[BlueOnyx:25915] Re: DKIM

Michael Stauber mstauber at blueonyx.it
Wed Jan 11 19:20:22 -05 2023


Hi Richard,

> Bit of advice please. I have 3 x BlueOnyx Servers in this scenario.
> 
> 1 x Primary DNS only – 5210R
> 1 x POP3 Server only – 5210R
> 1 x SMTP Server only – 5210R
> 
> On the POP3 server, I have followed Michael’s instructions, enabled DKIM 
> and in the virtual site I enabled OpenDKIM. It produced 3 x DKIM 
> aliases, a Hostname of DNS TXT Record -  default._domainkey and the TXT 
> record.

It's no biggy if the DNS server is separate. You then just have to 
manually create the correct TXT record there.

Having the POP3/IMAP (and therefore the mailboxes) on *one* server and 
the SMTP on *another* server complicates things a little, though. It's 
not a big deal, but something to keep in mind.

Generally: DKIM needs to be configured and activated on the server where 
SMTP is running. Because when you and your users send emails via that, 
DKIM checks whether it is configured to sign outgoing emails for the users in 
question. If the configuration says: Yes, sign all emails belonging to 
this sender's domain, then it'll sign those emails.

In your case the error message tells us that the SMTP server is unable 
to sign those emails, as its DKIM doesn't have the configuration for this:

---------------------------------------------------------------------
Jan 11 18:08:05 smtp opendkim[1212727]: 30BI84rL1432344: no signing 
table match for 'timing at xxxxonline.uk'

Jan 11 18:08:05 smtp opendkim[1212727]: 30BI84rL1432344: no signature data
---------------------------------------------------------------------

On the POP3/IMAP server DKIM is only good if you want to verify the 
signature of inbound emails. But if you have the AV-SPAM there and have 
its SpamAssassin enabled? It'll also do that already and will apply a 
SPAM score of 1.0 for emails that have invalid DKIM signatures.

So if you configure and activate DKIM on the SMTP server (instead of the 
POP3/IMAP server) and use the data it provides in your DNS TXT record, 
then you should be fine.

> I added a TXT record on the DNS server.
> 
> I didn’t know whether the Hostname of DNS TXT Record should go in the 
> Host Name section but did add it plus I then added the full key in the 
> Text Record.

The DNS record should look like this:

Hostname: 	default._domainkey
Domain-Name:	xxxxonline.uk
Type:		TXT
Data:		v=DKIM1; k=rsa; p=MIGfMA0...and...so..on

Or directly in the Bind configs it would look like this:

default._domainkey.xxxxonline.uk.  in txt "v=DKIM1; k=rsa; p=MIGfMA0...and...so..on"

The above goes all into one line and the content starting with v=DKIM1 
and ending with the cryptic block is encased in quotation marks.

That should do the trick then.

-- 
With best regards

Michael Stauber
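The two checks discussed in this thread, as an added example that is not part of the original post or of BlueOnyx/OpenDKIM: a lookup that mimics opendkim's SigningTable match for the sending address (the missing match is what produces "no signing table match"), a builder for the one-line BIND TXT record, and a validator for a published record. The table contents and key path are constructed sample values, and the public key is a placeholder, not a real key.

```python
import base64
import binascii
import fnmatch
import re

# Constructed OpenDKIM-style tables (assumed layout, not from the post).
# SigningTable: sender glob -> key name; KeyTable: key name -> (domain, selector, key path).
SIGNING_TABLE = {"*@xxxxonline.uk": "default._domainkey.xxxxonline.uk"}
KEY_TABLE = {
    "default._domainkey.xxxxonline.uk":
        ("xxxxonline.uk", "default", "/etc/opendkim/keys/default.private"),
}

def signing_key_for(sender, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Mimic the SigningTable lookup the SMTP host's opendkim does per message.
    No matching pattern means the mail leaves unsigned ('no signing table match')."""
    for pattern, key_name in signing_table.items():
        if fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            domain, selector, _path = key_table[key_name]
            return domain, selector
    return None

def dkim_txt_record(domain, selector, pubkey_b64):
    """Build the one-line BIND record for selector._domainkey.domain. One TXT
    string holds at most 255 bytes, so longer keys are split into several quoted
    strings that verifiers concatenate back together."""
    data = f"v=DKIM1; k=rsa; p={pubkey_b64}"
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return f"{selector}._domainkey.{domain}. IN TXT " + " ".join(f'"{c}"' for c in chunks)

def validate_dkim_record(txt):
    """Check a published record (raw tag list or full zone line).
    Returns a list of problems; an empty list means it is well-formed."""
    if '"' in txt:  # zone-file form: join the quoted strings first
        txt = "".join(re.findall(r'"([^"]*)"', txt))
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v=DKIM1 tag missing or wrong")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"unsupported key type k={tags['k']}")
    pub = tags.get("p")
    if pub is None:
        problems.append("p= tag missing")
    elif pub == "":
        problems.append("p= is empty, which publishes a revoked key")
    else:
        try:
            base64.b64decode(pub, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64")
    return problems
```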
