DKIM filter not setup for sendmail

I got one server that is still using sendmail, simply because I don't know of an easy way to convert to postfix, and the DKIM filter was not set up even though the output said it was.

Configuring mail server to use DKIM filter ..
.. done
Status: Closed (fixed)

Comments

Yes, DKIM should be supported fully on Sendmail.

What goes wrong exactly?

I don't see the milter enabled in sendmail.mc

Not even a line like :

INPUT_MAIL_FILTER(`dkim-filter', `S=local:/var/run/dkim-milter/dkim-milter.sock')

Actually there is a lot more to DK keys than what you got going on anyways.

In sendmail there are 2 settings you need to do. 1 is to add the line and the other is to enable it.

INPUT_MAIL_FILTER(`dkim-filter', `S=inet:8891@localhost')dnl
define(`confINPUT_MAIL_FILTERS', `smf-spf,greylist,dkim-filter')dnl

Second, DK must be run LAST of any milter, regardless of whether it's postfix or sendmail, as DKIM keys actually modify the completed email.

And I just tested DKIM at autorespond+dkim@dk.elandsys.com and it's failing as well.

Did you already have any milters set up?

On my system, that single line was enough to enable DKIM.

If you check the headers on a sent message, is the DomainKeys header included?

Yes, I have greylisting and SPF checking milters running, so in sendmail you have to define the order the milters should run using confINPUT_MAIL_FILTERS, and DKIM has to run last.

Oddly, on my system with Sendmail 8.14.2 the confINPUT_MAIL_FILTERS define is not necessary, and DKIM works fine without it.

Which Sendmail version are you running? And if there is only one filter, is confINPUT_MAIL_FILTERS really needed?

confINPUT_MAIL_FILTERS is required if you are using more than one milter, which I am, and it determines which order the milters are run.

Sendmail version 8.14.3

Ok, thanks .. I will fix this up.

Yes, and it passes just fine. Also when I send email to a gmail address, it is shown as "signed-by" my domain.

Could you try sending me a DKIM-signed message from your server at jcameron@virtualmin.com ?

I sent 2 emails to you. The one I wrote and sent and the other the results of the DKIM test I did previously.

It's also failing on another server that has postfix installed. I'll send you a test email from that as well.

Yeah, it looks like there is no TXT record at _domainkey.libertiesalliance.org .

What does the zone file for this domain contain? I presume your Virtualmin system is the master for that domain?

This is what your code added.

_domainkey.libertiesalliance.org. IN TXT "t=y; o=-;"
default._domainkey.libertiesalliance.org. IN TXT "k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqUbW751QLvq5MLhb2WzQqZJ+E3/ykBXdnHQlwYmyUS4JHitg7Y6zDJDy9ZXyBO/8K70tT37g4ntUYVBUaKJCvX7vPpNkfL7cWqm/WMmmtb4r2eaCykkC2NCtDaMmddo3vZNZYshAIIW67uNS8LOlZnoXKGK/r1UaXxf42Ip0/j2iYzrRsyWN1kyp+ZRqf8y4dDyIoei9e8MPeSPvgX7N/JqsUCOu4jy6nfwxQ5TLUSNakxq3iWGNckORAxghlmlMg1zdVm9Hd8lEI2RxTshktVpSXit1bNUYGbpnRbeOUWoqVd1CuAjo7MecIzLo67GhnFQgO0uWBYbUJJ/6q/qBxwIDAQAB"

That looks correct .. but when I try to lookup that TXT record, I get no results :

fudu.home:~ > dig TXT default._domainkey.libertiesalliance.org

; <<>> DiG 9.5.1-P1 <<>> TXT default._domainkey.libertiesalliance.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47986
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;default._domainkey.libertiesalliance.org. IN TXT

;; AUTHORITY SECTION:
libertiesalliance.org. 10727 IN SOA spock.borgnet.us. root.borgnet.us. 1226259496 10800 3600 604800 38400

;; Query time: 0 msec
;; SERVER: 193.9.101.104#53(193.9.101.104)
;; WHEN: Tue Oct 19 13:38:21 2010
;; MSG SIZE  rcvd: 115

Does your DNS server perhaps need to be restarted?

What is the IP of this virtualmin system?

Oct 19 16:46:17 spock named[4677]: dns_rdata_fromtext: /etc/bind/libertiesalliance.org.hosts:21: ran out of space
Oct 19 16:46:17 spock named[4677]: zone libertiesalliance.org/IN: loading from master file /etc/bind/libertiesalliance.org.hosts failed: ran out of space
Oct 19 16:46:17 spock named[4677]: zone libertiesalliance.org/IN: not loaded due to errors.

After removing the DKIM keys, bind restarted just fine.

Crap dude -- enabling DKIM keys on any server I maintain breaks dns -- all zones refuse to reload with DKIM enabled so something is very wrong here.

Oct 19 20:52:46 box1 named[27335]: dns_rdata_fromtext: /etc/bind/feelgoodnet.ch.hosts:22: ran out of space
Oct 19 20:52:46 box1 named[27335]: zone feelgoodnet.ch/IN: loading from master file /etc/bind/feelgoodnet.ch.hosts failed: ran out of space
Oct 19 20:52:46 box1 named[27335]: zone feelgoodnet.ch/IN: not loaded due to errors.

So it's not me doing anything wrong here.

Ah, maybe the key size is too long. The fix is as follows :

  1. Go to System Settings -> Virtualmin Configuration -> SSL settings and change the Default SSL key size to 512 bits.
  2. Go back to the DKIM page and re-enable, with the Force generation of new private key? set to Yes.
  3. Return to the SSL settings page and put the key size back where it was.

Was a new shorter key generated in the zone file?

What if you disable and then re-enable DKIM?

Nope -- been trying everything

Hmm .. can I login to this machine and take a look?

Wow, you won't believe this...

I had to manually delete /etc/dkim.key to get a new key size.

Force generation of new private key? is not working

Another thing: 512 doesn't seem to work for the key size, only 1024 did. Odd, but in any case you need to update VM quickly to fix this issue.

I just tested (autorespond+dkim@dk.elandsys.com) the DKIM key in sendmail -- remember you have to make sure this milter runs last.

The results are as follows:
DKIM Signature validation: pass (1024-bit key)
DKIM Author Domain Signing Practices: no DNS record for _adsp._domainkey.libertiesalliance.org
Authentication-Results: ns1.qubic.net; dkim=pass (1024-bit key) header.i=@libertiesalliance.org header.b=E0/S57p6; dkim-adsp=pass

Ok, the next Virtualmin release will add or update confINPUT_MAIL_FILTERS when setting up DKIM.

Also, it will fix the key size issue, and handle the case where there are too many domains for the dkim-milter.conf file (which causes it to crash on startup, due to a 1k line limit length).

How are you going to manage the key size issue? Obviously leaving the VM setting at 1024 isn't a good idea, seeing that setting also creates the required 2048 SSL key.

Seems you need to either have a separate setting for the DKIM key size, or you need to have DKIM auto switch the key down to 1024, or you need to split the key on multi-lines.

If the user keeps the VM key size at 2048 because of SSL, then any new domains added will also kill DKIM/BIND the next time it's run for the new domain.

I'm going to make it always use a 1024 bit key, which is the recommended minimum for DKIM and also fits on a single line.

Automatically closed -- issue fixed for 2 weeks with no activity.
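
Background to the "ran out of space" errors and the "split the key" option raised in the thread: a single quoted string in a TXT record can hold at most 255 bytes (RFC 1035), which a 1024-bit key record stays under and a 2048-bit one does not. The following is an added example, not Virtualmin's code or anything posted by the participants; the function names, the example.org record name and the sample key are constructed for illustration. It flags oversize strings in a zone-file line and emits the same DKIM value split into strings BIND will load.

```python
import re

MAX_TXT_STRING = 255  # RFC 1035: one TXT character-string holds at most 255 bytes


def oversize_strings(zone_line):
    """Return the quoted strings in a zone-file line that exceed 255 bytes."""
    quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', zone_line)
    return [s for s in quoted if len(s.encode()) > MAX_TXT_STRING]


def dkim_txt_record(name, public_key_b64, flags="t=y", chunk=MAX_TXT_STRING):
    """Build a BIND TXT record whose value is split into <=255-byte strings.

    Verifiers concatenate the strings of a TXT record without separators,
    so the split may fall anywhere, including inside the p= value.
    """
    value = "k=rsa; " + (flags + "; " if flags else "") + "p=" + public_key_b64
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    body = "\n".join('\t"%s"' % p for p in parts)
    return "%s IN TXT (\n%s )" % (name, body)


def joined_value(record):
    """Reassemble the TXT value the way a DKIM verifier sees it."""
    return "".join(re.findall(r'"([^"]*)"', record))


# Constructed sample (not a real key): 392 base64 characters, the length of a
# 2048-bit RSA public key in the encoding DKIM publishes.
SAMPLE_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 342 + "IDAQAB"
SINGLE_LINE = 'default._domainkey.example.org. IN TXT "k=rsa; t=y; p=%s"' % SAMPLE_KEY

if __name__ == "__main__":
    print(len(oversize_strings(SINGLE_LINE)), "oversize string(s) in the one-line form")
    print(dkim_txt_record("default._domainkey.example.org.", SAMPLE_KEY))
```

Running `named-checkzone` on the zone file after any such change confirms that BIND will load it before the server is reloaded.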