Problem with DKIM and DMARC

Discussion in 'ISPConfig 3 Priority Support' started by muekno, Mar 27, 2021.

  1. muekno

    muekno Member HowtoForge Supporter

    Had Problems to sen Mail to gmx.de. Report from Mail Tools said DMARK record missing, found befor I can add a DMARK recort I need a DKIM record. Found this description https://manage.accuwebhosting.com/knowledgebase/3265/How-to-generate-DKIM-Record-in-ISPConfig.html
    No my configuration ist different I habe a privat Mail system GroupWise this relay Mail to a postfix on my ISPConfig testing system and relays mail to my production ISPConfig server postfix wich relays the mail to the internet. The postfix on the production system works for server domains fine since years. Incomming mails go to production postfix relay them to test postfix relays to Groupwise.
    So how to add DKIM and DMARC

    Thanks for help and hint

    Rainer
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The SMTP server should sign the emails with a DKIM key, for which you create a DNS record to be verified. Then, you can create a DMARC record.
    It is not clear to me how your server is set up, but when using ISPConfig, enable DKIM for the domain and make sure the shown TXT record is set for the domain.
     
  3. muekno

    muekno Member HowtoForge Supporter

    Both postfix servers are setup with ISPConfig latest Version. But there are two separet systems a test and a production system. I assume only the mailserver connection to the internet must have the DKIM and DMARC records. If I add a DKIM to the domain I get a Public Key Field. OK I know how to generate a ke ypiair but where should I save the Private Key and wht has to go to the DKIM-Selector field. Unfortunatly the ISPConfig 3.1 manual says nothing about DKIM or DMARC.
    Thanks so long
    Rainer

    Add on there are a lot articles about DKIM with ISPConfig 3.1 I have 3.2.3 so everything I find on the net does not really help
     
    Last edited: Mar 28, 2021
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The DNS record is shown in the DKIM settings for the mail domain. The selector can be anything, for example "default".
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Don't touch these fields at all and you don't have to do anything with the data in these fields.

    All you have to do is to add a DNS TXT record in the DNS zone of that domain by using the data in the DNS record field.
     
  6. muekno

    muekno Member HowtoForge Supporter

    Sorry but now I am totally confused. I found thishttps://www.mailhardener.com/kb/how-to-create-a-dkim-record-with-openssl what help me to create a for me good looking DKIM Record, but did not answer where to put the privat key. Finally that was a TXT record.
    To clear I put the privat key in the coresponding field an some text in my caste the domain without TLD in the identifier field. Now Till say do not touch but I can not great e a DKIM record leaving field empty.
    Rainer
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can generate it from the UI with the button "Generate DKIM private key" which can be found in the mail domain settings.
     
  8. muekno

    muekno Member HowtoForge Supporter

    So now we are back at the beginning. This domain is not a mail domain in ISPConfig it is only relaying. Does that mean my Groupwise originaly creating the mail has to add the DKIM Information and the finally relaying postfix (the one connected to the real internet) can not add the DKIM record, even if I create it manually as descriped
    Rainer
    Groupwise Docs say for DKIM I have to use 3rd Party gateway, so this implements for me I cat sign the mail later on ist way. So the question rest where to put the private key and why ISPConfig allows to create a DKIM record
     
    Last edited: Mar 28, 2021
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    DKIM signing is done by the mail server that is responsible for that domain and not by mail relays. If your mail server is GroupWise and not the ISPConfig system, then you should configure DKIM in Groupwise.
     
  10. muekno

    muekno Member HowtoForge Supporter

    As written Groupwise does not support it and groupwise doc say use 3rd Party Gateway. As descriped at the beginning the Groupwse MTA has my private ISPConfig postfix as relay the postfix on the production relays to the internet.
    Does your answer mean postfix can not sign relay mails?
    Rainer
    the domain itself DNS and mail relaying is maintained by ISPConfig
    postfix is often used as frontend mail relay befor GroupWise exchange and other mail systems. Does the mean every primay mails system using postfix as frontend relay and spam protection not supporting DKIM can not use DKIM
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    There is probably a way to get the relay to sign these emails. ISPConfig systems are using amavis or Rspamd for dkim signing, not postfix and you can't configure Dkim signing for non local domains in ISPConfig. But you can try to read the docs of Rpsmad or Amavis, depending on what you use, and try to add Dkim signing there for that domain.
     
  12. muekno

    muekno Member HowtoForge Supporter

    So it should work, I still use use Amavis. so if i put the private key in the same directory and the same way as you do manualy it should work, so if you can tell me the directory and how I will manage the rest.
    Thanks
    Rainer
     
  13. muekno

    muekno Member HowtoForge Supporter

    For everybody who need to sign relayed mail with DKIM
    ist is easier than expected
    generate privat and public key using https://www.mailhardener.com/kb/how-to-create-a-dkim-record-with-openssl
    got to DNS of your domain add record and select DKIM
    insert the public key in the corresponding field, just the key nothing else
    fill the identifier filed with a value not used elsewhere i.e. domain name, do not use default
    click save ISPConfig will create a valid TXT DKIM Record
    the edit /etc/amavis/conf.d/60-dkim and add a line
    <code>dkim_key('domain.tld'. 'your_identifier', '/var/lib/amavis/dkim/domain.tld.private');</code>
    and save the file
    finally copy the private key in /var/lib/amavis/dkim/ an name it domain.tld.private
    Now check if it works with i.e. https://www.dmarcanalyzer.com/de/dkim-de/dkim-record-check/
    It worked for me, so it should work for you
     
    Last edited: Mar 28, 2021
    Jesse Norell and Th0m like this.

Share This Page