I’ve really been struggling for days with this but I fixed it. I have two identical servers, both with identical OS versions, everything. I fixed it by comparing OpenDKIM conf files and the problem server had these two lines. . .
Removing them, i.e. making the file the same as the functioning server, immediately fixed a number of issues, e.g. mails not being signed. My questions are:
What do these two lines do and have I broken something by removing them?
What would cause totally identical servers to create differing conf files in this way?
To answer your question, the two lines you mention above appear to be added in order to allow individual virtual servers to have their own signing key.
The two lines are not added to /etc/opendkim.conf by default when first enabling DKIM, but they do appear later after hitting ‘save’ on the following page
Virtualmin > [any domain] > Server Configuration > DKIM Options
Hitting ‘save’ on this page (regardless of option selected) creates the two lines in /etc/opendkim.conf. Another way they can be added is when using the ‘Transfer Virtual Server’ to move a domain from another server.
However, as described in my other thread (https://www.virtualmin.com/node/33892), these two lines create a problem because their very existence now prevents the ‘Domain’ parameter in /etc/opendkim.conf from working. This is where the ‘additional domains to sign for’ are listed, but they are now ignored because of the presence of the newly added ‘KeyTable’ parameter. See http://www.opendkim.org/opendkim.conf.5.html under ‘Domain’ for an explanation of this.
But that’s not the biggest problem for me. On my Ubuntu 14.04 server I’m seeing emails being incorrectly signed with d='*' rather than d='mydomain.com', which is causing every email sent to fail DKIM validation. This is also happening on Debian 7.5, but I can’t speak for any others.
The ONLY workaround I have found is to copy the key from /etc/dkim.key into each virtual server’s individual DKIM page:
Virtualmin > [each domain] > Server Configuration > DKIM Options
and configure each domain to use its own key. Doing this ensures that each domain gets a ‘proper’ entry in /etc/dkim-keytable, and this ensures emails are correctly signed. It’s a pain when you’ve got dozens of domains, but it’s the only way to get this working correctly until it’s fixed in Virtualmin.
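As an added example (my own code, not from either post, from Virtualmin or from OpenDKIM), here is a small Python checker for the two conditions the answer describes: a `Domain` directive that opendkim.conf(5) says is ignored once `KeyTable` is present, and a key table entry whose signing-domain field is `*`, which would surface as `d=*` in outgoing DKIM-Signature headers and fail validation. The config, key table and header below are constructed samples, not the poster's files; the key table format assumed is the one documented for OpenDKIM (key name, then `domain:selector:keyfile`).

```python
import re

# Constructed sample of an /etc/opendkim.conf with both Domain and KeyTable set.
SAMPLE_CONF = """\
Syslog yes
Domain example.com,example.net
KeyFile /etc/dkim.key
Selector 2014
KeyTable /etc/dkim-keytable
"""

# Constructed sample key table; second entry has '*' as the signing domain.
SAMPLE_KEYTABLE = """\
2014._domainkey.example.com example.com:2014:/etc/dkim.key
default *:2014:/etc/dkim.key
"""

# Constructed DKIM-Signature header values (signature value truncated, not real).
GOOD_HEADER = "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=2014; b=AAAA"
BAD_HEADER = "v=1; a=rsa-sha256; c=relaxed/simple; d=*; s=2014; b=AAAA"

# A d= value must be a DNS hostname: label(s) of letters/digits/hyphens, then a TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def parse_conf(text):
    """Parse opendkim.conf into {directive: value}; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1].strip()
    return conf


def conf_findings(conf):
    """Flag directives that are silently overridden by the presence of KeyTable."""
    findings = []
    if "KeyTable" in conf and "Domain" in conf:
        findings.append(
            "Domain (%s) is ignored because KeyTable is set; list those domains "
            "in the key/signing tables instead" % conf["Domain"]
        )
    return findings


def parse_keytable(text):
    """Parse key table lines of the form '<name> <domain>:<selector>:<keyfile>'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(None, 1)
        domain, selector, keyfile = spec.split(":", 2)
        entries.append(
            {"name": name, "domain": domain, "selector": selector, "keyfile": keyfile}
        )
    return entries


def keytable_findings(entries):
    """Flag entries whose domain field is not a hostname (e.g. '*'), as these
    become the d= value of every signature produced with that key."""
    findings = []
    for e in entries:
        if not HOSTNAME_RE.match(e["domain"]):
            findings.append(
                "key table entry '%s' would sign with d=%s, which verifiers reject"
                % (e["name"], e["domain"])
            )
    return findings


def signature_domain(header_value):
    """Return the d= tag of a DKIM-Signature header value, or None if absent."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags.get("d")


def signature_domain_ok(header_value):
    """True when the d= tag is present and is a syntactically valid hostname."""
    d = signature_domain(header_value)
    return bool(d and HOSTNAME_RE.match(d))


if __name__ == "__main__":
    for f in conf_findings(parse_conf(SAMPLE_CONF)):
        print("CONF:", f)
    for f in keytable_findings(parse_keytable(SAMPLE_KEYTABLE)):
        print("KEYTABLE:", f)
    for h in (GOOD_HEADER, BAD_HEADER):
        print("d=%s ok=%s" % (signature_domain(h), signature_domain_ok(h)))
```

Run it against your own files by replacing the sample strings with `open('/etc/opendkim.conf').read()` and `open('/etc/dkim-keytable').read()`; the header check can be pointed at the `DKIM-Signature:` line of a message pulled from the mail log or a test mailbox. An empty findings list together with `ok=True` on a real outgoing message is the state the answer describes as working.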