DKIM amavis email not signed

Discussion in 'Installation/Configuration' started by MrWolf, Aug 8, 2013.

  1. andcha

    andcha New Member

    Hi
    I am trying to install this with the instructions on your blog but am stuck on
    Code:
    perl -MCPAN -e 'install Mail::DKIM'
    This is the error I am getting

    Code:
    root@ns01:/tmp# perl -MCPAN -e 'install Mail::DKIM'
    Going to read '/root/.cpan/Metadata'
      Database was generated on Mon, 28 Oct 2013 03:29:02 GMT
    Running install for module 'Mail::DKIM'
    Running make for J/JA/JASLONG/Mail-DKIM-0.40.tar.gz
    Checksum for /root/.cpan/sources/authors/id/J/JA/JASLONG/Mail-DKIM-0.40.tar.gz ok
    
      CPAN.pm: Going to build J/JA/JASLONG/Mail-DKIM-0.40.tar.gz
    
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Mail::DKIM
    Writing MYMETA.yml
    cp lib/Mail/DKIM/AuthorDomainPolicy.pm blib/lib/Mail/DKIM/AuthorDomainPolicy.pm
    cp lib/Mail/DKIM/KeyValueList.pm blib/lib/Mail/DKIM/KeyValueList.pm
    cp lib/Mail/DKIM/PrivateKey.pm blib/lib/Mail/DKIM/PrivateKey.pm
    cp lib/Mail/DKIM/Algorithm/rsa_sha256.pm blib/lib/Mail/DKIM/Algorithm/rsa_sha256.pm
    cp lib/Mail/DKIM/Algorithm/Base.pm blib/lib/Mail/DKIM/Algorithm/Base.pm
    cp lib/Mail/DKIM/Algorithm/rsa_sha1.pm blib/lib/Mail/DKIM/Algorithm/rsa_sha1.pm
    cp lib/Mail/DKIM/Canonicalization/DkimCommon.pm blib/lib/Mail/DKIM/Canonicalization/DkimCommon.pm
    cp lib/Mail/DKIM/MessageParser.pm blib/lib/Mail/DKIM/MessageParser.pm
    cp lib/Mail/DKIM/Policy.pm blib/lib/Mail/DKIM/Policy.pm
    cp lib/Mail/DKIM/DkSignature.pm blib/lib/Mail/DKIM/DkSignature.pm
    cp lib/Mail/DKIM/PublicKey.pm blib/lib/Mail/DKIM/PublicKey.pm
    cp lib/Mail/DKIM/Common.pm blib/lib/Mail/DKIM/Common.pm
    cp sample_mime_lite.pl blib/lib/Mail/sample_mime_lite.pl
    cp lib/Mail/DKIM/Signature.pm blib/lib/Mail/DKIM/Signature.pm
    cp lib/Mail/DKIM/SignerPolicy.pm blib/lib/Mail/DKIM/SignerPolicy.pm
    cp lib/Mail/DKIM/DkPolicy.pm blib/lib/Mail/DKIM/DkPolicy.pm
    cp lib/Mail/DKIM/Canonicalization/nowsp.pm blib/lib/Mail/DKIM/Canonicalization/nowsp.pm
    cp lib/Mail/DKIM/DNS.pm blib/lib/Mail/DKIM/DNS.pm
    cp lib/Mail/DKIM/Signer.pm blib/lib/Mail/DKIM/Signer.pm
    cp lib/Mail/DKIM/TextWrap.pm blib/lib/Mail/DKIM/TextWrap.pm
    cp lib/Mail/DKIM/Algorithm/dk_rsa_sha1.pm blib/lib/Mail/DKIM/Algorithm/dk_rsa_sha1.pm
    cp lib/Mail/DKIM/Verifier.pm blib/lib/Mail/DKIM/Verifier.pm
    cp lib/Mail/DKIM.pm blib/lib/Mail/DKIM.pm
    cp lib/Mail/DKIM/Canonicalization/simple.pm blib/lib/Mail/DKIM/Canonicalization/simple.pm
    cp lib/Mail/DKIM/Canonicalization/dk_simple.pm blib/lib/Mail/DKIM/Canonicalization/dk_simple.pm
    cp lib/Mail/DKIM/Canonicalization/Base.pm blib/lib/Mail/DKIM/Canonicalization/Base.pm
    cp lib/Mail/DKIM/DkimPolicy.pm blib/lib/Mail/DKIM/DkimPolicy.pm
    cp lib/Mail/DKIM/Key.pm blib/lib/Mail/DKIM/Key.pm
    cp lib/Mail/DKIM/Canonicalization/DkCommon.pm blib/lib/Mail/DKIM/Canonicalization/DkCommon.pm
    cp lib/Mail/DKIM/Canonicalization/dk_nofws.pm blib/lib/Mail/DKIM/Canonicalization/dk_nofws.pm
    cp lib/Mail/DKIM/Canonicalization/relaxed.pm blib/lib/Mail/DKIM/Canonicalization/relaxed.pm
    Manifying blib/man3/Mail::DKIM::AuthorDomainPolicy.3pm
    Manifying blib/man3/Mail::DKIM::Algorithm::Base.3pm
    Manifying blib/man3/Mail::DKIM::PrivateKey.3pm
    Manifying blib/man3/Mail::DKIM::Canonicalization::DkimCommon.3pm
    Manifying blib/man3/Mail::DKIM::Policy.3pm
    Manifying blib/man3/Mail::DKIM::DkSignature.3pm
    Manifying blib/man3/Mail::DKIM::PublicKey.3pm
    Manifying blib/man3/Mail::DKIM::Signature.3pm
    Manifying blib/man3/Mail::DKIM::DkPolicy.3pm
    Manifying blib/man3/Mail::DKIM::SignerPolicy.3pm
    Manifying blib/man3/Mail::DKIM::DNS.3pm
    Manifying blib/man3/Mail::DKIM::Signer.3pm
    Manifying blib/man3/Mail::DKIM::TextWrap.3pm
    Manifying blib/man3/Mail::DKIM::Verifier.3pm
    Manifying blib/man3/Mail::DKIM.3pm
    Manifying blib/man3/Mail::DKIM::Canonicalization::Base.3pm
    Manifying blib/man3/Mail::DKIM::DkimPolicy.3pm
      JASLONG/Mail-DKIM-0.40.tar.gz
      /usr/bin/make -- OK
    'YAML' not installed, will not store persistent state
    Running make test
    PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
    t/adsp.t ..................... ok
    t/external_signer.t .......... ok
    t/Mail-DKIM.t ................ ok
    t/policy.t ................... 1/19 DNS query timeout for _domainkey.messiah.edu at /root/.cpan/build/Mail-DKIM-0.40-pfvBmm/blib/lib/Mail/DKIM/DNS.pm line 156.
    # Looks like you planned 19 tests but ran 2.
    # Looks like your test exited with 4 just after 2.
    t/policy.t ................... Dubious, test returned 4 (wstat 1024, 0x400)
    Failed 17/19 subtests
    t/public_key.t ............... DNS query timeout for test1._domainkey.messiah.edu at /root/.cpan/build/Mail-DKIM-0.40-pfvBmm/blib/lib/Mail/DKIM/DNS.pm line 156.
    # Looks like your test exited with 4 before it could output anything.
    t/public_key.t ............... Dubious, test returned 4 (wstat 1024, 0x400)
    Failed 5/5 subtests
    t/signature.t ................ ok
    t/signer.t ................... ok
    t/signer_dk.t ................ ok
    t/signer_policy.t ............ ok
    t/simple_canonicalization.t .. ok
    t/textwrap.t ................. ok
    t/verifier.t ................. ok
    
    Test Summary Report
    -------------------
    t/policy.t                 (Wstat: 1024 Tests: 2 Failed: 0)
      Non-zero exit status: 4
      Parse errors: Bad plan.  You planned 19 tests but ran 2.
    t/public_key.t             (Wstat: 1024 Tests: 0 Failed: 0)
      Non-zero exit status: 4
      Parse errors: Bad plan.  You planned 5 tests but ran 0.
    Files=12, Tests=200, 14 wallclock secs ( 0.08 usr  0.01 sys +  0.74 cusr  0.07 csys =  0.90 CPU)
    Result: FAIL
    Failed 2/12 test programs. 0/200 subtests failed.
    make: *** [test_dynamic] Error 255
      JASLONG/Mail-DKIM-0.40.tar.gz
      /usr/bin/make test -- NOT OK
    //hint// to see the cpan-testers results for installing this module, try:
      reports JASLONG/Mail-DKIM-0.40.tar.gz
    Running make install
      make test had returned bad status, won't install without force
    Is there something I have to do to make it right?
    I am installing this on ubuntu 12.04 x64

    P.s: I tried posting to your blog but the captcha question is stuck at "Total of 59+9" and not accepting the comment.
     
    Last edited: Oct 28, 2013
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

    On Ubunto you can use
    Code:
    sudo apt-get install libmail-dkim-perl
     
  3. andcha

    andcha New Member

    Thank you for replying.
    libmail-dkim-perl was already installed so I continued with the installation.
    Now after completing the setting up as per the instructions on your blog, this is what I get in ISP Config

    Unlike a screenshot from your tutorial, I am not getting this section for
    Code:
    DKIM Public-key
    What could have gone wrong?
     
    Last edited: Oct 31, 2013
  4. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Nothing. The public-key will not be displayed in the interface because the dns-record will be created within the dns-module so there is no need to display the public-key anymore. Bit the public-key is stored in DOMAIN.public in the key-directory
     
  5. andcha

    andcha New Member

    Got it, Thank you.
    I will do some testing and revert.
     
  6. andcha

    andcha New Member

    Okay, here it is

    amavisd-new showkeys

    Code:
    root@emone:/var/log# amavisd-new showkeys
    ; key#1, domain xxxxxx.com, /etc/postfix/dkim/xxxxxx.com.private
    default._domainkey.xxxxxx.com.    3600 TXT (
      "v=DKIM1; p="
      "MIGfMA0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Q43MNOGxxxxxxxxxxxx+O8yX"
      "agxxxxxxxxxxxxxxxxFXKOEd8/HjtPxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXbM9q"
      "J96ZDyczEZct4MqCuuscP1GdA9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxgqkVy"
      "z1xxxxxxxxxxxxxxxxxxxAB")
    Mail to [email protected] shows
    Code:
    DKIM check:         pass
    Mail to [email protected] shows
    Code:
    DKIM Check
    Signature Found: Yes
    SM Sig Verification: Passed
    LL Sig Verification: Passed
    From Signed: Yes
    Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc,
    Resent-Bcc, DKIM-Signature should not be signed.
    But, BUT
    amavisd-new testkeys shows

    Code:
    root@emone:/var/log# amavisd-new testkeys
    TESTING#1: default._domainkey.xxxxxx.com => invalid (public key: DNS query timeout for default._domainkey.xxxxxx.com)
    Any idea what is wrong here?

    Also, even though amavis log is enabled, I don't see any log file in /var/log
     
  7. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Did you add the public-key to the DNS? If you´re using ISPConfig to manage your DNS, you can use the DKIM-Button.

    You can check the DNS with

    dig default._domainkey.example.com TXT
     
    Last edited: Oct 30, 2013
  8. andcha

    andcha New Member

    Yep, I already did that before asking, and

    Code:
    dig default._domainkey.xxxx.com TXT
    shows the key in answer section with TTL of 86400 followed by "v=DKIM1\; t=s\; p=MIGfM....

    The mail log shows
    Code:
    Oct 30 19:41:48 emone amavis[1129]: Module Mail::DKIM::Signer  0.39
    Oct 30 19:41:48 emone amavis[1129]: Module Mail::DKIM::Verifier 0.39
    Oct 30 19:41:48 emone amavis[1129]: DKIM code            loaded
    Can it be file/folder permissions at /etc/postfix/dkim?

    Code:
    root@emone:/etc/postfix/dkim# ls -al
    total 16
    drwxr-xr-x 2 root root 4096 Oct 30 19:09 .
    drwxr-xr-x 4 root root 4096 Oct 30 18:51 ..
    -rw-r--r-- 1 root root  902 Oct 30 19:09 xxxx.com.private
    -rw-r--r-- 1 root root  272 Oct 30 19:09 xxxx.com.public
    
     
  9. florian030

    florian030 Well-Known Member HowtoForge Supporter

    if amavisd-new testkey fails, then there might be something wrong with
    your dns. if you´re running your own dns, make sure that amavisd use the
    local dns and check your /etc/resolv.conf
     
    Last edited: Oct 31, 2013
  10. andcha

    andcha New Member

    That was awesome, thanks a ton..

    My /etc/resolv.conf contained

    Code:
    nameserver 127.0.0.1
    nameserver 213.186.33.99
    search ovh.net
    
    I deleted the first line and now the file looks like this:

    Code:
    nameserver 213.186.33.99
    search ovh.net
    Doing amavisd-new testkeys shows
    TESTING#1: default._domainkey.xxxx.com => pass

    But does that mean my local dns is disabled?
     
    Last edited: Oct 31, 2013
  11. florian030

    florian030 Well-Known Member HowtoForge Supporter

    If you remove 127.0.0.1 your local-dns may not be used. Depends on the IP your dns is listen to.

    You can check your own dns with
    dig @127.0.0.1 default._domainkey.example.com TXT

    or

    dig @ns.example.com default._domainkey.example.com TXT
     
  12. andcha

    andcha New Member

    Frankly, this whole DNS system / DNS setup is very confusing to me, but yes, I want to use my local DNS server.

    Doing dig @emone.xxxx.com default._domainkey.xxxx.com TXT gives

    Code:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60169
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    
    ;; QUESTION SECTION:
    ;default._domainkey.xxxx.com. IN        TXT
    
    ;; ANSWER SECTION:
    default._domainkey.xxxx.com. 86400 IN TXT "v=DKIM1\; t=s\; p=MIGfMxxx...
    
    ;; AUTHORITY SECTION:
    xxxx.com.       86400   IN      NS      emone.xxxx.com.
    xxxx.com.       86400   IN      NS      emtwo.xxxx.com.
    
    ;; ADDITIONAL SECTION:
    emone.xxxx.com. 3600    IN      A       198.xxx.xxx.xx
    emtwo.xxxx.com. 3600    IN      A       8.33.137.137
    
    ;; Query time: 1 msec
    ;; SERVER: 198.xxx.xxx.xx#53(198.xxx.xxx.xx)
    ;; WHEN: Thu Oct 31 20:33:18 2013
    ;; MSG SIZE  rcvd: 370
    And doing dig @127.0.0.1 default._domainkey.xxxx.com TXT gives

    Code:
    ; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 default._domainkey.xxxx.com TXT
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    Is it posssible to set amavis in a way that it interact with the second line of /etc/resolv.conf (nameserver of hosting provider)

    Code:
    nameserver 127.0.0.1
    nameserver 213.186.33.99
    search ovh.net
     
  13. florian030

    florian030 Well-Known Member HowtoForge Supporter

    It seems, that your dns isn´t listening to localhost. You can check it with
    Code:
    netstat -nap | grep :53
    You can bind configure to listen on all ip (default) or to only defined ip. If bind is listen to a server-ip, you can add this ip to the resolv-conf.

    You can´t modifie amavis to ignore your basic-network-setup.
     
  14. andcha

    andcha New Member

    Done :)

    Reverted the change in /etc/resolv.conf to
    Code:
    nameserver 127.0.0.1
    nameserver 213.186.33.99
    search ovh.net
    Edited /etc/bind/named.conf.options

    Code:
    [I][COLOR="Red"]from[/COLOR][/I]
    listen-on { 198.xxx.xxx.xxx; };
    [COLOR="Red"][I]to[/I][/COLOR]
    listen-on { 198.xxx.xxx.xxx; 127.0.0.1; };
    
    Now all following tests pass

    dig @127.0.0.1 default._domainkey.xxxx.com TXT
    dig @emone.xxxx.com default._domainkey.xxxx.com TXT
    amavisd-new testkeys
    amavisd-new showkeys

    Email to [email protected] and [email protected]

    I think you should write a blog post for configuring ubuntu also.

    All the best..

    Regards
     
  15. florian030

    florian030 Well-Known Member HowtoForge Supporter

    If you want bind listen to all IPv4, you can comment out
    Code:
    listen-on { 198.xxx.xxx.xxx; 127.0.0.1; };
     
  16. stef157

    stef157 Member

    Hi all,
    For my part when I send an email to : [email protected]

    I get these error :
    Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.

    And idea how to fix it ?

    Thanks
     
  17. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Is the public-key defined in your dns?

    Are you using the latest version (0.2.5)?
     
  18. florian030

    florian030 Well-Known Member HowtoForge Supporter

    I made some tests with three other verifiers. I think you can just ignore the lines from unlocktheinbox.com.
     
  19. florian030

    florian030 Well-Known Member HowtoForge Supporter

    To fix this issue, add

    Code:
    $signed_header_fields{'received'} = 0;  # turn off signing of Received
    to your amavis-config and reload amavis
     
  20. stef157

    stef157 Member

    In witch file ? User-50 ?
     

Share This Page