Email not dkim signed.

Discussion in 'ISPConfig 3 Priority Support' started by francoisPE, Nov 9, 2022.

  1. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    I have a multiserver conf working well.
    I discover that mails sent by my server are not DKIM signed !
    That's very strange because in my domain, there is clearly a dkim setup
    [Image attachment: upload_2022-11-9_23-1-4.png]

    here below extract of a mail source code :
    [Image attachment: upload_2022-11-9_23-2-47.png]

    My DNS records are green !

    Any idea ?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you tried disabling and then re-enabling DKIM?
     
  3. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Yes, I've just done it.
    Unfortunately, it is unchanged ! :(

    How can I check ispconfig conf is really implemented in postfix ?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    DKIM signing is not done by postfix, it is done by either Amavis or Rspamd, depending on which exact setup you use on that server. Which spamfilter system do you use?
     
  5. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I understand better !
    DKIM ran well months ago
    It turned from amavis to rspamd something like 2 months ago
    Something probably went wrong at that time...
    What should I do to debug ?
     
  6. pyte

    pyte Well-Known Member HowtoForge Supporter

    Check the files dkim_domains.map and dkim_selectors.map in /etc/rspamd/local.d/. In both of these files the domain that you activated DKIM for should be listed. Is this the case?

    Make sure to check the content of /var/lib/amavis/dkim/ as well, as the keys should be stored there
     
  7. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I think that's ok:

    /etc/rspamd/local.d/dkim_domains.map
    mydom.tld /var/lib/amavis/dkim/mydom.tld.private
    ...
    /etc/rspamd/local.d/dkim_selectors.map
    mydom.tld mykey

    and
    ls /var/lib/amavis/dkim/
    total 24
    -rw-r--r-- 1 root root 1704 Nov 10 07:58 mydom.tld.private
    -rw-r--r-- 1 root root 451 Nov 10 07:58 mydom.tld.public
    And I checked: the content of the above files matches the key I can see in the GUI

    The only thing I see is the following
    - I have a multiVPS conf, with 2 mail servers (it works well up to now)
    - I have domains on both servers
    - on one of these servers, I have some 'dkim' of the other server, I would say that some domains from the other server are in /etc/rspamd/local.d/dkim_domains.map of that server. Idem for files in /var/lib/amavis/dkim/

    BUT, all mail domains have 'dkim: none' in email header wherever there are : one mail or the other mail server !?
     
    Last edited: Nov 10, 2022
  8. pyte

    pyte Well-Known Member HowtoForge Supporter

    You can check the active modules and make a config dump with the rspamadm tool.

    I'll check tomorrow to make sure what needs to be enabled. In the meantime you could check rspamd's logs and may find some more information about what is going wrong. It should be located somewhere at /var/log/rspamd/rspamd.log
     
  9. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I find that
    Code:
    2022-11-10 00:00:09 #1659(normal) <c07882>; task; dkim_module_load_key_format: cannot load dkim key /var/lib/amavis/dkim/mydom.tld.private: cannot stat key file: '/var/lib/amavis/dkim/mydom.tld.private' Permission denied
    This file is -rw-r--r-- 1 root root

    I check
    rspamadm configgraph | grep dkim
    Code:
    "local.d/dkim_signing.conf" [shape=box,color=blue];
    "modules.d/dkim_signing.conf" [shape=box];
    "modules.d/dkim.conf" [shape=box];
    "modules.conf" -> "modules.d/dkim.conf"  [];
    "modules.conf" -> "modules.d/dkim_signing.conf"  [];
    "modules.d/dkim_signing.conf" -> "local.d/dkim_signing.conf"  [arrowhead=diamond,label="+"];
    rspamadm configdump
    Code:
    dkim_signing {
        sign_networks [
            "127.2.4.7",
        ]
        symbol = "DKIM_SIGNED";
        sign_authenticated = true;
        use_esld = false;
        selector = "dkim";
        use_redis = false;
        use_domain = "header";
        allow_hdrfrom_mismatch = false;
        path_map = "/etc/rspamd/local.d/dkim_domains.map";
        allow_username_mismatch = false;
        key_prefix = "DKIM_KEYS";
        selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
        allow_envfrom_empty = true;
        allow_hdrfrom_multiple = false;
        try_fallback = false;
        sign_local = true;
    }
    
     
    Last edited: Nov 10, 2022
  10. pyte

    pyte Well-Known Member HowtoForge Supporter

    This is the issue right here. It seems like the _rspamd user is not allowed to read the file. As the file permissions are correct, I guess the underlying directory /var/lib/amavis/dkim does not have the correct permissions.
    Code:
    chmod 750 /var/lib/amavis/dkim
    This should fix it.
     
  11. francoisPE

    francoisPE Active Member HowtoForge Supporter

    ls -ld /var/lib/amavis/dkim
    drwxr-x--- 2 amavis amavis 4096 Nov 10 19:45 /var/lib/amavis/dkim
    ls -ld /var/lib/amavis/
    drwxr-x--- 8 amavis amavis 4096 Nov 9 09:30 /var/lib/amavis/

    They are both 750...
    Should I chown amavis:_rspamd ? or add _rspamd to group amavis ?

    What is the right solution for ispconfig ?
     
  12. pyte

    pyte Well-Known Member HowtoForge Supporter

    Yes it indeed is not the permission but the owner. My system has


    Code:
    root@mail01:/var/lib# ls -ldh amavis/
    drwxr-x--- 3 _rspamd _rspamd 4,0K 15. Sep 15:00 amavis/
    
    root@mail01:/var/lib# ls -ldh amavis/dkim/
    drwxr-x--- 2 _rspamd _rspamd 4,0K  7. Nov 10:04 amavis/dkim/
    
    Note: the keys themselves in the dkim folder are owned by root:root but -rw-r--r--.
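
The permission failure worked out in the posts above, as an added example that is not part of the thread or of ISPConfig: a path walk that reports the first component the `_rspamd` user cannot pass on the way to the key listed in `dkim_domains.map`. The uid/gid numbers and the stat table are constructed from the listings in the thread; ACLs and the root override are not modelled.

```python
import os
from collections import namedtuple

# Constructed stand-in for os.stat() results so the example runs offline.
Ent = namedtuple("Ent", "st_mode st_uid st_gid")
ROOT, AMAVIS, RSPAMD = 0, 111, 112      # constructed uid/gid numbers

def key_paths(map_text):
    """Parse dkim_domains.map lines of the form '<domain> <key path>'."""
    rows = (ln.split(None, 1) for ln in map_text.splitlines() if ln.strip())
    return {dom: path.strip() for dom, path in rows}

def allowed(ent, uid, gids, want):
    """Classic Unix check: exactly one of owner/group/other bits applies."""
    if uid == ent.st_uid:
        bits = ent.st_mode >> 6
    elif ent.st_gid in gids:
        bits = ent.st_mode >> 3
    else:
        bits = ent.st_mode
    return (bits & want) == want

def first_blocker(path, uid, gids, stat_fn=os.stat):
    """First component that stops uid from reading path, or None if readable."""
    parts = path.strip("/").split("/")
    cur = ""
    for i, name in enumerate(parts):
        cur += "/" + name
        want = 4 if i == len(parts) - 1 else 1   # r on the key, x on each directory
        if not allowed(stat_fn(cur), uid, gids, want):
            return cur
    return None

def tree(dir_owner):
    """Layout from the thread: both directories 0750, key root:root 0644."""
    d = Ent(0o040750, dir_owner, dir_owner)
    return {
        "/var": Ent(0o040755, ROOT, ROOT),
        "/var/lib": Ent(0o040755, ROOT, ROOT),
        "/var/lib/amavis": d,
        "/var/lib/amavis/dkim": d,
        "/var/lib/amavis/dkim/mydom.tld.private": Ent(0o100644, ROOT, ROOT),
    }

KEY = key_paths("mydom.tld /var/lib/amavis/dkim/mydom.tld.private\n")["mydom.tld"]

def check(dir_owner, gids):
    """Blocking component for _rspamd given the directories' owner and its groups."""
    return first_blocker(KEY, RSPAMD, gids, tree(dir_owner).__getitem__)
```

On a live server, call `first_blocker(path, uid, gids)` with the default `os.stat`, taking `uid` from `pwd.getpwnam("_rspamd")` and `gids` from `os.getgrouplist`; run it as root so every component can be stat'ed.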
     
  13. francoisPE

    francoisPE Active Member HowtoForge Supporter

  14. till

    till Super Moderator Staff Member ISPConfig Developer

    I migrated my own mail server with that guide, no chown needed and a few thousand other users did it as well without having to manually execute chown. So it's more likely that this is something specific to your server than that something is missing in the guide.
     
  15. francoisPE

    francoisPE Active Member HowtoForge Supporter

    @till Ok, but what is your ls -dh /var/lib/amavis ?
    Is there a chown in ispconfig code that was not executed on my machine for a whatever reason ?

    Nevertheless, DKIM is back !
    Many thanks :)
     
