1

Topic: DKIM Mail signing

Hi,

I followed the guide to set up iRedMail and also chose to include SPF and DKIM. I set up my DNS records for both SPF and DKIM as mentioned here http://code.google.com/p/iredmail/wiki/DNS_DKIM and here http://code.google.com/p/iredmail/wiki/DNS_SPF. But when I send mails they are not signed with DKIM; there are no header entries in the mail. amavisd-new testkeys shows pass. Must something more be done to get this working? SPF is working really well for me. I tested both by sending a mail to check-auth@verifier.port25.com and they also say that the mail is not DKIM signed. Mail sending is done from the console with the simple mail command on Debian 5.0.3. Any help to get that working would be great.

Regards


2

Re: DKIM Mail signing

You need to put the correct entries in the nameserver(s) that's holding your domain.

E.g.:

dkim._domainkey.yourdomain.com.        3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYwEXrQqGpvGm3TS7O3oob6Plh"
  [....................]
_adsp._domainkey.yourdomain.com. IN    TXT    "dkim=all"

You can find the generated DKIM key for your domain:

[root@mx2 ~]# amavisd showkeys yourdomain.com
; key#16, domain yourdomain.com, /var/lib/dkim/yourdomain.com.pem
dkim._domainkey.yourdomain.com.        3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYwEXrQqGpvGm3TS7O3oob6Plh"
  [....................]

and copy/paste it from there to your zone file.

3

Re: DKIM Mail signing

It is not a problem to get the key and enter it into the DNS zone file; the problem is that messages are not signed by DKIM, with no header information at all. The DNS entry is verified by amavisd testkeys, which shows PASS.

4

Re: DKIM Mail signing

Check your server memory; if the memory runs out, that would lead to DKIM not signing.

I have tested on Debian 5.01 and iRedMail 0.51, and have no problem.

In email sent to Gmail I can find the DKIM header.

5

Re: DKIM Mail signing

There are more than 3 GB free. Are there any ways to debug signing, to print some verbose messages to a log file?

6

Re: DKIM Mail signing

BigMichi1 wrote:

mail sending is done from console with simple mail command on debian 5.0.3.

Could you please try to send mail via MUA or webmail?

7

Re: DKIM Mail signing

I have now sent mail through the Horde IMP webmail frontend and got this message header:

Received: from [188.40.84.226] (helo=mail.bigmichi1.de)
by mx38.web.de with esmtp (WEB.DE 4.110 #314)
id 1N8Tzz-0000ur-00
for bigmichi1@web.de; Thu, 12 Nov 2009 08:21:43 +0100
Received: by mail.bigmichi1.de (iRedMail, from userid 33)
id EEA957CE4; Thu, 12 Nov 2009 08:22:36 +0100 (CET)
Received: from mail.salt-solutions.de (mail.salt-solutions.de
[217.7.51.164]) by horde.bigmichi1.de (Horde Framework) with HTTP; Thu, 12
Nov 2009 08:22:36 +0100
Message-ID: <20091112082236.18626y8zeyr0egn0@horde.bigmichi1.de>
X-Priority: 3 (Normal)
Date: Thu, 12 Nov 2009 08:22:36 +0100
From: Michael Cramer <michael@bigmichi1.de>
To: bigmichi1@web.de
Subject: Testmail
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Internet Messaging Program (IMP) H3 (4.3.5)
Return-Path: michael@bigmichi1.de
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 8bit

No DKIM at all.

8

Re: DKIM Mail signing

Could you please try to send a mail via MUA like Outlook or Thunderbird? Not webmail this time.

9 (edited by maxie_ro 2009-11-12 19:55:28)

Re: DKIM Mail signing

Are you sure they are not signed? Most mail servers only check the DKIM signature and then discard it, so the client can't see it. Send a mail to yahoo.com, they don't discard it.

Also, check amavisd.conf and make sure dkim email signing is enabled for outgoing.

LE:

Please use all reflectors from this page:

http://testing.dkim.org/reflector.html

10

Re: DKIM Mail signing

BigMichi1 wrote:

i sent now mail through horde imp webmail frontend and got this message header:

Did you add Horde yourself? You can try using Roundcube to test it.

11

Re: DKIM Mail signing

When sending through Horde the result will be:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         neutral
Sender-ID check:    pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mail.bigmichi1.de
Source IP:      188.40.84.226
mail-from:      michael@bigmichi1.de

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mail=michael@bigmichi1.de
DNS record(s):
    bigmichi1.de. 86400 IN TXT "v=spf1 mx mx:mail.bigmichi1.de -all"
    bigmichi1.de. 86400 IN MX 10 mail.bigmichi1.de.
    srv03.bigmichi1.de. 86400 IN A 188.40.84.226

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=michael@bigmichi1.de
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified:

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: header.From=michael@bigmichi1.de
DNS record(s):
    bigmichi1.de. 86400 IN TXT "v=spf1 mx mx:mail.bigmichi1.de -all"
    bigmichi1.de. 86400 IN MX 10 mail.bigmichi1.de.
    srv03.bigmichi1.de. 86400 IN A 188.40.84.226

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.2.5 (2008-06-10)

Result:         ham  (0.9 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
0.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
0.0 HTML_MESSAGE           BODY: HTML included in message
2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO
-0.7 BAYES_20               BODY: Bayesian spam probability is 5 to 20%
                            [score: 0.1824]
-0.6 AWL                    AWL: From: address is in the auto white-list


When sending through Thunderbird from my home machine the result is:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
DomainKeys check:   neutral
DKIM check:         pass
Sender-ID check:    pass
SpamAssassin check: ham

==========================================================
Details:
==========================================================

HELO hostname:  mail.bigmichi1.de
Source IP:      188.40.84.226
mail-from:      michael@bigmichi1.de

----------------------------------------------------------
SPF check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: smtp.mail=michael@bigmichi1.de
DNS record(s):
    bigmichi1.de. 86400 IN TXT "v=spf1 mx mx:mail.bigmichi1.de -all"
    bigmichi1.de. 86400 IN MX 10 mail.bigmichi1.de.
    srv03.bigmichi1.de. 86400 IN A 188.40.84.226

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)
ID(s) verified: header.From=michael@bigmichi1.de
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         pass (matches From: michael@bigmichi1.de)
ID(s) verified: header.d=bigmichi1.de
Canonicalized Headers:
    content-transfer-encoding:7bit'0D''0A'
    content-type:text/plain;'20'charset=ISO-8859-15;'20'format=flowed'0D''0A'
    subject:Check'0D''0A'
    to:check-auth@verifier.port25.com'0D''0A'
    mime-version:1.0'0D''0A'
    user-agent:Thunderbird'20'2.0.0.23'20'(Windows/20090812)'0D''0A'
    from:Michael'20'Cramer'20'<michael@bigmichi1.de>'0D''0A'
    date:Sat,'20'14'20'Nov'20'2009'20'13:33:57'20'+0100'0D''0A'
    message-id:<4AFEA3B5.2030507@bigmichi1.de>'0D''0A'
    x-virus-scanned:Debian'20'amavisd-new'20'at'20'mail.bigmichi1.de'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed/simple;'20'd=bigmichi1.de;'20'h='20'content-transfer-encoding:content-type:subject:to:mime-version'20':user-agent:from:date:message-id:x-virus-scanned;'20's=dkim;'20't='20'1258205711;'20'x=1259069711;'20'bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKd'20'LCPjaYaY=;'20'b=

Canonicalized Body:
    '0D''0A'
   

DNS record(s):
    dkim._domainkey.bigmichi1.de. 3600 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDd7Ayf1dZ1ycq2lEO2rH7YJVL1luac4pKSZd1B+JwjXQezZECL26kz4ko3WMLMXnXQSBxLQa2NUeUIhz/BoEBqJXacETzYYKM95Q5gHWA/oec57A/Vf26Mxy8jNRKYF+WSFYuqL7fZUff9frWyF7wlDz0acS+jVVwILQ9vvh7bgwIDAQAB"

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

----------------------------------------------------------
Sender-ID check details:
----------------------------------------------------------
Result:         pass
ID(s) verified: header.From=michael@bigmichi1.de
DNS record(s):
    bigmichi1.de. 86400 IN TXT "v=spf1 mx mx:mail.bigmichi1.de -all"
    bigmichi1.de. 86400 IN MX 10 mail.bigmichi1.de.
    srv03.bigmichi1.de. 86400 IN A 188.40.84.226

----------------------------------------------------------
SpamAssassin check details:
----------------------------------------------------------
SpamAssassin v3.2.5 (2008-06-10)

Result:         ham  (-0.4 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_PASS               SPF: sender matches SPF record
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0000]
2.2 TVD_SPACE_RATIO        BODY: TVD_SPACE_RATIO

In both cases one check fails. Any solutions or hints for that failing test?
Also, any suggestions, tips or hints for the different behavior?
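
Added example, not part of the original thread: a small Python check for what the two reports above show, namely whether a raw message carries a DKIM-Signature, which DNS name a verifier queries for the key, and whether a Received hop marks a local (non-SMTP) injection like the "from userid 33" line in the webmail header. The sample messages, example.org, the placeholder bh=/b= values and the function name dkim_report are constructed for illustration.

```python
import email
import re

# Constructed samples modelled on the two cases in the thread (not real mail).
LOCAL_UNSIGNED = (
    "Received: by mail.example.org (iRedMail, from userid 33)\n"
    "\tid EEA957CE4; Thu, 12 Nov 2009 08:22:36 +0100 (CET)\n"
    "From: Sender <sender@example.org>\n"
    "Subject: Testmail\n"
    "\n"
    "body\n"
)
SMTP_SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\n"
    "\th=subject:to:mime-version:user-agent:from:date:message-id; s=dkim;\n"
    "\tt=1258205711; x=1259069711; bh=PLACEHOLDER=; b=PLACEHOLDER\n"
    "Received: from [192.0.2.10] by mail.example.org with ESMTP id ABC123\n"
    "From: Sender <sender@example.org>\n"
    "Subject: Check\n"
    "\n"
    "body\n"
)

def dkim_report(raw, now=None):
    """Report signing state and whether a hop was a local (non-SMTP) injection."""
    msg = email.message_from_string(raw)
    report = {"signed": False, "dns_name": None, "from_signed": False,
              "expired": None, "local_injection": False}
    sig = msg.get("DKIM-Signature")
    if sig:
        # Tag list: ';'-separated tag=value pairs; folding whitespace is insignificant.
        tags = {}
        for part in sig.split(";"):
            name, sep, value = part.partition("=")
            if sep:
                tags[name.strip()] = re.sub(r"\s+", "", value)
        report["signed"] = True
        # The verifier fetches the public key from <selector>._domainkey.<domain>.
        report["dns_name"] = "%s._domainkey.%s" % (tags.get("s"), tags.get("d"))
        report["from_signed"] = "from" in tags.get("h", "").lower().split(":")
        if now is not None and "x" in tags:
            report["expired"] = now > int(tags["x"])
    # A "by host (..., from userid N)" hop with no "from" clause, as in the
    # webmail header quoted in the thread, marks a locally injected message.
    for hop in msg.get_all("Received") or []:
        if re.match(r"\s*by\s+\S+\s+\([^)]*from userid \d+\)", hop):
            report["local_injection"] = True
    return report
```

Run it on the raw source of a message as saved from the receiving mailbox; an unsigned result together with local_injection set matches the webmail case in the thread.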