1 Topic by shane

  • shane
  • Member
  • Offline
  • Registered: 2021-09-13
  • Posts: 10

Topic: DKIM invalid (public key: OpenSSL error: bad base64 decode)

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.1 PGSQL edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Centos 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I can't get DKIM to generate properly.

dig -t txt dkim._domainkey.prospectid.com

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t txt dkim._domainkey.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17862
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dkim._domainkey.mydomain.com.        IN      TXT

;; ANSWER SECTION:
dkim._domainkey.mydomain.com. 600 IN  TXT     "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCG26OM/bk0vNm/TM2DnOQjPZNLIWspF4xtIX12LGHHjfushjsaudfysuf+DUigzM6h2oJMEdNt1S/CWVXW0pUBqfU0fzdw90+jyqOduh4cCnEk0z0w1w1j4xOYy0FLHhKoeoZJwWQFtwrlhrjxD6jM+sGeeRnbn2rQIDAQAB"

;; Query time: 106 msec
;; SERVER: 50.116.62.5#53(50.116.62.5)
;; WHEN: Mon Sep 13 12:43:24 UTC 2021
;; MSG SIZE  rcvd: 289

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com: dkim._domainkey.mydomain.com => invalid (public key: OpenSSL error: bad base64 decode)


openssl version
OpenSSL 1.1.1g FIPS  21 Apr 2020


amavisd genrsa /var/lib/dkim/mydomain.com.pem
Private RSA key successfully written to file "/var/lib/dkim/mydomain.com.pem" (1024 bits, PEM format)


amavisd -c /etc/amavisd/amavisd.conf showkeys

; key#1 1024 bits, s=dkim, d=mydomain.com, /var/lib/dkim/mydomain.com.pem
dkim._domainkey.mydomain.com. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCleGTk61JYko700zqmuqrDvmfM"
  "Rgy27PKwHcfX8ICDtrPWn2XA7jWLpMJHZWu/Jv4Sd7TCQ1fMaZl0sX61h9lCY03P"
  "MFiYO58cozOVn2pBafyV3Qvet+vh9GjpSfufY9XEcEZKRankLk1nrgjC2chXPXj0"
  "x6ljq1GHUXvBKBhI9wIDAQAB")

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com: dkim._domainkey.mydomain.com => invalid (public key: OpenSSL error: bad base64 decode)

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Try to use a 2048 bit key instead.

i assume your domain is prospectid.com:

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com

did you just anonymize that part, or is it instead really testing mydomain.com ?

If not, your amavis configuration for dkim singing has a configuration error.

Did you check if your outgoign mails get dkim signed and if the signature is counted as valid?

3 Reply by shane (edited by shane 2021-09-13 23:53:50)

  • shane
  • Member
  • Offline
  • Registered: 2021-09-13
  • Posts: 10

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

Try to use a 2048 bit key instead.

i assume your domain is prospectid.com:

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com

did you just anonymize that part, or is it instead really testing mydomain.com ?

If not, your amavis configuration for dkim singing has a configuration error.

Did you check if your outgoign mails get dkim signed and if the signature is counted as valid?


Yes, that is the domain, I was just anonymising it a bit. Forgot to remove the real domain in the dig command.

I removed the key and regenerated it as 2048:

]# amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 prospectid.com: dkim._domainkey.prospectid.com => invalid (public key: OpenSSL error: bad base64 decode)

DKIM signing failed sending email to port25:

DKIM check:         permerror
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         permerror (invalid key: error reading public key: 139762324170496:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:crypto/asn1/asn1_lib.c:91:;139762324170496:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:crypto/asn1/tasn_dec.c:1118:;139762324170496:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=X509_PUBKEY;)
ID(s) verified:

DNS record(s):
    dkim._domainkey.prospectid.com. 300 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCG26OM/bk0vNm/TM2DnOQjPZNLIWspF4xtIX12LGHHjfushjsaudfysuf+DUigzM6h2oJMEdNt1S/CWVXW0pUBqfU0fzdw90+jyqOduh4cCnEk0z0w1w1j4xOYy0FLHhKoeoZJwWQFtwrlhrjxD6jM+sGeeRnbn2rQIDAQAB"

4 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

did you restart amavis?

what does showkeys display after exchange with the new one?

5 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

ima trying something, give me a second

6 Reply by shane

  • shane
  • Member
  • Offline
  • Registered: 2021-09-13
  • Posts: 10

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

]# sudo systemctl restart amavisd

[root@mail ~]# amavisd -c /etc/amavisd/amavisd.conf showkeys
; key#1 2048 bits, s=dkim, d=prospectid.com, /var/lib/dkim/prospectid.com.pem
dkim._domainkey.prospectid.com. 3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvE3oz1sJjf0mCwNXtpNu"
  "aonYxGkvGTdgDtKFYRtTEoNlRDP9lJTVDHkJHEkRDkrcn/GuCGGkonhvzGxGWxa6"
  "v6LTfFaJkwT8Mj4jpFZVSAN8IHG6xHIJUoBbhaaLYtTgD47hUYx57WtF89HhyXvi"
  "re+a9qddDLv1+VT7EIsLIsfQ7Ro7DPNDoxlqd4IVTa0bQDTSQOLVn5QJOqP0JYez"
  "YmYkzY32Ks164KQUPISWcLF8g4MmFq1vaoV+Jp4Ds1ALXLviEA6ED5A34buvythH"
  "so3/8nA3nlmvyTMxMVTkj5gAw7hMvMEKoN5s1f+JWjoVdzktj8IUKb427PlLm7Cp"
  "jwIDAQAB")

[root@mail ~]# amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 prospectid.com: dkim._domainkey.prospectid.com => invalid (public key: OpenSSL error: bad base64 decode)

7 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

i created you a key and the showkey result, mind testing it out?
not for use, just testing if it works with that

8 Reply by shane

  • shane
  • Member
  • Offline
  • Registered: 2021-09-13
  • Posts: 10

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

i created you a key and the showkey result, mind testing it out?
not for use, just testing if it works with that

Sure, let me know what to do

9 Reply by Cthulhu (edited by Cthulhu 2021-09-14 00:56:50)

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuc9BMdf8g99M+HzfevRggdoYueO8a6pGyTzW1aBjXp4dW4Nb4VaTQORRDUBSe/hfwEJxzf1Bs62CBp9NsHSENAHpq279GpYo45gpa3Z4eP4bP4C/+AYvE1P+QsGCxS5VI015cZ9eRW54r0+zZRfJZiZAnKjfgiffClaIVC07Ci5H/hdeoeNxnwigjCihiDfw3ubt/QOUwZFaJn3c9c/MsPNs5I9g0O56gdyLSlDj3II5+OR8IxnVGMqDw9ji01TgKYgxm1Vyw48pI0xAJVIdqimIiZU+BY7yx+VeHIIjV5t8kjlrDSbh3VtKXkx3FuufWLQDShTcgOvXRqmmkmPJywIDAQAB"

https://cpanel.coolhost.at/dkim/newkey.pem

10 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

which dns you use? self hosted dns server, or from provider?
try without the qoutes aswell

11 Reply by shane

  • shane
  • Member
  • Offline
  • Registered: 2021-09-13
  • Posts: 10

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

which dns you use? self hosted dns server, or from provider?
try without the qoutes aswell

What's the path again to edit the dkim?
The DNS is with Google domains. Unfortunately I don't have access to the registrar, I have to copy and paste dns entries to the owner of the domain.

12 Reply by Cthulhu

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

/var/lib/dkim/prospectid.com.pem

13 Reply by shane

  • shane
  • Member
  • Offline
  • Registered: 2021-09-13
  • Posts: 10

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

/var/lib/dkim/prospectid.com.pem

Of course. lol, sorry didn't get much sleep last night and it's been a long day.

Unfortunately still getting error

# amavisd -c /etc/amavisd/amavisd.conf showkeys
; key#1 2048 bits, s=dkim, d=prospectid.com, /var/lib/dkim/prospectid.com.pem
dkim._domainkey.prospectid.com. 3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuc9BMdf8g99M+HzfevRg"
  "gdoYueO8a6pGyTzW1aBjXp4dW4Nb4VaTQORRDUBSe/hfwEJxzf1Bs62CBp9NsHSE"
  "NAHpq279GpYo45gpa3Z4eP4bP4C/+AYvE1P+QsGCxS5VI015cZ9eRW54r0+zZRfJ"
  "ZiZAnKjfgiffClaIVC07Ci5H/hdeoeNxnwigjCihiDfw3ubt/QOUwZFaJn3c9c/M"
  "sPNs5I9g0O56gdyLSlDj3II5+OR8IxnVGMqDw9ji01TgKYgxm1Vyw48pI0xAJVId"
  "qimIiZU+BY7yx+VeHIIjV5t8kjlrDSbh3VtKXkx3FuufWLQDShTcgOvXRqmmkmPJ"
  "ywIDAQAB")

14 Reply by Cthulhu (edited by Cthulhu 2021-09-14 02:37:55)

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

the dns record still has the old one, either it did not propagate yet, or it was not yet changed

https://mxtoolbox.com/SuperTool.aspx?ac … n=toolpage

15 Reply by shane

  • shane
  • Member
  • Offline
  • Registered: 2021-09-13
  • Posts: 10

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

the dns record still has the old one, either it did not propagate yet, or it was not yet changed

https://mxtoolbox.com/SuperTool.aspx?ac … n=toolpage

Finally convinced owner of domain to let me have access to the domain. Changed the DNS and it now passes. Possibly person who put in DNS might have made a mistake?

16 Reply by Cthulhu (edited by Cthulhu 2021-09-14 06:50:49)

  • Cthulhu
  • Member
  • Offline
  • Registered: 2019-06-04
  • Posts: 906

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

possible, can`t tell