DKIM Not Signing Email

Discussion in 'Installation/Configuration' started by LinuxPete, Nov 28, 2017.

  1. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Hi,
    In the process of of setting up DMARC I found I had DKIM problems.

    DKIMVALIDATOR (http://dkimvalidator.com) returns "This message does not contain a DKIM Signature"
    I've gone through the DKIM debug at https://blog.schaal-24.de/dkim/debug-2/?lang=en
    and the commands that did not return valid information were those to "query your own DNS"
    dig @ns.example.com default._domainkey.example.com TXT
    and
    dig @127.0.0.1 default._domainkey.example.com TXT
    These did not return an answer.

    However netstat -nap | grep \:53 did show it was listening on port 53
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 10.0.0.20:53 0.0.0.0:* LISTEN 1612/named
    tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1612/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1612/named
    tcp 0 0 10.0.0.20:143 70.88.86.213:53439 ESTABLISHED 29518/dovecot/imap-
    tcp6 0 0 :::53 :::* LISTEN 1612/named
    udp 0 0 10.0.0.20:53 0.0.0.0:* 1612/named
    udp 0 0 q192.168.122.1:53 0.0.0.0:* 1858/dnsmasq
    udp 0 0 192.168.122.1:53 0.0.0.0:* 1612/named
    udp 0 0 127.0.0.1:53 0.0.0.0:* 1612/named
    udp6 0 0 :::53 :::* 1612/named
    I've checked and double checked the records in Isconfig3 and did a resync as well as checked the records at zoneedit.com
    Any suggestions on how to proceed with this problem.

    Thanks Ray
     
  2. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Let me give a little background on my system:
    The Perfect Server w/Centos 7, Maria DB, Nginx, Round Cube.
    I am hosting multiple servers.
     
  3. florian030

    florian030 ISPConfig Developer ISPConfig Developer

  4. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Thanks, Florian. But from my above text, I went through that debug tutorial (a good one at that) [I've gone through the DKIM debug at https://blog.schaal-24.de/dkim/debug-2/?lang=en and the commands that did not return valid information were those to "query your own DNS"]
    When I did a query on my own DNS (the one set up by ISPconfig), it did not return an answer with data.
    dig @ns.example.com default._domainkey.example.com TXT
    dig @127.0.0.1 default._domainkey.example.com TXT
     
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    if your own dns gives you no dkim, the keys are missing in the zone-files. check the zone in ispconfig and the files in /etc/bind/pri*
     
  6. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Well Florian,
    I've gone from bad to worse on my troubleshooting this problem.
    1) there are dns records in my ISPconfig
    2) but /etc/bind does not exist
    3) I installed amavisd-new and I lost the ability to send emails. (I removed it but still no email send.) In the maillog I get a refused.
    When I do a netstat -tap I cannot find anything on 25 and for 10025 I get (I assume postfix):
    localhost:10025 0.0.0.0:* LISTEN 5658/master
    At this point I'm not sure what to tackle first???
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    This can be fine, the directory on CentOS is /etc/named/ if I remember correctly, /etc/bind/ is the directory on Ubuntu and Debian.

    I wonder why it was not installed as it is part of every ISPConfig setup. Do you remember which tutorial you used to install your server?
     
  8. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Yes. It was The Perfect Server - CentOS 7 x86_64 (nginx, Dovecot, ISPConfig 3) - 2014/11
    I will re-install amavisd-new and take a look at take another look at your tutorial for DKIM.
    1) I took a look at the PDF for the install at step #13 it says:
    13 Install Amavisd-new, SpamAssassin, And ClamAV
    I have a check next to it so I performed it.
    Checking Yegors tutorial to patch ispconfig 3 @ http://blog.yegorgavrilov.com/2013/07/fix-dkim-issue-in-ispconfig3.html
    I checked and all the steps were there, except the last one on the /etc/amavis.conf file:
    #DKIM
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1; # load DKIM signing code,
    @dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

    I added this.
     
    Last edited: Nov 30, 2017
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That guide from Yegor is completely outdated and the Dkim code is in ISPConfig already for a log time, do not do this as it will break your server. Just install amavisd and ispconfig as shown in the perfect server guide. In case your server has not enough entropy to create dkim keys, then you might have to install the additional package 'haveged' with yum.
     
  10. LinuxPete

    LinuxPete Member HowtoForge Supporter

    OK. I backed out the old tutorial, rechecked the "Perfect Server for Centos 7, ifconfig 3, etc. But I still am having DKIM problems. Now It looks like I"ve caused a problem that stopped the email from working.
    I am doing a tail -f /var/maillog and when I email I get a connection refused:
    status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
    I have checked to make sure that port is in the iptables and no other service is using it.
    netstat -a -n
    To be honest, I wish I had all the background to thoroughly understand this and troubleshoot it but I am beginning to wonder if it would be better to take the system down in the middle of the night and just rebuild???
     
  11. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    is amavis running and listening on ports 10024 and 10026?
    ps -ef|grep amavis
    netstat -tanp|grep 1002
     
  12. LinuxPete

    LinuxPete Member HowtoForge Supporter

    It looks like amavis is running and its listening on ports 10024, 10025, 10027
    [[email protected] ~]# ps -ef|grep amavis
    amavis 1769 1 0 Nov12 ? 00:28:47 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --foreground=yes
    amavis 13590 1 0 Dec03 ? 00:00:03 /sbin/amavisd (master)
    amavis 13591 13590 0 Dec03 ? 00:00:02 /sbin/amavisd (ch7-avail)
    amavis 13592 13590 0 Dec03 ? 00:00:01 /sbin/amavisd (ch6-avail)

    [[email protected] ~]# netstat -tanp|grep 1002
    tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 31638/master
    tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 13590/amavisd (mast
    tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 31638/master

    I do notice from iptables -L -nv I only have 10024 open. Do I need to open 10027, and 10025?
     
  13. LinuxPete

    LinuxPete Member HowtoForge Supporter

    Quick update:
    I did open up ports 10027 & 10025 in iptables. But still no change.
     
  14. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    sorry, it's 10024,10026 for amavis. 10025,10027 is for postfix.
     
  15. LinuxPete

    LinuxPete Member HowtoForge Supporter

    I opened a port for 10026 tried a test msg and still the same result.
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10024
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10027
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10025
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10026
    I changed the /etc/amavisd.conf and set $log_level = 5;

    Did a reboot and found the information below in the maillog:

    Dec 7 11:30:16 localhost amavis[15475]: starting. /sbin/amavisd at avalon.chi-linux.net amavisd-new-2.11.0 (20160426), Unicode aware, LANG="en_US.UTF-8"
    Dec 7 11:30:18 localhost amavis[15476]: Net::Server: Group Not Defined. Defaulting to EGID '995 995'
    Dec 7 11:30:18 localhost amavis[15476]: Net::Server: User Not Defined. Defaulting to EUID '996'
    Dec 7 11:30:18 localhost amavis[15476]: No ext program for .rar, tried: rar, unrar
    Dec 7 11:30:18 localhost amavis[15476]: No ext program for .lha, tried: lha
    Dec 7 11:30:18 localhost amavis[15476]: No ext program for .tnef, tried: tnef
    Dec 7 11:30:18 localhost amavis[15476]: No decoder for .lha
    Dec 7 11:30:18 localhost amavis[15476]: No decoder for .rar
    Dec 7 11:30:18 localhost amavis[15476]: Using primary internal av scanner code for ClamAV-clamd
    Dec 7 11:30:18 localhost amavis[15476]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
    Dec 7 11:30:19 localhost amavis[15476]: DKIM signature verification disabled, corresponding features not available. If not intentional, consider enabling it by setting: $enable_dkim_verification to 1, or explicitly disable it by setting it to 0 to mute this warning.
    Dec 7 11:30:30 localhost amavis[15476]: (!)Net::Server: 2017/12/07-11:30:30 Re-exec server during HUP

    *** To change the problem, I turned off DKIM for all domains. ****
    Well, this did not change the problem.

    Also, now when I do a ps aux | grep amavis:
    amavis 15476 0.7 2.9 379396 112992 ? Ss 11:30 0:03 /sbin/amavisd (master)
    amavis 15491 0.0 2.7 380924 104096 ? S 11:30 0:00 /sbin/amavisd (virgin child)
    amavis 15492 0.0 2.7 380924 104060 ? S 11:30 0:00 /sbin/amavisd (virgin child)

    I have a router between the server and the Internet, does it make sense to open the ports on it also.
    Thanks
     
  16. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    "DKIM signature verification disabled" - please check, that you installed everythin accoring to the perfect-setups.
     
  17. LinuxPete

    LinuxPete Member HowtoForge Supporter

    thanks florian, I did and rebuilt the sever with Debian 9.It seems I could not make any progress with this issue.
    This post can be closed
     

Share This Page