Hi,

In the process of setting up DMARC I found I had DKIM problems. DKIMVALIDATOR (http://dkimvalidator.com) returns "This message does not contain a DKIM Signature".

I've gone through the DKIM debug at https://blog.schaal-24.de/dkim/debug-2/?lang=en and the commands that did not return valid information were those to "query your own DNS":

    dig @ns.example.com default._domainkey.example.com TXT
    dig @127.0.0.1 default._domainkey.example.com TXT

These did not return an answer. However, netstat -nap | grep \:53 did show it was listening on port 53:

    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 10.0.0.20:53            0.0.0.0:*               LISTEN      1612/named
    tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1612/named
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1612/named
    tcp        0      0 10.0.0.20:143           70.88.86.213:53439      ESTABLISHED 29518/dovecot/imap-
    tcp6       0      0 :::53                   :::*                    LISTEN      1612/named
    udp        0      0 10.0.0.20:53            0.0.0.0:*                           1612/named
    udp        0      0 192.168.122.1:53        0.0.0.0:*                           1858/dnsmasq
    udp        0      0 192.168.122.1:53        0.0.0.0:*                           1612/named
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           1612/named
    udp6       0      0 :::53                   :::*                                1612/named

I've checked and double checked the records in ISPConfig 3 and did a resync, as well as checked the records at zoneedit.com. Any suggestions on how to proceed with this problem?

Thanks,
Ray
Let me give a little background on my system: The Perfect Server with CentOS 7, MariaDB, Nginx, Roundcube. I am hosting multiple servers.
Thanks, Florian. But from my above text, I went through that debug tutorial (a good one at that) [I've gone through the DKIM debug at https://blog.schaal-24.de/dkim/debug-2/?lang=en and the commands that did not return valid information were those to "query your own DNS"]. When I did a query on my own DNS (the one set up by ISPConfig), it did not return an answer with data:

    dig @ns.example.com default._domainkey.example.com TXT
    dig @127.0.0.1 default._domainkey.example.com TXT
If your own DNS gives you no DKIM record, the keys are missing in the zone files. Check the zone in ISPConfig and the files in /etc/bind/pri*.
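The "query your own DNS" step above is the one that decides whether signing can work at all: if the selector record is absent from the zone, no receiver can verify the signature. As an added example (not from the thread or from ISPConfig), the checker below takes the TXT strings a dig answer would return for default._domainkey.<domain> and reports the failure modes a practitioner meets: no answer, a revoked (empty) p= tag, or a key that is not valid base64/DER. The sample records are constructed and the key bytes are filler, not a real key.

```python
import base64
import re
from typing import Dict, List

# Constructed sample inputs. FAKE_KEY is a DER SEQUENCE header plus filler, not a
# real RSA SubjectPublicKeyInfo; it only exercises the structural checks below.
FAKE_KEY = base64.b64encode(b"\x30\x81\x9f" + b"\x00" * 159).decode()
GOOD_RECORD = ["v=DKIM1; k=rsa; ", "p=" + FAKE_KEY]  # long TXT data comes as several strings
EMPTY_RECORD: List[str] = []                          # what the thread's dig queries returned
REVOKED_RECORD = ["v=DKIM1; k=rsa; p="]               # RFC 6376: empty p= means key revoked


def join_txt(strings: List[str]) -> str:
    """TXT data longer than 255 bytes is split into quoted strings; concatenate without separator."""
    return "".join(strings)


def parse_tags(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is insignificant."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_dkim_record(strings: List[str]) -> List[str]:
    """Return the problems found; an empty list means the record looks usable for verification."""
    if not strings:
        return ["no TXT answer: selector record missing from the zone"]
    tags = parse_tags(join_txt(strings))
    problems: List[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":         # v= is optional, but if present must be DKIM1
        problems.append("v= tag is not DKIM1")
    key_type = tags.get("k", "rsa")                # k= defaults to rsa
    p = tags.get("p")
    if p is None:
        problems.append("p= tag missing")
    elif p == "":
        problems.append("p= is empty: key has been revoked")
    else:
        try:
            der = base64.b64decode(p, validate=True)
        except ValueError:                         # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
        else:
            # An RSA key is a DER SubjectPublicKeyInfo, i.e. it must start with a SEQUENCE (0x30).
            if key_type == "rsa" and (not der or der[0] != 0x30):
                problems.append("p= does not decode to a DER SEQUENCE")
    return problems
```

Feed it the strings from your own resolver and from a public one; if the two disagree, the zone file on the ISPConfig nameserver is the place to look, not the mail server.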
Well Florian, I've gone from bad to worse on my troubleshooting this problem.

1) There are DNS records in my ISPConfig.
2) But /etc/bind does not exist.
3) I installed amavisd-new and I lost the ability to send emails. (I removed it but still no email send.) In the maillog I get a refused. When I do a netstat -tap I cannot find anything on 25, and for 10025 I get (I assume postfix):

    localhost:10025 0.0.0.0:* LISTEN 5658/master

At this point I'm not sure what to tackle first???
This can be fine, the directory on CentOS is /etc/named/ if I remember correctly, /etc/bind/ is the directory on Ubuntu and Debian. I wonder why it was not installed as it is part of every ISPConfig setup. Do you remember which tutorial you used to install your server?
Yes. It was The Perfect Server - CentOS 7 x86_64 (nginx, Dovecot, ISPConfig 3) - 2014/11. I will re-install amavisd-new and take another look at your tutorial for DKIM.

1) I took a look at the PDF for the install; at step #13 it says: "13 Install Amavisd-new, SpamAssassin, And ClamAV". I have a check next to it, so I performed it.

Checking Yegor's tutorial to patch ISPConfig 3 at http://blog.yegorgavrilov.com/2013/07/fix-dkim-issue-in-ispconfig3.html, I checked and all the steps were there, except the last one on the /etc/amavis.conf file:

    #DKIM
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;    # load DKIM signing code,
    @dkim_signature_options_bysender_maps = (
      { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

I added this.
That guide from Yegor is completely outdated and the DKIM code has been in ISPConfig already for a long time; do not do this as it will break your server. Just install amavisd and ISPConfig as shown in the perfect server guide. In case your server does not have enough entropy to create DKIM keys, then you might have to install the additional package 'haveged' with yum.
OK. I backed out the old tutorial, rechecked the "Perfect Server for CentOS 7, ISPConfig 3, etc." But I still am having DKIM problems. Now it looks like I've caused a problem that stopped the email from working. I am doing a tail -f /var/maillog and when I email I get a connection refused:

    status=deferred (connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)

I have checked to make sure that port is in the iptables and no other service is using it (netstat -a -n).

To be honest, I wish I had all the background to thoroughly understand this and troubleshoot it, but I am beginning to wonder if it would be better to take the system down in the middle of the night and just rebuild???
It looks like amavis is running and it's listening on ports 10024, 10025, 10027:

    [root@avalon ~]# ps -ef|grep amavis
    amavis    1769     1  0 Nov12 ?        00:28:47 /usr/sbin/clamd -c /etc/clamd.d/amavisd.conf --foreground=yes
    amavis   13590     1  0 Dec03 ?        00:00:03 /sbin/amavisd (master)
    amavis   13591 13590  0 Dec03 ?        00:00:02 /sbin/amavisd (ch7-avail)
    amavis   13592 13590  0 Dec03 ?        00:00:01 /sbin/amavisd (ch6-avail)
    [root@avalon ~]# netstat -tanp|grep 1002
    tcp        0      0 127.0.0.1:10027         0.0.0.0:*               LISTEN      31638/master
    tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      13590/amavisd (mast
    tcp        0      0 127.0.0.1:10025         0.0.0.0:*               LISTEN      31638/master

I do notice from iptables -L -nv I only have 10024 open. Do I need to open 10027 and 10025?
I opened a port for 10026, tried a test msg and still the same result.

    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10024
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10027
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10025
    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:10026

I changed the /etc/amavisd.conf and set $log_level = 5; did a reboot and found the information below in the maillog:

    Dec 7 11:30:16 localhost amavis[15475]: starting. /sbin/amavisd at avalon.chi-linux.net amavisd-new-2.11.0 (20160426), Unicode aware, LANG="en_US.UTF-8"
    Dec 7 11:30:18 localhost amavis[15476]: Net::Server: Group Not Defined. Defaulting to EGID '995 995'
    Dec 7 11:30:18 localhost amavis[15476]: Net::Server: User Not Defined. Defaulting to EUID '996'
    Dec 7 11:30:18 localhost amavis[15476]: No ext program for .rar, tried: rar, unrar
    Dec 7 11:30:18 localhost amavis[15476]: No ext program for .lha, tried: lha
    Dec 7 11:30:18 localhost amavis[15476]: No ext program for .tnef, tried: tnef
    Dec 7 11:30:18 localhost amavis[15476]: No decoder for .lha
    Dec 7 11:30:18 localhost amavis[15476]: No decoder for .rar
    Dec 7 11:30:18 localhost amavis[15476]: Using primary internal av scanner code for ClamAV-clamd
    Dec 7 11:30:18 localhost amavis[15476]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
    Dec 7 11:30:19 localhost amavis[15476]: DKIM signature verification disabled, corresponding features not available. If not intentional, consider enabling it by setting: $enable_dkim_verification to 1, or explicitly disable it by setting it to 0 to mute this warning.
    Dec 7 11:30:30 localhost amavis[15476]: (!)Net::Server: 2017/12/07-11:30:30 Re-exec server during HUP

*** To change the problem, I turned off DKIM for all domains. ***

Well, this did not change the problem. Also, now when I do a ps aux | grep amavis:

    amavis   15476  0.7  2.9 379396 112992 ?        Ss   11:30   0:03 /sbin/amavisd (master)
    amavis   15491  0.0  2.7 380924 104096 ?        S    11:30   0:00 /sbin/amavisd (virgin child)
    amavis   15492  0.0  2.7 380924 104060 ?        S    11:30   0:00 /sbin/amavisd (virgin child)

I have a router between the server and the Internet; does it make sense to open the ports on it also?

Thanks
"DKIM signature verification disabled" - please check that you installed everything according to the perfect-setups.
Thanks Florian, I did and rebuilt the server with Debian 9. It seems I could not make any progress with this issue. This post can be closed.