When OpenDKIM logs messages like "not authenticated" and "no signature data" even though the client authenticated over SMTP, the cause is usually one of a few common configuration issues:
# Sample error from mail.log
Nov 8 16:35:02 illium opendkim[30142]: 826DF501F39: %clienthostname% %clientip% not internal
Nov 8 16:35:02 illium opendkim[30142]: 826DF501F39: not authenticated
Nov 8 16:35:02 illium opendkim[30142]: 826DF501F39: no signature data
First, verify these key configuration points:
# In /etc/opendkim.conf
InternalHosts /etc/opendkim/TrustedHosts
ExternalIgnoreList /etc/opendkim/TrustedHosts
Your TrustedHosts file should include:
127.0.0.1
::1
localhost
# Add your mail server's own IP if needed (192.168.1.100 is an example private address)
192.168.1.100
The Postfix milter configuration needs special attention. Here's a more robust setup:
# In /etc/postfix/main.cf
smtpd_milters =
    unix:/var/run/opendkim/opendkim.sock,
    unix:/var/run/clamav/clamav-milter.ctl,
    unix:/var/run/spamass-milter/spamass.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 6
Check the OpenDKIM socket permissions:
# Verify socket exists and has proper permissions
ls -la /var/run/opendkim/opendkim.sock
# Example permissions that work (world-writable; a tighter setup is group-only access with the postfix user in the opendkim group):
srw-rw-rw- 1 opendkim opendkim 0 Nov 10 10:00 /var/run/opendkim/opendkim.sock
After making changes, test with these commands:
# Test OpenDKIM configuration
opendkim-testkey -d domain1.com -s mail -vvv
# Verify DNS records
dig TXT mail._domainkey.domain1.com
If issues persist, increase logging level:
# In /etc/opendkim.conf
LogWhy yes
Syslog yes
SyslogSuccess yes
LogResults yes
Then monitor logs in real-time:
tail -f /var/log/mail.log | grep opendkim
Here's a complete working opendkim.conf example:
# Basic operational parameters
Syslog yes
UMask 002
SyslogSuccess yes
LogWhy yes
# Socket specification
Socket local:/var/run/opendkim/opendkim.sock
# Key and signing tables
KeyTable /etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
# Trusted hosts and domains
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
# Signing options
Canonicalization relaxed/simple
Mode sv
SignatureAlgorithm rsa-sha256
OversignHeaders From
UserID opendkim:opendkim
Remember to restart services after changes:
systemctl restart opendkim postfix
The critical error message shows OpenDKIM isn't recognizing authenticated mail submissions:
Nov 8 16:35:02 illium opendkim[30142]: 826DF501F39: not authenticated
Nov 8 16:35:02 illium opendkim[30142]: 826DF501F39: no signature data
Although the client authenticated over SMTP, OpenDKIM does not treat it as internal because the InternalHosts configuration is too restrictive. The current TrustedHosts file includes only:
127.0.0.1
::1
localhost
We need to modify three key components:
# /etc/opendkim/TrustedHosts - Add your mail server's public IP and private network
127.0.0.1
::1
localhost
192.168.1.0/24 # Your internal network
203.0.113.45 # Your server's public IP
Also verify Postfix's milter configuration is properly formatted:
# /etc/postfix/main.cf correct format:
smtpd_milters =
    unix:/opendkim/opendkim.sock,
    unix:/clamav/clamav-milter.ctl,
    unix:/spamass/spamass.sock
Verify your keys are properly configured:
# Test each domain's keys
opendkim-testkey -d domain1.com -s mail -vvv
opendkim-testkey -d domain2.com -s mail -vvv
If keys test valid but signing still fails, check socket permissions:
ls -la /opendkim/opendkim.sock
# Should show postfix user has access
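For complex networks, use CIDR notation in TrustedHosts. Mail from any host in a listed range is signed rather than verified, so list only the ranges that actually relay through this server: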
# /etc/opendkim/TrustedHosts
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Remember to restart services after changes:
systemctl restart opendkim postfix
Send a test email and check headers for DKIM signature:
Received: by mail.example.com (Postfix, from userid 1000)
    id ABC123; Wed, 10 Nov 2023 09:00:00 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain1.com;
    s=mail; t=1234567890;
    bh=ABC123=; h=From:To:Subject:Date;
    b=ABC123...
Check OpenDKIM logs for successful signing attempts:
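# Signed messages log "DKIM-Signature field added"; "no signature data" means the message was not signed
grep "DKIM-Signature field added" /var/log/mail.log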
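To tie the "not internal" log lines back to TrustedHosts, the following added example (not from the original page) groups OpenDKIM log lines by queue ID and checks each logged client address against the file's IP and CIDR entries. The log lines and file content are constructed, the "host [ip] not internal" layout and the names load_networks and triage are assumptions, and hostname entries such as localhost are skipped.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log; the "host [ip] not internal" layout is an assumption.
SAMPLE_LOG = """\
Nov  8 16:35:02 illium opendkim[30142]: 826DF501F39: client.example.net [198.51.100.7] not internal
Nov  8 16:35:02 illium opendkim[30142]: 826DF501F39: not authenticated
Nov  8 16:35:02 illium opendkim[30142]: 826DF501F39: no signature data
Nov  8 16:36:10 illium opendkim[30142]: 9A1C2501F40: DKIM-Signature field added (s=mail, d=domain1.com)
"""
# Constructed TrustedHosts: the restrictive defaults plus one internal CIDR.
SAMPLE_TRUSTED = "127.0.0.1\n::1\nlocalhost\n192.168.1.0/24  # internal network\n"

LINE = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<msg>.*)")
NOT_INTERNAL = re.compile(r"\[(?P<ip>[0-9A-Fa-f:.]+)\] not internal")

def load_networks(trusted_text):
    """Parse IP and CIDR entries; hostname entries and blank lines are skipped."""
    nets = []
    for raw in trusted_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # e.g. "localhost" or an empty line
    return nets

def triage(log_text, trusted_text):
    """Return {queue_id: verdict} saying whether a message was signed, or why not."""
    nets = load_networks(trusted_text)
    events = defaultdict(list)
    for line in log_text.splitlines():
        found = LINE.search(line)
        if found:
            events[found["qid"]].append(found["msg"])
    report = {}
    for qid, msgs in events.items():
        hits = [NOT_INTERNAL.search(msg) for msg in msgs]
        ip = next((hit["ip"] for hit in hits if hit), None)
        if any("DKIM-Signature field added" in msg for msg in msgs):
            report[qid] = "signed"
        elif ip is None:
            report[qid] = "unsigned: no client address logged"
        elif any(ipaddress.ip_address(ip) in net for net in nets):
            report[qid] = f"unsigned: {ip} is covered; check InternalHosts path and restart"
        else:
            report[qid] = f"unsigned: {ip} matches no TrustedHosts entry"
    return report
```

To use it on a live system, pass the contents of /var/log/mail.log and /etc/opendkim/TrustedHosts to triage().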