DKIM fails

#1 Tue, 09/05/2017 - 12:17
contremaitre

DKIM fails

Hello, I configured Virtualmin to sign with DKIM. But mail-tester and dkimvalidator.com report an invalid signature. I added my domain in "Additional domains to sign for", entered the key in my DNS record, and it is propagated. What could I check? Thanks.

Tue, 09/05/2017 - 14:16
NigelAves

On seeing this message I decided to make sure DKIM was working for myself. And it's not.

I've run a Virtualmin check and everything is reported as being OK. Regenerated the DKIM (just used save) and it tells me everything propagated correctly. But when I look at the email headers this is all I see:

Delivered-To: nigel.soft-focus-imagining@apache-web-server.twin-peaks-video.com
Received: from [127.0.0.1] (unknown [192.168.1.50])
        by apache-web-server.twin-peaks-video.com (Postfix) with ESMTP id 5EED5C3EB8D6
        for <nigel@soft-focus-imagining.com>; Tue,  5 Sep 2017 12:10:07 -0600 (MDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 apache-web-server.twin-peaks-video.com 5EED5C3EB8D6
Reply-To: nigel@twin-peaks-video.com
To: nigel@soft-focus-imagining.com
From: Nigel Aves nigel@twin-peaks-video.com

I do know that this was working some time ago; as far as I know I've not changed anything to do with email services.

Any ideas?

Tue, 09/05/2017 - 14:49
Joe

What distro and version are y'all running?

--

Check out the forum guidelines!

Tue, 09/05/2017 - 15:00
NigelAves

Sorry, should have added this.

Operating system: CentOS Linux 7.3.1611
Webmin version: 1.852
Virtualmin version: 6.00
Postfix version: 2.10.1

Tue, 09/05/2017 - 15:03
Joe

Is the opendkim package installed? (rpm -q opendkim)

We don't depend on it during installation because I thought Jamie had code to install it automatically when DKIM is enabled, but maybe that's either not working, or not true, and I need to add a dependency to our yum groups.

If it's not installed, try installing it:

# yum install opendkim

And, maybe restart postfix:

# systemctl restart postfix

And, see if things behave differently. If so, then it's just a dependency issue...if not, it's something we might need to rope Jamie in on (and it might need a Virtualmin update to fix).


Tue, 09/05/2017 - 15:13
KrisPL

Hi,

Debian 9: turn on DKIM. Then go to the console and enter:

  1. /lib/opendkim/opendkim.service.generate

  2. systemctl daemon-reload

  3. service opendkim restart

To test:

netstat -natpu | grep opendkim

Tue, 09/05/2017 - 15:23
NigelAves

Joe,

Yes, opendkim is installed (and it was installed automatically when I built the server). I looked at the files in /etc/opendkim and none of them are modified, but I am assuming that Virtualmin stores the info somewhere else.

I have stopped and restarted Postfix. No difference.

Nigel

Tue, 09/05/2017 - 15:40
NigelAves

KrisPL

I did try your test: netstat -natpu | grep opendkim

I believe this looks good.

[root@apache-web-server ~]# netstat -natpu | grep opendkim
tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      25876/opendkim
[root@apache-web-server ~]#

Tue, 09/05/2017 - 16:06
Joe

I'll ask Jamie to chime in, as he knows better what magic is supposed to happen to loop DKIM signing into the mix when sending mail.

Here's the ticket about it, though I'll relay back any necessary info once I understand what's happening: https://www.virtualmin.com/node/53420


Wed, 09/06/2017 - 00:55
KrisPL

Joe, it also does not work with Debian 9.

Wed, 09/06/2017 - 03:46
contremaitre

Hello, I am running Debian 8.9. DKIM is installed and running; my emails are signed but the signature is invalid.

Fri, 09/08/2017 - 15:06
NigelAves

Joe,

I was looking through my log files trying to discover if this was a bug in Virtualmin or operator error (me!) :)

Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: connect from unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 4A67DC3EB8D6: client=unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 774C3C3EB8D6: client=unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/cleanup[28647]: 774C3C3EB8D6: message-id=4dc39ace-d347-8788-23cc-f44a2cef20bb@twin-peaks-video.com
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [192.168.1.50] [192.168.1.50] not internal
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data
Sep 8 13:37:20 apache-web-server postfix/qmgr[3361]: 774C3C3EB8D6: from=nigel@twin-peaks-video.com, size=1565, nrcpt=1 (queue active)
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: disconnect from unknown[192.168.1.50]

Any thoughts?

Nigel

Sat, 09/09/2017 - 11:02
NigelAves

Not sure if this is a bug or not, but I discovered what was wrong.

First edit the /etc/opendkim/TrustedHosts file and add your internal network:

# OPENDKIM TRUSTED HOSTS
#
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
host.example.com
192.168.1.0/24

Then edit /etc/opendkim.conf and uncomment this line:

## Identifies a set "internal" hosts whose mail should be signed rather than verified.
InternalHosts   refile:/etc/opendkim/TrustedHosts

Now DKIM signatures are written to email messages.

There should probably be an option added in the Virtualmin DKIM setup to add your internal networks.

Nigel.
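
The log lines and TrustedHosts file above show the failure mode: OpenDKIM only signs mail from hosts it considers internal, and logs "not internal" for anything else. The following added example (not Nigel's or Virtualmin's code) matches the client IPs from those "not internal" log lines against a TrustedHosts file the way OpenDKIM's InternalHosts list does for IP and CIDR entries, so you can confirm that an edit like adding 192.168.1.0/24 actually covers the hosts that were refused before restarting the service. The sample file and log lines are constructed; hostname entries are skipped because matching them needs DNS.

```python
import ipaddress
import re

# Constructed sample TrustedHosts in the shape of the file quoted in the post;
# 192.168.1.0/24 is deliberately absent so the check has something to report.
TRUSTED_HOSTS = "# OPENDKIM TRUSTED HOSTS\n127.0.0.1\n::1\nhost.example.com\n"

# Constructed log lines modelled on the opendkim lines quoted in the thread.
LOG_LINES = [
    "Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [192.168.1.50] [192.168.1.50] not internal",
    "Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated",
    "Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data",
    "Sep 8 13:41:05 apache-web-server opendkim[25876]: 1F00AC3EB8F1: [10.0.0.7] [10.0.0.7] not internal",
]

# Queue id and client IP from an OpenDKIM "not internal" line.
NOT_INTERNAL = re.compile(
    r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): \[(?P<ip>[0-9a-fA-F.:]+)\] \[[0-9a-fA-F.:]+\] not internal"
)


def parse_trusted_hosts(text):
    """Return the IP and CIDR entries of a TrustedHosts file as ip_network objects."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # a hostname such as host.example.com; needs DNS, skipped here
    return nets


def is_internal(ip, nets):
    """True if the client IP falls inside any trusted IP or CIDR entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def unsigned_clients(log_lines):
    """Map queue id -> client IP for every message OpenDKIM refused to sign as 'not internal'."""
    return {m.group("qid"): m.group("ip") for m in map(NOT_INTERNAL.search, log_lines) if m}


def uncovered_clients(trusted_text, log_lines):
    """Refused clients that the current TrustedHosts file still would not treat as internal."""
    nets = parse_trusted_hosts(trusted_text)
    return {qid: ip for qid, ip in unsigned_clients(log_lines).items() if not is_internal(ip, nets)}
```

Run uncovered_clients() once against the unedited file and once after appending your network line; an empty result for the hosts you care about means the edit is sufficient and only the restart remains.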

Mon, 09/11/2017 - 09:33
contremaitre

Hi, my problem is different: my emails are signed, but the signature is invalid. I have no DKIM error in the Postfix logs.

Mon, 09/11/2017 - 11:26 (Reply to #14)
noisemarine

I would try:

Virtualmin -> Email Messages -> Domain Key Identified Mail

Force generation of new private key -> Yes

Save

Wed, 09/13/2017 - 06:53
Jfro

Here I succeeded by not adding my domain in "Additional domains to sign for",

but by generating the key in the virtual server for that domain itself!

( virtual server > server configuration > domainkey options )

Then it should be in the DNS of course, otherwise it won't work; if you use third-party external DNS you have to add this manually.

If you use "default" as the key name then there could be problems, so better change "default" to what you like; you can read about that here > https://www.virtualmin.com/documentation/email/dkim

"Do NOT enter default, as this can trigger a bug in the current Virtualmin release which deletes the /etc/default"

Wed, 09/13/2017 - 07:35
contremaitre

noisemarine: I already tried that.

Jfro: I already added my domain, changed the "default" prefix, and added the key to my DNS.

Wed, 09/13/2017 - 07:59
Jfro

I mean: don't add your domain there in that screen, but do the key generation in the domain's virtual server itself. Open that screen on that domain again and you will see your key to paste into the DNS record if needed; then you can check with DNS at https://mxtoolbox.com/dkim.aspx whether these keys are the same! Of course only after the TTL time...

And try a test first by sending mail out via the Webmin webmail function to http://dkimvalidator.com/

So go to that domain's virtual server and generate the key there: ( virtual server > server configuration > domainkey options )

Mon, 09/18/2017 - 08:08
contremaitre

Jfro: I cannot remove my domain from "Additional domains to sign for": I get this error: Finding virtual servers to enable DKIM for .. .. no servers with both DNS and email enabled were found! DKIM setup failed!

I do not host my virtual server DNS, I am using the one from my provider, but I did add my DKIM key; I can see it with mxtoolbox. And there is no "virtual server > server configuration > domainkey options" menu.

Mon, 09/18/2017 - 17:21 (Reply to #19)
Joe

It may be that Virtualmin won't sign for domains it doesn't host DNS for. I don't think that should be necessary, but you could try enabling DNS for this domain. It's harmless to do so...if nobody queries the DNS server on the Virtualmin host, it'll just sit there doing nothing.


Tue, 09/19/2017 - 02:08 (Reply to #20)
contremaitre

No, my emails are signed, but the signature is invalid.

Mon, 09/18/2017 - 08:15
Jfro

OK, I'm only a user/admin.

I have that option in the menu, so I don't know how to help you.

Then ask Joe, sorry.

We ourselves are only using third-party DNS for domains; DKIM with Virtualmin 6 and CentOS is working here, but it was a fresh VM6 install about 29-08, so not an updated older version of VM.
