When the "default" DKIM setup on my Koozali/SME server (9.2) got a "DKIM check: none" response from check-auth@verifier.port25.com after about a dozen trials-and-errors, I decided to modify things according to the instructions on
https://wiki.contribs.org/Email#Outbound_DKIM_signing_.2F_SPF_.2F_DMARC_policy_FOR_MULTIPLE_DOMAINS to see if that would do any good . . . (easy enough to return to default).
cd /home/e-smith/dkim_keys
mkdir lists.roe3.org
cd lists.roe3.org
echo default > selector
openssl genrsa -out private 1024
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update
Contents of /home/e-smith/dkim_keys/lists.roe3.org
[root@esmith lists.roe3.org]# ll
total 12
-r-------- 1 qpsmtpd qpsmtpd 887 Apr 22 07:03 private
-rw-r--r-- 1 root qpsmtpd 272 Apr 22 07:03 public
-rw-r--r-- 1 root qpsmtpd 8 Apr 22 07:03 selector
I went ahead and changed the file permissions on the "private" key to chmod 444 just to make sure that the qpsmtpd daemon could find it. I'll change it back if I ever get the doggone thing working.
Likewise, I made sure the /home/e-smith/dkim_keys/lists.roe3.org directory ownership is root.qpsmtpd
After the public key was transferred to my DNS host (easyDNS.com), I tested it with
https://www.mail-tester.com/spf-dkim-check. Results below:
SPF check
1 SPF record found for the domain lists.roe3.org :
"v=spf1 a mx ~all"
DKIM check
DNS record for default._domainkey.lists.roe3.org:
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/e7g2BmSiqsAaJdo4US0pvIN1 eeKRuEYIPFJJiN/xZ42tN9yZNA8Tw0tR4OT6tcN6NJWIjngj1Ao4S2WVTPpU1p/X jutyXXe60b33e6x2uZ/JWvM32Wp7xq/uk8qbJYdGMMUDsu+upRs+LcoDzlilXK21 ovFKQXIBUWhca+yPgQIDAQAB"
Key length : 1024
(I'm forced to use a 1024-bit key because of my domain registrar's web panel field restrictions)
Looks fine, right? Wrong! I'm still getting a "DKIM check: none" response from check-auth@verifier.port25.com.
When I run 'qpsmtpd-print-dns' from the command line, I get the same public key as when I run 'qpsmtpd-print-dns lists.roe3.org'.
The server just doesn't seem to be telling the world that it has a DKIM record in place.
The "config show qpsmtpd" command reveals that DKIMSigning is indeed enabled . . .
config show qpsmtpd
qpsmtpd=service
Bcc=disabled
BccMode=cc
BccUser=maillog
DKIMSigning=enabled
DNSBL=disabled
LogLevel=6
MaxScannerSize=25000000
RBLList=bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
RHSBL=disabled
RelayRequiresAuth=enabled
SBLList=multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
TlsBeforeAuth=1
UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
URIBL=disabled
access=public
qplogsumm=disabled
status=enabled
Everything seems to be set up properly. The server just doesn't seem to be offering its DKIM signature to the outside world.
To quote a famous screenplay "Help me, Obi-Wan Kenobi. You're my only hope."
Any suggestions or pointers would be greatly appreciated.
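
A "none" result means the message reached the verifier with no DKIM-Signature header at all, which is a separate question from whether the DNS record is correct. The Python below is an added example, not part of the original post and not SME Server or qpsmtpd code: it inspects a raw message as received and reports whether it is unsigned, signed for the expected selector and domain, or signed for something else. The two sample messages and their bh=/b= values are constructed; the function names are hypothetical.

```python
from email import message_from_bytes

def dkim_signatures(raw_message):
    """Return one dict of tag=value pairs per DKIM-Signature header found."""
    sigs = []
    for value in message_from_bytes(raw_message).get_all("DKIM-Signature", []):
        tags = {}
        # Dropping all whitespace also undoes header folding; d=, s=, h=, b= never need it.
        for part in "".join(str(value).split()).split(";"):
            name, sep, val = part.partition("=")  # first "=" only, b= may end in "="
            if sep:
                tags[name] = val
        sigs.append(tags)
    return sigs

def check_outbound(raw_message, domain, selector):
    """Classify a received message as 'none', 'mismatch' or 'signed'.

    Also returns the DNS names a verifier would query for each signature.
    """
    sigs = dkim_signatures(raw_message)
    if not sigs:
        return ("none", [])  # nothing signed the message on its way out
    names = [f"{t.get('s', '')}._domainkey.{t.get('d', '')}".lower() for t in sigs]
    wanted = f"{selector}._domainkey.{domain}".lower()
    return ("signed" if wanted in names else "mismatch", names)

# Constructed sample: a message that left the server without a signature.
UNSIGNED = (b"From: user@lists.roe3.org\r\nTo: check@example.net\r\n"
            b"Subject: test\r\n\r\nbody\r\n")

# Constructed sample: the same message with a folded DKIM-Signature header.
SIGNED = (b"DKIM-Signature: v=1; a=rsa-sha256; d=lists.roe3.org; s=default;\r\n"
          b"\th=from:to:subject; bh=CONSTRUCTEDBODYHASH=;\r\n"
          b"\tb=CONSTRUCTEDSIGNATURE==\r\n") + UNSIGNED

if __name__ == "__main__":
    for label, raw in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, check_outbound(raw, "lists.roe3.org", "default"))
```

Run it against the full source of a test message as it arrived in an outside mailbox, passing the domain directory name and the contents of the selector file as the expected values.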