1

Topic: DKIM invalid (public key: OpenSSL error: bad base64 decode)

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.1 PGSQL edition.
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Centos 8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I can't get DKIM to generate properly.

dig -t txt dkim._domainkey.prospectid.com

; <<>> DiG 9.11.26-RedHat-9.11.26-4.el8_4 <<>> -t txt dkim._domainkey.mydomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17862
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dkim._domainkey.mydomain.com.        IN      TXT

;; ANSWER SECTION:
dkim._domainkey.mydomain.com. 600 IN  TXT     "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCG26OM/bk0vNm/TM2DnOQjPZNLIWspF4xtIX12LGHHjfushjsaudfysuf+DUigzM6h2oJMEdNt1S/CWVXW0pUBqfU0fzdw90+jyqOduh4cCnEk0z0w1w1j4xOYy0FLHhKoeoZJwWQFtwrlhrjxD6jM+sGeeRnbn2rQIDAQAB"

;; Query time: 106 msec
;; SERVER: 50.116.62.5#53(50.116.62.5)
;; WHEN: Mon Sep 13 12:43:24 UTC 2021
;; MSG SIZE  rcvd: 289

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com: dkim._domainkey.mydomain.com => invalid (public key: OpenSSL error: bad base64 decode)


openssl version
OpenSSL 1.1.1g FIPS  21 Apr 2020


amavisd genrsa /var/lib/dkim/mydomain.com.pem
Private RSA key successfully written to file "/var/lib/dkim/mydomain.com.pem" (1024 bits, PEM format)


amavisd -c /etc/amavisd/amavisd.conf showkeys

; key#1 1024 bits, s=dkim, d=mydomain.com, /var/lib/dkim/mydomain.com.pem
dkim._domainkey.mydomain.com. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCleGTk61JYko700zqmuqrDvmfM"
  "Rgy27PKwHcfX8ICDtrPWn2XA7jWLpMJHZWu/Jv4Sd7TCQ1fMaZl0sX61h9lCY03P"
  "MFiYO58cozOVn2pBafyV3Qvet+vh9GjpSfufY9XEcEZKRankLk1nrgjC2chXPXj0"
  "x6ljq1GHUXvBKBhI9wIDAQAB")

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com: dkim._domainkey.mydomain.com => invalid (public key: OpenSSL error: bad base64 decode)


2

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Try to use a 2048 bit key instead.

I assume your domain is prospectid.com:

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com

did you just anonymize that part, or is it instead really testing mydomain.com ?

If not, your amavis configuration for DKIM signing has a configuration error.

Did you check if your outgoing mails get DKIM signed and if the signature is counted as valid?

3 (edited by shane 2021-09-13 23:53:50)

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

Try to use a 2048 bit key instead.

I assume your domain is prospectid.com:

amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 mydomain.com

did you just anonymize that part, or is it instead really testing mydomain.com ?

If not, your amavis configuration for DKIM signing has a configuration error.

Did you check if your outgoing mails get DKIM signed and if the signature is counted as valid?


Yes, that is the domain, I was just anonymising it a bit. Forgot to remove the real domain in the dig command.

I removed the key and regenerated it as 2048:

]# amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 prospectid.com: dkim._domainkey.prospectid.com => invalid (public key: OpenSSL error: bad base64 decode)

DKIM signing failed sending email to port25:

DKIM check:         permerror
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         permerror (invalid key: error reading public key: 139762324170496:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:crypto/asn1/asn1_lib.c:91:;139762324170496:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:crypto/asn1/tasn_dec.c:1118:;139762324170496:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:290:Type=X509_PUBKEY;)
ID(s) verified:

DNS record(s):
    dkim._domainkey.prospectid.com. 300 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCG26OM/bk0vNm/TM2DnOQjPZNLIWspF4xtIX12LGHHjfushjsaudfysuf+DUigzM6h2oJMEdNt1S/CWVXW0pUBqfU0fzdw90+jyqOduh4cCnEk0z0w1w1j4xOYy0FLHhKoeoZJwWQFtwrlhrjxD6jM+sGeeRnbn2rQIDAQAB"

4

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

did you restart amavis?

what does showkeys display after exchange with the new one?

5

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

ima trying something, give me a second

6

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

]# sudo systemctl restart amavisd

[root@mail ~]# amavisd -c /etc/amavisd/amavisd.conf showkeys
; key#1 2048 bits, s=dkim, d=prospectid.com, /var/lib/dkim/prospectid.com.pem
dkim._domainkey.prospectid.com. 3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvE3oz1sJjf0mCwNXtpNu"
  "aonYxGkvGTdgDtKFYRtTEoNlRDP9lJTVDHkJHEkRDkrcn/GuCGGkonhvzGxGWxa6"
  "v6LTfFaJkwT8Mj4jpFZVSAN8IHG6xHIJUoBbhaaLYtTgD47hUYx57WtF89HhyXvi"
  "re+a9qddDLv1+VT7EIsLIsfQ7Ro7DPNDoxlqd4IVTa0bQDTSQOLVn5QJOqP0JYez"
  "YmYkzY32Ks164KQUPISWcLF8g4MmFq1vaoV+Jp4Ds1ALXLviEA6ED5A34buvythH"
  "so3/8nA3nlmvyTMxMVTkj5gAw7hMvMEKoN5s1f+JWjoVdzktj8IUKb427PlLm7Cp"
  "jwIDAQAB")

[root@mail ~]# amavisd -c /etc/amavisd/amavisd.conf testkeys
TESTING#1 prospectid.com: dkim._domainkey.prospectid.com => invalid (public key: OpenSSL error: bad base64 decode)

7

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

I created you a key and the showkeys result, mind testing it out?
not for use, just testing if it works with that

8

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

I created you a key and the showkeys result, mind testing it out?
not for use, just testing if it works with that

Sure, let me know what to do

9 (edited by Cthulhu 2021-09-14 00:56:50)

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

"v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuc9BMdf8g99M+HzfevRggdoYueO8a6pGyTzW1aBjXp4dW4Nb4VaTQORRDUBSe/hfwEJxzf1Bs62CBp9NsHSENAHpq279GpYo45gpa3Z4eP4bP4C/+AYvE1P+QsGCxS5VI015cZ9eRW54r0+zZRfJZiZAnKjfgiffClaIVC07Ci5H/hdeoeNxnwigjCihiDfw3ubt/QOUwZFaJn3c9c/MsPNs5I9g0O56gdyLSlDj3II5+OR8IxnVGMqDw9ji01TgKYgxm1Vyw48pI0xAJVIdqimIiZU+BY7yx+VeHIIjV5t8kjlrDSbh3VtKXkx3FuufWLQDShTcgOvXRqmmkmPJywIDAQAB"

https://cpanel.coolhost.at/dkim/newkey.pem

10

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

which DNS do you use? self hosted DNS server, or from provider?
try without the quotes as well

11

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

which DNS do you use? self hosted DNS server, or from provider?
try without the quotes as well

What's the path again to edit the dkim?
The DNS is with Google domains. Unfortunately I don't have access to the registrar, I have to copy and paste dns entries to the owner of the domain.

12

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

/var/lib/dkim/prospectid.com.pem

13

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

/var/lib/dkim/prospectid.com.pem

Of course. lol, sorry didn't get much sleep last night and it's been a long day.

Unfortunately still getting error

# amavisd -c /etc/amavisd/amavisd.conf showkeys
; key#1 2048 bits, s=dkim, d=prospectid.com, /var/lib/dkim/prospectid.com.pem
dkim._domainkey.prospectid.com. 3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuc9BMdf8g99M+HzfevRg"
  "gdoYueO8a6pGyTzW1aBjXp4dW4Nb4VaTQORRDUBSe/hfwEJxzf1Bs62CBp9NsHSE"
  "NAHpq279GpYo45gpa3Z4eP4bP4C/+AYvE1P+QsGCxS5VI015cZ9eRW54r0+zZRfJ"
  "ZiZAnKjfgiffClaIVC07Ci5H/hdeoeNxnwigjCihiDfw3ubt/QOUwZFaJn3c9c/M"
  "sPNs5I9g0O56gdyLSlDj3II5+OR8IxnVGMqDw9ji01TgKYgxm1Vyw48pI0xAJVId"
  "qimIiZU+BY7yx+VeHIIjV5t8kjlrDSbh3VtKXkx3FuufWLQDShTcgOvXRqmmkmPJ"
  "ywIDAQAB")

14 (edited by Cthulhu 2021-09-14 02:37:55)

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

the dns record still has the old one, either it did not propagate yet, or it was not yet changed

https://mxtoolbox.com/SuperTool.aspx?ac … n=toolpage

15

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

Cthulhu wrote:

the dns record still has the old one, either it did not propagate yet, or it was not yet changed

https://mxtoolbox.com/SuperTool.aspx?ac … n=toolpage

Finally convinced owner of domain to let me have access to the domain. Changed the DNS and it now passes. Possibly person who put in DNS might have made a mistake?

16 (edited by Cthulhu 2021-09-14 06:50:49)

Re: DKIM invalid (public key: OpenSSL error: bad base64 decode)

possible, can't tell
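
Added example, not part of the thread and not iRedMail or amavisd code: a Python check for the situation the thread ends on, where the published TXT record no longer carries the p= value that showkeys printed. It joins the TXT chunks, decodes the base64 strictly and compares the length declared in the outer DER header with the bytes actually present; the function names and the placeholder blob are constructed for illustration.

```python
import base64
import binascii
import re

def txt_tags(rdata: str) -> dict:
    """Join the quoted chunks of TXT rdata (dig or showkeys style) into a tag dict."""
    joined = "".join(re.findall(r'"([^"]*)"', rdata)) or rdata
    tags = {}
    for part in joined.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def der_total_len(der: bytes) -> int:
    """Bytes the outer DER SEQUENCE header says the whole structure occupies."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_p(p: str) -> str:
    """Classify a p= value: 'ok', 'bad base64', or a 'bad DER: ...' message."""
    try:
        der = base64.b64decode(p, validate=True)
        declared = der_total_len(der)
    except binascii.Error:                 # subclass of ValueError, so catch it first
        return "bad base64"
    except ValueError as exc:
        return f"bad DER: {exc}"
    if declared != len(der):
        return f"bad DER: header declares {declared} bytes, record holds {len(der)}"
    return "ok"

def published_matches(dns_rdata: str, local_rdata: str) -> bool:
    return txt_tags(dns_rdata).get("p") == txt_tags(local_rdata).get("p")  # must be identical

# Constructed sample: a 162-byte placeholder with a correct outer header, not a real key.
GOOD = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
LOCAL = '( "v=DKIM1; p=" "%s" "%s" )' % (GOOD[:64], GOOD[64:])    # showkeys-style chunks
DNS_LOST_CHUNK = '"v=DKIM1; p=%s"' % (GOOD[:80] + GOOD[100:])     # 20 chars lost in copy/paste

if __name__ == "__main__":
    for rec in (LOCAL, DNS_LOST_CHUNK, '"v=DKIM1; p=%s"' % GOOD[:-1]):
        print(check_p(txt_tags(rec)["p"]), published_matches(rec, LOCAL))
```

Pass it the TXT rdata returned by dig and the block printed by showkeys; a record is only correct when check_p says ok and published_matches is true.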