[Resolved] DKIM issue

Discussion in 'Installation/Configuration' started by AEG-Simply, Apr 12, 2018.

  1. AEG-Simply

    AEG-Simply Member

    Hello there. First of all, this is my context:

    I have mydomain.com
    The FQDN of my ISPConfig server is web.mydomain.com
    My DNS zone is managed from OVH, not from ISPConfig.
    I have SPF and DMARC entries in my DNS zone; these are OK.

    In ISPConfig I have my email domain created, and I have enabled DKIM and generated the DKIM keys.
    I got something like this:
    default._domainkey.mydomain.com. 3600   TXT   v=DKIM1; t=s; p=PUBKEY
    In OVH I created a TXT entry, and this is what I got:
    default._domainkey.mydomain.com IN TXT "v=DKIM1; t=s; p=PUBKEY"
    When I check mydomain.com with default as the selector from https://www.mail-tester.com/spf-dkim-check, my DKIM is reported as right.
    But when I test an email from my ISPConfig (sending it to mail-tester or Gmail), mail-tester says DKIM is not OK, and I have nothing in the original mail on Gmail.

    And I can't figure out why.

    Any guess would be appreciated.
  2. AEG-Simply

    AEG-Simply Member

  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    I'm not really clear if you mean there is no DKIM signature at all ('have nothing on original mail'), or just that it doesn't validate ('not OK'), but I think you mean it's completely missing?

    DKIM signing happens in amavis, so check that your domain got added to /etc/amavis/conf.d/60-dkim (that's on Debian 9; the location likely varies on other OSes), that /etc/postfix/tag_as_originating.re filters mail through amavis on port 10026, and that postfix smtpd_sender_restrictions includes that access map. If that all looks good, make sure you're sending authenticated, and try restarting amavis. Maybe test sending a message to a local (same-server) account and see if DKIM signing happens.
  4. AEG-Simply

    AEG-Simply Member

    Indeed, there is no DKIM signature at all.

    You may have found my issue. I did not install amavis/SpamAssassin/ClamAV because I did not want spam/AV filters, as they are quite consuming in terms of CPU/memory.

    If I install and configure amavis now, as I already have a working configuration of ISPConfig, can it break anything?
  5. AEG-Simply

    AEG-Simply Member

    I snapshotted my machine and gave it a try.
    I installed and configured amavisd-new from this tutorial: https://www.security-helpzone.com/2015/12/03/securiser-postfix-avec-lantispam-amavis/
    (only amavis)

    After a reboot and regenerating the DKIM keys in the ISPConfig interface, I have my 60-dkim file created:
    dkim_key('mydom.com', 'default', '/var/lib/amavis/dkim/mydom.com.private');
    and the mydom.com.private and public files do exist.

    I tried https://www.mail-tester.com once again, but it still says that my mail is not signed by DKIM.
  6. AEG-Simply

    AEG-Simply Member

    I may have something incorrect in my amavis config, but I don't have a clue:

    master.cf:
    amavis unix - - n - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
    inet n - n - - smtpd
      -o content_filter=
      -o smtpd_delay_reject=no
      -o smtpd_client_restrictions=permit_mynetworks,reject
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o smtpd_data_restrictions=reject_unauth_pipelining
      -o smtpd_end_of_data_restrictions=
      -o smtpd_restriction_classes=
      -o mynetworks=
      -o smtpd_error_sleep_time=0
      -o smtpd_soft_error_limit=1001
      -o smtpd_hard_error_limit=1000
      -o smtpd_client_connection_count_limit=0
      -o smtpd_client_connection_rate_limit=0
      -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
      -o local_header_rewrite_clients=
      -o smtpd_milters=
      -o local_recipient_maps=
      -o relay_recipient_maps=
    main.cf:

    tag_as_foreign.re:
    /^/ FILTER amavis:[]:10024

    tag_as_originating.re: (it was originally on 10026, but mails refused to send)
    /^/ FILTER amavis:[]:10024

    cat /etc/amavis/conf.d/* | grep 1002:
    $inet_socket_port = 10024; # default listening socket

    postconf -n:
    alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    compatibility_level = 2
    content_filter = amavis:[]:10024
    dovecot_destination_recipient_limit = 1
    greylisting = check_policy_service inet:
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    message_size_limit = 0
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    mydestination = web.imperium-gaming.fr, localhost, localhost.localdomain
    myhostname = web.imperium-gaming.fr
    mynetworks = [::1]/128
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    owner_request_special = no
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
    readme_directory = /usr/share/doc/postfix
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    relayhost =
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_client_message_rate_limit = 100
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_restriction_classes = greylisting
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_alias_domains =
    virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = dovecot
    virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
  7. florian030

    florian030 ISPConfig Developer

    Maybe you used the wrong tutorial? Just install amavis and update ISPConfig with "reconfigure services".
  8. AEG-Simply

    AEG-Simply Member

    I rolled back to my snapshot, installed amavis again and updated with "restart services".
    I get errors now, and emails are not working anymore:
    Apr 17 16:57:15 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
    Apr 17 16:57:31 web postfix/postfix-script[13101]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
    Apr 17 16:57:31 web postfix/postfix-script[13104]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
    Apr 17 16:58:57 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
    Apr 17 16:59:03 web postfix/postfix-script[13783]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
    Apr 17 16:59:03 web postfix/postfix-script[13786]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
    Mail is stuck in the queue with:

    mail transport unavailable
    Last edited: Apr 17, 2018
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    It seems as if your config does not support the SSL cert and key being symlinks. You can e.g. try to copy the cert and key into the /etc/postfix directory and replace the symlinks with them.
  10. AEG-Simply

    AEG-Simply Member

    This is not the issue; I have had these warnings for a while, and without amavis postfix was fine.
    The real issue is:
     Apr 17 16:58:57 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
  11. AEG-Simply

    AEG-Simply Member

    Through the logs I managed to add content_filter = amavis:[]:10024 (missing in main.cf). I also had to comment out the lines for ClamAV in the amavis config, but this is still not working; I have a
    (mail transport unavailable) error when flushing the queue.
    I also have a connect to[]:10026: Connection refused
  12. AEG-Simply

    AEG-Simply Member

    Holy f**k I did it.
    I edited content_filter = amavis:[]:10024 to 10026 in master.cf.
    In main.cf I commented out:
    #content_filter = amavis:[]:10024
    #receive_override_options = no_address_mappings

    And in /etc/amavis/conf.d/50-user I edited $inet_socket_port for [10024,10026] (from [10024]).

    After rebooting everything, mails are now working with DKIM \0/
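    As an added diagnostic, not code from the thread or from ISPConfig, this script checks the wiring Jesse Norell listed (tag_as_originating.re referenced from smtpd_sender_restrictions, originating mail sent to amavis on 10026) and the mismatch fixed in the post above: a Postfix FILTER target port that amavisd is not listening on. The sample inputs are constructed to mirror the configs quoted in the thread; paths and ports are the ones that appear there.

```python
import re

# Constructed sample inputs modelled on the configuration quoted in this
# thread (example data, not copied from any real server).
POSTCONF_N = (
    "content_filter = amavis:[]:10024\n"
    "smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , "
    "permit_mynetworks, permit_sasl_authenticated, "
    "check_sender_access regexp:/etc/postfix/tag_as_foreign.re\n"
)
TAG_AS_ORIGINATING_RE = "/^/ FILTER amavis:[]:10026\n"
TAG_AS_FOREIGN_RE = "/^/ FILTER amavis:[]:10024\n"
AMAVIS_BROKEN = "$inet_socket_port = [10024];   # listening sockets\n"  # state before the fix
AMAVIS_FIXED = "$inet_socket_port = [10024,10026];\n"                   # state after the fix

def filter_port(access_map):
    """Port of the 'FILTER amavis:[...]:PORT' action in a regexp access map, or None."""
    m = re.search(r"FILTER\s+amavis:\[[^\]]*\]:(\d+)", access_map)
    return int(m.group(1)) if m else None

def amavis_ports(amavis_conf):
    """Ports amavisd listens on, from '$inet_socket_port = 10024' or '= [10024,10026]'."""
    m = re.search(r"\$inet_socket_port\s*=\s*(\[[^\]]*\]|\d+)", amavis_conf)
    return {int(p) for p in re.findall(r"\d+", m.group(1))} if m else set()

def postconf_value(postconf_n, key):
    """Value of one 'key = value' line from 'postconf -n' output ('' if absent)."""
    m = re.search(rf"^{re.escape(key)}\s*=\s*(.*)$", postconf_n, re.M)
    return m.group(1).strip() if m else ""

def check_amavis_wiring(postconf_n, originating_re, foreign_re, amavis_conf):
    """Return findings; an empty list means every Postfix hand-off port has an amavis listener."""
    findings = []
    listening = amavis_ports(amavis_conf)
    # 1. outbound mail must pass the access map that tags it as originating (DKIM signing path)
    if "tag_as_originating.re" not in postconf_value(postconf_n, "smtpd_sender_restrictions"):
        findings.append("smtpd_sender_restrictions does not reference tag_as_originating.re")
    # 2. every port Postfix hands mail to must be one amavisd actually listens on
    targets = {"tag_as_originating.re": filter_port(originating_re),
               "tag_as_foreign.re": filter_port(foreign_re)}
    cf = re.search(r"amavis:\[[^\]]*\]:(\d+)", postconf_value(postconf_n, "content_filter"))
    if cf:
        targets["content_filter (main.cf)"] = int(cf.group(1))
    for name, port in targets.items():
        if port is None:
            findings.append(f"{name}: no 'FILTER amavis:[]:PORT' action found")
        elif port not in listening:
            findings.append(f"{name}: targets port {port}, but amavis listens on {sorted(listening)}")
    return findings

if __name__ == "__main__":
    for label, conf in (("before fix", AMAVIS_BROKEN), ("after fix", AMAVIS_FIXED)):
        print(label, check_amavis_wiring(POSTCONF_N, TAG_AS_ORIGINATING_RE, TAG_AS_FOREIGN_RE, conf) or ["OK"])
```

    On a live server the same functions can be fed the real files (`postconf -n`, the two .re maps and /etc/amavis/conf.d/50-user); the "before fix" run reproduces the "connect to []:10026: Connection refused" situation from this thread as a single finding.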
  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    Offhand, did you reconfigure services via the ISPConfig update.php as @florian030 mentioned above? That should have made all the required changes to config files.
  14. AEG-Simply

    AEG-Simply Member

    Yes I did. Some files were edited, but things were broken as I was not able to send mails anymore.
    warning: connect to transport private/amavis: No such file or directory

