DKIM - exclude domain, not working

Dibs · June 29, 2020, 3:10pm

Hi folks

My VPS

Ubuntu 18.04
Virtualmin 6.09.gpl
PHP version 7.2.31
Apache 2.4.29
Postfix 3.3.0
BIND - NOT IN USE

I’ve enabled DKIM and added the relevant TXT record at the Registrar and for the 1st mail enabled Virtual Server - outbound emails sign as expected.

I’ve created a 2nd Virtual Server - just HTTP & HTTPS, with no mail. It’s mail is hosted elsewhere.

A webpage has a contact form - it works, as in the email arrives in the yahoo inbox (for testing purposes). Looking at the headers - the message is DKIM signed.

I’ve gone into Virtualmin >> Email Settings >> DomainKeys Identified Mail and added the domain associated with this new Virtual Server in the “Never Sign for domains” field, clicked save and even reloaded\restarted Postfix for good measure.

Sending another email via the webform and examining the headers, it is still DKIM signed.

Any help\advice\pointers would be greatly appreciated.

Thanks

Dibs

Dibs · June 29, 2020, 4:23pm

/etc/opendkim.conf has the following lines:

Syslog yes
UMask 007

Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 2020_v1

#Socket local:/var/run/opendkim/opendkim.sock ## Original Live entry
Socket inet:8891@localhost

PidFile /var/run/opendkim/opendkim.pid

OversignHeaders From

TrustAnchorFile /usr/share/dns/root.key

UserID opendkim
SigningTable refile:/etc/dkim-signingtable
KeyTable /etc/dkim-keytable

All the comments have been removed in the above - just to shorten the post.

/etc/dkim-signingtable has

default

the above line says star(*) default.

and /etc/dkim-domains.txt

myHost.myDomain.com

i.e. the FQDN of the server\VPS.

From reading the documentation on opendkim I am expecting that the entry for /etc/dkim-signingtable would not be (if I’ve added a domain not to sign for)

default

the above line says star(*) default.

because that means sign for everything. I’m going to alter the signing-table file to sign for the 1 (other) domain that is mail enabled and effectively ignore all other domains and see what happens, as a test, and see what happens. Always set it back if it goes weird.

If you add a domain to the field for ignoring in the DKIM form - should it not change the values in /etc/dkim-signingtable file?

Thanks

Dibs

Dibs · June 29, 2020, 4:47pm

Update:

I changed the value in /etc/dkim-signingtable from

* default

to

*@myOtherDomain.com default

restarted opendkim & Postfix for good measure. I sent a mail via the contact form on domain2 (the non mail enabled Virtual Server) and checking the headers in Yahoo, no trace of DKIM.

Sending an email from myOtherDomain.com which is mail enabled and checking the headers, the email is DKIM signed.

So, is this a bug? i.e. entering a value in the ignore field on\in the DKIM form doesn’t change anything as /etc/dkim-signingtable continues to have the

* default

entry. Or have I made a mistake in setting up DKIM somewhere? The DKIM form has the following values:

Signing of outgoing mail enabled? - Yes
Selector for DKIM record name - mySelector
Reject incoming email with invalid DKIM signature? - No
Force generation of new private key? - No
Size of new DKIM key - 2048
Additional domains to sign for - myHost.MasterDomain.com
Never sign for domains - noMailDomain.com
DNS records for additional domains - Normal Looking Key

noMailDomain.com (the Virtual Server) is not mail enabled - just HTTP & HTTPS.

Thanks

Dibs

system · July 29, 2020, 4:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.