Dkim Signature Error: No DKIM-Signature header found and Allignment

Discussion in 'General' started by emaddaou, May 5, 2022.

  1. emaddaou

    emaddaou New Member HowtoForge Supporter

    Dear ISPConfig,
    I have successfully installed an ISPConfig server behind an OPNSense Firewall for our assembly.
    Using the links of MX Record header check below, you will see that when I send email from Protonmail, all is green checked and looks great, hence proton is signing their Emails with signature the way it should be, but when I send Email from our Assembly domain to my personal Email ISPConfig server, there is no signature at all.
    However, If I send email from my personal Email server, it got signed, but my personal ISPConfig server is not behind OPNSense Firewall and uses only local ufw. Is it the OPNSense preventing the signing or am I missing something at our assembly ISPConfig Server?
    Header analyses sent by Protonmail to our assembly server
    https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=a5499b4b-ff84-4bec-9415-f746d3f91e42
    Header analyses sent by our assembly server to my personal server
    https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=b2c96a00-ddf4-48e4-8a36-52f343199d7d
    Header analyses sent by my personal server to our assembly server
    https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=244cadc2-09a8-47c2-97f9-39c7dafa13d0
    Here is the spf, DMARC, and DKIM result for our assembly all seems good.
    https://mxtoolbox.com/SuperTool.aspx?action=dmarc:georgianationals.org&run=toolpage
    https://mxtoolbox.com/SuperTool.aspx?action=dmarc:georgianationals.org&run=toolpage

    https://mxtoolbox.com/SuperTool.aspx?action=dkim:default._domainkey.georgianationals.org&run=toolpage
    What is it am missing, please help.
    Source from our Assembly domain missing the signature

    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from whs.imaddaou.com
        by whs.imaddaou.com (Dovecot) with LMTP id RGTxIxC5cmK5DAAAUyo7cQ
        for <[email protected]>; Wed, 04 May 2022 10:34:08 -0700
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by whs.imaddaou.com (Postfix) with ESMTP id 8CCC03A0958
        for <[email protected]>; Wed,  4 May 2022 10:34:08 -0700 (PDT)
    X-Virus-Scanned: Debian amavisd-new at whs.imaddaou.com
    Received: from whs.imaddaou.com ([127.0.0.1])
        by localhost (whs.imaddaou.com [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id BQS_0cgAYkn0 for <[email protected]>;
        Wed,  4 May 2022 10:34:08 -0700 (PDT)
    Received: from mail.georgianationals.org (fw.georgianationals.org [209.145.56.136])
        by whs.imaddaou.com (Postfix) with ESMTPS id EF3573A0581
        for <[email protected]>; Wed,  4 May 2022 10:34:07 -0700 (PDT)
    Received: from [192.168.11.10] (107-213-209-81.lightspeed.tukrga.sbcglobal.net [107.213.209.81])
        (Authenticated sender: [email protected])
        by mail.georgianationals.org (Postfix) with ESMTPSA id 827AA100070
        for <[email protected]>; Wed,  4 May 2022 13:34:06 -0400 (EDT)
    To: Imad Daou <[email protected]>
    From: Georgia Assembly IT <[email protected]>
    Subject: Test DKIM
    Message-ID: <[email protected]>
    Date: Wed, 4 May 2022 13:34:06 -0400
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
     Thunderbird/78.14.0
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="------------3B28DB28D79F7C4406BD27EF"
    Content-Language: en-US
    
    This is a multi-part message in MIME format.
    --------------3B28DB28D79F7C4406BD27EF
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit
    
    
    
    --------------3B28DB28D79F7C4406BD27EF
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: 7bit
    
    <html>
      <head>
    
        <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      </head>
      <body>
        <p><br>
        </p>
      </body>
    </html>
    
    --------------3B28DB28D79F7C4406BD27EF--
    
    Source by my personal Email ISPConfig server showing the signature
    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from mail.georgianationals.org
        by mail.georgianationals.org with LMTP
        id sEizNd64cmI5bAAA+/slsg
        (envelope-from <[email protected]>)
        for <[email protected]>; Wed, 04 May 2022 13:33:18 -0400
    Received: from fw.georgianationals.org (fw.georgianationals.org [10.20.50.1])
        by mail.georgianationals.org (Postfix) with ESMTPS id D82E3100070
        for <[email protected]>; Wed,  4 May 2022 13:33:18 -0400 (EDT)
    Received: from pmg.georgianationals.org (pmg.georgianationals.org [209.145.56.137])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by fw.georgianationals.org (Postfix) with ESMTPS id 23661943091
        for <[email protected]>; Wed,  4 May 2022 13:33:18 -0400 (EDT)
    Received: from pmg.georgianationals.org (localhost [127.0.0.1])
        by pmg.georgianationals.org (Proxmox) with ESMTP id 6E23B3019B3F
        for <[email protected]>; Wed,  4 May 2022 13:33:17 -0400 (EDT)
    Received: from whs.imaddaou.com (whs.imaddaou.com [173.249.0.39])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (4096 bits))
        (No client certificate requested)
        by pmg.georgianationals.org (Proxmox) with ESMTPS id 045713019B36
        for <[email protected]>; Wed,  4 May 2022 13:33:17 -0400 (EDT)
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by whs.imaddaou.com (Postfix) with ESMTP id B3E153A0958
        for <[email protected]>; Wed,  4 May 2022 10:33:16 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=imaddaou.com; h=
        content-language:content-type:content-type:mime-version
        :user-agent:date:date:message-id:subject:subject:from:from; s=
        default; t=1651685596; x=1653499997; bh=gRq59MPff1u6Uu8QZgBrLExA
        mRz4W3vgOwCLTtYyrLc=; b=NPq2vgwUk6m1ZDrmooHvUu4qUtBu9faIPOwwHo9n
        2l8ESILJMSHD9ASOwotur2Z1QOA6lnsDAB8w5rQFE6nnqHWZ5nWLvLP/+H3jAqzr
        QhQtrQVESlPSI+0UGHuYZ7cwykhQ6P7dYrFzF7++7B8z/23289ILAbobrhE1K52T
        uE9JqU7gVneRwI+4n8S9xUkDeCbEBBJfa/7lbRbhlT9++kBre/4bs7nkrL794+II
        LVFVVvEoqX9BBCLMAKXnGttA8dzv7O0bICeKLze11cQAeY4VhRnXV8cdFsx9Tpqk
        zYnInfe8z76b4UQHSpEcbqbBgf3N+mYdi81sX9fiVoLChw==
    X-Virus-Scanned: Debian amavisd-new at whs.imaddaou.com
    Received: from whs.imaddaou.com ([127.0.0.1])
        by localhost (whs.imaddaou.com [127.0.0.1]) (amavisd-new, port 10026)
        with LMTP id WlJhiCeoIgI0 for <[email protected]>;
        Wed,  4 May 2022 10:33:16 -0700 (PDT)
    Received: from [IPv6:2600:1700:3210:4f70:8eae:4cff:fef4:bc25] (unknown [IPv6:2600:1700:3210:4f70:8eae:4cff:fef4:bc25])
        (Authenticated sender: [email protected])
        by whs.imaddaou.com (Postfix) with ESMTPSA id 2356C3A0581
        for <[email protected]>; Wed,  4 May 2022 10:33:16 -0700 (PDT)
    To: Imad Daou <[email protected]>
    From: Imad Daou <[email protected]>
    Subject: Test DKIM
    Message-ID: <[email protected]>
    Date: Wed, 4 May 2022 13:33:15 -0400
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
     Thunderbird/78.14.0
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="------------216538DB2E7796DCC10C5EF0"
    Content-Language: en-US
    X-SPAM-LEVEL: Spam detection results:  0
        AWL                     2.316 Adjusted score from AWL reputation of From: address
        DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
        DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
        DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
        DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
        HTML_MESSAGE            0.001 HTML included in message
        RCVD_IN_DNSWL_HI           -5 Sender listed at https://www.dnswl.org/, high trust
        SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
        SPF_PASS               -0.001 SPF: sender matches SPF record
        T_SCC_BODY_TEXT_LINE    -0.01 -
        URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [obelievers.com,imaddaou.com]
    X-Spamd-Bar: /
    Authentication-Results: fw.georgianationals.org;
        dkim=pass header.d=imaddaou.com header.s=default header.b=NPq2vgwU;
        dmarc=pass (policy=quarantine) header.from=imaddaou.com;
        spf=softfail (fw.georgianationals.org: 209.145.56.137 is neither permitted nor denied by domain of [email protected]) [email protected]
    X-Rspamd-Server: fw.georgianationals.org
    X-Rspamd-Queue-Id: 23661943091
    X-Spamd-Result: default: False [-0.81 / 15.00];
        DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[];
        R_DKIM_ALLOW(-0.20)[imaddaou.com:s=default];
        MIME_GOOD(-0.10)[multipart/alternative,text/plain];
        MX_GOOD(-0.01)[];
        DKIM_TRACE(0.00)[imaddaou.com:+];
        DMARC_POLICY_ALLOW(0.00)[imaddaou.com,quarantine];
        RCVD_VIA_SMTP_AUTH(0.00)[];
        MIME_TRACE(0.00)[0:+,1:+,2:~];
        FROM_EQ_ENVFROM(0.00)[];
        RCVD_TLS_LAST(0.00)[];
        TO_DN_ALL(0.00)[];
        RCPT_COUNT_ONE(0.00)[1];
        R_SPF_SOFTFAIL(0.00)[~all];
        RCVD_COUNT_FIVE(0.00)[6];
        ARC_NA(0.00)[];
        ASN(0.00)[asn:40021, ipnet:209.145.48.0/20, country:US];
        FROM_HAS_DN(0.00)[];
        PREVIOUSLY_DELIVERED(0.00)[[email protected]];
        TO_MATCH_ENVRCPT_ALL(0.00)[];
        MID_RHS_MATCH_FROM(0.00)[]
    
    This is a multi-part message in MIME format.
    --------------216538DB2E7796DCC10C5EF0
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit
    
    
    --
    Imad Daou
    https://www.obelievers.com/
    Podcast https://www.obelievers.com/podcast
    
    
    --------------216538DB2E7796DCC10C5EF0
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: 7bit
    
    <html>
      <head>
    
        <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      </head>
      <body>
        <p><br>
        </p>
        <pre class="moz-signature" cols="72">--
    Imad Daou
    <a class="moz-txt-link-freetext" href="https://www.obelievers.com/">https://www.obelievers.com/</a>
    Podcast <a class="moz-txt-link-freetext" href="https://www.obelievers.com/podcast">https://www.obelievers.com/podcast</a></pre>
      </body>
    </html>
    
    --------------216538DB2E7796DCC10C5EF0--
    
    
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    No.
    Dkim requires a public key in public DNS to correspond with a private key in the mail server which is used for signing. From the logs it looks like the sender is using authentication, so from there I would check that the domain is in amavis config with a dkim key set (I forget the exact file name) and that the public DNS key is complete/correct.
     
    Last edited: May 6, 2022
  3. emaddaou

    emaddaou New Member HowtoForge Supporter

    Hello Jesse, thank you for your quick response. DKIM Private and Public Key has been generated using https://easydmarc.com/tools/dkim-record-generator And the reason we used EasyDmarc is because ISPConfig generated Public Key was giving us Syntax error when it's being verified by MX Record DMARC/DKIM check, I noticed due to " " being part of the public when ISPConfig creates those keys was the problem, is there a way to have ISPConfig generates PUBLIC DKIM keys without the " " quotes among the other characters?

    Please check the following, Public key has been set and MX DKIM check verifies it all good.

    DKIM Public key of our assembly domain was set as follows using Cloudflare
    Code:
    v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs3KRFwhHEha2EEglw5Fo/YEUD22AfLyXVH3nQkXJLRWHGiGlAuhouI5ZJiadwHEclswLxBgjggsy+7n85a3lCqEpoTU5aX+nuE8f6n4gIQsJ2r5E8BjMSwwWxCyaW56X3mgV7s07OkmZsrZ2R2Ik7dc61VZRURcjiWQ9fVl8rVBZ9GXXu4TRdDA2OfTGLBEQaM8rLnx1wwNw54GwMK+j/zI72bUynQgW2CNndid5iK+sMzM8gcAoAsOyDHvF3UQAV0vfgtdSwUtG/SrlA+tGvrqH39gmb9vt9O60uBmw/zWChmNmy49l8KA0JV29fqUwsDrVSGsS87tuNL6KBwA+mwIDAQAB
    Here is the problematic Key being generated by ISPConfig - Note the " "
    Code:
    default._domainkey.georgianationals.org. 3600  IN  TXT   "v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvSFlK2n5i2cdQS316qUkMwRTXAsggGaWF7XQvAFlfysO+yfxez0BPOPVvyUNvLme+7QSoxMj5WiWIDyf4a5XUyMJiSdnKt45hVkO1ZqIOHje4bZMgurmj1+Mqz3uRHjBi5hT9+1uPC5u""1FRAw1493uTBnPmSqWgqXZ5w6IVj/aZ3iSxyi7mu3dW3k3DX56nKKAMO9IxreocwWe3A1bxhdwxZ7T++vgQZ+LyRBTv3qK93/Sy2lIZJFhLKg1upMJiynssfOo85Uw4TGma+KZLCTqsh4svYGndKeLlN2tTZNvFKxTfW1I1YssXplnr1ppmELawzILe/xMHBjacjmRdm""sQIDAQAB"

    And verified using DKIM Checked by MX Tools

    https://mxtoolbox.com/SuperTool.aspx?action=dkim:default._domainkey.georgianationals.org&run=toolpage

    Hmmm...We don't use any SPAM or virus checks at ISPConfig server, hence, I have shutdown all related services such as amavis and spam checking tools. That's because we use ProxMox Mail Gateway to receive emails located at the DMZ network, OPNSense as Firewall being used as out-GW. If PMG MX record is down, then the second MX record is the OPNSense with priority 20.

    With this being said, are you saying that I need to re-enable amavis and spam check services at ISPConfig Mail server in order for our Assembly emails to be signed using the DKIM key? I never thought about that and that might be the coz?? :0) If that's the case, what Services I need to make sure it's up and running?
     
    Last edited: May 6, 2022
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Not currently, but it is a pretty simple matter to remove those three characters manually.
     
    emaddaou likes this.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You don't need to use spam scanning, but dkim signing on a standard ispconfig server is done by amavis or rspamd. If you are generating your own DKIM keys and keeping them in sync with an external server/service, and you don't want to run amavis, it might make sense for you to setup opendkim for your signing instead?
     
  6. emaddaou

    emaddaou New Member HowtoForge Supporter

    Thank you Jesse for confirming, I never heard or configured opendkim before, I see, now I know why. Would you please when possible is point me to a Howto you trust and compatible with ISPConfig in order to configure opendkim on ispconfig server debian 10. Thank you again, your time is highly appreciated.
     
  7. emaddaou

    emaddaou New Member HowtoForge Supporter

    Oh wait, wouldn't that effect the relation between the private key part and its Public key if you alter it? If not, that would be awesome easy fix for me to just remove the "" characters. I thought you are not suppose to touch it.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    No. You don't alter the key, these are just there to split the key in length for DNS server that support short TXT records only and the tool you used to verify the key does not support split TXT records as it seems, that#s why it shows it as invalid.
     
    emaddaou likes this.
  9. 30uke

    30uke Active Member HowtoForge Supporter

    That's correct. I didn't understand the quotes - and was struggling with the DNS form of a DNS provider: https://www.howtoforge.com/community/threads/resolved-issue-with-dkim-record.88907/#post-435500
    After removing the quotes the DNS record works properly. I was able to test/verify this by sending an e-mail to my GMail account and by using the DKIM Validator: https://dkimvalidator.com/
     
    emaddaou likes this.
  10. emaddaou

    emaddaou New Member HowtoForge Supporter

    Dear all, here what I did:
    I read the following thread
    https://www.howtoforge.com/community/threads/how-to-install-opendkim-on-ispconfig-3-1-2.75543/
    and I seen Till is not recommending opendkim since ISPConfig can do this already by default. So, I went a head installed, amavisd, enabled rspamd back again, updated the system, ran ispconfig_uodate.sh --force, made sure I chose to reconfigure the services, and rebooted the server. However, still my outgoing emails not being signed :( please check below:

    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from whs.imaddaou.com
        by whs.imaddaou.com (Dovecot) with LMTP id itYXAdLfdWLIDwAAUyo7cQ
        for <[email protected]>; Fri, 06 May 2022 19:56:18 -0700
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by whs.imaddaou.com (Postfix) with ESMTP id F0F523A36D1
        for <[email protected]>; Fri,  6 May 2022 19:56:17 -0700 (PDT)
    X-Virus-Scanned: Debian amavisd-new at whs.imaddaou.com
    Received: from whs.imaddaou.com ([127.0.0.1])
        by localhost (whs.imaddaou.com [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id rx5sKn86EzpX for <[email protected]>;
        Fri,  6 May 2022 19:56:03 -0700 (PDT)
    Received: from mail.georgianationals.org (fw.georgianationals.org [209.145.56.136])
        by whs.imaddaou.com (Postfix) with ESMTPS id 0E2503A0599
        for <[email protected]>; Fri,  6 May 2022 19:55:58 -0700 (PDT)
    Received: from [192.168.11.10] (107-213-209-81.lightspeed.tukrga.sbcglobal.net [107.213.209.81])
        (Authenticated sender: [email protected])
        by mail.georgianationals.org (Postfix) with ESMTPSA id B08AD10007D
        for <[email protected]>; Fri,  6 May 2022 22:55:56 -0400 (EDT)
    To: Imad Daou <[email protected]>
    From: Imad Daou <[email protected]>
    Subject: Sending from logwatch
    Message-ID: <[email protected]>
    Date: Fri, 6 May 2022 22:55:55 -0400
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
     Thunderbird/78.14.0
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
     boundary="------------81BD506F352724A09DA2E778"
    Content-Language: en-US
    Authentication-Results: mail.georgianationals.org;
        auth=pass [email protected] [email protected]
    
    This is a multi-part message in MIME format.
    --------------81BD506F352724A09DA2E778
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: 7bit
    
    test
    
    
    --------------81BD506F352724A09DA2E778
    Content-Type: text/html; charset=utf-8
    Content-Transfer-Encoding: 7bit
    
    <html>
      <head>
    
        <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      </head>
      <body>
        <p><font face="Cantarell">test</font><br>
        </p>
      </body>
    </html>
    
    --------------81BD506F352724A09DA2E778--
    
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You will need to edit the mail domain and save again, or maybe disable dkim and enable again, so it writes the key in amavis config.
     
  12. emaddaou

    emaddaou New Member HowtoForge Supporter

    Yes, that was it :D It's working!! Thank you Jesse and thank you Till, thank you all!
     

Share This Page