Hello,
I’m also trying to get the DKIM signing of outgoing mail configured via the Virtualmin control panel as described here: www.virtualmin.com/documentation/email/dkim
I found two bugs in the settings that the Virtualmin 3.82 GPL script produces (running Ubuntu 10.04):
- the DNS TXT records generated are missing a semicolon after k=rsa
i.e., they read:
k=rsa t=y; p=MIGfMA0G …
instead of:
k=rsa; t=y; p=MIGfMA0G …
Here is a useful link where you can have the validity of your DNS TXT record checked:
http://www.sendmail.org/dkim/checker
- the keylist that is generated looks like this:
*@firstdomain.net:firstdomain.net:/etc
*@seconddomain.net:seconddomain.net:/etc
This gives an error when trying to start the dkim-filter service, saying “dkim-filter: /etc: read(): Is a directory”.
I fixed this by adding the selector to each line (/etc/dkim-filter.conf has “selector im”) so it looks like this:
*@firstdomain.net:firstdomain.net:/etc/im
*@seconddomain.net:seconddomain.net:/etc/im
/etc/im is a symbolic link to the key file in etc/dkim.key
Now mail goes out with a correct-looking DKIM header, but it still fails the test one can do by sending a test mail to sa-test@sendmail.net
Unfortunately there is not a very detailed report in their feedback email; it just says “Signature verification failed; signature is missing or key could not be found”, so I suppose it’s some error in the outgoing email headers, because my DNS entries pass the test at the first link.
This is an example of an outgoing email header being generated:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=firstdomain.net; s=im;
t=1290951635; bh=4bYd6ZlIWAG92Y7oV7+JdZrw99unl9uLKC7csIf6pwc=;
h=To:Subject:From:Reply-To:Message-Id:Date;
b=iMXXdaGe6ToXM4Q3QzDTpTV/R2YnJ+gkWkC1RLivktxBCSz9iCYFRWpYcXa+DJXQg
1azzf3iv5nnggkQDdnhMxQ5VghmJ3fwQ+dwZBOGpgnOxZbTkyh9m7e3agR6GCkWztD
OR5fldf+MlA6+Ldh/5bPsaEl7FlqqEsyiBu+fE0c=
I wonder if anyone has had more luck using OpenDKIM instead of the dkim-filter package?
Another issue with the virtual host scenario is that all virtual domains use the same key.
But even if they didn’t, since even with a separate key for each domain the key is selected based on the From: header (if I understand correctly), with one Postfix service being shared by all domains there would be nothing to stop a script on one of the virtual domains from sending out emails with the From header of another and getting them signed.
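As an added example (not code from the post, from Virtualmin or from dkim-filter), here is a small Python checker that parses DKIM tag lists the way a verifier does. It flags the first bug described above (without the semicolon the k= value swallows "t=y" and no longer reads "rsa"), and it pulls s= and d= out of the quoted DKIM-Signature header to show the DNS name a verifier queries for the public key, which is where a "key could not be found" failure is looked up. The p= value is a constructed placeholder because the one in the post is truncated, and the function names are my own.

```python
"""Parse and sanity-check DKIM tag=value lists (RFC 6376 style)."""
import base64
import binascii

# Key types and t= flags defined by RFC 6376 for the DNS key record.
VALID_KEY_TYPES = {"rsa"}
VALID_FLAGS = {"y", "s"}
REQUIRED_SIG_TAGS = ("v", "a", "b", "bh", "d", "h", "s")
HASH_LENGTHS = {"rsa-sha256": 32, "rsa-sha1": 20}  # bytes in a decoded bh=


def parse_tag_list(text):
    """Split 'k=rsa; t=y; p=...' into a dict. Tags are separated by ';';
    whitespace inside a value is collapsed to single spaces so a folded
    header, or a record with a missing ';', keeps its structure visible."""
    tags = {}
    for chunk in text.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue  # a trailing ';' is allowed
        if "=" not in chunk:
            raise ValueError(f"tag without '=': {chunk!r}")
        name, value = chunk.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = " ".join(value.split())
    return tags


def validate_dns_record(record):
    """Return a list of problems in a DKIM DNS TXT record (empty = OK)."""
    try:
        tags = parse_tag_list(record)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version {tags['v']!r}")
    key_type = tags.get("k", "rsa")  # k= defaults to rsa when absent
    if key_type not in VALID_KEY_TYPES:
        hint = " (value contains whitespace: a ';' is probably missing)" if " " in key_type else ""
        problems.append(f"unknown key type {key_type!r}{hint}")
    for flag in tags.get("t", "").split(":"):
        if flag and flag not in VALID_FLAGS:
            problems.append(f"unknown t= flag {flag!r}")
    if "p" not in tags:
        problems.append("missing p= tag")
    else:
        try:  # an empty p= means "key revoked" and decodes fine
            base64.b64decode(tags["p"].replace(" ", ""), validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems


def parse_signature_header(raw_header):
    """Unfold a DKIM-Signature header and parse its tags."""
    unfolded = " ".join(line.strip() for line in raw_header.splitlines())
    name, _, value = unfolded.partition(":")
    if name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    return parse_tag_list(value)


def key_lookup_name(sig_tags):
    """DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def check_signature(sig_tags):
    """Structural checks on a parsed signature (no cryptography involved)."""
    problems = [f"missing {t}= tag" for t in REQUIRED_SIG_TAGS if t not in sig_tags]
    if problems:
        return problems
    if sig_tags["a"] not in HASH_LENGTHS:
        problems.append(f"unknown algorithm {sig_tags['a']!r}")
    else:
        try:
            digest = base64.b64decode(sig_tags["bh"].replace(" ", ""), validate=True)
            if len(digest) != HASH_LENGTHS[sig_tags["a"]]:
                problems.append("bh= length does not match a=")
        except binascii.Error:
            problems.append("bh= is not valid base64")
    signed = [h.strip().lower() for h in sig_tags["h"].split(":")]
    if "from" not in signed:  # RFC 6376 requires From to be signed
        problems.append("h= must include From")
    return problems


# Constructed placeholder, NOT a real public key (the post's value is truncated).
PLACEHOLDER_P = base64.b64encode(b"not-a-real-key-placeholder").decode()
RECORD_GOOD = f"k=rsa; t=y; p={PLACEHOLDER_P}"
RECORD_BAD = f"k=rsa t=y; p={PLACEHOLDER_P}"  # the missing ';' from the post

# The signature header quoted in the post, reproduced as folded header text.
SIGNATURE_HEADER = """DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=firstdomain.net; s=im;
 t=1290951635; bh=4bYd6ZlIWAG92Y7oV7+JdZrw99unl9uLKC7csIf6pwc=;
 h=To:Subject:From:Reply-To:Message-Id:Date;
 b=iMXXdaGe6ToXM4Q3QzDTpTV/R2YnJ+gkWkC1RLivktxBCSz9iCYFRWpYcXa+DJXQg
 1azzf3iv5nnggkQDdnhMxQ5VghmJ3fwQ+dwZBOGpgnOxZbTkyh9m7e3agR6GCkWztD
 OR5fldf+MlA6+Ldh/5bPsaEl7FlqqEsyiBu+fE0c="""

if __name__ == "__main__":
    print("good record:", validate_dns_record(RECORD_GOOD))
    print("bad record: ", validate_dns_record(RECORD_BAD))
    sig = parse_signature_header(SIGNATURE_HEADER)
    print("key lookup: ", key_lookup_name(sig))
    print("signature:  ", check_signature(sig))
```

Run as-is it reports the good record as clean, names the swallowed "t=y" in the bad one, and prints im._domainkey.firstdomain.net as the record the verifier fetches; a dig or nslookup of that exact name (TXT) is the first thing to compare against what the sendmail.org checker was given.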