DKIM was enabled by default but was not working

Hi team, hope everyone is doing well.

We attempted to set up DKIM for a virtual server and could not find the Server Configuration > DomainKey option. We assumed that DKIM was disabled on the server by default, as this was a default install. Then we checked Email Settings > DomainKeys Identified Mail and, to our surprise, the "Signing of outgoing mail enabled?" option was set to Yes. We turned it off and it then tried to remove all the DNS records for all our virtual servers, but it said that they were already removed and nothing was to be done. Not sure if this is expected behavior, because if it is set to Yes we would have assumed that DKIM records were being added and everything was working properly, but it turns out it actually wasn't on at all. When we switched the option back to Yes and saved, it actually started generating keys and the Server Configuration > DomainKey option started showing up for our Virtualmin users. We are thinking about scaling here and are trying to minimize deployment issues. If we have to scale a large number of servers and need to do this trick every time, it will not be efficient for us. Can you guys please verify whether you are able to reproduce this on a default CentOS 7 install?

In addition, if the Virtualmin user is using CloudFlare or an external DNS provider, they should be able to just add the DNS records with no issues, right? We read the help page and it states that apparently we have to add more domains to sign for if the DNS is hosted elsewhere but email is hosted on the server. We wouldn't be able to manually add every single Virtualmin user's domain to this list, so we are hoping that this is not needed and that it works by adding the same TXT record from DNS Options to the external DNS provider, like CloudFlare.

Looking forward to hearing back from you guys, thank you!

Additionally: DKIM was installed by Virtualmin during the main install because it was already on the system. We did not get a message saying that DKIM was not installed and that Virtualmin could try to install it automatically.

This was for the GPL install of Virtualmin for CentOS!

Update: We tested DKIM by adding the records needed for DKIM in CloudFlare on a test site, and Virtualmin did sign the emails just fine, no problems here. Just need to figure out the initial issue now. Thanks!

Webmin version 1.942, Usermin version 1.791, Virtualmin version 6.08, Cloudmin version 9.5.kvm Pro

Status: Needs work

Comments

Submitted by Ilia on Thu, 03/26/2020 - 13:53

If we have to scale a large number of servers and need to do this trick every time, it will not be efficient for us. Can you guys please verify whether you are able to reproduce this on a default CentOS 7 install?

I have given it a try and checked how it looks by default on CentOS 7. I can say that it's off by default and, if enabled, newly added domains will automatically get the signature.

In addition, if the Virtualmin user is using CloudFlare or an external DNS provider, they should be able to just add the DNS records with no issues, right?

If DNS for a domain is hosted elsewhere, the records would have to be added manually.

We wouldn't be able to manually add every single Virtualmin user's domain to this list, so we are hoping that this is not needed and that it works by adding the same TXT record from DNS Options to the external DNS provider, like CloudFlare.

You could use one key for signing all domains, but you would have to set it up manually for your external DNS server. In the case of local DNS records, they will be added automatically.

Submitted by thedaemexco on Thu, 03/26/2020 - 14:38 Pro Licensee

Sounds good, no problem. I don't know what caused it, but we'll let you know if it happens with our next deployment. Just one last question: if the client wanted to use their own DKIM key, adding the record to CloudFlare will be fine and we don't have to do anything else on our side, correct? Looking forward to hearing back from you, Ilia.

Submitted by Ilia on Thu, 03/26/2020 - 15:44

if the client wanted to use their own DKIM key, adding the record to CloudFlare will be fine and we don't have to do anything else on our side, correct?

Yes, if a client generates a new key under Server Configuration/DomainKey Options, and you as admin have enabled, under the Allowed capabilities and features tab in Administration Options/Edit Owner Limits, the options Can edit virtual server and Can edit email settings, then yes.

What I don't like about this page (Server Configuration/DomainKey Options) is that it actually doesn't display DNS records for additional domains like Email Settings/DomainKeys Identified Mail does, which makes it unclear which records to add on an external DNS server. I will ask Jamie if he wouldn't mind adding it to Server Configuration/DomainKey Options as well.

Submitted by thedaemexco on Thu, 03/26/2020 - 16:06 Pro Licensee

Hi there Ilia,

We tested with CloudFlare and it works just fine. I agree with you 100%, because as of now... the user actually has to go into their DNS options to see the public key. The DKIM options the user sees only display the private key. If there is also a way to display the public key and have it easy to copy and paste, that would be fantastic. If you input the key as it is by copying from the DNS entry, it has quotation marks, and if you paste it into CloudFlare, it gives an error. Many of our clients are using CloudFlare, so this would be a very common issue people would contact us about. Much appreciated, thanks!
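The copy/paste error described above comes from the way a long DKIM public key is written into a zone file: the TXT value is split into several quoted strings that a resolver concatenates, while a provider's web form wants the joined value without the quotes. The following Python is an added example, not code from Virtualmin or from anyone in this thread; it takes a BIND-style `default._domainkey IN TXT` line, produces the single plain string to paste into an external DNS provider, and sanity-checks the tags (`v=DKIM1`, a base64-decodable `p=`) before publishing. The record it parses is constructed here and its `p=` value is a placeholder, not a real RSA key.

```python
"""Turn a BIND-style DKIM TXT record into the plain value an external DNS
provider's form expects, and sanity-check it before publishing.

Example code added to this thread; not Virtualmin's own code.  The record
below is constructed and its p= value is a placeholder, not a real RSA key.
"""
import base64
import binascii
import re

# Constructed sample: a DKIM TXT record in zone-file form.  Long TXT values
# are written as several quoted <character-string>s inside parentheses; a DNS
# resolver concatenates them, but a web form such as CloudFlare's wants the
# joined value with no quotation marks at all.
_PLACEHOLDER_KEY_B64 = base64.b64encode(b"placeholder-not-a-real-key").decode()
SAMPLE_ZONE_RECORD = (
    'default._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; " '
    '"p=' + _PLACEHOLDER_KEY_B64[:20] + '" '
    '"' + _PLACEHOLDER_KEY_B64[20:] + '" )'
)

# One quoted character-string, allowing backslash escapes inside it.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_record_value(zone_line: str) -> str:
    """Join the quoted character-strings of a TXT record into one value,
    dropping the quotes and unescaping \\" and \\\\ as a resolver would."""
    parts = _QUOTED.findall(zone_line)
    if not parts:
        raise ValueError("no quoted TXT data found")
    return "".join(re.sub(r'\\(.)', r'\1', p) for p in parts)


def parse_dkim_tags(value: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into a tag dictionary (RFC 6376 tag=value list)."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip()] = val.strip()
    return tags


def check_dkim_record(value: str) -> list:
    """Return a list of problems; an empty list means the record looks publishable."""
    problems = []
    try:
        tags = parse_dkim_tags(value)
    except ValueError as exc:
        return [str(exc)]
    # v= is optional in RFC 6376, but if present it must be exactly DKIM1.
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= tag must be DKIM1")
    if "p" not in tags:
        problems.append("missing p= (public key) tag")
    elif tags["p"] == "":
        problems.append("p= is empty: this key is revoked and will not verify signatures")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64 (check for a copy/paste truncation)")
    if '"' in value:
        problems.append("value still contains quotation marks")
    return problems


def cloudflare_content(zone_line: str) -> str:
    """The single-line TXT content to paste into an external DNS provider's form."""
    value = txt_record_value(zone_line)
    problems = check_dkim_record(value)
    if problems:
        raise ValueError("; ".join(problems))
    return value


if __name__ == "__main__":
    print("Name:   ", SAMPLE_ZONE_RECORD.split()[0])
    print("Content:", cloudflare_content(SAMPLE_ZONE_RECORD))
```

Run it against a line copied from Virtualmin's DNS Options page and paste the printed Content into the provider's TXT record for the `default._domainkey` name; the check rejects a value that still carries quotes or whose key was truncated while copying, which are the two mistakes that produce the error mentioned above.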

Nice idea - look for this in the next release.

Implementation of this feature is done for inclusion in the next release.

Submitted by Ilia on Mon, 04/06/2020 - 06:02

Jamie, thanks, but it's not exactly what was requested. It's good to have public and private keys listed as part of the global configuration, BUT what about server owners and the edit_domdkim.cgi page? IF a user selects Generate new key, then she/he will never see the DNS records for inclusion. The mentioned edit_domdkim.cgi page MUST have either the default default._domainkey IN TXT record displayed OR a custom one, in case the GLOBAL key is not used. Does it make sense? :)

I checked the code, and as long as the domain does NOT have DNS enabled, the suggested DNS records should still be displayed on that page. Or did you mean that suggested records aren't shown unless there is a custom key?

Submitted by Ilia on Sun, 04/12/2020 - 08:00

Or did you mean that suggested records aren't shown unless there is a custom key?

I expect, in any case, the DomainKey Options page to display the public key and the DKIM DNS record. See attached images expected_dkim.png vs current_dkim.png.

With the most recently checked-in code for that page, it should now be behaving like in your expected screenshot.

Submitted by thedaemexco on Mon, 04/27/2020 - 17:46 Pro Licensee

Beautiful! The expected picture looks great! Will we see this feature pushed to the next update? If so, this issue can be closed guys!