Does anyone know if OpenDKIM needs to be installed in order to get outgoing email signed? I've added the DKIM through the ISPConfig Email, Domain, DKIM section. Then added the key to my DNS. If I test it directly using mxtoolbox or other by entering "Domain.com:selector" it comes back with the key. Now when I run a test on DKIM through appmaildev.com that checks the raw information it outputs:
Code:
DKIM: none
DKIM-Result: none (no signature)

I'm also wondering if the default Ubuntu18/Postfix/Dovecot/Apache install looks for SPF/DKIM records and denotes the PASS/FAIL into the message header. In reading a bit more, I don't have Amavis installed in my implementation because I use a relayhost to send mail. Should I be installing Amavis in order to make this work? Nervous to install anything in a working environment that may break the machine. Okay, I'm fairly certain I need to get Amavis installed to make DKIM sign outgoing emails. Is there any way to reconfigure ISPConfig at this stage in the game without messing up the whole thing? I remember once running an ISPConfig_Update.sh script and it asked if I wanted to enable items... would that be safe at this point? As always, thank you for taking the time to reply in advance. Ben
ISPConfig is not using Amavis anymore, it uses Rspamd for DKIM signing on any recent installation. Amavis was used in the past. So please do not try to install Amavis on a system that uses Rspamd as it will completely mess up your system. You do not need Amavis when Rspamd is installed and vice versa. And do not install OpenDKIM, it is not used on ISPConfig systems and it should not be installed on your server. I do not know that software but I've seen that such test websites show wrong results. So instead of relying on such a test site, better take a look at the email headers yourself. You must check an email that was sent with a normal email client that properly authenticated itself on your system. And you should run the test script and post its output: https://forum.howtoforge.com/threads/please-read-before-posting.58408/ Please run the test script and post the result: https://forum.howtoforge.com/threads/please-read-before-posting.58408/
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 22.04.5 LTS
[INFO] uptime: 13:11:53 up 21 days, 16:55, 3 users, load average: 0.16, 0.14, 0.10
[INFO] memory:
       total  used   free  shared  buff/cache  available
Mem:   62Gi   2.4Gi  58Gi  710Mi   1.7Gi       59Gi
Swap:  0B     0B     0B
[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.
[INFO] ISPConfig is installed.
[WARN] /usr/local/ispconfig/server/lib/config.inc.php is missing.
##### VERSION CHECK #####
[INFO] php (cli) version is 8.1.30
[INFO] php-cgi (used for cgi php in default vhost!) is version 8.1.30
##### PORT CHECK #####
[WARN] Port 21 (FTP server) seems NOT to be listening
##### MAIL SERVER CHECK #####
##### RUNNING SERVER PROCESSES #####
[WARN] I could not determine which web server is running.
[WARN] I could not determine which mail server is running.
[WARN] I could not determine which pop3 server is running.
[WARN] I could not determine which imap server is running.
[WARN] I could not determine which ftp server is running.
##### LISTENING PORTS #####
(only ()
Local (Address)
[localhost]:6379 (-)
[localhost]:783 (-)
[localhost]:11334 (-)
[localhost]:11333 (-)
[localhost]:11332 (-)
[localhost]:11211 (-)
[anywhere]:4190 (-)
[anywhere]:587 (-)
***.***.***.***:53 (-)
[anywhere]:995 (-)
[anywhere]:993 (-)
[anywhere]:22 (-)
[anywhere]:25 (-)
[anywhere]:110 (-)
[anywhere]:143 (-)
[anywhere]:465 (-)
[anywhere]:3306 (-)
*:*:*:*::*:4190 (-)
*:*:*:*::*:8081 (-)
*:*:*:*::*:8080 (-)
*:*:*:*::*:587 (-)
*:*:*:*::*:995 (-)
*:*:*:*::*:993 (-)
*:*:*:*::*:22 (-)
*:*:*:*::*:25 (-)
*:*:*:*::*:80 (-)
[localhost]10 (-)
[localhost]43 (-)
*:*:*:*::*:443 (-)
*:*:*:*::*:465 (-)
*:*:*:*::*:3306 (-)
##### IPTABLES #####
##### LET'S ENCRYPT #####

Can you please help on this. Outgoing Emails are not DKIM signed
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 22.04.5 LTS
[INFO] uptime: 13:50:53 up 4 min, 2 users, load average: 0.09, 0.17, 0.09
[INFO] memory:
       total  used   free  shared  buff/cache  available
Mem:   62Gi   1.9Gi  59Gi  72Mi    1.2Gi       60Gi
Swap:  0B     0B     0B
[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
● unbound-resolvconf.service loaded failed failed Unbound DNS server via resolvconf
● unbound.service loaded failed failed Unbound DNS server
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
2 loaded units listed.
[INFO] ISPConfig is installed.
##### ISPCONFIG #####
ISPConfig version is 3.2.12p1
##### VERSION CHECK #####
[INFO] php (cli) version is 8.1.30
[INFO] php-cgi (used for cgi php in default vhost!) is version 8.1.30
##### PORT CHECK #####
[WARN] Port 21 (FTP server) seems NOT to be listening
##### MAIL SERVER CHECK #####
##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
Apache 2 (PID 1153)
[INFO] I found the following mail server(s):
Postfix (PID 2278)
[INFO] I found the following pop3 server(s):
Dovecot (PID 1642)
[INFO] I found the following imap server(s):
Dovecot (PID 1642)
[WARN] I could not determine which ftp server is running.
##### LISTENING PORTS #####
(only ()
Local (Address)
***.***.***.***:53 (722/systemd-resolve)
[anywhere]:4190 (1642/dovecot)
[localhost]:6379 (750/redis-server)
[anywhere]:3306 (839/mariadbd)
[anywhere]:110 (1642/dovecot)
[anywhere]:25 (2278/master)
[anywhere]:22 (796/sshd:)
[anywhere]:143 (1642/dovecot)
[anywhere]:465 (2278/master)
[anywhere]:587 (2278/master)
[anywhere]:993 (1642/dovecot)
[anywhere]:995 (1642/dovecot)
[localhost]:11211 (731/memcached)
[localhost]:11334 (1647/rspamd:)
[localhost]:11332 (1647/rspamd:)
[localhost]:11333 (1647/rspamd:)
*:*:*:*::*:8081 (1153/apache2)
*:*:*:*::*:8080 (1153/apache2)
*:*:*:*::*:4190 (1642/dovecot)
*:*:*:*::*:3306 (839/mariadbd)
*:*:*:*::*:80 (1153/apache2)
[localhost]10 (1642/dovecot)
*:*:*:*::*:25 (2278/master)
*:*:*:*::*:22 (796/sshd:)
[localhost]43 (1642/dovecot)
*:*:*:*::*:465 (2278/master)
*:*:*:*::*:443 (1153/apache2)
*:*:*:*::*:587 (2278/master)
*:*:*:*::*:993 (1642/dovecot)
*:*:*:*::*:995 (1642/dovecot)
##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh

Outgoing emails are not DKIM Signed. Thanks
Mail system is running. Go to email in ISPConfig, open email domain settings, click on "generate dkim key" button to create a dkim key. Then enable the "enable DKIM" checkbox and press save.
I have a similar issue - no DKIM signatures on outgoing emails. I've performed the following steps: delete DKIM DNS entry, disable DKIM in domain email settings, generate new DKIM key (which auto-enables DKIM), save, and it auto-creates the DKIM DNS entry as well. Keys match. I'm on a CentOS server, and it uses amavisd, not Rspamd (per the CentOS Perfect Server instructions). Is that why the DKIMs aren't getting included? For the Rocky 9 equivalent, should that be using amavisd or Rspamd? Are there any HTF instructions on converting from amavisd -> Rspamd in relation to ISPConfig? Thanks.
I did find the Ubuntu/Debian conversion instructions here: https://www.howtoforge.com/replacing-amavisd-with-rspamd-in-ispconfig/
DKIM works equally with Amavis and Rspamd. However, generally speaking, there is no support for RHEL9-based systems in ISPConfig; we have not tested them, but they may work, although this is not guaranteed. We only have Amavis instructions for CentOS 8. Rspamd might work on Rocky Linux, but it's also possible that you'll need to write your own custom configuration files. Yes, but Debian and Ubuntu only.
As always, thanks for the responses. From what I've found, this is all that's needed to implement DKIM with amavis:
Code:
include_config_files('/etc/amavisd/60-dkim');
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key

with my 60-dkim file containing lines like this:
Code:
dkim_key('mydomain.com', 'default', '/var/lib/amavis/dkim/mydomain.com.private');

with that referenced file containing an actual key value. ISPConfig seems to be populating the 60-dkim file correctly. There don't seem to be any errors in /var/log/maillog that indicate a configuration issue. I've been sending out test messages using Roundcube on that server and the DKIM header is still "none". Thoughts on why this may not be working?
Getting somewhere.... In the amavisd.conf file, there is a $interface_policy option, and while the port numbers were set to 10024/10026 (multiples) earlier in the config, the interface_policy port number was never changed - it was still defaulted to 10022. That was changed to 10026. After that, the headers show up, but with an "rsa verify failed" message:
Code:
dkim=fail (rsa verify failed) header.d=mydomain.com header.s=default header.b=KmQiDikg

Also, in the $policy_bank{'ORIGINATING'} section, the instructions I found indicate to comment out the forward_method line, as postfix is taking care of adding the DKIM header (apparently). Changing that did not change the error message - DKIM still fails.
All right. All of the above modifications were the fix. It helps if you do your testing on a domain that does NOT use an OUTSIDE DNS service, because if you change the DKIM key on your local server, but forget to update the outside DNS entry, it's NEVER going to validate. Updated the outside DNS record, and it now validates. The modifications above were necessary however to get the DKIM headers included in the outgoing emails, so not a waste of time. In conclusion, the 3 lines in the amavisd.conf file needed to be there (in my case, the "include" line was missing), the $interface_policy needed to have the port number (10026) updated, and the "forward" line of the $policy_bank was commented out (not sure if that made a difference, but it's working now). Thanks for the help
and I can verify that testing other domains with internal DNS services via ISPConfig are including the DKIM headers as well, and they are passing.
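The two checks this thread arrives at (read the sent mail's own headers instead of trusting a test site, then compare the published DKIM record with the key on the server), as an added Python example that is not from any poster or from ISPConfig. The message, the TXT answers and the key strings are constructed placeholders, and the function names are assumptions of this example.

```python
import email
import re

def parse_tags(value):
    """Parse an RFC 6376 tag=value list; whitespace inside values is folding, so drop it."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def join_txt(record):
    """dig prints long TXT data as several quoted chunks; join them back together."""
    chunks = re.findall(r'"([^"]*)"', record)
    return "".join(chunks) if chunks else record

def pem_body(pem):
    """Base64 body of a PEM public key without the BEGIN/END lines."""
    lines = (ln.strip() for ln in pem.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))

def diagnose(raw_message, txt_record, local_pubkey_pem):
    """Classify a sent test mail: unsigned, signed with a stale DNS key, or keys agree."""
    sig = email.message_from_string(raw_message).get("DKIM-Signature")
    if sig is None:
        return {"status": "unsigned"}  # the signer is not in the outgoing mail path
    tags = parse_tags(sig)
    # The name a verifier looks up is <selector>._domainkey.<domain>.
    result = {"dns_name": f"{tags.get('s')}._domainkey.{tags.get('d')}"}
    published = parse_tags(join_txt(txt_record)).get("p", "")
    same = bool(published) and published == pem_body(local_pubkey_pem)
    result["status"] = "key-match" if same else "key-mismatch"
    return result

# Constructed sample data: placeholder strings, not real RSA keys or real mail.
NEW_KEY = "TkVXS0VZY29uc3RydWN0ZWQxMjM0NTY3ODkw"
OLD_KEY = "T0xES0VZY29uc3RydWN0ZWQwOTg3NjU0MzIx"
LOCAL_PEM = f"-----BEGIN PUBLIC KEY-----\n{NEW_KEY[:20]}\n{NEW_KEY[20:]}\n-----END PUBLIC KEY-----\n"
STALE_TXT = f'"v=DKIM1; t=s; p={OLD_KEY[:16]}" "{OLD_KEY[16:]}"'
FRESH_TXT = f'"v=DKIM1; t=s; p={NEW_KEY[:16]}" "{NEW_KEY[16:]}"'
UNSIGNED = "From: a@mydomain.com\nTo: b@example.net\nSubject: test\n\nhello\n"
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mydomain.com;\n"
          "\ts=default; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=;\n"
          "\tb=Y29uc3RydWN0ZWQtc2lnbmF0dXJl\n" + UNSIGNED)

if __name__ == "__main__":
    print(diagnose(UNSIGNED, STALE_TXT, LOCAL_PEM))
    print(diagnose(SIGNED, STALE_TXT, LOCAL_PEM))
    print(diagnose(SIGNED, FRESH_TXT, LOCAL_PEM))
```

A `key-match` result only rules out a stale DNS record as the cause of a failure; it does not verify the signature itself.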