OpenDKIM configuration to send debian.org email
Debian.org added support for DKIM in 2020. To configure this on my side, I had to do the following, on top of my email configuration.
1. add this line to `/etc/opendkim/signing.table`:

   ```
   *@debian.org marcos-debian.anarcat.user
   ```

2. add this line to `/etc/opendkim/key.table`:

   ```
   marcos-debian.anarcat.user debian.org:marcos-debian.anarcat.user:/etc/opendkim/keys/marcos-debian.anarcat.user.private
   ```

   Yes, that's quite a mouthful! That magic selector is long in that way because it needs a special syntax (specifically the `.anarcat.user` suffix) for Debian to be happy. The `-debian` string is to tell me where the key is published. The `marcos` prefix is to remind me where the private key is used.

3. generate the key with:

   ```
   opendkim-genkey --directory=/etc/opendkim/keys/ --selector=marcos-debian.anarcat.user --domain=debian.org --verbose
   ```

   This creates the DNS record in `/etc/opendkim/keys/marcos-debian.anarcat.user.txt` (alongside the private key in `.key`).

4. restart OpenDKIM:

   ```
   service opendkim restart
   ```

The DNS record will look something like this:

```
marcos-debian.anarcat.user._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "
  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtKzBK2f8vg5yV307WAOatOhypQt3ANQ95iDaewkVehmx42lZ6b4PzA1k5DkIarxjkk+7m6oSpx5H3egrUSLMirUiMGsIb5XVGBPFmKZhDVmC7F5G1SV7SRqqKZYrXTufRRSne1eEtA31xpMP0B32f6v6lkoIZwS07yQ7DDbwA9MHfyb6MkgAvDwNJ45H4cOcdlCt0AnTSVndcl"
  "pci5/2o/oKD05J9hxFTtlEblrhDXWRQR7pmthN8qg4WaNI4WszbB3Or4eBCxhUdvAt2NF9c9eYLQGf0jfRsbOcjSfeus0e2fpsKW7JMvFzX8+O5pWfSpRpdPatOt80yy0eqpm1uQIDAQAB" )  ; ----- DKIM key marcos-debian.anarcat.user for debian.org
```

The `"p=MIIB..."` string needs to be joined together, without the quotes and the `p=`, and sent in a signed email to `changes@db.debian.org`:

```
-----BEGIN PGP SIGNED MESSAGE-----

dkimPubKey: marcos.anarcat.user MIIB[...]

-----BEGIN PGP SIGNATURE-----
[...]
```

Wait a few minutes for DNS to propagate. You can check if they have with:

```
host -t TXT marcos-debian.anarcat.user._domainkey.debian.org nsp.dnsnode.net
```

(`nsp.dnsnode.net` being one of the `NS` records of the `debian.org` zone.)
If all goes well, the tests should pass when sending from your server
as anarcat@debian.org.
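Joining the quoted `p=` chunks by hand is where the copy-paste mistakes happen, so here is a small added helper (example code, not from the original post or from OpenDKIM) that parses the `.txt` file `opendkim-genkey` writes, returns the bare key for the `dkimPubKey:` line, and checks that the record the nameserver actually serves matches it. The `.txt` contents and the `host` output below are constructed stand-ins, with a fake key instead of the real debian.org one.

```python
import base64
import re

# Constructed sample key (not a real RSA key) so the example runs offline.
SAMPLE_KEY = base64.b64encode(b"constructed sample, not a real RSA public key").decode()

# Constructed stand-in for /etc/opendkim/keys/marcos-debian.anarcat.user.txt,
# in the split-string form opendkim-genkey writes (the p= value spans two chunks).
LOCAL_TXT = (
    'marcos-debian.anarcat.user._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'  "p={SAMPLE_KEY[:20]}" "{SAMPLE_KEY[20:]}" )  '
    '; ----- DKIM key marcos-debian.anarcat.user for debian.org\n'
)

# Constructed stand-in for what `host -t TXT <selector>._domainkey.debian.org <ns>` prints.
HOST_OUTPUT = (
    'marcos-debian.anarcat.user._domainkey.debian.org descriptive text '
    f'"v=DKIM1; h=sha256; k=rsa; " "p={SAMPLE_KEY}"\n'
)


def dkim_tags(record: str) -> dict:
    """Join the double-quoted chunks of a TXT record and split it into tag=value pairs."""
    joined = "".join(re.findall(r'"([^"]*)"', record))
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def key_for_db_debian(record: str) -> str:
    """The bare base64 key that follows `dkimPubKey: <selector>` in the mail to changes@db.debian.org."""
    tags = dkim_tags(record)
    if tags.get("v") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    key = tags["p"]
    base64.b64decode(key, validate=True)  # rejects stray quotes, spaces or a mangled chunk
    return key


def published_matches_local(local_txt: str, host_output: str) -> bool:
    """True when the key served by the nameserver is the one opendkim-genkey generated."""
    return key_for_db_debian(local_txt) == key_for_db_debian(host_output)
```

Feed `published_matches_local()` the real `.txt` file and the output of the `host` query above once the record has propagated; a `False` means the signed change request and the DNS zone disagree and signatures will fail to verify.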
Testing
Test messages can be sent to dkimvalidator, mail-tester.com
or check-auth@verifier.port25.com. Those tools will run Spamassassin
on the received emails and report the results. What you are looking
for is:
```
-0.1 DKIM_VALID: Message has at least one valid DKIM or DK signature
-0.1 DKIM_VALID_AU: Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID_EF: Message has a valid DKIM or DK signature from envelope-from domain
```
If one of those is missing, then you are doing something wrong and
your "spamminess" score will be worse. The latter is especially tricky
as it validates the "Envelope From", which is the MAIL FROM: header
as sent by the originating MTA, which you see as from=<> in the
postfix logs.
The following will happen anyways, as soon as you have a signature; that's normal:

```
0.1 DKIM_SIGNED: Message has a DKIM or DK signature, not necessarily valid
```

And this might happen if you have an ADSP record but do not correctly sign the message with a domain field that matches the record:

```
1.1 DKIM_ADSP_ALL: No valid author signature, domain signs all mail
```

That's bad and will affect your spam score badly. I fixed that issue by using a wildcard key in the key table:

```diff
--- a/opendkim/key.table
+++ b/opendkim/key.table
@@ -1 +1 @@
-marcos anarc.at:marcos:/etc/opendkim/keys/marcos.private
+marcos %:marcos:/etc/opendkim/keys/marcos.private
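```

Review bot: the `%` in the second field of the `marcos` entry makes the signature's `d=` tag follow the sender domain that signing.table maps to `marcos`, instead of being fixed to `anarc.at`; since the private key path `/etc/opendkim/keys/marcos.private` is unchanged, every domain routed to this key must publish the same `marcos` selector under its `_domainkey` zone, or DKIM_ADSP_ALL is traded for a signature that fails to verify. The signing.table entries that select `marcos` are not in the hunk and should be checked alongside this change.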
References
- Ubuntu documentation
- Debian wiki
- linode tutorial, also recommends rotating keys every 6 months
- jak-linux: uses rspamd instead of opendkim, and PostSRSd
- Gio's tutorial
This is a copy of a subset of my more complete email configuration.
Update: Debian.org now provides an outgoing email submission service, see the following blog post.