Hello there, first of all, this is my context: I have mydomain.com. The FQDN of my ISPConfig server is web.mydomain.com. My DNS zone is managed from OVH, not from the ISPConfig. I have an SPF and a DMARC entry in my DNS zone; these are OK. In ISPConfig I have my email domain created, and I have enabled DKIM and generated the DKIM keys. I got something like this:
Code:
default._domainkey.mydomain.com. 3600 TXT v=DKIM1; t=s; p=PUBKEY
In OVH I created a TXT entry and this is what I got:
Code:
default._domainkey.mydomain.com IN TXT "v=DKIM1; t=s; p=PUBKEY"
When I check mydomain.com with default as selector from this https://www.mail-tester.com/spf-dkim-check, I get my DKIM right. But when I test an email from my ISPConfig (sending it to mail-tester or Gmail), mail-tester says DKIM is not OK, and I have nothing in the original mail on Gmail. And I can't figure out why. Any guess would be appreciated.
I'm not really clear if you mean there is no DKIM signature at all ('have nothing on original mail'), or just that it doesn't validate ('not OK'), but I think you mean it's completely missing? DKIM signing happens in amavis, so check that your domain got added to /etc/amavis/conf.d/60-dkim (that's on Debian 9, and the location likely varies on other OSes), that /etc/postfix/tag_as_originating.re filters mail through amavis on port 10026, and that postfix smtpd_sender_restrictions includes that access map. If that all looks good, make sure you're sending authenticated, and try restarting amavis. Maybe test sending a message to a local (same-server) account and see if DKIM signing happens.
Indeed, there is no DKIM signature at all. You may have found my issue. I did not install amavis/SpamAssassin/ClamAV because I did not want spam/AV filters, as they are quite consuming in terms of CPU/memory. If I install and configure amavis now, as I already have a working configuration of ISPConfig, can it break anything?
I snapshotted my machine and gave it a try. I installed and configured amavis-new from this tutorial: https://www.security-helpzone.com/2015/12/03/securiser-postfix-avec-lantispam-amavis/ (only amavis). After a reboot and regenerating the DKIM keys in the ISPConfig interface, I have my 60-dkim file created:
Code:
dkim_key('mydom.com', 'default', '/var/lib/amavis/dkim/mydom.com.private');
and the mydom.com.private and public files do exist. I tried https://www.mail-tester.com once again, but it is still saying that my mail is not signed by DKIM.
I may have something incorrect in my amavis config, but I don't have a clue:
master.cf:
Code:
amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=
main.cf:
content_filter=amavis:[127.0.0.1]:10024
tag_as_foreign.re:
/^/ FILTER amavis:[127.0.0.1]:10024
tag_as_originating.re: (it was originally on 10026 but mails refused to send)
/^/ FILTER amavis:[127.0.0.1]:10024
cat /etc/amavis/conf.d/* | grep 1002:
$inet_socket_port = 10024; # default listening socket
postconf -n:
Code:
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
greylisting = check_policy_service inet:127.0.0.1:10023
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
message_size_limit = 0
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = web.imperium-gaming.fr, localhost, localhost.localdomain
myhostname = web.imperium-gaming.fr
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_restriction_classes = greylisting
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re , permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf
Maybe you used the wrong tutorial? Just install amavis and update ISPConfig with "reconfigure services".
I rolled back to my snapshot, installed amavis again and updated with restart services. I get errors now, and emails are not working anymore:
Code:
Apr 17 16:57:15 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
Apr 17 16:57:31 web postfix/postfix-script[13101]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
Apr 17 16:57:31 web postfix/postfix-script[13104]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
Apr 17 16:58:57 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
Apr 17 16:59:03 web postfix/postfix-script[13783]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
Apr 17 16:59:03 web postfix/postfix-script[13786]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
Mail is stuck in the queue with a "mail transport unavailable" status.
It seems as if your config does not support the SSL cert and key being symlinks. You can e.g. try to copy the cert and key into the /etc/postfix directory and replace the symlinks with them.
This is not the issue. I have had these warnings for a while; without amavis, postfix was fine. The real issue is:
Code:
Apr 17 16:58:57 web postfix/qmgr[17314]: warning: connect to transport private/amavis: No such file or directory
Through the logs I managed to add content_filter = amavis:[127.0.0.1]:10024 (missing in main.cf). I also had to comment out the lines for ClamAV in the amavis config, but this is still not working. I have a (mail transport unavailable) error when flushing the queue. I also have: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused
Holy f**k I did it. I edited add content_filter = amavis:[127.0.0.1]:10024 for 10026 in master.cf.
In main.cf I commented:
#content_filter = amavis:[127.0.0.1]:10024
#receive_override_options = no_address_mappings
And in /etc/amavis/conf.d/50-user I edited $inet_socket_port for [10024,10026] (from [10024]). After rebooting everything, mails are now working with DKIM \0/
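An added example (not part of the thread and not ISPConfig's own code) that checks the three things named in the replies above: the port tag_as_originating.re filters to, the ports amavis listens on in $inet_socket_port, and the dkim_key entry for the sending domain. The function names and the embedded config strings are constructed for illustration, and the parsing is a simplification that reads only these three directives.

```python
import re

def amavis_ports(amavis_conf):
    """Ports in the last uncommented $inet_socket_port assignment."""
    ports = set()
    for line in amavis_conf.splitlines():
        code = line.split("#", 1)[0]  # drop trailing Perl comment
        m = re.search(r"\$inet_socket_port\s*=\s*\[?([\d\s,]+)\]?\s*;", code)
        if m:
            ports = {int(p) for p in re.findall(r"\d+", m.group(1))}
    return ports

def filter_ports(access_map):
    """Ports targeted by FILTER actions in a Postfix regexp access map."""
    ports = set()
    for line in access_map.splitlines():
        m = re.search(r"\bFILTER\s+\S+:(\d+)\s*$", line)
        if m and not line.lstrip().startswith("#"):
            ports.add(int(m.group(1)))
    return ports

def dkim_domains(dkim_conf):
    """Domains that have a dkim_key(...) entry in 60-dkim."""
    return {d.lower() for d in re.findall(r"dkim_key\(\s*'([^']+)'", dkim_conf)}

def check_signing_path(amavis_conf, originating_map, dkim_conf, sender_domain,
                       originating_port=10026):  # 10026 as named in the reply
    """Return a list of findings; an empty list means the path is consistent."""
    findings = []
    targets = filter_ports(originating_map)
    if originating_port not in targets:
        findings.append(f"tag_as_originating.re does not filter to port {originating_port}")
    for port in sorted(targets - amavis_ports(amavis_conf)):
        findings.append(f"amavis does not listen on port {port}")
    if sender_domain.lower() not in dkim_domains(dkim_conf):
        findings.append(f"no dkim_key entry for {sender_domain}")
    return findings

# Constructed inputs modelled on the values quoted in the thread.
DKIM_CONF = "dkim_key('mydom.com', 'default', '/var/lib/amavis/dkim/mydom.com.private');"
TO_10024 = "/^/ FILTER amavis:[127.0.0.1]:10024"
TO_10026 = "/^/ FILTER amavis:[127.0.0.1]:10026"
ONE_PORT = "$inet_socket_port = 10024; # default listening socket"
TWO_PORTS = "$inet_socket_port = [10024,10026];"

if __name__ == "__main__":
    for label, conf, amap in [("as posted", ONE_PORT, TO_10024),
                              ("map restored", ONE_PORT, TO_10026),
                              ("after the fix", TWO_PORTS, TO_10026)]:
        print(label, check_signing_path(conf, amap, DKIM_CONF, "mydom.com"))
```

The "map restored" case is the state that produces the "Connection refused" on 10026 reported earlier in the thread: Postfix hands mail to a port amavis is not listening on.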
Offhand, did you reconfigure services via the ISPConfig update.php as @florian030 mentioned above? That should have made all the required changes to config files.
Yes I did. Some files were edited, but things were broken as I was not able to send mails anymore.
Code:
warning: connect to transport private/amavis: No such file or directory