DKIM not signing on Almalinux 9

SYSTEM INFORMATION
OS type and version AlmaLinux release 9.2 (Turquoise Kodkod)
Webmin version 2.021
Virtualmin version 7.7
Opendkim 2.11.0
Postfix 3.5.9
Bind 9.16

I installed Virtualmin 7 on an AlmaLinux 9.2 exclusively for email server purposes.

Sending and receiving emails works

Each domain has an exclusive virtual server with only two features enabled:

  • Mail for domain
  • Spam filtering

I did not enable DNS for the virtual servers since it is configured externally.

  • External DNS records are fine, including all email related: MX, SPF, DKIM, DMARC
  • Testing with Gmail and email-tester . com confirms all records, except that the email isn’t being signed with DKIM

Opendkim is listening on 127.0.0.1:8891 after checking with ss -tulpn | grep 8891

  • tcp LISTEN 0 128 127.0.0.1:8891 0.0.0.0:* users:(("opendkim",pid=11546,fd=3))

Postfix is configured to use Opendkim, with the following on /etc/postfix/main.cf:

  • milter_default_action = accept
  • smtpd_milters = inet:localhost:8891
  • non_smtpd_milters = inet:localhost:8891

Complete /etc/postfix/main.cf:

compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix/samples
readme_directory = /usr/share/doc/postfix/README_FILES
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

smtp_tls_security_level = dane
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/dependent
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unknown_recipient_domain reject_rbl_client zen.spamhaus.org check_policy_service unix:/var/spool/postfix/postgrey/socket
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
mailbox_size_limit = 0
allow_percent_hack = no
resolve_dequoted_address = no
message_size_limit = 102400000
milter_default_action = accept
tls_server_sni_maps = hash:/etc/postfix/sni_map
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtp_use_tls = yes

Checking Opendkim with systemctl status opendkim I identified that:

  • current command is: /usr/sbin/opendkim -f -b s
  • if I change it to /usr/sbin/opendkim -x /etc/opendkim.conf and restart it (after a proper systemctl daemon-reload), it still doesn’t sign anything

On Virtualmin → Email Settings → DomainKeys Identified Mail

  • Signing of outgoing mail enabled? is Yes
  • Extra domains to sign for have all the domains added as “virtual servers” on the server
  • The tab Domains currently signed for presents a list with all the domains as well
  • The DKIM DNS records for domains are correctly added on the DNS records of all the domains listed

Strangely, when I send an email, nothing is written on /var/log/mail.log

When sending an email to check-auth@verifier.port25.com, I get:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         none

...

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         none (message not signed)
ID(s) verified: 

About valid SSL certificates

To automatically generate (and renew) valid SSL certificates for each domain, to be used by Dovecot and Postfix, this is my process:

  • each domain has a mail.my-domain.com subdomain pointed to the email server through an A record
  • the MX record of each domain is mail.my-domain.com
  • on the email server, each domain has a virtual server with an additional sub-server mail.my-domain.com configured with Nginx and Nginx SSL
  • each of these sub-servers is configured to generate and renew automatically its SSL certificate through Let’s Encrypt, certificates that are automatically linked to the respective domain by Virtualmin
  • each domain uses mail.my-domain.com as the incoming and outgoing server
  • the secure connection works flawlessly
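
A consistency check for the setup described in the post above, as an added example that is not part of the original thread or of Virtualmin. It compares the Postfix milter settings quoted in the post with an OpenDKIM configuration; the opendkim.conf text and the function names are constructed for illustration, not taken from the poster's server.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def parse_settings(text, sep):
    """Parse 'key = value' (main.cf, sep='=') or 'Key value' (opendkim.conf, sep=None)."""
    out, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key:            # indented line continues the previous value
            out[key] += " " + raw.strip()
            continue
        parts = raw.split(sep, 1)
        key = parts[0].strip()
        out[key] = parts[1].strip() if len(parts) > 1 else ""
    return out

def endpoint(spec):
    """Normalise Postfix 'inet:host:port' and OpenDKIM 'inet:port@host' to (host, port)."""
    kind, _, rest = spec.strip().partition(":")
    if kind != "inet":                          # local:/path and unix:/path are the same thing
        return ("unix" if kind == "local" else kind, rest)
    if "@" in rest:
        port, host = rest.split("@", 1)
    else:
        host, _, port = rest.rpartition(":")
    return ("loopback" if host in LOOPBACK else host, port)

def check_signing(main_cf, opendkim_conf, sender_domain):
    """Return a list of reasons why mail from sender_domain could leave unsigned."""
    pf, dk = parse_settings(main_cf, "="), parse_settings(opendkim_conf, None)
    findings = []
    for param in ("smtpd_milters", "non_smtpd_milters"):
        specs = pf.get(param, "").replace(",", " ").split()
        if endpoint(dk.get("Socket", "")) not in [endpoint(s) for s in specs]:
            findings.append(f"{param} does not reach Socket {dk.get('Socket')}")
    if "s" not in dk.get("Mode", "sv"):         # opendkim.conf(5) default is sv
        findings.append("Mode has no 's': messages are verified but never signed")
    domains = [d.strip() for d in dk.get("Domain", "").split(",")]
    if "SigningTable" not in dk and sender_domain not in domains:
        findings.append(f"{sender_domain} not in Domain and no SigningTable set")
    if pf.get("milter_default_action") == "accept":
        findings.append("milter_default_action = accept hides milter failures")
    return findings

# Milter lines as quoted in the post; the opendkim.conf text is constructed for illustration.
MAIN_CF = "milter_default_action = accept\nsmtpd_milters = inet:localhost:8891\nnon_smtpd_milters = inet:localhost:8891\n"
OPENDKIM_CONF = "Mode v\nSocket inet:8891@127.0.0.1\nDomain example.org\nSelector default\n"

print("\n".join(check_signing(MAIN_CF, OPENDKIM_CONF, "my-domain.com")))
```

The check reads only the two files; a -b option on the opendkim command line, as in the systemctl status output quoted above, takes precedence over Mode until the configuration is reloaded.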

Out of the box, Virtualmin can handle DKIM: you just turn it on in the control panel and add the DNS record if you're using an external DNS. Have you edited files?

I didn’t edit anything.

And to ensure everything is only touched by Virtualmin, I uninstalled and installed Opendkim twice (removing /etc/opendkim and /etc/opendkim.conf) after I tried to run the service with the same parameters I found on an Ubuntu server (with -x /etc/opendkim.conf).

Every time, I “reinstalled” Opendkim by enabling it through Virtualmin → Email Settings → DomainKeys Identified Mail, which in turn proceeds with the installation and configuration.


Edit: But I fully agree with you. On Ubuntu servers, for example, it simply works after enabling it on Virtualmin, and no manual configuration is necessary.

I use Rocky 9 and have had no issue; AlmaLinux 9 is basically the same. Docs say it needs to be installed but I can’t remember doing that. I presume it’s either done by the OS or the VM install script did it.

https://www.virtualmin.com/documentation/email/dkim/

Maybe it was a bad install.
If it’s not working for AlmaLinux 9, I would have thought a bug would have been reported by now.

Yes, AlmaLinux 9 is 1:1 binary compatible with both Rocky 9 and RHEL 9. They are all the same.

But regardless of the OS, Opendkim is always installed by Virtualmin, and only when we enable the feature on Virtualmin → Email Settings → DomainKeys Identified Mail.

To eliminate the possibility of a bad install, I completely removed Opendkim and let Virtualmin install it again (twice). To no avail.


Edit: Agree. I will file a bug on Virtualmin github repository.

I could try an install on my VPS, shouldn’t take long.

That would be a lot of work!

Not really, VPS installs are quick, then just the one install command.

i.e. while I was talking the VPS has installed it and is now just running updates (automatically)

VM now installing

Install did produce one error @staff on clean Almalinux 9 install on Vultr

At least the error is on Virtualmin configuration files regarding Fail2Ban, which I understand is unrelated to the Opendkim/Postfix pair.


Edit: and on my installation, Fail2Ban is running fine nonetheless.

Got another error, gave it ip6 and ip4

Ignore, I think that DNS is not up to date yet for SSL

Wow. I never saw this error before.

Nope, can’t finish post install. No errors on check config

Since I work exclusively with OpenVZ, my network adapters are always named with something like venet0 and venet0:0 and Virtualmin install script always asked me to manually answer which is the main interface name.

I already reported this on Github, but I’m used to it and everything always worked fine (network related).

I don’t understand. Is it working despite the post-install errors?

Edit: I’m feeling bad because I’m causing a lot of work to you

Weird I get I can’t even install a Virtual Server, first time I ever had this issue installing

I’m semi-retired so it’s fine :slight_smile:

Ok :smile:
I can’t thank you enough!

Obs: please, change your virtual server password, since everything is visible from the screenshot (both IP and password)

It’s OK, I’ll burn this machine; there’s no Create button due to that fatal error

If Virtualmin isn’t allowing you to even create a virtual server, it seems to me that we arrived at the end of the road. What do you think?

Edit: I’m searching for solutions for this error, just in case