Re: keytable and signingtable

From: Fabrizio Regalli <fab@mailsicura.org>
Date: Wed, 01 Dec 2010 12:06:37 +0100

> Hello Fabrizio,
>

Hi Robert.

> you will hopefully get more expert advice, because I only started working with OpenDKIM 3 days ago.

Don't worry: any answer is appreciated :)

>
> I have a similar setup to yours, and the only thing I can think of is that maybe your OpenDKIM process is not actually running as user opendkim, so maybe it can't access the key file because of that?

The process I see with "ps":

 opendkim[1596]: OpenDKIM Filter v2.0.1 starting (args:
-x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p
inet:12345@localhost)

as you can see, there is the option "-u opendkim" in the startup command
line and the process is as follows:

opendkim 32202 1 0 11:58 ? 00:00:00 /usr/sbin/opendkim
-x /etc/opendkim.conf -u opendkim -P /var/run/opendkim/opendkim.pid -p
inet:8891@localhost

But your suggestion gave me a hint: in effect the two
files /etc/opendkim/keytable and /etc/opendkim/signingtable are root:root.
Now I will try to change the owner and group of these and retry.

>
> In your example, "fab" is the name that links entries in the SigningTable to those in the KeyTable, so you have that correct.
>
> When the sender matches the line
>
> *@mailsicura.org FAB
>
> in the SigningTable, it will take the key defined by the line
>
> FAB mailsicura.org:mail:/var/db/dkim/mailsicura.org/mail
>

So, if I understand right, this means that the first value "FAB" is
something like an alias and you can choose whatever you want.

> Good luck!
> Robert
>
Thanks Robert!

Ciao.
Fabrizio.

> On 1 Dec. 2010, at 10:40, Fabrizio Regalli wrote:
>
> > Hi.
> > I switched from dkim-milter to opendkim because it's more updated and
> > more developed, but I need a clarification about keytable and
> > signingtable, which replace the previous KeyList mechanism.
> > My scenario: many users for many domains. Each domain has one key and
> > each user uses it for signing.
> > Reading the man page I found an example on how to create a keytable:
> >
> > preskey example.com:foo:/usr/local/etc/dkim/keys/president
> > ...
> >
> > but I don't understand very well what "preskey" stands for.
> > Is it an alias? Is it the selector name?
> > Assuming "preskey" is an alias, I create my keytable in this way:
> >
> > fab mailsicura.org:mail:/var/db/dkim/mailsicura.org/mail
> >
> > "fab" is the alias
> > "mailsicura.org" is the domain
> > "mail" is the selector
> > "/var/db/dkim/mailsicura.org/mail" is the key path
> >
> > and my signingtable looks like:
> >
> > *@mailsicura.org fab
> >
> > but unfortunately I can't send the e-mail, and my /var/log/mail.log
> > says:
> >
> > opendkim[18308]: 8D2F0221AC error loading key `fab'
> >
> > My /etc/opendkim.conf looks like:
> >
> > Syslog yes
> > LogWhy yes
> > UMask 002
> > KeyTable refile:/etc/opendkim/keytable
> > SigningTable refile:/etc/opendkim/signingtable
> > On-Default accept
> > On-BadSignature accept
> > On-DNSError tempfail
> > On-InternalError accept
> > On-NoSignature accept
> > On-Security tempfail
> >
> > and the permission of the key file seems to be ok
> >
> > -rw------- 1 opendkim opendkim 887 dic 1 00:08 /var/db/dkim/mailsicura.org/mail
> >
> > I have generated the key according to the man page:
> >
> > opendkim-genkey -s mail -d mailsicura.org
> >
> > and
> >
> > opendkim-testkey -d mailsicura.org -s mail
> > -k /var/db/dkim/mailsicura.org/mail
> >
> > returns nothing, so I suppose my key is ok.
> >
> > What have I missed?
> >
> > Once again, thanks!
>
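The thread turns on three things that have to line up: every name on the right-hand side of the SigningTable must be a key name in the KeyTable, every KeyTable value must be domain:selector:path, and both the tables and the private-key file must be readable by the user the milter runs as (`-u opendkim` above). The checker below is an added example, not code from this thread or from the OpenDKIM project. It assumes the plain whitespace-separated table layout the poster uses (the `refile:` wildcard form is not expanded; key names are matched as exact first fields), it treats "readable by the milter user" as "owned by that user, or world-readable", it parses `ls -ld` output for mode and owner, and it builds its sample tables in a `mktemp` directory that stands in for /etc/opendkim and /var/db/dkim. The file contents are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check an OpenDKIM KeyTable/SigningTable pair and the
# key files they reference. Not part of the thread or of OpenDKIM itself.

# make_sample_tables: writes constructed KeyTable, SigningTable and key files
# into a fresh temp dir and prints that dir. Two deliberate faults are planted:
# "nokey" has no KeyTable entry and "old" points at a file that does not exist.
make_sample_tables() {
    d=$(mktemp -d)
    printf '%s\n' "fab mailsicura.org:mail:$d/mail" \
                  "old example.net:legacy:$d/missing" > "$d/keytable"
    printf '%s\n' '*@mailsicura.org fab' \
                  '*@example.net old' \
                  '*@example.org nokey' > "$d/signingtable"
    printf 'constructed placeholder, not real key material\n' > "$d/mail"
    chmod 600 "$d/mail"          # private key: owner-only, as in the poster's ls -l
    echo "$d"
}

# check_tables KEYTABLE SIGNINGTABLE RUNUSER
# Prints one line per problem, then a final "problems: N" summary line.
check_tables() {
    kt=$1; st=$2; runuser=$3; n=0

    # 0. The tables themselves must be readable by the milter's user
    #    (assumption: owner == runuser, or world-readable, counts as readable).
    for t in "$kt" "$st"; do
        if [ ! -f "$t" ]; then
            echo "table $t does not exist"; n=$((n + 1)); continue
        fi
        set -- $(ls -ld "$t"); mode=$1; owner=$3
        case $mode in
            ???????r??*) ;;                       # other-read bit set
            *) if [ "$owner" != "$runuser" ]; then
                   echo "table $t is owned by $owner and not world-readable; $runuser cannot read it"
                   n=$((n + 1))
               fi ;;
        esac
    done

    # 1. Every SigningTable value must name a key defined in the KeyTable.
    while read -r pattern keyname; do
        case $pattern in ''|\#*) continue ;; esac
        if ! awk -v k="$keyname" '$1 == k { found = 1 } END { exit !found }' "$kt"; then
            echo "signingtable: '$pattern' -> '$keyname' has no KeyTable entry"
            n=$((n + 1))
        fi
    done < "$st"

    # 2. Every KeyTable entry must be domain:selector:path, and the key file
    #    must exist, belong to the milter's user and be owner-only (0600).
    while read -r keyname spec; do
        case $keyname in ''|\#*) continue ;; esac
        domain=${spec%%:*}; rest=${spec#*:}
        selector=${rest%%:*}; path=${rest#*:}
        if [ "$rest" = "$spec" ] || [ "$path" = "$rest" ] \
           || [ -z "$domain" ] || [ -z "$selector" ] || [ -z "$path" ]; then
            echo "keytable: '$keyname' is not in domain:selector:path form"
            n=$((n + 1)); continue
        fi
        if [ ! -f "$path" ]; then
            echo "keytable: '$keyname' points at missing key file $path"
            n=$((n + 1)); continue
        fi
        set -- $(ls -ld "$path"); mode=$1; owner=$3
        if [ "$owner" != "$runuser" ]; then
            echo "keytable: $path is owned by $owner, not $runuser (milter cannot read it)"
            n=$((n + 1))
        fi
        case $mode in
            ????------*) ;;                       # group/other bits all clear
            *) echo "keytable: $path is group/world accessible ($mode)"; n=$((n + 1)) ;;
        esac
    done < "$kt"

    echo "problems: $n"
}

# Run it against the constructed tables as the current user (in production,
# pass the user from the -u option, e.g. opendkim).
dir=$(make_sample_tables)
check_tables "$dir/keytable" "$dir/signingtable" "$(id -un)"
rm -rf "$dir"
```

Against the sample tables the run reports the dangling "nokey" reference and the missing key file for "old", and ends with "problems: 2"; the poster's own `error loading key 'fab'` would show up here as either the ownership line or the missing-file line, depending on which of the two was the cause.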
Received on Wed Dec 01 2010 - 11:06:37 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:50 PST