DKIM fails

Hello,
I configured Virtualmin to sign with DKIM.
But mail-tester and dkimvalidator.com report an invalid signature.
I added my domain in “Additional domains to sign for”, entered the key in my DNS record, and it is propagated.
What could I check?
Thanks.

On seeing this message I decided to make sure the DKIM was working for myself. And it’s not.

I’ve run a VirtualMin check and everything is reported as being OK. Regenerated the DKIM (just used save) and it tells me everything propagated correctly. But when I look at the email headers this is all I see:

Delivered-To: nigel.soft-focus-imagining@apache-web-server.twin-peaks-video.com
Received: from [127.0.0.1] (unknown [192.168.1.50])
    by apache-web-server.twin-peaks-video.com (Postfix) with ESMTP id 5EED5C3EB8D6
    for <nigel@soft-focus-imagining.com>; Tue,  5 Sep 2017 12:10:07 -0600 (MDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 apache-web-server.twin-peaks-video.com 5EED5C3EB8D6
Reply-To: nigel@twin-peaks-video.com
To: nigel@soft-focus-imagining.com
From: Nigel Aves nigel@twin-peaks-video.com

I do know that this was working sometime ago, as far as I know I’ve not changed anything to do with email services.

Any ideas?

What distro and version are y’all running?

Sorry, should have added this.

Operating system CentOS Linux 7.3.1611
Webmin version 1.852
Virtualmin version 6.00
Postfix Version: 2.10.1

Is the opendkim package installed? (rpm -q opendkim)

We don’t depend on it during installation because I thought Jamie had code to install it automatically when DKIM is enabled, but maybe that’s either not working, or not true, and I need to add a dependency to our yum groups.

If it’s not installed, try installing it:

# yum install opendkim

And, maybe restart postfix:

# systemctl restart postfix

And, see if things behave differently. If so, then it’s just a dependency issue…if not, it’s something we might need to rope Jamie in on (and it might need a Virtualmin update to fix).

Hi,

Debian 9: Turn on DKIM. Then go to the console and enter:

  1. /lib/opendkim/opendkim.service.generate

  2. systemctl daemon-reload

  3. service opendkim restart

For test:

netstat -natpu | grep opendkim

Joe.

Yes, opendkim is installed (and it was installed automatically when I built the server). I looked at the files in /etc/opendkim and none of them are modified, but I am assuming that Virtualmin stores the info somewhere else.

I have stopped and restarted Postfix. No difference.

Nigel

KrisPL

I did try your test netstat -natpu | grep opendkim

I believe this looks good.

[root@apache-web-server ~]# netstat -natpu | grep opendkim
tcp 0 0 127.0.0.1:8891 0.0.0.0:* LISTEN 25876/opendkim
[root@apache-web-server ~]#

I’ll ask Jamie to chime in, as he knows better what magic is supposed to happen to loop DKIM signing into the mix when sending mail.

Here’s the ticket about it, though I’ll relay back any necessary info once I understand what’s happening: https://www.virtualmin.com/node/53420

Joe, it also does not work with Debian 9.

Hello,
I am running Debian 8.9
Dkim is installed and running, my emails are signed but the signature is invalid.

Joe,

I was looking through my log files trying to discover if this was a bug in VirtualMin or Operator Error - Me! :)

Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: connect from unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 4A67DC3EB8D6: client=unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: 774C3C3EB8D6: client=unknown[192.168.1.50]
Sep 8 13:37:20 apache-web-server postfix/cleanup[28647]: 774C3C3EB8D6: message-id=4dc39ace-d347-8788-23cc-f44a2cef20bb@twin-peaks-video.com
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [192.168.1.50] [192.168.1.50] not internal
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data
Sep 8 13:37:20 apache-web-server postfix/qmgr[3361]: 774C3C3EB8D6: from=nigel@twin-peaks-video.com, size=1565, nrcpt=1 (queue active)
Sep 8 13:37:20 apache-web-server postfix/smtpd[28643]: disconnect from unknown[192.168.1.50]

Any thoughts?

Nigel

Not sure if this is a bug or not, but discovered what was wrong.

First edit the /etc/opendkim/TrustedHosts file and add your internal network

# OPENDKIM TRUSTED HOSTS
# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
# The localhost IP (127.0.0.1) should always be the first entry in this file.
127.0.0.1
::1
#host.example.com
192.168.1.0/24

Then edit /etc/opendkim.conf and uncheck this line

# Identifies a set “internal” hosts whose mail should be signed rather than verified.
InternalHosts refile:/etc/opendkim/TrustedHosts

Now dkim is written to email messages.

There should probably be an option added in Virtualmin dkim setup to add your internal networks.

Nigel.
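
As an added example (not part of the original posts, and not Virtualmin or OpenDKIM code), this Python script takes the "not internal" lines OpenDKIM logs when it skips signing and checks each client address against the networks in a TrustedHosts file. The regular expression assumes the log format shown in the thread; the second queue ID and the 203.0.113.9 client are constructed sample data.

```python
import ipaddress
import re

# Constructed sample: the opendkim lines from the log above plus one
# made-up message from a client outside the local network.
SAMPLE_LOG = """\
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: [192.168.1.50] [192.168.1.50] not internal
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: not authenticated
Sep 8 13:37:20 apache-web-server opendkim[25876]: 774C3C3EB8D6: no signature data
Sep 8 13:40:02 apache-web-server opendkim[25876]: 0000EXAMPLE1: [203.0.113.9] [203.0.113.9] not internal
"""

# TrustedHosts entries as posted above (header comments shortened).
TRUSTED_HOSTS = """\
# OPENDKIM TRUSTED HOSTS
127.0.0.1
::1
#host.example.com
192.168.1.0/24
"""

# Assumption: the bracketed field just before "not internal" is the client IP.
NOT_INTERNAL = re.compile(
    r"opendkim\[\d+\]: (\w+): \S+ \[([0-9A-Fa-f:.]+)\] not internal")

def parse_trusted_hosts(text):
    """Return the IP networks listed in a TrustedHosts file (hostnames skipped)."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()  # drop comments
        try:
            if entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            pass  # hostname entry; resolving it needs DNS, out of scope here
    return nets

def unsigned_clients(log_text, nets):
    """Map queue ID -> (client IP, covered by nets?) for 'not internal' mail."""
    result = {}
    for qid, ip in NOT_INTERNAL.findall(log_text):
        addr = ipaddress.ip_address(ip)
        covered = any(addr.version == n.version and addr in n for n in nets)
        result[qid] = (ip, covered)
    return result

if __name__ == "__main__":
    found = unsigned_clients(SAMPLE_LOG, parse_trusted_hosts(TRUSTED_HOSTS))
    for qid, (ip, ok) in found.items():
        print(qid, ip, "covered by TrustedHosts" if ok else "still external")
```

Every address matched by InternalHosts has its mail signed with the domain key rather than verified, so keep the listed ranges as narrow as the sending hosts require.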

Hi,
My problem is different:
my emails are signed, but the signature is invalid. I have no DKIM error in the Postfix logs.

I would try:

Virtualmin -> Email Messages -> Domain Key Identified Mail

Force generation of new private key -> Yes

Save

Here succeeded to not “added my domain in ‘Additional domains to sign for’”

But generate the key in the virtual server for that domain itself!

( virtual server > server configuration > domainkey options )

Then it should be in the DNS of course, otherwise they didn’t work. If third party external DNS, you have to add this manually.

If you use as key “default” then problems could be there, so better change “default” to what you like. You can read that here:
https://www.virtualmin.com/documentation/email/dkim

“Do NOT enter default, as this can trigger a bug in the current Virtualmin release which deletes the /etc/default”

noisemarine : I already tried that.

Jfro : I already added my domain, changed the “default” prefix, and added the key to my DNS.

I mean do not add your domain there in that screen, but do the key generation in the domain virtual server itself.
Open that screen on that domain again and you see your key to paste in the DNS record if needed. Then you can check with DNS at https://mxtoolbox.com/dkim.aspx whether these keys are the same!
Of course, after the TTL time…

And try a test first by sending mail out over the webmail Webmin function:
http://dkimvalidator.com/

So go to that domain’s virtual server and generate the key there: ( virtual server > server configuration > domainkey options )

Jfro : I cannot remove my domain from “Additional domains to sign for”. I get this error:
Finding virtual servers to enable DKIM for …
… no servers with both DNS and email enabled were found!
DKIM setup failed!

I do not host my virtual server DNS, I am using the one from my provider, but I did add my DKIM key, and I can see it with mxtoolbox.
And there is no “virtual server > server configuration > domainkey options” menu.

OK, I’m only a user/admin.

I have that option in the menu, so I don’t know how to help you.

Then ask Joe, sorry.

We are ourselves only using third party DNS for domains. DKIM with Virtualmin 6 and CentOS is working here, but it was a fresh VM6 install about 29-08, so not an updated older version of VM.