1 (edited by mike175de 2020-03-06 16:53:28)

Topic: [Closed] SMTP Connection Time and DKIM_invalid

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.1
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: Buster
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGinx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hey there,

Two small problems with my iRedMail server that I couldn't find an answer for in the forum or in the docs.

1 - SMTP connection time: Whenever I send an email, the SMTP connection takes about 5 to 10 seconds before the mail is accepted by the server. Is there any way to speed this up? I guess it has something to do with Postfix in the first place?

2 - DKIM_invalid: The mail test on mail-tester.com shows me that my DKIM is invalid:

X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail-tester.com
X-Spam-Level:
X-Spam-Status: No/0.1/5.0
X-Spam-Test-Scores: DKIM_SIGNED=0.1,SPF_PASS=-0.001,T_DKIM_INVALID=0.01,
    T_SPF_HELO_TEMPERROR=0.01,URIBL_BLOCKED=0.001
...
X-Spam-Date-of-Scan: Thu, 05 Mar 2020 10:42:16 +0100
X-Spam-Report:
    *  0.0 T_SPF_HELO_TEMPERROR SPF: test of HELO record failed
    *      (temperror)
    * -0.0 SPF_PASS SPF: sender matches SPF record
    *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
    *       valid
    *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was
    *      blocked.  See
    *      http://wiki.apache.org/spamassassin/Dns … nsbl-block
    *      for more information.
    *  0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid

The test passes, but I am afraid that some mail servers won't accept my mails at all. The amavisd-new testkeys run on the server is positive and passes. I did the configuration of the domains as described in "Sign DKIM signature on outgoing emails for new mail domain".

Especially the "T_DKIM_INVALID DKIM-Signature header exists but is not valid" part confuses me.

Any hints on the two issues?

Thx for your help, Mike

2

Re: [Closed] SMTP Connection Time and DKIM_invalid

What's your domain's DNS setup for DKIM? If it fails, you might have a failure here.

Check:
https://docs.iredmail.org/setup.dns.htm … omain-name

The SMTP connection time is due to Postfix DNSBL lookups.
You can speed this up by using your own DNS resolver (unbound or pdns_recursor do a good job).

But this is outside of iredmail configuration.

You can use this guide:
https://calomel.org/unbound_dns.html

3

Re: [Closed] SMTP Connection Time and DKIM_invalid

Thx Cthulhu for your reply.

Here are the test results:

root@mbox:~# amavisd-new showkeys

; key#4 1024 bits, i=dkim, d=domain.de, /var/lib/dkim/domain.de.pem
dkim._domainkey.domain.de.    3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfUuV+O7SNv7zeJBQ088rX8OxH"
  "fBDWuHTt7E8y5CKf82Utk7UxIqJczl3YC6GUioWNFMfhkwm/96zW8y32OssdMd6L"
  "JQSv5NlFLSrOLcbOLRxezgWWUTsYZIONY6gGM5jDQSwzhNJ/iC/3u4NWMy8Uxq11"
  "tVps/X5/phovODpZMwIDAQAB")

root@mbox:~# dig -t txt dkim._domainkey.domain.de

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> -t txt dkim._domainkey.domain.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55110
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dkim._domainkey.domain.de. IN    TXT

;; ANSWER SECTION:
dkim._domainkey.domain.de. 300 IN TXT    "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfUuV+O7SNv7zeJBQ088rX8OxHfBDWuHTt7E8y5CKf82Utk7UxIqJczl3YC6GUioWNFMfhkwm/96zW8y32OssdMd6LJQSv5NlFLSrOLcbOLRxezgWWUTsYZIONY6gGM5jDQSwzhNJ/iC/3u4NWMy8Uxq11tVps/X5/phovODpZMwIDAQAB"

;; Query time: 28 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 05 14:30:29 CET 2020
;; MSG SIZE  rcvd: 302

root@mbox:~# amavisd-new testkeys
TESTING#4 domain.de: dkim._domainkey.domain.de => pass

Everything looks as it should to me. The DNS settings on the domain are also correct, as the dig shows.

Thx again for another view on the issue.

Mike

P.S. I will check out what you wrote about the SMTP connection.

4

Re: [Closed] SMTP Connection Time and DKIM_invalid

Cthulhu wrote:

The SMTP connection time is due to Postfix DNSBL lookups.
You can speed this up by using your own DNS resolver (unbound or pdns_recursor do a good job).

But this is outside of iredmail configuration.

As I also use OpenVPN with Pi-hole on the server, I installed unbound as mentioned in the docs of Pi-hole (https://docs.pi-hole.net/guides/unbound/). Now it is running as my old mail server ;o) All the time-consuming DNS queries are now handled by unbound/Pi-hole.

Thx again. Maybe you also have a little hint on the SMTP connection time problem ;o)

Greets Mike

5

Re: [Closed] SMTP Connection Time and DKIM_invalid

key#4 1024 bits can cause this; you should use a 2048-bit key.

Even if your configuration seems okay, it can happen that keys below 2048 get rejected.

Test your config on this site:

https://dkimvalidator.com/

If this site passes it, then you should consider changing to a 2048-bit key.

6 (edited by Cthulhu 2020-03-05 22:40:53)

Re: [Closed] SMTP Connection Time and DKIM_invalid

cat /var/log/mail.log | grep dnsblog

This shows the DNSBL lookups which are performed on every connection to postfix.

Can you check the SMTP connection time with mxtoolbox again after changing the DNS resolver?

Edit:

The DNS resolver thingy just helps to speed things up a very little bit, but most of the connection time is caused by postscreen and is intended behaviour.

A serious MTA will wait this long when it tries to deliver a mail, but bulk mailers/spam servers just ignore everything; they don't even wait with the EHLO and cause a PREGREET.

Even if the long connection time may sound bad at first, it is used to keep spammers away.
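As an added illustration of what this post describes (not from the thread's server or any poster), this Python snippet correlates constructed postscreen and dnsblog lines in mail.log format: it shows a client that PREGREETs and is DNSBL-listed next to a patient MTA that postscreen holds for about 6 seconds before PASS NEW, which is the connection time this thread is about. The IPs, PIDs and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format postscreen and dnsblog write to mail.log (not from the
# thread's server): one client that speaks before the banner and is DNSBL-listed, one well-behaved
# MTA that waits out the tests and is handed to smtpd after PASS NEW.
SAMPLE_LOG = """\
Mar  5 14:30:01 mbox postfix/postscreen[2101]: CONNECT from [192.0.2.10]:54321 to [198.51.100.5]:25
Mar  5 14:30:01 mbox postfix/dnsblog[2102]: addr 192.0.2.10 listed by domain zen.spamhaus.org as 127.0.0.4
Mar  5 14:30:01 mbox postfix/postscreen[2101]: PREGREET 11 after 0.09 from [192.0.2.10]:54321: EHLO x\\r\\n
Mar  5 14:30:01 mbox postfix/postscreen[2101]: DNSBL rank 3 for [192.0.2.10]:54321
Mar  5 14:30:07 mbox postfix/postscreen[2101]: DISCONNECT [192.0.2.10]:54321
Mar  5 14:30:12 mbox postfix/postscreen[2101]: CONNECT from [203.0.113.7]:25012 to [198.51.100.5]:25
Mar  5 14:30:18 mbox postfix/postscreen[2101]: PASS NEW [203.0.113.7]:25012
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+")       # first [ip]:port in a postscreen line
LISTED_RE = re.compile(r"addr (\S+) listed by domain (\S+) as (\S+)")

def summarize_postscreen(log_text):
    """Per client IP: did it PREGREET, which DNSBLs listed it, and how many seconds
    postscreen held it before PASS (None if it never passed)."""
    clients = defaultdict(lambda: {"connect": None, "pregreet": False, "listed_by": [], "passed_after": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]
        if m["prog"] == "dnsblog":                  # one line per DNSBL hit, keyed by the bare address
            hit = LISTED_RE.search(msg)
            if hit:
                clients[hit.group(1)]["listed_by"].append((hit.group(2), hit.group(3)))
            continue
        cm = CLIENT_RE.search(msg)
        if not cm:
            continue
        c = clients[cm.group(1)]
        if msg.startswith("CONNECT from"):
            c["connect"] = ts
        elif msg.startswith("PREGREET"):           # talked before the 220 banner: not a patient MTA
            c["pregreet"] = True
        elif msg.startswith("PASS ") and c["connect"] is not None:
            c["passed_after"] = (ts - c["connect"]).total_seconds()
    return dict(clients)

if __name__ == "__main__":
    for ip, info in summarize_postscreen(SAMPLE_LOG).items():
        print(ip, "pregreet" if info["pregreet"] else "polite", info["listed_by"], info["passed_after"])
```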

7

Re: [Closed] SMTP Connection Time and DKIM_invalid

I tried DKIM with a 2048-bit key and the validation says:

DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
    domain.det; h=content-transfer-encoding:content-language
    :content-type:mime-version:user-agent:date:message-id:subject
    :from:to; s=dkim; t=1583421762; x=1584285763; bh=guF64sP0aatsp/v
    2tUuD4nI/91txoEBZZpjq0+4opas=; b=C6HAmuoentqx61k1x+dOykk3xlH81Mm
    qN6d66Vr4PRp4nhjfsIolngO2cWkIjHKmwK/Ic27As/mBwKKr+J8Yxz1Su//AKj1
    v1YdTTV81EhyOONo8pDv5SNO/rKbKUcXe4ufdfZkFyE7hwhapvkUTjFj/l1to6FL
    ez1FVd4CtCRU=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/simple
d= Domain:          domain.de
s= Selector:        dkim
q= Protocol:       
bh=                 guF64sP0aatsp/v
    2tUuD4nI/91txoEBZZpjq0+4opas=
h= Signed Headers:  content-transfer-encoding:content-language
    :content-type:mime-version:user-agent:date:message-id:subject
    :from:to
b= Data:            C6HAmuoentqx61k1x+dOykk3xlH81Mm
    qN6d66Vr4PRp4nhjfsIolngO2cWkIjHKmwK/Ic27As/mBwKKr+J8Yxz1Su//AKj1
    v1YdTTV81EhyOONo8pDv5SNO/rKbKUcXe4ufdfZkFyE7hwhapvkUTjFj/l1to6FL
    ez1FVd4CtCRU=
Public Key DNS Lookup

Building DNS Query for dkim._domainkey.domain.de
Retrieved this publickey from DNS: v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl0z+Or+9UuZmPyI790oD0RdqmIqs6LW4Z+HZSpo9x9F35eDnv0hng/LJBrhNzsruOXokys9glroXuJ5crMZ9PS5Ki9qBm4bf+sznIWTy7W9ae4Rbx7WkdIEuO/hPJIiKxC03N+iWqgaQJ94laheq53HpYo0TLLafSMQ7GfWxvS6OpXokoOmWTLbsl5LSy31KYX0MwqN5bQV5HIDD/M++eTfrUGXm7F7ne+FCzP9Z6az2T/ZTtEMhMuE/5GtOMNDEvGv3KgOiDWljVo/dGANyIA761RP2qYYtO/oWgQ+zhCYOfIubb6JXlSP0rbvP1lQ/0bMMF4XpXj82wqnDw47zfQIDAQAB
Validating Signature

result = fail
Details: OpenSSL error: data too small for key size

Strange. The entry in amavisd.conf is also

"domain.de"  => { d => "domain.de", a => 'rsa-sha256', ttl => 10*24*3600 },

with a 2048-bit key?

Greets, Mike
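The failure quoted above ("result = fail", "data too small for key size") is what a verifier reports when the signature in b= is shorter than the RSA key published in p=: the message was still signed with the 1024-bit key while DNS already served the 2048-bit one, which matches the cause the thread reaches in post 16 (amavisd not restarted). As an added example, not part of any post here, this Python script reproduces that size check offline using the page's own TXT records and b= value; the DER walk and the tolerant TXT-tag parser are mine, not amavisd's or the validator's code.

```python
import base64
import re

# b= value of the DKIM-Signature quoted in post 7, with the header folding removed
SIG_B = ("C6HAmuoentqx61k1x+dOykk3xlH81MmqN6d66Vr4PRp4nhjfsIolngO2cWkIjHKmwK/Ic27As/mBwKKr+J8Yxz1Su//AKj1"
         "v1YdTTV81EhyOONo8pDv5SNO/rKbKUcXe4ufdfZkFyE7hwhapvkUTjFj/l1to6FLez1FVd4CtCRU=")
# TXT records as dig returned them: the 1024-bit key from post 3, the 2048-bit key from post 7
TXT_1024 = ("v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDfUuV+O7SNv7zeJBQ088rX8OxHfBDWuHTt7E8y5CKf82Utk7UxIqJczl3YC6GUioWNFMfhkwm/96zW8y32OssdMd6L"
            "JQSv5NlFLSrOLcbOLRxezgWWUTsYZIONY6gGM5jDQSwzhNJ/iC/3u4NWMy8Uxq11tVps/X5/phovODpZMwIDAQAB")
TXT_2048 = ("v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl0z+Or+9UuZmPyI790oD0RdqmIqs6LW4Z+HZSpo9x9F35eDnv0hng/LJ"
            "BrhNzsruOXokys9glroXuJ5crMZ9PS5Ki9qBm4bf+sznIWTy7W9ae4Rbx7WkdIEuO/hPJIiKxC03N+iWqgaQJ94laheq53HpYo0T"
            "LLafSMQ7GfWxvS6OpXokoOmWTLbsl5LSy31KYX0MwqN5bQV5HIDD/M++eTfrUGXm7F7ne+FCzP9Z6az2T/ZTtEMhMuE/5GtOMNDE"
            "vGv3KgOiDWljVo/dGANyIA761RP2qYYtO/oWgQ+zhCYOfIubb6JXlSP0rbvP1lQ/0bMMF4XpXj82wqnDw47zfQIDAQAB")

def der_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64):
    """Modulus size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    spki = base64.b64decode(p_b64)
    _, pos, _ = der_tlv(spki, 0)             # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = der_tlv(spki, pos)           # skip AlgorithmIdentifier (rsaEncryption, NULL)
    _, pos, _ = der_tlv(spki, pos)           # BIT STRING wrapping RSAPublicKey
    _, pos, _ = der_tlv(spki, pos + 1)       # RSAPublicKey SEQUENCE (after the unused-bits octet)
    _, start, end = der_tlv(spki, pos)       # INTEGER modulus n
    return int.from_bytes(spki[start:end], "big").bit_length()

def txt_tag(record, tag):
    """Fetch tag=value from a DKIM TXT record; tolerates dig/showkeys quoting and folding."""
    m = re.search(rf"(?:^|;)\s*{tag}=([^;]*)", record)
    return re.sub(r'[\s"()]', "", m.group(1)) if m else ""

def check_signature_key_size(sig_b64, record):
    """Return (status, key_bits, sig_bits). An RSA signature is exactly as long as the
    modulus, so a 1024-bit b= checked against a 2048-bit p= is the 'data too small for
    key size' failure from post 7: the signer was still using the old key."""
    sig_bits = len(base64.b64decode(sig_b64)) * 8
    key_bits = rsa_modulus_bits(txt_tag(record, "p"))
    return ("ok" if sig_bits == key_bits else "mismatch"), key_bits, sig_bits

if __name__ == "__main__":
    for name, rec in (("old 1024-bit record", TXT_1024), ("new 2048-bit record", TXT_2048)):
        print(name, *check_signature_key_size(SIG_B, rec))
```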

8

Re: [Closed] SMTP Connection Time and DKIM_invalid

This is okay; check it with a DKIM validator instead of testkeys.

amavisd-new testkeys can't validate 2048-bit keys, so just use the dkimvalidator I posted above to check the validity.

9

Re: [Closed] SMTP Connection Time and DKIM_invalid

The log with the

result = fail
Details: OpenSSL error: data too small for key size

comes from https://dkimvalidator.com/, not from testkeys.

So https://dkimvalidator.com/ says that there is an OpenSSL error.

Greets

10

Re: [Closed] SMTP Connection Time and DKIM_invalid

I assume you come from Germany? I can try to solve it via voice com if you want; do you have TeamSpeak?

11 (edited by mike175de 2020-03-05 23:58:50)

Re: [Closed] SMTP Connection Time and DKIM_invalid

Thx for the offer, but I don't have TeamSpeak. Does the error have something to do with the length of the Diffie-Hellman parameter (or something with that name ;o) )? So that the DKIM is not generated correctly?

greets

12

Re: [Closed] SMTP Connection Time and DKIM_invalid

No, I also use rsa-sha256 in my setup and it works.

Did you update the dns record?

amavisd-new showkeys

Is it showing the new 2048-bit key or the old one?

13

Re: [Closed] SMTP Connection Time and DKIM_invalid

Yes, I updated the DNS record and amavisd-new showkeys shows the 2048-bit key.

14 (edited by Cthulhu 2020-03-06 00:28:45)

Re: [Closed] SMTP Connection Time and DKIM_invalid

Send me a mail to <removed>; maybe dkimvalidator still has your old DNS record cached.

15

Re: [Closed] SMTP Connection Time and DKIM_invalid

Thx for your help.
Mail is out. ;o)

16

Re: [Closed] SMTP Connection Time and DKIM_invalid

Thx to Cthulhu I was able to fix the problem. Thank you very much for that!

To be fair, it was just a stupid mistake by myself. Forgot to restart amavis. Shit happens ;o)

But there is still the "T_DKIM_INVALID Your DKIM signature is not valid" when I try to test it via mail-tester.com.

;o(

Greets

17

Re: [Closed] SMTP Connection Time and DKIM_invalid

After another 48h of waiting all the tests are now positive for DKIM.

Maybe it was just a DNS root problem, so that the DKIM signature was not pushed to the different DNS servers?

I will close the issue.

Greets