Hello guys, I am using ISPConfig 3.2.3, Nginx, PHP 7.4 2-3 days ago installed. After testing the DKIM is not working for me. after following this tutorial to debug -> https://blog.schaal-24.de/dkim/debug-2 i get the following error: root@superserver:/var/www/xxx.com/web# amavisd-new testkeys TESTING#1 xxx.com: mail._domainkey.xxx.com => fail (bad RSA signature) I have the DNS entry in place, the keys are in my local: root@superserver:/var/www/xxx.com/web# ls -al /var/lib/amavis/dkim/ total 16 drwxr-x--- 2 amavis amavis 4096 Mar 24 13:45 . drwxr-x--- 7 amavis amavis 4096 Mar 24 13:45 .. -rw-r--r-- 1 root root 902 Mar 24 13:45 xxx.com.private -rw-r--r-- 1 root root 272 Mar 24 13:45 xxx.com.public Any idea what should I do in order to get the mail signed and get the error out? thank you
That seems to indicate the files and dns don't match. I'd try deleting the dkim key in dns, then go to the mail domain and generate a new key, and save there - then double-check dns that the new key is added.
dig mail._domainkey.xxx.com TXT ; <<>> DiG 9.16.1-Ubuntu <<>> mail._domainkey.xxx.com TXT ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39678 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;mail._domainkey.xxx.com. IN TXT ;; ANSWER SECTION: mail._domainkey.xxx.com. 2738 IN TXT "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzOpudyeNxHUAKOYscrv5KqOamtfx6L0kBLzuMNiStsMCpvzUfmJAccHOXxrPZylhUNDu5m/LTTRc1AU/+yhMWlWuVNfg0XzfpNmJHJX8OhivoRLez9Xayyxuoyeb2B+W5h7QxpITNnUWnvCvsSK4pwnoBi8HtQR+nICSEzgUMPwIDAQAB" ;; Query time: 0 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Wed Mar 24 15:25:40 CET 2021 ;; MSG SIZE rcvd: 300 root@superserver:/var/www/xxx.com/web# cat /var/lib/amavis/dkim/xxx.com.public -----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcXQFJsytz1Xt/mmPIzbuJeh6y qVhILZZdgKmXMq87Qmm+eWoVRigQ+9THazvVdLLrXd2+IP5aZx4wy0WMhVvTAMlQ uI0mxWw+sBE5V2XfqHs/z19btm8rEck0/uCbaLjeBHo0iRYCJFeo0KEYjGGmwc3y 4+kASUOij9iTyNHH4wIDAQAB -----END PUBLIC KEY----- the the DNS entry is right, the right key is present in my opinion.
That looks fine. Maybe the local mail server has an issue resolving the dns, so that 'amavisd-new testkeys' fails? To be sure, you are using amavis, not rspamd? (The rspamd config still uses the /var/lib/amavis/dkim/ directory for the files, so I think 'amavisd-new testkeys' would still work even if something in rspamd caused the signing to be broken.)
I am no longer 100% sure .. i followed The perfect server setup Ubuntu 20 but I replaced apache with nginx so I am bit mixed in my head. How can I check this to be sure about it?
I did a ps -U clamav and got this back: PID TTY TIME CMD 540 ? 00:00:00 freshclam 621 ? 00:00:19 clamd does this help?
I also did a amavisd-new and got back The amavisd daemon is already running, PID: [1063] so yes, there is amavisd installed, right?
this is the mail log in the time I send an email (tail -f /var/log/mail.log): Code: Mar 24 18:58:14 superserver postfix/smtpd[2064]: connect from localhost[127.0.0.1] Mar 24 18:58:14 superserver postfix/smtpd[2064]: NOQUEUE: filter: RCPT from localhost[127.0.0.1]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxx.com> Mar 24 18:58:14 superserver postfix/smtpd[2064]: B707060CF8: client=localhost[127.0.0.1], sasl_method=LOGIN, [email protected] Mar 24 18:58:14 superserver postfix/cleanup[2067]: B707060CF8: message-id=<[email protected]> Mar 24 18:58:14 superserver postfix/qmgr[1395]: B707060CF8: from=<[email protected]>, size=4430, nrcpt=1 (queue active) Mar 24 18:58:14 superserver postfix/smtpd[2064]: disconnect from localhost[127.0.0.1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6 Mar 24 18:58:14 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2070, secured, session=<wvj9Cky+zq5/AAAB> Mar 24 18:58:14 superserver dovecot: imap([email protected])<2070><wvj9Cky+zq5/AAAB>: Logged out in=4347 out=1126 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 Mar 24 18:58:15 superserver postfix/smtpd[2076]: connect from localhost[127.0.0.1] Mar 24 18:58:15 superserver postfix/smtpd[2076]: 0751660CF9: client=localhost[127.0.0.1] Mar 24 18:58:15 superserver postfix/cleanup[2067]: 0751660CF9: message-id=<[email protected]> Mar 24 18:58:15 superserver postfix/qmgr[1395]: 0751660CF9: from=<[email protected]>, size=5387, nrcpt=1 (queue active) Mar 24 18:58:15 superserver amavis[2010]: (02010-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: tOPt9hnQJ8Le, Hits: -0.999, size: 4430, queued_as: 0751660CF9, dkim_new=mail:xxx.com, 277 ms Mar 24 18:58:15 superserver postfix/lmtp[2068]: B707060CF8: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.31, delays=0.02/0.01/0.01/0.27, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 0751660CF9) Mar 24 18:58:15 superserver postfix/qmgr[1395]: B707060CF8: removed Mar 24 18:58:15 superserver postfix/smtp[2077]: 0751660CF9: to=<[email protected]>, relay=reception.mail-tester.com[94.23.206.89]:25, delay=0.4, delays=0.01/0.01/0.27/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5DF37A9588) Mar 24 18:58:15 superserver postfix/qmgr[1395]: 0751660CF9: removed Mar 24 18:58:15 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2079, secured, session=<iIoJC0y+2q5/AAAB> Mar 24 18:58:15 superserver dovecot: imap([email protected])<2079><iIoJC0y+2q5/AAAB>: Logged out in=70 out=668 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 Mar 24 18:58:16 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2082, secured, session=<b5kTC0y+3q5/AAAB> Mar 24 18:58:16 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2083, secured, session=<q7UTC0y+3K5/AAAB> Mar 24 18:58:16 superserver dovecot: imap([email protected])<2082><b5kTC0y+3q5/AAAB>: Logged out in=233 out=1071 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0 Mar 24 18:58:16 superserver dovecot: imap([email protected])<2083><q7UTC0y+3K5/AAAB>: Logged out in=317 out=5634 deleted=0 expunged=0 trashed=0 hdr_count=10 hdr_bytes=2275 body_count=0 body_bytes=0
Yes, that looks like amavis in use, and looks like it signed "dkim_new=mail:xxx.com". If dkim fails in the real world, my guess is that public dns for mail._domainkey.xxx.com doesn't match the key in the .private file. I would try generating a new key pair and ensuring dns reflects that.
