Hi, I am trying to install this with the instructions on your blog but am stuck on
Code:
    perl -MCPAN -e 'install Mail::DKIM'
This is the error I am getting:
Code:
    root@ns01:/tmp# perl -MCPAN -e 'install Mail::DKIM'
    Going to read '/root/.cpan/Metadata'
    Database was generated on Mon, 28 Oct 2013 03:29:02 GMT
    Running install for module 'Mail::DKIM'
    Running make for J/JA/JASLONG/Mail-DKIM-0.40.tar.gz
    Checksum for /root/.cpan/sources/authors/id/J/JA/JASLONG/Mail-DKIM-0.40.tar.gz ok
    CPAN.pm: Going to build J/JA/JASLONG/Mail-DKIM-0.40.tar.gz
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Mail::DKIM
    Writing MYMETA.yml
    cp lib/Mail/DKIM/AuthorDomainPolicy.pm blib/lib/Mail/DKIM/AuthorDomainPolicy.pm
    cp lib/Mail/DKIM/KeyValueList.pm blib/lib/Mail/DKIM/KeyValueList.pm
    cp lib/Mail/DKIM/PrivateKey.pm blib/lib/Mail/DKIM/PrivateKey.pm
    cp lib/Mail/DKIM/Algorithm/rsa_sha256.pm blib/lib/Mail/DKIM/Algorithm/rsa_sha256.pm
    cp lib/Mail/DKIM/Algorithm/Base.pm blib/lib/Mail/DKIM/Algorithm/Base.pm
    cp lib/Mail/DKIM/Algorithm/rsa_sha1.pm blib/lib/Mail/DKIM/Algorithm/rsa_sha1.pm
    cp lib/Mail/DKIM/Canonicalization/DkimCommon.pm blib/lib/Mail/DKIM/Canonicalization/DkimCommon.pm
    cp lib/Mail/DKIM/MessageParser.pm blib/lib/Mail/DKIM/MessageParser.pm
    cp lib/Mail/DKIM/Policy.pm blib/lib/Mail/DKIM/Policy.pm
    cp lib/Mail/DKIM/DkSignature.pm blib/lib/Mail/DKIM/DkSignature.pm
    cp lib/Mail/DKIM/PublicKey.pm blib/lib/Mail/DKIM/PublicKey.pm
    cp lib/Mail/DKIM/Common.pm blib/lib/Mail/DKIM/Common.pm
    cp sample_mime_lite.pl blib/lib/Mail/sample_mime_lite.pl
    cp lib/Mail/DKIM/Signature.pm blib/lib/Mail/DKIM/Signature.pm
    cp lib/Mail/DKIM/SignerPolicy.pm blib/lib/Mail/DKIM/SignerPolicy.pm
    cp lib/Mail/DKIM/DkPolicy.pm blib/lib/Mail/DKIM/DkPolicy.pm
    cp lib/Mail/DKIM/Canonicalization/nowsp.pm blib/lib/Mail/DKIM/Canonicalization/nowsp.pm
    cp lib/Mail/DKIM/DNS.pm blib/lib/Mail/DKIM/DNS.pm
    cp lib/Mail/DKIM/Signer.pm blib/lib/Mail/DKIM/Signer.pm
    cp lib/Mail/DKIM/TextWrap.pm blib/lib/Mail/DKIM/TextWrap.pm
    cp lib/Mail/DKIM/Algorithm/dk_rsa_sha1.pm blib/lib/Mail/DKIM/Algorithm/dk_rsa_sha1.pm
    cp lib/Mail/DKIM/Verifier.pm blib/lib/Mail/DKIM/Verifier.pm
    cp lib/Mail/DKIM.pm blib/lib/Mail/DKIM.pm
    cp lib/Mail/DKIM/Canonicalization/simple.pm blib/lib/Mail/DKIM/Canonicalization/simple.pm
    cp lib/Mail/DKIM/Canonicalization/dk_simple.pm blib/lib/Mail/DKIM/Canonicalization/dk_simple.pm
    cp lib/Mail/DKIM/Canonicalization/Base.pm blib/lib/Mail/DKIM/Canonicalization/Base.pm
    cp lib/Mail/DKIM/DkimPolicy.pm blib/lib/Mail/DKIM/DkimPolicy.pm
    cp lib/Mail/DKIM/Key.pm blib/lib/Mail/DKIM/Key.pm
    cp lib/Mail/DKIM/Canonicalization/DkCommon.pm blib/lib/Mail/DKIM/Canonicalization/DkCommon.pm
    cp lib/Mail/DKIM/Canonicalization/dk_nofws.pm blib/lib/Mail/DKIM/Canonicalization/dk_nofws.pm
    cp lib/Mail/DKIM/Canonicalization/relaxed.pm blib/lib/Mail/DKIM/Canonicalization/relaxed.pm
    Manifying blib/man3/Mail::DKIM::AuthorDomainPolicy.3pm
    Manifying blib/man3/Mail::DKIM::Algorithm::Base.3pm
    Manifying blib/man3/Mail::DKIM::PrivateKey.3pm
    Manifying blib/man3/Mail::DKIM::Canonicalization::DkimCommon.3pm
    Manifying blib/man3/Mail::DKIM::Policy.3pm
    Manifying blib/man3/Mail::DKIM::DkSignature.3pm
    Manifying blib/man3/Mail::DKIM::PublicKey.3pm
    Manifying blib/man3/Mail::DKIM::Signature.3pm
    Manifying blib/man3/Mail::DKIM::DkPolicy.3pm
    Manifying blib/man3/Mail::DKIM::SignerPolicy.3pm
    Manifying blib/man3/Mail::DKIM::DNS.3pm
    Manifying blib/man3/Mail::DKIM::Signer.3pm
    Manifying blib/man3/Mail::DKIM::TextWrap.3pm
    Manifying blib/man3/Mail::DKIM::Verifier.3pm
    Manifying blib/man3/Mail::DKIM.3pm
    Manifying blib/man3/Mail::DKIM::Canonicalization::Base.3pm
    Manifying blib/man3/Mail::DKIM::DkimPolicy.3pm
    JASLONG/Mail-DKIM-0.40.tar.gz
    /usr/bin/make -- OK
    'YAML' not installed, will not store persistent state
    Running make test
    PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
    t/adsp.t ..................... ok
    t/external_signer.t .......... ok
    t/Mail-DKIM.t ................ ok
    t/policy.t ................... 1/19 DNS query timeout for _domainkey.messiah.edu at /root/.cpan/build/Mail-DKIM-0.40-pfvBmm/blib/lib/Mail/DKIM/DNS.pm line 156.
    # Looks like you planned 19 tests but ran 2.
    # Looks like your test exited with 4 just after 2.
    t/policy.t ................... Dubious, test returned 4 (wstat 1024, 0x400)
    Failed 17/19 subtests
    t/public_key.t ............... DNS query timeout for test1._domainkey.messiah.edu at /root/.cpan/build/Mail-DKIM-0.40-pfvBmm/blib/lib/Mail/DKIM/DNS.pm line 156.
    # Looks like your test exited with 4 before it could output anything.
    t/public_key.t ............... Dubious, test returned 4 (wstat 1024, 0x400)
    Failed 5/5 subtests
    t/signature.t ................ ok
    t/signer.t ................... ok
    t/signer_dk.t ................ ok
    t/signer_policy.t ............ ok
    t/simple_canonicalization.t .. ok
    t/textwrap.t ................. ok
    t/verifier.t ................. ok
    Test Summary Report
    -------------------
    t/policy.t (Wstat: 1024 Tests: 2 Failed: 0)
    Non-zero exit status: 4
    Parse errors: Bad plan. You planned 19 tests but ran 2.
    t/public_key.t (Wstat: 1024 Tests: 0 Failed: 0)
    Non-zero exit status: 4
    Parse errors: Bad plan. You planned 5 tests but ran 0.
    Files=12, Tests=200, 14 wallclock secs ( 0.08 usr 0.01 sys + 0.74 cusr 0.07 csys = 0.90 CPU)
    Result: FAIL
    Failed 2/12 test programs. 0/200 subtests failed.
    make: *** [test_dynamic] Error 255
    JASLONG/Mail-DKIM-0.40.tar.gz
    /usr/bin/make test -- NOT OK
    //hint// to see the cpan-testers results for installing this module, try:
    reports JASLONG/Mail-DKIM-0.40.tar.gz
    Running make install
    make test had returned bad status, won't install without force
Is there something I have to do to make it right? I am installing this on Ubuntu 12.04 x64.
P.S.: I tried posting to your blog but the captcha question is stuck at "Total of 59+9" and not accepting the comment.

Thank you for replying. libmail-dkim-perl was already installed so I continued with the installation. Now after completing the setting up as per the instructions on your blog, this is what I get in ISP Config. Unlike a screenshot from your tutorial, I am not getting this section for
Code:
    DKIM Public-key
What could have gone wrong?

Nothing. The public-key will not be displayed in the interface because the dns-record will be created within the dns-module, so there is no need to display the public-key anymore. But the public-key is stored in DOMAIN.public in the key-directory.

Okay, here it is: amavisd-new showkeys
Code:
    root@emone:/var/log# amavisd-new showkeys
    ; key#1, domain xxxxxx.com, /etc/postfix/dkim/xxxxxx.com.private
    default._domainkey.xxxxxx.com. 3600 TXT (
    "v=DKIM1; p="
    "MIGfMA0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/Q43MNOGxxxxxxxxxxxx+O8yX"
    "agxxxxxxxxxxxxxxxxFXKOEd8/HjtPxxxxxxxxxxxxxxxxxxxxxxxxxxxxxXbM9q"
    "J96ZDyczEZct4MqCuuscP1GdA9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxgqkVy"
    "z1xxxxxxxxxxxxxxxxxxxAB")
Mail to [email protected] shows
Code:
    DKIM check: pass
Mail to [email protected] shows
Code:
    DKIM Check
    Signature Found: Yes
    SM Sig Verification: Passed
    LL Sig Verification: Passed
    From Signed: Yes
    Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.
But, BUT amavisd-new testkeys shows
Code:
    root@emone:/var/log# amavisd-new testkeys
    TESTING#1: default._domainkey.xxxxxx.com => invalid (public key: DNS query timeout for default._domainkey.xxxxxx.com)
Any idea what is wrong here? Also, even though amavis log is enabled, I don't see any log file in /var/log.

Did you add the public-key to the DNS? If you're using ISPConfig to manage your DNS, you can use the DKIM-Button. You can check the DNS with
    dig default._domainkey.example.com TXT

Yep, I already did that before asking, and
Code:
    dig default._domainkey.xxxx.com TXT
shows the key in answer section with TTL of 86400 followed by "v=DKIM1\; t=s\; p=MIGfM....
The mail log shows
Code:
    Oct 30 19:41:48 emone amavis[1129]: Module Mail::DKIM::Signer 0.39
    Oct 30 19:41:48 emone amavis[1129]: Module Mail::DKIM::Verifier 0.39
    Oct 30 19:41:48 emone amavis[1129]: DKIM code loaded
Can it be file/folder permissions at /etc/postfix/dkim?
Code:
    root@emone:/etc/postfix/dkim# ls -al
    total 16
    drwxr-xr-x 2 root root 4096 Oct 30 19:09 .
    drwxr-xr-x 4 root root 4096 Oct 30 18:51 ..
    -rw-r--r-- 1 root root 902 Oct 30 19:09 xxxx.com.private
    -rw-r--r-- 1 root root 272 Oct 30 19:09 xxxx.com.public

If amavisd-new testkeys fails, then there might be something wrong with your DNS. If you're running your own DNS, make sure that amavisd uses the local DNS and check your /etc/resolv.conf.

That was awesome, thanks a ton.. My /etc/resolv.conf contained
Code:
    nameserver 127.0.0.1
    nameserver 213.186.33.99
    search ovh.net
I deleted the first line and now the file looks like this:
Code:
    nameserver 213.186.33.99
    search ovh.net
Doing amavisd-new testkeys shows
    TESTING#1: default._domainkey.xxxx.com => pass
But does that mean my local dns is disabled?

If you remove 127.0.0.1 your local-dns may not be used. It depends on the IP your DNS is listening on. You can check your own DNS with
    dig @127.0.0.1 default._domainkey.example.com TXT
or
    dig @ns.example.com default._domainkey.example.com TXT

Frankly, this whole DNS system / DNS setup is very confusing to me, but yes, I want to use my local DNS server. Doing dig @emone.xxxx.com default._domainkey.xxxx.com TXT gives
Code:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60169
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;default._domainkey.xxxx.com. IN TXT
    ;; ANSWER SECTION:
    default._domainkey.xxxx.com. 86400 IN TXT "v=DKIM1\; t=s\; p=MIGfMxxx...
    ;; AUTHORITY SECTION:
    xxxx.com. 86400 IN NS emone.xxxx.com.
    xxxx.com. 86400 IN NS emtwo.xxxx.com.
    ;; ADDITIONAL SECTION:
    emone.xxxx.com. 3600 IN A 198.xxx.xxx.xx
    emtwo.xxxx.com. 3600 IN A 8.33.137.137
    ;; Query time: 1 msec
    ;; SERVER: 198.xxx.xxx.xx#53(198.xxx.xxx.xx)
    ;; WHEN: Thu Oct 31 20:33:18 2013
    ;; MSG SIZE rcvd: 370
And doing dig @127.0.0.1 default._domainkey.xxxx.com TXT gives
Code:
    ; <<>> DiG 9.8.1-P1 <<>> @127.0.0.1 default._domainkey.xxxx.com TXT
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
Is it possible to set amavis in a way that it interacts with the second line of /etc/resolv.conf (nameserver of hosting provider)?
Code:
    nameserver 127.0.0.1
    nameserver 213.186.33.99
    search ovh.net

It seems that your DNS isn't listening on localhost. You can check it with
Code:
    netstat -nap | grep :53
You can configure bind to listen on all IPs (default) or only on defined IPs. If bind is listening on a server IP, you can add this IP to resolv.conf. You can't modify amavis to ignore your basic network setup.

Done. Reverted the change in /etc/resolv.conf to
Code:
    nameserver 127.0.0.1
    nameserver 213.186.33.99
    search ovh.net
Edited /etc/bind/named.conf.options
Code:
    from
    listen-on { 198.xxx.xxx.xxx; };
    to
    listen-on { 198.xxx.xxx.xxx; 127.0.0.1; };
Now all following tests pass:
    dig @127.0.0.1 default._domainkey.xxxx.com TXT
    dig @emone.xxxx.com default._domainkey.xxxx.com TXT
    amavisd-new testkeys
    amavisd-new showkeys
    Email to [email protected] and [email protected]
I think you should write a blog post for configuring Ubuntu also. All the best.. Regards

If you want bind to listen on all IPv4 addresses, you can comment out
Code:
    listen-on { 198.xxx.xxx.xxx; 127.0.0.1; };

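Added example, not part of the thread and not code from ISPConfig, amavis or BIND: a shell check for the mismatch diagnosed above, where /etc/resolv.conf lists 127.0.0.1 but BIND's listen-on omits it, so lookups such as amavisd-new testkeys time out. The file contents are constructed from the snippets in the posts, 198.51.100.10 is a placeholder for the redacted server IP, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Sample files below are constructed;
# 198.51.100.10 stands in for the server's redacted public address.

# Print the addresses in BIND's IPv4 listen-on { ... }; statement, one per line.
# Prints "any" when no active listen-on exists (BIND then listens on all IPs).
listen_on_addrs() {
    addrs=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' |
        sed -n 's/.*listen-on[^-{]*{\([^}]*\)}.*/\1/p' |
        tr ';' '\n' | tr -d ' \t' | sed '/^$/d')
    if [ -n "$addrs" ]; then printf '%s\n' "$addrs"; else echo any; fi
}

# $1 = resolv.conf, $2 = named.conf.options. Returns 1 if a loopback
# nameserver is listed that the local BIND does not listen on.
check_resolvers() {
    listen=$(listen_on_addrs "$2")
    rc=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        case "$ns" in
            127.*) ;;          # loopback entry: only the local BIND can answer
            *) continue ;;     # remote resolver: not affected by listen-on
        esac
        if printf '%s\n' "$listen" | grep -qxF -e any -e "$ns"; then
            echo "ok: $ns is covered by listen-on"
        else
            echo "MISMATCH: resolv.conf lists $ns, listen-on has:" $listen
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed copies of the two files from the thread.
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\nnameserver 213.186.33.99\nsearch ovh.net\n' > "$tmp/resolv.conf"
printf 'options {\n    listen-on { 198.51.100.10; };\n};\n' > "$tmp/before"
printf 'options {\n    listen-on { 198.51.100.10; 127.0.0.1; };\n};\n' > "$tmp/after"
check_resolvers "$tmp/resolv.conf" "$tmp/before" || true   # reports MISMATCH
check_resolvers "$tmp/resolv.conf" "$tmp/after" || true    # reports ok
rm -rf "$tmp"
```

On a live host the same check is `check_resolvers /etc/resolv.conf /etc/bind/named.conf.options`; a commented-out listen-on is treated as "listen on all", matching the reply above.
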
Hi all,
For my part, when I send an email to [email protected] I get this error:
    Restricted Headers Signed: Yes - Return-Path, Received, Comments, Keywords, Bcc, Resent-Bcc, DKIM-Signature should not be signed.
Any idea how to fix it? Thanks

I made some tests with three other verifiers. I think you can just ignore the lines from unlocktheinbox.com.

To fix this issue, add
Code:
    $signed_header_fields{'received'} = 0; # turn off signing of Received
to your amavis-config and reload amavis.