Koozali.org: home of the SME Server

DKIM sign

Offline Fumetto

DKIM sign
« on: May 26, 2020, 08:32:52 AM »
I have a lot of doubts and I'm looking for someone who will enlighten me.

From the manual I read that to enable DKIM for outgoing emails you just follow the procedure illustrated in the manual

Code:
db configuration setprop qpsmtpd DKIMSigning enabled
signal-event email-update
qpsmtpd-print-dns

The last command returns the specifications to be entered in the domain's DNS records. Okay, but I have some doubts.

First: If I use a smarthost for sending, could this cause problems?

Second: the adkim and aspf parameters (in the DMARC record) are currently set to "r"; is it necessary for adkim to be "s", as per the specifications provided by the command on SME? I understand that with "s" a check is made on the sender, but it is not clear to me how it works...

The DKIM record that the provider preset me is "different" from the one that SME gives me; specifically this is what the provider preset me

Quote
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmWTDqLKkuFsaSgrTv5VDzAGHMF3948wfrBc0O+mEt1WCQod1nP0nMSuiWFc72XeumGRM8nrMZ2NewxbWeRRt9qD4/rk2W3/tkiYRxvIqISYOqUrzJ4HT9FkUkgaKGzqt1I3mEv82W3jIHuoBYb6zB4nzpBRSTLUw55s72ozY8lQIDAQAB;"

and this is what SME gave me



I notice a significant difference; the provider has set me a much shorter public key than the one SME gives me. Among other things, it seems to me that the key is "divided" into two ("... p=first_piece_of_the_key""second_piece_of_the_key;t=y").

So, hypothetically, should I just use the first part of the key? Or do I have to put in all of it?

Could someone give me some advice to avoid doing damage?

TIA  :)
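
What adkim=s actually changes, as an added example that is not part of this thread and not code from SME Server or qpsmtpd: a small DMARC evaluator that applies the identifier-alignment rules of RFC 7489 section 3.1. In strict mode the DKIM d= domain (or the SPF MAIL FROM domain) must equal the From: header domain exactly; in relaxed mode it only has to share the organizational domain, so a signature made with d=mail.domain.it still aligns with From: domain.it. The DMARC record used is the one qpsmtpd-print-dns proposes later in this thread (adkim=s; aspf=r). The message scenarios, the relay domain smarthost.example, and the "last two labels" organizational-domain rule are assumptions made for the example; real verifiers use the Public Suffix List. The relay scenario also answers the smarthost question in general terms: when the envelope sender is the provider's domain, SPF cannot align with your From: domain, and an aligned DKIM signature is what keeps DMARC passing.

```python
# Added example, not code from the thread or from SME Server / qpsmtpd.
# Evaluates DMARC identifier alignment (RFC 7489 section 3.1) for one message.

# The DMARC record qpsmtpd-print-dns proposes in this thread (adkim=s, aspf=r).
POLICY_TXT = "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.it; pct=100"


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC or DKIM syntax) into a dict."""
    tags = {}
    for field in record.split(";"):
        name, sep, value = field.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """ASSUMPTION for this example: the organizational domain is the last two
    labels. Real verifiers consult the Public Suffix List (so 'example.co.uk'
    is not reduced to 'co.uk'); the simplification is fine for 'domain.it'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' demands an exact match with the From: domain,
    'r' accepts any domain under the same organizational domain (subdomains)."""
    hf = header_from.lower().rstrip(".")
    ad = auth_domain.lower().rstrip(".")
    if mode == "s":
        return hf == ad
    if mode == "r":
        return organizational_domain(hf) == organizational_domain(ad)
    raise ValueError(f"unknown alignment mode {mode!r}")


def evaluate_dmarc(policy_txt: str, header_from: str, dkim_results,
                   spf_domain: str, spf_result: str) -> dict:
    """DMARC result for one message.

    dkim_results: list of (d= domain, verifier result) pairs, one per signature.
    spf_domain / spf_result: the MAIL FROM domain SPF was checked against, and its result.
    DMARC passes when at least one *aligned* identifier passes; p= applies only to failures.
    """
    tags = parse_tags(policy_txt)
    adkim = tags.get("adkim", "r")  # both default to relaxed when absent
    aspf = tags.get("aspf", "r")
    dkim_ok = any(res == "pass" and aligned(header_from, d, adkim) for d, res in dkim_results)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, aspf)
    passed = dkim_ok or spf_ok
    return {
        "dkim": "pass" if dkim_ok else "fail",
        "spf": "pass" if spf_ok else "fail",
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else tags.get("p", "none"),
    }


if __name__ == "__main__":
    # Scenario 1: SME signs with d=domain.it; the relay's MAIL FROM is the provider's
    # domain (smarthost.example is an assumed name), so SPF cannot align and DKIM carries DMARC.
    print(evaluate_dmarc(POLICY_TXT, "domain.it", [("domain.it", "pass")], "smarthost.example", "pass"))
    # Scenario 2: the signature was made with d=mail.domain.it. Strict adkim rejects it ...
    print(evaluate_dmarc(POLICY_TXT, "domain.it", [("mail.domain.it", "pass")], "smarthost.example", "pass"))
    # ... while relaxed adkim accepts it.
    relaxed = POLICY_TXT.replace("adkim=s", "adkim=r")
    print(evaluate_dmarc(relaxed, "domain.it", [("mail.domain.it", "pass")], "smarthost.example", "pass"))
```

With p=none, as in the record above, a failing message is still delivered and only shows up in the aggregate reports, which is the right setting while you are checking that every legitimate sending path aligns.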

Offline Mophilly

Re: DKIM sign
« Reply #1 on: June 04, 2020, 05:57:37 PM »
I, too, am having a bit of trouble with DKIM. easydmarc.com indicates the dkim record is ok, but the dkim test fails for all but one email processed.

Quote
I notice a significant difference; the provider has set me a much shorter public key than the one SME gives me. Among other things, it seems to me that the key is "divided" into two ("... p=first_piece_of_the_key""second_piece_of_the_key;t=y").
I did not notice that. Interesting. Perhaps one is the public key and the other the private key?

Update: I see the quote marks in the documentation, too. https://wiki.fws.fr/smedev/qpsmtpd_096#publishing_your_dns_entries

I am not sure what to do here. I tried several things for the DKIM record:
 - use the entire output of the qpsmtpd command,
 - use the entire output minus the pair of quotes in the middle,
 - use only first "string",
 - use only the second "string".

None of these validated per easydmarc.com.
« Last Edit: June 04, 2020, 07:24:57 PM by Mophilly »
- Mark

Offline warren

Re: DKIM sign
« Reply #2 on: June 05, 2020, 07:43:32 PM »
@Fumetto  @Mophilly

If you look carefully at the output of:
Code:
qpsmtpd-print-dns
Code:
default._domainkey IN TXT "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D""fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"

you will see that there is a "" in that string. That needs to come out. (The above is the example from https://wiki.fws.fr/smedev/qpsmtpd_096#publishing_your_dns_entries.)

You can then check the validity of the key here : https://dkimcore.org/c/keycheck

Here is the key with the double "" removed; the below is what you paste into the key record checkbox:

Code:
v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbLivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+DfabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB
« Last Edit: June 05, 2020, 07:47:34 PM by warren »
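
Why the "" has to come out, and a check worth running before you paste anything, as an added example that is not part of this thread and not code from SME Server or qpsmtpd: the RDATA of a TXT record is a sequence of character-strings of at most 255 octets, and a 2048-bit RSA public key is 392 base64 characters plus the v= and p= tags, so it cannot fit in one. Zone-file syntax therefore writes it as two adjacent quoted strings, and in the wiki line quoted above the first string is exactly 255 characters long, which is where the "" sits. A DKIM verifier concatenates the strings with nothing in between (RFC 6376 section 3.6.2.2); a provider's web form that takes one value does that splitting itself, which is why you paste the joined text. The script below joins the strings, parses the tags, and decodes the p= value far enough, with a minimal DER reader and no third-party library, to report the RSA modulus size. Its inputs are the wiki zone line from the post above and the provider-supplied record from the first post; the provider's MIGf... value is the 1024-bit key form, which RFC 8301 keeps as the verifier minimum while asking signers to use 2048 bits.

```python
import base64
import re

# Added example, not code from the thread or from SME Server / qpsmtpd.
# Inputs copied from this thread: the wiki zone line as qpsmtpd-print-dns prints it
# (the key split at 255 characters) and the 1024-bit record the provider pre-set.
ZONE_LINE = (
    'default._domainkey IN TXT '
    '"v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/Qq3Ntpx2QNdRxGKMeKc2r9ULvyYW633IbL'
    'ivHznN9JvjJIbS54PGIEk3sSxvZSdpTRAvYlxn/nRi329VmcDK0vJYb2ut2rnZ3VO3r5srm+XEvTNPxij5eU4gqw+5'
    'ayySDjqzAMEMc5V7lUMpZ/YiqnscA075XiMF7iEq8Quv1y0LokmgwtxzOXEZap34WXlKyhYzH+D'
    '""'
    'fabF6SUllmA0ovODNvudzvEOanPlViQ7q7d+Mc3b7X/fzgJfh5P9f5U+iSmzgyGctSb6GX8sqsDMNVEsRZpSE'
    '3jd2Z33RDWyW21PGOKB/ZrLiliKfdJbd3Wo7AN7bWsZpQsei2Hsv1niQIDAQAB"'
)
PROVIDER_TXT = (
    'v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDmWTDqLKkuFsaSgrTv5VDzAGHMF3948w'
    'frBc0O+mEt1WCQod1nP0nMSuiWFc72XeumGRM8nrMZ2NewxbWeRRt9qD4/rk2W3/tkiYRxvIqISYOqUr'
    'zJ4HT9FkUkgaKGzqt1I3mEv82W3jIHuoBYb6zB4nzpBRSTLUw55s72ozY8lQIDAQAB;'
)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def txt_strings(zone_line: str) -> list:
    """The quoted character-strings of a zone-file TXT record, in order.
    Each is limited to 255 octets, which is why long keys arrive split."""
    rdata = re.split(r"\s+TXT\s+", zone_line, maxsplit=1, flags=re.I)[-1]
    return re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)


def txt_value(zone_line: str) -> str:
    """What a DKIM verifier sees: the strings concatenated with nothing between
    them (RFC 6376 section 3.6.2.2). Also what you paste into a single-value form."""
    return "".join(txt_strings(zone_line))


def parse_tags(record: str) -> dict:
    """Split 'tag=value;tag=value' (DKIM key record syntax) into a dict."""
    tags = {}
    for field in record.split(";"):
        name, sep, value = field.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_b64: str) -> int:
    """Modulus size of the RSA key inside a base64 SubjectPublicKeyInfo (the p= value)."""
    der = base64.b64decode(p_b64, validate=True)
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("p= is not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _der_tlv(spki, 0)  # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(spki, pos)  # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    tag, rsapub, _ = _der_tlv(bitstr, 1)
    tag_n, modulus, _ = _der_tlv(rsapub, 0)  # first INTEGER is the modulus n
    if tag != 0x30 or tag_n != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt: str) -> dict:
    """Parse a DKIM key record and report what a verifier would make of it."""
    tags = parse_tags(txt)
    notes = []
    if tags.get("v", "DKIM1") != "DKIM1":
        notes.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        notes.append("only k=rsa keys are inspected here")
    bits = 0
    if not tags.get("p"):
        notes.append("empty p=: the key is revoked, signatures will not verify")
    else:
        bits = rsa_modulus_bits(tags["p"])
        if bits < 1024:
            notes.append(f"{bits}-bit key: verifiers must reject it (RFC 8301)")
        elif bits < 2048:
            notes.append(f"{bits}-bit key: still accepted, but RFC 8301 says signers should use 2048")
    testing = "y" in tags.get("t", "").split(":")
    if testing:
        notes.append("t=y: testing mode, a failing signature counts as no signature; drop it once DKIM verifies")
    return {"bits": bits, "testing": testing, "tags": tags, "notes": notes}


if __name__ == "__main__":
    parts = txt_strings(ZONE_LINE)
    print(f"{len(parts)} strings, lengths {[len(p) for p in parts]}")
    print("SME key:     ", check_dkim_record(txt_value(ZONE_LINE)))
    print("provider key:", check_dkim_record(PROVIDER_TXT))
```

Run it against the line your own qpsmtpd-print-dns prints before touching DNS, then against what `dig +short TXT default._domainkey.yourdomain` returns afterwards: the second run is the one that catches a web form that silently truncated the value at 255 characters, because the DER reader then fails instead of reporting 2048 bits.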

Offline Fumetto

Re: DKIM sign
« Reply #3 on: June 05, 2020, 07:53:59 PM »
Many thanks warren; I'll try this at the weekend.
Can it be a problem if SME doesn't send directly but uses a smarthost?

Offline warren

Re: DKIM sign
« Reply #4 on: June 05, 2020, 09:06:09 PM »
Quote
Can it be a problem if SME doesn't send directly but uses a smarthost?

I've tested it using another SME server as my smarthost; when I view the original headers in Gmail I see that DKIM passes.

Offline Mophilly

Re: DKIM sign
« Reply #5 on: June 05, 2020, 09:47:49 PM »
Quote
@Fumetto  @Mophilly

you will see that there is a "" in that string. That needs to come out. (The above is the example from https://wiki.fws.fr/smedev/qpsmtpd_096#publishing_your_dns_entries.)

You can then check the validity of the key here: https://dkimcore.org/c/keycheck

I tried that; see my post. Nevertheless, I will try it again and use the dkimcore.org validator.
- Mark

Offline warren

Re: DKIM sign
« Reply #6 on: June 05, 2020, 10:23:39 PM »
Are you using the DKIM Record Lookup? https://easydmarc.com/tools/dkim

Have you created the DKIM DNS records for your domain? Example below:

Name                Type  TTL   RDATA
default._domainkey  TXT   1800  v=DKIM1;p=M.......

Offline Mophilly

Re: DKIM sign
« Reply #7 on: June 07, 2020, 12:32:18 AM »
Quote
Are you using the DKIM Record Lookup? https://easydmarc.com/tools/dkim

Have you created the DKIM DNS records for your domain? Example below:

Name                Type  TTL   RDATA
default._domainkey  TXT   1800  v=DKIM1;p=M.......

Yes. The DKIM signature validates, but in the email reports under "compliant sources" I see that the DKIM test is failing.
« Last Edit: June 07, 2020, 12:37:07 AM by Mophilly »
- Mark

Offline jameswilson

Re: DKIM sign
« Reply #8 on: June 09, 2020, 01:09:58 AM »
Quote
Yes. The DKIM signature validates, but in the email reports under "compliant sources" I see that the DKIM test is failing.
Having moved stuff recently I had to redo this
I added the things provided from the console, 3 records iirc
One for dkim, one for spf and the other for dmarc
I used the info from this command

qpsmtpd-print-dns <domain name>

That gives all the info you need to create the records
Bear in mind the txt and spf ones are duplicated if using 1and1 like me.
The output will give you 3 entries you need

Offline SchulzStefan

Re: DKIM sign
« Reply #9 on: June 09, 2020, 10:10:40 AM »
You might want to check your emails with this tool: https://www.mail-tester.com/

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline ReetP

Re: DKIM sign
« Reply #10 on: June 09, 2020, 10:13:44 AM »
Not sure if they are there already, but can someone scoop up some notes on testing sites and stuff them in the wiki please?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Mophilly

Re: DKIM sign
« Reply #11 on: June 09, 2020, 09:10:43 PM »
Thanks for the mail-tester and other links. That reveals quite a lot. I have homework to do. :-)

I will summarize my notes and add them to the wiki. (If you don't see an addition in a couple days, please check with the local constabulary in case I happened to submit myself to their care.)
- Mark

Offline ReetP

Re: DKIM sign
« Reply #12 on: June 09, 2020, 11:35:05 PM »
:lol:

Offline Fumetto

Re: DKIM sign
« Reply #13 on: June 09, 2020, 11:48:58 PM »
I think it works... in the next few days we will see the "dead and injured"... ^_^

A bit of history and notes: the situation is an SME with two cards, LAN and WAN (both class C). Direct reception, and sending via the domain service provider's smarthost... if the (sending) server gets blacklisted, that is the aforementioned domain service provider's problem, not that of the person in charge of the "mail by pigeon" ^_^

TIP: the username used for the smarthost connection was of the "username" type, without the "@domain.it" as on SME. This is BAD, as I found that some servers were reporting mail for this "discrepancy".

Once the provider's technical support had created the necessary "standard" keys, I only changed the key, replacing its content with the one SME indicates via the qpsmtpd-print-dns command,

so I replaced the value of "default._domainkey.domain.it" with the content of the SME data.

This is what I have
Code:
[root@server ~]# qpsmtpd-print-dns domain.it

Here are sample DNS entries you should add in your public DNS
The DKIM entry can be copied as is, but others will probably need to be adjusted
to your need. For example, you should either change the reporting email adress
for DMARC (or create the needed pseudonym)

default._domainkey IN TXT "v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHs3KyAcdQArmHV7601b9WJR5FCUL3zCcUwD980sKLxMeIIpsTw5dLdQ0gVsHM4RH5jAL2NYG2Wl4G/lYOIIG1T1IEcWwpp5wzZxHTt/Cbp9vAoz50Yf01YpU/dnIDxcNhGHaFzIsgr35SA0P78tAUkhW4TbpXGjxAW6wpklzEt1N+cfbIUGMQyk7lqsKZo8JP/wgqj8+TmnA8i3ycOdY/va58BIn4dq4niwTzgUykYaMoJdcDgCLTONuWy9s8WIbhenf9tc1qevYWqLQBklZWfrHKDBm18fooMcbNfmel6yMreDGrQtqsgstGxGqPD6lEsIswNA91uBJdN+hd2X6QIDAQAB;t=y"

@ IN SPF "v=spf1 mx a -all"
@ IN TXT "v=spf1 mx a -all"
_dmarc IN TXT "v=DMARC1; p=none; adkim=s; aspf=r; rua=mailto:dmarc-feedback@domain.it; pct=100"

[root@server ~]#

So I used only this
Code:
"v=DKIM1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHs3KyAcdQArmHV7601b9WJR5FCUL3zCcUwD980sKLxMeIIpsTw5dLdQ0gVsHM4RH5jAL2NYG2Wl4G/lYOIIG1T1IEcWwpp5wzZxHTt/Cbp9vAoz50Yf01YpU/dnIDxcNhGHaFzIsgr35SA0P78tAUkhW4TbpXGjxAW6wpklzEt1N+cfbIUGMQyk7lqsKZo8JP/wgqj8+TmnA8i3ycOdY/va58BIn4dq4niwTzgUykYaMoJdcDgCLTONuWy9s8WIbhenf9tc1qevYWqLQBklZWfrHKDBm18fooMcbNfmel6yMreDGrQtqsgstGxGqPD6lEsIswNA91uBJdN+hd2X6QIDAQAB;t=y"
With these settings, the tests on dkimvalidator have passed
Quote
DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed;........

Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed
d= Domain:          domain.it.it
s= Selector:        default
q= Protocol:       
bh=                 eRtHzJ7CTkah3t5pvCAO7Rq0dnoONNmihs/7+mkRUzE=
h= Signed Headers:  from:to:subject:date:message-id:mime-version:content-type
b= Data:            VItx+80NT8E+drOlHGtoPUM/........

Public Key DNS Lookup

Building DNS Query for default._domainkey.domain.it
Retrieved this publickey from DNS: v=DKIM1;p=MIIBIjANBgkqhkiG9w0BA.......

Validating Signature

result = pass
On mail-tester I managed to reach a score of 8.2 (with subject and body "test" and "test"... ^_^)

I will update you as soon as google and yahoo send daily reports.

Big thanks to warren for this big tip
Quote
...you will see that their is a ""  in that string. That needs to come out.

Thank you all!!! ^ _ ^

Offline Fumetto

Re: DKIM sign
« Reply #14 on: June 10, 2020, 09:38:53 PM »
Google likes DKIM ...
Quote
<record>
  <row>
    <source_ip>89.xx.xx.116</source_ip>
    <count>2</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>pass</dkim>
      <spf>pass</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <header_from>domain.it</header_from>
  </identifiers>
  <auth_results>
    <dkim>
      <domain>domain.it</domain>
      <result>pass</result>
      <selector>default</selector>
    </dkim>
    <spf>
      <domain>domain.it</domain>
      <result>pass</result>
    </spf>
  </auth_results>
</record>
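
Reading these reports in bulk, as an added example that is not part of this thread and not code from SME Server: the XML above is one <record> of a DMARC aggregate report (the schema is in RFC 7489 appendix C). Google and Yahoo send the whole report as a gzip or zip attachment to the rua= address, and the useful view is one line per source IP with the evaluated (aligned) DKIM and SPF results, so a source that is failing DKIM, the situation reported earlier in the thread, stands out immediately. The script wraps the quoted record in the minimal <feedback> envelope of a real report, adds a second constructed record from the documentation address 203.0.113.7 in which the raw SPF check passes for a relay domain but neither aligned check passes, and sniffs the attachment's magic bytes so .xml, .xml.gz and .zip all load the same way. The org_name and report_id values and the smarthost.example relay domain are invented for the example.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

# Added example, not code from the thread or from SME Server.
# Constructed sample: the <record> quoted in the post above, wrapped in the minimal
# <feedback> envelope of a real report, plus a second constructed record in which
# DKIM fails. org_name/report_id are invented; 203.0.113.7 is a documentation address.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>google.com</org_name>
    <report_id>example-report-id</report_id>
  </report_metadata>
  <policy_published>
    <domain>domain.it</domain><adkim>s</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>89.xx.xx.116</source_ip><count>2</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domain.it</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.it</domain><result>pass</result><selector>default</selector></dkim>
      <spf><domain>domain.it</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.7</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domain.it</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.it</domain><result>fail</result><selector>default</selector></dkim>
      <spf><domain>smarthost.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def load_report(data: bytes) -> ET.Element:
    """Reports arrive as .xml, .xml.gz or .zip attachments; sniff the magic bytes."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    elif data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            data = zf.read(zf.namelist()[0])
    return ET.fromstring(data)


def summarize(root: ET.Element):
    """The published policy plus one dict per <record>: source, volume,
    evaluated (aligned) results and the raw per-mechanism results behind them."""
    published = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": evaluated.findtext("disposition"),
            "dkim": evaluated.findtext("dkim"),  # aligned result, per published adkim
            "spf": evaluated.findtext("spf"),    # aligned result, per published aspf
            "dkim_raw": [(d.findtext("domain"), d.findtext("selector"), d.findtext("result"))
                         for d in auth.findall("dkim")],
            "spf_raw": [(s.findtext("domain"), s.findtext("result")) for s in auth.findall("spf")],
        })
    return published, rows


def failing_sources(rows):
    """Rows where at least one aligned check failed. A row where both fail is
    what a p=quarantine or p=reject policy would act on; a row where only one
    fails still passes DMARC but shows a path that is not fully set up."""
    return [r for r in rows if r["dkim"] != "pass" or r["spf"] != "pass"]


# The same sample as the compressed attachments a mailbox would actually receive.
SAMPLE_REPORT_GZ = gzip.compress(SAMPLE_REPORT)
_zip_buf = io.BytesIO()
with zipfile.ZipFile(_zip_buf, "w") as _zf:
    _zf.writestr("report.xml", SAMPLE_REPORT)
SAMPLE_REPORT_ZIP = _zip_buf.getvalue()


if __name__ == "__main__":
    published, rows = summarize(load_report(SAMPLE_REPORT_GZ))
    print("policy:", published)
    for r in rows:
        print(f"{r['source_ip']:>15} x{r['count']}  dkim={r['dkim']} spf={r['spf']}  raw dkim={r['dkim_raw']} raw spf={r['spf_raw']}")
    print("needs attention:", [r["source_ip"] for r in failing_sources(rows)])
```

The second record is the pattern to look for when a report says DKIM is failing for a source: the raw results tell you whether the signature itself did not verify (a wrong or truncated key, a relay that rewrote the signed headers) or whether it verified but for a domain that does not align with the From: header under the published adkim setting.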