Generate DKIM for Hostname

Discussion in 'Installation/Configuration' started by Tuhin, Nov 17, 2019.

  1. Tuhin

    Tuhin New Member

    @till
    Can you please give me a way to generate DKIM for a hostname?
    Like server.example.com
    I am using Cloudflare DNS. I have DKIM configured for the mail domain but not for the server name. Looks like that's an issue here.
    I didn't get information related to this topic.
    I am using ISPConfig 3.1 with Ubuntu 18.04.
    Removed clamav and amavis to reduce server load, followed tutorial. Everything works fine except DKIM.
    Thanks in advance
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Tuhin

    Tuhin New Member

    Sorry! Wikipedia is not always 100% correct.
    Please take a look here, on the WHM/cPanel forum: features.cpanel.net/topic/dkim-for-hostname

    "Enable the setting of domainkeys, spf or DKIM for hostname to prevent issues with mail providers blocking bulk email from non-signed senders.
    We have recently been blocked by google and yahoo due to the root emails sent from the hostname not being signed with DKIM."
     
  4. recin

    recin Member

    I think amavis is responsible for DKIM and you should start it.
    For DKIM hostname, can't you create a DNS and mail called server.example.com and do DKIM for it?
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I read that, it does not convince me. I also read the RFC documents related to DKIM.
    What would it mean to create DKIM for a hostname? What useful purpose would it serve? What is the reason you think DKIM for hostname is needed?
    I set up DKIM from ISPConfig Panel for the e-mail domain. It works and the testing and website tools I used verify everything is OK.
    I am pretty sure like @recin that it is amavis that does the DKIM signing. So if you remove amavis you lose DKIM also.
     
    Tuhin likes this.
  6. Jesse Norell

    Jesse Norell Well-Known Member

    System mail is generated from the hostname, and these do go out without dkim signatures; my weekly dmarc reports always show non-alignments for my ispconfig servers, and I imagine I could publish a dmarc policy for those "subdomains" that simply says not to require dkim or spf, but it would be nice to actually fix it and have full spf/dkim/dmarc setup.

    I've seen other mentions of the issue here and/or the issue tracker, and have intended to look into implementing that, but just haven't gotten there yet. In a quick look, the mail_plugin_dkim.inc.php (mail) server plugin is what manages the dkim keys files and amavis config for domains (I believe the keys are actually generated on the control panel host, not the mail server), which adds context as to what server should be configured with a given domain's keys, and the control panel can automatically add DNS records to the DNS servers if using ISPConfig dns, as it's driving the show.

    When dealing with a server's hostname, I imagine a similar thing could be done from the Server Config > Mail tab. The control panel node could generate the keys, push an appropriate datalog record to have the mail server configure the key, and then add a record into DNS if the parent domain happens to be a configured DNS domain (it is not in my case, but I don't see any reason it would not work), else just show the dkim key to be published if using external DNS. Note the "appropriate datalog record" type may not exist currently, as the mail_plugin_dkim.inc.php plugin triggers on mail_domain_{insert,update,delete} events, but it would not be hard to add a new event for the server config. It seems pretty doable.
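
The "generate the keys" and "show the dkim key to be published if using external DNS" steps from the post above, as an added example that is not part of the original thread and not ISPConfig code: it creates an RSA key pair for the hostname and prints the TXT record to publish. The selector `default`, the 2048-bit key size and the file names are assumptions; pointing the signer (amavis) at the private key is not covered here.

```shell
#!/bin/sh
# Added example: DKIM key pair and TXT record for a server hostname.
# Assumptions: selector "default", 2048-bit RSA, files named HOST.SELECTOR.*

# gen_dkim_key DIR HOST SELECTOR: write the private key and its public half.
gen_dkim_key() {
    key="$1/$2.$3.private"
    pub="$1/$2.$3.public"
    # umask in a subshell so the private key is created owner-readable only
    ( umask 077 && openssl genrsa -out "$key" 2048 ) 2>/dev/null || return 1
    openssl rsa -in "$key" -pubout -out "$pub" 2>/dev/null
}

# dkim_txt_record HOST SELECTOR PUBKEY_PEM: print a zone-file style TXT record.
dkim_txt_record() {
    # Drop the PEM armor lines and join the base64 body into one string.
    p=$(grep -v '^-----' "$3" | tr -d ' \r\n')
    [ -n "$p" ] || { echo "no key data in $3" >&2; return 1; }
    # One TXT character-string holds at most 255 bytes, so a 2048-bit key
    # is published as several quoted strings that the resolver concatenates.
    chunks=$(printf '%s\n' "v=DKIM1; k=rsa; p=$p" | fold -w 255 |
             sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT ( %s)\n' "$2" "$1" "$chunks"
}

# Usage: sh dkim-host.sh server.example.com [selector] [output-dir]
if [ "$#" -ge 1 ]; then
    host=$1; selector=${2:-default}; dir=${3:-.}
    gen_dkim_key "$dir" "$host" "$selector" || { echo "openssl failed" >&2; exit 1; }
    dkim_txt_record "$host" "$selector" "$dir/$host.$selector.public"
fi
```

The record name combines the selector and the hostname, so a signer using this key has to sign with `d=server.example.com` and the same selector for verifiers to find it.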
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    (Note the obvious workaround of "just add the server's hostname as a mail domain" doesn't work as that is an incompatible setup with ISPConfig (ie. that's actually the cause of a faq problem, and "don't do that" is the solution).)
     
  8. Jesse Norell

    Jesse Norell Well-Known Member

  9. Tuhin

    Tuhin New Member

    @Taleman
    Thank you for your help. I really appreciate that.
    And you are absolutely correct!
    It was an amavis issue. I had to enable it.
     
