DKIM signature not being added to mail.

Hi, I am having an issue where the DKIM signature is not being added to emails. My account 5571470.

I have stopped the opendkim server and restarted it. I have also turned DKIM signatures off and then back on in Virtualmin.

I did some research on the issue and checked the files and it seems that INET all point to correct port as per that research so I am now at a loss as to why it isn't working.

All I am getting in mail log is

warning: connect to Milter service inet:localhost:8891: Connection refused

Some of the material I have already referenced is

https://serverfault.com/questions/847435/cant-change-opendkim-socket-in-...

https://serverfault.com/questions/858879/postfix-connect-to-milter-servi...

My current webmin and virtualmin versions are:

Webmin: 1.900 Virtualmin: 6.06-2pro

I hope someone may be able to help

Regards.

Status: Closed (fixed)

Comments

That message about inet:localhost:8891 means that the openDKIM server isn't running, or is using the wrong port.

Can you check if there is a process named opendkim or similar running on your system?

Hi Jamie,

Yes it is working but DKIM sig not being added. I rebooted system to see if it helped before I put ticket in.

Here is the output of systemctl status opendkim.service

opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
   Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset:
   Active: active (running) since Mon 2019-02-25 02:12:09 GMT; 11h ago
     Docs: man:opendkim(8)
           man:opendkim.conf(5)
           man:opendkim-genkey(8)
           man:opendkim-genzone(8)
           man:opendkim-testadsp(8)
           man:opendkim-testkey
           http://www.opendkim.org/docs.html
  Process: 36401 ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf (code=exited
Main PID: 36402 (opendkim)
    Tasks: 6 (limit: 9830)
   CGroup: /system.slice/opendkim.service
           └─36402 /usr/sbin/opendkim -x /etc/opendkim.conf

Feb 25 02:12:09 atlantic2320 systemd[1]: Starting OpenDKIM DomainKeys Identified
Feb 25 02:12:09 atlantic2320 systemd[1]: Started OpenDKIM DomainKeys Identified
Feb 25 02:12:09 atlantic2320 opendkim[36402]: OpenDKIM Filter v2.11.0 starting (
lines 1-19/19 (END)

All the DKIM conf files that I have checked have the port set at 8891, which I assume is the default setting when OpenDKIM is installed under Virtualmin.

Regards.

I thought I would alter the DMARC record as I was getting mail rejected due to DKIM issues. When I saved the configuration I got this output:

Failed to save record : DNSSEC signing after records change failed : dnssec-signzone: warning: addnode: NSEC node already exists dnssec-signzone: fatal: No self-signed KSK DNSKEY found. Supply an active key with the KSK flag set, or use '-P'.

Yet DNSKEY exists and is used for DNSSEC purposes

If I try and open the Setup DNSSEC Key on the zone I get this

The zone already has a DNSSEC key, and so is already signed. Webmin will re-sign the zone automatically when any changes are made.

HTTP/1.0 500 Perl execution failed Server: MiniServ/1.900 Date: Tue, 26 Feb 2019 05:13:13 GMT Content-type: text/html; Charset=iso-8859-1 Connection: close
Error - Perl execution failed

Can't use an undefined value as an ARRAY reference at /usr/share/webmin/bind8/edit_zonekey.cgi line 41.

I assume that perhaps this error may be affecting the DKIM milter in some way but not sure what or why.

Hope the added info helps

Regards.

I should say that the issue is not on all the zones for the sites I am hosting, so not sure why one would throw an error and another not.

Hi Jamie,

DMARC not affecting DKIM. I removed and reinstalled the one virtual server that was giving the DMARC issue and it has now gone away.

DKIM still not being added to mail.

As DKIM is active and records are those installed with virtualmin any idea why it is still not being added?

It is important that I get DKIM working again as soon as possible as we sign all emails with it. The reason was we had people faking our mail addresses to spam others; using DKIM, those spoofed emails were rejected. If we cannot use DKIM then that will have an impact. DKIM also makes sure that any emails sent even with a spoofed address to our own addresses are filtered out if they do not have the correct DKIM sig. Right now, as that sig is not being added, we are unable to rely on that happening.

Regards.

It looks like the real issue is that the opendkim server isn't running on the port that Virtualmin and Postfix expect (port 8891).

What does the /etc/default/opendkim file contain on your system?

Hi Jamie,

This is what file /etc/default/opendkim contains

EXTRAAFTER=""
DAEMON_OPTS="-b sv"
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
USER=opendkim
SOCKET=inet:8891@localhost
RUNDIR=/var/run/opendkim

For completeness /lib/systemd/system/opendkim.service has following contents

[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target

[Service]
Type=forking
PIDFile=/var/run/opendkim/opendkim.pid
UMask=0007
ExecStart=/usr/sbin/opendkim -x /etc/opendkim.conf
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID

[Install]
WantedBy=multi-user.target

Regards.

That looks OK. But in your /etc/opendkim.conf file, what does the Socket line contain?

Hi Jamie,

This is from /etc/opendkim.conf

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8892@localhost
Socket local:/var/run/opendkim/opendkim.sock

Looking at code I assume it would be better to uncomment the inet socket changing port to 8891 and then to comment out the local: socket?

Regards.

Yes, that's the fix you need to make (then restart the DKIM server).

Hi Jamie,

Many thanks. All working correctly now.

Regards.

Great! The next Virtualmin release will attempt to handle this kind of mismatch in the ports between different config files better.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
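
The mismatch behind this ticket (Postfix dialing inet:localhost:8891 while /etc/opendkim.conf had Socket local:/var/run/opendkim/opendkim.sock) can be checked with a short script. This is an added example, not part of the original thread or of Virtualmin's code; the function names are hypothetical, and it assumes a single active Socket line and plain inet:host:port or unix:path milter entries.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from OpenDKIM or Virtualmin).

# Print the value of the active (uncommented) Socket line in an opendkim.conf.
# Assumes a single active Socket line.
opendkim_socket() {
    awk 'tolower($1) == "socket" { v = $2 } END { print v }' "$1"
}

# Rewrite an OpenDKIM socketspec in Postfix milter syntax:
#   inet:8891@localhost -> inet:localhost:8891
#   inet:8891           -> inet:*:8891   (listens on all interfaces)
#   local:/path         -> unix:/path
to_postfix_form() {
    case "$1" in
        inet:*@*) p=${1#inet:}; echo "inet:${p#*@}:${p%%@*}" ;;
        inet:*)   echo "inet:*:${1#inet:}" ;;
        local:*)  echo "unix:${1#local:}" ;;
        *)        echo "unknown:$1" ;;
    esac
}

# check_milter_match CONF "MILTERS"
# Succeeds if any entry of the Postfix milter list dials the socket in CONF.
check_milter_match() {
    want=$(to_postfix_form "$(opendkim_socket "$1")")
    for m in $(echo "$2" | tr ',' ' '); do
        case "$want" in
            'inet:*:'*)   # wildcard listener: compare the port only
                case "$m" in inet:*) m="inet:*:${m##*:}" ;; esac ;;
        esac
        if [ "$m" = "$want" ]; then
            echo "MATCH: opendkim listens on $want"
            return 0
        fi
    done
    echo "MISMATCH: opendkim listens on $want, Postfix dials $2"
    return 1
}

# Constructed sample mirroring the thread: before and after the fix.
conf=$(mktemp)
printf '%s\n' '#Socket                  inet:8892@localhost' \
    'Socket local:/var/run/opendkim/opendkim.sock' > "$conf"
check_milter_match "$conf" "inet:localhost:8891" || true   # MISMATCH
printf '%s\n' 'Socket inet:8891@localhost' > "$conf"
check_milter_match "$conf" "inet:localhost:8891"           # MATCH
rm -f "$conf"
```

On a live server the call would be check_milter_match /etc/opendkim.conf "$(postconf -h smtpd_milters)". The unit file shown above starts opendkim with only -x /etc/opendkim.conf, which is why the SOCKET value in /etc/default/opendkim is not part of the comparison.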