dkim on centos 6.5 over ISPconfig 3.0.5.4p6 - is not a good DKIM key record

Discussion in 'ISPConfig 3 Priority Support' started by nmazza, Jun 9, 2015.

  1. nmazza

    nmazza New Member HowtoForge Supporter

    Hello, till
    I had installed DKIM from
    https://www.howtoforge.com/set-up-d...working-with-postfix-on-centos-using-opendkim
    after that ...
    http://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/
    but, when I check DKIM with
    http://dkimcore.org/tools/keycheck.html
    This is not a good DKIM key record. You should fix the errors shown in red.
    DNS query failed for 'default._domainkey.sofiha-isp.com._domainkey.sofiha-isp.com':NXDOMAIN
    A public-key (p=) is required

    If I check
    cat /etc/opendkim/keys/example.com/default.txt
    default._domainkey IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC621j8C4rNFIQWX8wQR+kwZEwR2STK3GBQDb9b42Zl5ol9859JGtGqSGd2NrknCrfQfPlgEg/RDI3JMGGklMS4sfthDyT2YbUTqasvtRGDOelIicRDazlmTqK0WadPBfIPSNUIVYpAZpwSyX5Dl/z1bizN5/4SBFFGnohWDG+ZkwIDAQAB" ; ----- DKIM default for example.com

    I had added to my DNS over Linode DNS Manager a TXT record.
    Name: default._domainkey
    Value: v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC621j8C4rNFIQWX8wQR+kwZEwR2STK3GBQDb9b42Zl5ol9859JGtGqSGd2NrknCrfQfPlgEg/RDI3JMGGklMS4sfthDyT2YbUTqasvtRGDOelIicRDazlmTqK0WadPBfIPSNUIVYpAZpwSyX5Dl/z1bizN5/4SBFFGnohWDG+ZkwIDAQAB

    And the amavis checks ...
    amavisd -c /etc/amavisd/amavisd.conf showkeys
    ; key#1, domain example.com, /var/db/dkim/example.com-foo.key.pem
    foo._domainkey.example.com. 3600 TXT (
    "v=DKIM1; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+yVFt3inZrvUWCpJBSbX8qJ6g"
    "UwIx36ai5jPJT5qvlkGcDxNsc6RLj+IJ9sjB2KBl1Ljn6WZSO2YFsiDO3nMo3BFW"
    "begK+0ee0yniYgTMDDL9cG5iUVGufIp2qczwJTyogEigf4gLuLdAalnuQEwfYeal"
    "tB+Rr2t+pNGj9I794QIDAQAB")
    and
    amavisd -c /etc/amavisd/amavisd.conf testkeys
    TESTING#1: foo._domainkey.example.com => invalid (public key: not available)
    I'll appreciate your cooperation.
    Nestor Mazza
     
    Last edited: Jun 9, 2015
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Seems you created your dns entry with "default" as name, but dkim expects "foo".
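
The selector mismatch pointed out in this reply can be checked offline by comparing the record names that `amavisd showkeys` prints with the names actually published in DNS. The following Python sketch is an added example, not code from the thread or from ISPConfig; the key material and the `PUBLISHED` mapping are constructed placeholders, and all function names are hypothetical.

```python
import base64
import re

def dkim_query_name(selector, domain):
    """Name a verifier looks up for s=selector, d=domain."""
    if "_domainkey" in selector:
        raise ValueError("selector must be the bare label, not the full record name")
    return f"{selector}._domainkey.{domain}".rstrip(".").lower()

def parse_key_record(txt):
    """Split a DKIM key record into tags; accepts dig's escaped '\\;' form."""
    txt = txt.replace("\\;", ";").replace('"', "")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def parse_showkeys(text):
    """Yield (record name, tags) for each key printed by 'amavisd showkeys'."""
    pattern = re.compile(r"^(\S+\._domainkey\.\S+)\s+\d+\s+TXT\s+\((.*?)\)", re.M | re.S)
    for name, body in pattern.findall(text):
        record = "".join(re.findall(r'"([^"]*)"', body))
        yield name.rstrip(".").lower(), parse_key_record(record)

def check_keys(showkeys_text, published):
    """Compare signer keys with published TXT data (name -> record string)."""
    results = {}
    for name, local in parse_showkeys(showkeys_text):
        if name not in published:
            results[name] = "no TXT record at this name"
            continue
        p = parse_key_record(published[name]).get("p", "")
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            p = None
        if not p:
            results[name] = "p= missing, empty or not base64"
        elif p != local.get("p"):
            results[name] = "p= differs from the signing key"
        else:
            results[name] = "ok"
    return results

# Constructed sample: placeholder key data in the layout of showkeys output,
# with the TXT record published under a different selector than the signer uses.
SHOWKEYS = '''; key#1, domain example.com, /var/db/dkim/example.com-foo.key.pem
foo._domainkey.example.com. 3600 TXT (
  "v=DKIM1; p="
  "QUJDREVGR0hJSktM"
  "TU5PUFFSU1RVVldY")
'''
PUBLISHED = {"default._domainkey.example.com":
             "v=DKIM1\\; k=rsa\\; p=QUJDREVGR0hJSktMTU5PUFFSU1RVVldY"}
```

`check_keys(SHOWKEYS, PUBLISHED)` reports that nothing is published at `foo._domainkey.example.com`, and `dkim_query_name` rejects a selector that already contains `_domainkey`, which is how a doubled name like the one in the key-check error above arises.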
     
  3. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Instead of using opendkim and creating everything manually, you can also install the dkim-patch.
     
  4. nmazza

    nmazza New Member HowtoForge Supporter

    Thanks for your answer, let me try it.

    Nestor
    regards
     
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    But make sure, that you disable dkim-signing with opendkim.
     
  6. nmazza

    nmazza New Member HowtoForge Supporter

    Hello, again.
    I'm in a wrong concept, let me step by step.
    I think, I have an issue before dkim amavisd.conf settings
    I had updated amavisd.conf
    vim /etc/amavisd/amavisd.conf
    #$enable_dkim_verification = 1;
    #$enable_dkim_signing = 1;
    #dkim_key('example.com', 'foo', '/var/db/dkim/example-foo.key.pem');
    #@dkim_signature_options_bysender_maps = (
    #{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
    #@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
    192.168.0.0/16);
    and
    # reboot, and after reboot
    # tail -f /var/log/maillog
    Jun 9 21:57:44 mail postfix/smtpd[2036]: 2C6B7494E: client=unknown[127.0.0.1]
    Jun 9 21:57:44 mail postfix/cleanup[2001]: 2C6B7494E: message-id=<[email protected]>
    Jun 9 21:57:44 mail opendkim[1989]: 2C6B7494E: no signing table match for '[email protected]'
    Jun 9 21:57:44 mail opendkim[1989]: 2C6B7494E: no signature data
    I think this is my first issue.
    Any idea to solve them.

    Let me one more thing ...
    # yum install opendkim
    Loaded plugins: fastestmirror, priorities
    Setting up Install Process
    Loading mirror speeds from cached hostfile
    * base: mirrors.linode.com
    * epel: epel.check-update.co.uk
    * extras: mirrors.linode.com
    * rpmforge: www.mirrorservice.org
    * updates: mirrors.linode.com
    1654 packages excluded due to repository priority protections
    Resolving Dependencies
    --> Running transaction check
    ---> Package opendkim.x86_64 0:2.10.3-1.el6 will be installed
    --> Processing Dependency: libopendkim(x86-64) = 2.10.3-1.el6 for package: opendkim-2.10.3-1.el6.x86_64
    --> Processing Dependency: libbsd.so.0(LIBBSD_0.0)(64bit) for package: opendkim-2.10.3-1.el6.x86_64
    --> Processing Dependency: libopendkim.so.10()(64bit) for package: opendkim-2.10.3-1.el6.x86_64
    --> Processing Dependency: libopendbx.so.1()(64bit) for package: opendkim-2.10.3-1.el6.x86_64
    --> Processing Dependency: libbsd.so.0()(64bit) for package: opendkim-2.10.3-1.el6.x86_64
    --> Running transaction check
    ---> Package libbsd.x86_64 0:0.6.0-1.el6 will be installed
    ---> Package libopendkim.x86_64 0:2.10.3-1.el6 will be installed
    ---> Package opendbx.x86_64 0:1.4.6-6.el6 will be installed
    --> Finished Dependency Resolution

    May I update opendkim using yum, because you offer me another page with a Patch.
    http://blog.schaal-24.de/ispconfig/dkim-patch-1-0/?lang=en
    regards
    Nestor Mazza
     
  7. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    With
    you define a dkim-key for the domain example.com using the delimiter foo. The delimiter is needed for the dns-record while the domain is used to sign mails for the domain.

    occurs due to the difference between example.com and mail.example.com in the domainname.

    I don't use opendkim to sign any mails with dkim (but on some servers to verify them with opendmarc). With the patch from #3 you don't need opendkim. Amavis will be integrated in postfix and sign the mails.
     
  8. nmazza

    nmazza New Member HowtoForge Supporter

    Hello, Florian
    I had updated my ISPConfig 3.0.5.4 sp6 to ISPConfig with 3.0.5.4 sp8
    after that
    chmod -R 750 /var/lib/amavis
    and Adjust the server config under Mail

    /var/lib/amavis
    I had updated in ISPConfig for My Domain, under Mail Domain
    for sofiha-isp.com domain
    enable DKIM (checked)
    after that
    Generate DKIM Private-key
    and in
    DNS-Record
    .default_domainkey._sofiha-isp.com. 3600 TXT v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD8Q3xInIUlPkaWt7+Y4e/SkcgSkkXvJywTE/kmkCozEkTkYCXf1SwxaMaF2o8pAvo3IdN9qGTvTDPWWMT8wLct6+oxiOSax/PcpKgNOL4MSEp2U9911uzzArHfFCbf8Q69S1IML0Q/YxOwGX/LWcV8pi2DBjVoWo2R7iN9Bd0aMwIDAQAB
    Remember, I have my DNSs in DNS Manager of Linode.
    I had updated my old TXT record with the following
    Name: default_domainkey._
    Value: v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD8Q3xInIUlPkaWt7+Y4e/SkcgSkkXvJywTE/kmkCozEkTkYCXf1SwxaMaF2o8pAvo3IdN9qGTvTDPWWMT8wLct6+oxiOSax/PcpKgNOL4MSEp2U9911uzzArHfFCbf8Q69S1IML0Q/YxOwGX/LWcV8pi2DBjVoWo2R7iN9Bd0aMwIDAQAB
    and Finally a simple test
    # echo " This is a test mail " | mail -s "OpenDKIM test mail" [email protected]
    tail -f /var/log/maillog
    Jun 11 12:15:24 mail postfix/smtpd[1970]: NOQUEUE: filter: RCPT from localhost[127.0.0.1]: <[email protected]-isp.com>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]-isp.com> to=<[email protected]> proto=ESMTP helo=<mail.sofiha-isp.com>
    Jun 11 12:15:24 mail postfix/smtpd[1970]: B608B4906: client=localhost[127.0.0.1], sasl_sender=[email protected]-isp.com
    Jun 11 12:15:24 mail postfix/cleanup[2015]: B608B4906: message-id=<[email protected]-isp.com>
    Jun 11 12:15:24 mail opendkim[2006]: B608B4906: no signing table match for '[email protected]-isp.com'
    Jun 11 12:15:24 mail opendkim[2006]: B608B4906: no signature data
    Jun 11 12:15:24 mail postfix/qmgr[1889]: B608B4906: from=<[email protected]-isp.com>, size=735, nrcpt=1 (queue active)
    Jun 11 12:15:24 mail sendmail[2099]: t5BCFOpo002099: to=[email protected], ctladdr=centos (500/500), delay=00:00:00, xdelay=00:00:00, mailer=relay, pri=30248, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (Ok: queued as B608B4906)
    Jun 11 12:15:24 mail postfix/smtp[2023]: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
    Jun 11 12:15:24 mail postfix/smtp[2023]: B608B4906: to=<[email protected]>, relay=none, delay=0.05, delays=0.05/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
    Jun 11 12:15:24 mail postfix/smtpd[1970]: disconnect from localhost[127.0.0.1]
    Any idea why Not Work?
    I think I'll have to wait, Linode DNS Manager updates during today.
    Regards
    Nestor Mazza
     
    Last edited: Jun 11, 2015
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    You really get a dns-record like ".default_domainkey._sofiha-isp.com." in the interface? And not "default._domainkey.sofiha-isp.com."?
    The dkim-key exists for mail.sofiha-isp.com? Check this with
    Code:
    amavisd-new showkey mail.sofiha-isp.com
    I don't know how Linode's interface works. But you need a record like
    name: default._domainkey.mail.sofiha-isp.com.
    type: TXT
    data: v=DKIM1; t=s; p=....
     
  10. nmazza

    nmazza New Member HowtoForge Supporter

    Hello, again
    I had updated amavisd.conf
    $inet_socket_port = [10024,10026];
    because after install
    $inet_socket_port = 10024; # listen on this local TCP port(s)
    # $inet_socket_port = [10024,10026]; # listen on multiple TCP ports
    and now
    echo " This is a test mail " | mail -s "OpenDKIM test mail" [email protected]
    works fine ...
    # amavisd -c /etc/amavisd/amavisd.conf showkeys
    ; key#1, domain sofiha-isp.com, /var/lib/amavis/dkim/sofiha-isp.com.private
    default._domainkey.sofiha-isp.com. 3600 TXT (
    "v=DKIM1; p="
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD8Q3xInIUlPkaWt7+Y4e/SkcgS"
    "kkXvJywTE/kmkCozEkTkYCXf1SwxaMaF2o8pAvo3IdN9qGTvTDPWWMT8wLct6+ox"
    "iOSax/PcpKgNOL4MSEp2U9911uzzArHfFCbf8Q69S1IML0Q/YxOwGX/LWcV8pi2D"
    "BjVoWo2R7iN9Bd0aMwIDAQAB")
    But
    # amavisd -c /etc/amavisd/amavisd.conf testkeys
    TESTING#1: default._domainkey.sofiha-isp.com => invalid (public key: not available)
    I can see, one more thing in amavisd.conf
    # $notify_method = 'smtp:[127.0.0.1]:10025';
    # $forward_method = 'smtp:[127.0.0.1]:10025'; # set to undef with milter!
    Are ok, comment out ?

    I'll appreciate your cooperation
    Thanks again!
     
    Last edited: Jun 12, 2015
  11. nmazza

    nmazza New Member HowtoForge Supporter

    Thanks, I'm writing to Linode, because the length of the Name field in their DNS Manager is less than I need
    for default._domainkey.mail.sofiha-isp.com.
    regards
    Nestor Mazza
     
  12. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    If the txt-record is limited, just use a key-strength of 1024
     
  13. nmazza

    nmazza New Member HowtoForge Supporter

    Hello, Florian
    I'll offer you Linode answer
    Hello Nestor,
    The length of the name field is dependent on the DNS specification - in other words, the maximum length is 255 as the specification states.
    At this time your TXT record is functioning as expected, please let us know if there is anything else we can do for you.
    Regards,
    Jonathan
    # dig +short TXT default._domainkey.mail.sofiha-isp.com
    "v=DKIM1\; t=s\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD8Q3xInIUlPkaWt7+Y4e/SkcgSkkXvJywTE/kmkCozEkTkYCXf1SwxaMaF2o8pAvo3IdN9qGTvTDPWWMT8wLct6+oxiOSax/PcpKgNOL4MSEp2U9911uzzArHfFCbf8Q69S1IML0Q/YxOwGX/LWcV8pi2DBjVoWo2R7iN9Bd0aMwIDAQAB"

    Let me another question.
    # amavisd-new showkey mail.sofiha-isp.com
    -bash: amavisd-new: command not found
    Thanks again
    Regards
    Nestor
     
  14. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Your DNS record looks ok. If your OS does not know amavis-new, try amavisd
     
  15. nmazza

    nmazza New Member HowtoForge Supporter

    Hello,
    Until now DKIM aren't signing e-mails, and GMAIL recipient is as SPAM box
    Let me show you, maillog

    Jun 16 16:14:08 mail postfix/smtpd[18967]: connect from unknown[190.18.121.6]
    Jun 16 16:14:09 mail dovecot: auth: mysql: Connected to localhost (dbispconfig)

    Jun 16 16:14:09 mail postfix/smtpd[18967]: NOQUEUE: filter: RCPT from unknown[190.18.121.6]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<SOPORTEPC>
    Jun 16 16:14:09 mail postfix/smtpd[18967]: D73A14852: client=unknown[190.18.121.6], sasl_method=PLAIN, sasl_username=[email protected]
    Jun 16 16:14:10 mail postfix/smtpd[18967]: D73A14852: filter: RCPT from unknown[190.18.121.6]: <[email protected]>: Sender address triggers FILTER amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<SOPORTEPC>
    Jun 16 16:14:10 mail postfix/cleanup[18981]: D73A14852: message-id=<[email protected]>

    Jun 16 16:14:10 mail opendkim[1979]: D73A14852: no signing table match for '[email protected]'
    Jun 16 16:14:11 mail opendkim[1979]: D73A14852: no signature data

    Jun 16 16:14:11 mail postfix/qmgr[1864]: D73A14852: from=<[email protected]>, size=637, nrcpt=2 (queue active)
    Jun 16 16:14:11 mail clamd[1768]: SelfCheck: Database status OK.
    Jun 16 16:14:11 mail postfix/smtpd[18967]: disconnect from unknown[190.18.121.6]
    Jun 16 16:14:12 mail postfix/smtpd[18985]: connect from localhost[127.0.0.1]
    Jun 16 16:14:12 mail postfix/smtpd[18985]: AE30B49FD: client=localhost[127.0.0.1]
    Jun 16 16:14:12 mail postfix/cleanup[18981]: AE30B49FD: message-id=<[email protected]>
    Jun 16 16:14:12 mail opendkim[1979]: AE30B49FD: no signing table match for '[email protected]'
    Jun 16 16:14:13 mail opendkim[1979]: AE30B49FD: key retrieval failed (s=default, d=sofiha-isp.com): 'default._domainkey.sofiha-isp.com' record not found

    Jun 16 16:14:13 mail postfix/qmgr[1864]: AE30B49FD: from=<[email protected]>, size=1522, nrcpt=2 (queue active)
    Jun 16 16:14:13 mail postfix/smtpd[18985]: disconnect from localhost[127.0.0.1]

    Jun 16 16:14:13 mail amavis[29397]: (29397-09) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [190.18.121.6]:60421 [190.18.121.6] <[email protected]> -> <[email protected]>,<[email protected]>, Message-ID: <[email protected]>, mail_id: 58TkNdXH1LT3, Hits: 0.213, size: 603, queued_as: AE30B49FD, dkim_new=default:sofiha-isp.com, 1789 ms
    Jun 16 16:14:13 mail postfix/smtp[18982]: D73A14852: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=3.6, delays=1.8/0.05/0/1.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as AE30B49FD)
    Jun 16 16:14:13 mail postfix/smtp[18982]: D73A14852: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=3.6, delays=1.8/0.05/0/1.8, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as AE30B49FD)
    Jun 16 16:14:13 mail postfix/qmgr[1864]: D73A14852: removed
    Jun 16 16:14:13 mail dovecot: lda([email protected]): sieve: msgid=<[email protected]>: stored mail into mailbox 'INBOX'
    Jun 16 16:14:13 mail postfix/pipe[18987]: AE30B49FD: to=<[email protected]>, relay=dovecot, delay=0.57, delays=0.53/0.02/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)
    Jun 16 16:14:14 mail postfix/smtp[18988]: AE30B49FD: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c05::1a]:25, delay=1.6, delays=0.53/0.07/0.1/0.93, dsn=2.0.0, status=sent (250 2.0.0 OK 1434471254 q14si2578550wju.110 - gsmtp)
    Jun 16 16:14:14 mail postfix/qmgr[1864]: AE30B49FD: removed
    Any idea
    I need to solve this as soon as possible, because I have problems with some of my clients.
    Regards
    Nestor
     
  16. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    The mail was signed by amavis: queued_as: AE30B49FD, dkim_new=default:sofiha-isp.com

    You should not mix opendkim and amavis to add dkim-signatures
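
To see from a maillog which daemon handled DKIM for each message, the opendkim lines and the amavis `dkim_new=` field can be grouped by Postfix queue ID. This Python sketch is an added example, not code from the thread; the log lines are constructed in the format shown above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

OPENDKIM = re.compile(r"opendkim\[\d+\]: (?P<qid>[0-9A-F]+): (?P<msg>.*)")
AMAVIS = re.compile(r"amavis\[\d+\]: .*queued_as: (?P<qid>[0-9A-F]+), "
                    r"dkim_new=(?P<sel>[^:,\s]+):(?P<dom>[^,\s]+)")

def dkim_activity(lines):
    """Group DKIM-related log events by Postfix queue ID."""
    events = defaultdict(list)
    for line in lines:
        m = AMAVIS.search(line)
        if m:
            # amavis logs the queue ID of the re-injected, signed message
            events[m["qid"]].append(("amavis", f"signed s={m['sel']} d={m['dom']}"))
            continue
        m = OPENDKIM.search(line)
        if m:
            events[m["qid"]].append(("opendkim", m["msg"]))
    return dict(events)

def findings(events):
    """Flag messages both daemons handled, and ones opendkim saw unsigned."""
    out = {}
    for qid, evs in events.items():
        who = {name for name, _ in evs}
        msgs = [msg for name, msg in evs if name == "opendkim"]
        if who == {"amavis", "opendkim"}:
            out[qid] = "amavis signed; opendkim also in the path: " + "; ".join(msgs)
        elif "amavis" in who:
            out[qid] = "signed by amavis only"
        elif any("no signature data" in m for m in msgs):
            out[qid] = "not signed when opendkim saw it"
    return out

# Constructed sample lines (queue IDs and addresses are placeholders).
LOG = [
    "Jun 16 16:14:10 mail opendkim[1979]: 1A2B3C4D5: no signing table match for 'user@example.com'",
    "Jun 16 16:14:11 mail opendkim[1979]: 1A2B3C4D5: no signature data",
    "Jun 16 16:14:13 mail opendkim[1979]: 9F8E7D6C5: key retrieval failed "
    "(s=default, d=example.com): 'default._domainkey.example.com' record not found",
    "Jun 16 16:14:13 mail amavis[29397]: (29397-09) Passed CLEAN {RelayedOutbound}, "
    "size: 603, queued_as: 9F8E7D6C5, dkim_new=default:example.com, 1789 ms",
]
```

Running `findings(dkim_activity(LOG))` shows the first queue ID leaving opendkim unsigned and the second one signed by amavis while opendkim is still attached to the same mail path.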
     
  17. nmazza

    nmazza New Member HowtoForge Supporter

    Ok!, but why the messages end in SPAM box on GMAIL?
    Let me a little new comment, if I use opendkim for sign them, the messages end in InBOX on GMAIL, I had checked in my PRODUCTION SERVER sofihacloud.com.ar and works fine and NOT SPAM Box on GMAIL, but I'm out the latest ISPConfig 3 and maybe a problem in a future.
    I will be out of any updates, because opendkim is out of the ISPConfig3 box.
    Regards.
    Nestor
     
  18. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    You may find the information for "why it's spam" in the header in your gmail inbox.
     
  19. nmazza

    nmazza New Member HowtoForge Supporter

    Hello, again
    Another problem in my PRODUCTION SERVER,
    All the contact form are NOT working after update ISPConfig sp5 to sp8
    Let me show you ...
    ==========================================
    The original message was received at Sat, 20 Jun 2015 04:08:19 GMT
    from [email protected]

    ----- The following addresses had permanent fatal errors -----
    [email protected];[email protected]

    ----- Transcript of session follows -----
    553 5.1.3 [email protected];[email protected]... Invalid route address
    ==========================================

    Reporting-MTA: dns; mail.sofihacloud.com.ar
    Arrival-Date: Sat, 20 Jun 2015 04:08:19 GMT

    Final-Recipient: RFC822; [email protected];[email protected]
    X-Actual-Recipient: rfc822; "553 Invalid route address"@mail.sofihacloud.com.ar
    Action: failed
    Status: 5.1.3
    Last-Attempt-Date: Sat, 20 Jun 2015 04:08:19 GMT
    =========================================
    Let me say you,
    in this SERVER I had updated ISPConfig sp8 only
    dkim-latest_ispconfig3.tar.gz is not installed in this server.
    I also installed opendkim and opendmarc through yum.
    Thanks
    I'll appreciate your cooperation again
     
    Last edited: Jun 20, 2015
  20. nmazza

    nmazza New Member HowtoForge Supporter

    I think because the Sender email address is not in the GMail contact list Recipient email address.
    If I add the sender email address to my GMail contact list, the next message FROM the sender is not end in SPAM Box.
    Regards
    Nestor
     
    Last edited: Jun 20, 2015
