1 (edited by Jef7 2018-10-17 10:54:55)

Topic: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.8 MARIADB edition
- Linux/BSD distribution name and version: Ubuntu 18.04.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Up front, this was my first attempt at installing an email server.  iRedMail made it easy.

Observations: If I sent an email from Roundcube (internal) to a gmail account it would show mailed-by and signed-by my sending email domain and under the original tab in gmail it would show the DKIM as "Pass" with my mail domain.  Which is what I was hoping for.

Problem: If I sent an email from Thunderbird or K9 Mail to a gmail account it would show mailed-by my sending email domain but not show "signed-by".  When I checked original tab under gmail it did not list DKIM at all.

Solution:  Upgrade amavisd-new (1:2.11.0-1ubuntu1) to  amavisd-new (1:2.11.0-1ubuntu2).

Why: amavisd-new (1:2.11.0-1ubuntu1) is bugged and DKIM signing does not work properly.

How: 
1) Check to see if you have the bugged version by issuing the following command:
apt-cache policy amavisd-new. 
If you have the bugged version continue on.

2) Currently Bionic (18.04.1) does not have the new version available.  I recommend making a backup copy of the repo list by copying the sources.list with the following command:
cp /etc/apt/sources.list sources.list.bak
I changed the reference of bionic to cosmic. 
vi,vim,nano /etc/apt/sources.list 
This allows us to use Ubuntu 18.10 - Cosmic Cuttlefish repos instead of 18.04 - Bionic Beaver

I only upgrade a single package.  Issuing a normal upgrade command may cause issues.  So I issued the following command:  apt-get update
The above command loads the new repos and then I executed the following command:
apt-get install --only-upgrade amavisd-new
This updates the single package not the entire system.  Upon successful upgrade I changed the sources.list back to bionic from cosmic.

3) Reboot server or restart amavisd.

Result: Emails from Roundcube (Server), Thunderbird (PC) and K9 Mail (Phone) all show a passed DKIM and show mailed-by and signed-by my sending email domain.

Ps. Hope this saves someone a few/several hours of searching.

Pps.  iRedMail Developers please feel free to move to a better location if you determine there is a better location or cleanup the post.


2 (edited by spartan631 2018-10-17 16:35:44)

Re: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

Distro: Ubuntu 18.04
iRedMail 0.9.8 / MariaDB / SOGo / RoundCube (installed both for fun)

I have been having the same issue. I followed the process for your solution but it yielded no results. It will not sign when I send from SOGo or roundcube.

When that didn't work I added this line to /usr/sbin/amavisd-new

    Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
    $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
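
Review bot: the added `$msginfo->originating(c('originating'));` line is a hand edit to the packaged /usr/sbin/amavisd-new with nothing marking it as a local change, so the next upgrade of the amavisd-new package will replace the file and drop it without notice. It also only changes anything when one of the banks loaded by the preceding `load_policy_bank` line sets `originating`, so it is worth confirming which policy bank the submission path is mapped to before relying on it. Since the first post reports that 1:2.11.0-1ubuntu2 fixes signing, check the installed version with `apt-cache policy amavisd-new` and prefer the packaged fix over carrying this edit.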

Verified that /etc/amavis/conf.d/21-ubuntu_defaults

$enable_dkim_signing = 1;

I run: amavisd-new testkeys gives -> pass

I am not sure what my next step would be. Any suggestions?

3

Re: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

@spartan631, I am leaning towards a possible setup issue since the DKIM signing is not occurring on the internal or external email client.  I am off to work.  Hopefully in 10 to 12 hours I can respond back with a brief overview of how I set up my mail server and you can compare notes.

4

Re: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

That would be helpful. I am also leaning towards a setup issue. No config files have really been touched. This was for the most part, a default install by the iRedMail. I am not sure how to troubleshoot this issue or where to start. I am halfway tempted to start fresh but don't want to transfer all the mailboxes.

5 (edited by Jef7 2018-10-18 08:34:04)

Re: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

A quick run down of my current install.  At a later time I may try to expound upon this if needed.

I followed the instructions for the Install iRedMail on Debian or Ubuntu Linux located at https://docs.iredmail.org/install.iredm … buntu.html

I did need to adjust the information at /etc/hosts as my vps defaulted to localhost and ubuntu
to  vps.example.com vps localhost localhost.localdomain

Note: vps is my hostname located at /etc/hostname and example.com is your actual domain name.   

Continue following instructions, I chose to use MariaDB, you should be able to use whatever you prefer.
Once I got down to the first mail domain option I chose mail.example.com.  Please note that I have a CNAME record and an MX record for the mail subdomain.  Also my email format is name@mail.example.com so keep that in mind when selecting the first mail domain.

Once installation is complete I add my free Let's Encrypt Certificates that I use for NGINX, Postfix and Dovecot.

The iRedMail.tips file located at /root/iRedMail-0.9.8/iRedMail.tips (adjust accordingly), or the first email you receive as the postmaster user, gives you the information you need for your DKIM setup.  To be honest I saw the information but did not fully realize that it gave me the exact layout for the text name.  In my case I went to the DNS section of Cloudflare (or your registrar's DNS section) and added a text record.  For name I used
dkim._domainkey.mail.example.com.  Note the period after example.com would be necessary if I were directing to a different domain name.  My dns provider  automatically drops anything after mail on the text name if the period is not present.  I believe it automatically appends the  domain name of the registered name if the period is not added.  So in my case the text record name shows dkim._domainkey.mail as I did not add the period behind example.com

The other information for DKIM in the tips file or your first email should look similar to the information below:
"v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC042jxNjCAqYbIQyfEc1JBz6LQ"
  "aOC9BaqPU/d/ZfZ0yJ3ygHC/rfoBVtxuIAdV+fnBL3/Iqj6Gg3S5rY9IKeiKzUqA"
  "xHqTfxyehOzWqaK45NlVvljngC0ronFmnphUKQ9/USNoiuqE0fndrlwkYWzggU9D"
  "rhkpG+HDd6CzBzQZAQIDAQAB")

I ended up getting rid of all the "" and combining the above into a string such as:

v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC042jxNjCAqYbIQyfEc1JBz6LQaOC9BaqPU/d/ZfZ0yJ3ygHC/rfoBVtxuIAdV+fnBL3/Iqj6Gg3S5rY9IKeiKzUqAxHqTfxyehOzWqaK45NlVvljngC0ronFmnphUKQ9/USNoiuqE0fndrlwkYWzggU9DrhkpG+HDd6CzBzQZAQIDAQAB

Note the above starts off as v=DKIM1; p=MIG....  It looks different because of formatting.

I add the full line above into the text content / value area for the text record.
At this point, other than upgrading the amavisd-new package as mentioned in the first post and waiting on the DNS propagation to take place to reflect your changes, that is pretty much the extent of my install process. I did not mention above but I had already set up the DMARC and SPF information prior to the install.

I use mxtoolbox to check the DKIM status to see if the DNS is updated.  In the example above, the domain information that I would use is mail.example.com with the selector being dkim.  At https://mxtoolbox.com/dkim.aspx  you will  enter dkim as the selector and specify mail.example.com as your domain (adjust example.com to your domain).  Please note it could be near instant or take 24 hours or more before the DNS updates so that is why I recommend checking whether your DKIM changes have been updated.

Another way to check the DNS update is by issuing the following command:
amavisd-new testkeys
If the DNS is updated you should see something similar to:
TESTING#1 mail.example.com: dkim._domainkey.mail.example.com => pass

And for fun or troubleshooting you can issue the following command:
amavisd-new showkeys
This shows you the following:
; key#1 1024 bits, i=dkim, d=mail.example.com, /var/lib/dkim/mail.example.com.pem
dkim._domainkey.mail.example.com.    3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC042jxNjCAqYbIQyfEc1JBz6LQ"
  "aOC9BaqPU/d/ZfZ0yJ3ygHC/rfoBVtxuIAdV+fnBL3/Iqj6Gg3S5rY9IKeiKzUqA"
  "xHqTfxyehOzWqaK45NlVvljngC0ronFmnphUKQ9/USNoiuqE0fndrlwkYWzggU9D"
  "rhkpG+HDd6CzBzQZAQIDAQAB")

Which is the information you used to create the text record for DKIM signing in your DNS.
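
The quote-stripping and record-naming steps described in the post above, as an added example that is not part of the original post. It goes one step further and decodes the `p=` value to confirm the key size that `showkeys` reports; the function names are hypothetical, and it assumes a single RSA key in the `showkeys` output.

```python
import base64
import re
# The `amavisd-new showkeys` output quoted in the post above, embedded as sample input.
SHOWKEYS = '''\
; key#1 1024 bits, i=dkim, d=mail.example.com, /var/lib/dkim/mail.example.com.pem
dkim._domainkey.mail.example.com.    3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC042jxNjCAqYbIQyfEc1JBz6LQ"
  "aOC9BaqPU/d/ZfZ0yJ3ygHC/rfoBVtxuIAdV+fnBL3/Iqj6Gg3S5rY9IKeiKzUqA"
  "xHqTfxyehOzWqaK45NlVvljngC0ronFmnphUKQ9/USNoiuqE0fndrlwkYWzggU9D"
  "rhkpG+HDd6CzBzQZAQIDAQAB")
'''

def parse_showkeys(text):
    """Return (owner name, single-line TXT value) for one showkeys record."""
    owner = re.search(r"^(\S+)\s+\d+\s+TXT\s*\(", text, re.M)
    if not owner:
        raise ValueError("no TXT record found")
    return owner.group(1), "".join(re.findall(r'"([^"]*)"', text[owner.end():]))

def name_in_zone(fqdn, zone):
    """Label to enter at a DNS provider that appends the zone name itself."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside {zone}")
    return fqdn[: -len(zone) - 1]

def _tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def dkim_key_bits(value):
    """Validate a flattened DKIM TXT value and return the RSA modulus size in bits."""
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())
    if tags.get("v") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM1 record")
    der = base64.b64decode(tags["p"], validate=True)  # fails on leftover quotes or spaces
    _, spki, _ = _tlv(der, 0)              # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _tlv(der, spki)        # AlgorithmIdentifier, skipped
    _, bitstr, _ = _tlv(der, alg_end)      # BIT STRING holding the RSA key
    _, rsa, _ = _tlv(der, bitstr + 1)      # +1 skips the unused-bits byte
    _, mod, mod_end = _tlv(der, rsa)       # INTEGER modulus
    return int.from_bytes(der[mod:mod_end], "big").bit_length()

if __name__ == "__main__":
    fqdn, value = parse_showkeys(SHOWKEYS)
    print(name_in_zone(fqdn, "example.com"), value, dkim_key_bits(value), sep="\n")
```

A value that still contains the zone-file quotes or line breaks fails the strict base64 decode, which is the same mistake that makes the published record unusable.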

6 (edited by spartan631 2018-10-18 08:40:03)

Re: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

Thank you for your reply, I did get it working. So what I decided to do was just build another VM side by side, same everything. During my first install the iRedMail installer could not download from SOGo from the repository. APT was trying to install a version that was not there. I went to the url and installed the deb packages manually and ran the script which seemed to work fine. However, the DKIM signing wasn't working. Given all the variables, I thought....might as well go with a fresh VM.

So what I did. After I used your method to update Amavis, I created one domain / email address. I sent a test email to gmail, DKIM passed. Okay that was good. So I created one more domain / email.

I opened up /etc/amavis/conf.d/50-user and edited the file. I applied the concept of "Use one DKIM key for all mail domains" and restarted amavis. I created the TXT record for the new domain and verified with dig that everything was good and sent a test email to gmail.

Both emails from either domain showed "dkim=none" in the headers. So that narrowed it down further. It was perhaps a syntax issue. I then removed "the-new-domain" from /etc/amavis/conf.d/50-user and restarted amavis. Gmail was now showing dkim=pass from the initial email domain I created.

So what I ended up doing was creating a dkim key for each domain and editing the "50-user" conf file accordingly. Each domain sends from SOGo and Roundcube with a dkim=pass.

I am not sure why the one key for all domains did not work. I used the method outlined in documentation.

So this is my edited section of my 50-user conf:

# Add dkim_key here.
dkim_key('domain1.com', 'dkim', '/var/lib/dkim/domain1.com.pem');
dkim_key('domain2.com', 'dkim', '/var/lib/dkim/domain2.com.pem');
dkim_key('domain3.com', 'dkim', '/var/lib/dkim/domain3.com.pem');

@dkim_signature_options_bysender_maps = ({
    # 'd' defaults to a domain of an author/sender address,
    # 's' defaults to whatever selector is offered by a matching key

    # Per-domain dkim key
    'domain1.com' => {d => 'domain1.com', a => 'rsa-sha256', ttl => 30*24*3600 },
    'domain2.com' => {d => 'domain2.com', a => 'rsa-sha256', ttl => 30*24*3600 },
    'domain3.com' => {d => 'domain3.com', a => 'rsa-sha256', ttl => 30*24*3600 },
   
    # catch-all (one dkim key for all domains)
});

I guess the next big test will be to see if "ORIGINATION" is working when I send some test emails from my android or my desktops webmail client... Fingers crossed!

PS. Slick fix on the Amavis update. I am adding that to my notes. I didn't even think of that.

7 (edited by Jef7 2018-10-18 08:45:20)

Re: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

Congratulations on getting it to work.  Not sure why you had to create additional keys.  I have just started experimenting with multiple domains and I chose to go with separate keys so I did not run into this issue.  All the same I am glad you got it working.

8

Re: DKIM Signing not work on Ubuntu 18.04.1 with Thunderbird or K9(Fixed!)

Jef7 wrote:

Congratulations on getting it to work.  Not sure why you had to create additional keys.  I have just started experimenting with multiple domains and I chose to go with separate keys so I did not run into this issue.  All the same I am glad you got it working.


It was really driving me crazy. ....until our next great adventure! THNX!