wader / postfix-relay

Postfix SMTP relay docker image
https://hub.docker.com/r/mwader/postfix-relay/
MIT License

opendkim dkim #78

Closed davordragic closed 1 year ago

davordragic commented 1 year ago

I'm having an issue with the DKIM configuration. Certificates were generated automatically and saved into the PV. But on start of the docker image, I see the error opendkim: /etc/opendkim.conf: configuration error at line 2: unrecognized parameter

My /etc/opendkim.conf is generated and looks like:

InternalHosts 0.0.0.0/0, ::/0
KEY_TABLE vps._domainkey.mydomain.com:default:/etc/opendkim/keys/mydomain.com/vps.private
KeyTable refile:/etc/opendkim/KeyTable
Mode sv
SELECTOR vps
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:12301@localhost
Syslog yes
UMask 002 

docker-compose.yml file is like this:

  postfix:
    image: mwader/postfix-relay
    restart: unless-stopped
    volumes:
      - ./env/postfix/dkim/:/etc/opendkim/keys/
    environment:
      - POSTFIX_myhostname=${HOSTNAME}
      - OPENDKIM_DOMAINS=mydomain.com=vps
      - OPENDKIM_SELECTOR=vps
      - OPENDKIM_KEY_TABLE=vps._domainkey.mydomain.com:default:/etc/opendkim/keys/mydomain.com/vps.private

I have replaced my actual domain with mydomain.com

The main issue here is that my emails don't have a DKIM signature.

I have tested it via https://dkimvalidator.com/ and the result is: This message does not contain a DKIM Signature

Received: from **hostname** (**ip**.clients.your-server.de [**ip**])
    by relay-2.us-west-2.relay-prod (Postfix) with ESMTPS id 2CD3C2501A
    for <SipMBRRfppi4kt@dkimvalidator.com>; Tue,  9 May 2023 14:53:28 +0000 (UTC)
Received: from **domain** (**hostname**_default [172.0.0.5])
    by **hostname** (Postfix) with ESMTP id B5275E001D
    for <SipMBRRfppi4kt@dkimvalidator.com>; Tue,  9 May 2023 14:53:26 +0000 (UTC)
Date: Tue, 9 May 2023 14:53:26 +0000
To: SipMBRRfppi4kt@dkimvalidator.com
From: =?UTF-8?Q?=5B**hostname**?= <develop@**domain**>
Subject: =?UTF-8?Q?[**hostname**]_Ponastavi_geslo?=
Message-ID: <4T8O2u99oCNsamVrGrcmvqxJYSUNFYnobuoKPbMq7o@**domain**>
X-Mailer: WPMailSMTP/Mailer/smtp 3.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

**email content**

What am I missing here?

wader commented 1 year ago

Hmm, could it be as simple as OPENDKIM_KEY_TABLE should be OPENDKIM_KeyTable? Maybe also OPENDKIM_Selector. It's a bit confusing that OPENDKIM_DOMAINS is treated differently; all the others get written as-is to the config.

davordragic commented 1 year ago

Thank you for fast response. I have changed the line in docker-compose.yml

  postfix:
    image: mwader/postfix-relay
    restart: unless-stopped
    volumes:
      - ./env/postfix/dkim/:/etc/opendkim/keys/
    environment:
      - POSTFIX_myhostname=${HOSTNAME}
      - OPENDKIM_DOMAINS=mydomain.com=vps
      - OPENDKIM_SELECTOR=vps
      - OPENDKIM_KeyTable=vps._domainkey.mydomain.com:default:/etc/opendkim/keys/mydomain.com/vps.private

Now I get new error:

$ docker compose logs -f postfix
**hostname**-postfix-1  | DNS records:
**hostname**-postfix-1  | vps._domainkey    IN  TXT ( "v=DKIM1; h=sha256; k=rsa; p=******" )
**hostname**-postfix-1  | opendkim: /etc/opendkim.conf: vps._domainkey.mydomain.com:default:/etc/opendkim/keys/mydomain.com/vps.private: dkimf_db_open(): Unknown database type
**hostname**-postfix-1  | Starting OpenDKIM: Starting Postfix Mail Transport Agent: postfix.
**hostname**-postfix-1  | 2023-05-09T15:06:49.783629+00:00 47692a7af8a8 rsyslogd:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="141" x-info="https://www.rsyslog.com"] start

I'll do a quick test to see if maybe the DKIM signature is attached to the email.

EDIT: DKIM signature still not in the email. No idea if it's connected, but I found one more warning in the log: warning: connect to Milter service inet:localhost:12301: Cannot assign requested address

wader commented 1 year ago

Haven't seen those messages before. But change OPENDKIM_SELECTOR to OPENDKIM_Selector, that looks wrong. If possible, can you clear all data and regenerate a new signature and files?

It's been a while since I poked around with OpenDKIM so I don't remember much :)

davordragic commented 1 year ago

I have changed the selector, but this did not fix the missing DKIM. Will generate a new signature, to see if that might help.

EDIT: Generated a new signature, still no DKIM signature in the email.

davordragic commented 1 year ago

I have no idea how DKIM works, but should there be a dkim process?

root@dbf2ba75c72e:/# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   3736  2804 ?        Ss   May09   0:00 /bin/bash /root/run
root         140  0.0  0.1  43500  7820 ?        Ss   May09   0:00 /usr/lib/postfix/sbin/master
root         141  0.0  0.0 154136  3436 ?        Sl   May09   0:00 rsyslogd -n
postfix      145  0.0  0.1  43572  7924 ?        S    May09   0:00 qmgr -l -t unix -u
postfix      160  0.0  0.1  43520  7924 ?        S    16:34   0:00 pickup -l -t unix -u -c
postfix     1025  0.0  0.1  43704  7956 ?        S    16:40   0:00 tlsmgr -l -t unix -u -c
root        1040  0.3  0.0   3868  3276 pts/0    Ss   16:48   0:00 bash
root        1047  0.0  0.0   7640  2744 pts/0    R+   16:48   0:00 ps aux

root@dbf2ba75c72e:/# service opendkim status
[FAIL] opendkim is not running ... failed!
root@dbf2ba75c72e:/# service opendkim start
Starting OpenDKIM: opendkim: /etc/opendkim.conf: vps._domainkey.**.si:default:/etc/opendkim/keys/**.si/vps.private: dkimf_db_open(): Unknown database type
root@dbf2ba75c72e:/# cat /etc/opendkim/SigningTable
*@**.si vps._domainkey.**.si
root@dbf2ba75c72e:/# opendkim -x /etc/opendkim.conf -f -v
opendkim: /etc/opendkim.conf: vps._domainkey.**.si:default:/etc/opendkim/keys/**.si/vps.private: dkimf_db_open(): Unknown database type

wader commented 1 year ago

Yes, I think there should be an opendkim process. Could you have a look at that database file? And was that database created by the run script, and did it not exist on the volume before starting the container?

davordragic commented 1 year ago

I have tried both ways: creating the certificates myself and mounting them, and second, generating them with the run script. In between I did destroy the postfix docker image, because I noticed a volume on /etc/opendkim/keys

wader commented 1 year ago

Could you exec into the container and make sure it's the same database file as the one you volume mount in from the host? I've experienced before that docker-compose can play tricks on you with Dockerfile VOLUMEs surviving between containers.

davordragic commented 1 year ago

I have removed the volume mount in docker compose. Did docker compose rm postfix. Ran a new container without a volume in compose.

A new certificate has been generated, but still the same error. The file inside the docker container is in the proper location, and that's /etc/opendkim/keys/domain.com/vps.private

wader commented 1 year ago

Had a look inside one postfix-relay container that I've had running for a long while:

root@f77e3489d65e:/etc/opendkim/keys/<DOMAIN># cat mail.private
-----BEGIN RSA PRIVATE KEY-----
<REMOVED base64>
-----END RSA PRIVATE KEY-----

root@f77e3489d65e:/etc/opendkim/keys/<DOMAIN># cat mail.txt
mail._domainkey IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwMXuXr/edueQ9PKPFOJETXkHcbxpdc9++J/uKTNT8njPbx0wxJ5mwy7EkY61++w8z2Bbt/MsGAavNz8ENchA7cY3REr2cFc/wGKRXD8HEn47PhHvWsrSw2zQWej/pBjh7cEpTmLm7HFTso1axPqsM47qODn7HSKzq8C14IOH2ZHiUKe3c9n35D7M2kaeKjZKT2iqsnpbLTYSsl"
      "KttAkUyyvQ3fJifkorxUIqco+rDdy6CgUnkcgMXlvLUBgCxEgvm99cdodkuphJQfWCPAyEU4N9tJey0XbY746nSuEh9v2gFlKfUDCElgAn4YpZKFYsrFGRKWTm4T6XfZGLDAqQ8QIDAQAB" )  ; ----- DKIM key mail for <DOMAIN>

But reading http://www.opendkim.org/opendkim.conf.5.html I get a feeling KeyTable should be a path to a file containing the mapping and not the mapping itself?

davordragic commented 1 year ago

I have removed selector and keytable from the variables.

root@1c1270b63b6c:/# service opendkim status
[FAIL] opendkim is not running ... failed!
root@1c1270b63b6c:/# service opendkim start
Starting OpenDKIM: opendkim.
root@1c1270b63b6c:/# service opendkim status
[FAIL] opendkim is not running ... failed!
root@1c1270b63b6c:/# opendkim -x /etc/opendkim.conf -f -v
opendkim: smfi_opensocket() failed

davordragic commented 1 year ago

https://github.com/wader/postfix-relay/issues/63

Found one with the same issue here, but the solution he gave does not help me. Additionally, the private key generated has permissions 600 but should be 400, and I'm getting opendkim-testkey: key not secure, but changing to 400 does not fix this.

Regardless of all that, I'm not able to start opendkim; it always fails with smfi_opensocket() failed

davordragic commented 1 year ago

https://github.com/wader/postfix-relay/blob/master/run#LL32C17-L32C17

This should be only u=r

wader commented 1 year ago

Sorry, not at a computer. Btw, what host OS is this? Maybe https://github.com/wader/postfix-relay#i-see-key-data-is-not-secure-etcopendkimkeys-can-be-read-or-written-by-other-users-error-messages can help if the volume causes the permissions to not be changeable

davordragic commented 1 year ago

I'm trying on my laptop (macOS) and server (Debian). Same issue.

I don't think that's the problem, because in your run script you set u+rw permissions (600). This should be fixed in the run script.

Anyway, this still does not fix the issue with opendkim not wanting to start.

wader commented 1 year ago

Yeap, sounds reasonable, send a PR? So that is only a warning and not why it does not start?

davordragic commented 1 year ago

This change does not fix either of the 2 issues.

opendkim-testkey is still reporting that the key is insecure (I'm not using any volume), and the opendkim service does not want to start. If I manually kill the process and remove the pid, when I try to start the opendkim service I get no errors (only when I manually remove the pid), but when I check the service status it's failed.

Looks like something strange is going on with the service process (opendkim) - can't explain it better

wader commented 1 year ago

Ah was the socket thing also

davordragic commented 1 year ago

The issue with opendkim not starting can be reproduced simply with docker run --name postfix_test -e OPENDKIM_DOMAINS=test.com -d mwader/postfix-relay. If I go into the docker image with docker exec -it postfix_test bash and write service opendkim status I get status failed.

wader commented 1 year ago

Hmm could this be some regression after updating base image?

hemberger commented 1 year ago

https://github.com/wader/postfix-relay/blob/master/run#LL32C17-L32C17

This should be only u=r

Requiring u=r should not be necessary. From the OpenDKIM docs:

(4) Store the private key in a safe place. We generally use a path like /var/db/dkim/SELECTOR.key.pem (where "SELECTOR" is the name you chose). The /var/db/dkim directory and the associated .pem file should be owned by the user that will be executing the filter (preferably not the superuser) and be mode 0700 and 0600 respectively.
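
As an added example (not code from postfix-relay or its run script), a small linter for the three misconfigurations discussed in this thread: env-var spellings written verbatim into opendkim.conf (KEY_TABLE, SELECTOR), an inline mapping where KeyTable expects a file reference, and a key file whose permissions trip the "key not secure" check. It assumes the KeyTable file format `name domain:selector:keypath` from opendkim.conf(5) and opendkim-genkey's `selector._domainkey.domain` key naming; the temp directory, domain and placeholder key are constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Only file-backed datasets are validated (refile:/path, file:/path); key names following
# opendkim-genkey's "<selector>._domainkey.<domain>" convention let a mismatched entry be spotted.
DATASET_RE = re.compile(r"^(refile|file):(/\S+)$")
NAME_RE = re.compile(r"^([^.\s]+)\._domainkey\.(\S+)$")

def lint_conf(conf_text):
    """Flag env-var-style directive names and KeyTable/SigningTable values that are not file references."""
    findings = []
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if line.startswith("#") or len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if "_" in key or key.isupper():  # directives are CamelCase (KeyTable), never KEY_TABLE
            findings.append(f"{key}: not an OpenDKIM directive name")
        elif key in ("KeyTable", "SigningTable") and not DATASET_RE.match(value):
            findings.append(f"{key}: must be refile:/path or file:/path, not an inline mapping")
    return findings


def parse_keytable_line(line):
    """Parse 'name domain:selector:keypath'; flag a name whose selector/domain disagree with the value."""
    name, value = line.split(None, 1)
    domain, selector, keypath = value.strip().split(":", 2)
    m = NAME_RE.match(name)
    findings = [] if not m or (m.group(1), m.group(2)) == (selector, domain) else [
        f"{name}: signs with s={selector} d={domain}, but the DNS record is named {name}"]
    return {"name": name, "domain": domain, "selector": selector, "keypath": keypath, "findings": findings}


def check_key_file(keypath):
    """Apply the 'key not secure' rule: neither the key nor its directory may be group/world accessible."""
    if not os.path.isfile(keypath):
        return [f"{keypath}: missing"]
    return [f"{p}: readable or writable by group/other"
            for p in (keypath, os.path.dirname(keypath)) if os.stat(p).st_mode & 0o077]


def demo():
    """Constructed reproduction of the thread's configurations; returns the findings for each."""
    inline = "vps._domainkey.mydomain.com:default:/etc/opendkim/keys/mydomain.com/vps.private"
    bad_conf = f"KEY_TABLE {inline}\nKeyTable {inline}\nSELECTOR vps\n"
    with tempfile.TemporaryDirectory() as root:
        keydir = Path(root, "keys", "mydomain.com")
        keydir.mkdir(parents=True, mode=0o700)
        keypath = keydir / "vps.private"
        keypath.write_text("-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
        keypath.chmod(0o644)  # deliberately too open, the case opendkim-testkey complains about
        good_conf = f"KeyTable refile:{root}/KeyTable\nSigningTable refile:{root}/SigningTable\n"
        entry = parse_keytable_line(f"vps._domainkey.mydomain.com mydomain.com:default:{keypath}")
        return lint_conf(bad_conf), lint_conf(good_conf), entry["findings"], check_key_file(str(keypath))
```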

davordragic commented 1 year ago

Hmm could this be some regression after updating base image?

I have tried a few older images, even 1.0.1, and the issue is the same. At this point, I have no idea what to check ...

Might it be related to the docker daemon being updated? I'm using docker 23, tried on centos7 and 20.10.9, same issue

wader commented 1 year ago

Strange, tried the latest image with docker for mac, seems to work ok.

Will update docker and try also

Client:
 Cloud integration: v1.0.31
 Version:           20.10.23
 API version:       1.41
 Go version:        go1.18.10
 Git commit:        7155243
 Built:             Thu Jan 19 17:35:19 2023
 OS/Arch:           darwin/amd64
 Context:           default
 Experimental:      true

Server: Docker Desktop 4.17.0 (99724)
 Engine:
  Version:          20.10.23
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.10
  Git commit:       6051f14
  Built:            Thu Jan 19 17:32:04 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.18
  GitCommit:        2456e983eb9e37e47538f59ea18f2043c9a73640
 runc:
  Version:          1.1.4
  GitCommit:        v1.1.4-0-g5fd4c4d
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
$  docker pull mwader/postfix-relay
Using default tag: latest
latest: Pulling from mwader/postfix-relay
Digest: sha256:7fa67408f57e707c1face317b56f4ba56008a168921ffde7dc272d0f44e76a34
Status: Image is up to date for mwader/postfix-relay:latest
docker.io/mwader/postfix-relay:latest
$ docker run -e OPENDKIM_DOMAINS=test.com mwader/postfix-relay
DNS records:
No DKIM private key found for selector 'mail' in domain 'test.com'. Generating one now...
mail._domainkey.test.com.   IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA52fqAKrTaZQK4th79LTvy7M8cuq2agKNgiEkw6FP8Cmh6yhNhu/pdTJ8l9nn4fGWYkblUS6rSnshYxWhZQspyISSlf7xxa6xxnuY1J1nr97cdgrdBsyNg67jmXpmu9B6aDSMyGlJeh6jNAcSxWJkNjUdKnHoQq1zPD7NkANFa0g/4wCpHZRZgLWPEyYYgNr2cM3Q+bf5TOzL2w"
      "5RO5+UyKfD3WkQZIrZIDgk9PTdxlwjepTOCBLkjfpvuiKMLysZtinPNxA+80LBgol41h/GIsF+DJV/yRNUMtgf4u7D4zL2QlCe5ycbiDJp/PWa5JKAvHY6PZYIQhxXCDj/8coAMQIDAQAB" )  ; ----- DKIM key mail for test.com
Starting OpenDKIM: opendkim.
Starting Postfix Mail Transport Agent: postfix.
2023-05-10T19:51:42.000267+00:00 11d4254b4369 rsyslogd:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="161" x-info="https://www.rsyslog.com"] start
^C
Stopping Postfix Mail Transport Agent: postfix2023-05-10T19:51:50.656847+00:00 11d4254b4369 postfix/master[159]: terminating on signal 15
.
Stopping OpenDKIM: No /usr/sbin/opendkim found running; none killed.
opendkim.

davordragic commented 1 year ago

You won't see the error there. Run the docker image in detached mode. Enter the container and type service opendkim status

wader commented 1 year ago

Ah ok, weirdly it seems opendkim is running and the pid file seems ok but status fails:

root@18c234ebb012:/# cat /var/run/opendkim/opendkim.pid
39
root@18c234ebb012:/# ps axf
  PID TTY      STAT   TIME COMMAND
  166 pts/0    Ss     0:00 bash
  260 pts/0    R+     0:00  \_ ps axf
    1 ?        Ss     0:00 /bin/bash /root/run
   39 ?        Ssl    0:00 /usr/sbin/opendkim -x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid
  159 ?        Ss     0:00 /usr/lib/postfix/sbin/master
  164 ?        S      0:00  \_ pickup -l -t unix -u -c
  165 ?        S      0:00  \_ qmgr -l -t unix -u
  161 ?        Sl     0:00 rsyslogd -n
root@18c234ebb012:/# service opendkim status
[FAIL] opendkim is not running ... failed!

Tried to debug the status script a bit with sh -x but got lost, maybe unrelated to your issue

wader commented 1 year ago

Tried with latest docker stable (23.0.5), same as above, opendkim runs but status fails.

davordragic commented 1 year ago

My main issue here is that I'm not getting a DKIM signature in mails. Now, whether this is a service status related issue or not, no idea.

I'm trying to get a DKIM signature on emails sent with this postfix

davordragic commented 1 year ago

After everything, I did completely delete the container and started again. Despite the service status failing, it works and DKIM is signed.

Will you have a look at the service status issue, or might you give me some hints and I'll try to have a go.

wader commented 1 year ago

Ok, great. Yeah, will have a look, but you can help out if you want of course. Maybe do sh -x /etc/init.d/opendkim status and follow along in the script and see what is going wrong.

davordragic commented 1 year ago

Just for a test, I have added this on top of the run command:

#!/bin/bash
service opendkim start
sh -x /etc/init.d/opendkim status

the result is this

Starting OpenDKIM: opendkim.
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ DAEMON=/usr/sbin/opendkim
+ NAME=opendkim
+ DESC=OpenDKIM
+ stoptimeout=5
+ test -x /usr/sbin/opendkim
+ . /lib/lsb/init-functions
+ run-parts --lsbsysinit --list /lib/lsb/init-functions.d
+ [ -r /lib/lsb/init-functions.d/20-left-info-blocks ]
+ . /lib/lsb/init-functions.d/20-left-info-blocks
+ FANCYTTY=
+ [ -e /etc/lsb-base-logging.sh ]
+ true
+ [ -f /etc/default/opendkim ]
+ . /etc/default/opendkim
+ RUNDIR=/var/run/opendkim
+ SOCKET=local:/var/run/opendkim/opendkim.sock
+ USER=opendkim
+ GROUP=opendkim
+ PIDFILE=/var/run/opendkim/opendkim.pid
+ EXTRAAFTER=
+ USER=opendkim
+ GROUP=opendkim
+ PIDFILE=/var/run/opendkim/opendkim.pid
+ [ -f /etc/opendkim.conf ]
+ awk $1 == "Socket" { print $2 } /etc/opendkim.conf
+ CONFIG_SOCKET=inet:12301@localhost
+ [ -n local:/var/run/opendkim/opendkim.sock -a -z inet:12301@localhost ]
+ DAEMON_OPTS=-x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid 
+ status /usr/sbin/opendkim opendkim
+ local pidfile daemon name status
+ pidfile=
+ OPTIND=1
+ getopts p: opt
+ shift 0
+ [ -n  ]
+ daemon=/usr/sbin/opendkim
+ name=opendkim
+ status=0
+ pidofproc /usr/sbin/opendkim
+ local pidfile base status specified pid OPTIND
+ pidfile=
+ specified=
+ OPTIND=1
+ getopts p: opt
+ shift 0
+ [ 1 -ne 1 ]
+ base=opendkim
+ [ !  ]
+ pidfile=/var/run/opendkim.pid
+ [ -n /var/run/opendkim.pid ]
+ [ -e /var/run/opendkim.pid ]
+ [ -x /bin/pidof ]
+ [ !  ]
+ status=0
+ /bin/pidof -c -o %PPID -x /usr/sbin/opendkim
+ status=1
+ [ 1 = 1 ]
+ return 3
+ status=3
+ [ 3 = 0 ]
+ log_failure_msg opendkim is not running
+ [ -n opendkim is not running ]
+ log_begin_msg opendkim is not running ...
+ log_begin_msg_pre opendkim is not running ...
+ log_daemon_msg_pre opendkim is not running ...
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ FANCYTTY=0
+ false
+ [ -z opendkim ]
+ echo -n opendkim is not running ...
+ log_begin_msg_post opendkim is not running ...
+ :
+ log_end_msg 1
+ [ -z 1 ]
+ local retval
+ retval=1
+ log_end_msg_pre 1
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ FANCYTTY=0
+ false
+ log_use_fancy_output
+ TPUT=/usr/bin/tput
+ EXPR=/usr/bin/expr
+ [ -t 1 ]
+ FANCYTTY=0
+ false
+ RED=
+ YELLOW=
+ NORMAL=
+ [ 1 -eq 0 ]
+ [ 1 -eq 255 ]
+ /bin/echo -e  failed!
opendkim is not running ... failed!
+ log_end_msg_post 1
+ :
+ return 1
+ true
+ exit 3
Stopping OpenDKIM: No /usr/sbin/opendkim found running; none killed.
opendkim.

davordragic commented 1 year ago

An idea... since there are two services running in the container, why not use supervisord? I might help with the migration to a supervisord docker setup.

wader commented 1 year ago

Yes, would be nicer I think, and it would be great if you would like to look into it

davordragic commented 1 year ago

Will have a look at it on the weekend. Since this issue is resolved, I'll close the issue.

wader commented 1 year ago

👍