Hi,

I've upgraded to 0.10.20 and I noticed the removal of underscore in the DKIM selector.

I know it's old but I've been using dkim-filter perfectly for 6 years, I don't know if it's coincidence but after the upgrade Google and Outook give a:

Authentication-Results: mx.google.com;
    dkim=temperror (no key for signature) header.i=@xxxxxxxx.com header.s=dkim_1 header.b=gJgMgR3B;

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=xxxxxxx.com;
	s=dkim_1; t=1596958620;
	bh=OcFrXmsxPwiq9nLiqWOthXQmkOsI8oRkgTPZrapwNcQ=;
	h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type:
	 Content-Transfer-Encoding;
	b=i6AsOFO6zo8/9OX4mnKexsYMhCkmmD6kwZKOGlCv841/2/6GnifTBNwb0G22llbj8
	 l4A55phHEFtxWpxqTeremRJRe0pDB8cFwRZ0gc7LWCH5+wJm+1wiK6IA1pMgMF6uVk
	 WOUqByJPsLB0GFVxwAPr/G1Ri+0HtmdhG8lPtTT8=

See that the tag s=dkim_1 still has the underscore in it.. I suspect the error comes from this.. Could it be that there is a cache on Google and Outlook servers?

I tested the record with "dig" and it seems to be fine.

dig dkim1._domainkey.xxxxxxxx.com IN TXT

; <<>> DiG 9.10.6 <<>> dkim1._domainkey.xxxxxxxx.com IN TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47910
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dkim1._domainkey.xxxxxxxxx.com. IN	TXT

;; ANSWER SECTION:
dkim1._domainkey.xxxxxxxxx.com. 41008 IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNM1lxpivQagMjp2KAk0wVUw+OeXFKYyzZ1qbTCUQbvWsFmKPasIOq6dK7F+BMYihelr+T4FP5/GFzwcYEZbA9GxOjpW87iVF7qXgOiYndEpu7ELz9sCrx4AQaXwdGMn/4sAIvTtK6hzqehgulWlTAw59grv4WBOx76ss/m0Ui/wIDAQAB;t=s"

I also manually  deleted the dkim keys from /etc/postfix/dkim and run /usr/bin/php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --debug to regenerate all the files which it did.

And I did also send an  email to auth-results@verifier.port25.com and the result is still showing the underscore on DKIM selector:

DKIM check details:
----------------------------------------------------------
Result:         permerror (syntax error in s= tag: Error in "dkim_1": invalid character U+005F ('_') in domain label)
ID(s) verified: 

DNS record(s):

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

The TXT record is due to 43200 seconds (7 hours) so maybe I have to wait those hours for all the servers to replicate the dkim selector change?

Any idea where else could i look?

Thanks!

 

Sounds most likey like DNS yes. I would be able to check from here but you anonymized your domain

I just sent you a private message with the domain

Thanks!

nice, it's a valid entry and the dns records are just fine, so i'd say give it a bit more time, most likely dns-cache stuff

Yes.. I'll wait and check again at the end of the day or tomorrow and see if it's a cache problem. I hope it is and it seems so, otherwise I don't know where else to look at. As you see the entry is valid and all looks good fingers crossed!

Thanks and I let you know!

 

as my server resolves the entry correctly, you might want to send a test-mail to mk@froxlor.support and I can tell you whether it all works fine

Email sent

hm, still sends the wrong identifiert: 

dkim=none (invalid DKIM record) header.d=yourdomain.com header.s=dkim_1 header.b=Us+Rd1Zt;

So the problem seems to be a wrong config, i wasnt aware of the way dkim-filter works (way too old never used that anyway), the manpages say:

Quote

[...] The selector used in the signature will be the filename portion of keypath.  If the file referenced by keypath cannot be opened, the filter will try again by appending ".pem" and then ".private" before giving up.

So this means, the following changes to lib/Froxlor/Cron/Dns/DnsBase.php.php are necessary:

diff --git a/lib/Froxlor/Cron/Dns/DnsBase.php b/lib/Froxlor/Cron/Dns/DnsBase.php
index f51ff6bc..820c9df2 100644
--- a/lib/Froxlor/Cron/Dns/DnsBase.php
+++ b/lib/Froxlor/Cron/Dns/DnsBase.php
@@ -195,8 +195,8 @@ abstract class DnsBase
 
                        while ($domain = $result_domains_stmt->fetch(\PDO::FETCH_ASSOC)) {
 
-                               $privkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim_' . $domain['dkim_id']);
-                               $pubkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim_' . $domain['dkim_id'] . '.public');
+                               $privkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id']);
+                               $pubkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id'] . '.public');
 
                                if ($domain['dkim_privkey'] == '' || $domain['dkim_pubkey'] == '') {
                                        $max_dkim_id_stmt = Database::query("SELECT MAX(`dkim_id`) as `max_dkim_id` FROM `" . TABLE_PANEL_DOMAINS . "`");

 

Yes! that was it It works now.

For the moment I just modified the file manually until a new froxlor version comes out

Thanks!

 

First friday of the months  too bad i just releases 0.10.20 xD

It's ok! I'll wait it doesn't bother me at all. What's important is now we know why it was failing.

Thanks.