhost address while the other is coming in over some non-localhost address, you could add one or the other to the PeerList so that the filter simply ignores one of them outright.

    3) Have the reinjection step change the From: so that there’s a hit in the SigningTable for one instance of the message but not the other.

    • Salman

      I am having the same issue. I have checked DKIM on Yahoo and it says OK, but on Gmail I am getting neutral (bad format). I have checked /var/log/mail.log. Everything is looking fine. Please help :(

      • Salman

        It’s fixed, guys. The TXT record had an error: missing g=*; k=. It’s working fine now :)
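Salman’s fix above came down to the selector TXT record. The script below is an added example (not from the blog post and not part of OpenDKIM) that checks a DKIM TXT record offline using only the Python standard library: it joins the quoted strings a resolver returns, parses the tag=value list, and verifies that p= is valid base64 that decodes to an RSA SubjectPublicKeyInfo. The SAMPLE_* records and the key bytes inside them are constructed for illustration (the “key” is a fake DER shell with a zeroed modulus, not a real key).

```python
"""Offline sanity check of a DKIM selector TXT record (added example; stdlib only).

Feed it the text from opendkim-genkey's <selector>.txt file or the output of
    dig +short TXT <selector>._domainkey.<domain>
Everything in SAMPLE_* below is constructed for illustration.
"""
import base64
import binascii
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption); it must appear in
# the SubjectPublicKeyInfo that the p= tag carries.
RSA_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed stand-in for a 1024-bit RSA SubjectPublicKeyInfo: correct DER
# framing and OID, followed by 141 zero bytes instead of a real modulus.
FAKE_SPKI = b"\x30\x81\x9f\x30\x0d" + RSA_OID + b"\x05\x00\x03\x81\x8d\x00" + b"\x00" * 141
FAKE_SPKI_B64 = base64.b64encode(FAKE_SPKI).decode("ascii")

SAMPLE_OK = "v=DKIM1; k=rsa; p=" + FAKE_SPKI_B64
# The same record split into several quoted strings, as in a BIND zone file.
SAMPLE_SPLIT = '"v=DKIM1; k=rsa; " "p=%s" "%s"' % (FAKE_SPKI_B64[:40], FAKE_SPKI_B64[40:])
SAMPLE_TESTMODE = "v=DKIM1; k=rsa; t=y; p=" + FAKE_SPKI_B64


def join_txt_strings(raw):
    """Concatenate the quoted strings of a TXT record (RFC 6376 3.6.2.2).
    Unquoted input is returned as-is, so both dig output and zone-file syntax work."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return "".join(parts) if parts else raw.strip()


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is dropped."""
    tags = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError("tag without '=': %r" % field)
        name, value = field.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = "".join(value.split())
    return tags


def check_dkim_record(raw_txt):
    """Return a list of problems; an empty list means the record looks publishable."""
    record = join_txt_strings(raw_txt)
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return ["syntax: %s" % exc]
    problems = []

    # v= is optional, but if present it must be DKIM1 and the first tag (RFC 6376 3.6.1).
    if "v" in tags:
        if tags["v"] != "DKIM1":
            problems.append("v= must be DKIM1, got %r" % tags["v"])
        elif not record.lstrip().startswith("v=DKIM1"):
            problems.append("v=DKIM1 must be the first tag")
    # k= defaults to rsa; opendkim-genkey writes it explicitly.
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=%r" % tags["k"])
    # t=y is testing mode: verifiers must not treat signed mail from the
    # domain differently from unsigned mail, so it buys nothing in production.
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y leaves the domain in testing mode")
    # g= (granularity) was dropped in RFC 6376; verifiers ignore unknown tags,
    # so it is harmless but not required.

    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means 'key revoked'; every signature will fail")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or mangled when pasted?)")
        else:
            if not der.startswith(b"\x30") or RSA_OID not in der:
                problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
            elif len(der) < 162:  # a 1024-bit RSA SPKI is 162 bytes
                problems.append("key is shorter than 1024 bits")
    return problems


if __name__ == "__main__":
    for name, rec in (("ok", SAMPLE_OK), ("split", SAMPLE_SPLIT), ("testmode", SAMPLE_TESTMODE)):
        print(name, check_dkim_record(rec) or "looks fine")
```

Run it against the .txt file opendkim-genkey wrote before pasting the record into DNS, then again against what dig returns after publishing; a non-empty list on the second run but not the first means the record was mangled on the way into the zone.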

  • michal

    @Steve, thank you for your priceless help. After you pointed me in the direction that the filter hears about the message twice, I examined my maillog:

    Mar 5 13:58:06 haha postfix/pickup[14521]: B4C4948B8033: uid=48 from=
    Mar 5 13:58:06 haha postfix/cleanup[14525]: B4C4948B8033: message-id=?
    Mar 5 13:58:06 haha opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
    Mar 5 13:58:06 haha postfix/qmgr[14528]: B4C4948B8033: from=, size=565, nrcpt=1 (queue active)
    Mar 5 13:58:06 haha postfix/smtpd[14532]: connect from unknown[127.0.0.1]
    Mar 5 13:58:06 haha postfix/smtpd[14532]: CE02B48B8032: client=unknown[127.0.0.1]
    Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: [email protected]
    Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: [email protected]
    Mar 5 13:58:06 haha postfix/cleanup[14525]: CE02B48B8032: message-id=
    Mar 5 13:58:06 haha opendkim[23216]: CE02B48B8032: DKIM-Signature header added (s=default, d=example.com)
    Mar 5 13:58:06 haha postfix/qmgr[14528]: CE02B48B8032: from=, size=1157, nrcpt=1 (queue active)
    Mar 5 13:58:06 haha postfix/smtp[14529]: B4C4948B8033: to=, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE02B48B8032)

    The cleanup process was running twice, and every time opendkim added a signature, so I modified my pickup process with -o receive_override_options=no_milters
    and it works like a charm!
    pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027 -o receive_override_options=no_milters
    Again, big thanks to you and the guys over on the mailing list for your help. This tutorial rocks!
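michal’s log above shows the pattern to look for: the message is signed under one queue ID, handed to a content filter on port 10027, and signed again under the queue ID that the reinjection listener assigns. The Python script below is an added example (not from the blog post, OpenDKIM or Postfix) that walks a maillog, links queue IDs through the “queued as” hand-off, and reports any chain carrying more than one “DKIM-Signature header added”. The log lines inside it are constructed to mimic the ones posted; host names, addresses and queue IDs are made up.

```python
"""Find messages that OpenDKIM signed more than once on the way out.

Added example. When Postfix hands a message to a content_filter and the filter
re-injects it over SMTP, the copy goes through cleanup(8) again; unless that
listener has receive_override_options=no_milters, the milter signs it a second
time. The "queued as" text in the smtp(8) delivery line links the two queue IDs.
SAMPLE_LOG is constructed: the first chain is double-signed, the second is not.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 5 13:58:06 haha postfix/pickup[14521]: B4C4948B8033: uid=48 from=<www@example.com>
Mar 5 13:58:06 haha postfix/cleanup[14525]: B4C4948B8033: message-id=<1@example.com>
Mar 5 13:58:06 haha opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/qmgr[14528]: B4C4948B8033: from=<www@example.com>, size=565, nrcpt=1 (queue active)
Mar 5 13:58:06 haha postfix/smtpd[14532]: connect from unknown[127.0.0.1]
Mar 5 13:58:06 haha postfix/smtpd[14532]: CE02B48B8032: client=unknown[127.0.0.1]
Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: a@example.net
Mar 5 13:58:06 haha postfix/cleanup[14525]: CE02B48B8032: message-id=<1@example.com>
Mar 5 13:58:06 haha opendkim[23216]: CE02B48B8032: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/smtp[14529]: B4C4948B8033: to=<a@example.net>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE02B48B8032)
Mar 5 14:02:00 haha postfix/pickup[14521]: 9F9F9F9F9F01: uid=48 from=<www@example.com>
Mar 5 14:02:00 haha postfix/cleanup[14525]: 9F9F9F9F9F01: message-id=<2@example.com>
Mar 5 14:02:00 haha opendkim[23216]: 9F9F9F9F9F01: DKIM-Signature header added (s=default, d=example.com)
Mar 5 14:02:00 haha postfix/smtpd[14532]: 9F9F9F9F9F02: client=unknown[127.0.0.1]
Mar 5 14:02:00 haha postfix/cleanup[14525]: 9F9F9F9F9F02: message-id=<2@example.com>
Mar 5 14:02:00 haha postfix/smtp[14529]: 9F9F9F9F9F01: to=<b@example.net>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.2, delays=0.1/0/0.05/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F9F9F9F9F02)
"""

# syslog timestamp, host, "program[pid]: QUEUEID: message"; lines without a
# queue ID (connect/disconnect, milter startup noise) do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w/.-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$"
)
QUEUED_AS_RE = re.compile(r"queued as (?P<next>[0-9A-F]{6,})")
SIGNED_MARK = "DKIM-Signature header added"


def parse_log(text):
    """Per queue ID: where the message entered, how often it was signed, and
    which queue ID it was handed to (the 'queued as' reply from a content filter)."""
    entries = defaultdict(lambda: {"ingress": None, "signed": 0, "next": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, qid, msg = m.group("prog"), m.group("qid"), m.group("msg")
        e = entries[qid]
        if prog == "postfix/pickup":
            e["ingress"] = "pickup (local submission)"
        elif prog == "postfix/smtpd" and msg.startswith("client="):
            e["ingress"] = "smtpd " + msg.split(",")[0]
        elif prog.startswith("opendkim") and SIGNED_MARK in msg:
            e["signed"] += 1
        elif prog == "postfix/smtp":
            q = QUEUED_AS_RE.search(msg)
            if q:
                e["next"] = q.group("next")
    return entries


def find_double_signed(text):
    """Follow each chain of queue IDs from its head and report chains with >1 signature."""
    entries = parse_log(text)
    targets = {e["next"] for e in entries.values() if e["next"]}
    reports = []
    for qid in entries:
        if qid in targets:
            continue  # not the head of a chain
        chain, seen, cur = [], set(), qid
        while cur and cur not in seen and cur in entries:
            seen.add(cur)
            chain.append(cur)
            cur = entries[cur]["next"]
        signatures = sum(entries[q]["signed"] for q in chain)
        if signatures > 1:
            reports.append({
                "chain": chain,
                "signatures": signatures,
                "ingress": [entries[q]["ingress"] for q in chain],
            })
    return reports


if __name__ == "__main__":
    for r in find_double_signed(SAMPLE_LOG):
        print("%s signed %d times; entered via %s"
              % (" -> ".join(r["chain"]), r["signatures"], " then ".join(map(str, r["ingress"]))))
```

The “ingress” of the second hop (smtpd on 127.0.0.1) is the listener that needs no_milters in master.cf, which is exactly the fix michal and, further down, Steve’s amavisd-new note arrive at.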

  • http://gurucube.com Thierry

    You forgot to copy opendkim-genkey from /usr/local/src/opendkim to /usr/local/bin

    cd /usr/local/sbin/

    cp /usr/local/src/opendkim-2.3.0/opendkim-genkey /usr/local/sbin

    opendkim-genkey -D /etc/mail/dkim/keys/test.com/ -d test.com -s default

    Regards, from Argentina

    • http://www.stevejenkins.com/ Steve Jenkins

      Hi, Thierry. Manually copying opendkim-genkey to /usr/local/bin isn’t necessary. The make install command automatically places all the necessary opendkim-* files in that directory. If it didn’t on your system, verify that you used the right permissions (root) when you ran the make install command, since by default /usr/local/bin is owned and writeable only by root.

  • Ruslan Conk

    Help Me. Problem starting opendkim

    Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory

    • http://www.stevejenkins.com/ Steve Jenkins

      @Ruslan: I need a bit more info. What system? Did you follow these steps EXACTLY? Do “updatedb” and then “locate opendkim” – does it find it on your system anywhere?

  • Pingback: smtp port - Zimbra :: Forums

  • http://sportaxy.com Evgeny

    Greatest ever blog post! Thanks a lot for such detailed information!!!
    Worked like a charm

  • h16h

    I had same issue trying to start OpenDKIM.

    Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory

    The following is my setup:

    CentOS release 5.6 (Final)
    Postfix 2.3.3
    OpenDKIM 2.3.2

    executing as root and SELinux = disabled.

    OpenDKIM 2.2.2 installs and starts fine however.

  • Mauro

    Hi steve,

    Good tutorial, but I have two problems:

    1. I’ve installed dkim and dk-milter, but when I restart dk-milter I get this message:
    chgrp: cannot access `inet:10035@localhost': No such file or directory
    chmod: cannot access `inet:10035@localhost': No such file or directory

    main.cf
    smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209
    non_smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209

    dk-milter
    PORT="inet:10035@localhost"

    2. I must also use SpamAssassin, but when I insert this line in master.cf emails come back with the message “service unavailable”

    smtp inet n - n - - smtpd -o content_filter=spamd

    Help me please!

    • Branz

      I think you need to find this line in /etc/init.d/dk-milter:

      if [[ ! -z $(echo $PORT |grep "local") && $RETVAL -eq 0 ]];

      then change this to:

      if [[ -z $(echo $PORT |grep "inet") && $RETVAL -eq 0 ]];

      Hope it helps!!

  • john

    I had the same error as Ruslan:
    Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory

    I have no clue how that happened since I definitely ran everything as root. I did fix the issue using this command.

    cp /usr/local/src/opendkim-2.3.2/opendkim/opendkim /usr/sbin

  • neil

    Hi steve,

    this is a very good and easy to understand tutorial.

    I followed your tutorial and was able to install it, but I get the following error in the maillog when I try to send a mail.

    May 27 01:59:01 sr postfix/cleanup[25854]: warning: connect to Milter service inet:127.0.0.1:20209: Connection refused

    Thanks,
    Neil

  • http://www.friendlyphotozone.com GoremanX

    Excellent howto. Just a couple of quick notes:

    ADSPAction doesn’t appear to work anymore. Looks like it should be ADSPDiscard (with “yes” or “no” as accepted parameters)

    In my case, opendkim was adding a DKIM Signature header twice. Once when the email was initially received, and again after going through amavisd-new. Amavis wasn’t re-signing it, for some reason postfix signed it each time. Disabling Amavis as a content filter eliminated the problem, but now my outgoing mail doesn’t get scanned for viruses anymore.

    • http://www.stevejenkins.com/ Steve Jenkins

      Thanks for the heads up on the ADSPAction. I’ll check that.

      Concerning amavisd-new, check the 127.0.0.1:10025 inet n - n - - smtpd section in your master.cf. Add no_milters to the end of your -o receive_override_options line so that it looks like this:

      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

      Then restart Postfix and Amavisd. That should solve your problem. I’ve added this tip to my Amavis-new tips blog post.

      • http://www.friendlyphotozone.com GoremanX

        That worked perfectly, thank you.

  • Pingback: Tips for installing Amavisnew, ClamAV, and SpamAssassin using Postfix on Fedora 12 – Steve Jenkins' Blog

  • Mauro

    Hi Steve,

    If I add ADSPDiscard it gives an error….
    ADSPDiscard Yes
    Stopping OpenDKIM Milter: [ OK ]
    Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 5: unrecognized parameter

    I have a big problem too: I installed and configured opendkim on a server that hosts mail marketing software, and when sending a newsletter the validation fails, with this message:

    Signature verification failed, message may have been tampered with or corrupted

    Validating Signature

    result = fail
    Details: Body Has Been Altered

    Can you help me…

  • Branz

    Hi Steve, thank you for this very great tutorials!! It really works!!

  • Carlos Sura

    Hello Steve, I followed your steps (updated) and I get this message: opendkim[1045]: can’t write pid to /var/run/opendkim/opendkim.pid: Permission denied

    In /var/log/maillog

    Any ideas?

  • Carlos Sura

    Steve, nevermind, I just reinstalled everything and set the permission twice and it worked fine. Still, nice tutorial indeed.

    • http://www.stevejenkins.com/ Steve Jenkins

      Cool – glad to see you got it working. The permissions should be created properly on the useradd command, but I’ll add an extra step in there to manually set them just in case.

  • David

    Any ideas on what could cause this?

    dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed

    This happens every time I try to send mail from a telnet session on localhost. I have double checked permissions and everything and I still get that error.

    Any insight would be appreciated.

  • Paul

    Superb post, installed and working seamlessly :)

    Thanks!
    – Paul

  • http://www.agroarticles.info Raminda Subhashana

    Hi Steve,

    Thanks for your nice article. I finished everything according to your instructions, but when I start OpenDKIM, check the log below:

    Jul 13 11:06:45 relay opendkim[16642]: OpenDKIM Filter: Unable to create listening socket on conn inet:20209@localhost
    Jul 13 11:06:45 relay opendkim[16642]: smfi_opensocket() failed
    Jul 13 11:06:45 relay opendkim[10817]: exited with status 69, restarting
    Jul 13 11:06:45 relay opendkim[16643]: OpenDKIM Filter: Unable to bind to port inet:20209@localhost: Address already in use

    I’m using MailScanner 4.83. Is it a conflict with MailScanner, or can I change the OpenDKIM port? Please help…….

    Thanks,
    Raminda

    • Ed Davis

      I’m commenting on the 7 month old post from Raminda on July 13, 2011. I have been getting similar error messages.

      Starting OpenDKIM Milter: opendkim: smfi_opensocket() failed
      OpenDKIM Filter: Unable to bind to port inet:8891@localhost: Cannot assign requested address
      OpenDKIM Filter: Unable to create listening socket on conn inet:8891@localhost

      I have not figured out the true cause of my problem but I have stumbled upon a workaround.

      In /etc/opendkim.conf I changed …
      Socket inet:8891@localhost
      to …
      Socket inet:[email protected]

      In /etc/mail/sendmail.mc I changed …
      INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')dnl
      to …
      INPUT_MAIL_FILTER(`opendkim', `S=inet:[email protected]')dnl

      I can’t explain why this is a fix. I’m 7 months late to help Raminda but maybe another googler will find this helpful.

      • Zack

        Thank you, Ed. This solved it…

  • Paul

    Great tutorial, thanks a lot.

    I’m having a hard time telling if my DKIM is working or not.

    Brandon’s DKIM checker says it’s OK, but when I send to Gmail, I see that the DKIM signature is being added. However, Gmail is not showing that an “Authentication-Results” header has been added.

    I was previously having problems, and Gmail did add an “Authentication-Results” header. Is this header only added when the DKIM verification fails, or should there be one when DKIM passes too?

  • Jeff McCarrell
    • http://www.stevejenkins.com/ Steve Jenkins

      Glad you got it installed, Jeff. And thanks for the heads up on the typo (fixed!).

  • Pingback: Installing OpenDKIM via RPM with Postfix or Sendmail (for RHEL / CentOS / Fedora) – Steve Jenkins' Blog

  • http://www.easistent.com gEMboO0

    Great tutorial, thank you very much.

    One tip for everyone though: I recommend executing the chown command at the end, especially if you created files using

    touch /etc/opendkim/KeyTable (if run by root, the opendkim user won’t be allowed to access the file)

    So, when finished with everything, if mail doesn’t get sent with OpenDKIM enabled, run chown again.

    chown -R opendkim:opendkim /etc/opendkim

    Bye:)

  • Nick

    Great tutorial Steve!

    I have everything set up correctly, except it’s not actually signing the emails and there is nothing related to SIGNING in the log. Startup info is in the log, but no error or anything when a piece of mail is sent.

    I can only think it’s because I have my domain on another server; would this be correct? I set up the DNS on the other server with the DKIM key, but do I need to set up a subdomain and point it to the server with opendkim on it as well? Or can I simply have ANY domain be on the opendkim server (even if it’s not the “sending / from” domain)?

    The only other thing I can think of, in the event that I can use ANY domain on the opendkim server and it doesn’t have to be the SENDING server (from name domain), is that it could be because I am testing with Amazon SES on the command line and it doesn’t necessarily fill out the return path properly.

    Wish I could get more info from the log file, but it’s just not even signing anything or giving me any info!

    Thanks for any help anyone..

  • Donnie

    Hi
    Excellent Howto and good tutorial.

    I followed your tutorial and was able to install it, but I get the following header in Hotmail when I check it.

    x-store-info:4r51+eLowCe79NzwdU2kRyU+pBy2R9QC3Jx2/BsS+hK7OuBZi7BRB/Is4oUCB0t5q3uTQvBaMi+N7tkkYUjPs8IELCmQgn/yVn9uPYmce2L0EJqvUykwYg==

    Authentication-Results: hotmail.com; sender-id=temperror (sender IP is xx.xx.xxx.x) header.from=[email protected]; dkim=none header.d=test.com; x-hmca=none

    X-Message-Status: n:0:n

    and I don’t see any DKIM or DomainKeys signature headers in my source..

    Thanks in advance

    • http://www.stevejenkins.com/ Steve Jenkins

      Unless you own the test.com domain (and I’m assuming you don’t), then the Hotmail test SHOULD fail on this example. DKIM checks the signature in your header against the one published in the DNS record for the stated domain. And if you don’t see any DKIM sig in your header, then something’s not set up right. Have you gone through all the troubleshooting steps? If so, have you turned on LogWhy? That should tell you why it’s failing. If that still doesn’t help, come ask your question on the OpenDKIM-Users mailing list. I’m sure we can get it sorted out over there. :)

  • sharol

    Hello
    Can anyone tell me simple steps which can do these things automatically?
    I use Interspire, VPS, Linux, CentOS.

    please assist

    • http://www.stevejenkins.com/ Steve Jenkins

      Hit the link at the top of the article about using Yum to install. That’s as automated as it gets. :)

  • Pingback: installing opendkim,make permanent changes on /opt/zimbra/postfix/conf/main.cf - Zimbra :: Forums

  • Stacker

    Hi,
    If I use multiple Postfix instances (with separate config directories), should your guide work?

    Thanks,
    StaCker

  • Denis

    Hi Steve,

    thank you for this howto.
    Like Neil, I got a “connect to Milter service inet:127.0.0.1:20209: Connection refused” in my log.
    I am on Debian Lenny, so I have used the “generic” script found in contrib/init.
    When I start dkim by doing “/etc/init.d/opendkim start” I get no message at all…
    Could you help me find the problem?
    Sorry for my English level, which is as good as my Linux level.

    Thanks again
    Denis

  • Denis

    Hi all,
    I answer to myself.
    Thanks to Murray help, I saw that opendkim wasn’t running at all after the start command.
    The problem was that the PATH in opendkim.conf was on usr/sbin and not usr/local/sbin.
    thanks for your help
    Denis

  • sateesh

    Configured OpenDKIM and reverse DNS, but mail is still going to spam.

    This is the error log
    Jun 28 21:16:08 postfix/cleanup[16658]: CB94F231EB7: message-id
    Jun 28 21:16:08 postfix/qmgr[16654]: CB94F231EB7: from=<root@fi
    Jun 28 21:16:10 postfix/pickup[16653]: 43EB7231EBB: uid=0 from=
    Jun 28 21:16:10 postfix/cleanup[16658]: 43EB7231EBB: message-id
    Jun 28 21:16:10 postfix/qmgr[16654]: 43EB7231EBB: from=<root@fi
    Jun 28 21:16:13 postfix/smtp[16660]: CB94F231EB7: to=<sateesh.h 8, delays=0.07/0.01/0.99/3.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1340878473 pv
    Jun 28 21:16:13 postfix/qmgr[16654]: CB94F231EB7: removed
    Jun 28 21:16:13 postfix/smtp[16664]: 43EB7231EBB: to=<sateesh.h 5, delays=0.05/0.01/0.94/2.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1340878473 ps
    Jun 28 21:16:13 postfix/qmgr[16654]: 43EB7231EBB: removed

  • Pingback: How to easily setup opendkim on Centos for DKIM key signing! - AffJohnAffiliate John!

  • JK

    If you’re receiving the following errors in your maillog :

    .. no signing table match for
    .. no signature data

    Then try changing this in your SigningTable file :

    *@example.com default._domainkey.example.com

    to this, without the * :

    @example.com default._domainkey.example.com

    Worked for me on CentOS 64 bit, and a few others reported the same in a google search.

    Man file : http://www.opendkim.org/opendkim.conf.5.html

    Also, to the author, thanks for the tute, you may want to move the DNS chapter up a little, I didn’t notice it until well after I finished installation, and even then it was only by chance.

    • http://www.stevejenkins.com/ Steve Jenkins

      Hi, JK. Thanks for the comment. Out of curiosity, do you have “file:” or “refile:” in front of the SigningTable location in your opendkim.conf file? That makes a difference regarding whether the wild card * will work!

  • Pingback: Installing OpenDKIM RPM via Yum with Postfix or Sendmail (for RHEL / CentOS / Fedora) _1 - 眺海

  • Pingback: » Installing OpenDKIM RPM via Yum with Postfix or Sendmail (for RHEL / CentOS / Fedora) _1

  • Matt Cain

    Thanks Steve,

    To also have OpenDKIM sign postfix generated bounce messages add this line to main.cf:

    internal_mail_filter_classes = bounce,notify

  • http://chrishecker.com Chris Hecker

    I got this working with SELinux enabled finally. You will just need a custom policy like this:

    module postfixcleanupopendkim 1.0;

    require {
    type postfix_smtpd_t;
    type postfix_cleanup_t;
    class tcp_socket { read write };
    }

    #============= postfix_cleanup_t ==============
    allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { read write };

    Not sure why it’s not part of the rpm, but there you go.

    • http://twitter.com/jnalley Jonathan Nalley

      @Chris Hecker, thanks so much for that custom policy, just what I needed. It’s relevant on RHEL/Centos 6.x with postfix 2.6.6 and I’d recommend you post it on Steve’s other blog post about doing this same thing on 6.x.

      • http://www.stevejenkins.com/ Steve Jenkins

        Hey, Jonathan. I’ve actually been swapping emails with Chris in the hopes of getting his policy in the next version of the packaged files. Fedora 18 has a policy built in, but I’ll need to install a custom one for RHEL 5 & 6, and Fedora 16 & 17. I’m hoping to have it ready for the next update.

  • Antonio Díaz Meneses

    Hello Steve!

    Thanks for this great how-to.

    When I sent an email using the email server I got this:

    Jan 9 12:16:21 correo postfix/smtpd[16288]: connect from unknown[172.30.2.36]
    Jan 9 12:16:22 correo postfix/smtpd[16288]: 7BF5FA1B8045: client=unknown[172.30.2.36], sasl_method=LOGIN, sasl_username=antonio.diaz
    Jan 9 12:16:22 correo postfix/cleanup[16313]: 7BF5FA1B8045: message-id=
    Jan 9 12:16:22 correo opendkim[16211]: 7BF5FA1B8045: DKIM-Signature header added (s=default, d=example.com.ec)
    Jan 9 12:16:22 correo postfix/qmgr[16285]: 7BF5FA1B8045: from=, size=2861, nrcpt=1 (queue active)
    Jan 9 12:16:22 correo postfix/local[16314]: 7BF5FA1B8045: to=, relay=local, delay=0.78, delays=0.77/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
    Jan 9 12:16:22 correo postfix/qmgr[16285]: 7BF5FA1B8045: removed
    Jan 9 12:16:25 correo postfix/smtpd[16288]: disconnect from unknown[172.30.2.36]

    That is good

    But when I try to fake the identity of a sender from a foreign host I get this:

    Jan 9 12:20:41 correo postfix/smtpd[16321]: connect from mail.attacker.com [211.211.111.59]
    Jan 9 12:20:54 correo postfix/smtpd[16321]: 49A67A1B8045: client=mail.attacker.com[211.211.111.59]
    Jan 9 12:20:59 correo postfix/cleanup[16326]: 49A67A1B8045: message-id=
    Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): mail.attacker.com [211.211.111.59] not internal
    Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): not authenticated
    Jan 9 12:20:59 correo postfix/qmgr[16285]: 49A67A1B8045: from=, size=480, nrcpt=1 (queue active)
    Jan 9 12:20:59 correo postfix/local[16327]: 49A67A1B8045: to=, relay=local, delay=11, delays=11/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
    Jan 9 12:20:59 correo postfix/qmgr[16285]: 49A67A1B8045: removed

    I need to reject (or discard) this kind of attempts when someone tried to send email messages with sender *@example.com from another non-authorized smtp host.

    Thanks for your appreciated help!

    • Antonio Díaz Meneses

      Hello Steve!

      Messages with unverified DKIM remain in quarantine in a third-party software, which is actually best, because I can manage those messages.

      I have a question … how can I make messages that come in SASL-authenticated, regardless of source IP address, get the DKIM signature so that they are considered valid messages?

      Again, Thanks for your help.

  • Probot

    HI!
    You should change the
    Canonicalization relaxed/simple

    to
    Canonicalization relaxed/relaxed

    (Google also uses relaxed/relaxed); otherwise Yahoo would fail with the DKIM permerror (bad sig).

    Greetz

    • http://www.stevejenkins.com/ Steve Jenkins

      Agreed. I’ve made the change. :) Thanks!

  • http://www.realpage.com Kevin Gibbs

    Hey Steve. Thank you for an excellent tutorial. Postfix is talking to OpenDKIM, etc. I’ve gotten past all my issues using maillog except a final one.. No output.. The last issue I had was “key not secure”, and I chowned it to opendkim.opendkim and chmod’d it to 600. Restarted all and now I get no log message.. No error, BUT also no message saying a mail was signed… Any ideas? Does Why=yes still verbosely log a successfully signed message? Thanks!

  • http://www.realpage.com Kevin Gibbs

    Steve, I figured out my own issue.. If you use the yum install (I’m on RHEL 6.3) it defaults the mode to “v” rather than “sv”.. Might be helpful for future users. Thanks again for the tutorial!

  • Pingback: What is a DMARC record and how to add it |

  • jjsolutions

    Hi, I made a small script for generating a DKIM key on CentOS 6.x.
    It is well tested and will help you guys …

    #############################################
    #                                           #
    #         OPENDKIM INSTALLATION             #
    #                                           #
    #############################################

    ############# PRE-INSTALLATION STATUS #############################

    # Find OS name and details
    echo -e " os name is `cat /etc/issue`"

    # you must be logged in as root
    echo -e " You are logged in as `who`"

    #checking version of postfix
    echo -e "`postconf mail_version`"

    #Checking Sendmail status
    echo -e "`service sendmail status`"

    ############ INPUTS #####################
    # Enter Hostname
    echo -e "Enter Hostname "
    read host

    # Enter domain-name
    echo -e "Enter domain name"
    read domain

    #Enter selector
    echo -e "Enter selector "
    read select

    ######## DOWNLOAD AND INSTALLATION OF OPENDKIM PACKAGE ###########
    cd /usr/local/src
    # Download data (the SourceForge /download URL redirects, so name the output file explicitly)
    wget -O opendkim-2.4.2.tar.gz http://sourceforge.net/projects/opendkim/files/Previous%20Releases/opendkim-2.4.2.tar.gz/download

    ## Installation of packages .
    yum install sendmail-devel openssl-devel -y
    yum install gcc -y
    yum install make -y
    tar zxvf opendkim-2.4.2.tar.gz
    cd opendkim-2.4.2
    ./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
    make
    make install
    # opendkim group plus a system account with no login shell, also in the mail group
    groupadd opendkim
    useradd -g opendkim -G mail -s /sbin/nologin -c "OpenDKIM" opendkim
    mkdir /var/run/opendkim
    chown opendkim:opendkim /var/run/opendkim
    chmod 700 /var/run/opendkim
    mkdir -p /etc/opendkim/keys
    chown -R opendkim:opendkim /etc/opendkim
    chmod -R go-wrx /etc/opendkim/keys
    cp /usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim /etc/init.d/
    chmod 755 /etc/init.d/opendkim

    ############################ CONFIGURATION ##############################
    ##### Generate key for signing #######
    mkdir /etc/opendkim/keys/$domain
    /usr/local/bin/opendkim-genkey -D /etc/opendkim/keys/$domain/ -d $domain -s $select
    chown -R opendkim:opendkim /etc/opendkim/keys/$domain
    mv /etc/opendkim/keys/$domain/$select.private /etc/opendkim/keys/$domain/$select

    ########## EDIT Configuration file /etc/opendkim.conf ##########
    echo -e "AutoRestart Yes
    AutoRestartRate 10/1h
    Canonicalization relaxed/simple
    ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
    InternalHosts refile:/etc/opendkim/TrustedHosts
    KeyTable refile:/etc/opendkim/KeyTable
    LogWhy Yes
    Mode sv
    PidFile /var/run/opendkim/opendkim.pid
    SignatureAlgorithm rsa-sha256
    SigningTable refile:/etc/opendkim/SigningTable
    Socket inet:8891@localhost
    Syslog Yes
    SyslogSuccess Yes
    TemporaryDirectory /var/tmp
    UMask 022
    UserID opendkim:opendkim" > /etc/opendkim.conf

    ##### CREATE FILE /etc/opendkim/KeyTable #######
    touch /etc/opendkim/KeyTable
    echo -e "$select._domainkey.$domain $domain:$select:/etc/opendkim/keys/$domain/$select" > /etc/opendkim/KeyTable

    ###### CREATE FILE /etc/opendkim/SigningTable ########################
    touch /etc/opendkim/SigningTable
    echo -e "* $select._domainkey.$domain" > /etc/opendkim/SigningTable

    ###### CREATE FILE /etc/opendkim/TrustedHosts ######
    touch /etc/opendkim/TrustedHosts
    echo -e "127.0.0.1
    $host" > /etc/opendkim/TrustedHosts

    #### ADD Lines In Postfix/main.cf #####
    # \$ keeps Postfix's own $smtpd_milters reference literal instead of expanding an (empty) shell variable
    echo -e "smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = \$smtpd_milters
    milter_default_action = accept
    milter_protocol = 2" >> /etc/postfix/main.cf

    ###### RESTART SERVICES ################################
    hash -r
    service opendkim restart
    service postfix restart
    chkconfig --level 2345 opendkim on

    ############## TROUBLE-SHOOTING ###########
    ### FOR DKIM KEYS ####

    cat /etc/opendkim/keys/$domain/$select.txt

    ############ Good LUCK #############

    • http://www.stevejenkins.com/ Steve Jenkins

      Thanks – that script looks good, but I think it’s even easier just to install the EPEL repo in CentOS and do ‘yum install opendkim’ :)

      • jjsolutions

        But it will automatically update the opendkim configuration files.
        Thanks for considering my script. I am new to OpenDKIM and am learning new things about it. Thanks again..

  • http://www.winefetch.com Steve

    Thanks for the tutorial. I followed it, have it installed, but for some reason I’m receiving a “no signing table match for [email protected]”. I run an outgoing email marketing server for multiple clients and I’m not sure if that’s the issue. I tried setting the email [email protected] directly into the SigningTable file; that didn’t work. I tried wildcarding the emails like you suggested; didn’t work. I tried setting the ReturnPath email in the SigningTable file; didn’t work. I tried

    Any thoughts on what’s going on or what I can try?

    Cheers!

  • Ruben Sedano

    Hi Steve, I have a question for you: in the signing table, is it possible for an email *@mydomain.com to have two DKIM-Signature headers? For example, I have domain1.com and domain2.com, and I want to add two DKIM signature headers (domain1.com and domain2.com) to email from domain2.com.
    Is it possible using the SigningTable file? I tried the following but I can’t add the signatures:

    *@domain2.com mail._domainkey.domain2.com
    *@domain2.com mail._domainkey.domain1.com

    It only adds 1 signature, and it was the first one.
    Best Regards.

  • Pingback: What is a DMARC record and how to add it - Techarena51

  • http://gravatar.com/mtandarbeni sam_iben

    After I read your posting, I finally succeeded in adding the signature private key,
    and I succeeded in adding the DNS record; I have checked my selector via a web checker and it appears.
    But until now I’m confused, because there isn’t any error in my log

    Aug 1 15:09:43 jiepzmco601 opendkim[4238]: D855E84C96: DKIM-Signature header added (s=default, d=e.example.com)
    Aug 1 15:15:49 jiepzmco601 opendkim[4238]: OpenDKIM Filter: mi_stop=1
    Aug 1 15:15:49 jiepzmco601 opendkim[4238]: OpenDKIM Filter v2.6.7 terminating with status 0, errno = 0
    Aug 1 15:15:50 jiepzmco601 opendkim[12850]: OpenDKIM Filter v2.6.7 starting (args: -x /etc/opendkim.conf -P /var/run/opendkim/opendkim

    But if I send mail to a user, it is not authenticated, like below:

    Authentication-Results: mta1064.mail.ne1.yahoo.com from=e.example.com; domainkeys=neutral (no sig); from=e.example.com; dkim=neutral (no sig)