Having DKIM INVALID troubles
by mfoley from LinuxQuestions.org on (#4VCFK)
I have several issues with DKIM I can't seem to figure out. I've set this up on several servers, one of which always seems to be a problem. I'll start with the simplest issue first.
I have a host, mail.ohprs.org with the public domain ohprs.org. It is Slackware64 14.2, sendmail 8.15.2. I've installed opendkim 2.10.3. I've created an opendkim group and user account and generated keys: 'opendkim-genkey -s hprsmail -d ohprs.org'. The domain name administrator is networksolutions.com which has this domain's A record.
At networksolutions I added the TXT record which, on their system, is a fill-in form which looks like:
Code:
*.ohprs.org. "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQU ..."

(quotes are not part of the string). I copied the generated private key to /etc/opendkim which has permissions:
Code:
> ls -ld /etc/opendkim
drwxr-xr-x 2 root root 4096 2019-02-14 00:41 /etc/opendkim/
> ls -l /etc/opendkim
-rw------- 1 root root 887 2019-02-14 19:58 hprsmail.private

I've configured /etc/opendkim.conf as:
Code:
# This is a simple config file for signing and verifying
#LogWhy yes Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
Domain ohprs.org
Selector default
KeyFile /etc/opendkim/hprsmail.private
Socket inet:8891@localhost
ReportAddress sysadmin@ohprs.org
SendReports yes
## Hosts to sign email for - 127.0.0.1 is default
## See the OPERATION section of opendkim(8) for more information
#
InternalHosts 192.168.0.0/24, 98.102.63.106, 98.102.63.107
## For secondary mailservers - indicates not to sign or verify messages
## from these hosts
#
# PeerList X.X.X.X
# PidFile /var/run/opendkim/opendkim.pid
UserID opendkim:opendkim

I have added the following milter to the sendmail.mc:
Code:
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@localhost')

Finally, I start opendkim at boot as a daemon.
Sorry for all the detail, but perhaps something in the above is amiss, so better to describe everything I've done.
As an example, when I send a message from noreply@ohprs.org on that server to mfoley@novatec-inc.com (my personal email server) I get:
Code:
Authentication-Results: server.novatec-inc.com;
dkim=fail reason="signature verification failed" (1024-bit key) header.d=ohprs.org header.i=@ohprs.org header.b=rhbb1L88

Why? Pretty much all other emails I receive at novatec-inc.com are valid. For example one received shortly after the above invalid one:
Code:
Authentication-Results: server.novatec-inc.com;
dkim=pass (1024-bit key) header.d=mail.house.gov header.i=@mail.house.gov header.b=gdXTij1t

A possible factor: the noreply@ohprs.org sender is really root but sending with 'mail -r noreply@ohprs'. Would that make a difference?
I'm at a loss as to where to look for this error.
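
An added example, not part of the original post: a Python check that derives the DNS name a verifier queries (`<selector>._domainkey.<domain>`, RFC 6376) from a signature's `s=` and `d=` tags and compares it with the selector given to `opendkim-genkey`, the `Selector` in opendkim.conf and the owner name entered in the DNS form. The config excerpt and names come from the post; the DKIM-Signature header is a constructed sample and the function names are this example's own. It reports naming differences only and does not verify the signature.

```python
import re
# Values below are copied from the post, except SAMPLE_SIGNATURE, which is a
# constructed DKIM-Signature value (the post shows none; bh/b are placeholders).
OPENDKIM_CONF = """\
Canonicalization relaxed/simple
Domain ohprs.org
Selector default
KeyFile /etc/opendkim/hprsmail.private
"""
GENKEY_SELECTOR = "hprsmail"      # from: opendkim-genkey -s hprsmail -d ohprs.org
PUBLISHED_OWNER = "*.ohprs.org."  # owner name entered in the DNS form
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=ohprs.org;\r\n"
    "\ts=default; h=from:to:subject:date;\r\n"
    "\tbh=PLACEHOLDER; b=PLACEHOLDER"
)

def parse_conf(text):
    """Return {setting: value} for the non-comment lines of an opendkim.conf."""
    conf = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            conf[fields[0]] = fields[1].strip()
    return conf

def parse_tags(header_value):
    """Parse an RFC 6376 tag=value list, dropping folding whitespace."""
    pairs = (p.split("=", 1) for p in header_value.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def key_query_name(selector, domain):
    """DNS name a verifier looks up for the public key."""
    return f"{selector}._domainkey.{domain}.".lower()

def check(conf_text, genkey_selector, published_owner, signature):
    conf, tags = parse_conf(conf_text), parse_tags(signature)
    query = key_query_name(tags["s"], tags["d"])
    findings = []
    if conf["Selector"] != genkey_selector:
        findings.append(f"conf Selector {conf['Selector']!r} != genkey selector {genkey_selector!r}")
    if tags["s"] != conf["Selector"] or tags["d"] != conf["Domain"]:
        findings.append("signature s=/d= differ from conf Selector/Domain")
    # Exact-name comparison only; DNS wildcard expansion is not modelled.
    if published_owner.lower() != query:
        findings.append(f"TXT published at {published_owner!r}, verifier queries {query!r}")
    return query, findings
```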

