1 (edited by noob 2018-04-02 17:00:46)

Topic: Dkim invalid public key: not available

======== Required information ====
- iRedMail version (check /etc/iredmail-release):  0.9.4
- Linux/BSD distribution name and version: Ubuntu 14.04.1 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MYSQL
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I noticed a problem today on my server, in the output of amavisd-new testkeys:

TESTING#1: dkim._domainkey.domain1.com    => invalid (public key: not available)
TESTING#2: dkim._domainkey.domain2.com    => invalid (public key: not available)

Two years ago I set up DKIM for my server and it worked.

Two months ago I changed the full hostname for my server (in /etc/host, /etc/amavis/conf.d/50-user, /etc/postfix/main.cf) and set up some SSL. No errors occurred. At that moment I did not test the amavis keys.

I'm using bind for my dns and I regenerated those keys but they are still invalid.


dns records

; key#1, domain domain1.com, /var/lib/dkim/domain1.com.pem
dkim._domainkey.domain1.com.    3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbJBfaB4FeuCRDC0rvMxUOLYPW"
  "sK5m1DA0e6SzM9jVhCycsIBDgXHPjBKC+IWaZkFnH2GaxgFJ2VUaL4r5Ep1S/ses"
  "5vahGjUbsFmnT7bGdHx7crpdZx15PqSQHZL+tCkcjU+7PUrReCjyz+w9tukTVZdO"
  "hV32LjDcaKG1XQk8KwIDAQAB")




; key#2, domain domain2.com, /var/lib/dkim/domain2.com.pem
dkim._domainkey.domain2.com.    3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwtyoO5xDIXft/6uVux4dHpD4o"
  "2sxLG0/jZGEj1+gjQPMIGxO9pi0x7+c7ydEvxFM0NEjhMhfXYNMexk+xXvt9KkL7"
  "PrvsBAlL6jbCxvmHCFUPqV2cs5ClZla+NX6xB4dxymnf4jLnEABFft5SJPUUhNHD"
  "TB+6deiICNkFU7IYswIDAQAB")


2

Re: Dkim invalid public key: not available

Did you try to check the output with 'dig' command and compare the output with Amavisd output (amavisd-new showkeys)?

3 (edited by noob 2018-04-02 19:20:31)

Re: Dkim invalid public key: not available

ZhangHuangbin wrote:

Did you try to check the output with 'dig' command and compare the output with Amavisd output (amavisd-new showkeys)?

My digs:

; <<>> DiG 9.4-ESV-R4 <<>> domain1.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 95
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain1.com.            IN    A

;; ANSWER SECTION:
domain1.com.        28800    IN    A    xxx.xxx.xxx.xxx

; <<>> DiG 9.4-ESV-R4 <<>> domain2.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14857
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain2.com.            IN    A

;; ANSWER SECTION:
domain2.com.        8819    IN    A    xxx.xxx.xxx.xxx

I don't see anything in common with the Amavisd output.

4

Re: Dkim invalid public key: not available

Try a command like this:

dig -t txt dkim._domainkey.domain1.com

Replace 'domain1.com' with the real domain name.

5 (edited by noob 2018-04-03 12:00:01)

Re: Dkim invalid public key: not available

; <<>> DiG 9.12.0 <<>> -t txt dkim._domainkey.domain1.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10237
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f82c6c21f2055fb03ed98f2f5ac2faaa82a837d7f3afa843 (good)
;; QUESTION SECTION:
;dkim._domainkey.domain1.com.    IN    TXT

;; ANSWER SECTION:
dkim._domainkey.domain1.com. 3406 IN    TXT    "v=DKIM1; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbJBfaB4FeuCRDC0rvMxUOLYPW" "sK5m1DA0e6SzM9jVhCycsIBDgXHPjBKC+IWaZkFnH2GaxgFJ2VUaL4r5Ep1S/ses" "5vahGjUbsFmnT7bGdHx7crpdZx15PqSQHZL+tCkcjU+7PUrReCjyz+w9tukTVZdO" 
"hV32LjDcaKG1XQk8KwIDAQAB"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 03 06:53:14 EEST 2018
;; MSG SIZE  rcvd: 329

; <<>> DiG 9.12.0 <<>> -t txt dkim._domainkey.tehnopol-gl.ro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21336
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 21bc89f96fddf06d32f20b465ac2fb9cc37de4d5a684600a (good)
;; QUESTION SECTION:
;dkim._domainkey.domain2.com.    IN    TXT

;; ANSWER SECTION:
dkim._domainkey.domain2.com.    3228 IN    TXT    "v=DKIM1; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwtyoO5xDIXft/6uVux4dHpD4o" "2sxLG0/jZGEj1+gjQPMIGxO9pi0x7+c7ydEvxFM0NEjhMhfXYNMexk+xXvt9KkL7" "PrvsBAlL6jbCxvmHCFUPqV2cs5ClZla+NX6xB4dxymnf4jLnEABFft5SJPUUhNHD" 
"TB+6deiICNkFU7IYswIDAQAB"

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 03 06:57:16 EEST 2018
;; MSG SIZE  rcvd: 331

6

Re: Dkim invalid public key: not available

noob wrote:

dkim._domainkey.domain1.com. 3406 IN    TXT    "v=DKIM1; p=" "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbJBfaB4FeuCRDC0rvMxUOLYPW" "sK5m1DA0e6SzM9jVhCycsIBDgXHPjBKC+IWaZkFnH2GaxgFJ2VUaL4r5Ep1S/ses" "5vahGjUbsFmnT7bGdHx7crpdZx15PqSQHZL+tCkcjU+7PUrReCjyz+w9tukTVZdO"
"hV32LjDcaKG1XQk8KwIDAQAB"

I suppose you should get output like this with the 'dig' command (all DKIM characters (v=DKIM1;p=...) in one line):

dkim._domainkey.domain1.com. 3406 IN    TXT    "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbJBfaB4FeuCRDC0rvMxUOLYPWsK5m1DA0e6SzM9jVhCycsIBDgXHPjBKC+IWaZkFnH2GaxgFJ2VUaL4r5Ep1S/ses5vahGjUbsFmnT7bGdHx7crpdZx15PqSQHZL+tCkcjU+7PUrReCjyz+w9tukTVZdOhV32LjDcaKG1XQk8KwIDAQAB"

7

Re: Dkim invalid public key: not available

The problem was that I used DKIM on my DNS with the public IP, but my server is on a private IP. Basically I have 2 folders, with WAN DNS records and LAN DNS records. Now I set up DNS for my LAN records and it works. I'm not sure whether to leave the DKIM on my WAN records.

8

Re: Dkim invalid public key: not available

You must publish the DKIM DNS record on the public DNS server as well, because other mail servers need to query it.
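
A sketch of the comparison discussed in this thread (the record printed by `amavisd-new showkeys` against what each DNS view, LAN or WAN, returns), as an added example that is not part of the original posts. It joins the quoted TXT strings before comparing, since DKIM verifiers concatenate them with no whitespace (RFC 6376); all records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; all records below are constructed (example.com, dummy base64).

# Join every quoted string of a TXT record into one value, skipping ';' comments.
txt_join() {
    awk '/^;/ { next }
         { while (match($0, /"[^"]*"/)) {
               printf "%s", substr($0, RSTART + 1, RLENGTH - 2)
               $0 = substr($0, RSTART + RLENGTH) } }
         END { print "" }'
}

# Extract the p= tag (base64 public key) from a DKIM TXT record on stdin.
dkim_p() {
    txt_join | tr ';' '\n' | sed -n 's/^[[:space:]]*p=//p' | tr -d '[:space:]'
}

# $1 = record as printed for the zone file, $2 = answer from one resolver view.
dkim_compare() {
    want=$(printf '%s\n' "$1" | dkim_p)
    got=$(printf '%s\n' "$2" | dkim_p)
    if [ -z "$got" ]; then echo "missing"
    elif [ "$want" = "$got" ]; then echo "match"
    else echo "mismatch"; fi
}

ZONE='; key#1, domain example.com
dkim._domainkey.example.com.  3600 TXT (
  "v=DKIM1; p="
  "Q09OU1RSVUNURUQta2V5LXBhcnQtMQ"
  "Q09OU1RSVUNURUQta2V5LXBhcnQtMg")'
# Multi-string answer (as dig prints it) and the same key as a single string.
SPLIT='dkim._domainkey.example.com. 3406 IN TXT "v=DKIM1; p=" "Q09OU1RSVUNURUQta2V5LXBhcnQtMQ" "Q09OU1RSVUNURUQta2V5LXBhcnQtMg"'
SINGLE='dkim._domainkey.example.com. 3406 IN TXT "v=DKIM1; p=Q09OU1RSVUNURUQta2V5LXBhcnQtMQQ09OU1RSVUNURUQta2V5LXBhcnQtMg"'
# A view that has no DKIM record, and a view still serving an old key.
EMPTY=';; ANSWER SECTION:'
STALE='dkim._domainkey.example.com. 3406 IN TXT "v=DKIM1; p=T0xELWtleQ"'

for view in SPLIT SINGLE EMPTY STALE; do
    eval "answer=\$$view"
    printf '%-7s %s\n' "$view" "$(dkim_compare "$ZONE" "$answer")"
done
# Live use, one record per call:
#   dkim_compare "$ZONE" "$(dig +short -t txt dkim._domainkey.example.com @<resolver>)"
```

Run it once against the resolver the mail server itself uses and once against a public resolver; a "missing" result on either side means that view does not carry the record.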

9 (edited by noob 2018-04-04 03:14:59)

Re: Dkim invalid public key: not available

Ok, I tested my dkim with a validator site and the SpamAssassin score is 0.111, with:

0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

I want to fix this because I have a problem with yahoo:

 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command))

And dkim is very important.