DKIM strong keys not supported?

Discussion in 'Installation/Configuration' started by Loveless, Apr 25, 2017.

  1. Loveless

    Loveless Member

    DKIM strength when set to "strong (4096)" in the Server Config > Mail section generates false DKIM key records.
    I noticed them failing at the receiving end (Google, Outlook etc.).

    Set it back to 2048 and all was fine.

    When I checked the 4096 key on http://dkimcore.org/c/keycheck at the bottom with
    Check a DKIM Core Key Record
    I got this:
    Running this on the latest git-stable ISPConfig Version: 3.1dev on up to date Ubuntu 16.04 server.
     
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

    I just tested this and I get valid dkim-records and dns-records with 4096 byte.
    You can run amavisd-new showkeys and compare the output with the public-key in your dns. And please check that the field type of the data column in the dns_rr table in your database is TEXT.
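
The comparison florian030 suggests, as an added example (not code from the thread, ISPConfig or amavisd-new). It joins the quoted strings of the TXT record from "amavisd-new showkeys" and from "dig +short ... txt", extracts the p= value from each, and reports whether DNS holds the same key, a cut-off prefix of it, or a different key. The function names, example.com, /path/to/key.pem and the filler key material are constructed for illustration.

```python
import re

def txt_strings(text):
    """Quoted character-strings of a TXT record, in order. Accepts
    `amavisd-new showkeys` output or `dig +short <name> txt` output."""
    body = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith(";"))  # skip showkeys comment lines
    return re.findall(r'"([^"]*)"', body)

def dkim_p(text):
    """Join the strings the way a verifier does and return the p= tag value."""
    for tag in "".join(txt_strings(text)).split(";"):
        name, _, value = tag.partition("=")
        if name.strip() == "p":
            return re.sub(r"\s+", "", value)
    return ""

def compare(showkeys_out, dig_out):
    """Classify the published key against the key amavisd-new signs with."""
    local, published = dkim_p(showkeys_out), dkim_p(dig_out)
    if not local or not published:
        return "missing"
    if local == published:
        return "match"
    if local.startswith(published):
        return "truncated"   # DNS holds only a prefix of the local key
    return "different"       # DNS and amavisd-new hold different keys

# Constructed sample data: filler of the length of a 4096-bit key, not a real key.
KEY = "ABCDEFGH" * 92    # 736 base64 characters
OTHER = "HGFEDCBA" * 92

def chunks(s, n):
    return [s[i:i + n] for i in range(0, len(s), n)]

def showkeys(key):   # layout of `amavisd-new showkeys` output
    lines = ['"v=DKIM1; p="'] + ['"%s"' % c for c in chunks(key, 64)]
    return ("; key#1 4096 bits, i=mail, d=example.com, /path/to/key.pem\n"
            "mail._domainkey.example.com.\t3600 TXT (\n  "
            + "\n  ".join(lines) + ")\n")

def dig_short(key):  # layout of `dig +short ... txt`: strings of at most 255 bytes
    return " ".join('"%s"' % c for c in chunks("v=DKIM1; p=" + key, 255))

if __name__ == "__main__":
    print(compare(showkeys(KEY), dig_short(KEY)))                     # match
    print(compare(showkeys(KEY), dig_short(OTHER)))                   # different
    print(compare(showkeys(KEY), '"v=DKIM1; p=%s"' % KEY[:244]))      # truncated
```

A "truncated" result points at storage that cut the record short, such as a data column that is not TEXT; a "different" result means the key on the mail server and the key in DNS do not belong together.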
     
  3. Loveless

    Loveless Member

    Indeed it does not show the same key when I do 'amavisd-new showkeys' for a test domain. Why is that? I did already restart amavis, any other services that need to pick it up?
    I do see the correct data in the ISPC server config under the domain's DKIM settings, I have copy pasted the key from there to DNS (it's external for me), when I do # dig +short mail._domainkey.domain.nl txt I get the correct one from DNS.
    So I guess amavisd-new is the culprit. Any idea?

    And shouldn't ISPC reload the related services for DKIM keys when they're created anew?
     
  4. Loveless

    Loveless Member

    OK, figured it out. I had /var/lib/amavis (and its subfolders) loaded in RAM (in a ramdisk). Apparently amavis or ispconfig does not like that. Not sure why, to be honest. It sped up the mail-handling by a lot, which is why I did that.
     
  5. florian030

    florian030 Well-Known Member HowtoForge Supporter

    I have /var/lib/amavis/tmp on a ram-disk. Is there any reason why you store /var/lib/amavis on a ram-disk?
     
  6. Loveless

    Loveless Member

    Just the fact that I have about 6 GB of very fast RAM doing nothing; I put in it what I can, whatever gets read and written faster is OK. I like the difference in speed, and the fact it saves disk IO. I use this tool: https://github.com/graysky2/anything-sync-daemon rather than tmpfs because it auto-syncs.
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Nice idea. I never thought they could be placed on a ram-disk.
     
  8. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Amavis uses tmp during a scan so there is no need to put the whole amavis into a ram-disk.
    Really 6GB? Did you receive mails with such a big size? I think 500MB is always enough.
     
  9. Loveless

    Loveless Member

    I got a server with 8GB. The whole thing, with about ~20 domains with mail/sites on it, takes up only about 1.8 GB of that RAM still, even after I've tweaked it almost every place I could find to have it cache in memory more. Maybe because I only use nginx, no Apache, but still, it's a waste to not have as much IO in RAM as possible. I expected Linux to do better with that than it actually does when you ask it to, but it's just *not* using up the RAM. I already disabled swap, because even there it would still go take up some of it, even while I had it to 1 in sysctl.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I noted that in Ubuntu 17.04 and maybe above, swap will be disabled by default and replaced with file/directory.
     
