
Email DKIM issues for @mydomain.com

Discussion in 'Domains, DNS, Email & SSL Certificates' started by pamamolf, Mar 3, 2017.

  1. pamamolf

    pamamolf Well-Known Member

    2,819
    253
    83
    May 31, 2014
    Ratings:
    +447
    Local Time:
    8:27 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    On one of my servers I have an issue with OpenDKIM not working correctly....

    I have done this many times with no issues, as it is very easy to do with this automated script....

    Checking the logs I found this:

    Code:
    no signing table match for 'info@mydomain.com'
    Any ideas on what to check?

    Thank you
     
    Last edited: Mar 3, 2017
  2. eva2000

    eva2000 Administrator Staff Member

    30,938
    6,912
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,408
    Local Time:
    4:27 PM
    Nginx 1.13.x
    MariaDB 5.5
    Last edited: Mar 4, 2017
  3. pamamolf

    Problem found but not sure how to fix.....

    Checking using:

    Code:
    cat /etc/opendkim/SigningTable
    Code:
    *@server.maindomain.com default._domainkey.server.maindomain.com
    *@domain2.com default._domainkey.domain2.com
    *@domain3.com default._domainkey.domain3.com
    My main domain is missing there, i.e. a line like this:

    Code:
    *@maindomain.com default._domainkey.maindomain.com
    But there is a log for my maindomain, so I didn't forget to run OpenDKIM for it:

    Code:
    dkim_spf_dns_maindomain.com_150916-012841.txt
    But I don't know what else I should edit to get this to work.....

    Which other files need to be edited...... Or should I go ahead with the clean option and re-run?

    I think just running:

    Code:
    /usr/local/src/centminmod/addons/opendkim.sh maindomain.com
    should solve the issue :)
     
    Last edited: Mar 3, 2017
  4. pamamolf

    I just tested this one:

    Code:
    /usr/local/src/centminmod/addons/opendkim.sh maindomain.com
    and I can see it listed now in /etc/opendkim/SigningTable

    but now I am getting this error at an online mail tester:

    Code:
    Your DKIM signature is not valid
    :(
     
  5. pamamolf

    The DKIM signature of your message is:

    Code:
       v=1;
       a=rsa-sha256;
       c=relaxed/simple;
       d=maindomain.com;
       s=default;
       t=1488488270;
       bh=uIa6+XxGOoa1gFu4+4mwiFJBs1Bt81F8Zdqr2uV72JY=;
       h=To:Subject:Date:From:Reply-To:From;
       b=hzpCJ7Z+vR7aeZa8dFfR4WVI6iYrfo5Ta4wu36UJpHdeWSpazkDFMmUfzBmyflarJcfZm7DF+tcHb19wghQ0JQOuK1tmrixBnlP564In1/iFXpXmOP9xaVtx9XxgfGNEaAbpV5Wh9byO3D95Wid8rqMzzEM6xaKcJXieR1m2zO4=
    Your public key is:

    Code:
    "v=DKIM1;
    k=rsa;
    p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCvJLxDK3jbcm4owWz1asY/B/fjgprvymH/p7GFE0FHl84Ndae85rInYZfRDYmE4EgXCp0ayvasxZWl94JxR8oRetuzYCQdpOu3QlCXOC4bdON7w9xij2JJxli3PBxwkf0XrAdUErRaaGtdrT3QYg3ZsOjJhVj0K6j5z4jFsOWUjQIDAQAB"
    Key length: 1024 bits

    Your DKIM signature is not valid

    Algorithm doesn't match? rsa vs rsa-sha256?

    Just tested on another online service with result:

    Code:
    Validating Signature:
    
    result = fail
    Details: bad RSA signature
    But I don't know why, as I have the same settings for Postfix and OpenDKIM on my other servers and never had that issue :(
     
    Last edited: Mar 3, 2017
  6. eva2000

    Remember, addons/opendkim.sh is officially only meant for the main server hostname, i.e. hostname.domain.com of your server, and not other domains. So running
    Code (Text):
    /usr/local/src/centminmod/addons/opendkim.sh maindomain.com
    

    while it is supported, the DKIM entry generated on the server might not match the DKIM entry sent from emails @maindomain.com if you use a recommended 3rd party @yourdomain.com provider, i.e. Zoho Mail, Google Gsuite, Microsoft Live/One domains etc., as they have their own DKIM generated DNS TXT entry you would be directed to add.

    To troubleshoot the addons/opendkim.sh setup, post the contents of the following files to pastebin.com or gist.github.com. You can use the cat command to output them to the display and then highlight, copy and paste the contents.
    • /etc/opendkim/KeyTable
      Code (Text):
      cat /etc/opendkim/KeyTable
    • /etc/opendkim/SigningTable
      Code (Text):
      cat /etc/opendkim/SigningTable
    • /etc/opendkim/TrustedHosts
      Code (Text):
      cat /etc/opendkim/TrustedHosts
    • /root/centminlogs/dkim_spf_dns_domain.com_${DT} where domain.com is the domain name and/or server main hostname.domain.com you are setting up
      Code (Text):
      cat /root/centminlogs/dkim_spf_dns_domain.com_${DT}
    If you run the clean command below, you will reset and wipe all OpenDKIM KeyTable, SigningTable and TrustedHosts entries for the main hostname of the server ONLY, leaving any vhostname sites you added, as the clean command is only for the main hostname. Then opendkim.sh will automatically re-run addons/opendkim.sh for the main hostname to regenerate a new DKIM signature TXT entry and require you to update your main hostname's domain DNS TXT entry for DKIM again.
    Code (Text):
    /usr/local/src/centminmod/addons/opendkim.sh clean
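
The lookup behind the "no signing table match" log line, as an added example that is not part of the original posts or of Centmin Mod's scripts: a sender is matched against the SigningTable patterns, and the key name it yields is then looked up in the KeyTable. Assumptions: `fnmatch` globbing stands in for OpenDKIM's wildcard matching, the first matching line wins, and the sample tables and key file paths are constructed.

```python
import fnmatch

# Constructed sample tables modelled on the ones quoted in this thread.
SIGNING_TABLE = """\
*@server.maindomain.com default._domainkey.server.maindomain.com
*@domain2.com default._domainkey.domain2.com
*@domain3.com default._domainkey.domain3.com
"""
# KeyTable rows are "keyname domain:selector:/path/to/private/key".
# The key file paths below are constructed placeholders.
KEY_TABLE = """\
default._domainkey.server.maindomain.com server.maindomain.com:default:/etc/opendkim/keys/server.maindomain.com/default
default._domainkey.domain2.com domain2.com:default:/etc/opendkim/keys/domain2.com/default
"""


def parse_table(text):
    """Return (key, value) pairs, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            rows.append((fields[0], fields[1].strip()))
    return rows


def resolve_sender(sender, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Follow a sender through SigningTable, then KeyTable."""
    keys = dict(parse_table(key_table))
    for pattern, key_name in parse_table(signing_table):
        if not fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            continue
        if key_name not in keys:
            # SigningTable points at a key the KeyTable never defines.
            return {"status": "key name not in KeyTable", "key_name": key_name}
        domain, selector, key_file = keys[key_name].split(":", 2)
        return {"status": "ok", "key_name": key_name, "key_file": key_file,
                "dns_name": f"{selector}._domainkey.{domain}"}
    return {"status": "no signing table match"}


if __name__ == "__main__":
    for addr in ("root@server.maindomain.com", "info@maindomain.com",
                 "info@domain3.com"):
        print(addr, "->", resolve_sender(addr))
```

The `dns_name` in the result is the TXT record name a verifier will query, and `key_file` is the private key that has to exist and be readable by OpenDKIM.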
    
     
  7. pamamolf

    Then the issue may be that I use Zoho for my @maindomain.com and the server (OpenCart) sends a mail when a user registers using the @maindomain.com and rsa doesn't match?
     
  8. eva2000

    Yes, Zoho has its own DKIM generation key for the TXT DNS record you have to set up :) Most 3rd party @yourdomain.com email providers have their own recommended instructions for DKIM and SPF, so consult their documentation and tech support :)
     
  9. pamamolf

    Doesn't seem to have a fix for it :(

    So creating a DKIM there will not help....

    When I enable the DKIM there I can see from the mail logs that OpenCart is trying to send all mails that a user tries to use to root@domain.com

    When I disable the DKIM at Zoho all emails are routed to the correct mails that every user uses, but the signature does not match :(

    Hope someone that uses Zoho can help with it ....
     
  10. SFLC

    SFLC Active Member

    224
    59
    28
    Dec 4, 2016
    The Canadas
    Ratings:
    +112
    Local Time:
    8:27 AM
    1
    10
    I personally use the DKIM keys from OpenDKIM and also the Zoho Mail ones, all for different domains, and it works perfectly. Are you forgetting to add your DKIM lines in DNS?

    Examples:
    Code:
    _dmarc    v=DMARC1; p=none; pct=100; rua=mailto:sdhflsdhflsjdflskf@dmarc.postmarkapp.com; sp=none; aspf=r;
    
    default._domainkey      v=DKIM1; k=rsa; p=kfljsfhwifhuiwieudwoeuidbwfbwcwiubiwfwieiweuhpwnpwbpeiuhdwiuhwieuhwiofowiufwioufwiufwoifbwoifbiwubfwiubfwiubfiwubfiwubefiwubfiwubfiwf
    Both as type text, and don't forget about your SPF line as well. Then send a test to your Gmail account and look at the header source to see what Google thinks about all this.
     
  11. SFLC

    If you're using Zoho on the same server or for subdomains then change the key names to something else like xyz.domainkey etc., because you can't have multiple DKIM keys with the same name, and if your DNS manager allows you to do that for some reason the outcome would be unknown, as I'm not sure how it'll decide which one to go for.
     
  12. pamamolf

    I have done the above ....

    It seems some keys don't match or something related is wrong :(

    When a user registers, the server generates a welcome email and sends it to the user using info@mydomain.com

    I am using Zoho to handle that domain info@mydomain.com but I think it is not related to the Zoho settings.....

    Let me troubleshoot and post here some info that may help....
     
  13. pamamolf

    From check-auth2@verifier.port25.com:

    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result: neutral (message not signed)

    Just found that I am missing at:

    Code:
    /etc/opendkim/keys
    and
    Code:
    /etc/opendkim/keys/mydomain.com

    the file:
    Code:
    default.private
    as I can see on another server that is working that I have that file there......

    I can see only two files (default and default.txt)

    I think that I will need to regenerate the OpenDKIM keys to fix that......?

    If yes, how?
     
    Last edited: Mar 4, 2017
  14. pamamolf

    Code:
    Mar  4 03:25:57 server postfix/pickup[16973]: 2B574A033E: uid=1001 from=<info@mydomain.com>
    Mar  4 03:25:57 server postfix/cleanup[19128]: 2B574A033E: message-id=<20170304032557.2B574A033E@server.mydomain.com>
    Mar  4 03:25:57 server opendkim[16994]: 2B574A033E: DKIM-Signature field added (s=default, d=mydomain.com)
    Mar  4 03:25:57 server postfix/qmgr[16974]: 2B574A033E: from=<info@mydomain.com>, size=1675, nrcpt=1 (queue active)
    Mar  4 03:25:57 server postfix/pickup[16973]: 3C7E4A017E: uid=1001 from=<info@mydomain.com>
    Mar  4 03:25:57 server postfix/cleanup[19128]: 3C7E4A017E: message-id=<20170304032557.3C7E4A017E@server.mydomain.com>
    Mar  4 03:25:57 server opendkim[16994]: 3C7E4A017E: DKIM-Signature field added (s=default, d=mydomain.com)
    Mar  4 03:25:57 server postfix/qmgr[16974]: 3C7E4A017E: from=<info@mydomain.com>, size=1043, nrcpt=1 (queue active)
    Mar  4 03:25:57 server postfix/local[19136]: 3C7E4A017E: to=<root@mydomain.com>, orig_to=<info@mydomain.com>, relay=local, delay=0.14, delays=0.09/0.04/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
    Mar  4 03:25:57 server postfix/qmgr[16974]: 3C7E4A017E: removed
    Mar  4 03:25:59 server postfix/smtp[19133]: Untrusted TLS connection established to mailtest.com[94.23.206.89]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
    Mar  4 03:26:00 server postfix/smtp[19133]: 2B574A033E: to=<blabla@mailtest.com>, relay=mail-tester.com[94.23.206.89]:25, delay=3, delays=0.1/0.12/2.6/0.19, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 181469F7A6)
    Mar  4 03:26:00 server postfix/qmgr[16974]: 2B574A033E: removed
    And as I can check at online validation services, using default as the selector, I pass all checks for DKIM with no issues....

    So my DNS should be ok..... The sha1 and sha-256 don't seem to match :(
     
  15. eva2000

    Then you shouldn't be using local Postfix for anything. Your web application should have support for using the external SMTP server at Zoho, and emails sent from info@mydomain.com should be sent from the defined Zoho SMTP server within your web app; mail servers should then look up the DKIM and SPF DNS TXT entries that Zoho got you to set up for their servers. None of the emails from info@mydomain.com should be sent from local Postfix in this case, and by default Centmin Mod doesn't configure Postfix to send emails from @mydomain.com anyway. The Centmin Mod default for locally sent email is from root@mainhostname.mydomain.com, which is what addons/opendkim.sh runs setup for (@mainhostname.mydomain.com sent emails) and what the Getting Started Guide Step 1 mainhostname.mydomain.com DNS setup outline and https://community.centminmod.com/th...ver-email-doesnt-end-up-in-spam-inboxes.6999/ are for.
     
  16. pamamolf

    Ok thanks George :)

    I am trying to avoid the SMTP and trying to use a valid DKIM signature on my server ....

    I always do it that way and it works... Now I don't know why it doesn't work only for this server....

    I just checked again on another server and it is working...

    The only difference is the bounce address, which on the working server is:

    nginx@mydomain.com

    and the non-working one has:

    info@mydomain.com

    Also the signed email that is working has the sha256 on it, so there are no related issues there...

    Anyway i will try to figure it out....

    Thanks !

    @SFLC

    Do you use SMTP for your emails?

    Can you please send a mail and check that your DKIM is ok at mail-tester.com?
     
    Last edited: Mar 4, 2017
  17. pamamolf

    Another one: I think the added header may cause this issue:

    On the working one:
    h=To:Subject:Date:From;

    On the non-working one:
    h=To:Subject:Date:From:Reply-To:From;

    I think the issue may be here at Reply-To:From; but I don't know how to remove it yet :)

    Both checks here are ok:

    Check a DKIM Core Key

    It has to do with the headers, I think, and the bounce mail.....
     
    Last edited: Mar 4, 2017
  18. eva2000

    FYI, sending emails via an SMTP server is more reliable, especially if you're using 3rd party SMTP transactional providers like Amazon SES, Sendgrid, Mailgun etc :)
     
  19. pamamolf

    Ok problem solved :)

    Please don't hit me on the head :p

    Checking the DKIM key, it looked, at least in the first digits and the digits at the end, like the one that I had at my DNS provider, and I didn't replace it ...

    Now I replaced my old key with the key that I generated and I am getting 10/10 on tests!

    It seems the key was not the same but starting and ending with the same letters/digits!

    WOW

    I will do a test after a few hours just to be sure about it and all seems to be good :)
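
A full-length comparison of the locally generated record against the published one, as an added example that is not part of the original posts: every 1024-bit RSA public key in this encoding starts with the same `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` header and, with the usual exponent 65537, ends in `IDAQAB`, so matching ends say nothing about the key in between. The record texts below are constructed and shortened (not real keys), and the function names are hypothetical.

```python
import re

PREFIX = "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC"  # shared DER header
SUFFIX = "IDAQAB"                                     # exponent 65537

# Constructed sample: zone-file form, as found in a generated default.txt.
LOCAL_TXT = ('default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; "\n'
             '\t  "p=' + PREFIX + 'AAAA1111' + SUFFIX + '" )'
             '  ; ----- DKIM key default for mydomain.com')
# Constructed sample: dig-style answer, split into two quoted strings.
DNS_TXT = '"v=DKIM1; k=rsa; p=' + PREFIX + 'BBBB" "2222' + SUFFIX + '"'


def extract_p(record_text):
    """Return the p= value with quoted chunks joined and whitespace removed."""
    chunks = re.findall(r'"([^"]*)"', record_text)
    joined = "".join(chunks) if chunks else record_text
    tags = {}
    for part in joined.split(";"):
        name, sep, value = part.partition("=")  # base64 '=' padding stays in value
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags.get("p")


def compare_keys(local_txt, dns_txt, edge=6):
    """Compare whole p= values and report where they first differ."""
    local, published = extract_p(local_txt), extract_p(dns_txt)
    if local is None or published is None:
        return {"match": False, "reason": "missing p= tag"}
    if local == published:
        return {"match": True}
    first_diff = next((i for i, (a, b) in enumerate(zip(local, published))
                       if a != b), min(len(local), len(published)))
    return {"match": False, "first_diff": first_diff,
            "same_prefix": local[:edge] == published[:edge],
            "same_suffix": local[-edge:] == published[-edge:]}


if __name__ == "__main__":
    print(compare_keys(LOCAL_TXT, DNS_TXT))
```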
     
  20. eva2000

    Where did the old and new DKIM keys come from? addons/opendkim.sh, right?