Hi,
These are my OpenDKIM notes for anyone running into OpenDKIM problems. You are reading this message for one reason: your email messages are not signed by DKIM, and you want to figure out why.
Note: Email Debugger should be able to fix all of the errors below for you.
CyberPanel uses OpenDKIM with Postfix to add DKIM signatures to emails.
Step 1: Check if OpenDKIM signature is added
Go to the command line and run
journalctl -f | grep opendkim
Then send an email from SnappyMail. Do you get output like this?
root@cyberpanel:~# journalctl -f | grep dkim
Jan 10 10:49:17 cyberpanel.net opendkim[579]: 3447740AAD: DKIM-Signature field added (s=default, d=domain.com)
The output above shows that the DKIM signature is added and working.
If there is no output, then OpenDKIM is not working: either Postfix is not able to communicate with OpenDKIM, or OpenDKIM is running but not working as it should. Read on.
Step 2: Is OpenDKIM listening on port 8891?
If the DKIM-Signature field is not being added, check whether port 8891 is occupied by OpenDKIM:
root@ubuntu-default-mariadb-install-check:~# lsof -i:8891
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
opendkim 292040 opendkim 3u IPv4 1710032 0t0 TCP localhost:8891 (LISTEN)
root@ubuntu-default-mariadb-install-check:~#
In this case, as you can see, opendkim is listening on port 8891. If it is not, you have to edit
/etc/opendkim.conf
Open this file and replace any instance of the Socket value. Values such as
Socket inet:8891
Socket local:/var/spool/postfix/opendkim/opendkim.sock
and other possible values of the Socket variable are not right. Make sure it looks like
Socket inet:8891@localhost
(the @localhost part keeps the milter port bound to the local machine only). Then restart opendkim
systemctl restart opendkim
Then check again and OpenDKIM should be listening on port 8891.
Step 3: Check if your domain is present in OpenDKIM conf
The domain must be in the KeyTable, SigningTable and TrustedHosts files
/etc/opendkim/KeyTable
/etc/opendkim/SigningTable
/etc/opendkim/TrustedHosts
Let's say our domain is cyberpanel.net. The entries in the above files for this domain should be
KeyTable
default._domainkey.cyberpanel.net cyberpanel.net:default:/etc/opendkim/keys/cyberpanel.net/default.private
SigningTable
*@cyberpanel.net default._domainkey.cyberpanel.net
TrustedHosts
cyberpanel.net
If you have multiple domains, you will have similar entries for each domain in all of those files.
If they are not present, add them and restart OpenDKIM.
If you don’t know what you are doing, just reset the email configs using Email Debugger.
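One way to automate the Step 3 check, as an added example that is not part of the original notes or of CyberPanel's tooling. The helper name check_dkim_tables is hypothetical; it assumes the table layout shown above and also flags a world-readable private key.

```shell
#!/bin/sh
# Added example (not CyberPanel's or OpenDKIM's code): cross-check the three
# OpenDKIM tables for one domain. Assumes the layout shown in Step 3:
#   SigningTable: *@<domain> <keyname>
#   KeyTable:     <keyname> <domain>:<selector>:<keypath>
#   TrustedHosts: one host or domain per line
# check_dkim_tables is a hypothetical helper name.
check_dkim_tables() {
    dir=$1 domain=$2 rc=0

    # Key name that the SigningTable assigns to *@<domain>
    keyname=$(awk -v p="*@$domain" '$1 == p { print $2; exit }' "$dir/SigningTable")
    if [ -z "$keyname" ]; then
        echo "SigningTable: no entry for *@$domain"; return 1
    fi

    # Value of that key name in the KeyTable
    value=$(awk -v k="$keyname" '$1 == k { print $2; exit }' "$dir/KeyTable")
    if [ -z "$value" ]; then
        echo "KeyTable: no entry named $keyname"; return 1
    fi

    # The value must split into exactly three colon-separated fields.
    nf=$(printf '%s\n' "$value" | awk -F: '{ print NF }')
    if [ "$nf" -ne 3 ]; then
        echo "KeyTable: '$value' is not domain:selector:keypath"; return 1
    fi
    kdomain=${value%%:*}
    keypath=${value##*:}

    if [ "$kdomain" != "$domain" ]; then
        echo "KeyTable: domain '$kdomain' does not match $domain"; rc=1
    fi
    if [ ! -f "$keypath" ]; then
        echo "KeyTable: key file $keypath does not exist"; rc=1
    elif [ -n "$(find "$keypath" -perm -004)" ]; then
        echo "Key file $keypath is world-readable; restrict it to the opendkim user"; rc=1
    fi
    if ! grep -qxF "$domain" "$dir/TrustedHosts"; then
        echo "TrustedHosts: $domain is not listed"; rc=1
    fi
    return $rc
}

# Usage: sh check_dkim.sh /etc/opendkim cyberpanel.net
if [ "$#" -eq 2 ]; then check_dkim_tables "$1" "$2"; fi
```

A zero exit status means all three tables agree for the domain; any finding is printed and the status is non-zero.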
Bonus: Command to generate DKIM keys
opendkim-genkey -D /etc/opendkim/keys/cyberpanel.net -d cyberpanel.net -s default
Bonus 2: OpenDKIM and RSPAMD
If you are using RSPAMD and are unable to get DKIM working, then:
I found the solution to the RSPAMD problem. First, disable DKIM signing in rspamd
nano /etc/rspamd/local.d/dkim_signing.conf
Add the following to this file
enabled = false;
Then run the following on the CLI
systemctl restart rspamd.service
Then open your Postfix conf
nano /etc/postfix/main.cf
You will see something like this at the very end of your Postfix conf.
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
smtpd_milters = inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:11332
Convert it to
smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:11332
non_smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:11332
milter_default_action = accept
Then restart Postfix
systemctl restart postfix
Basically you should only have one instance of smtpd_milters and non_smtpd_milters. You can combine them into a single entry as I’ve done above.
To be continued…