[Resolved]DKIM issue

Hello there, first of all, this is my context :

I have mydomain.com
The FQDN of my ISPConfig serveur is web.mydomain.com
My DNS Zone is managed from OVH not from the ISPConfig.
I have a SPF and DMARC entry on my DNS Zone, theses are OK.

In ISPConfig I have my email Domain created and I have enabled DKIM and generated the DKIM keys.
Got something like that :

Code:

default._domainkey.mydomain.com. 3600   TXT   v=DKIM1; t=s; p=PUBKEY

In OVH I created a TXT entry and this is what I got :

Code:

default._domainkey.mydomain.com IN TXT "v=DKIM1; t=s; p=PUBKEY"

When I check mydomain.com with default as selector from this https://www.mail-tester.com/spf-dkim-check, I got my DKIM right.
But when I test an email from my ISPConfig (sending it to mail-tester or gmail), mail-tester says DKIM is not OK, and I have nothing on the original mail on gmail.

And I can't figure out why ?

Any guess would be appreciated.

 

up ?

 

I'm not really clear if you mean there is no DKIM signature at all ('have nothing on original mail'), or just that it doesn't validate ('not OK'), but I think you mean it's completely missing?

DKIM signing happens in amavis, so check that your domain got added to /etc/amavis/conf.d/60-dkim (that's on debian 9, and likely varies location on other os's), that /etc/postfix/tag_as_originating.re filters mail through amavis on port 10026, and that postfix smtpd_sender_restrictions includes that access map. If that all looks good, make sure you're sending authenticated, and try restarting amavis. Maybe test sending a message to a local (same-server) account and see if DKIM signing happens.

 

Indeed, there is no DKIM signature at all.

You may have found my issue. I did not install amavis/spam assassin/clamav because I did not want spam/AV filters as it is quite consumming in terms of CPU/Memory.

If I install and configure amavis now, as I have already a working configuration of ISPConfig, can it break anything ?

 

I snapshoted my machine and gave it a try.
I installed and configured amavis-new from this tuto : https://www.security-helpzone.com/2015/12/03/securiser-postfix-avec-lantispam-amavis/
(only amavis)

after a reboot and regenerate DKIM keys in ISPConfig interface, I have my 60-dkim file created :

Code:

dkim_key('mydom.com', 'default', '/var/lib/amavis/dkim/mydom.com.private');

and mydom.com.private and public files do exist.

I tried once again https://www.mail-tester.com, but still saying that my mail is not signed by DKIM.

 

I may have something incorrect in my amavis config, but I dont have a clue :

master.cf :

Code:

amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=

main.cf :
content_filter=amavis:[127.0.0.1]:10024

tag_as_foreign.re :
/^/ FILTER amavis:[127.0.0.1]:10024

tag_as_originating.re : (it was originaly in 10026 but mails refused to send)
/^/ FILTER amavis:[127.0.0.1]:10024

cat /etc/amavis/conf.d/* | grep 1002 :
$inet_socket_port = 10024; # default listening socket

postconf -n :

Code:

alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = web.imperium-gaming.fr, localhost, localhost.localdomain
myhostname = web.imperium-gaming.fr
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf

 

maybe you used the wrong tutorial? just install amavis and update ispconfig with "reconfigure services"

 

I rolled back to my snapshot, installed amavis again and updated with restart services.
I got errors now, emails not working anymore :

Code:

Apr 17 16:57:15 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
Apr 17 16:57:31 web postfix/postfix-script[13101]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
Apr 17 16:57:31 web postfix/postfix-script[13104]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
Apr 17 16:58:57 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
Apr 17 16:59:03 web postfix/postfix-script[13783]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
Apr 17 16:59:03 web postfix/postfix-script[13786]: warning: symlink leaves directory: /etc/postfix/./smtpd.key

Mail stuck in queue with

mail transport unavailable
status

 

This is not the issue, I had theses warning from a while, without amavis postfix was fine.
The real issue is

Code:

 Apr 17 16:58:57 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory

 

Through logs I managed to add content_filter = amavis:[127.0.0.1]:10024 (missing in main.cf), I also had to comment out the lines for Clamav in amavis config but this is still not working I have a :
(mail transport unavailable) error when flushing queue
I also have a connect to 127.0.0.1[127.0.0.1]:10026: Connection refused

 

Holy f**k I did it.
I edited add content_filter = amavis:[127.0.0.1]:10024 for 10026 in master.cf
In main.cf I commented
#content_filter = amavis:[127.0.0.1]:10024
#receive_override_options = no_address_mappings

And in /etc/amavis/conf.d/50-user I edited $inet_socket_port for [10024,10026] (from [10024]).

After reboot everything, mails are now working with DKIM \0/

 

Offhand, did you reconfigure services via the ISPConfig update.php as @florian030 mentioned above? That should have made all the required changes to config files.

 

Yes I did. Some files were edited, but things were broken as I was not able to send mails anymore.

Code:

warning: connect to transport private/amavis: No such file or directory