Update! RPMs and Yum now available.
I now build and maintain pre-built RPM packages of OpenDKIM for RHEL/CentOS and Fedora, which are available with Yum. For a much quicker and easier way to install OpenDKIM, read this.
Or, if you still prefer to go old-skool and compile your own binaries from source, or if you’re building on a non-RedHat system, the following instructions will still work fine… they just require more effort. If you want to build your own RPMs, you can also download SRPMs for OpenDKIM.
Build Your Own OpenDKIM Binaries
If you’d like to get DKIM working on an RHEL or CentOS box running Postfix, here’s how to do it (I’ve also verified these same steps work on a Fedora box). I had previously used dkimproxy, and had unsuccessfully tried dkim-milter before making the switch to OpenDKIM. Both other methods may work for some, but OpenDKIM is the most current and the easiest way to get DKIM working, so that’s what I recommend now.
For more information about DKIM and why you want to be running it on your mail server, check out http://www.dkim.org/. Now, on with the show!
Before you start
This tutorial assumes the following:
- You are running a “modern” RedHat-compatible Linux distro (RHEL 5, CentOS 5, Fedora, etc). I was running CentOS 5.5 when I did this.
- You are running Postfix 2.3.3 or better (do postconf -d mail_version to check).
- Your Postfix configuration is currently working (this is very important – you don’t want to troubleshoot two programs at once).
- Sendmail is turned off (do service sendmail status to verify).
- The necessary commands in this tutorial are done as root. If you don’t know what that means, then you probably shouldn’t be doing this. You may be able to get away with just using sudo, but I wanted to make sure I didn’t run into any path issues, so I do it as root.
Of course, these steps will probably work with slighter earlier or slightly later versions of RHEL/CentOS and/or Postfix, but those are the versions I used to get DKIM working (update: I now run Postfix 2.8 on a few of my servers just fine with this setup).
Download and install OpenDKIM
Again, if you’re on a Fedora, RHEL, CentOS, or other RedHat compatible system, I strongly recommend you install the OpenDKIM RPM package from the EPEL repository by following these directions.
Otherwise, go to http://www.opendkim.org/ and hit the Download link to download the software. Save it to /usr/local/src on your server. For this HowTo, I used OpenDKIM version 2.4.2, which was released on August 6, 2011.
You’ll also need to install the OpenSSL and Sendmail development packages, because they contain some secret herbs and spices (otherwise known as “libraries”) you need to get OpenDKIM working. Do:
yum install sendmail-devel openssl-devel
Extract, configure, compile, and install OpenDKIM with:
tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install
Note that the ./configure command includes a few very important flags, which will be passed into the startup script that’s created when the configure command runs. The first tells the system where OpenDKIM’s conf file will be located, the second sets the preferred prefix for some other important file locations, and the final one controls the directory where the PID file for OpenDKIM will be stored. If none of this makes any sense to you, that’s ok – just be sure to use those flags when you run configure, since they are the settings used throughout this tutorial.
Also, it’s important to note that the make install command must be performed as root (or using sudo), since it needs to install files in the /usr/local/bin directory.
Create a new user and home directory
Add a new system group and a new user for OpenDKIM, both called opendkim, with the following options:
groupadd -r opendkim
useradd -r -g opendkim -G mail -s /sbin/nologin -d /var/run/opendkim -c "OpenDKIM" opendkim
The useradd command will:
- create a new system account (-r) called opendkim,
- make the opendkim group you just created its primary group (-g; useradd does not create this group itself, which is why groupadd runs first),
- set its home directory (-d) to /var/run/opendkim (a system account’s home directory is not created automatically, so you’ll create it in the next step),
- also add opendkim to the mail group (-G),
- assign no shell access to this user (-s), and
- set the account comment to “OpenDKIM” (-c).
Because useradd -r doesn’t create the home directory, create it now and make sure only the opendkim user can get at it. This directory will hold OpenDKIM’s PID file, so it must exist before the daemon starts:
mkdir -p /var/run/opendkim
chown opendkim:opendkim /var/run/opendkim
chmod 700 /var/run/opendkim
Create working directories
Make some new directories for OpenDKIM and give them the proper ownership and permissions with:
mkdir -p /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-wrx /etc/opendkim/keys
Copy the startup script to /etc/init.d/
Starting with version 2.3.0, OpenDKIM’s source package includes a contrib directory that contains a custom init script (written by yours truly) for use with all RedHat-compatible systems, including Fedora and CentOS. You can copy it to your /etc/init.d/ directory to make starting, stopping, restarting, and reloading OpenDKIM easy. Just do:
cp /usr/local/src/opendkim-2.4.2/contrib/init/redhat/opendkim /etc/init.d/
Now set the correct permissions for the init script with:
chmod 755 /etc/init.d/opendkim
Generate keys for signing
Now you’re getting to the good part. You need to generate a private and a public key for each of the domains for which you wish to sign mail. The private key is stored away from prying eyes on your server, while the public key gets published in your domain’s DNS records so that receiving mail servers can verify your DKIM-signed mail. If you’re hard-core, you can build the keys manually. Or, you can use the fancy script included with OpenDKIM to do it for you. I’ve manually generated enough keys in my life and have nothing to prove, so I use the script.
Before running this script, decide now what the name of your selector is going to be. A selector is a unique keyword that is associated with both keys (public and private), included in all the signatures, and published in your DNS records. For simplicity, I use the word default as my default selector. Not very creative, but it’s effective. Feel free to choose something different, but if you do, you’ll need to use it consistently throughout your setup. Also, while this should go without saying, you should use your mail domain instead of example.com throughout the following steps.
Create your keys with:
mkdir /etc/opendkim/keys/example.com
/usr/local/bin/opendkim-genkey -D /etc/opendkim/keys/example.com/ -d example.com -s default
chown -R opendkim:opendkim /etc/opendkim/keys/example.com
mv /etc/opendkim/keys/example.com/default.private /etc/opendkim/keys/example.com/default
You can do a man opendkim-genkey if you’re interested in the additional options available when creating your keys. In this example, I used the -D (directory) option, the -d (domain) option, and the -s (selector) option. That’s all you need to get this going. One more option is worth knowing about: opendkim-genkey produces a 1024-bit RSA key unless you pass -b, and 2048 bits (-b 2048) is the size you should prefer today. A 2048-bit public key is too long for a single 255-character TXT string, so opendkim-genkey splits it into several quoted strings in the .txt file it writes; make sure your DNS provider’s editor accepts that form.
Edit configuration files
You’re getting really close now. You need to create or edit four files:
- /etc/opendkim.conf – OpenDKIM’s main configuration file
- /etc/opendkim/KeyTable – a list of keys available for signing
- /etc/opendkim/SigningTable - a list of domains and accounts allowed to sign
- /etc/opendkim/TrustedHosts – a list of servers to “trust” when signing or verifying
Use your favorite text editor to create an /etc/opendkim.conf file that looks like this:
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
MinimumKeyBits 1024
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim
You can do man opendkim.conf for more information on each of the options.
Next, you’ll need to create the three text files referenced in your config file. First, using your favorite text editor, create an /etc/opendkim/KeyTable file that looks like this:
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default
The KeyTable file tells OpenDKIM where to find your keys. Each key gets exactly one line, in the form keyname domain:selector:path-to-private-key (so all of the text in the above example should be on a single line in your file). If you’re going to use multiple keys (to sign mail for virtual domains with different keys, for example), you’ll need to add a separate line in the KeyTable file for each domain.
Next, create an /etc/opendkim/SigningTable file that looks like this:
*@example.com default._domainkey.example.com
The SigningTable file tells OpenDKIM how to use your keys, as in which senders should use which selectors for their signatures. In the above example, I’m saying that everyone (*) sending mail from the server “example.com” should use the selector named “default.” It’s important to note that the * wildcard symbol will only work if the SigningTable option uses the refile: prefix before the filename (see the opendkim.conf documentation for more details).
Now create an /etc/opendkim/TrustedHosts file that looks like this:
127.0.0.1
hostname1.example1.com
hostname2.example1.com
example1.com
hostname1.example2.com
hostname2.example2.com
example2.com
The TrustedHosts file tells OpenDKIM who to let use your keys. Because it’s referenced by the ExternalIgnoreList directive in your conf file, OpenDKIM will ignore this list of hosts when verifying incoming mail. And, because it’s also referenced by the InternalHosts directive, this same list of hosts will be considered “internal,” and OpenDKIM will sign their outgoing mail.
IMPORTANT: Make sure you list the IP address for localhost (127.0.0.1) in the TrustedHosts file or OpenDKIM won’t sign mail sent from this server. If you have multiple servers on the same network that relay mail through this server and you want to sign their mail as well, they must be listed in the TrustedHosts file. Put each entry on its own line. An entry can be a hostname, domain name (e.g. “example.com”), IP address, an IPv6 address (including an IPv4-mapped address), or a CIDR-style IP specification (e.g. “192.168.1.0/24”). Bear in mind that every host on this list can get mail signed with your private key, so list only hosts you actually control.
It should also go without saying (but I’ll say it anyway) that if you’re planning to sign outgoing mail for remote hosts, your Postfix should have been previously configured to allow relaying for those hosts, as “explained” here… although, when referring to Postfix’s programmer-centric documentation, I generally use the term “explain” very loosely.
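To see how OpenDKIM will actually use these three files before you wire it into Postfix, here is an added example, written for this page rather than taken from OpenDKIM or the original tutorial. It parses a KeyTable, SigningTable and TrustedHosts in the layouts shown above, emulates the sender lookup (first matching SigningTable glob, then the KeyTable entry it names) and flags the mistakes that silently leave mail unsigned: a SigningTable entry naming a key that isn’t in the KeyTable, a relative key path, and a TrustedHosts file that doesn’t cover 127.0.0.1. It goes one step beyond the single-domain setup above by carrying two signing domains. Assumptions: refile: patterns are treated as globs in which only * is special, matching is case-insensitive, and only IP/CIDR entries in TrustedHosts are evaluated (hostnames are left to OpenDKIM’s own resolver).

```python
"""Consistency check and signing lookup for the OpenDKIM tables built above.

Added example, not part of OpenDKIM or the original tutorial.  Assumptions:
the tables use the 'key value' layout shown above, SigningTable patterns are
'*'-only globs (refile:), and address matching is case-insensitive.
"""
import ipaddress
import re


def parse_table(text):
    """Return [(key, value)] from 'key value' lines; blanks and # comments skipped."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed table line: {raw!r}")
        rows.append((parts[0], parts[1].strip()))
    return rows


def parse_key_table(text):
    """KeyTable lines are: keyname  domain:selector:path-to-private-key"""
    keys = {}
    for name, spec in parse_table(text):
        fields = spec.split(":")
        if len(fields) != 3:
            raise ValueError(f"KeyTable entry {name!r} is not domain:selector:path")
        keys[name] = {"domain": fields[0], "selector": fields[1], "path": fields[2]}
    return keys


def refile_match(pattern, value):
    """refile: patterns are shell-style globs where only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def signing_key_for(sender, signing_table, key_table):
    """Emulate the lookup OpenDKIM does with SigningTable + KeyTable.

    The first SigningTable pattern matching the sender wins; its right-hand
    side names a KeyTable entry (domain, selector, private key path).
    """
    for pattern, keyname in signing_table:
        if refile_match(pattern, sender):
            if keyname not in key_table:
                raise KeyError(f"SigningTable names unknown key {keyname!r}")
            return key_table[keyname]
    return None          # no pattern matched: the mail would leave unsigned


def covers_localhost(entry):
    """True if a TrustedHosts entry is an IP or CIDR that contains 127.0.0.1."""
    try:
        return ipaddress.ip_address("127.0.0.1") in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False     # hostnames and domain names are not evaluated here


def check_config(key_table_text, signing_table_text, trusted_hosts_text):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    keys = parse_key_table(key_table_text)
    for pattern, keyname in parse_table(signing_table_text):
        if keyname not in keys:
            problems.append(f"SigningTable {pattern!r} -> {keyname!r} has no KeyTable entry")
    for name, key in keys.items():
        if not key["path"].startswith("/"):
            problems.append(f"KeyTable {name!r}: private key path must be absolute")
    hosts = [line.split("#", 1)[0].strip() for line in trusted_hosts_text.splitlines()]
    if not any(covers_localhost(host) for host in hosts if host):
        problems.append("TrustedHosts does not cover 127.0.0.1: locally submitted mail will not be signed")
    return problems


# Constructed sample data matching the tutorial, extended to a second domain.
KEY_TABLE = """\
default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default
default._domainkey.example.org example.org:default:/etc/opendkim/keys/example.org/default
"""
SIGNING_TABLE = """\
*@example.com default._domainkey.example.com
*@example.org default._domainkey.example.org
"""
TRUSTED_HOSTS = """\
127.0.0.1
hostname1.example1.com
192.168.1.0/24
"""

if __name__ == "__main__":
    print(check_config(KEY_TABLE, SIGNING_TABLE, TRUSTED_HOSTS))
    print(signing_key_for("Alice@Example.com", parse_table(SIGNING_TABLE), parse_key_table(KEY_TABLE)))
```

Run it against the real files with open("/etc/opendkim/KeyTable").read() and so on; a non-empty list from check_config is the thing to fix before you restart OpenDKIM.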
Edit your Postfix configuration
Now you’re ready to add the following lines to your Postfix main.cf file, which will make Postfix aware of OpenDKIM and allow it to sign and verify mail:
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
If you’re running a version of Postfix prior to 2.6, you may also need to add:
milter_protocol = 2
See http://www.postfix.org/MILTER_README.html#version for more info.
Start OpenDKIM and restart Postfix
It’s time to fire things up! Assuming you’re using bash, do:
hash -r
to rehash your shell so you can find the init script.
Now start OpenDKIM with:
service opendkim start
You should get a message that says:
Starting OpenDKIM Milter: [ OK ]
However, if you get an error message such as:
Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 6: unrecognized parameter
don’t freak out. You probably just mistyped something in one of the config files. Go to the line number of the file listed, and check your work against the example(s) in this HowTo. Then try starting up OpenDKIM again.
Once it starts, refresh Postfix with:
postfix reload
If everything looks good, I recommend running chkconfig on OpenDKIM to make sure it starts when you boot your server:
chkconfig --level 2345 opendkim on
If things didn’t go right, try some of these startup troubleshooting tips before moving on.
Startup troubleshooting tips
Tip 1: The best advice I can give when troubleshooting any mail issues (including OpenDKIM) is to start a second shell session in another window and do:
tail -f /var/log/maillog
while you’re starting, stopping, and/or restarting OpenDKIM and Postfix. This allows you to see more details about any errors in your configuration.
Tip 2: To get the most verbose information from OpenDKIM, make sure the LogWhy option in your /etc/opendkim.conf file is uncommented and set to Yes. If your outgoing mail isn’t getting signed and you want to know why, this should tell you.
Tip 3: If you can’t get things working on your own, I recommend subscribing to the OpenDKIM-Users discussion list at http://lists.opendkim.org/. It’s a low-traffic list with very helpful and friendly members (including me!) who are happy to nudge you in the right direction.
The Most Important Step: Adding DNS Records
Now that your mail server is signing outgoing mail and verifying incoming mail, you’ll need to put some information in your DNS records to tell other mail servers how your keys are set up, and provide the public key for them to check that your mail is properly signed. Do:
cat /etc/opendkim/keys/example.com/default.txt
The output should look something like this:
default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1AlEBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB" ; ----- DKIM default for example.com
If you manage your own DNS or have full access to your domain’s zone file, you’ll need to paste the entire contents of the default.txt file at the bottom of your domain’s zone file. If you’re using a web interface to manage your zone file, be careful that the long lines of the public key don’t wrap and create line-feed characters (or fix them if they do). Otherwise, your public key won’t work.
If you’re using GoDaddy’s Total DNS, the TXT Name would be default._domainkey and the TXT Value would be everything inside the quotes (starting with v=). You can ignore the semi-colon and comments at the end.
If you’re using some other third-party DNS provider, follow their instructions for adding a new TXT Record.
You should also add another TXT Record to your zone file that reads:
_adsp._domainkey.example.com IN TXT "dkim=unknown"
This record publishes your Author Domain Signing Practices. “Unknown” is the least strict setting, and the best place to start. You can learn more and tinker with other options later, but most people just use “Unknown” for now, since ADSP was relatively new as of the writing of this post. (ADSP has since been reclassified as Historic and superseded by DMARC, so treat this record as optional.)
And, as long as you’re messing with your domain’s zone file, now might be a good time to ensure that you already have a valid SPF Record in place. Having both DKIM and SPF in place will increase your chances of having your outgoing mail successfully delivered.
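Before you publish the record (or afterwards, by pasting back what your DNS provider shows you), it’s worth checking the TXT data mechanically; a stray line break inside p= is exactly the kind of error you won’t spot by eye. The following is an added example written for this page, not code from OpenDKIM or the original tutorial. It parses a default.txt line (or the multi-string form opendkim-genkey uses for longer keys), joins the quoted strings, strips the whitespace a web zone editor may have inserted into p=, base64-decodes the key, walks the DER SubjectPublicKeyInfo just far enough to read the RSA modulus size, and compares it with the MinimumKeyBits value from opendkim.conf. The public key is the one shown in the sample output above; the wrapped and split variants are constructed.

```python
"""Check a DKIM public-key TXT record such as opendkim-genkey's default.txt.

Added example for this page, not code from OpenDKIM or the original tutorial.
Assumptions: the record carries an RSA key (k=rsa, as opendkim-genkey makes),
and the acceptable minimum size is the MinimumKeyBits value from opendkim.conf.
"""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption


def _der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo that wraps an RSA key."""
    tag, body, _ = _der_tlv(spki)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    tag, alg, pos = _der_tlv(body)              # AlgorithmIdentifier
    _, oid, _ = _der_tlv(alg)
    if tag != 0x30 or oid != RSA_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    tag, bits, _ = _der_tlv(body, pos)          # subjectPublicKey BIT STRING
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsakey, _ = _der_tlv(bits[1:])           # RSAPublicKey SEQUENCE
    _, modulus, _ = _der_tlv(rsakey)            # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_txt(zone_line):
    """Parse 'name IN TXT "..." ["..."] ; comment' into (name, {tag: value})."""
    name = zone_line.split()[0]
    strings = re.findall(r'"([^"]*)"', zone_line)   # longer keys use several strings
    if not strings:
        raise ValueError("no quoted TXT data found")
    tags = {}
    for field in "".join(strings).split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            # DKIM ignores whitespace inside tag values; a web zone editor may
            # have wrapped the long p= value onto several lines
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return name, tags


def check_dkim_record(zone_line, expected_selector="default", min_bits=1024):
    """Return a report dict; an empty 'problems' list means the record is usable."""
    name, tags = parse_dkim_txt(zone_line)
    selector = name.split(".")[0]
    problems = []
    if selector != expected_selector or "_domainkey" not in name:
        problems.append(f"record name {name!r} is not {expected_selector}._domainkey")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= must be rsa for a key made by opendkim-genkey")
    bits = None
    if not tags.get("p"):
        problems.append("p= (the public key) is missing or empty")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except Exception as exc:                # bad base64 or bad DER
            problems.append(f"p= does not decode to an RSA public key: {exc}")
        else:
            if bits < min_bits:
                problems.append(f"{bits}-bit key is below MinimumKeyBits {min_bits}")
    return {"name": name, "selector": selector, "bits": bits, "tags": tags,
            "problems": problems}


# The 1024-bit public key printed in the sample default.txt above.
_PUBKEY = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHY7Zl+n3SUldTYRUEU1BErHkKN0Ya52gazp1R7FA7"
           "vN5RddPxW/sO9JVRLiWg6iAE4hxBp42YKfxOwEnxPADbBuiELKZ2ddxo2aDFAb9U/lp47k45u5i2T1Al"
           "EBeurUbdKh7Nypq4lLMXC2FHhezK33BuYR+3L7jxVj7FATylhwIDAQAB")
SAMPLE_RECORD = ('default._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=' + _PUBKEY +
                 '" ; ----- DKIM default for example.com')
# Constructed: the same record after a web editor wrapped the p= value.
WRAPPED_RECORD = SAMPLE_RECORD.replace(_PUBKEY, _PUBKEY[:80] + "\n    " + _PUBKEY[80:])
# Constructed: the multi-string layout opendkim-genkey uses for longer keys.
SPLIT_RECORD = ('default._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=' + _PUBKEY +
                '" ) ; ----- DKIM default for example.com')

if __name__ == "__main__":
    for rec in (SAMPLE_RECORD, WRAPPED_RECORD, SPLIT_RECORD):
        report = check_dkim_record(rec, min_bits=2048)
        print(report["name"], report["bits"], report["problems"])
```

Running the usage block with min_bits=2048 shows the sample key being reported as undersized, which is the result you want if you have decided to generate 2048-bit keys going forward.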
Testing Things Out
As I mentioned in my troubleshooting tips, the best way to see that everything is working on the server side is to keep an eye on your /var/log/maillog file. Do a:
tail -f /var/log/maillog
When OpenDKIM starts (or restarts), you should see lines like:
opendkim[4397]: OpenDKIM Filter: mi_stop=1
opendkim[4397]: OpenDKIM Filter v2.4.2 terminating with status 0, errno = 0
opendkim[27444]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)
When you send a mail that gets successfully signed, you should see:
opendkim[22254]: 53D0314803B: DKIM-Signature header added
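When a message does not get signed, LogWhy (Tip 2 above) writes the reasons to maillog, but the connection-level ones appear a line or two before the queue ID does, which makes them easy to miss in a busy log. The following is an added example written for this page, not code from OpenDKIM or the tutorial: it reads maillog lines in the layout shown above, attaches the verdicts that are logged with (unknown-jobid) to the queue ID the same opendkim process reports next, and explains each outcome in terms of this tutorial’s config files. The sample lines are constructed in that format (queue IDs are made up) and mirror the “not internal” case discussed in the comments below.

```python
"""Explain OpenDKIM signing outcomes from maillog lines (LogWhy Yes).

Added example, not code from OpenDKIM or this tutorial.  Assumes the syslog
layout shown on this page and that LogWhy is on, so the reasons for not
signing ("not internal", "not authenticated", "no signature data") are logged.
"""
import re
from collections import defaultdict

_SYSLOG = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
_OPENDKIM = re.compile(r"^(?P<job>\(unknown-jobid\)|[0-9A-F]+): (?P<text>.*)$")


def dkim_triage(lines):
    """Map each Postfix queue ID that opendkim handled to its signing outcome.

    Returns {queue_id: {"signed": bool, "reasons": [str, ...]}}.  Connection-
    level verdicts ("not internal", "not authenticated") are logged with
    (unknown-jobid) before the queue ID exists, so they are held per opendkim
    PID and attached to the next queue ID that PID reports.
    """
    pending = defaultdict(list)
    result = {}
    for line in lines:
        m = _SYSLOG.match(line.strip())
        if not m or not m.group("prog").startswith("opendkim"):
            continue
        om = _OPENDKIM.match(m.group("msg"))
        if not om:
            continue                       # start/stop chatter, no queue ID
        job, text, pid = om.group("job"), om.group("text"), m.group("pid")
        if job == "(unknown-jobid)":
            pending[pid].append(text)
            continue
        entry = result.setdefault(job, {"signed": False, "reasons": []})
        entry["reasons"].extend(pending.pop(pid, []))
        if text == "DKIM-Signature header added":
            entry["signed"] = True
        else:
            entry["reasons"].append(text)
    return result


def explain(entry):
    """One-line diagnosis phrased in terms of the tutorial's config files."""
    if entry["signed"]:
        return "signed"
    reasons = " / ".join(entry["reasons"])
    if "not internal" in reasons:
        return ("not signed: the submitting host is not in TrustedHosts "
                "(InternalHosts), so OpenDKIM treated it as external: " + reasons)
    return "not signed: " + reasons


# Constructed sample in the format shown on this page (queue IDs are made up).
SAMPLE_LOG = """\
Sep 29 02:15:39 example postfix/smtpd[3474]: 84EC2A48300: client=example.ws[127.0.0.1]
Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): example.ws [127.0.0.1] not internal
Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): not authenticated
Sep 29 02:15:39 example opendkim[2140]: 84EC2A48300: no signature data
Sep 29 02:15:43 example postfix/qmgr[2358]: 84EC2A48300: removed
Sep 29 02:16:02 example opendkim[2140]: OpenDKIM Filter v2.4.2 starting (args: -x /etc/opendkim.conf)
Sep 29 02:17:10 example opendkim[2140]: 53D0314803B: DKIM-Signature header added
""".splitlines()

if __name__ == "__main__":
    for queue_id, entry in dkim_triage(SAMPLE_LOG).items():
        print(queue_id, explain(entry))
```

Feed it the real file with open("/var/log/maillog") in place of SAMPLE_LOG; any queue ID whose explanation mentions TrustedHosts is a host you need to add to that file (or a host you should not be relaying for at all).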
The best way to check that your signed mail is being authenticated and that your DNS records are properly set up is to use one of the free testing services. My favorites are:
- Brandon Checketts Email Validator
- Send a signed email to: autorespond+dkim@dk.elandsys.com
- Send a signed email to: sa-test@sendmail.net
- Send a signed email to: check-auth@verifier.port25.com
- (you can put all of the test email addresses in the To: field of a single outgoing message to test)
Each of these will tell you if things are working properly, and give you some pointers on troubleshooting if needed.
If you have a Gmail account, you can also send a signed message there for a quick and easy test. In a signed message viewed in Gmail, the signed by: line tells you that the message has been verified as signed by the sender (you may need to press the show details link near the top of the message to see it). I like to click the Show Original link (under the Reply drop-down on the right) to see the signed headers in all their glory.
Further reading
I have to admit that there wasn’t a whole lot of publicly available information on getting OpenDKIM working with Postfix. Hopefully, this HowTo will make it easier for you than it was for me.
- DKIM.org – the official site for DomainKeys Identified Mail
- OpenDKIM Project Site – the program I used to get DKIM working
- Sendmail DKIM – a detailed article from Eland Systems about DKIM. They use the dkim-milter package, upon which OpenDKIM is based. I much prefer the newer OpenDKIM, but this article explains DKIM very well and has some good tips.
- Mail-DKIM and DKIM-proxy – my first experiments with DKIM were with these tools. I never got it working quite right, but there’s lots of good info there.
- OpenSPF.org – not technically related to DKIM, but it’s another spam-fighting technique that you should be using if you’re sending email
Good luck! Please post in the comments with your successes, questions, or suggestions.
Upgrading OpenDKIM
If you’ve followed this guide to compile and install OpenDKIM, and would like to upgrade to a newer version, simply download the updated version (using the download link above), then repeat these steps, substituting the version number of the release you downloaded for 2.4.2:
tar zxvf opendkim-2.4.2.tar.gz
cd opendkim-2.4.2
./configure --sysconfdir=/etc --prefix=/usr/local --localstatedir=/var
make
make install
This will upgrade your OpenDKIM and keep your existing configuration intact. Remember to restart OpenDKIM after your upgrade with:
service opendkim restart
Do:
tail -f /var/log/maillog
to verify that the newer version started up with no problems.


Hi,
very nice tutorial, the best I found.
I have a little problem if you can help. “opendkim no signature data” and I don’t understand why. In trusted-hosts I have 127.0.0.1/8 and I tried with example.ws also but it didn’t work.
[root@example ~]# tail -f /var/log/maillog
Sep 29 02:15:39 example postfix/smtpd[3474]: warning: example.ws[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
Sep 29 02:15:39 example postfix/smtpd[3474]: 84EC2A48300: client=example.ws[127.0.0.1]
Sep 29 02:15:39 example postfix/cleanup[3511]: 84EC2A48300: message-id=
Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): example.ws [127.0.0.1] not internal
Sep 29 02:15:39 example opendkim[2140]: (unknown-jobid): not authenticated
Sep 29 02:15:39 example opendkim[2140]: 84EC2A48300: no signature data
Sep 29 02:15:39 example postfix/smtpd[3474]: disconnect from example.ws[127.0.0.1]
Sep 29 02:15:39 example postfix/qmgr[2358]: 84EC2A48300: from=, size=604, nrcpt=1 (queue active)
Sep 29 02:15:43 example postfix/smtp[3516]: 84EC2A48300: to=, relay=j.mx.mail.yahoo.com[66.94.237.64]:25, delay=4.2, delays=0.22/0/1.1/2.9, dsn=2.0.0, status=sent (250 ok dirdel)
Sep 29 02:15:43 example postfix/qmgr[2358]: 84EC2A48300: removed
The line in your log that says that example.ws is “not internal” is the one you want to focus on. That means that OpenDKIM doesn’t think that host is internal, so it’s not signing it. Check two things: 1) that the ExternalIgnoreList and InternalHosts directives in your opendkim.conf file are pointing to the correct location of your trusted-hosts file. 2) That the full hostname of your server is listed in the trusted-hosts file. If it’s host.example.ws, then put that in there. You may try experimenting with putting your external IP in there too. But until you put something in there that gets rid of that “not internal” message in your maillog, OpenDKIM won’t sign it. Let me know if you get it figured out!
Thanks for your answer, very quick.
In opendkim.conf I have :
ExternalIgnoreList refile:/etc/mail/dkim/trusted-hosts
InternalHosts refile:/etc/mail/dkim/trusted-hosts
so that’s good.
In trusted-hosts i have:
127.0.0.1/8
example.ws
94. . . (my ip)
But the same result
example.ws is my host, so localhost or example.ws or my IP should work. I have rebooted the server and the services with no luck …
Have you tried just “example” without the .ws? It’s clear that the problem is that OpenDKIM isn’t recognizing your host.
It didn’t work with any hosts. I will install on another server; maybe it’s this one.
On the second server it works just fine. Thanks a lot for the tutorial.
I will need to set domainkeys too, or it is enough with dkim and SPF? Thanks
Glad to hear you got it working! I don’t bother using DomainKeys because DKIM is the newer implementation, and most places just care about DKIM now. You’re good to go!
DKIM Signature validation: pass (1024-bit key) DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.example.com
The second line is ok, or I have problems with the dns?
thanks
Oh, and make sure you’re using your own domain name instead of “example.com” in the adsp DNS record.
I use my own domain name. It was a little problem because I have restarted the server and DKIM daemon didn’t start good. Thanks
If you do “chkconfig –level 2345 opendkim on” as listed in the how to, it should automatically start when you reboot. I’m glad you got it working. Congrats!
Oh – and also make sure you’re using file: instead of refile: in your /etc/opendkim.conf file when referencing external files like trusted-hosts.
Agh, our postfix is now using sendmail. It never did prior to running yum install sendmail-devel openssl-devel which itself had a sendmail dependency.
Technically, your “postfix” isn’t using “sendmail,” but your server may be using sendmail as its MTA instead. Just type: service sendmail stop. Then make sure sendmail isn’t set to start automatically when your system boots.
Hello Steve, very good tut, when i’m trying to start opendkim, here is the error i get
/etc/init.d/opendkim: line 8: milter-aware: command not found
Starting DKIM milter: /usr/local/sbin/opendkim: error while loading shared libraries: libopendkim.so.3: cannot open shared object file: No such file or directory
Do I have to change something in file /etc/init.d/opendkim? Uncomment some lines? Please help. I already have DomainKeys working fine; DKIM is the last thing I need, because Yahoo is pushing my emails into junk mail.
thanks
You should be aware that none of the major mail providers (Yahoo, Hotmail, GMail, AOL) will give you “extra” credit for having mail signed with both DKIM and DomainKeys. They are both very similar methods of signing mail and you’ll get no additional benefit from signing mail with more than one method. They only care that the message is signed.
If you decide you’d like to use OpenDKIM rather than DomainKeys (which is what I decided, too) then I’d recommend joining the OpenDKIM-users list at http://lists.opendkim.org/. They are going to be able to troubleshoot your issue much better.
my server is also trying to use sendmail now. ideas? I have stopped sendmail, but now its clear email isn’t going out and the /var/log/maillog states connection refused, since sendmail is off.
?
I have gone over everything and can’t see what I might have missed.
Did you have Postfix properly working as your mail server before trying to add OpenDKIM?
oh yes, its worked for months.
I am rebooting now. I commented out the mods to the main.cf in postfix and restarted, to no avail. I can’t find where the system is requiring sendmail to handle the email.
I desperately need your help.
What shows up when you do:
service status postfix
and
service status sendmail
[root@cms log]# service postfix status
master (pid 2070) is running…
[root@cms log]# service sendmail status
sendmail is stopped
any email sent from this server is not directed to sendmail’s mta instead of postfix and i am unable to figure out why – absolutely mind boggling.
Oct 23 14:05:36 cms sendmail[2121] bla bla bla bal
tat=Deferred: Connection refused by [127.0.0.1]
I start sendmail and email gets sent.
Are you using standard ports? What about firewall settings? What do you see when you try to telnet to the SMTP port 25 on the localhost:
# telnet localhost 25
with sendmail stopped, I can’t telnet to port 25, connection refused, hence, the system is using sendmail and not postfix since installing the devel package as stated above.
firewall is off
If sendmail is off, postfix is running, and you’re CERTAIN that the firewall is off (do service iptables status to be sure), and you can’t connect on port 25, then something is likely wrong in your postfix config.
Have you tried simply removing sendmail (yum remove sendmail), restoring your original main.cf file (or commenting out any changes you made) and then restarting postfix?
/etc/postfix/main.cf
I replaced that with my backup and now my system works again. I am now comparing the two to see what could have happened. what a mess
I’m not sure I’d call being able to simply return to your original config file and having everything work fine “a mess.” But I am interested to see what settings on your system were different than mine when you went through these steps so I can update them accordingly. Thanks for keeping me informed.
I will keep you posted once I clear my head a bit. great blog and your responding so quickly – kudos !
I normally work on a development server, but your instructions were so simple and clear, lol – I thought I would try
Once I have it working, I will see where I went wrong. Its looking like specifying an IP interface in postfix/main.cf is causing the system to be forced to use sendmail somehow – more research / testing is needed.
Frankly, I’m very surprised it didn’t go easily, either! I’ve followed my own guide on all 6 of our mail servers! What does your postconf -n output look like?
I went back through some test emails. I had specified an IP for postfix to use, postfix will now only work with localhost now since sendmail-devel was installed. If I set main.cf to use a specific ip only, the system hands it off to sendmail, sendmail is stopped, therefore, its refused.
What in the world would cause this?
Better question, why did you have to install sendmail-devel on a postfix system for? Thats the real question I am dying to know.
I am guessing an uninstall of sendmail-devel will resolve my mta confused server issue.
According to http://www.opendkim.org/INSTALLOpenDKIM:
“To build this package you must first have installed or at least have available the OpenSSL package and libmilter… The application library
libmilter is part of the sendmail Open Source distribution and can be built and installed from there (ftp://ftp.sendmail.org).
As Postfix currently does not provide milter library, you need to have sendmail sources or development package installed. See http://www.postfix.org/MILTER_README.html
Nice tutorial!
A quick note about the refile and “first line only” issue. This is a bug; refiles should be able to process any number of lines. A bug in the handling code for refiles will be fixed in the next release, slated for a few days from now.
Also, refiles aren’t actual regular expressions, though that’s how they are implemented under the hood. They actually provide something more like shell-style wildcarding, also known as “globbing”: They permit “*” to be used to represent any set of characters when doing pattern matching. “*@example.com” is not a valid regular expression, for example, but it’s valid in refiles.
Happy signing!
Hey, Murray.
Thanks for the clarification. When the next release is out, I’ll update the download link in this tutorial and simplify the instructions, too.
I AM happily signing!
Well, here is my troubleshooting so far as to why sendmail is still involved with postfix for sending emails.
grep sendmail /var/log/maillog*
sendmail only involved after installing sendmail-devel
/etc/postfix/main.cf
# inet_interfaces = all
inet_interfaces = 174.xx.xxx.xx, localhost
remove localhost and postfix fails to send email, logs report relaying denied by sendmail.
I ask that you check your logs for me. Do this please:
grep -i sendmail /var/log/maillog
Do you also have sendmail involved in your outgoing mail operations???
follow up.
opendkim is working and signing, however, sendmail is involved, even with sendmail stopped:
[ previously recorded headers ]
Received: by my.example.com (Postfix, from userid 48)
now, its clear that sendmail is involved via these new header mods:
Received: (from apache@localhost)
by cms.example.com (8.13.8/8.13.8/Submit) id o9PGLq9H007511;
Mon, 25 Oct 2010 11:21:52 -0500
I am guessing this is the new requirement to hand off for opendkim filtering for signing of the emails.
Notice above that Postfix userid 48 was included in all of our emails; now, although the Postfix name is seen in the headers, we see sendmail’s 8.13 / Submit listed in the headers.
I am curious if your logs show the same sendmail involvement.
Hey, Travis. First, GREAT news that you got it working. Can you please share with me what the issue was and what you did to get it fixed so I can explain it in the tutorial for others who might see the same issue?
Also, the ONLY mention of sendmail in my logs is if I run newaliases:
Oct 26 16:21:57 myhost sendmail[23078]: alias database /etc/aliases rebuilt by root
Oct 26 16:21:57 myhost sendmail[23078]: /etc/aliases: 155 aliases, longest 40 bytes, 2093 bytes total
Otherwise, I don’t see it at all.
But I am seeing the local sendmail client get involved in my headers, too. Here’s a full (anonymized) header of a test message sent to my gmail account:
Delivered-To: testaccount@gmail.com; Tue, 26 Oct 2010 16:22:56 -0700 (PDT); Tue, 26 Oct 2010 16:22:56 -0700
Received: by 10.229.68.168 with SMTP id v40cs122656qci;
Tue, 26 Oct 2010 16:22:59 -0700 (PDT)
Received: by 10.143.157.16 with SMTP id j16mr7184678wfo.424.1288135379024;
Tue, 26 Oct 2010 16:22:59 -0700 (PDT)
Return-Path:
Received: from hostname.steveserver.com (steveserver.com [123.456.78.912])
by mx.google.com with ESMTP id e38si19054975wfj.44.2010.10.26.16.22.57;
Tue, 26 Oct 2010 16:22:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of sender@steveserver.com designates 123.456.78.912 as permitted sender) client-ip=123.456.78.912;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of sender@steveserver.com designates 123.456.78.912 as permitted sender) smtp.mail=sender@steveserver.com; dkim=pass header.i=@steveserver.com
Received: from hostname.steveserver.com (hostname.steveserver.com [127.0.0.1])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
by hostname.steveserver.com (Postfix) with ESMTPS id F080410423FE
for
X-DKIM: OpenDKIM Filter v2.2.1 hostname.steveserver.com F080410423FE
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=steveserver.com;
s=default; t=1288135377;
bh=fdkeB/A0FkbVP24J4poeWH6vm9+b0C3OY87Cw8=;
h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type;
b=a+S/3J/GfO2n2smR9XCq
Received: from localhost (sender@localhost)
by hostname.steveserver.com (8.14.4/8.14.4/Submit) with ESMTP id o9QNMuwE023144
for
Date: Tue, 26 Oct 2010 16:22:56 -0700 (PDT)
From: Steve Jenkins
To: testaccount@gmail.com
Subject: SUBJECT GOES HERE
Message-ID:
User-Agent: Alpine 2.00 (LFD 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Message Body
——————–
So, like you said, the (8.14.4/8.14.4/Submit) is a giveaway that sendmail is involved. OpenDKIM requires libmilter, which is part of the sendmail-devel package, so I’m assuming that’s why we’re seeing it.
Also, if Apache is sending (it looks like it is in your case) AND you have PHP involved, be sure to update the sendmail line in your /etc/php.ini to use /usr/sbin/sendmail.postfix.
And finally, a new version of OpenDKIM (2.2.1) came out yesterday. You may want to update (it just copies right over the old one with no config file changes).
I had errors after installing opendkim:
fatal: host/service localhost/20209 not found: No address associated with…
Looks like it’s working now after I changed these lines in main.cf:
smtpd_milters = inet:127.0.0.1:20209
non_smtpd_milters = inet:127.0.0.1:20209
Glad to hear it’s working for you! But it should have worked with localhost, too. Can you do a “ping localhost” and get a reply?
You should check your /etc/hosts file to make sure that the first line in there is:
127.0.0.1 hostname localhost.localdomain localhost
Where “hostname” is your server’s hostname. The “localhost.localdomain” and “localhost” entries should be typed word-for-word.
Hi Steven, this is a great article. I’ve already configured some servers with your help, and everything seems to be working fine, as long as you read the article carefully; if not, you really mess up.
Glad it’s working for you, Carlos!
Thanks for the great article. I sent a test mail to check-auth@verifier.port25.com, but it says “Domainkeys=neutral”. What can I do?
Domainkeys is the older version of same standard as DKIM. And since inbound mail handlers don’t give you any additional credit for having both Domainkeys and DKIM, as long as you’re passing the DKIM check, you can ignore the Domainkeys=neutral warning.
Thanks Steve.
Hello Steve,
Great tutorial !
Having finally wrapped my brain around the formats of the KeyTable and SigningTable, I think it would improve your tutorial to not use the whole DNS key as a key name, since the left entry in the KeyTable can be just a single word.
That would make it easier to understand:
#KeyTable:
mykeyname example.com:default:/etc/mail/dkim/keys/example.com/default
#SigningTable:
*@example.com mykeyname
That way one doesn’t confuse the notions needed for the DNS record with the two tables.
Hi, Robert! Thanks for the feedback and glad you got it working! You are right about not needing the full domain name… but ONLY if you’re signing keys for a single domain (and I assume that’s the case with your server). But if you have a mail server that signs different keys for more than one domain (like I do) or for multiple hostnames on a single domain name, or any combination of the above (such as mailer1.domainname.com, mailer2.domainname.com, somebodysserver.com, somebodyelseserver.com) then you will need the FQDN (fully qualified domain name) of the selector in the keyTable, signingTable, and in your DNS record for it to work.
Hello Steve,
In studying the readme file examples, I discovered that the key is only used to make the entries in the SigningTable match lines in the KeyTable, so for multiple domains, this works, too:
##keytable
KeyA domainOne.net:sel1:/etc/mail/dkim/X.private
KeyB domainTwo.net:selh:/etc/mail/dkim/Y.private
KeyC domainThree.net:sel1:/etc/mail/dkim/Z.private
##signingtable
*@domainOne.net KeyA
*@domainTwo.net KeyB
*@domainThree.net KeyC
And obviously each domain has to have the fully qualified entries in its DNS records.
If all the domains can share the same keys, then one can even use the % wildcard and get all domains that use the same server to get their mail signed with one line each:
##keytable
onekey %:im:/etc/mail/dkim/im.private
##signingtable
*@* onekey
The names used to link the two tables are completely independent from the entries in the DNS records.
The question I haven’t yet figured out is, even with a different key for each virtual domain, how can one prevent a php script running on one domain from signing mails with a “From:” header belonging to another domain on the same server?
Postfix will deliver them all irrespective, and OpenDKIM will happily sign with the correct key for each domain, simply taking the correct key for the domain used in the “From:” header…
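Robert’s two comments above describe how the SigningTable and KeyTable fit together: the name in the right-hand column of the SigningTable is an arbitrary label that only has to match a KeyTable entry, a `%` in the KeyTable domain stands for the sender’s domain, and none of those names appear in DNS. The following Python is an added example that models that lookup; it is not OpenDKIM’s own code, the lookup order (exact address, `*@domain`, `user@*`, `*@*`) is a simplified assumption about OpenDKIM’s plain-file SigningTable, and both tables are constructed sample data. It folds addresses to lower case, which is the behaviour OpenDKIM 2.3.0 introduced (a later comment in this thread reports that 2.2.2 compared case literally).

```python
"""Model of how OpenDKIM selects a signing key from the SigningTable and
KeyTable (added example, not OpenDKIM's own implementation)."""

# Constructed sample tables, in the two-column text format OpenDKIM reads.
KEYTABLE_TEXT = """\
# name    domain:selector:private-key-file     (constructed sample)
KeyA      domainOne.net:sel1:/etc/mail/dkim/X.private
KeyB      domainTwo.net:selh:/etc/mail/dkim/Y.private
onekey    %:im:/etc/mail/dkim/im.private
"""

SIGNINGTABLE_TEXT = """\
# sender-pattern   key-name                    (constructed sample)
*@domainOne.net    KeyA
*@domainTwo.net    KeyB
*@*                onekey
"""


def parse_table(text):
    """Parse a two-column OpenDKIM table into an ordered list of (key, value).

    Blank lines and '#' comments are skipped; the first run of whitespace
    separates the two columns, exactly as in the tables posted above.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        entries.append((key, value.strip()))
    return entries


def signing_table_lookup(signing_table, sender):
    """Return the key name the SigningTable selects for ``sender``, or None.

    Lookup order is this example's simplified model of OpenDKIM's plain-file
    SigningTable: the exact address, then '*@domain', then 'user@*', then
    the catch-all '*@*'. Comparison is case-insensitive (OpenDKIM 2.3.0
    behaviour); 2.2.2 compared literally, so a mixed-case From: address
    produced 'no signing table match'.
    """
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    table = {pattern.lower(): name for pattern, name in signing_table}
    for candidate in (sender, "*@" + domain, user + "@*", "*@*"):
        if candidate in table:
            return table[candidate]
    return None


def resolve_key(key_table, key_name, sender_domain):
    """Expand a KeyTable entry into (signing domain, selector, key path).

    A '%' in the domain field stands for the sender's own domain, which is
    what lets one 'onekey' line sign for every domain on the server.
    """
    table = dict(key_table)
    if key_name not in table:
        raise KeyError("KeyTable has no entry named %r" % key_name)
    domain, selector, path = table[key_name].split(":", 2)
    if domain == "%":
        domain = sender_domain
    return domain, selector, path


def dns_record_name(domain, selector):
    """Name of the TXT record a verifier queries for this d=/s= pair."""
    return "%s._domainkey.%s" % (selector, domain)


def signing_key_for(sender, keytable_text=KEYTABLE_TEXT,
                    signingtable_text=SIGNINGTABLE_TEXT):
    """From: address -> (d=, s=, private key path), or None if unsigned."""
    key_name = signing_table_lookup(parse_table(signingtable_text), sender)
    if key_name is None:
        return None
    sender_domain = sender.lower().rpartition("@")[2]
    return resolve_key(parse_table(keytable_text), key_name, sender_domain)


if __name__ == "__main__":
    for addr in ("Alex@DomainOne.net", "bob@domainTwo.net", "eve@other.org"):
        key = signing_key_for(addr)
        print(addr, "->", key, "DNS:", dns_record_name(key[0], key[1]))
```

Running it shows `eve@other.org` being signed through the `onekey` line with `d=other.org`, which is exactly why the `*@*` catch-all only works when every domain on the server publishes the same `im` selector.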
Hello Steve, I want to ask you something: on every boot I’m getting this message:
–
Dec 6 07:22:12 domain sendmail[22269]: NOQUEUE: SYSERR(root): opendaemonsocket: daemon MTA: cannot bind: Address already in use
Dec 6 07:22:12 domain sendmail[22269]: daemon MTA: problem creating SMTP socket
–
Should I turn off Sendmail from chkconfig?
Thanks,
I run Postfix instead of Sendmail so I can’t reproduce that on my end. However, my guess is that maybe you’re already telling Sendmail to start somewhere else. So yes, I’d chkconfig sendmail off and reboot to see if it’s running.
I’m running Postfix too, however I did: yum install sendmail-devel. So it might be the problem, right? I will chkconfig sendmail off and check it. Anyway, thank you for answering me, Steve.
Ahhh – then yes, that’s totally it!
By the way, pardon me if I bother you so much… But, I’m trying to get domainkeys working in another box… And when I do this:
/usr/local/sbin/opendkim-genkey -D /etc/mail/dkim/keys/mysite.com/ -d mysite.com -s default
I get this:
-bash: /usr/local/sbin/opendkim-genkey: No such file or directory
I’m checking in /usr/local/sbin
but the only file I found is: opendkim…
Try doing updatedb and then do a locate opendkim-genkey to see if perhaps your system put it somewhere else. By default, it should be in the path, so you could also log out and then log back in and try running opendkim-genkey without any path info.
If that doesn’t work, try doing the ./configure, ./make, and ./make install steps again from the dir where you unzipped the source code. After the install step, do updatedb and locate opendkim-genkey.
Which is the script, right? But it keeps saying “no such file or directory”, and I’ve already set permissions.
Thank you for your help, I’ve already found the problem: it is in /bin/, not /sbin/. Thank you for your time.
Glad you got it working.
Hi,
I followed your tutorial and I’ve installed opendkim on a fresh CentOS VPS.
I’ve also installed domain keys (dk-milter) and I’ve set up SPF.
All the checks pass, both yahoo and gmail validate my dkim and domainkeys, but some of the emails I send enter the spam folder.
Here is the scenario:
1. if I send an email directly from the webmin postfix interface, the email get into inbox
2. if I send an email from PHP using smtp, the email gets into spam folder on yahoo and sometimes on gmail spam too.
Do you have any advice, what should I do? Is there any config I should do in order to get the mails sent my PHP via smtp to get in inbox?
Chances are that your messages sent by PHP are actually being sent by Sendmail. Check your /etc/php.ini file to make sure it’s using Postfix’s Sendmail clone. Mine looks like this:
sendmail_path = /usr/sbin/sendmail.postfix -t -i
Hi Steeve,
Thank you for reply.
I checked the sendmail_path and it was indeed set to sendmail rather than postfix. I changed it as in your advice, thank you.
However, I think that’s not the problem since I use php to send mails via smtp, and on the server I have configured postfix.
In the meantime I did other optimizations and I discovered the following:
1. if I send my emails from admin@domain.com but I set the “From” to, let’s say, just Domain.com, then Gmail marks me as spam.
2. I am sending HTML mails but if I add a txt copy of the email (an exact copy of the html mail but just the plain text), then gmail is happy and it doesn’t mark me as spam.
3. if I set also the replyTo to the same email address, it’s also a good thing.
However, Yahoo still considers my email to be spam (although DKIM and DomainKeys pass, I have reverse IP, I’m not blacklisted, etc). I guess it’s just something with the way Yahoo filters emails.
Hi, Andrei. I’m curious about why you have your php application set up to connect to the smtp port rather than just using the mail command internally? And yes, most mail providers like the FROM to be an actual address, not just a domain. I’m also curious about your HTML + TXT mail approach. Do you mean that you’re sending BOTH the HTML and TXT version of the message? If so, are you sending the TXT as an attachment?
Hi Steve,
I’m using SwiftMailer and it is configured to send my mails via smtp.
About the HTML + TXT approach, yes, I am sending both versions of the mail. I found an explanation which said that for clients who do not accept HTML emails it is good to send the TXT version. Also, I found out that the anti-spam methods can give a better score to HTML mails which also have their TXT version sent with them (and like I said, the closer the TXT version is, the higher the chances are that your email won’t be marked as spam).
In SwiftMailer I am using the “addPart” method to add the txt version to the mail.
(just a little disclaimer, I found out about the txt thing from the SpamAssassin site here: http://wiki.apache.org/spamassassin/AvoidingFpsForSenders)
Hello!
Is the smallest valid key 512 bits? I’m having problems putting that long a string into the DNS config utility from my registrar since it truncates it. Need to talk to my registrar, I guess.
Thanks!
It’s POSSIBLE to use as small as a 256 bit key… but I wouldn’t. That’s too easy to crack. I think you’re better off talking to your registrar as you suggested.
Another option is to consider using a different DNS provider. Amazon’s new Route 53 is an interesting option I’ve thought about trying. I’m assuming your registrar isn’t GoDaddy, since I know their TotalDNS service (which is included with any domain registered there) won’t truncate your key.
Let me know how things work out!
I got the ISP to change their DNS config web page the accept more characters. Tried it out and I’m good to go! Thanks for the great tutorial. Corey.
Great to hear, Corey! Congrats!
Hi Steve,
I just wanted to let you know that for some reason, Yahoo no longer considers my mail to be spam and delivers it right to the user’s inbox. Yuppy!
Thanks for sharing this article with the community, it helped me a lot.
Hey,
Thank you very much for publishing a valuable post…. This really helps me to send emails to the Yahoo inbox… you are great… BTW I have a small question… what is the difference between domain keys and DKIM? In your post both are included… or do we need to configure domain keys separately?
Cheers..!
@Ethilanka: You’re very welcome! The simple explanation is that DKIM is a more current implementation of the original Domain Keys (that’s what the DK in DKIM stands for… not Donkey Kong…:)) Mail service providers will give you “credit” for using DKIM or DomainKeys, but you don’t get extra credit for using both. Since DKIM is the newer standard with the current momentum, that’s the one I recommend. There’s no need to do both!
Steve,
Thanks for posting this. I set everything up as described and I am having a problem I can’t find the answer to. My log shows the problem to be opendkim[7113]: 1F9BDD2004E: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed.
I have talked with my registrar’s support to make sure the DNS zone record was entered correctly. I guess I don’t know how to move forward at this point. I have checked and rechecked to make sure I followed your directions correctly. Hopefully you can help.
Thanks,
Alex
@Alex: According to something I read from the developer of OpenDKIM, “The filter reads in your private key and passes it as a buffer to d2i_PrivateKey_bio(), a libcrypto function, which attempts to parse it. That parse is failing, which results in this error being logged and your message temp-failing.” In other words, it looks like your private key file might be corrupt. I’d try rebuilding it (just delete it, find that step above, and build it again) to see if that fixes it. Also, make sure you’re using at least version 2.1 of OpenDKIM, as there was a bug related to this in 2.0. Come back and let me know if it works!
Hi, I’ve followed your tutorial and applied it to a Zimbra mail server. It works great, however I have a problem: domain keys are not signed. Below is my test result. I checked the logs and the opendkim header is added.
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
Hi, Rav3n. Good news! Your test results are fine. DomainKeys is a different (and outdated) method of signing mail. DKIM is the newer and improved method. You don’t need to use both, since receiving mail handlers don’t give any additional credit for both. So since you’re signing with DKIM and not DomainKeys, it’s appropriate to have the neutral test result. You’re good to go!
Hi, I finished setting up everything and it’s working fine, except mail is not signed. I have two domains that I’ve already added to my KeyTable and SigningTable; when I try to test it, this is what I get.
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
DomainKeys check still neutral… I’ve been trying to check my configuration, seems no issue… Please help
Correct, DomainKeys is supposed to be neutral. You are signing with DKIM, not DomainKeys. DomainKeys is outdated and you don’t need to sign with it. You are set up correctly.
Thanks, now I know it’s working fine…
I have a zimbra server and the settings don’t work…
If I configure milter_protocol=2, the zimbra.log says OK to add header but doesn’t send the message, and if I don’t configure milter_protocol, the message is sent OK, but without the header.
Can you help me?
Hi, Johnny. I don’t use Zimbra, but I’m sure someone on the OpenDKIM user email list is familiar with it. I’d recommend subscribing (the link is in this article) and seeing if anyone there has seen this particular issue.
Steve, I have figured out my problem and it was a tremendous oversight. When I created my KeyTable I copied and pasted in your example, which shows it on two lines in the browser; but clearly, if I had looked closer, I would have seen that it should all be on one line.
Thanks for taking the time for this tutorial.
Glad you got it working, Alex! I’ve updated the article to specifically state that all the text in the example should be on a single line. Thanks for the feedback!
Hi, I’ve successfully set up opendkim; thanks for the guide, it helps a lot. I have a question: I have two domains, mail.example.com and mail2.example.com, both on different machines. I’ve created another mail server for sending bulk messages and I’ve set everything up; however, I get an error in the full header view: multiple domain keys. I was wondering how I can use the other default keys on another machine so that I will have one domain key on my domain server?
Hi Johnny, I use Zimbra and it works with no problem with protocol 2…. Make sure you upgrade your Zimbra to the new version.
How do I allow mail from an external IP to be signed by our SMTP server?
If the server with the external IP shares the same domain, just add the IP to the InternalHosts file. If it’s a separate domain, then you’ll also have to create an additional set of keys and add the appropriate info for that domain to the keyTable and signingTable.
Hi Steve, thanks for the reply. Just to clarify: I have one domain, example.com, with mail.example.com dedicated to sending mail, and all my web servers send email such as notifications, transactions, mailing lists, events, newsletters, etc. Do I need to create a separate DKIM setup for the web server? All servers are within the same IP range. All web servers are http://www.example.com. Ahhh, one more: sometimes we also send email through our office, and that’s a different IP range with no domain. Should I create a new DKIM setup for our office IP?
DKIM signatures are associated with the domain, so you can use the same one for multiple subdomains!
But you can’t sign messages sent from a machine that has no domain. Again, DKIM is associated with a domain, so it needs one in order to verify on the receiving end.
Thanks Steve, guess I need to make a new subdomain for our office too…
Steve,
I have been trying to setup OpenDKIM on another server for a friend since you helped me via this tutorial successfully set it up on mine. Anyway, it went much smoother this time. All is working, however, it is not signing emails for alex@domain.com. The log says that there is no signing table match for ‘alex@domain.com’. I checked the signing table and I have “*@domain.com default._domainkey.domain.com” on one line and this is the only line. I also use default as my selector. I have been reading the opendkim mail list and I can’t seem to find the answer to my problem. According to the signing table information I can’t figure out why it will not sign for alex@domain.com if I clearly have *@domain.com. Anyway, I was hoping you could help.
Hi, Alex. Sorry to hear you’re having problems. Are you certain that the mail program (MTA) isn’t using a subdomain when sending? The domain address in the signing table needs to match the domain address in the Return-Path: header of your email.
I’m assuming that something like that must be the problem. I would bet that if you added a second line to your signing table that said: “alex@domain.com default._domainkey.domain.com” you’d still get the same error.
If you’re still having trouble, subscribe to the OpenDKIM-users mailing list and post the results of the test addresses (or Brandon’s test website). That can be very helpful in tracking down what’s wrong.
Steve, thanks for the quick reply and for pointing me in the right direction. Apparently, the text case in the log is different from what is actually sending. The email was set up in the client like this: “alex@DomainName.com”. It sends email fine; however, DKIM doesn’t like the change in case, and the log was coming back “no signing table match for alex@domainname.com”, so I was not able to figure out the problem until I checked his mail client setup. Anyway, thanks for pointing me in the right direction. I really appreciate what you are doing here.
@Alex: Ah – yes, case does matter with OpenDKIM 2.2.2. However, the newer version of OpenDKIM (v2.3.0 – which is still in beta, so I’m waiting until it’s released to update the blog post) allows upper or lower case. Glad to hear you got it going!
Thank you!
This guide worked perfectly on my Plesk 10 / PostFix / Centos5 rig.
I love you!!!
Glad to hear it, Bhupinder. Much love back atcha.
Well, I don’t get this working. I have spent many hours getting opendkim to work with Plesk. I have two postfix profiles on Plesk (old config). On the one I want to get opendkim working, I’ve removed the 10025/6/7 lines from master.cf (since those refer to Plesk filters) and put the settings in main.cf. But the milter does not get applied; nothing in the log at all.
Are you sure I don’t have to get any setting modified in master.cf for this to work? The lines in master.cf are:
smtp inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:11027
127.0.0.1:11025 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11027 before-queue
127.0.0.1:11026 inet n - - - - smtpd -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_data_restrictions= -o receive_override_options=no_unknown_recipient_checks
127.0.0.1:11027 inet n n n - - spawn user=mhandlers-user argv=/usr/lib64/plesk-9.0/postfix-queue 127.0.0.1 11026 before-remote
plesk_saslauthd unix y y y - 1 plesk_saslauthd status=5 listen=6 dbpath=/plesk/passwd.db
smtps inet n - - - - smtpd -o smtpd_proxy_filter=127.0.0.1:11025 -o smtpd_tls_wrappermode=yes
submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.0.0.1:11025
I’m only putting in the lines that put in the default domainkeys from Plesk (which does not get validated on brandonchecketts, saying wrong RSA, since different public keys are present on both domains). The server hosts multiple domains on different IPs.
Hi, Pradeep. I have no experience with Plesk, and so I’m not going to be any help in trying to troubleshoot how it interacts with OpenDKIM. As far as a straightforward OpenDKIM install on Postfix, no – you don’t need to touch master.cf. If you’re still having trouble, I recommend joining the OpenDKIM-users mailing list at opendkim.org and presenting the issue there. There’s a very active group on that list (including the main developer) who will be happy to troubleshoot.
Further debugging in the logs with higher level, I got to know that a typo in the SigningTable file was hindering the email to match the email pattern. And later that the opendkim key file perms were restrictive. It now works with the separate postfix directory profile. Of course, I had to change all the plesk 10025/10026/10027 filters and spawns. No changes for opendkim were needed in master.cf, just like Steve wrote. I need to see if this is fine or I need to get domainkeys as well.
Good to hear! Forget about DomainKeys. They’re being phased out. DKIM is the replacement, and it’s all you need.
Hey,
This tutorial made my life easier and I really appreciate you taking the time to write it! +1 good Karma for you!
I’m breaking my head here.. all emails get signed but I get the following error: Details: public key: unsupported version
Google results for this error show that your DNS records are probably incorrect. I’d triple-check those.
Hi Steve, can you please explain: when I verified my setup on opendkim I got this result.
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
I tried to send email to yahoo and check full header I got this on yahoo result
Authentication-Results: mta1022.mail.sk1.yahoo.com from=ronald.com; domainkeys=neutral (no sig); from=auction.ph; dkim=permerror (future timestamp)
dkim=permerror?
If you Google “dkim=permerror (future timestamp)” you’ll see that this error is most likely a result of your server’s clock being incorrect. Install an NTP client and make sure you’re syncing daily.
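Both errors that have come up in the last few comments live in DKIM’s tag=value syntax: the “future timestamp” permerror is a verifier rejecting the `t=` tag of the DKIM-Signature header because the signing server’s clock is ahead of its own, and “public key: unsupported version” is a verifier rejecting the `v=` tag of the selector TXT record. The Python below is an added example (not code from this post or from OpenDKIM) that performs the structural checks a verifier makes before any cryptography. The sample header and record are constructed: the `b=` and `p=` values are placeholders, not real signature or key material, and the 300-second clock-skew allowance is this example’s own choice.

```python
"""Structural checks on DKIM tag=value objects (added example)."""
import base64
import time

# Constructed sample DKIM-Signature value; b= is not a real signature and
# bh= is a placeholder hash, only the tag structure matters here.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; "
    "t=1299177173; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; "
    "h=To:Subject:Message-Id:Date:From; "
    "b=dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ=="
)

# Constructed sample selector record: p= carries a tiny DER SEQUENCE as a
# stand-in for a real RSA SubjectPublicKeyInfo blob.
PLACEHOLDER_DER = bytes([0x30, 0x05, 0x02, 0x03, 0x01, 0x00, 0x01])
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(PLACEHOLDER_DER).decode()

REQUIRED_SIGNATURE_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tags(text):
    """Split a DKIM tag=value list into a dict (RFC 6376 section 3.2).

    Whitespace inside a value (header folding, wrapped base64) is dropped;
    a duplicate tag or a field without '=' makes the list malformed.
    """
    tags = {}
    for field in text.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % field)
        name = name.strip()
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = "".join(value.split())
    return tags


def check_signature_header(header_value, now=None, max_skew=300):
    """Return a list of problems with a DKIM-Signature value; [] means sane.

    Only the checks a verifier makes before touching any cryptography:
    required tags present, v=1, t= not ahead of the verifier's clock by
    more than max_skew seconds, and x= (if any) not already in the past.
    """
    now = time.time() if now is None else now
    problems = []
    tags = parse_tags(header_value)
    for required in REQUIRED_SIGNATURE_TAGS:
        if required not in tags:
            problems.append("missing required tag %s=" % required)
    if tags.get("v") != "1":
        problems.append("unsupported signature version %r" % tags.get("v"))
    for tag in ("t", "x"):
        if tag in tags and not tags[tag].isdigit():
            problems.append("%s= is not a timestamp" % tag)
    if tags.get("t", "").isdigit() and int(tags["t"]) > now + max_skew:
        problems.append("future timestamp: signed %d s ahead of verifier clock"
                        % (int(tags["t"]) - now))
    if tags.get("x", "").isdigit() and int(tags["x"]) < now:
        problems.append("signature expired (x= in the past)")
    return problems


def check_public_key_record(txt_value):
    """Return a list of problems with a selector TXT record; [] means sane.

    v= is optional but must be exactly DKIM1 when present (anything else is
    the 'unsupported version' error), k= defaults to rsa (the only type this
    example accepts), and p= must be non-empty base64 whose first byte is a
    DER SEQUENCE tag; an empty p= means the key has been revoked.
    """
    problems = []
    tags = parse_tags(txt_value)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unsupported version %r" % tags["v"])
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type %r" % tags["k"])
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("key revoked (empty p=)")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append("p= is not valid base64")
        else:
            if not der or der[0] != 0x30:
                problems.append("p= does not decode to a DER SEQUENCE")
    return problems


if __name__ == "__main__":
    print(check_signature_header(SAMPLE_SIGNATURE, now=1299177173 - 3600))
    print(check_public_key_record("v=DKIM2; k=rsa; p=MAUCAwEAAQ=="))
```

To test a live record, fetch the TXT at `selector._domainkey.yourdomain` (for example with `dig +short TXT`), join the quoted strings, and pass the result to `check_public_key_record`; the header check is most useful with `now` left at the default so it uses the machine you are checking from.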
If anyone here is using this to configure DKIM with Amazon SES (their email service), this guide works with the following addendum:
In the file “/etc/opendkim.conf” add:
OmitHeaders Message-Id,Date,Return-Path,Bounces-To
I’m getting the mail sitting in the postfix queue with the error
It sends if I take out the Postfix configuration.
Any ideas?
Hmm… even if OpenDKIM isn’t running, it will just log a warning and Postfix will still send. Is Postfix running properly otherwise?
Both postfix and OpenDKIM are running without errors; it’s just when I add the lines to postfix’s main.cf that the problem happens. Once I removed the code the mail was sent and the key was added to the email. Could it be to do with iptables?
If I comment out these lines the queue is processed.
@Paul: With those lines commented in your main.cf, I don’t see how the key could have been added to the mail, since Postfix wouldn’t know to pass mail through the milter. Is your software config identical to the one in the tutorial? RHEL/CentOS, Postfix, OpenDKIM? Are you also running Sendmail by chance (it should be off in this scenario)? Also, a brand new version of OpenDKIM (2.3.0) was released yesterday. I recommend downloading it and going back through the tutorial step-by-step.
Hello Steve, I was trying to follow the default configuration for OpenDKIM. I think the installation and configuration that I’ve made are all good, but it is not signing my outgoing email….
I checked everything twice; tail /var/log/maillog does not show me any errors. I’m not sure what the problem is now…
@Carlos: Your maillog should still give you some sort of message even if it doesn’t sign. Is there any output from opendkim in your log, such as “not internal” or “no signature data added”?
Hi Steve, I’ve already fixed it. It seems to have been a problem with my selector, so I reinstalled, and now it’s working…. Thank you for answering me.
By the way, nice theme.
Hi,
I have done everything like your tutorial says. When I try to send email I get:
Mar 3 18:56:46 qwe postfix/smtpd[20993]: connect from unknown[127.0.0.1]
Mar 3 18:56:46 qwe postfix/smtpd[20993]: fatal: host/service localhost/20209 not found: No address associated with hostname
and no mail is sent ;/
when i change in postfix main.cf
smtpd_milters = inet:localhost:20209
non_smtpd_milters = inet:localhost:20209
to
smtpd_milters = inet:127.0.0.1:20209
non_smtpd_milters = inet:127.0.0.1:20209
mail is sent, but 2 dkim signatures are added like this:
Delivered-To: xxx@xxx.com
Received: by 10.204.55.15 with SMTP id s15cs11793bkg;
Thu, 3 Mar 2011 09:29:07 -0800 (PST)
Received: by 10.204.169.193 with SMTP id a1mr1809154bkz.11.1299173347444;
Thu, 03 Mar 2011 09:29:07 -0800 (PST)
Return-Path:
Received: from xxx.com (myhost.com [f.i.r.stip])
by mx.google.com with ESMTPS id 20si2102167faw.28.2011.03.03.09.29.06
(version=TLSv1/SSLv3 cipher=OTHER);
Thu, 03 Mar 2011 09:29:06 -0800 (PST)
Received-SPF: neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of apache@xxx.com) client-ip=f.i.r.stip;
Authentication-Results: mx.google.com; spf=neutral (google.com: f.i.r.stip is neither permitted nor denied by best guess record for domain of apache@xxx.com) smtp.mail=apache@xxx.com; dkim=neutral (bad format) header.i=@xxx.com
Received: from xxx.com (unknown [127.0.0.1])
by xxx.com (Postfix) with ESMTP id 6529748B803C
for ; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 6529748B803C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
s=default; t=1299177173;
bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
h=To:Subject:Message-Id:Date:From;
b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
+pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
Received: by xxx.com (Postfix, from userid 48)
id 4F18848B84A2; Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
X-DKIM: OpenDKIM Filter v2.3.0 xxx.com 4F18848B84A2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.com;
s=default; t=1299177173;
bh=ECATb+VWltvBu/ooHzVT5XGQ5S7FTDYKCJ0croZb0SY=;
h=To:Subject:Message-Id:Date:From;
b=a9G9xZkBgbPREvHPFMTl+zzRBfU27LErY+QOwlG0jRd2M5f+6/C2CIic8pUPENTMk
RmGXeLVa8e6gOgwPIHIPeaKD9ZR8UTMuc9zfwyNhFdIWYj85ASWEOVB1oGvs0cJgYR
+pBwXkGIAX0Tcr3+2hE0UloAZ8wfCxOzhZ4KoSDM=
To: xxx@xxx.com
Subject: subject
Message-Id:
Date: Thu, 3 Mar 2011 18:32:53 +0000 (UTC)
From: apache@xxx.com (Apache)
sample body
what can be the problem?
@michael: After chatting it over with my buddies on the OpenDKIM-Users mailing list, we agree that it looks like the message is somehow being passed to the filter twice before it gets sent out. Are you running multiple smtpd processes in your Postfix configuration?
A few ideas for you to try (from the developer of OpenDKIM himself):
1) Check your Postfix configuration to see if there’s some way the filter might hear about the same message twice.
2) Check your maillog to see how you might be able to distinguish the two instances. For example, if one is coming in over the localhost address while the other is coming in over some non-localhost address, you could add one or the other to the PeerList so that the filter simply ignores one of them outright.
3) Have the reinjection step change the From: so that there’s a hit in the SigningTable for one instance of the message but not the other.
I am having the same issue. I have checked DKIM on Yahoo and it says OK, but on Gmail I am getting neutral (bad format). I have checked /var/log/mail.log. Everything is looking fine. Please help
It’s fixed, guys. The TXT record had an error: missing g=*; k=. It’s working fine now.
@steve, thank you for your priceless help. After you pointed me in the direction that the filter hears about the message twice, I examined my maillog:
Mar 5 13:58:06 haha postfix/pickup[14521]: B4C4948B8033: uid=48 from=
Mar 5 13:58:06 haha postfix/cleanup[14525]: B4C4948B8033: message-id=?
Mar 5 13:58:06 haha opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/qmgr[14528]: B4C4948B8033: from=, size=565, nrcpt=1 (queue active)
Mar 5 13:58:06 haha postfix/smtpd[14532]: connect from unknown[127.0.0.1]
Mar 5 13:58:06 haha postfix/smtpd[14532]: CE02B48B8032: client=unknown[127.0.0.1]
Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: apache@example.com
Mar 5 13:58:06 haha before-remote[14531]: check handlers for addr: somebody@somewhere.com
Mar 5 13:58:06 haha postfix/cleanup[14525]: CE02B48B8032: message-id=
Mar 5 13:58:06 haha opendkim[23216]: CE02B48B8032: DKIM-Signature header added (s=default, d=example.com)
Mar 5 13:58:06 haha postfix/qmgr[14528]: CE02B48B8032: from=, size=1157, nrcpt=1 (queue active)
Mar 5 13:58:06 haha postfix/smtp[14529]: B4C4948B8033: to=, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE02B48B8032)
The cleanup process was running twice, and every time opendkim added a signature, so I modified my pickup process with -o receive_override_options=no_milters
and it works like a charm!
pickup fifo n - - 60 1 pickup -o content_filter=smtp:127.0.0.1:10027 -o receive_override_options=no_milters
Again, big thanks to You and guys over mailing list for help. This tutorial rocks!
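The maillog michael posted has everything needed to spot this kind of double signing automatically: the `status=sent (... queued as ...)` line links the first queue id to the re-injected one, and each `opendkim[...]: <queue id>: DKIM-Signature header added` line is one signature. The following Python is an added example, not part of the thread, that follows each message through its re-injection chain and reports any message signed more than once. The log excerpt it runs on is constructed after michael’s, with the addresses and message-ids (blank in his paste) filled in as placeholders; it assumes Postfix’s default short, upper-case hex queue ids.

```python
"""Detect messages that OpenDKIM signed more than once (added example)."""
import re
from collections import defaultdict

# Constructed maillog excerpt modelled on the one posted above: B4C4948B8033
# is picked up and signed, handed to the Plesk filter on port 10027, and
# re-injected as CE02B48B8032, where opendkim signs it a second time.
# 1A2B3C4D5E6F is a normal single-hop message for contrast.
SAMPLE_LOG = """\
Mar  5 13:58:06 haha postfix/pickup[14521]: B4C4948B8033: uid=48 from=<apache@example.com>
Mar  5 13:58:06 haha postfix/cleanup[14525]: B4C4948B8033: message-id=<20110305135806.B4C4948B8033@example.com>
Mar  5 13:58:06 haha opendkim[23216]: B4C4948B8033: DKIM-Signature header added (s=default, d=example.com)
Mar  5 13:58:06 haha postfix/qmgr[14528]: B4C4948B8033: from=<apache@example.com>, size=565, nrcpt=1 (queue active)
Mar  5 13:58:06 haha postfix/smtpd[14532]: connect from unknown[127.0.0.1]
Mar  5 13:58:06 haha postfix/smtpd[14532]: CE02B48B8032: client=unknown[127.0.0.1]
Mar  5 13:58:06 haha before-remote[14531]: check handlers for addr: apache@example.com
Mar  5 13:58:06 haha postfix/cleanup[14525]: CE02B48B8032: message-id=<20110305135806.B4C4948B8033@example.com>
Mar  5 13:58:06 haha opendkim[23216]: CE02B48B8032: DKIM-Signature header added (s=default, d=example.com)
Mar  5 13:58:06 haha postfix/qmgr[14528]: CE02B48B8032: from=<apache@example.com>, size=1157, nrcpt=1 (queue active)
Mar  5 13:58:06 haha postfix/smtp[14529]: B4C4948B8033: to=<somebody@somewhere.com>, relay=127.0.0.1[127.0.0.1]:10027, delay=0.22, delays=0.08/0/0.05/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as CE02B48B8032)
Mar  5 13:59:10 haha postfix/pickup[14521]: 1A2B3C4D5E6F: uid=48 from=<apache@example.com>
Mar  5 13:59:10 haha opendkim[23216]: 1A2B3C4D5E6F: DKIM-Signature header added (s=default, d=example.com)
Mar  5 13:59:11 haha postfix/smtp[14529]: 1A2B3C4D5E6F: to=<other@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 OK)
"""

# Matches "<timestamp> <host> <program>[pid]: <queue-id>: <message>". Postfix's
# default short queue ids are upper-case hex; lines without one are skipped.
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+\S+\s+(?P<prog>[\w/.-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): (?P<msg>.*)$")
REQUEUE_RE = re.compile(r"queued as (?P<child>[0-9A-F]+)")


def analyse(log_text):
    """Count opendkim signatures per queue id and record re-injection links."""
    signatures = defaultdict(int)  # queue id -> signatures opendkim added
    child_of = {}                  # queue id -> id it was re-queued as
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        qid, msg = m.group("qid"), m.group("msg")
        if m.group("prog") == "opendkim" and "DKIM-Signature header added" in msg:
            signatures[qid] += 1
        link = REQUEUE_RE.search(msg)
        if link:
            child_of[qid] = link.group("child")
    return dict(signatures), child_of


def double_signed(log_text):
    """Return {first queue id: total signatures} for every message that
    collected more than one DKIM-Signature across its re-injection chain.
    Each such chain marks a service in master.cf that needs
    receive_override_options=no_milters."""
    signatures, child_of = analyse(log_text)
    requeued = set(child_of.values())
    result = {}
    for root in set(signatures) | set(child_of):
        if root in requeued:
            continue  # start counting only at the head of a chain
        total, qid, seen = 0, root, set()
        while qid is not None and qid not in seen:
            seen.add(qid)
            total += signatures.get(qid, 0)
            qid = child_of.get(qid)
        if total > 1:
            result[root] = total
    return result


if __name__ == "__main__":
    for qid, count in sorted(double_signed(SAMPLE_LOG).items()):
        print("%s was signed %d times" % (qid, count))
```

On a real box, `double_signed(open("/var/log/maillog").read())` over a day of logs is a quick way to confirm a content-filter loop before and after adding `no_milters` to the re-injecting service.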
You forgot to copy opendkim-genkey from /usr/local/src/opendkim to /usr/local/bin
cd /usr/local/sbin/
cp /usr/local/src/opendkim-2.3.0/opendkim-genkey /usr/local/sbin
opendkim-genkey -D /etc/mail/dkim/keys/test.com/ -d test.com -s default
Regards, from Argentina
Hi, Thierry. Manually copying opendkim-genkey to /usr/local/bin isn’t necessary. The make install command automatically places all the necessary opendkim-* files in that directory. If it didn’t on your system, verify that you used the right permissions (root) when you did the make install command, since by default /usr/local/bin is owned by and writeable only by root.
Help me. Problem starting opendkim:
Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory
@Ruslan: I need a bit more info. What system? Did you follow these steps EXACTLY? Do “updatedb” and then “locate opendkim” – does it find it on your system anywhere?
Greatest ever blog post! Thanks a lot for such detailed information!!!
Worked like a charm
I had the same issue trying to start OpenDKIM.
Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory
The following is my setup:
CentOS release 5.6 (Final)
Postfix 2.3.3
OpenDKIM 2.3.2
executing as root and SELinux = disabled.
OpenDKIM 2.2.2 installs and starts fine however.
Hi steve,
good tutorial, but I have two problems:
1. I’ve installed dkim and dk-milter, but when I restart dk-milter I get this message:
chgrp: impossibile accedere a `inet:10035@localhost’: No such file or directory
chmod: impossibile accedere a `inet:10035@localhost’: No such file or directory
main.cf
smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209
non_smtpd_milters = inet:127.0.0.1:10035, inet:127.0.0.1:20209
dk-milter
PORT="inet:10035@localhost"
2. I must also use spamassassin, but when I insert this line in master.cf emails come back with the message “service unavailable”
smtp inet n - n - - smtpd -o
content_filter=spamd
Help me please!
I think you need to find this line in /etc/init.d/dk-milter:
if [[ ! -z $(echo $PORT |grep "local") && $RETVAL -eq 0 ]];
then change this to:
if [[ -z $(echo $PORT |grep "inet") && $RETVAL -eq 0 ]];
Hope it helps!!
I had the same error as Ruslan:
Starting OpenDKIM Milter: /bin/bash: /usr/sbin/opendkim: No such file or directory
i have no clue how that happened since i definitely ran everything as root. i did fix the issue using this command.
cp /usr/local/src/opendkim-2.3.2/opendkim/opendkim /usr/sbin
Hi steve,
this is a very good and easy to understand tutorial.
I followed your tutorial and was able to install it, but I get the following error in the maillog when I try to send a mail:
May 27 01:59:01 sr postfix/cleanup[25854]: warning: connect to Milter service inet:127.0.0.1:20209: Connection refused
Thanks,
Neil
Excellent howto. Just a couple of quick notes:
ADSPAction doesn’t appear to work anymore. Looks like it should be ADSPDiscard (with “yes” or “no” as accepted parameters)
In my case, opendkim was adding a DKIM Signature header twice. Once when the email was initially received, and again after going through amavisd-new. Amavis wasn’t re-signing it, for some reason postfix signed it each time. Disabling Amavis as a content filter eliminated the problem, but now my outgoing mail doesn’t get scanned for viruses anymore.
Thanks for the heads up on the ADSPAction. I’ll check that.
Concerning amavisd-new, check the
127.0.0.1:10025 inet n - n - - smtpd
section in your master.cf. Add no_milters to the end of your -o receive_override_options line so that it looks like this:
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
Then restart Postfix and Amavisd. That should solve your problem. I’ve added this tip to my Amavis-new tips blog post.
That worked perfectly, thank you.
Hi Steve,
If I add ADSPDiscard, it gives an error:
ADSPDiscard Yes
Stopping OpenDKIM Milter: [ OK ]
Starting OpenDKIM Milter: opendkim: /etc/opendkim.conf: configuration error at line 5: unrecognized parameter
I have a big problem too. I installed and configured OpenDKIM on a server that hosts mail marketing software; when sending a newsletter the validation fails, with this message:
Signature verification failed, message May Have Been tampered with or corrupted
Validating Signature
result = fail
Details: Body Has Been Altered
Can you help me?
Hi Steve, thank you for this very great tutorials!! It really works!!
Hello Steve, I followed your steps (updated) and I get this message in /var/log/maillog:
opendkim[1045]: can’t write pid to /var/run/opendkim/opendkim.pid: Permission denied
Any ideas?
Steve, nevermind, I just reinstalled everything and set the permission twice and it worked fine. Still, nice tutorial indeed.
Cool – glad to see you got it working. The permissions should be created properly on the useradd command, but I’ll add an extra step in there to manually set them just in case.
Any ideas on what could cause this?
dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
This happens every time I try to send mail from a telnet session on localhost. I have double checked permissions and everything and I still get that error.
Any insight would be appreciated.
Superb post, installed and working seamlessly
Thanks!
- Paul
Hi Steve,
Thanks for your nice article. I finished everything according to your instructions, but when I start OpenDKIM I get the log below:
Jul 13 11:06:45 relay opendkim[16642]: OpenDKIM Filter: Unable to create listening socket on conn inet:20209@localhost
Jul 13 11:06:45 relay opendkim[16642]: smfi_opensocket() failed
Jul 13 11:06:45 relay opendkim[10817]: exited with status 69, restarting
Jul 13 11:06:45 relay opendkim[16643]: OpenDKIM Filter: Unable to bind to port inet:20209@localhost: Address already in use
I’m using MailScanner 4.83. Is it a conflict with MailScanner, or can I change the OpenDKIM port? Please help.
Thanks,
Raminda
I’m commenting on the 7 month old post from Raminda on July 13, 2011. I have been getting similar error messages.
Starting OpenDKIM Milter: opendkim: smfi_opensocket() failed
OpenDKIM Filter: Unable to bind to port inet:8891@localhost: Cannot assign requested address
OpenDKIM Filter: Unable to create listening socket on conn inet:8891@localhost
I have not figured out the true cause of my problem, but I have stumbled upon a workaround.
In /etc/opendkim.conf I changed …
Socket inet:8891@localhost
to …
Socket inet:8891@127.0.0.1
In /etc/mail/sendmail.mc I changed …
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')dnl
to …
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')dnl
I can’t explain why this is a fix. I’m 7 months late to help Raminda but maybe another googler will find this helpful.
Great tutorial, thanks a lot.
I'm having a hard time telling if my DKIM is working or not.
Brandon's DKIM checker says it's OK, and when I send to Gmail, I see that the DKIM signature is being added. However, Gmail is not showing that an “Authentication-Results” header has been added.
I was previously having problems, and Gmail did add an “Authentication-Results” header then. Is this header only added when the DKIM verification fails, or should there be one when DKIM passes too?
Hi Steve.
Thanks very much for the tutorial. I was able to deploy OpenDKIM successfully. Cool.
One small typo FYI. The link behind:
Send a signed email to: autorespond+dkim@dk.elandsys.com
points to
check-auth@verifier.port25.com
Great tutorial! Thanks again…
Glad you got it installed, Jeff. And thanks for the heads up on the typo (fixed!).
Great tutorial, thank you very much.
One tip for everyone though: I recommend executing the chown command at the end, especially if you created files using
touch /etc/opendkim/KeyTable (if run by root, the opendkim user won't be allowed to access the file).
So, when finished with everything, if mail doesn't get sent with OpenDKIM enabled, run chown again:
chown -R opendkim:opendkim /etc/opendkim
Bye:)
Great tutorial Steve!
I have everything set up correctly, except it's not actually signing the emails and there is nothing related to SIGNING in the log. Startup info is in the log, but no error or anything when a piece of mail is sent.
I can only think it's because I have my domain on another server; would this be correct? I set up the DNS on the other server with the DKIM key, but do I need to set up a subdomain and point it to the server with OpenDKIM on it as well? Or can I simply have ANY domain on the OpenDKIM server (even if it's not the “sending / from” domain)?
The only other thing I can think of, in the event that I can use ANY domain on the OpenDKIM server and it doesn't have to be the SENDING server (from-name domain), is that it could be because I am testing with Amazon SES on the command line and it doesn't necessarily fill out the return path properly.
I wish I could get more info from the log file, but it's just not signing anything or giving me any info!
Thanks for any help anyone..
Hi
Excellent howto and good tutorial.
I followed your tutorial and was able to install it, but I get the following headers in Hotmail when I check it:
x-store-info:4r51+eLowCe79NzwdU2kRyU+pBy2R9QC3Jx2/BsS+hK7OuBZi7BRB/Is4oUCB0t5q3uTQvBaMi+N7tkkYUjPs8IELCmQgn/yVn9uPYmce2L0EJqvUykwYg==
Authentication-Results: hotmail.com; sender-id=temperror (sender IP is xx.xx.xxx.x) header.from=reply@test.com; dkim=none header.d=test.com; x-hmca=none
X-Message-Status: n:0:n
and I don't see any DKIM or DomainKeys signature headers in my source.
Thanks in advance
Unless you own the test.com domain (and I’m assuming you don’t), then the Hotmail test SHOULD fail on this example. DKIM checks the signature in your header against the one published in the DNS record for the stated domain. And if you don’t see any DKIM sig in your header, then something’s not set up right. Have you gone through all the troubleshooting steps? If so, have you turned on LogWhy? That should tell you why it’s failing. If that still doesn’t help, come ask your question on the OpenDKIM-Users mailing list. I’m sure we can get it sorted out over there.
Hello
Can anyone tell me simple steps which can do these things automatically?
I use Interspire, VPS, Linux, CentOS.
please assist
Hit the link at the top of the article about using Yum to install. That’s as automated as it gets.
Hi,
If I use multiple Postfix instances (with separate config directories), should your guide still work?
Thanks,
StaCker
Hi Steve,
thank you for this howto.
Like Neil, I got a “connect to Milter service inet:127.0.0.1:20209: Connection refused” in my log.
I am on Debian Lenny, so I have used the “generic” script found in contrib/init.
When I start dkim by doing “/etc/init.d/opendkim start” I get no message at all…
Could you help me find the problem?
Sorry for my English level, which is as good as my Linux level.
Thanks again
Denis
Hi all,
I answer to myself.
Thanks to Murray's help, I saw that opendkim wasn't running at all after the start command.
The problem was that the path in opendkim.conf was usr/sbin and not usr/local/sbin.
thanks for your help
Denis
Configured OpenDKIM and reverse DNS, but mail is still going to spam by itself.
This is the error log:
Jun 28 21:16:08 postfix/cleanup[16658]: CB94F231EB7: message-id
Jun 28 21:16:08 postfix/qmgr[16654]: CB94F231EB7: from=<root@fi
Jun 28 21:16:10 postfix/pickup[16653]: 43EB7231EBB: uid=0 from=
Jun 28 21:16:10 postfix/cleanup[16658]: 43EB7231EBB: message-id
Jun 28 21:16:10 postfix/qmgr[16654]: 43EB7231EBB: from=<root@fi
Jun 28 21:16:13 postfix/smtp[16660]: CB94F231EB7: to=<sateesh.h 8, delays=0.07/0.01/0.99/3.7, dsn=2.0.0, status=sent (250 2.0.0 OK 1340878473 pv
Jun 28 21:16:13 postfix/qmgr[16654]: CB94F231EB7: removed
Jun 28 21:16:13 postfix/smtp[16664]: 43EB7231EBB: to=<sateesh.h 5, delays=0.05/0.01/0.94/2.5, dsn=2.0.0, status=sent (250 2.0.0 OK 1340878473 ps
Jun 28 21:16:13 postfix/qmgr[16654]: 43EB7231EBB: removed
If you’re receiving the following errors in your maillog:
.. no signing table match for
.. no signature data
Then try changing this in your SigningTable file:
*@example.com default._domainkey.example.com
to this, without the *:
@example.com default._domainkey.example.com
Worked for me on CentOS 64 bit, and a few others reported the same in a google search.
Man file : http://www.opendkim.org/opendkim.conf.5.html
Also, to the author, thanks for the tute. You may want to move the DNS chapter up a little; I didn’t notice it until well after I finished the installation, and even then it was only by chance.
Hi, JK. Thanks for the comment. Out of curiosity, do you have “file:” or “refile:” in front of the SigningTable location in your opendkim.conf file? That makes a difference regarding whether the wild card * will work!
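JK's fix and Steve's question about file: versus refile: both hinge on how OpenDKIM matches the From address against SigningTable keys. The following added Python example (not from the post or from OpenDKIM itself) models the two dataset types with a deliberately simplified lookup order, assumed here: a plain file: table is an exact-string lookup of the address and then of "@domain", so a literal "*@example.com" key never matches, while a refile: table treats "*" as a wildcard.

```python
import re


def parse_signing_table(text):
    """Parse SigningTable lines ("key  value") into an ordered list of pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        entries.append((key, value))
    return entries


def lookup_file(entries, from_addr):
    """Plain file: dataset. Keys are literal strings, so '*' is just a character.

    Assumed, simplified lookup order: the full address, then '@domain'.
    """
    table = dict(entries)
    _local, _, domain = from_addr.lower().partition("@")
    for candidate in (from_addr.lower(), "@" + domain):
        if candidate in table:
            return table[candidate]
    return None


def lookup_refile(entries, from_addr):
    """refile: dataset. '*' in a key matches any run of characters; first match wins."""
    for key, value in entries:
        # Escape the literal pieces and rejoin them with '.*' for each '*'.
        pattern = "^" + ".*".join(re.escape(p) for p in key.split("*")) + "$"
        if re.match(pattern, from_addr, re.IGNORECASE):
            return value
    return None


# Constructed tables mirroring the comment: the same entry with and without '*'.
WILDCARD_TABLE = parse_signing_table("*@example.com default._domainkey.example.com\n")
AT_TABLE = parse_signing_table("@example.com default._domainkey.example.com\n")
```

With a file: table the wildcard entry returns no match (hence "no signing table match"), while the same entry in a refile: table matches every address at the domain.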
Thanks Steve,
To also have OpenDKIM sign postfix generated bounce messages add this line to main.cf:
internal_mail_filter_classes = bounce,notify
I got this working with SELinux enabled finally. You will just need a custom policy like this:
module postfixcleanupopendkim 1.0;
require {
type postfix_smtpd_t;
type postfix_cleanup_t;
class tcp_socket { read write };
}
#============= postfix_cleanup_t ==============
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket { read write };
Not sure why it’s not part of the rpm, but there you go.
@Chris Hecker, thanks so much for that custom policy, just what I needed. It’s relevant on RHEL/Centos 6.x with postfix 2.6.6 and I’d recommend you post it on Steve’s other blog post about doing this same thing on 6.x.
Hey, Jonathan. I’ve actually been swapping emails with Chris in the hopes of getting his policy in the next version of the packaged files. Fedora 18 has a policy built in, but I’ll need to install a custom one for RHEL 5 & 5, and Fedora 16 & 17. I’m hoping to have it ready for the next update.
Hello Steve!
Thanks for this great how-to.
When I sent an email using the email server I got this:
Jan 9 12:16:21 correo postfix/smtpd[16288]: connect from unknown[172.30.2.36]
Jan 9 12:16:22 correo postfix/smtpd[16288]: 7BF5FA1B8045: client=unknown[172.30.2.36], sasl_method=LOGIN, sasl_username=antonio.diaz
Jan 9 12:16:22 correo postfix/cleanup[16313]: 7BF5FA1B8045: message-id=
Jan 9 12:16:22 correo opendkim[16211]: 7BF5FA1B8045: DKIM-Signature header added (s=default, d=example.com.ec)
Jan 9 12:16:22 correo postfix/qmgr[16285]: 7BF5FA1B8045: from=, size=2861, nrcpt=1 (queue active)
Jan 9 12:16:22 correo postfix/local[16314]: 7BF5FA1B8045: to=, relay=local, delay=0.78, delays=0.77/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Jan 9 12:16:22 correo postfix/qmgr[16285]: 7BF5FA1B8045: removed
Jan 9 12:16:25 correo postfix/smtpd[16288]: disconnect from unknown[172.30.2.36]
That is good.
But when I try to fake the identity of a sender from a foreign host, I get this:
Jan 9 12:20:41 correo postfix/smtpd[16321]: connect from mail.attacker.com [211.211.111.59]
Jan 9 12:20:54 correo postfix/smtpd[16321]: 49A67A1B8045: client=mail.attacker.com[211.211.111.59]
Jan 9 12:20:59 correo postfix/cleanup[16326]: 49A67A1B8045: message-id=
Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): mail.attacker.com [211.211.111.59] not internal
Jan 9 12:20:59 correo opendkim[16211]: (unknown-jobid): not authenticated
Jan 9 12:20:59 correo postfix/qmgr[16285]: 49A67A1B8045: from=, size=480, nrcpt=1 (queue active)
Jan 9 12:20:59 correo postfix/local[16327]: 49A67A1B8045: to=, relay=local, delay=11, delays=11/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Jan 9 12:20:59 correo postfix/qmgr[16285]: 49A67A1B8045: removed
I need to reject (or discard) these kinds of attempts, when someone tries to send email messages with sender *@example.com from another, non-authorized SMTP host.
Thanks for your appreciated help!
Hello Steve!
Messages with unverified DKIM remain in quarantine in a third-party software, which is actually best, because I can manage those messages.
I have a question: how can I make messages that come in through SASL authentication, regardless of source IP address, get the DKIM signature so they are considered valid messages?
Again, Thanks for your help.
HI!
You should change the
Canonicalization relaxed/simple
to
Canonicalization relaxed/relaxed
(Google also uses relaxed/relaxed); otherwise Yahoo would fail with the DKIM error permerror (bad sig).
Greetz
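The relaxed/relaxed recommendation above, and the "Body Has Been Altered" verification failure reported earlier in the thread, both come down to DKIM body canonicalization (RFC 6376 section 3.4). This added Python example (not from the post or from OpenDKIM) computes the DKIM body hash (the bh= tag) under both canonicalizations for a constructed message and a whitespace-rewrapped copy of it, showing that only the relaxed hash survives the rewrite.

```python
import base64
import hashlib
import re


def _lines(body):
    # Accept CRLF or bare LF line endings; canonical output always uses CRLF.
    return re.split(r"\r\n|\n", body)


def simple_body(body):
    """RFC 6376 3.4.3: drop trailing empty lines only; an empty body becomes CRLF."""
    lines = _lines(body)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n"
    return "".join(line + "\r\n" for line in lines)


def relaxed_body(body):
    """RFC 6376 3.4.4: strip trailing WSP, collapse WSP runs to one SP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in _lines(body)]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, canon):
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= value for rsa-sha256."""
    canon_fn = {"simple": simple_body, "relaxed": relaxed_body}[canon]
    digest = hashlib.sha256(canon_fn(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed body as signed by the originating server.
ORIGINAL = "Hello,\r\n\r\nPlease see the\tattached report.  \r\nRegards\r\n\r\n\r\n"
# Constructed copy as an intermediate hop might emit it: tab expanded to a space,
# trailing whitespace stripped, extra blank lines dropped.
REWRAPPED = "Hello,\r\n\r\nPlease see the attached report.\r\nRegards\r\n"


def survives(canon):
    """True when the body hash is unchanged by the rewrite under this canonicalization."""
    return body_hash(ORIGINAL, canon) == body_hash(REWRAPPED, canon)
```

A verifier comparing the received body against bh= reports exactly the "Body Has Been Altered" failure when the simple hash differs, which is why the relaxed body canonicalization tolerates the whitespace changes that list servers and relays commonly introduce.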
Agreed. I’ve made the change. Thanks!
Hey Steve. Thank you for an excellent tutorial. Postfix is talking to OpenDKIM, etc. I’ve gotten past all my issues using maillog except a final one: no output. The last issue I had was “key not secure”, and I chowned it to opendkim.opendkim and mod’d it to 600. Restarted all, and now I get no log message. No error, BUT also no message saying a mail was signed… Any ideas? Does Why=yes still verbosely log a successfully signed message? Thanks!
Steve, I figured out my own issue. If you use the yum install (I’m on RHEL 6.3), it defaults the mode to “v” rather than “sv”. Might be helpful for future users. Thanks again for the tutorial!