One added note/question.  If I remove the dkim private key, my understanding is 
assp is to create them on startup.

Two questions

1.  Is this accurate and if it isn’t doing it, how does one force it?
2.  If I run more than one domain thru ASSP and want them signed (defined in 
dkimconfig.txt), where do the autogenerated certs put their keys?  If they’re 
in dlim-pub, how do you distinguish them for each domain?

Thanks


> On Mar 31, 2021, at 12:57 PM, Eric Germann <ekgerm...@semperen.com> wrote:
> 
> Hello all,
> 
> I’m pulling my hair out with DKIM in ASSP and not sure where else I can look.
> 
> Inbound DKIM works fine.  Mail validates and passes.
> 
> Outbound mail is a different story.
> 
> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
> 
> <XXXX.com>
>   <dkim>
>     Algorithm=rsa-sha1
>     Method=relaxed/relaxed
>     Headers=From:Subject:To
>     KeyFile=/usr/local/assp/certs/dkim-dkim-XXXX.com.key
>     Mode=DKIM
>   </dkim>
> </semperen.com>
> 
> The key is 2048 bits and is generated by 
> https://easydmarc.com/tools/dkim-record-generator.  I trimmed down the 
> Headers to just From, Subject and To which shouldn’t be calculated or change 
> at all.
> 
> I know it’s picking up the key because when it’s in place, it generates a 
> “bad RSA signature” in https://dkimvalidator.com/results.  If I remove the 
> private key file, no sig is generated in the headers at all.  Google also 
> shows only the SPF header as matching and completely skips over the DKIM 
> status when the key file is missing.  DMARC passes because the policy is set 
> to SPF or DKIM need to pass, not both.  rsa-sha1 is listed in the DKIM sig 
> and k=rsa is in the public key.
> 
> My public key is published in the DNS for XXXX.com.  I’ve verified it’s 
> there by doing a "dig @nameserver dkim._domainkey.XXXX.com +short".  It 
> matches what is in the DKIM generator.
> 
> I know the DKIM generator is generating valid sigs because it outputs the 
> public and private keys in PEM format also.  I’m able to sign a file and 
> decode it with the public and private keys just fine.
> 
> So, I’m at wit’s end.  Is there a way to mimic what Mail::DKIM is doing?  Is 
> it as simple as extracting the headers to From, Subject and To in that order 
> then trying to sign them from the command line?
> 
> Any other debugging advice?
> 
> Thanks in advance for any advice.
> 
> Eric
> 
> 
> 
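
Added example, not part of the original messages and not ASSP or Mail::DKIM code: a sketch of what a relaxed/relaxed signer hashes per RFC 6376, so the bh= value and the bytes covered by b= can be recomputed outside the mail path. The function names and the sample message are constructed for illustration.

```python
import base64, hashlib, re

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase the name, unfold, squeeze WSP, trim both ends."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)            # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")       # runs of WSP -> one SP
    return f"{name.strip().lower()}:{value}"

def relaxed_body(body):
    """RFC 6376 3.4.4: trim line ends, squeeze WSP, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body, algo="sha1"):
    """Value to compare with bh= (sha1 for a=rsa-sha1, sha256 for a=rsa-sha256)."""
    return base64.b64encode(hashlib.new(algo, relaxed_body(body)).digest()).decode()

def signing_input(headers, h_tag, sig_value):
    """Bytes the RSA signature covers. headers: (name, value) pairs, top to bottom."""
    remaining, out = list(headers), []
    for wanted in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(remaining) - 1, -1, -1):        # repeated fields: bottom-up
            if remaining[i][0].lower() == wanted:
                out.append(relaxed_header(*remaining.pop(i)) + "\r\n")
                break
    # DKIM-Signature goes last, with the b= value emptied and no trailing CRLF.
    emptied = re.sub(r"((?:^|;)\s*b\s*=)[^;]*", r"\1", sig_value)
    out.append(relaxed_header("DKIM-Signature", emptied))
    return "".join(out).encode()

# Constructed sample message (not from the thread); bh and b are placeholders.
SAMPLE_HEADERS = [("From", " Alice  <alice@example.com>"),
                  ("To", " bob@example.net"),
                  ("Subject", " Test\r\n\tmessage ")]
SAMPLE_BODY = b"Hello  \t world \r\n\r\n\r\n"
SAMPLE_SIG = (" v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com; s=dkim;\r\n"
              "\th=From:Subject:To; bh=PLACEHOLDER;\r\n\tb=AbCd\r\n\tEfGh=")

if __name__ == "__main__":
    print("bh should be:", body_hash(SAMPLE_BODY))
    print(signing_input(SAMPLE_HEADERS, "From:Subject:To", SAMPLE_SIG).decode())
```

If the recomputed bh matches the header but a verifier still reports a bad RSA signature, the body is intact and the mismatch lies in the signed header bytes or in the key pair behind the published selector.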
