DKIM with Rspamd on current version not working, key length 2048, was 1024

Discussion in 'General' started by tal56, Sep 21, 2021.

  1. tal56

    tal56 Member

    Hi guys,
    I recently updated ISPConfig, and have noticed that a new domain that I added does not have DKIM signed emails, even though it's set up exactly like my previous domains. I tested on some DKIM mail testing sites, and it does send the correctly set up DKIM, but it's "not valid", says "The public key contains invalid characters."

    Also in comparing the keys, I noticed the newly generated ones are much longer, and have confirmed through the mail checking sites the new key is 2048 length and not 1024 like my previous domains. Has the encryption method changed in the recent version? A change that may cause problems when working with Rspamd? Cuz I'm using Rspamd instead of Amavis to sign the emails. Has anyone else with this config noticed any problems? Emails are sent fine, but just not DKIM signed correctly.

    Sorry, forgot to include I'm on Debian 10, with the Perfect Server Nginx install, and recently updated to the latest version of ISPConfig.

    Last edited: Sep 21, 2021
  2. tal56

    tal56 Member

    So I did some more digging and found in "Server Config - Mail" you can set the DKIM Strength, mine is set to 1024 (weak), but for some reason it's creating a 2048 key. I found this post that says a previous bug was fixed for this, could it be possible the fix was reverted, or was left out of a recent update?
  3. tal56

    tal56 Member

    So trying to figure this out some more, I deleted the domain in email, then created it again with the DKIM key, again it created a 2048 key that is invalid. So after that, I disabled DKIM on the domain, then re-enabled it again and generated a new key, now this key is the right length, 1024, but when I copy the key onto my registrar (Cloudflare), it still does not work. On any DKIM validator website, it still says the key is available but invalid and has invalid characters. I'm not sure what the issue is as I'm setting up this domain exactly how I have previously and they all work, but all the previous were set up before the recent update to ISPConfig. Thanks
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Nothing has been changed in DKIM key generation in the last few ISPConfig releases and I'm not aware of any other user having issues with that yet.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    But some providers require the DKIM key to be split in several sections while others don't support this format. Maybe that's the reason for your issue? If your provider does not support split DKIM keys, then remove the "" within the public key of the DNS record.
    calbasi likes this.
  6. tal56

    tal56 Member

    Thanks for the reply Till, I use the same provider "Cloudflare" for most of my domains currently so am familiar with their setup. I'm a little stumped by this if nothing has changed. I'll see if I can play around with it some more and figure out the problem. I did notice Rspamd had an update recently too, but if Rspamd was the issue, then my other domains shouldn't be working either.

    Anyways really appreciate the reply, I'll look into it some more.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Try removing the "" in the public key.
  8. tal56

    tal56 Member

    I think I figured it out, and it most likely is a bug in ISPConfig, with how the DNS-Record is listed. It looks like there are some quotes in the DKIM key that I didn't see, which also shouldn't be there. Because if you copy and paste that into your registrar DKIM, it will cause problems. Pretty sure it was not like this before, but here's what my DNS-Record looks like:

    Code:
    3600  IN  TXT   "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCze0msJRF1rD3/R6klQjEtYqTO53MJRIm0SS9P4nViUNAWe5/FODgaDmQBgKot2Xo1UFqFA8ixwo3ZOcOdCDNrd6ROVcScR8ocNrygBWI3zqI8VO0RSi08p3un85ueqoc1/vXPIhI1cwmT8saq""0QWt/Y5gwf7NcMiMcIPWkCdfwQIDAQAB"
    Notice the quotes in the part I bolded. Those should not be there.

    I looked into the file at /var/lib/amavis/dkim and did not see the quotes in the key. So I copied the key from the file and used it directly at the registrar and it works fine now. As far as I can tell the only difference is the 2 double quotes, but I haven't compared very carefully. I looked at my previous domains, they also have the 2 double quotes at the same spot now on ISPConfig, so I'm pretty sure if I was to update the DKIM key on those and tried to copy it on the registrar, it'll break as well. It definitely was not like this before, as those previous domains, I just copied from the same part too, the DNS-Record. So the DKIM key is right, but not sure how the quotes get inserted, even old ones that are working correctly have the quotes now too.

    Also there is another bug too, if you create a mail domain and set up the DKIM right away, it will not set up the correct encryption level according to server config, mine will set up a 2048 key even though my server config is set to 1024. If you create the domain first, then set up the DKIM key afterward I think it's fine, I haven't confirmed, but it did work fine after I deleted the DKIM, then set it up again. But of course still had the double quote which should not be there.

    Thanks guys.
  9. tal56

    tal56 Member

    Yup, caught that right after I posted too. I wrote a whole long post to try and explain clearly so you guys can create a bug report. Thanks again Till.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    What you describe is no bug, it's a feature (and requirement) that has existed in ISPConfig for many years as most DNS servers incl. BIND require longer keys to be split like this. That you are using an external DNS service that lacks support for this is actually a problem of that service and not an issue in ISPConfig.
    ahrasis likes this.
  11. tal56

    tal56 Member

    The external DNS is Cloudflare. Since there may be others using Cloudflare because of their popularity, this issue could pop up again because most people will just copy and paste from the same spot I got the key. I'll pass it along to Cloudflare though, whether they do anything about it is anyone's guess.
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Different services require the key to be entered in different (usually one of the two) formats; it would indeed be nice if Cloudflare would change their interface to allow you to enter it either way. Creating an initial 2048 bit key when set to 1024 is indeed a bug.
    tal56 likes this.
  13. calbasi

    calbasi Member

    That solves my problem... But I wonder if this could not be improved... Users cannot have any idea what the "" are for (splitting a key) nor whether their DNS provider accepts this or not... Maybe it would be better to use the "not split format" or show a warning/notice on the ISPConfig screen to avoid users looking here or there about what the hell is happening with their DKIM record :)
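
Added example (not part of the thread, and not ISPConfig, Rspamd or Cloudflare code): a standard-library Python check that joins the split TXT strings from the record posted above into the single value a one-field DNS form expects, rejects the copy that still contains the inner quote pair, and reads the RSA key size from the `p=` tag to confirm 1024 versus 2048 bits. The function names are hypothetical, and `naive_paste` is a constructed model of pasting the field with only the outer quotes removed.

```python
import base64
import re

# DNS record as posted in the thread: one TXT record split into two quoted strings.
SPLIT_RECORD = (
    '"v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCze0msJRF1rD3/R6klQjEtYqTO53MJRIm0'
    'SS9P4nViUNAWe5/FODgaDmQBgKot2Xo1UFqFA8ixwo3ZOcOdCDNrd6ROVcScR8ocNrygBWI3zqI8VO0RSi08p3un'
    '85ueqoc1/vXPIhI1cwmT8saq""0QWt/Y5gwf7NcMiMcIPWkCdfwQIDAQAB"'
)

def join_txt_strings(rdata):
    """Concatenate the quoted strings of a TXT record, as a DKIM verifier sees them."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def naive_paste(rdata):
    """Constructed failure case: outer quotes removed, inner quote pair left in place."""
    return rdata.strip()[1:-1]

def dkim_tags(value):
    """Parse 'k=v; k=v' tags; whitespace inside a value is dropped (harmless for base64)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def _tlv(buf, pos):
    """Read one DER element at pos; return (content_start, content_end)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def rsa_bits(p_value):
    """Return the RSA modulus size in bits; ValueError if p= is not clean base64."""
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", p_value):
        raise ValueError("public key contains invalid characters")
    der = base64.b64decode(p_value, validate=True)
    spki, _ = _tlv(der, 0)                  # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = _tlv(der, spki)            # AlgorithmIdentifier, skipped
    bits, _ = _tlv(der, alg_end)            # BIT STRING
    key, _ = _tlv(der, bits + 1)            # skip unused-bits byte, RSAPublicKey SEQUENCE
    mod_start, mod_end = _tlv(der, key)     # INTEGER modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()
```

`join_txt_strings(SPLIT_RECORD)` is the value to paste into a provider that wants the key unsplit; `rsa_bits(dkim_tags(...)["p"])` on it confirms which key strength was actually generated.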
