23 posts / 0 new
Last post
#1 Sun, 07/23/2017 - 04:21
dj586

DKIM

Hi,

I am having a brain-twisting issue with the DKIM setup. Perhaps I cannot see the wood for the trees!

DomainKeys identified mail options

Signing of outgoing mail enabled? is set to YES

The DNS for the specific domain is set with:

2015._domainkey.example.com. IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB"
"eARDmF43SCRfxh1BONZK1c9MCzRZXu5Izg/1eIbOgw2ybAqmKlloMk2gflfP/p/kmI/ZyWgoJljXjh3X"
"m0Bt/lmqHP3/qdqNK7IB2CCmfN29jteJetOZMJ/hXYsZ8pHNv4i/GcUInio2OGLxbSvvoTlAONIYdVL5"
"UDmB7N1tclDTGYC364LEPPLK7b2e4V0ZSH+plUHBlTHWfh3zPD+UF/vbv/Eh3pTxBdBFFLiAjrPrTmKT"
"pH8T4N77xeZN2arWRumzILWECOeJz9UvZDtMPB5/xvO+3BXcOCEqkiAQHwJWvRPEir01QTbVZdYQZwAF"
"UASEolFUwIDAQAB" )

-- Which, as pasted below, is also shown in: "DNS records for additional domains" on the "DomainKeys identified mail options" page

2015._domainkey IN TXT ( "v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArOTbRs3iFf1rB"
"eARDmF43SCRfxh1BONZK1c9MCzRZXu5Izg/1eIbOgw2ybAqmKlloMk2gflfP/p/kmI/ZyWgoJljXjh3X"
"m0Bt/lmqHP3/qdqNK7IB2CCmfN29jteJetOZMJ/hXYsZ8pHNv4i/GcUInio2OGLxbSvvoTlAONIYdVL5"
"UDmB7N1tclDTGYC364LEPPLK7b2e4V0ZSH+plUHBlTHWfh3zPD+UF/vbv/Eh3pTxBdBFFLiAjrPrTmKT"
"pH8T4N77xeZN2arWRumzILWECOeJz9UvZDtMPB5/xvO+3BXcOCEqkiAQHwJWvRPEir01QTbVZdYQZwAF"
"UASEolFUwIDAQAB" )

However, Yahoo gives:

Authentication-Results: xxxx.yahoo.com from=example.com; domainkeys=neutral (no sig); from=example.com; dkim=neutral (no sig)

and http://appmaildev.com

gives me "DKIM-Result: none (no signature)"

it is driving me nuts

any guidance would be much appreciated

Sat, 08/19/2017 - 07:11
dj586

Hi

Would really appreciate some help with this.

I tried disabling and re-enabling the DKIM signing - but emails still not getting signed

cheers

Sat, 08/19/2017 - 14:11
Joe
Joe's picture

Is there anything in the maillog/mail.log about it, when sending a message?

Can you post the headers of a message sent from your Virtualmin system? (i.e. send an email, and look at the headers when it arrives) That'll tell us if signing is actually happening.

--

Check out the forum guidelines!

Sat, 08/19/2017 - 14:39
dj586

Hi Joe

Thanks for the response.

Here is an excerpt from a Yahoo header:

Received-SPF: none (domain of example.com does not designate permitted sender hosts)
Authentication-Results: mta1420.mail.bf1.yahoo.com  from=example.com; domainkeys=neutral (no sig);  from=example.com; dkim=neutral (no sig)

Thanks

Sat, 08/19/2017 - 16:11 (Reply to #4)
Joe
Joe's picture

No, I mean a header for a successfully delivered email. That's not the original headers from the message as it was sent out of your server, which is what I need to see to figure out if it's actually signing things. You can send mail to your own server, even. It just needs to go through the outgoing mail queue so Postfix can sign it and such.

And, we still need to see the entries in the mail.log or maillog when you try to send an email.

--

Check out the forum guidelines!

Sat, 08/19/2017 - 19:56
dj586

Hi Joe

Below is the result of a received email, viewing headers in Thunderbird

Return-Path: <apache@my.hostname>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
my.hostname
X-Spam-Level: ***
X-Spam-Status: No, score=3.4 required=5.0 tests=HTML_MESSAGE,
HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,NO_RELAYS,SUBJ_ALL_CAPS autolearn=no
version=3.3.1
X-Original-To: testadd@example.com
Delivered-To: testadd.example.com@my.hostname
Received: by my.hostname (Postfix, from userid 48)
id 0A1861661A30; Sun, 20 Aug 2017 00:53:35 +0000 (UTC)
To: testadd@example.com
Subject: DKIM 01:55
X-PHP-Originating-Script: 0:test-email.php
MIME-Version: 1.0
Content-type: text/html; UTF-8
From: TEST <testadd2@example.com>
Message-Id: <20170820005336.0A1861661A30@my.hostname>
Date: Sun, 20 Aug 2017 00:53:35 +0000 (UTC)

is this what you required?

the maillog seems to only contain some spam

Sun, 08/20/2017 - 14:02
ksihota

Not sure what your DNS setup is but my DNS is not on my main server but is provided by my host, so although it looked like my DNS records were all set up properly in Virtualmin I actually hadn't added the DNS text record for either DKIM or SPF to the real DNS server. Once I added these records to my real DNS server DKIM and SPF started to work properly.
Kim

Mon, 08/21/2017 - 03:32
dj586

Hi Kim,

Thanks for that.

Although my DNS is local, your post made me look into that side of things and I noticed that the reverse DNS had not been correctly setup with the host.

This has now been rectified by the host and I have updated the hostname accordingly.

Whether this was affecting the DKIM/SPF issue remains to be seen.

I am awaiting propagation before I continue with any more tests.

Regards

Darren

Mon, 08/21/2017 - 07:01
dj586

UPDATE

When I run a DKIM lookup on https://mxtoolbox.com/

I see the correct response:

v=DKIM1; k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlL8AO2Twj3Y4W4/0Cyq9K8hYnOIC6qBObtob7taz/1eCqPt/rVdYjT0V3HPRa0SAHU7MV8gzyCcomdZ5il8A3Pw+ArJQZI8aNO7+ALihKyQIy7KypZ0bw+1LBMsUoqtPZXTAN8LW9dCF9aYynAIQruQMvwn9x5PwVjnUwBeoHdD+tiLLIzMhip87WpwIg1HbC8wCa5ydTUKkcrU3J7qq16MmXwue4bGcvk1ABFl+gbj5x8e5VJgdWXIljh5Iv+MczfAUweQI2eFaxeVlNs0Up9j6fZMOlHylUzOl726BUElGTKZtA2S/stRL5qoaK/K7D7JPO8EVqbQnX6SJ5UkntwIDAQAB

ETC

However, I still get no SPF or DKIM signing from http://appmaildev.com/

SPF: None

Sender-IP:xx.xx.xx.xx (correct IP for reverse DNS)

Sender-Domain:myserver.com (correct hostname/domain for reverse DNS)

Query TEXT record from DNS server for: myserver.com

Exception: No records found for given DNS query

DKIM: None

DKIM-Result: none (no signature)

So I am presuming the problem lies in the emails not being signed by POSTFIX as they are being sent.

This is a production server, what would be the best (safest) way to capture the headers being added by Postfix?

FURTHER UPDATE:

I changed the setting: "What domain to use in outbound mail" in Postfix to use DOMAINNAME instead of HOSTNAME

I am now getting a PASS for SPF - but DKIM still failing

Thanks in advance for any further guidance

Darren

Mon, 08/21/2017 - 12:13
Joe
Joe's picture

I don't see a DKIM signature on that message. That looks like the following:

DKIM-Filter: OpenDKIM Filter v2.11.0 new.cloud.virtualmin.com 8BE391FA8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=new.cloud.virtualmin.com; s=default; t=1503252001;
bh=K2ZYWOI8FllBCThejtza427laAAdn5AyEETo//8rWCU=;
h=From:To:Subject:Date:From;
b=2z617WOkztcwZ93+7KmxfJ0o7siVJCMFduYtnqhRpcuoFQqIcbs+irUpVaTP5z8x/
VWwMsgyiZCprBUBPWIgq1QIDm1brdFEaQaFNnGBf0Gm79EKdchFAqeCS8s3iy8Apm5
6id172enC7j1kG0f1TPrkp6x8TFqF+DyHrw0j7bvC5Z7i0sqiJlXJw0sXB+XfwPjtE
49VcHQgS7xznGXG6oXTKnWC2Nk+fIoihqd0ArlEO+BbZObJN5OKVjlLvIqo/U4twMh
ItOJUWMx+UbWAjYprv1LUlY0i4PuiqrRFgt5B3iUAqzobtWYEcOsX9N+8NwchT3PHY
SnRiUWKRWaXKw==

So, that's where the problem lies. Maybe try disabling and re-enabling DKIM in Virtualmin (find that setting in Email Messages->DomainKey Identified Mail->Signing of outgoing mail enabled?), and see if DKIM signature begins to appear. I can't think of why it wouldn't sign your messages, if the feature is enabled.

--

Check out the forum guidelines!

Sat, 10/21/2017 - 12:20
brad100

Hi Darren @dj586 Did you manage to get your outgoing email signed ? Just going down the same route as you mxtoolbox says it is good, SPF is good - but my outgoing emails are not signed.. Kind Regards Brad

Tue, 10/24/2017 - 00:08
CEEWorld

One IMPORTANT factor to remember is that a policy record needs to be included for a domain. This is a text entry which tells a mail server how mail is signed by DKIM without it a DKIM signature will have issues.

Create a DNS txt record for your domain for the policy

Name: _domainkey.yoursite.tld

Message : o=-;

The above text tell the mail server that ALL messages are signed by DKIM and must be checked .. this is the strictest setting and best used IF you are being spoofed

A more relaxed version which tells a server receiving mail that some are signed is

Message: o=~;

Adding the policy may help and you will find your mail signed with your DKIM signature.

Tue, 10/24/2017 - 04:11
brad100

Hi @CEEWorld
Thank you for your reply.
May I ask for clarification on what you have suggested

  • Firstly am I including the selector in - like this myselector_domainkey when creating the txt record?
  • Secondly for the relaxed method you mentioned am I just adding " o=~; " ?


Kind Regards
Brad

Tue, 10/24/2017 - 11:05
CEEWorld

For the DKIM record you put your selector in front of _domainkey.yourdomain.td so it would look like this "yourselector_domainkey.yourdomain.tld

For the policy record you add NO selector is is just _domainkey.yourdomain.tld

Yes just add the o=~;

Tue, 10/31/2017 - 03:19
brad100

Hi @CEEWorld Thank you for your assistance - the main issue turned out to be a bug in my registrar DNS panel not properly removing txt records (after they were deleted) - I ended up with about 4 different yourselector_domainkey.yourdomain.tld records associated with my domain -

I switched my DNS to Cloudflare and had a green light in 5 minutes .

ATB Brad

Wed, 02/20/2019 - 08:08 (Reply to #15)
carras

Hi there,

I'm having the same problem as you. But I use Cloudflare, can you tell me how you manage to sign the emails?

Thanks.

Wed, 02/20/2019 - 08:21
brad100

Hi there In Virtualmin go to Email Settings > DomainKeys Identified Mail

The last section " DNS records for additional domains " has your cert

Step 1 create a new text record in Cloudflare use the cert name (for example 2019._domainkey) in the first field Step 2 copy the rest of the cert starting from v=DKIM1 (do not include the ") paste that record in a text editor and make the whole record one line removing all spaces and all (") that start and end each row . Step 3 paste your cert without spaces in the record box (cloudflare) and add the record. Step 4 wait 5 minutes and test

Hope this helps - if you get stuck paste your full record (before editing) here and I will try and help

Kind Regards Brad

Wed, 02/20/2019 - 08:26 (Reply to #17)
carras

Thanks, that's a perfect explanation.

But I have it that way but I don't get my email to send with the sign.

Any idea what I can be missing? Do you have to add the domain manual in the field "Additional domains to sign for"?

Wed, 02/20/2019 - 08:36
brad100

Hi Are you using Debian or Ubuntu? Kind Regards Brad

Wed, 02/20/2019 - 08:37
carras

Ubuntu 18.04.2 ; Latest LTS

Wed, 02/20/2019 - 09:06
brad100

Hi

On Debian I need to run

/lib/opendkim/opendkim.service.generate 

systemctl daemon-reload

service opendkim restart 

And than to test

netstat -natpu | grep opendkim

Hope that helps

Brad

Wed, 02/20/2019 - 09:21
carras

Yes, that solved it. Thanks a lot @brad100

Also could be helpful: https://www.virtualmin.com/node/59560

Mon, 04/08/2019 - 07:32
nikman

@brad100 you saved the day for me as well.

These commands solved it.

But I cannot figure out why this occurred. If someone could provide an explanation, it would be great.

I should mention that my /var/log/mail.warn log was full of:

postfix/smtpd[24329]: warning: connect to Milter service inet:localhost:8891: Connection refused