Questions[opendkim](server)

We have developers who like to do things their own way, regardless of advice given. One of these is to send emails with completely bogus sender-addresses

I'd like to get OpenDKIM to reject or drop emails that it can't sign - is this possible?

Jan  4 21:30:25 smtp2 opendkim: 12345: no signing table match for '[email protected]'
Jan  4 21:30:25 smtp2 opendkim: 12345: no signature data

There are no configuration options that seem relevant other than SendReports yes which generates a new email back to the sender while continuing to send the unsigned original.

I've explored Canonicalization but that's unrelated.

Question: Can OpenDKIM stop delivery of an email that it can't sign ?

I have configured DKIM:

Dec 27 11:10:03 mailer opendkim[378]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf)
Dec 27 11:10:10 mailer postfix/postfix-script[551]: warning: symlink leaves directory: /etc/postfix/./makedefs.out
Dec 27 11:10:10 mailer postfix/postfix-script[719]: starting the Postfix mail system
Dec 27 11:10:10 mailer postfix/master[721]: daemon started -- version 3.4.13, configuration /etc/postfix

But the letters are not signed, I connect on port 25, there are no errors, tell me in which configuration file can there be problems? My key is being verified

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from /etc/postfix/dkim/mail.private
opendkim-testkey: checking key 'mail._domainkey.domain.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Configured exactly as in this guide https://www.linuxbabe.com/mail-server/setting-up-dkim-and-spf

Please tell me which way to look and where I could be wrong with the settings. Thanks in advance to everyone!

grep Socket /etc/opendkim.conf ->

# Socket smtp://localhost
# ##  Socket socketspec
#Socket                  inet:8892@localhost
#Socket    inet:12301@localhost
Socket inet:8891@localhost
#Socket    local:/run/opendkim/opendkim.sock

sammy@mailer:~$ grep -e 8891 -e unix /etc/postfix/main.cf
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

Referencing this: https://crypto.stackexchange.com/questions/72297/recommended-key-size-for-dkim

What I get from this is (at the time) DNS providers (usually) allow for up to 1024 bit keys but not 2048 bit. Now, my provider does let me use 2048 and confirmed DKIM signs. Of course, the post claims 1024 is perfectly safe, but if I have the option to use 2048 I'd like to.

Am I good to go, so long as my provider supports that big of a TXT record? Or could there still be issues?

I set up Opendkim milter to work with postfix on my machine. Now email is signed & verified correctly i.e. email source code shows DKIM-Signature header.

TXT record on the authorative dns is set up like this:

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> delv -t txt dkim-domain._domainkey.domain.eu
...
...
dkim-domain._domainkey.domain.eu. 1780 IN TXT   "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8drA4hH8gJaVpLaHhtQonhpOeanMo/oPmrAVehP3lBYAjsoxifCIclLqJo7kk0maelqu9SIN9ttQ0boCzEiQBMO1" "c1P+Sj/PxphZB71c8VNhqMJ32VG6Ky3ZD4Tds39Vye/wsWdi+842MUT3Z2dJnxS2AAG4pSkjaytFPCs0J94OUQC0tDErbnsMZh+gg+7IsYgND8FR/cRDzpXjD0qFJk4Cnc1q27WorPAGAiRsRfLt9u" "gkYgQRwapnofmKJ3hk/L8096YR7gan60L4+RGojsx5ppTdIEhYasyK9MokefmVeNyGwVXTJchqG8vhcg9uGjGy9mPiPg4B2TQgEBPwyQIDAQAB"
...
...

So on first glance everything is okay but when I run the diagnostics on my machine it says this:

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> opendkim-testkey -d domain.eu -s dkim-domain -vvv

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'dkim-pistam._domainkey.pistam.eu'
opendkim-testkey: key not secure
opendkim-testkey: key OK

Note the key not secure answer. I read from this answer that warning exists because DNSSEC is not enabled. But DNSSEC for my domain domain.eu is enabled. according to the DNSViz.

ADD:

It may be that the topic I linked to earlier is missleading, because I later read an answer here, suggesting that warning is due to too permissive privileges regarding the key pair! I set user rights on the key pair and their folder like this:

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> ls -l /etc/opendkim/keys/
total 8
-rw------- 1 opendkim opendkim 1675 Dec 30 08:45 dkim-rsa-private.key
-rw------- 1 opendkim opendkim  451 Dec 30 08:46 dkim-rsa-public.key

┌───┐
│ # │ root > server > ~
└─┬─┘
  └─> ls -ld /etc/opendkim/keys/
drwx------ 2 opendkim opendkim 4096 Jan  1 07:18 /etc/opendkim/keys/

So it should be secure... But it is not.

I've just been moving a postfix mail server to a different box, and I'm having trouble getting postfix to talk opendkim via a unix socket. The opendkim socket is located at /var/run/opendkim/opendkim.sock:

srwxrwxr-x 1 opendkim opendkim 0 Aug 14 15:11 /var/run/opendkim/opendkim.sock=

....but postfix can't see it. Here's a line from /var/log/mail.log:

Aug 14 15:13:04 new postfix/smtpd[23954]: warning: connect to Milter service unix:/var/run/opendkim/opendkim.sock: No such file or directory

Here is the line from my /etc/postfix/main.cf:

smtpd_milters = inet:127.0.0.1:11444 unix:/var/run/opendkim/opendkim.sock

Does anyone have any ideas as to what is causing the problem? I have googled around a bit, but I can't find any solutions that work.

Update: I'm using Postfix 3.1.0-3. Here's my uname -a:

Linux starbeamrainbowlabs.com 3.14.32-xxxx-grs-ipv6-64 #7 SMP Wed Jan 27 18:05:09 CET 2016 x86_64 x86_64 x86_64 GNU/Linux