Submitted by Hal9000 on Sun, 10/30/2011 - 18:21
Hello!
I am running two Debian 6.0 servers, one with Virtualmin GPL, the other one with Virtualmin Pro.
I enabled DKIM on both of them, and both are giving random errors like this:
Oct 30 17:40:51 neptune dkim-filter[30047]: C494023A4B: key retrieval failed
The messages then get a temporary error. Some messages get this over and over, and eventually get a delayed delivery notification, since the message just does not get through.
The majority of incoming emails however does get delivered fine, so I kind of don't really know why dkim-filter sometimes fails.
Any ideas? I enabled it over the Virtualmin interface...
Here are the config files:
/etc/postfix/main.cf
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
/etc/dkim-filter.conf
Syslog yes
KeyFile /etc/dkim.key
Selector neptune
KeyList /etc/keylist
/etc/default/dkim-filter
DAEMON_OPTS="-b sv"
SOCKET=inet:8891@localhost
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Sun, 10/30/2011 - 22:55 Comment #1
That's odd, I haven't seen that error message before.
Is the file /etc/dkim.key readable by the user dkim-milter runs as on your system?
Submitted by Hal9000 on Mon, 10/31/2011 - 01:37 Comment #2
yes, there is
-rwx------ 1 dkim-filter dkim-filter 887 Mar 7 2011 /etc/dkim.key
and
lrwxrwxrwx 1 root root 13 Mar 7 2011 /etc/neptune -> /etc/dkim.key
Submitted by JamieCameron on Mon, 10/31/2011 - 14:08 Comment #3
That KeyList file looks wrong - it shouldn't be a link to the key!
Try this - delete /etc/neptune, edit /etc/dkim-filter.conf, remove the KeyList line, then disable and re-enable DKIM in Virtualmin.
Submitted by Hal9000 on Mon, 10/31/2011 - 15:15 Comment #4
Ok, I did the steps you told me to. For some reason, after disabling dkim via virtualmin, the radio for "Verify DKIM signatures on incoming email?" remains enabled, even if I told it to disable it. Then, if I reenable DKIM signing, the /etc/neptune file gets recreated as before, as symlink to /etc/dkim.key owned by root with all permissions. Also, now that I reenabled signing, the radio of "Signing of outgoing mail enabled?" remains off, even if it actually is on.
Submitted by Hal9000 on Mon, 10/31/2011 - 15:28 Comment #5
I now completely uninstalled the dkim packages and removed the key and config files, so I set up dkim in virtualmin from scratch with "mercury" as selector. It generated a new key, but still, I got
-rwx------ 1 dkim-filter dkim-filter 887 Oct 31 21:21 /etc/dkim.key
lrwxrwxrwx 1 root root 13 Oct 31 21:21 /etc/mercury -> /etc/dkim.key
and lines in the /etc/keylist file point to /etc/mercury
Submitted by JamieCameron on Mon, 10/31/2011 - 15:37 Comment #6
You might need to clear the DKIM config files after removing the packages.
Try turning off DKIM in Virtualmin, un-installing the packages, deleting /etc/mercury and /etc/dkim*, then re-installing and re-enabling DKIM in Virtualmin.
Submitted by Hal9000 on Mon, 10/31/2011 - 15:44 Comment #7
I already did that (see post #5)
Submitted by JamieCameron on Mon, 10/31/2011 - 15:51 Comment #8
Ok .. but in /etc/dkim-filter.conf, is the KeyList still being set to that /etc/mercury file?
Submitted by Hal9000 on Mon, 10/31/2011 - 16:05 Comment #9
keylist is set to
KeyList /etc/keylist
and has always been, just the contents of the keylist file itself point to the mercury file
Submitted by JamieCameron on Mon, 10/31/2011 - 18:10 Comment #10
Ok, that should be fine ..
So are you still getting the same error about key retrieval failing, even after resetting DKIM?
Submitted by Hal9000 on Mon, 10/31/2011 - 18:39 Comment #11
Looks fine so far... :) Will let you know if I encounter any further problems. Thank you for your help!
Submitted by JamieCameron on Mon, 10/31/2011 - 19:16 Comment #12
Ok, great!
Submitted by Issues on Mon, 11/14/2011 - 18:17 Comment #13
Automatically closed -- issue fixed for 2 weeks with no activity.