I am running exim+dovecot. I tried to generate a DKIM key with opendkim but I got as a result that my DKIM is not valid. Should I sign a DKIM signature with openssl or with opendkim?
And what are the correct steps to correctly set up DKIM with exim for outgoing emails?
What is the correct setting in exim.conf?
DKIM does not need signing at all. All that you need is a proper pair of RSA/DSA keys that can be generated by ssh-keygen, bundled with preinstalled openssh. Leave the passphrase empty:
> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): mydomain.tld
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mydomain.tld.
Your public key has been saved in mydomain.tld.pub.
The key fingerprint is:
SHA256:CD0n/Ut/GQgjYgKwONoj7FGXUJvdgyJt4FFczGZfqoE root@xx.yy.zz
The key's randomart image is:
+---[RSA 2048]----+
|...++o+. |
|....=o=*o . |
|+ +oOXo=o= |
|oo. +E.B =.o . |
|ooo . S o . . |
|.... . . o o |
| . . . o |
| . |
| |
+----[SHA256]-----+
Now we have two files: mydomain.tld and mydomain.tld.pub. The second file contains one long line whose second field is the public key you have to place into the zone record for your domain.
ssh-rsa AAAAB3NzaC1yc.....9akAq8YqPJN root@xx.yy.zz
The first file is already ready to be used by the MTA. Just rename it to mydomain.tld.key, copy it to a secure place and refer to it from the MTA config. Keep in mind that MTAs in general require the private DKIM key to be readable by the MTA user only, so permissions should be set to 600 instead of the usual 644.
DNS configuration is pretty well described in a number of howtos. And exim should be configured this way:

begin transports
xmit:
  driver = smtp
  dkim_domain = mydomain.tld
  dkim_selector = mydomaintld
  dkim_private_key = /path/to/the/mydomain.tld.key
  . . . . .
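Since the question asks about openssl, here is an added example (not the answer's own procedure, which uses ssh-keygen) of the same three steps done with openssl: generate the RSA key, derive the DNS TXT record that the exim transport's dkim_domain/dkim_selector point at (the p= value is the base64 body of the PEM public key), and verify that the private key is parsable and readable by the MTA user only. The domain mydomain.tld and selector mydomaintld are taken from the transport above; the temporary directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not the answer's own code): DKIM key, DNS record and key
# permission check with openssl. Domain, selector and paths are assumptions.
set -eu

# dkim_keygen KEYFILE: write a 2048-bit RSA private key, never group/world readable
dkim_keygen() {
    key=$1
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null )
    chmod 600 "$key"    # the MTA user alone may read the signing key
}

# dkim_txt_record KEYFILE DOMAIN SELECTOR: print the zone-file line to publish.
# p= is the base64 body of the PEM public key (SubjectPublicKeyInfo); the value
# is split into 255-character strings because one TXT string cannot be longer.
dkim_txt_record() {
    key=$1; domain=$2; selector=$3
    p=$(openssl rsa -in "$key" -pubout 2>/dev/null | grep -v '^-----' | tr -d '\n')
    value=$(printf '%s\n' "v=DKIM1; k=rsa; p=$p" | fold -w 255 | sed 's/.*/"&"/' | paste -sd ' ' -)
    printf '%s._domainkey.%s. IN TXT %s\n' "$selector" "$domain" "$value"
}

# dkim_key_ok KEYFILE: succeed only if openssl parses the key as a valid RSA
# private key and its mode is exactly 600 (what the MTA expects)
dkim_key_ok() {
    key=$1
    openssl rsa -in "$key" -noout -check >/dev/null 2>&1 || return 1
    [ -n "$(find "$key" -prune -perm 600)" ]
}

# Usage with the constructed values; the matching exim transport is then
#   dkim_domain = mydomain.tld, dkim_selector = mydomaintld,
#   dkim_private_key = $dir/mydomain.tld.key
dir=$(mktemp -d)
dkim_keygen "$dir/mydomain.tld.key"
dkim_txt_record "$dir/mydomain.tld.key" mydomain.tld mydomaintld
dkim_key_ok "$dir/mydomain.tld.key" && echo "private key parses and is mode 600"
```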