Wed, 11 Apr 2012

Solving An Issue with DKIM, OpenSSL and Postfix

This post is intended mostly to benefit various searchers with a relatively obscure but frustrating technical problem, so apologies to my regular blog readers if this is not directly relevant to your interests.

If you're still reading, it's probably because you're trying to set up DKIM, or more specifically dkim-milter/dkim-filter on Postfix or Sendmail or something like it. I struggled with this issue on and off for a couple of days. The biggest obstacle turned out to be log lines like these in my maillog:

dkim-filter [...] SSL error:0906D06C:PEM routines:PEM_read_bio:no start line
dkim-filter [...] dkim_eom(): resource unavailable: PEM_read_bio_PrivateKey() failed

After a ton of searching online, the issue pointed to a formatting error in the certificate I created using a dkim-genkey.sh script in an article that explained how to set it up. Specifically, it created a certificate file that lacked the -----BEGIN CERTIFICATE----- style header/footer. I tried manually adding these back in, re-creating the line breaks to build a standard .pem formatted file, but none of these seemed to work.

Ultimately, the way I fixed it was to use the "dkim-genkey -d [domain name]" command that came with the dkim distribution to generate the key and DKIM DNS record.
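The "no start line" error above is OpenSSL's PEM reader refusing a file whose first line is not a -----BEGIN ...----- armor line, and a mismatched label (for instance CERTIFICATE around key material) fails just as hard. As an added example, not code from the original post or from the dkim-milter project, here is a small pure-Python checker that makes the same structural tests before you point dkim-filter at a key file: armor header and footer present and matching, base64 body decodable, and the DER inside actually a private key whose type (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 "PRIVATE KEY", both of which PEM_read_bio_PrivateKey accepts) agrees with the label. It can also rebuild correct armor around a bare base64 blob. The key bytes it works on are a constructed textbook-RSA toy (n = 61 * 53) so the script runs offline; they are not a usable key, and the 64-column wrapping and label names are the standard PEM conventions, not anything taken from the post.

```python
import base64
import re

PEM_ARMOR_RE = re.compile(r"^-----(BEGIN|END) ([A-Z ]+)-----$")


def der_tlv(data, offset=0):
    """Read one DER tag-length-value at offset; return (tag, value, offset_after)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER element")
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:                       # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("DER length runs past end of data")
    return tag, value, offset + length


def classify_private_key(der):
    """Return the PEM label the DER bytes need: 'RSA PRIVATE KEY' for a
    PKCS#1 RSAPrivateKey, 'PRIVATE KEY' for a PKCS#8 PrivateKeyInfo."""
    tag, body, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t_ver, ver, off = der_tlv(body)
    if t_ver != 0x02 or ver != b"\x00":
        raise ValueError("first element is not INTEGER version 0")
    t_next, _, _ = der_tlv(body, off)
    if t_next == 0x02:       # PKCS#1: version, modulus INTEGER, publicExponent, ...
        return "RSA PRIVATE KEY"
    if t_next == 0x30:       # PKCS#8: version, AlgorithmIdentifier SEQUENCE, OCTET STRING
        return "PRIVATE KEY"
    raise ValueError("second element has unexpected tag 0x%02x" % t_next)


def check_pem(text):
    """Validate a PEM private key file the way a PEM reader would.
    Returns (label, der) or raises ValueError naming the defect."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = PEM_ARMOR_RE.match(lines[0]) if lines else None
    if head is None or head.group(1) != "BEGIN":
        raise ValueError("no start line: missing -----BEGIN ...----- header")
    label = head.group(2)
    tail = PEM_ARMOR_RE.match(lines[-1])
    if tail is None or tail.group(1) != "END" or tail.group(2) != label:
        raise ValueError("missing or mismatched -----END %s----- footer" % label)
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    actual = classify_private_key(der)
    if actual != label:
        raise ValueError("header says %s but the DER needs %s" % (label, actual))
    return label, der


def pem_problem(text):
    """Return the defect message for text, or None if the file is fine."""
    try:
        check_pem(text)
    except ValueError as exc:
        return str(exc)
    return None


def repair_pem(text):
    """Rebuild correct armor around a key whose header/footer are missing or
    wrong: drop any armor lines, decode, choose the label from the DER,
    re-wrap the base64 at 64 columns."""
    b64 = "".join(ln.strip() for ln in text.splitlines()
                  if ln.strip() and not ln.strip().startswith("-----"))
    der = base64.b64decode(b64, validate=True)
    label = classify_private_key(der)
    body = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, wrapped, label)


# --- constructed sample input: textbook toy RSA parameters, NOT a usable key ---
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value            # short-form lengths only


def _int(n):
    # DER INTEGER; the +8 adds a leading zero byte when the top bit would be set
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


# version, n=61*53, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p
TOY_PKCS1_DER = _tlv(0x30, b"".join(_int(v) for v in
                                    [0, 3233, 17, 2753, 61, 53, 53, 49, 38]))
RSA_OID = bytes.fromhex("06092a864886f70d010101")       # OID 1.2.840.113549.1.1.1
TOY_PKCS8_DER = _tlv(0x30, _int(0) + _tlv(0x30, RSA_OID + b"\x05\x00")
                     + _tlv(0x04, TOY_PKCS1_DER))
# what a broken genkey script leaves behind: base64 with no armor at all
BARE_BLOB = base64.b64encode(TOY_PKCS1_DER).decode("ascii")

if __name__ == "__main__":
    print("bare blob:", pem_problem(BARE_BLOB))
    fixed = repair_pem(BARE_BLOB)
    print(fixed)
    print("after repair:", pem_problem(fixed) or "ok, label %s" % check_pem(fixed)[0])
```

Running it on a real key file is just `pem_problem(open(path).read())`; the message it returns for a headerless file is the same "no start line" condition dkim-filter was logging, and wrapping the blob in CERTIFICATE armor by hand, as tried above, is reported as a label mismatch rather than passing.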

After restarting dkim-milter and postfix, and sending a test message to check-auth@verifier.port25.com (domain names munged below, but otherwise this is cut/paste from my unix cli)...
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
MAIL FROM: khan@example.com
250 2.1.0 Ok
RCPT TO: check-auth@verifier.port25.com
250 2.1.5 Ok
DATA
354 End data with .
SUBJECT: Testing
Test
.
250 2.0.0 Ok: queued as 9A30E76C137
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Here's the response I got:

[snip]
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: khan@example.com)
ID(s) verified: header.d=example.com
Canonicalized Headers:
    Subject:'20'Test'0D''0A'
    To:'20'check-auth@verifier.port25.com'0D''0A'
    Message-Id:'20'<20120411204224.3839576C138@www.example.com>'0D''0A'
    Date:'20'Wed,'20'11'20'Apr'20'2012'20'13:42:13'20'-0700'20'(PDT)'0D''0A'
    From:'20'khan@example.com'0D''0A'
    DKIM-Signature:'20'v=1;'20'a=rsa-sha1;'20'c=simple/simple;'20'd=example.com;'20's=default;'0D''0A'
    '09't=1334176963;'20'bh=pN6k1Y/YJkrV9QxvE85uD6qiAqw=;'0D''0A'
    '09'h=Subject:To:Message-Id:Date:From;'0D''0A'
    '09'b=
Canonicalized Body:
    Testing'0D''0A'
DNS record(s):
    default._domainkey.example.com. 1800 IN TXT "v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDX3yuDnEl5XL2FPPKxW5h9iW43ZMxlg2hI/23BiYXczMFokP7AjsNMZKzg/9s1E2TswBFMFnM26ZDQtV7P3FmlcRO2H3YmRfIOftY 93+c88KXKN1fET5PfyKjWqraYHJiNID+Vwzn5njDfI1WnDxkzVPEx/30v7W3tfbCpAJGhkwIDAQAB"
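The report prints the exact bytes it hashed: c=simple/simple means "simple" canonicalization for headers and body, the 'XX' tokens are quoted hex bytes ('20' space, '09' tab, '0D''0A' CRLF), and bh= in the signature is the base64 digest of the canonicalized body. As an added example that is not part of the original post, the following Python script decodes that notation, applies RFC 6376 "simple" body canonicalization (drop trailing empty lines, make sure the body ends in one CRLF, an empty body becomes a lone CRLF), and recomputes bh= so the signer's value can be checked by hand. The REPORT_BODY and REPORT_BH constants are copied from the report above; converting bare LF to CRLF first is an assumption of convenience for bodies read from local Unix files, not something the RFC's "simple" rules do.

```python
import base64
import hashlib
import re

# port25's report writes spaces and control bytes as quoted hex: '20', '09', '0D''0A'
QUOTED_HEX_RE = re.compile(r"'([0-9A-Fa-f]{2})'")


def decode_quoted(text):
    """Turn the report's 'XX' notation back into raw bytes,
    e.g. Testing'0D''0A' -> b'Testing\\r\\n'."""
    return QUOTED_HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")


def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalization: ignore empty lines at the end of
    the body; if the body does not end in CRLF (or is empty), add one.
    Line endings are normalized to CRLF first (assumption for local text)."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(canon_body, algo="sha1"):
    """bh= tag value: base64 of the digest of the canonicalized body
    (sha1 for a=rsa-sha1 as in the report, sha256 for a=rsa-sha256)."""
    return base64.b64encode(hashlib.new(algo, canon_body).digest()).decode("ascii")


# Copied from the verifier report above: the canonicalized body line and the
# bh= tag out of the DKIM-Signature header (signed with a=rsa-sha1).
REPORT_BODY = "Testing'0D''0A'"
REPORT_BH = "pN6k1Y/YJkrV9QxvE85uD6qiAqw="


def bh_matches_report(report_body=REPORT_BODY, report_bh=REPORT_BH, algo="sha1"):
    """Recompute bh= from the report's canonicalized body and compare it with
    the value the signer put in the signature."""
    return body_hash(decode_quoted(report_body), algo) == report_bh


if __name__ == "__main__":
    canon = decode_quoted(REPORT_BODY)
    print("canonicalized body bytes:", canon)
    print("recomputed bh=:", body_hash(canon))
    print("matches signature bh=:", bh_matches_report())
    # the same body typed at a Unix prompt with trailing newlines canonicalizes identically
    print("same as simple('Testing\\n\\n'):", simple_body_canon("Testing\n\n") == canon)
```

A mismatch here is the first thing to look for when a verifier reports a body hash failure: it usually means the body was altered in transit (a trailing signature or footer added by a list or gateway) or that the signer and verifier disagree on canonicalization. The 'b=' line in the report is empty because the signature value itself is excluded from the data being signed.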

Khan Klatt
