Jump to content
Froxlor Forum
  • 0

Is DKIM broken on latest Froxlor 0.10.22 update? (no key for signature)


llucps

Question

Hi,

I just found out the that starting on the 8th of November which I believe is when I updated to the latest 0.10.22 froxlor the DKIM fails to send the public key. Looking at the email message source:

 dkim=temperror (no key for signature) header.i=@xxxxxxxxx.com header.s=dkim1.priv header.b=kWkNNAzJ;

I just checked the froxlor database and the public and private keys are there. I also check the /etc/postfix/dkim/ and all the keys are also there, including dkim-keys.conf which lists all domains and its keys

In fact I haven't changed or modified anything related to this, not at that I'm aware of anyway.

I found this post

But I don't know if it's related to my problem,

I also restart postfix, dkim-filter, dovecot and the same dkim=temperror (no key for signature)

Are you aware if there is change on the latest froxlor update that could cause this? or any idea how else to debug this? It's really strange since nothing seems to be changed from my side.

Thanks,

Lluc

P.D. Could it be a permissions problem? I checked the /etc/postfix/dkim/ directory and the owner is root:root. Is this correct? I don't recall changing this neither. Just in case rings a bell.

OK.. could it be this change? I suspect is coming from this change.. maybe?

https://github.com/Froxlor/Froxlor/commit/15a13a7783d85f77efe1619ed85bd46e9ad3935b

More things:

On my /etc/postfix/dkim/ I have:

drwxr-xr-x 2 root root 4096 Nov  7 11:32 .
drwxr-xr-x 7 root root 4096 Aug 20 11:39 ..
-rw-r----- 1 root root  887 Aug  9 10:58 dkim1
-rw-r----- 1 root root  887 Nov  7 11:32 dkim1.priv
-rw-r--r-- 1 root root  272 Aug  9 10:58 dkim1.public
-rw-r----- 1 root root  887 Aug  9 10:58 dkim2
-rw-r----- 1 root root  887 Nov  7 11:32 dkim2.priv
-rw-r--r-- 1 root root  272 Aug  9 10:58 dkim2.public
-rw-r----- 1 root root  887 Aug  9 10:58 dkim3
-rw-r----- 1 root root  887 Nov  7 11:32 dkim3.priv
-rw-r--r-- 1 root root  272 Aug  9 10:58 dkim3.public
-rw-r----- 1 root root  887 Aug  9 10:58 dkim4
-rw-r----- 1 root root  887 Nov  7 11:32 dkim4.priv
-rw-r--r-- 1 root root  272 Aug  9 10:58 dkim4.public
-rw-r----- 1 root root  887 Aug  9 10:58 dkim6
-rw-r----- 1 root root  887 Nov  7 11:32 dkim6.priv
-rw-r--r-- 1 root root  272 Aug  9 10:58 dkim6.public
-rw-r----- 1 root root  887 Aug  9 10:58 dkim7
-rw-r----- 1 root root  887 Nov  7 11:32 dkim7.priv
-rw-r--r-- 1 root root  272 Aug  9 10:58 dkim7.public

which the dkim1, dkim2 etc.. are the "old" private files, and the dkim1.priv dkim2.priv etc. are the new private keys file created with the latest commit I just published above.

In the dkim-keys.conf I have:

*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim1.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim2.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim3.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim4.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim5.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim6.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim7.priv

Although it looks ok to me... it's pointing the the dkim*.priv files

Link to post
Share on other sites

12 answers to this question

Recommended Posts

  • 0

Since according to DomainKeys settings in Froxlor, only dkim-filter is supported, I'm using dkim-filter with this following config:

# Log to syslog
Syslog                  yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask                   002

# Sign for example.com with key in /etc/mail/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain                  /etc/postfix/dkim/domains
#KeyFile                /etc/mail/dkim.key
#Selector               2007

# Common settings. See dkim-filter.conf(5) for more information.
#AutoRestart            no
#Background             yes
#Canonicalization       simple
#DNSTimeout             5
#Mode                   sv
#SignatureAlgorithm     rsa-sha256
#SubDomains             no
#ADSPDiscard            no
#Version                rfc4871
#X-Header               no

###############################################
# Other (less-standard) configuration options #
###############################################
#
# If enabled, log verification stats here
#Statistics             /var/run/dkim-filter/dkim-stats
#
# KeyList is a file containing tuples of key information. Requires
# KeyFile to be unset. Each line of the file should be of the format:
#    sender glob:signing domain:signing key file
# Blank lines and lines beginning with # are ignored. Selector will be
# derived from the key's filename.
KeyList         /etc/postfix/dkim/dkim-keys.conf
#
# If enabled, will generate verification failure reports for any messages
# that fail signature verification. These will be sent to the r= address
# in the policy record, if any.
#SendReports            yes
#
# If enabled, will issue a Sendmail QUARANTINE for any messages that fail
# signature verification, allowing them to be inspected later.
#Quarantine             yes
#
# If enabled, will check for required headers when processing messages.
# At a minimum, that means From: and Date: will be required. Messages not
# containing the required headers will not be signed or verified, but will
# be passed through
#RequiredHeaders        yes

Socket          inet:8891@localhost
On-Default accept
On-BadSignature accept
On-DNSError accept
On-InternalError accept
On-NoSignature accept
On-Security accept

and frolxor settings:

995104090_Screenshot2020-11-19at19_26_23.thumb.jpg.41c1a3c0170cfc5e45f6db6a798ec105.jpg

Link to post
Share on other sites
  • 0

Yes I posted the dkim-keys.conf on my previous post, which every line is for every domain I have on my system

*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim1.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim2.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim3.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim4.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim5.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim6.priv
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim7.priv

What I could try is to undo the .priv change on the commit you did on october the revert it how it was and see if it's working.

Link to post
Share on other sites
  • 0
7 minutes ago, d00p said:

Shouldnt the public key be in that reference file?

Both .priv and .public files are inside /etc/postfix/dkim directory.. but I don't recall at all the the public keys were referenced on the dkim-config.keys file, I'm pretty sure only the private keys are referenced.

So....

I just removed the .priv extension that was added to the commit https://github.com/Froxlor/Froxlor/commit/15a13a7783d85f77efe1619ed85bd46e9ad3935b

so the dkim-config.keys looks for:

*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim1
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim2
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim3
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim4
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim5
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim6
*@xxxxxx.com:xxxxxxx.com:/etc/postfix/dkim/dkim7

and it WORKS

Authentication-Results: mx.google.com;
       dkim=pass header.i=@xxxxxxxxx.com header.s=dkim1 header.b=MAWt7cPM;

I don't know what to do now... :(

Link to post
Share on other sites
  • 0
4 minutes ago, d00p said:

I think the problem is "Selector will be derived from the key's filename." ... so the key name is dkim1 and not dkim1.priv 

umm. sorry I'm not sure I quite follow you.. Do you mean that commit should be revert it? and leave the key name as it was:

$privkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id']);

 

Link to post
Share on other sites
  • 0

Seems to be necessary for dkim-milter which to be fank noone i know uses anymore...you might want to consider switching to something like rspamd or amavsid. As almost noone runs their own nameserver this is sadly something where not much work is put into - sorry. If this works for you for now, patching the filename could be a solution.

What I could do to satisfy both needs is make adding the extension a setting so you can chose

Link to post
Share on other sites
  • 0
1 minute ago, d00p said:

Seems to be necessary for dkim-milter which to be fank noone i know uses anymore...you might want to consider switching to something like rspamd or amavsid. As almost noone runs their own nameserver this is sadly something where not much work is put into - sorry. If this works for you for now, patching the filename could be a solution.

What I could do to satisfy both needs is make adding the extension a setting so you can chose

I understand.. I would change to openkdim, but since it's not supported and I'm a bit afraid to make the change in case I screw up my email setup.

I'll leave the change I did to remove .priv from lib/Froxlor/Cron/Dns/DnsBase.php for the moment.

I would really appreciate if you can add the option the chose both options on the dkim Froxlor settings so I can continue it to use it with dkim-keys for the moment. eventually I'll have to make the change.. I know.

Thanks @d00p

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...