dkim: ключ не найден в DNS
У меня возникла проблема при настройке dkim с постфиксом в Ubuntu 20.04, так как я получаю следующую ошибку:
sudo opendkim-testkey -d example.com -s khloud222 -vvv
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'khloud222._domainkey.example.com'
opendkim-testkey: 'khloud222._domainkey.example.com' record not found
и результат аутентификации в заголовке электронной почты:
Authentication-Results:
dkim=fail reason="key not found in DNS"
когда я использую dig, я могу получить запись TXT:
;; ANSWER SECTION:
khloud222._domainkey.example.com. 3600 IN TXT "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwE23pelVeUyu7uhI9WVX0rnimMMgszgO7bdYVmBP55TK+qhp/25xF/sx2EZTjqNBFIcJeN7aRKPADk0Hno/VprAJCyqb6pWBz+VY7wzm/KtHFZrd92l5ZjrBxjNWvBpLBZ6I+L34bPlaw4v8cDctCS7tKv5R5IouVPtnECa/bAJ/SOPfrTXHUaKw9OM08yCOeleFfmHQxp75a6" "h86Bfj47cWRL+4ZW6Z1EFo/u2fzT4HQYesGfw0I6JlBupuplybyrB43tVcyEI3DDGCwL9n6hm6icUR5Q73jLco9A4BBQPfPE5ckjqNluNEq0+5pDqORO2tqW7h2CcjyAgkOl1H+wIDAQAB"
у меня есть следующая запись dkim в моем файле зоны DNS (я использую bind9 в Ubuntu 20.04):
khloud222._domainkey.example.com. IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwE23pelVeUyu7uhI9WVX0rnimMMgszgO7bdYVmBP55TK+qhp/25xF/sx2EZTjqNBFIcJeN7aRKPADk0Hno/VprAJCyqb6pWBz+VY7wzm/KtHFZrd92l5ZjrBxjNWvBpLBZ6I+L34bPlaw4v8cDctCS7tKv5R5IouVPtnECa/bAJ/SOPfrTXHUaKw9OM08yCOeleFfmHQxp75a6"
"h86Bfj47cWRL+4ZW6Z1EFo/u2fzT4HQYesGfw0I6JlBupuplybyrB43tVcyEI3DDGCwL9n6hm6icUR5Q73jLco9A4BBQPfPE5ckjqNluNEq0+5pDqORO2tqW7h2CcjyAgkOl1H+wIDAQAB" )
а вот мой конфиг: /etc/opendkim.conf
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain example.com
#KeyFile /etc/dkimkeys/dkim.key
#Selector 2007
# Commonly-used options; the commented-out versions show the defaults.
Canonicalization relaxed/simple
Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
SignatureAlgorithm rsa-sha256
# Socket smtp://localhost
#
# ## Socket socketspec
# ##
# ## Names the socket where this filter should listen for milter connections
# ## from the MTA. Required. Should be in one of these forms:
# ##
# ## inet:port@address to listen on a specific interface
# ## inet:port to listen on all interfaces
# ## local:/path/to/socket to listen on a UNIX domain socket
#
#Socket inet:8892@localhost
Socket local:/var/spool/postfix/opendkim/opendkim.sock
## PidFile filename
### default (none)
###
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /run/opendkim/opendkim.pid
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
# Map domains in From addresses to keys used to sign messages
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
# Hosts to ignore when verifying signatures
ExternalIgnoreList /etc/opendkim/trusted.hosts
# A set of internal hosts whose mail should be signed
InternalHosts /etc/opendkim/trusted.hosts
/etc/по умолчанию/opendkim
# Command-line options specified here will override the contents of
# /etc/opendkim.conf. See opendkim(8) for a complete list of options.
#DAEMON_OPTS=""
# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
# postfix in a chroot:
#RUNDIR=/var/spool/postfix/run/opendkim
RUNDIR=/run/opendkim
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
SOCKET="local:/var/spool/postfix/opendkim/opendkim.sock"
# listen on all interfaces on port 54321:
#SOCKET=inet:54321
# listen on loopback on port 12345:
#SOCKET=inet:12345@localhost
# listen on 192.0.2.1 on port 12345:
#SOCKET=inet:12345@192.0.2.1
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=
я добавил следующий раздел в /etc/postfix/main.cf
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
мой файл таблицы ключей:
khloud222._domainkey.example.com example.com:khloud222:/etc/opendkim/keys/example.com/khloud222.private
мой файл таблицы подписи:
*@example.com khloud222._domainkey.example.com