DKIM => fail (bad RSA signature) PHP 7.4 ISPConfig 3.2.3

Discussion in 'Installation/Configuration' started by Alecs, Mar 24, 2021.

  1. Alecs

    Alecs New Member

    Hello guys,
    I am using ISPConfig 3.2.3, Nginx, PHP 7.4 2-3 days ago installed. After testing the DKIM is not working for me.
    after following this tutorial to debug -> https://blog.schaal-24.de/dkim/debug-2
    i get the following error:

    root@superserver:/var/www/xxx.com/web# amavisd-new testkeys
    TESTING#1 xxx.com: mail._domainkey.xxx.com => fail (bad RSA signature)​

    I have the DNS entry in place, the keys are in my local:

    root@superserver:/var/www/xxx.com/web# ls -al /var/lib/amavis/dkim/
    total 16
    drwxr-x--- 2 amavis amavis 4096 Mar 24 13:45 .
    drwxr-x--- 7 amavis amavis 4096 Mar 24 13:45 ..
    -rw-r--r-- 1 root root 902 Mar 24 13:45 xxx.com.private
    -rw-r--r-- 1 root root 272 Mar 24 13:45 xxx.com.public​

    Any idea what should I do in order to get the mail signed and get the error out?
    thank you :)
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That seems to indicate the files and dns don't match. I'd try deleting the dkim key in dns, then go to the mail domain and generate a new key, and save there - then double-check dns that the new key is added.
     
  3. Alecs

    Alecs New Member

    dig mail._domainkey.xxx.com TXT

    ; <<>> DiG 9.16.1-Ubuntu <<>> mail._domainkey.xxx.com TXT
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39678
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;mail._domainkey.xxx.com. IN TXT

    ;; ANSWER SECTION:
    mail._domainkey.xxx.com. 2738 IN TXT "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDzOpudyeNxHUAKOYscrv5KqOamtfx6L0kBLzuMNiStsMCpvzUfmJAccHOXxrPZylhUNDu5m/LTTRc1AU/+yhMWlWuVNfg0XzfpNmJHJX8OhivoRLez9Xayyxuoyeb2B+W5h7QxpITNnUWnvCvsSK4pwnoBi8HtQR+nICSEzgUMPwIDAQAB"

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Wed Mar 24 15:25:40 CET 2021
    ;; MSG SIZE rcvd: 300


    root@superserver:/var/www/xxx.com/web# cat /var/lib/amavis/dkim/xxx.com.public
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcXQFJsytz1Xt/mmPIzbuJeh6y
    qVhILZZdgKmXMq87Qmm+eWoVRigQ+9THazvVdLLrXd2+IP5aZx4wy0WMhVvTAMlQ
    uI0mxWw+sBE5V2XfqHs/z19btm8rEck0/uCbaLjeBHo0iRYCJFeo0KEYjGGmwc3y
    4+kASUOij9iTyNHH4wIDAQAB
    -----END PUBLIC KEY-----

    the the DNS entry is right, the right key is present in my opinion.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That looks fine. Maybe the local mail server has an issue resolving the dns, so that 'amavisd-new testkeys' fails? To be sure, you are using amavis, not rspamd? (The rspamd config still uses the /var/lib/amavis/dkim/ directory for the files, so I think 'amavisd-new testkeys' would still work even if something in rspamd caused the signing to be broken.)
     
  5. Alecs

    Alecs New Member

    I am no longer 100% sure .. i followed The perfect server setup Ubuntu 20 but I replaced apache with nginx so I am bit mixed in my head. How can I check this to be sure about it?
     
  6. Alecs

    Alecs New Member

    I did a

    ps -U clamav

    and got this back:

    PID TTY TIME CMD
    540 ? 00:00:00 freshclam
    621 ? 00:00:19 clamd

    does this help?
     
  7. Alecs

    Alecs New Member

    I also did a

    amavisd-new

    and got back
    The amavisd daemon is already running, PID: [1063]

    so yes, there is amavisd installed, right?
     
  8. Alecs

    Alecs New Member

    this is the mail log in the time I send an email (tail -f /var/log/mail.log):

    Code:
    Mar 24 18:58:14 superserver postfix/smtpd[2064]: connect from localhost[127.0.0.1]
    Mar 24 18:58:14 superserver postfix/smtpd[2064]: NOQUEUE: filter: RCPT from localhost[127.0.0.1]: <[email protected]>: Sender address triggers FILTER lmtp:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<xxx.com>
    Mar 24 18:58:14 superserver postfix/smtpd[2064]: B707060CF8: client=localhost[127.0.0.1], sasl_method=LOGIN, [email protected]
    Mar 24 18:58:14 superserver postfix/cleanup[2067]: B707060CF8: message-id=<[email protected]>
    Mar 24 18:58:14 superserver postfix/qmgr[1395]: B707060CF8: from=<[email protected]>, size=4430, nrcpt=1 (queue active)
    Mar 24 18:58:14 superserver postfix/smtpd[2064]: disconnect from localhost[127.0.0.1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
    Mar 24 18:58:14 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2070, secured, session=<wvj9Cky+zq5/AAAB>
    Mar 24 18:58:14 superserver dovecot: imap([email protected])<2070><wvj9Cky+zq5/AAAB>: Logged out in=4347 out=1126 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
    Mar 24 18:58:15 superserver postfix/smtpd[2076]: connect from localhost[127.0.0.1]
    Mar 24 18:58:15 superserver postfix/smtpd[2076]: 0751660CF9: client=localhost[127.0.0.1]
    Mar 24 18:58:15 superserver postfix/cleanup[2067]: 0751660CF9: message-id=<[email protected]>
    Mar 24 18:58:15 superserver postfix/qmgr[1395]: 0751660CF9: from=<[email protected]>, size=5387, nrcpt=1 (queue active)
    Mar 24 18:58:15 superserver amavis[2010]: (02010-01) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: tOPt9hnQJ8Le, Hits: -0.999, size: 4430, queued_as: 0751660CF9, dkim_new=mail:xxx.com, 277 ms
    Mar 24 18:58:15 superserver postfix/lmtp[2068]: B707060CF8: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.31, delays=0.02/0.01/0.01/0.27, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10027): 250 2.0.0 Ok: queued as 0751660CF9)
    Mar 24 18:58:15 superserver postfix/qmgr[1395]: B707060CF8: removed
    Mar 24 18:58:15 superserver postfix/smtp[2077]: 0751660CF9: to=<[email protected]>, relay=reception.mail-tester.com[94.23.206.89]:25, delay=0.4, delays=0.01/0.01/0.27/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5DF37A9588)
    Mar 24 18:58:15 superserver postfix/qmgr[1395]: 0751660CF9: removed
    Mar 24 18:58:15 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2079, secured, session=<iIoJC0y+2q5/AAAB>
    Mar 24 18:58:15 superserver dovecot: imap([email protected])<2079><iIoJC0y+2q5/AAAB>: Logged out in=70 out=668 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
    Mar 24 18:58:16 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2082, secured, session=<b5kTC0y+3q5/AAAB>
    Mar 24 18:58:16 superserver dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, mpid=2083, secured, session=<q7UTC0y+3K5/AAAB>
    Mar 24 18:58:16 superserver dovecot: imap([email protected])<2082><b5kTC0y+3q5/AAAB>: Logged out in=233 out=1071 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
    Mar 24 18:58:16 superserver dovecot: imap([email protected])<2083><q7UTC0y+3K5/AAAB>: Logged out in=317 out=5634 deleted=0 expunged=0 trashed=0 hdr_count=10 hdr_bytes=2275 body_count=0 body_bytes=0
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Yes, that looks like amavis in use, and looks like it signed "dkim_new=mail:xxx.com". If dkim fails in the real world, my guess is that public dns for mail._domainkey.xxx.com doesn't match the key in the .private file. I would try generating a new key pair and ensuring dns reflects that.
     

Share This Page