Use DKIM without needing Virtualmin's local DNS and Mail services.

#1 Sun, 12/18/2011 - 12:35
MDS85

It would be nice if you could enable/generate DKIM for Virtualmin domains without it being dependent on the internal DNS and Mail services.

I currently use both external DNS and Mail (Google Apps), but since there is still mail generated and shipped from my server, I would like to utilize the DKIM feature. Apparently with the BIND and User Mail modules disabled, DKIM fails... Ideally it should still allow you to generate DKIM for your domains, but alert the user that they will need to manually insert the records into their external DNS service (and as such display the generated record for copying).

I know I can manually do all of this from the shell, but it would be far more optimal to just use VM's built-in functionality. I couldn't imagine it being a big change to allow it.

Sun, 12/18/2011 - 21:12
andreychek

I had to ask Jamie about this one, but he says it's possible to do this. He says that on the DKIM page, you can enter the names of domains without local DNS in the "Additional domains to sign for" field.

After DKIM has been enabled, the records to add on the remote DNS server can be copied from the "DNS records for additional domains" box.

Let us know if that does the trick for you!

-Eric

Mon, 12/19/2011 - 21:43
MDS85

Thank you Eric, I'll do that and let you know the results. :-)

Mon, 12/19/2011 - 22:11
MDS85

WOW! I feel dumb. Thank you Eric, and please extend my thanks to Jamie as well!

Virtualmin is such a brilliant application. :-)

Thu, 12/22/2011 - 16:08
MDS85

Just a follow-up: it works great. However, if I may make a suggestion: the current canonicalization algorithm is simple/simple; I propose that changing the default to relaxed be considered. It's more friendly to common modifications like added whitespace. (For example, Google Apps also uses relaxed/relaxed.)

Reference: http://www.elandsys.com/resources/sendmail/dkim.html

"Mail servers sometimes modify email in transit. This can invalidate the domainkeys signature. dkim-milter supports two canonicalization algorithms. The simple algorithm tolerates almost no modification. The relaxed algorithm tolerates common modifications such as white-space replacement and header line re-wrapping."
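The simple/relaxed difference the post above describes, as an added example (not code from the thread or from Virtualmin): both body canonicalizations from RFC 6376 section 3.4, run over a constructed body before and after a relay re-spaces it, to show which signature would still verify.

```python
"""Simple vs relaxed DKIM canonicalization (RFC 6376 section 3.4), shown on
a body an intermediate mail server has re-spaced.  Added example; not code
from the thread or from Virtualmin."""
import re


def simple_body(body: bytes) -> bytes:
    """RFC 6376 3.4.3: only trailing empty lines are removed; empty body -> CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: drop WSP at line ends, collapse WSP runs to one SP,
    drop trailing empty lines, end with CRLF (empty body -> empty string)."""
    body = re.sub(rb"[ \t]+(\r\n|$)", rb"\1", body)
    body = re.sub(rb"[ \t]+", b" ", body)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if body in (b"", b"\r\n"):
        return b""
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def relaxed_header(name: bytes, value: bytes) -> bytes:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)  # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \t")
    return name.lower().strip(b" \t") + b":" + value + b"\r\n"


# Constructed sample: the body as signed, and the same body after a relay
# replaced the tab, trimmed trailing spaces and dropped the final blank line.
SIGNED = b"Hello,\r\n\r\nThis is\ta test.  \r\n\r\n"
RELAYED = b"Hello,\r\n\r\nThis is a test.\r\n"


def survives(canon, original: bytes, modified: bytes) -> bool:
    """True when the body hash (and so the signature) would still verify."""
    return canon(original) == canon(modified)


if __name__ == "__main__":
    print("simple/simple survives:", survives(simple_body, SIGNED, RELAYED))    # False
    print("relaxed/relaxed survives:", survives(relaxed_body, SIGNED, RELAYED))  # True
```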

Tue, 04/15/2014 - 17:20
jmunjr

Hi, I am trying to do this but I cannot seem to get the TXT record value to stick. My DNS provider is telling me there are invalid characters.

What exactly should be in the TXT record? Here is what I am given to use from "DNS records for additional domains":

2012._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAxxxNADCBiQKBgxxHOg4x7QVBbfUKinrZV" "uW84ozzOfckeNHa8jaGhrBvQ/kxxxHw42exaxxO3QHsxevZAxg3cuJdpVxe79hJKtenBNJiFpo6BZeY+" "jGwsBxkVJY9//4lfozuJmaAlQ9oUCyxxx9kDxxLzK9ejBFgxiCK8VhZZOBemltL65GCNePSYQIDAQAB" )

Note there are three keys in quotes. My DNS provider does not like this.

How should this be entered into a TXT record?

Thanks

EDIT: OK, for whatever reason Virtualmin put quotes around each line in the text box. Also, the name above, 2012._domainkey, is the hostname. The key is everything in quotes and typically would be in the record like this:

"v=DKIM1; k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAxxxNADCBiQKBgxxHOg4x7QVBbfUKinrZVuW84ozzOfckeNHa8jaGhrBvQ/kxxxHw42exaxxO3QHsxevZAxg3cuJdpVxe79hJKtenBNJiFpo6BZeY+jGwsBxkVJY9//4lfozuJmaAlQ9oUCyxxx9kDxxLzK9ejBFgxiCK8VhZZOBemltL65GCNePSYQIDAQAB"

Wed, 06/18/2014 - 15:12
avibodha

Just in case it will help someone else, DnsMadeEasy also has a tricky entry box for this. You need:

- No newlines (all on one line)
- No tabs (spaces only)
- No parentheses around the TXT entry

Separate quoted entries are automatically combined, so you can keep the separate sections quoted, just remove any tabs and newlines between them.

Thu, 04/18/2019 - 07:14
LuigiMdg

I have the same problem. I'm pasting the record with quotes, but the first and last quotes were deleted!

This is the record that I've inserted:

"v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB" "eARDmF43SCRfxh1BONZK1c9MCzRZXu5Izg/1eIbOgw2ybAqmKlloMk2gflfP/p/kmI/ZyWgoJljXjh3X" "m0Bt/lmqHP3/qdqNK7IB2CCmfN29jteJetOZMJ/hXYsZ8pHNv4i/GcUInio2OGLxbSvvoTlAONIYdVL5" "UDmB7N1tclDTGYC364LEPPLK7b2e4V0ZSH+plUHBlTHWfh3zPD+UF/vbv/Eh3pTxBdBFFLiAjrPrTmKT" "pH8T4N77xeZN2arWRumzILWECOeJz9UvZDtMPB5/xvO+3BXcOCEqkiAQHwJWvRPEir01QTbVZdYQZwAF" "UASEolFUwIDAQAB"

This is the message from Virtualmin:

2015._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB" "eARDmF43SCRfxh1BONZK1c9MCzRZXu5Izg/1eIbOgw2ybAqmKlloMk2gflfP/p/kmI/ZyWgoJljXjh3X" "m0Bt/lmqHP3/qdqNK7IB2CCmfN29jteJetOZMJ/hXYsZ8pHNv4i/GcUInio2OGLxbSvvoTlAONIYdVL5" "UDmB7N1tclDTGYC364LEPPLK7b2e4V0ZSH+plUHBlTHWfh3zPD+UF/vbv/Eh3pTxBdBFFLiAjrPrTmKT" "pH8T4N77xeZN2arWRumzILWECOeJz9UvZDtMPB5/xvO+3BXcOCEqkiAQHwJWvRPEir01QTbVZdYQZwAF" "UASEolFUwIDAQAB" )

How can I solve it?
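The record-entry problems jmunjr, avibodha and LuigiMdg hit above, handled in one added example (not Virtualmin code; the key it uses is a constructed placeholder, not one from the thread): parse the "DNS records for additional domains" line, join the quoted pieces into the single value a verifier sees, check the tags and base64 before publishing, and re-split it into quoted strings of at most 255 octets on one line for panels that want that form.

```python
"""Convert the "DNS records for additional domains" line Virtualmin shows into
forms DNS control panels accept, and sanity-check it first.  Added example,
not Virtualmin code; the key used below is a constructed placeholder."""
import base64
import re

def parse_virtualmin_txt(line: str) -> tuple[str, str]:
    """(owner, value): adjacent quoted strings are one value; parentheses,
    tabs and newlines around them are ignored, as a verifier would."""
    m = re.match(r"\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TXT\s+(.*)$", line, re.S)
    parts = m and re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(2))
    if not parts:
        raise ValueError("not a TXT record line with quoted strings")
    return m.group(1), "".join(parts)

def dkim_tags(value: str) -> dict[str, str]:
    """tag=value list per RFC 6376 3.2; whitespace around tags is ignored."""
    items = [i.partition("=") for i in value.split(";") if i.strip()]
    return {k.strip(): v.strip() for k, _, v in items}

def check_dkim_record(value: str) -> list[str]:
    """Problems to fix before publishing (empty list = record looks sane)."""
    problems, tags = [], dkim_tags(value)
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type in k=")
    try:
        base64.b64decode(tags["p"], validate=True)
    except KeyError:
        problems.append("missing p= tag")
    except ValueError:  # a stray quote, space or newline got into the key
        problems.append("p= is not valid base64")
    return problems

def chunk_txt(value: str, size: int = 255) -> str:
    """Re-split into <=255-octet quoted strings on one line, no parentheses."""
    return " ".join(f'"{value[i:i + size]}"' for i in range(0, len(value), size))

def fqdn(owner: str, zone: str) -> str:
    """Absolute owner name for panels that want it (trailing dot included)."""
    return owner if owner.endswith(".") else f"{owner}.{zone}."

FAKE_KEY = base64.b64encode(b"constructed placeholder, not a real RSA key " * 6).decode()
SAMPLE = f'2012._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p={FAKE_KEY[:60]}" "{FAKE_KEY[60:]}" )'

if __name__ == "__main__":
    owner, value = parse_virtualmin_txt(SAMPLE)
    print(fqdn(owner, "example.com"), check_dkim_record(value) or "OK")
    print(chunk_txt(value))
```

Paste the single joined value when the panel wants one string, or the output of chunk_txt when it wants the quoted pieces; either way the tags must come back clean from check_dkim_record first.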

Fri, 04/19/2019 - 17:11
Jfro

Try first with a 1024-bit DKIM key to check whether the problem is the long 2048-bit one-liner.

And check DKIM with online tools after it resolves and the TTL times have passed: https://www.dmarcanalyzer.com/dkim/dkim-check/

The quotes are not always used in DNS control panels, and so on; there are very many differences here.

Sometimes the domain must also be written in this line (2015._domainkey_domainname), then sometimes with a dot/period at the end, sometimes not. The GUIs they are using are programmed very differently.... :(

So 2015._domainkey.donagest.com, or?

@luigi: check your site, you're leaking Apache version 2.4.7 and some more security issues; see the links https://en.internet.nl/site/donagest.com/514312/

https://en.internet.nl/mail/donagest.com/218573/

https://discovery.cryptosense.com/analyze/donagest.com/07a2668

and so on; on more test sites you can test more things, but that is something to start with. ;)

Sun, 04/21/2019 - 18:31
LuigiMdg

Thanks for the very helpful message :-)

I will try with a 1024-bit DKIM key and with / before the quotes. Right now the domain host is updating this website's zone and I can't view the DNS! I inserted 2015._domainkey.donagest.com without the domain because I used it without the domain for a subdomain (third level).

As for security, is Apache 2.4.7 too insecure? I'm afraid to update the server. I'm not a system engineer, I'm self-taught!

As for IPv6, I've read that Digital Ocean has problems with email on IPv6, so I've disabled it to exclude that problem!

Tue, 04/23/2019 - 02:25
Jfro

I'm pointing out you should not have your server VERSION PUBLIC! https://www.tecmint.com/hide-apache-web-server-version-information/

FOR OTHER SECURITY ISSUES, TEST WITH THE LINKS I HAVE POSTED.

If you can't handle those, please take some (online) courses or readings.

While if you're going public online without such knowledge of your server, hmm :( (SYSADMIN basic must-have knowledge). It is like driving a car without a driver's license: dangerous for others on the road / www too.

IF insecure: then it is possible someone takes over your box to hurt infrastructure while using your box for hacking...