Koozali.org: home of the SME Server

DKIM Question

mdrone
DKIM Question
« on: April 25, 2018, 12:11:21 PM »
When the "default" DKIM setup on my Koozali/SME server (9.2) got a "DKIM check: none" response from check-auth@verifier.port25.com after about a dozen trials-and-errors, I decided to modify things according to the instructions on https://wiki.contribs.org/Email#Outbound_DKIM_signing_.2F_SPF_.2F_DMARC_policy_FOR_MULTIPLE_DOMAINS to see if that would do any good . . . (easy enough to return to default).

cd /home/e-smith/dkim_keys
mkdir lists.roe3.org
cd lists.roe3.org
echo default > selector
openssl genrsa -out private 1024
openssl rsa -in private -out public -pubout
chown qpsmtpd:qpsmtpd private
chmod 400 private
signal-event email-update

Contents of /home/e-smith/dkim_keys/lists.roe3.org
[root@esmith lists.roe3.org]# ll
total 12
-r-------- 1 qpsmtpd qpsmtpd 887 Apr 22 07:03 private
-rw-r--r-- 1 root    qpsmtpd 272 Apr 22 07:03 public
-rw-r--r-- 1 root    qpsmtpd   8 Apr 22 07:03 selector

I went ahead and changed the file permissions on the "private" key to chmod 444 just to make sure that the qpsmtpd daemon could find it. I'll change it back if I ever get the doggone thing working.

Likewise, I made sure the /home/e-smith/dkim_keys/lists.roe3.org directory ownership is root.qpsmtpd

After the public key was transferred to my DNS host (easyDNS.com), I tested it with https://www.mail-tester.com/spf-dkim-check. Results below:

SPF check
1 SPF record found for the domain lists.roe3.org :

"v=spf1 a mx ~all"

DKIM check
DNS record for default._domainkey.lists.roe3.org:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/e7g2BmSiqsAaJdo4US0pvIN1 eeKRuEYIPFJJiN/xZ42tN9yZNA8Tw0tR4OT6tcN6NJWIjngj1Ao4S2WVTPpU1p/X jutyXXe60b33e6x2uZ/JWvM32Wp7xq/uk8qbJYdGMMUDsu+upRs+LcoDzlilXK21 ovFKQXIBUWhca+yPgQIDAQAB"

Key length : 1024
(I'm forced to use a 1024-bit key because of my domain registrar's web panel field restrictions)

Looks fine, right?  Wrong!  I'm still getting a "DKIM check: none" response from check-auth@verifier.port25.com.

When I run 'qpsmtpd-print-dns' from the the command line, I get the same public key as when I run 'qpsmtpd-print-dns lists.roe3.org'.

The server just doesn't seem to be telling the world that it has a DKIM record in place.

The "config show qpsmtpd" command reveals that DKIMSigning is indeed enabled . . .

config show qpsmtpd
qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DKIMSigning=enabled
    DNSBL=disabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net,dnsbl-1.uceprotect.net,dnsbl-2.uceprotect.net,psbl.surriel.com,zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org,black.uribl.com,rhsbl.sorbs.net
    TlsBeforeAuth=1
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=disabled
    access=public
    qplogsumm=disabled
    status=enabled

Everything seems to be set up properly. The server just doesn't seem to be offering its DKIM signature to the outside world.

To quote a famous screenplay "Help me, Obi-Wan Kenobi. You're my only hope."

Any suggestions or pointers would be greatly appreciated.

ReetP
Re: DKIM Question
« Reply #1 on: April 25, 2018, 03:20:51 PM »
I just took a look at this on mine.

I think you may have created your keys in /home/e-smith/dkim_keys/lists.roe3.org  but sqpsmtpd is looking for them in 'default'

First, check:

ll /var/service/sqpsmtpd/config/dkim

Where does your domain point, and is there anything in the directory?

eg does it look like this?

somedomain.net -> /home/e-smith/dkim_keys/default
or

somedomain.net -> /home/e-smith/dkim_keys/somedomain.net

Do you have domains individually enabled/disabled?

db domains show

From looking at the script /etc/e-smith/events/actions/domains-update-dkim they should default to enabled.

I'm still not 100% sure of the script - there is some trick perl that is non obvious to me :-) Makes it hard to see the logic. I'm trying to figure it and will come back.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

mdrone
Re: DKIM Question
« Reply #2 on: April 25, 2018, 04:37:23 PM »
Thanks for the response and suggestions.

Here's how my server responds to the commands you recommend:

=====================================================

# ll /var/service/sqpsmtpd/config/dkim
total 0
lrwxrwxrwx 1 root qpsmtpd 38 Apr 22 07:05 lists.roe3.org -> /home/e-smith/dkim_keys/lists.roe3.org

# db domains show
lists.roe3.org=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
    letsencryptSSLcert=enabled

=====================================================

Thanks also for pointing me toward the /etc/e-smith/events/actions/domains-update-dkim script. I'll give it a read and see if I can make heads or tails out of it.

Kind regards and thanks in advance for any other ideas,

-MD

ReetP
Re: DKIM Question
« Reply #3 on: April 25, 2018, 06:53:27 PM »
Looks like things are in the right places then so the script is doing the job.

Have you checked for errors in your logs?

/var/log/messages
/var/log/sqpsmtpd/current



mdrone
Re: DKIM Question
« Reply #4 on: April 26, 2018, 12:08:43 PM »
Yes. I have checked all logs and have found no errors. That's what is confounding. There seems to be no logical reason why the server isn't "serving" the DKIM information to the outside world.

I can't imagine that it's an ownership/permissions thing on the /home/e-smith/dkim_keys/ directory/subdirectory & contents, but won't rule that out.

Thanks once again for your time and assistance. If you have any other ideas, please send them my way.

Kind regards,
-MD

ReetP
Re: DKIM Question
« Reply #5 on: April 26, 2018, 01:07:28 PM »
When you send a mail you should get this in your log:

/var/log/sqpsmtpd/current

2018-04-26 12:44:49.150968500 4045 spooling message to disk
2018-04-26 12:44:49.176859500 4045 (data_post_headers) dkim: pass, we signed the message
2018-04-26 12:44:49.193177500 4045 (data_post) bogus_bounce: pass, not a null sender
2018-04-26 12:44:49.193179500 4045 (data_post) headers: skip, relay client
2018-04-26 12:44:49.193268500 4045 (data_post) naughty: pass
2018-04-26 12:44:49.193402500 4045 (data_post) uribl: skip, relay client
2018-04-26 12:44:49.210826500 4045 (data_post) virus::clamdscan: pass, clean

You could also try setting the log level higher.

I set mine to 10 to test - might be a bit over the top. However:

grep dkim /var/log/sqpsmtpd/current
@400000005ae1b0d4272bb3cc 5016 dkim hooking data_post_headers
@400000005ae1b0d4282d260c 5016 dkim hooking data_post_headers
@400000005ae1b0d430d6fbac 5016 dkim hooking data_post_headers
@400000005ae1b0d4319e1084 5016 (data_post_headers) running plugin: dkim
@400000005ae1b0d431b0c97c 5016 (data_post_headers) dkim: info, selector: default
@400000005ae1b0d43213b1cc 5016 (data_post_headers) dkim: pass, we signed the message
@400000005ae1b0d43214daac 5016 Plugin dkim, hook data_post_headers returned DECLINED,

Bit more detail.

You should see something at least?

Also, check the perms on directory:
ll /var/service/qpsmtpd/config
drwxr-s--- 2 qpsmtpd qpsmtpd  4096 Apr 26 13:04 dkim

If there is nothing you probably ought to raise a bug and someone will have a more in depth look.

mmccarn
Re: DKIM Question
« Reply #6 on: April 26, 2018, 01:08:27 PM »
...
DKIM check
DNS record for default._domainkey.lists.roe3.org:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/e7g2BmSiqsAaJdo4US0pvIN1 eeKRuEYIPFJJiN/xZ42tN9yZNA8Tw0tR4OT6tcN6NJWIjngj1Ao4S2WVTPpU1p/X jutyXXe60b33e6x2uZ/JWvM32Wp7xq/uk8qbJYdGMMUDsu+upRs+LcoDzlilXK21 ovFKQXIBUWhca+yPgQIDAQAB"

Key length : 1024
...

Does your public dkim key really include the spaces that caused it to wrap in your original post, or was it damaged somehow during creation? I don't remember ever seeing an RSA key that contained spaces...

I've never tried to setup DKIM on SME, but when I have set it up, the server (Kerio Connect) does not attempt to sign anything if the public key is missing or incorrect.


mdrone
Re: DKIM Question
« Reply #7 on: April 26, 2018, 01:23:16 PM »
There are no spaces in the public key. I suspect it got mucked up when I pasted it into the original post.

It's broken across multiple lines in /home/e-smith/dkim_keys/lists.roe3.org/public, which appears to be standard based on other SME 9.2 servers that I'm looking at . . .

# cat /home/e-smith/dkim_keys/lists.roe3.org/public
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/e7g2BmSiqsAaJdo4US0pvIN1
eeKRuEYIPFJJiN/xZ42tN9yZNA8Tw0tR4OT6tcN6NJWIjngj1Ao4S2WVTPpU1p/X
jutyXXe60b33e6x2uZ/JWvM32Wp7xq/uk8qbJYdGMMUDsu+upRs+LcoDzlilXK21
ovFKQXIBUWhca+yPgQIDAQAB
-----END PUBLIC KEY-----

I have another SME 9.2 server that I use for development that sits right beside this one. I'm going to activate DKIM on it and see if it behaves in a similar fashion.

mdrone
Re: DKIM Question
« Reply #8 on: April 26, 2018, 02:26:05 PM »
Terribly sorry! Missed this post.

When I grep for 'dkim' in the logs, nothing shows up anywhere.

Permissions on /var/service/qpsmtpd/config are . . .

drwxr-s---  2 qpsmtpd qpsmtpd 4096 Apr 26 06:45 dkim


Confounding.  :sad:

I activated DKIM on the dev server, registered all SPF and DKIM info with my DNS provider and sent email to check-auth@verifier.port25.com.  Same result:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         none   <-------- Replicated issue
SpamAssassin check: ham

==========================================================

I've never raised a bug before. Guidance?

-MD

mmccarn
Re: DKIM Question
« Reply #9 on: April 26, 2018, 02:31:00 PM »
I think the line breaks in the public key file are a function of the format of the file and are not supposed to be included in the DNS entry.

On my server, for example, the public key looks like this:
# cat /home/e-smith/dkim_keys/default/public
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2g57DDnaZuonYRNdKP5O
+26/15SesIt1jb40YH1Jrw5lWP9dUsc1IBwRSfQnWKWmCiBahNl9ZQMAII3luClR
CAOSmGmlW9x4s8O4Ft+qXDMEk9ec+EvlEeRzAElWfp9K8UYkvreuVHzPpve2Ib5d
k7YYc0p6K7l+4TIThFi2YZHcztJ2RqwPyY05YZWoB1aL9cy+InSQ1VS8Gm/uEpvR
OoA9R0RdZ/VPEUiTV7I7mwYt0hNgk5Q34fvjgHz7FSNQ+rykTYatL0zJkZSyqMhu
6JVFDV9xtd6qdFd/ybE5wdulkMexMys+wKOHzO9ZpMHedh+TBI12UtVhnTN9ImYv
PwIDAQAB
-----END PUBLIC KEY-----

Which I interpret as indicating a DNS key that should look like this:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2g57DDnaZuonYRNdKP5O+26/15SesIt1jb40YH1Jrw5lWP9dUsc1IBwRSfQnWKWmCiBahNl9ZQMAII3luClRCAOSmGmlW9x4s8O4Ft+qXDMEk9ec+EvlEeRzAElWfp9K8UYkvreuVHzPpve2Ib5dk7YYc0p6K7l+4TIThFi2YZHcztJ2RqwPyY05YZWoB1aL9cy+InSQ1VS8Gm/uEpvROoA9R0RdZ/VPEUiTV7I7mwYt0hNgk5Q34fvjgHz7FSNQ+rykTYatL0zJkZSyqMhu6JVFDV9xtd6qdFd/ybE5wdulkMexMys+wKOHzO9ZpMHedh+TBI12UtVhnTN9ImYvPwIDAQAB"

mmccarn
Re: DKIM Question
« Reply #10 on: April 26, 2018, 02:43:16 PM »
Here are a couple references mentioning the need to remove the line breaks from the openssl-generated public key file in order to create the DNS entry:
https://support.plesk.com/hc/en-us/articles/115000214973-How-to-get-the-DKIM-public-key-from-Plesk-if-DNS-is-not-installed
https://lxadm.com/Generating_DKIM_key_with_openssl

I found other instructions saying to copy/paste as-is, which leads me to believe that some DNS services intelligently correct TXT entries that are pasted containing newline characters.
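To make the PEM-to-TXT conversion concrete, here is an added example of my own (not SME Server, qpsmtpd or mmccarn's code). It strips the armour and line breaks from an openssl-generated public key to get the p= value, renders the TXT record and splits it into quoted strings of at most 255 bytes (a single DNS TXT character-string cannot be longer than that, which is usually the real reason a registrar panel chokes on a 2048-bit key rather than the key size itself), and then audits a published record against the local key: it flags whitespace inside p=, the symptom mmccarn asked about, and recovers the modulus size from the DER encoding, the same "Key length" figure mail-tester reports. The two sample keys are the public keys posted in this thread and the "published" string is the record exactly as it was pasted in the first post; the function names and the audit fields are assumptions for the example. One caveat on the earlier setup steps: the private key should stay mode 400 owned by qpsmtpd; making it world-readable does nothing for the daemon, which already owns it, and lets any local account sign mail as the domain.

```python
"""Build and audit a DKIM DNS TXT record from an openssl PEM public key.

Added example for this thread; not code from SME Server or qpsmtpd.
The sample keys are the two public keys posted in the thread.
"""
import base64
import re

# mdrone's key (/home/e-smith/dkim_keys/lists.roe3.org/public), 1024-bit.
PEM_1024 = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/e7g2BmSiqsAaJdo4US0pvIN1
eeKRuEYIPFJJiN/xZ42tN9yZNA8Tw0tR4OT6tcN6NJWIjngj1Ao4S2WVTPpU1p/X
jutyXXe60b33e6x2uZ/JWvM32Wp7xq/uk8qbJYdGMMUDsu+upRs+LcoDzlilXK21
ovFKQXIBUWhca+yPgQIDAQAB
-----END PUBLIC KEY-----
"""
# mmccarn's key (/home/e-smith/dkim_keys/default/public), 2048-bit.
PEM_2048 = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2g57DDnaZuonYRNdKP5O
+26/15SesIt1jb40YH1Jrw5lWP9dUsc1IBwRSfQnWKWmCiBahNl9ZQMAII3luClR
CAOSmGmlW9x4s8O4Ft+qXDMEk9ec+EvlEeRzAElWfp9K8UYkvreuVHzPpve2Ib5d
k7YYc0p6K7l+4TIThFi2YZHcztJ2RqwPyY05YZWoB1aL9cy+InSQ1VS8Gm/uEpvR
OoA9R0RdZ/VPEUiTV7I7mwYt0hNgk5Q34fvjgHz7FSNQ+rykTYatL0zJkZSyqMhu
6JVFDV9xtd6qdFd/ybE5wdulkMexMys+wKOHzO9ZpMHedh+TBI12UtVhnTN9ImYv
PwIDAQAB
-----END PUBLIC KEY-----
"""
# The record as pasted in the first post: the PEM's 64-column line breaks
# survived as spaces inside p=.
PUBLISHED_AS_PASTED = (
    '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/e7g2BmSiqsAaJdo4US0pvIN1 '
    'eeKRuEYIPFJJiN/xZ42tN9yZNA8Tw0tR4OT6tcN6NJWIjngj1Ao4S2WVTPpU1p/X '
    'jutyXXe60b33e6x2uZ/JWvM32Wp7xq/uk8qbJYdGMMUDsu+upRs+LcoDzlilXK21 '
    'ovFKQXIBUWhca+yPgQIDAQAB"'
)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, DER-encoded OID
TXT_STRING_MAX = 255                                # RFC 1035 <character-string> limit


def pem_to_p(pem):
    """Strip PEM armour and line breaks; return the base64 body for the p= tag."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    p = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(p, validate=True)  # raises binascii.Error on stray whitespace/garbage
    return p


def dkim_txt_record(p):
    """Render the TXT RDATA, split into quoted strings of at most 255 bytes each."""
    record = "v=DKIM1; k=rsa; p=" + p
    parts = [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]
    return " ".join('"%s"' % part for part in parts)


def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(p):
    """Recover the RSA modulus size from the SubjectPublicKeyInfo carried in p=."""
    der = base64.b64decode(p)
    tag, s, _ = _tlv(der, 0)                    # SubjectPublicKeyInfo SEQUENCE
    assert tag == 0x30
    tag, s, alg_end = _tlv(der, s)              # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30 and der[s:alg_end].startswith(RSA_OID), "not an rsaEncryption key"
    tag, s, _ = _tlv(der, alg_end)              # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03
    tag, s, _ = _tlv(der, s + 1)                # skip unused-bits octet; RSAPublicKey SEQUENCE
    assert tag == 0x30
    tag, s, e = _tlv(der, s)                    # INTEGER modulus n (may carry a leading 0x00)
    assert tag == 0x02
    return int.from_bytes(der[s:e], "big").bit_length()


def parse_dkim_txt(txt):
    """Parse tag=value pairs; several quoted strings are concatenated, as DNS does."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for field in joined.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def audit_published(txt, pem):
    """Compare a published DKIM record with the local PEM public key."""
    tags = parse_dkim_txt(txt)
    p_raw = tags.get("p", "")
    p = re.sub(r"\s+", "", p_raw)
    return {
        "version_ok": tags.get("v") == "DKIM1",
        "key_type_ok": tags.get("k", "rsa") == "rsa",
        "whitespace_in_p": p != p_raw,          # line breaks pasted into the DNS panel
        "matches_local_key": p == pem_to_p(pem),
        "bits": rsa_modulus_bits(p) if p else 0,
    }
```

Running audit_published(PUBLISHED_AS_PASTED, PEM_1024) reports whitespace_in_p as True, matches_local_key as True and bits as 1024, so the key material itself is intact and the only defect is the embedded spaces; dkim_txt_record(pem_to_p(PEM_2048)) comes out as two quoted strings, which is what a panel limited to one 255-character field cannot hold.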

mdrone
Re: DKIM Question
« Reply #11 on: April 26, 2018, 02:47:24 PM »
Agree. 

I just submitted a bug . . .

https://bugs.contribs.org/show_bug.cgi?id=10572

Not sure that it is a bug. More likely just my ignorance of the topic.

Thanks for the help. Much appreciated.

mdrone
Re: DKIM Question
« Reply #12 on: April 26, 2018, 02:50:59 PM »
Thanks!  I'll check them out.

I used the result from the qpsmtpd-print-dns command to copy/paste into my DNS hosting service's panel.

ReetP
Re: DKIM Question
« Reply #13 on: April 26, 2018, 03:12:41 PM »
OK, no worries - you have tried your best - can't ask for more than that.

Hopefully one of the devs can sort it out.

mdrone
Re: DKIM Question
« Reply #14 on: April 26, 2018, 05:22:22 PM »
I decided to view the /var/log/qpsmtpd/current log via the SME Server Manager rather than via the terminal.

It reveals lines similar to this for virtually every message:

2018-04-25 19:29:05.045085500 23151 (data_post_headers) dkim: pass, we signed the message

And these lines when I sent mail to check-auth@verifier.port25.com

2018-04-26 10:16:03.061248500 13372 (data_post_headers) dkim: pass, valid signature, accept policy
2018-04-26 10:16:03.061248500 13372 (data_post_headers) dkim: karma 1 (2)


Would this suggest that the server is indeed posting dkim information (?)

The rabbit hole gets deeper and more mysterious.
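As an added example of my own (not qpsmtpd or SME Server code) of the log check ReetP suggested above, the script below parses sqpsmtpd log lines in both formats seen in this thread (ISO timestamp and the @-prefixed tai64n form) and classifies each connection by what the dkim plugin logged for it. The distinction matters for the last post: "dkim: pass, we signed the message" is the plugin signing a message the server is sending, while "dkim: pass, valid signature, accept policy" is the plugin verifying a signature on a message the server received (here the port25 report itself), so the second line says nothing about outbound signing. The sample log is constructed from lines quoted in the thread plus one invented connection (pid 6100) that spools a message without any dkim line at all, which is what an empty "grep dkim" would correspond to; the verdict names are assumptions for the example.

```python
"""Triage qpsmtpd/sqpsmtpd log lines for per-connection DKIM activity.

Added example for this thread; not qpsmtpd or SME Server code.
"""
import re

# Constructed sample: lines quoted in the thread, plus pid 6100, an invented
# connection that spools a message but never produces a dkim line.
SAMPLE_LOG = """\
2018-04-26 12:44:49.150968500 4045 spooling message to disk
2018-04-26 12:44:49.176859500 4045 (data_post_headers) dkim: pass, we signed the message
2018-04-26 12:44:49.193177500 4045 (data_post) bogus_bounce: pass, not a null sender
@400000005ae1b0d4319e1084 5016 (data_post_headers) running plugin: dkim
@400000005ae1b0d431b0c97c 5016 (data_post_headers) dkim: info, selector: default
@400000005ae1b0d43213b1cc 5016 (data_post_headers) dkim: pass, we signed the message
2018-04-26 10:16:03.061248500 13372 (data_post_headers) dkim: pass, valid signature, accept policy
2018-04-26 10:16:03.061248500 13372 (data_post_headers) dkim: karma 1 (2)
2018-04-26 13:01:10.000000000 6100 spooling message to disk
2018-04-26 13:01:10.010000000 6100 (data_post) naughty: pass
"""

# tai64n ("@" + 24 hex digits) or ISO timestamp, then pid, optional (hook), message.
LINE_RE = re.compile(
    r"^(?:@[0-9a-f]{24}|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?:\((?P<hook>\w+)\)\s+)?"
    r"(?P<msg>.*)$"
)
# Plugin result lines look like "dkim: <level>, <detail>".
DKIM_RE = re.compile(r"^dkim:\s+(?P<level>\w+),\s+(?P<detail>.*)$")


def parse_line(line):
    """Split one log line into pid, hook and message; None if it is not a qpsmtpd line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def dkim_summary(log_text):
    """Map each connection pid to a verdict derived from the dkim plugin's log lines.

    signed-outbound : the plugin signed a message this server is sending
    verified-inbound: the plugin verified a signature on a received message
    dkim-silent     : a message was spooled but the plugin logged nothing
    no-message      : no spooled message seen for this pid in the excerpt
    """
    state = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = state.setdefault(rec["pid"], {"spooled": False, "signed": False,
                                           "verified": False, "selector": None})
        msg = rec["msg"]
        if msg == "spooling message to disk":
            st["spooled"] = True
        d = DKIM_RE.match(msg)
        if not d:
            continue
        detail = d["detail"]
        if detail.startswith("we signed the message"):
            st["signed"] = True
        elif detail.startswith("valid signature"):
            st["verified"] = True
        elif detail.startswith("selector: "):
            st["selector"] = detail[len("selector: "):]
    verdicts = {}
    for pid, st in state.items():
        if st["signed"]:
            verdicts[pid] = "signed-outbound"
        elif st["verified"]:
            verdicts[pid] = "verified-inbound"
        elif st["spooled"]:
            verdicts[pid] = "dkim-silent"
        else:
            verdicts[pid] = "no-message"
    return verdicts


def silent_connections(log_text):
    """Pids that spooled a message without any dkim plugin output: the ones to chase."""
    return sorted(pid for pid, v in dkim_summary(log_text).items() if v == "dkim-silent")
```

On the sample, dkim_summary classifies 4045 and 5016 as signed-outbound, 13372 as verified-inbound and 6100 as dkim-silent; run over a real /var/log/sqpsmtpd/current, the silent connections are the outbound sessions to look at, and a log with only verified-inbound entries is not evidence that signing works.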