Dear ISPConfig, I have successfully installed an ISPConfig server behind an OPNsense firewall for our assembly. Using the links to the MX Record header check below, you will see that when I send email from Protonmail, all is green-checked and looks great, hence Proton is signing their emails with a signature the way it should be; but when I send email from our assembly domain to my personal ISPConfig email server, there is no signature at all. However, if I send email from my personal email server, it gets signed, but my personal ISPConfig server is not behind an OPNsense firewall and uses only local ufw. Is it the OPNsense preventing the signing, or am I missing something at our assembly ISPConfig server?

Header analysis of mail sent by Protonmail to our assembly server:
https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=a5499b4b-ff84-4bec-9415-f746d3f91e42

Header analysis of mail sent by our assembly server to my personal server:
https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=b2c96a00-ddf4-48e4-8a36-52f343199d7d

Header analysis of mail sent by my personal server to our assembly server:
https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx?huid=244cadc2-09a8-47c2-97f9-39c7dafa13d0

Here are the SPF, DMARC, and DKIM results for our assembly; all seems good.
https://mxtoolbox.com/SuperTool.aspx?action=dmarc:georgianationals.org&run=toolpage
https://mxtoolbox.com/SuperTool.aspx?action=dmarc:georgianationals.org&run=toolpage
https://mxtoolbox.com/SuperTool.aspx?action=dkim:default._domainkey.georgianationals.org&run=toolpage

What is it I am missing? Please help.
Source from our assembly domain, missing the signature:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from whs.imaddaou.com by whs.imaddaou.com (Dovecot) with LMTP id RGTxIxC5cmK5DAAAUyo7cQ for <[email protected]>; Wed, 04 May 2022 10:34:08 -0700
Received: from localhost (localhost.localdomain [127.0.0.1]) by whs.imaddaou.com (Postfix) with ESMTP id 8CCC03A0958 for <[email protected]>; Wed, 4 May 2022 10:34:08 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at whs.imaddaou.com
Received: from whs.imaddaou.com ([127.0.0.1]) by localhost (whs.imaddaou.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id BQS_0cgAYkn0 for <[email protected]>; Wed, 4 May 2022 10:34:08 -0700 (PDT)
Received: from mail.georgianationals.org (fw.georgianationals.org [209.145.56.136]) by whs.imaddaou.com (Postfix) with ESMTPS id EF3573A0581 for <[email protected]>; Wed, 4 May 2022 10:34:07 -0700 (PDT)
Received: from [192.168.11.10] (107-213-209-81.lightspeed.tukrga.sbcglobal.net [107.213.209.81]) (Authenticated sender: [email protected]) by mail.georgianationals.org (Postfix) with ESMTPSA id 827AA100070 for <[email protected]>; Wed, 4 May 2022 13:34:06 -0400 (EDT)
To: Imad Daou <[email protected]>
From: Georgia Assembly IT <[email protected]>
Subject: Test DKIM
Message-ID: <[email protected]>
Date: Wed, 4 May 2022 13:34:06 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------3B28DB28D79F7C4406BD27EF"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------3B28DB28D79F7C4406BD27EF
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

--------------3B28DB28D79F7C4406BD27EF
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <body> <p><br> </p> </body> </html>
--------------3B28DB28D79F7C4406BD27EF--

Source from my personal ISPConfig email server, showing the signature:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail.georgianationals.org by mail.georgianationals.org with LMTP id sEizNd64cmI5bAAA+/slsg (envelope-from <[email protected]>) for <[email protected]>; Wed, 04 May 2022 13:33:18 -0400
Received: from fw.georgianationals.org (fw.georgianationals.org [10.20.50.1]) by mail.georgianationals.org (Postfix) with ESMTPS id D82E3100070 for <[email protected]>; Wed, 4 May 2022 13:33:18 -0400 (EDT)
Received: from pmg.georgianationals.org (pmg.georgianationals.org [209.145.56.137]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by fw.georgianationals.org (Postfix) with ESMTPS id 23661943091 for <[email protected]>; Wed, 4 May 2022 13:33:18 -0400 (EDT)
Received: from pmg.georgianationals.org (localhost [127.0.0.1]) by pmg.georgianationals.org (Proxmox) with ESMTP id 6E23B3019B3F for <[email protected]>; Wed, 4 May 2022 13:33:17 -0400 (EDT)
Received: from whs.imaddaou.com (whs.imaddaou.com [173.249.0.39]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pmg.georgianationals.org (Proxmox) with ESMTPS id 045713019B36 for <[email protected]>; Wed, 4 May 2022 13:33:17 -0400 (EDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by whs.imaddaou.com (Postfix) with ESMTP id B3E153A0958 for <[email protected]>; Wed, 4 May 2022 10:33:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=imaddaou.com; h=
 content-language:content-type:content-type:mime-version
 :user-agent:date:date:message-id:subject:subject:from:from; s=
 default; t=1651685596; x=1653499997; bh=gRq59MPff1u6Uu8QZgBrLExA
 mRz4W3vgOwCLTtYyrLc=; b=NPq2vgwUk6m1ZDrmooHvUu4qUtBu9faIPOwwHo9n
 2l8ESILJMSHD9ASOwotur2Z1QOA6lnsDAB8w5rQFE6nnqHWZ5nWLvLP/+H3jAqzr
 QhQtrQVESlPSI+0UGHuYZ7cwykhQ6P7dYrFzF7++7B8z/23289ILAbobrhE1K52T
 uE9JqU7gVneRwI+4n8S9xUkDeCbEBBJfa/7lbRbhlT9++kBre/4bs7nkrL794+II
 LVFVVvEoqX9BBCLMAKXnGttA8dzv7O0bICeKLze11cQAeY4VhRnXV8cdFsx9Tpqk
 zYnInfe8z76b4UQHSpEcbqbBgf3N+mYdi81sX9fiVoLChw==
X-Virus-Scanned: Debian amavisd-new at whs.imaddaou.com
Received: from whs.imaddaou.com ([127.0.0.1]) by localhost (whs.imaddaou.com [127.0.0.1]) (amavisd-new, port 10026) with LMTP id WlJhiCeoIgI0 for <[email protected]>; Wed, 4 May 2022 10:33:16 -0700 (PDT)
Received: from [IPv6:2600:1700:3210:4f70:8eae:4cff:fef4:bc25] (unknown [IPv6:2600:1700:3210:4f70:8eae:4cff:fef4:bc25]) (Authenticated sender: [email protected]) by whs.imaddaou.com (Postfix) with ESMTPSA id 2356C3A0581 for <[email protected]>; Wed, 4 May 2022 10:33:16 -0700 (PDT)
To: Imad Daou <[email protected]>
From: Imad Daou <[email protected]>
Subject: Test DKIM
Message-ID: <[email protected]>
Date: Wed, 4 May 2022 13:33:15 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------216538DB2E7796DCC10C5EF0"
Content-Language: en-US
X-SPAM-LEVEL: Spam detection results: 0
 AWL 2.316 Adjusted score from AWL reputation of From: address
 DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid
 DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature
 DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain
 DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain
 HTML_MESSAGE 0.001 HTML included in message
 RCVD_IN_DNSWL_HI -5 Sender listed at https://www.dnswl.org/, high trust
 SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS -0.001 SPF: sender matches SPF record
 T_SCC_BODY_TEXT_LINE -0.01 -
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [obelievers.com,imaddaou.com]
X-Spamd-Bar: /
Authentication-Results: fw.georgianationals.org; dkim=pass header.d=imaddaou.com header.s=default header.b=NPq2vgwU; dmarc=pass (policy=quarantine) header.from=imaddaou.com; spf=softfail (fw.georgianationals.org: 209.145.56.137 is neither permitted nor denied by domain of [email protected]) [email protected]
X-Rspamd-Server: fw.georgianationals.org
X-Rspamd-Queue-Id: 23661943091
X-Spamd-Result: default: False [-0.81 / 15.00]; DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[]; R_DKIM_ALLOW(-0.20)[imaddaou.com:s=default]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; MX_GOOD(-0.01)[]; DKIM_TRACE(0.00)[imaddaou.com:+]; DMARC_POLICY_ALLOW(0.00)[imaddaou.com,quarantine]; RCVD_VIA_SMTP_AUTH(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_LAST(0.00)[]; TO_DN_ALL(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; R_SPF_SOFTFAIL(0.00)[~all]; RCVD_COUNT_FIVE(0.00)[6]; ARC_NA(0.00)[]; ASN(0.00)[asn:40021, ipnet:209.145.48.0/20, country:US]; FROM_HAS_DN(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[[email protected]]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]

This is a multi-part message in MIME format.
--------------216538DB2E7796DCC10C5EF0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

--
Imad Daou
https://www.obelievers.com/
Podcast https://www.obelievers.com/podcast
--------------216538DB2E7796DCC10C5EF0
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <body> <p><br> </p> <pre class="moz-signature" cols="72">-- Imad Daou <a class="moz-txt-link-freetext" href="https://www.obelievers.com/">https://www.obelievers.com/</a> Podcast <a class="moz-txt-link-freetext" href="https://www.obelievers.com/podcast">https://www.obelievers.com/podcast</a></pre> </body> </html>
--------------216538DB2E7796DCC10C5EF0--
No. DKIM requires a public key in public DNS that corresponds to a private key on the mail server, which is used for signing. From the logs it looks like the sender is using authentication, so from there I would check that the domain is in the amavis config with a DKIM key set (I forget the exact file name) and that the public DNS key is complete/correct.
Hello Jesse, thank you for your quick response. The DKIM private and public key have been generated using https://easydmarc.com/tools/dkim-record-generator. The reason we used EasyDMARC is that the ISPConfig-generated public key was giving us a syntax error when it was verified by the MX Record DMARC/DKIM check; I noticed that the " " being part of the public key when ISPConfig creates those keys was the problem. Is there a way to have ISPConfig generate public DKIM keys without the " " quotes among the other characters? Please check the following: the public key has been set, and the MX DKIM check verifies it all good. The DKIM public key of our assembly domain was set as follows using Cloudflare:

Code:
v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs3KRFwhHEha2EEglw5Fo/YEUD22AfLyXVH3nQkXJLRWHGiGlAuhouI5ZJiadwHEclswLxBgjggsy+7n85a3lCqEpoTU5aX+nuE8f6n4gIQsJ2r5E8BjMSwwWxCyaW56X3mgV7s07OkmZsrZ2R2Ik7dc61VZRURcjiWQ9fVl8rVBZ9GXXu4TRdDA2OfTGLBEQaM8rLnx1wwNw54GwMK+j/zI72bUynQgW2CNndid5iK+sMzM8gcAoAsOyDHvF3UQAV0vfgtdSwUtG/SrlA+tGvrqH39gmb9vt9O60uBmw/zWChmNmy49l8KA0JV29fqUwsDrVSGsS87tuNL6KBwA+mwIDAQAB

Here is the problematic key generated by ISPConfig - note the " ":

Code:
default._domainkey.georgianationals.org. 3600 IN TXT "v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvSFlK2n5i2cdQS316qUkMwRTXAsggGaWF7XQvAFlfysO+yfxez0BPOPVvyUNvLme+7QSoxMj5WiWIDyf4a5XUyMJiSdnKt45hVkO1ZqIOHje4bZMgurmj1+Mqz3uRHjBi5hT9+1uPC5u""1FRAw1493uTBnPmSqWgqXZ5w6IVj/aZ3iSxyi7mu3dW3k3DX56nKKAMO9IxreocwWe3A1bxhdwxZ7T++vgQZ+LyRBTv3qK93/Sy2lIZJFhLKg1upMJiynssfOo85Uw4TGma+KZLCTqsh4svYGndKeLlN2tTZNvFKxTfW1I1YssXplnr1ppmELawzILe/xMHBjacjmRdm""sQIDAQAB"

And verified using the DKIM check by MX Tools: https://mxtoolbox.com/SuperTool.aspx?action=dkim:default._domainkey.georgianationals.org&run=toolpage

Hmmm... We don't use any spam or virus checks at the ISPConfig server, hence I have shut down all related services such as amavis and the spam-checking tools.
That's because we use Proxmox Mail Gateway, located in the DMZ network, to receive emails, with OPNsense as the firewall being used as the outbound gateway. If the PMG MX record is down, then the second MX record is the OPNsense, with priority 20. With this being said, are you saying that I need to re-enable amavis and the spam-check services at the ISPConfig mail server in order for our assembly emails to be signed using the DKIM key? I never thought about that, and that might be the cause?? :0) If that's the case, what services do I need to make sure are up and running?
You don't need to use spam scanning, but DKIM signing on a standard ISPConfig server is done by amavis or rspamd. If you are generating your own DKIM keys and keeping them in sync with an external server/service, and you don't want to run amavis, it might make sense for you to set up opendkim for your signing instead?
Thank you Jesse for confirming. I had never heard of or configured opendkim before; I see, now I know why. Would you please, when possible, point me to a how-to you trust that is compatible with ISPConfig, in order to configure opendkim on an ISPConfig server on Debian 10? Thank you again; your time is highly appreciated.
Oh wait, wouldn't that affect the relation between the private key part and its public key if you alter it? If not, that would be an awesome easy fix for me, to just remove the "" characters. I thought you are not supposed to touch it.
No. You don't alter the key; these are just there to split the key in length for DNS servers that support short TXT records only, and the tool you used to verify the key does not support split TXT records, as it seems; that's why it shows it as invalid.
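To make the point about the split TXT strings concrete, here is an added Python example (not code from this thread or from ISPConfig) that joins the quoted character-strings of a TXT record the way a DKIM verifier has to, parses the tag=value list, and checks that the p= value decodes to an RSA public key. The record it reads is the ISPConfig-generated one posted above, pasted in as the zone-file text; in practice the RDATA would come from a resolver query such as `dig TXT default._domainkey.<domain>`. The function names are my own, and the small DER reader only walks the fields needed to find the RSA modulus.

```python
"""Parse a DKIM key record published as one or more quoted TXT strings.

Added example for this thread; not ISPConfig code. The sample record is the
ISPConfig-generated one posted earlier in the thread, quotes and all.
"""
import base64
import re

# rsaEncryption OID 1.2.840.113549.1.1.1 in DER form (contents only)
RSA_OID = bytes.fromhex("2a864886f70d010101")

# One TXT RR whose RDATA is three <character-string>s: a single string is
# limited to 255 bytes, so a 2048-bit key has to be split for publication.
ISPCONFIG_RECORD = (
    'default._domainkey.georgianationals.org. 3600 IN TXT '
    '"v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvSFlK2n5i2cdQS316'
    'qUkMwRTXAsggGaWF7XQvAFlfysO+yfxez0BPOPVvyUNvLme+7QSoxMj5WiWIDyf4a5XUyMJiSdnKt45'
    'hVkO1ZqIOHje4bZMgurmj1+Mqz3uRHjBi5hT9+1uPC5u"'
    '"1FRAw1493uTBnPmSqWgqXZ5w6IVj/aZ3iSxyi7mu3dW3k3DX56nKKAMO9IxreocwWe3A1bxhdwxZ7T'
    '++vgQZ+LyRBTv3qK93/Sy2lIZJFhLKg1upMJiynssfOo85Uw4TGma+KZLCTqsh4svYGndKeLlN2tTZ'
    'NvFKxTfW1I1YssXplnr1ppmELawzILe/xMHBjacjmRdm"'
    '"sQIDAQAB"'
)


def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted <character-string>s of a TXT RDATA.

    RFC 6376 section 3.6.2.2 requires a verifier to join the strings of a
    TXT record with no separator, so the quotes never change the key. Input
    without any quotes (the bare value some DNS web forms take) is returned
    unchanged.
    """
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:
        return rdata.strip()
    return "".join(p.replace('\\"', '"') for p in parts)


def parse_dkim_tags(rdata: str) -> dict:
    """Split a joined DKIM record into its tag=value pairs (RFC 6376 3.2)."""
    tags = {}
    for item in join_txt_strings(rdata).split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag: {item!r}")
        name, value = item.split("=", 1)
        # Folding whitespace inside a value carries no meaning, so drop it.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _der_item(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Return the modulus size of an RSA SubjectPublicKeyInfo (the p= value)."""
    tag, body, _ = _der_item(spki, 0)               # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, pos = _der_item(body, 0)                # AlgorithmIdentifier
    _, oid, _ = _der_item(alg, 0)
    if oid != RSA_OID:
        raise ValueError("key algorithm is not rsaEncryption")
    _, bit_string, _ = _der_item(body, pos)         # BIT STRING subjectPublicKey
    _, rsa_pub, _ = _der_item(bit_string[1:], 0)    # skip the unused-bits octet
    _, modulus, _ = _der_item(rsa_pub, 0)           # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(rdata: str) -> dict:
    """Validate a published key record and report what a verifier would see."""
    tags = parse_dkim_tags(rdata)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("v= must be DKIM1 when present")
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    key_type = tags.get("k", "rsa")
    flags = tags["t"].split(":") if tags.get("t") else []
    result = {"key_type": key_type, "flags": flags,
              "revoked": tags["p"] == "", "modulus_bits": None}
    if result["revoked"]:
        return result  # an empty p= means the selector has been revoked
    raw = base64.b64decode(tags["p"], validate=True)
    if key_type == "rsa":
        result["modulus_bits"] = rsa_modulus_bits(raw)
    elif key_type == "ed25519" and len(raw) != 32:
        raise ValueError("ed25519 p= must be a 32-byte public key")
    return result


if __name__ == "__main__":
    print(check_dkim_record(ISPCONFIG_RECORD))
```

Run against the record above it reports a 2048-bit RSA key with the `s` flag set, which is what a conforming verifier sees once the three strings are joined; a checker that rejects the record at the `""` boundary is reading the presentation format, not the key.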
That's correct. I didn't understand the quotes, and was struggling with the DNS form of a DNS provider: https://www.howtoforge.com/community/threads/resolved-issue-with-dkim-record.88907/#post-435500 After removing the quotes, the DNS record works properly. I was able to test/verify this by sending an e-mail to my Gmail account and by using the DKIM Validator: https://dkimvalidator.com/
Dear all, here is what I did: I read the following thread https://www.howtoforge.com/community/threads/how-to-install-opendkim-on-ispconfig-3-1-2.75543/ and I saw that Till is not recommending opendkim, since ISPConfig can do this already by default. So I went ahead and installed amavisd, enabled rspamd again, updated the system, ran ispconfig_update.sh --force, made sure I chose to reconfigure the services, and rebooted the server. However, my outgoing emails are still not being signed; please check below:

Code:
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from whs.imaddaou.com by whs.imaddaou.com (Dovecot) with LMTP id itYXAdLfdWLIDwAAUyo7cQ for <[email protected]>; Fri, 06 May 2022 19:56:18 -0700
Received: from localhost (localhost.localdomain [127.0.0.1]) by whs.imaddaou.com (Postfix) with ESMTP id F0F523A36D1 for <[email protected]>; Fri, 6 May 2022 19:56:17 -0700 (PDT)
X-Virus-Scanned: Debian amavisd-new at whs.imaddaou.com
Received: from whs.imaddaou.com ([127.0.0.1]) by localhost (whs.imaddaou.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id rx5sKn86EzpX for <[email protected]>; Fri, 6 May 2022 19:56:03 -0700 (PDT)
Received: from mail.georgianationals.org (fw.georgianationals.org [209.145.56.136]) by whs.imaddaou.com (Postfix) with ESMTPS id 0E2503A0599 for <[email protected]>; Fri, 6 May 2022 19:55:58 -0700 (PDT)
Received: from [192.168.11.10] (107-213-209-81.lightspeed.tukrga.sbcglobal.net [107.213.209.81]) (Authenticated sender: [email protected]) by mail.georgianationals.org (Postfix) with ESMTPSA id B08AD10007D for <[email protected]>; Fri, 6 May 2022 22:55:56 -0400 (EDT)
To: Imad Daou <[email protected]>
From: Imad Daou <[email protected]>
Subject: Sending from logwatch
Message-ID: <[email protected]>
Date: Fri, 6 May 2022 22:55:55 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------81BD506F352724A09DA2E778"
Content-Language: en-US
Authentication-Results: mail.georgianationals.org; auth=pass [email protected] [email protected]

This is a multi-part message in MIME format.
--------------81BD506F352724A09DA2E778
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

test
--------------81BD506F352724A09DA2E778
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> </head> <body> <p><font face="Cantarell">test</font><br> </p> </body> </html>
--------------81BD506F352724A09DA2E778--
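The question this thread keeps coming back to is "was the message signed, and if so where?", and that can be read off the message source without an external tool. The following Python check is an added example (not code from the thread or from ISPConfig): it uses the standard-library email parser to list any DKIM-Signature headers with their d=/s= tags, says whether the signing domain aligns with the From: domain, finds the hop that accepted the authenticated submission (the server on which ISPConfig's amavis or rspamd would sign), and counts how many Received headers sit above the signature, which tells you at which hop it was added. The two message sources are constructed from the headers posted above, shortened, with placeholder addresses and a placeholder signature value; the function names are my own.

```python
"""Report DKIM signing state from a raw message source.

Added example for this thread, not ISPConfig's code. Both sample messages
are constructed from the headers posted in the thread; addresses are
placeholders and the b= / bh= values are not real signatures.
"""
import email
import re
from email.utils import parseaddr

# Constructed from the unsigned message posted first in the thread.
UNSIGNED_SOURCE = """\
Return-Path: <it@georgianationals.org>
Received: from mail.georgianationals.org (fw.georgianationals.org [209.145.56.136])
 by whs.imaddaou.com (Postfix) with ESMTPS id EF3573A0581
 for <user@imaddaou.com>; Wed, 4 May 2022 10:34:07 -0700 (PDT)
Received: from [192.168.11.10] (unknown [192.0.2.10])
 (Authenticated sender: it@georgianationals.org)
 by mail.georgianationals.org (Postfix) with ESMTPSA id 827AA100070
 for <user@imaddaou.com>; Wed, 4 May 2022 13:34:06 -0400 (EDT)
To: Imad Daou <user@imaddaou.com>
From: Georgia Assembly IT <it@georgianationals.org>
Subject: Test DKIM
Date: Wed, 4 May 2022 13:34:06 -0400
Message-ID: <constructed-1@georgianationals.org>

"""

# Constructed from the signed message posted second; note the signature
# sits between the amavis hop and the Postfix reinjection hop.
SIGNED_SOURCE = """\
Received: from localhost (localhost.localdomain [127.0.0.1])
 by whs.imaddaou.com (Postfix) with ESMTP id B3E153A0958
 for <user@georgianationals.org>; Wed, 4 May 2022 10:33:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=imaddaou.com; h=
 content-type:mime-version:date:message-id:subject:from; s=
 default; t=1651685596; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG
 NATURE==
Received: from whs.imaddaou.com ([127.0.0.1]) by localhost (whs.imaddaou.com [127.0.0.1])
 (amavisd-new, port 10026) with LMTP id WlJhiCeoIgI0
 for <user@georgianationals.org>; Wed, 4 May 2022 10:33:16 -0700 (PDT)
Received: from [192.168.1.2] (unknown [198.51.100.7])
 (Authenticated sender: user@imaddaou.com)
 by whs.imaddaou.com (Postfix) with ESMTPSA id 2356C3A0581
 for <user@georgianationals.org>; Wed, 4 May 2022 10:33:16 -0700 (PDT)
Authentication-Results: fw.georgianationals.org; dkim=pass header.d=imaddaou.com header.s=default
To: <user@georgianationals.org>
From: Imad Daou <user@imaddaou.com>
Subject: Test DKIM
Date: Wed, 4 May 2022 13:33:15 -0400
Message-ID: <constructed-2@imaddaou.com>

test
"""

RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.\-\[\]:]+)")


def dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tags, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_report(raw: str) -> dict:
    """Summarise the DKIM-related headers of one message source."""
    msg = email.message_from_string(raw)
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        t = dkim_tags(value)
        sigs.append({"d": t.get("d"), "s": t.get("s"), "a": t.get("a"),
                     "h": t.get("h", "").split(":")})
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    aligned = any(s["d"] and s["d"].lower() == from_domain for s in sigs)
    # The hop that accepted the authenticated submission is where an
    # ISPConfig server signs (via its amavis/rspamd content filter).
    submission = None
    for rcv in msg.get_all("Received", []):
        if "Authenticated sender" in rcv:
            m = RECEIVED_BY.search(rcv)
            submission = m.group(1) if m else None
            break
    # Headers are prepended by each hop, so the number of Received headers
    # above the signature says how many hops came after the signer.
    received_above, count = None, 0
    for name, _ in msg.items():
        if name.lower() == "dkim-signature":
            received_above = count
            break
        if name.lower() == "received":
            count += 1
    verdicts = [re.sub(r"\s+", " ", v) for v in msg.get_all("Authentication-Results", [])]
    return {"signed": bool(sigs), "signatures": sigs, "aligned_with_from": aligned,
            "submission_server": submission, "received_above_signature": received_above,
            "auth_results": verdicts}


if __name__ == "__main__":
    for label, src in (("unsigned", UNSIGNED_SOURCE), ("signed", SIGNED_SOURCE)):
        print(label, dkim_report(src))
```

For the unsigned sample the report names mail.georgianationals.org as the submission server and finds no signature, so that server (its content filter) is where to look; for the signed sample it finds d=imaddaou.com, s=default, one Received header above the signature (the reinjection after amavis), and a dkim=pass verdict from the receiving side. To run it on a real message, save the full source from the mail client and pass its text to dkim_report.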
You will need to edit the mail domain and save it again, or maybe disable DKIM and enable it again, so that it writes the key into the amavis config.