Allow me to share my rough notes, compiled while recently configuring email and DKIM on a new Ubuntu VPS installation. Hopefully these hints will help the next poor soul trying to get DKIM up and running on the first try:
- SpamAssassin seems to want to fail DKIM keys from Gmail or Google Apps with an error of T_DKIM_INVALID. There's some noise online about this perhaps being an issue with clock synchronization, but it is more likely that you are missing one or more Perl modules that SpamAssassin needs to properly decode the DKIM key. The fix turned out to be simple; installing these packages solved that issue:
sudo apt-get install libmail-dkim-perl
sudo apt-get install libcrypt-openssl-random-perl
sudo apt-get install libcrypt-openssl-rsa-perl
(Thank you, Henrik Schack, for the tip!)
- If you are new to OpenDKIM's Authentication-Results header, you're going to be confused by this. You'll see a lot of DKIM results reported as having passed, but with a reason of "1024-bit key; insecure key." This made me start poking around, looking at file permissions for my various keys (I set up signing for multiple domains). I assumed I had done something wrong, but I couldn't find any issue no matter where I looked. It turns out that it is not really an issue at all. What the message actually means is that the domain that sent you the message isn't using DNSSEC. Long term? Sure, yeah, everybody should look at DNSSEC, but one thing at a time.
- Here's what nobody tells you if you're DKIM signing multiple domains on the same server, using OpenDKIM: It is possible to interpret the opendkim.conf configuration file in a way that would lead you to add multiple sections starting with "domain," setting a selector for each and linking to different keys. Truth be told, OpenDKIM will only honor the LAST one of these sections, signing mail for only one of your domains. It won't generate any sort of error message, either, so it can be frustrating to understand what is happening. Remember, if you want to set up signing for multiple domains, look at how to configure the SigningTable and KeyTable settings in OpenDKIM.
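The silent last-one-wins behaviour described in the item above can be checked for before mail goes out unsigned. The following is an added example, not code from the original post or from the OpenDKIM project: a small Python audit that flags repeated Domain, Selector and KeyFile directives and reports whether both KeyTable and SigningTable are configured. The sample configuration, domains and key paths are constructed, and `parse_directives` and `audit` are hypothetical helper names.

```python
# Added example (not from the original post): audit opendkim.conf text for
# repeated single-key directives, which the post says are silently ignored.
SINGLE_KEY = ("domain", "selector", "keyfile")
TABLES = ("keytable", "signingtable")

# Constructed sample: two "sections", one per domain (names/paths made up).
SAMPLE_CONF = """\
Syslog yes
Domain   example.com
Selector mail
KeyFile  /etc/opendkim/keys/example.com/mail.private
# second domain added later
Domain   example.org
Selector mail2
KeyFile  /etc/opendkim/keys/example.org/mail2.private
"""

def parse_directives(conf_text):
    """Return (name, value) pairs for 'Name value' lines, skipping comments."""
    pairs = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *rest = line.split(None, 1)
            pairs.append((name, rest[0].strip() if rest else ""))
    return pairs

def audit(conf_text):
    """Report values that would be dropped and whether table mode is set up."""
    seen = {}
    for name, value in parse_directives(conf_text):
        # Assumption: directive names are compared case-insensitively here.
        seen.setdefault(name.lower(), []).append(value)
    ignored = {}
    for key in SINGLE_KEY:
        values = seen.get(key, [])
        if len(values) > 1:
            # Per the post, only the last occurrence is honored.
            ignored[key] = values[:-1]
    return {"ignored": ignored, "uses_tables": all(t in seen for t in TABLES)}

if __name__ == "__main__":
    report = audit(SAMPLE_CONF)
    for key, values in report["ignored"].items():
        print(f"{key}: ignored {values}")
    if report["ignored"] and not report["uses_tables"]:
        print("Multiple domains need KeyTable and SigningTable entries.")
```

Run it against the text of your own opendkim.conf; any entry under "ignored" is a domain, selector or key that the post's description says will never be used for signing.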
(Originally posted to my personal blog, but I think it makes more sense here since it's talking about email, spam filtering and authentication.)
Yep, this seems to have fixed the T_DKIM_INVALID / Gmail issue for me on Ubuntu 14.04.
sudo apt-get install libmail-dkim-perl
sudo apt-get install libcrypt-openssl-random-perl
sudo apt-get install libcrypt-openssl-rsa-perl
Thanks for posting :)
Thanks for this.
It worked for me. :-)
Just a reminder that you need to restart spamassassin before it'll start working:
sudo service spamassassin restart
Thanks! I was stuck on how to fix the missing DKIM module in spamassassin.
Thank you !!!
I was looking for this for 3 days
Great info. Note that if it still does not work, you should add [/path/to/DKIM.pm] (with []) after the loading of the DKIM plugin in the 312.pre file.