Hello, I configured virtualmin to sign with dkim. But mail-tester and dkimvalidator.com report an invalid signature. I added my domain in "Additional domains to sign for", entered the key in my DNS record, and it is propagated. What could I check? Thanks.
On seeing this message I decided to make sure the DKIM was working for myself. And it's not.
I've run a VirtualMin check and everything is reported as being OK. Regenerated the DKIM (just used save) and it tells me everything propagated correctly. But when I look at the email headers this is all I see :
Delivered-To: nigel.soft-focus-imagining@apache-web-server.twin-peaks-video.com
Received: from [127.0.0.1] (unknown [192.168.1.50])
DKIM-Filter: OpenDKIM Filter v2.11.0 apache-web-server.twin-peaks-video.com 5EED5C3EB8D6
Reply-To: nigel@twin-peaks-video.com
To: nigel@soft-focus-imagining.com
From: Nigel Aves nigel@twin-peaks-video.com
I do know that this was working some time ago; as far as I know I've not changed anything to do with email services.
Any ideas?
What distro and version are y'all running?
--
Check out the forum guidelines!
Sorry, should have added this.
Operating system: CentOS Linux 7.3.1611
Webmin version: 1.852
Virtualmin version: 6.00
Postfix version: 2.10.1
Is the opendkim package installed? (rpm -q opendkim) We don't depend on it during installation because I thought Jamie had code to install it automatically when DKIM is enabled, but maybe that's either not working, or not true, and I need to add a dependency to our yum groups.
If it's not installed, try installing it:
# yum install opendkim
And, maybe restart postfix:
# systemctl restart postfix
And, see if things behave differently. If so, then it's just a dependency issue...if not, it's something we might need to rope Jamie in on (and it might need a Virtualmin update to fix).
Hi,
Debian 9: Turn on DKIM. Then go to the console and enter:
/lib/opendkim/opendkim.service.generate
systemctl daemon-reload
service opendkim restart
For test:
netstat -natpu | grep opendkim
Joe.
Yes, opendkim is installed (and it was installed automatically when I built the server). I looked at the files in /etc/opendkim and none of them are modified, but I am assuming that Virtualmin stores the info somewhere else.
I have stopped and restarted Postfix. No difference.
Nigel
KrisPL
I did try your test netstat -natpu | grep opendkim
I believe this looks good.
[root@apache-web-server ~]# netstat -natpu | grep opendkim
tcp 0 0 127.0.0.1:8891 0.0.0.0:* LISTEN 25876/opendkim
[root@apache-web-server ~]#
I'll ask Jamie to chime in, as he knows better what magic is supposed to happen to loop DKIM signing into the mix when sending mail.
Here's the ticket about it, though I'll relay back any necessary info once I understand what's happening: https://www.virtualmin.com/node/53420
Joe, it also does not work with Debian 9.
Hello, I am running Debian 8.9. DKIM is installed and running; my emails are signed but the signature is invalid.
Joe,
I was looking through my log files trying to discover if this was a bug in VirtualMin or Operator Error - Me! :)
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: connect from unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 4A67DC3EB8D6: client=unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 774C3C3EB8D6: client=unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/cleanup[28647]: 774C3C3EB8D6: message-id=4dc39ace-d347-8788-23cc-f44a2cef20bb@twin-peaks-video.com
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [192.168.1.50] [192.168.1.50] not internal
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data
Sep 8 13:37:20 apache-web-server postfix/qmgr[3361]: 774C3C3EB8D6: from=nigel@twin-peaks-video.com, size=1565, nrcpt=1 (queue active)
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: disconnect from unknown[192.168.1.50]
Any thoughts?
Nigel
Not sure if this is a bug or not, but discovered what was wrong.
First edit the /etc/opendkim/TrustedHosts file and add your internal network
# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
#host.example.com
192.168.1.0/24
Then edit /etc/opendkim.conf and uncheck this line
# Identifies a set "internal" hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts
Now dkim is written to email messages.
There should probably be an option added in Virtualmin dkim setup to add your internal networks.
Nigel.
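Added example (not part of the original thread, and not Virtualmin or OpenDKIM code): the check that the log lines and fix in the post above describe, reading opendkim's "not internal" lines and testing each client IP against the TrustedHosts entries. The log lines are copied from the thread, the two TrustedHosts contents are constructed from the post, and all function names are illustrative.

```python
import ipaddress
import re

# Sample input: the opendkim lines from the log above, plus the TrustedHosts
# entries before and after the internal network is added (constructed).
LOG = """\
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [192.168.1.50] [192.168.1.50] not internal
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data
"""
STOCK_HOSTS = "# OPENDKIM TRUSTED HOSTS\n127.0.0.1\n::1\n#host.example.com\n#192.168.1.0/24\n"
FIXED_HOSTS = STOCK_HOSTS.replace("#192.168.1.0/24", "192.168.1.0/24")

NOT_INTERNAL = re.compile(
    r"opendkim\[\d+\]: (\w+): \[([0-9a-fA-F.:]+)\] \[[^\]]*\] not internal")

def unsigned_clients(log_text):
    """Map queue ID -> client IP for messages opendkim declined to sign."""
    found = {}
    for line in log_text.splitlines():
        m = NOT_INTERNAL.search(line)
        if m:
            found[m.group(1)] = ipaddress.ip_address(m.group(2))
    return found

def trusted_networks(hosts_text):
    """Parse IP and CIDR entries; comments and hostnames are skipped."""
    nets = []
    for raw in hosts_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # hostname entry: resolving it needs DNS, out of scope here
    return nets

def uncovered(log_text, hosts_text):
    """Queue IDs whose client IP is in no TrustedHosts network."""
    nets = trusted_networks(hosts_text)
    return {qid: str(ip) for qid, ip in unsigned_clients(log_text).items()
            if not any(ip in net for net in nets)}

if __name__ == "__main__":
    print("stock file:", uncovered(LOG, STOCK_HOSTS))
    print("fixed file:", uncovered(LOG, FIXED_HOSTS))
```

Every address listed under InternalHosts has its mail signed without authenticating, so the entries should cover only the hosts that are meant to submit mail through this server.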
Hi, my problem is different: my emails are signed, but the signature is invalid. I have no dkim error in postfix logs.
I would try:
Virtualmin -> Email Messages -> Domain Key Identified Mail
Force generation of new private key -> Yes
Save
Here it succeeded by not having "added my domain in "Additional domains to sign for"",
but by generating the key in the virtual server for that domain itself!
( virtual server > server configuration > domainkey options )
Then it should be in the DNS of course, otherwise it doesn't work; if you use third-party external DNS you have to add this manually.
If you use "default" as the key then there could be problems, so better change "default" to whatever you like; you can read about that here > https://www.virtualmin.com/documentation/email/dkim
"Do NOT enter default, as this can trigger a bug in the current Virtualmin release which deletes the /etc/default"
noisemarine: I already tried that.
Jfro: I already added my domain, changed the "default" prefix, and added the key to my DNS.
I mean do not add your domain there in that screen, but do the key generation in the domain's virtual server itself. Open that screen on that domain again and you will see your key to paste into the DNS record if needed; then you can check with https://mxtoolbox.com/dkim.aspx whether these keys are the same! Of course, after the TTL time...
And test first by sending mail out via the webmail Webmin function to http://dkimvalidator.com/
So go to that one domain's virtual server and generate the key there > ( virtual server > server configuration > domainkey options )
Jfro: I cannot remove my domain from "Additional domains to sign for". I get this error: Finding virtual servers to enable DKIM for .. .. no servers with both DNS and email enabled were found! DKIM setup failed!
I do not host my virtual server DNS; I am using the one from my provider, but I did add my dkim key, and I can see it with mxtoolbox. And there is no "virtual server > server configuration > domainkey options" menu.
It may be that Virtualmin won't sign for domains it doesn't host DNS for. I don't think that should be necessary, but you could try enabling DNS for this domain. It's harmless to do so...if nobody queries the DNS server on the Virtualmin host, it'll just sit there doing nothing.
No, my emails are signed, but the signature is invalid.
OK, I'm only a user/admin.
I have that option in the menu, so I don't know how to help you.
Then ask Joe, sorry.
We ourselves are only using third-party DNS for domains; DKIM with Virtualmin 6 and CentOS is working here, but it was a fresh VM6 install about 29-08, so not an updated older version of VM.