Koozali.org: home of the SME Server

[SOLVED] Upgraded 9.1 to 9.2: DKIM DMARC and other issues

Michail Pappas
« on: May 12, 2017, 06:55:00 AM »
Hello,

I had DKIM running on 9.1 according to the wiki instructions at https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version.3C0.96

Due to the DMARC changes I saw that in 9.2 DKIM is supported without any custom templates, as described in the wiki https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96

How can I perform the switch from the 9.1-based method to the 9.2-based one? The easy part is that I should remove /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign and also enable the new DKIM method with:
Code:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

But the issue is that I already have some DKIM keys. How can I "transfer" them to the new platform? Checking the qpsmtpd-print-dns shows that keys are possibly stored under /var/service/qpsmtpd/config/dkim/DOMAIN/public but I do not know how to copy them appropriately.

FYI:
1) I only have a "default" selector
2) on my setup even though the domain SME was created with was domainA, the actual domain I use for email is domainB:

Code:
# db domains show
domainA=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
domainB=domain
    Content=Primary
    Description=This is the actual domain I use
    Nameservers=internet
« Last Edit: May 12, 2017, 01:30:29 PM by Michail Pappas »

holck
« Reply #1 on: May 12, 2017, 09:34:26 AM »
Here is what worked for me:

The old DKIM-keys were found in /var/service/qpsmtpd/config/dkimkeys/ with names like
  • dkim.public
  • myserver.com.private
  • myserver.eu.private
The file dkim.public was copied to /home/e-smith/dkim_keys/default/public, replacing the previous file there
One of the (all identical) *.private files was copied to /home/e-smith/dkim_keys/default/private, again replacing the previous file there.

This seems to work :-)

Michail Pappas
« Reply #2 on: May 12, 2017, 10:38:34 AM »
Thanks for the reply. My problem is that there is nothing to be found in /home/e-smith/dkim_keys/default/public

Furthermore in /sbin/e-smith/qpsmtpd-print-dns there seems to be another directory involved, /var/service/qpsmtpd/config/dkim/$domain/selector

How does one set it up? Is it left empty?

Stefano
« Reply #3 on: May 12, 2017, 11:29:53 AM »
please, open a bug, thank you

Michail Pappas
« Reply #4 on: May 12, 2017, 11:52:59 AM »
Hi Stefano,

I did not open a bug because I was not sure it was a bug at all. Let me explain: I have not run the following commands yet:
Code:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update

Should I open a bug report nevertheless? And if so, which reason should I use on the bug report (sounds naive, but I do not understand what the bug might be here).

Stefano
« Reply #5 on: May 12, 2017, 11:55:52 AM »
well.. IIUC you modified db entries and it seems to work, but you'd like to import/use your old keys and something isn't working as expected.. am I right?

if so, something isn't working out of the box as expected, hence is likely a bug ;-)

feel free to correct me

DanB35
« Reply #6 on: May 12, 2017, 12:02:07 PM »
......

Michail Pappas
« Reply #7 on: May 12, 2017, 12:31:40 PM »
Quote: well.. IIUC you modified db entries
I have not enabled DKIMSigning so far. I'm thinking about how to "import" my existing 9.1 DKIM keys to 9.2. So, not a bug IMHO.

Quote: See https://forums.contribs.org/index.php/topic,53038.0.html for some related discussion.

Thanks Dan. On that thread, the poster went another way: he dumped his existing 9.1 DKIM keys and used the ones automatically created for him in 9.2.

On one hand that is the proper way to go about it, but to avoid any outgoing emails from my domain being flagged as spam I'd have to ask my ISP to first remove the existing DKIM entries, wait for the DNS TTL to expire, then ask them to re-upload the new, 9.2 auto-generated keys. A bit of a cumbersome procedure, but not an impossible one.

On the other hand, I was wondering how to transfer the existing keys to 9.2. holck's post above seems to be a workaround, but the main question for me is: is there any chance that sme at some point might overwrite these DKIM keys? I am asking because the current keys might be overwritten by some signal-event template expansion...

What would you suggest?



DanB35
« Reply #8 on: May 12, 2017, 12:35:50 PM »
Well, "the poster" was me, and no, I didn't dump my existing keys.  I ended up copying my existing keys over the top of the ones generated by SME 9.2 (necessary because the new ones resulted in DNS entries too long for my DNS host), and it's working fine at this point, though I'm also wondering about whether they'll be overwritten.

Michail Pappas
« Reply #9 on: May 12, 2017, 01:30:18 PM »
Quote: Well, "the poster" was me, and no, I didn't dump my existing keys.  I ended up copying my existing keys over the top of the ones generated by SME 9.2 (necessary because the new ones resulted in DNS entries too long for my DNS host), and it's working fine at this point, though I'm also wondering about whether they'll be overwritten.
Did the exact same thing and everything looks ok. But I also hope that they will not be overwritten...

Case solved(?).
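
The two open worries in the thread (does the public key now on disk still match what is published in DNS, and will the record fit in one TXT string) can be checked offline. The sketch below is an added example, not code from any poster or from SME Server. It assumes the public key file (e.g. the contents of /home/e-smith/dkim_keys/default/public) is a standard PEM file and that the published TXT record has been copied in as text; the key bytes and the DNS answer here are constructed filler.

```python
import base64
import re

TXT_STRING_MAX = 255  # one DNS TXT character-string holds at most 255 bytes


def p_from_pem(pem: str) -> str:
    """Return the DKIM p= value of a PEM public key: its base64 body, unwrapped."""
    lines = [l.strip() for l in pem.splitlines()]
    value = "".join(l for l in lines if l and not l.startswith("-----"))
    base64.b64decode(value, validate=True)  # raises if the body is not clean base64
    return value


def parse_txt(rdata: str) -> dict:
    """Join the quoted strings of a TXT record and split the result into DKIM tags."""
    parts = re.findall(r'"([^"]*)"', rdata)
    joined = "".join(parts) if parts else rdata
    tags = {}
    for item in joined.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check(pem: str, rdata: str) -> dict:
    """Compare the key on disk with the published record and size the record."""
    p = p_from_pem(pem)
    record = "v=DKIM1; k=rsa; p=" + p
    chunks = [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]
    return {
        "matches_dns": parse_txt(rdata).get("p") == p,
        "record_length": len(record),
        "txt_strings_needed": len(chunks),
    }


def make_pem(n: int) -> str:
    """Constructed stand-in for a public key file: n filler bytes, not a real key."""
    b64 = base64.b64encode(bytes(i % 256 for i in range(n))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    # 162 and 294 bytes are the DER sizes of 1024- and 2048-bit RSA public keys.
    old_key, new_key = make_pem(162), make_pem(294)
    published = '"v=DKIM1; k=rsa; p=' + p_from_pem(old_key) + '"'  # constructed DNS answer
    print("old key:", check(old_key, published))
    print("new key:", check(new_key, published))
```

Running the same comparison again after a later `signal-event` shows whether the copied key was replaced: `matches_dns` turns false as soon as the file on disk no longer corresponds to the published record.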