1

Topic: DKIM signing for additional domains

I followed the guide to set up iRedMail and also chose to include SPF and DKIM.
I added the DKIM and SPF TXT records in our DNS.
Everything works fine, but I recently added a second domain and a postmaster
to work only with this new domain. If I try amavisd showkeys second.domain.tld
it says: No DKIM private keys match the selection list
amavisd showkeys shows only a key for the first or main domain.
How can I generate a DKIM key, include it in the iRedMail components' configuration
and then add it to our DNS?

Thank you for your help

Juan Bou

2

Re: DKIM signing for additional domains

Assuming you are using iRedOS, and the domain is xyz.com:
1. Generate the new key.

cd /var/lib/dkim/
amavisd genrsa xyz.com.pem
chmod 0644 xyz.com.pem

2. Add it to your amavisd.conf file:
Search for "# Add dkim_key here.", and add it alongside the others, preferably in alphabetic order so you can find it faster.

dkim_key("xyz.com", "dkim", "/var/lib/dkim/xyz.com.pem");

3. Add your new domain to @local_domains_maps in amavisd.conf. The line should now read something like this:

@local_domains_maps = ( [".$mydomain", "firstdomain.com", "xyz.com"] );  # list of all local domains

4. Restart amavisd

/etc/init.d/amavisd restart

5. Test that the key was installed properly

amavisd showkeys xyz.com

The output should be something like this:

; key#1, domain xyz.com, /var/lib/dkim/xyz.com.pem
dkim._domainkey.xyz.com.   3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEzgjyG2It0ZdQQTgGNj2jNDKe"
  "fsa978sd98fsd9vds97v9fHIUSAFHY(#@*oiu7cs98a9"
  "afljhljoU(*@#&($*#@U9ujw9fewur0932870932"
  "jvAe33lH9tiVljog1QYSUDOEAaads")

6. Add exactly what was printed above to the zone file in your nameserver(s). You should also include SPF and ADSP. For example:

xyz.com.    IN TXT    "v=spf1 +a +mx ~all"
dkim._domainkey.xyz.com.   3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEzgjyG2It0ZdQQTgGNj2jNDKe"
  "fsa978sd98fsd9vds97v9fHIUSAFHY(#@*oiu7cs98a9"
  "afljhljoU(*@#&($*#@U9ujw9fewur0932870932"
  "jvAe33lH9tiVljog1QYSUDOEAaads")
_adsp._domainkey.xyz.com. IN    TXT    "dkim=all"

Make sure you have also updated the serial of the zone file.
Then restart named service:

/etc/init.d/named restart

7. Verify that everything is ok by sending mails from xyz.com to the autoresponders from this page:
DKIM Reflectors.

3

Re: DKIM signing for additional domains

maxie_ro wrote:

Assuming you are using iRedOS, and the domain is xyz.com:

Very clear. Big thanks!

4

Re: DKIM signing for additional domains

ZhangHuangbin wrote:

Very clear. Big thanks!

No problemo.

Just a minor note: if you look at the SPF entry, I put "~all" instead of "-all" (tilde instead of minus), that's a soft-fail instead of hard-fail. This means email originating from another SMTP gateway or IP address will still be accepted by 3rd parties (instead of being discarded), but it should have a high spam score. If the 3rd party server is working properly, that is...

I did that because some of my users send emails directly from a mini-SMTP server to monitor an industrial machine for example.

5

Re: DKIM signing for additional domains

Thank you very much, maxie_ro, for the detailed instructions.
I think this post is a good candidate to put into the administrator FAQ.


Juan Bou

6

Re: DKIM signing for additional domains

Hi

Sorry for revisiting an old thread - but these are the instructions I followed. I have just installed version 0.51 on Ubuntu 8.04. Great product!

I have set up DKIM as suggested, but validation fails.

Here is the output from amavisd showkeys:

:/var/lib/dkim# amavisd-new showkeys artsoafrican.co.uk
; key#1, domain artsoafrican.co.uk, /var/lib/dkim/artsoafrican.co.uk.pem
dkim._domainkey.artsoafrican.co.uk.    3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIH6Sba7TxrwXR7hMm3RTmRwKh"
  "wfX8O7iDO/7W3lXFRlAzlZzfolYBfnE3fUZiGwL89zCUiIcx5d9br577a0kZth0C"
  "hT3bOSVq+BbcujH/APWLAXCXLohnAX717gQxdMeopE21nrJIB8HuOOciRE5PdLco"
  "EzeZJLHCDVX8jBcClwIDAQAB")

My DNS is set up as in the attached screenshot. I also tried this with all the quotes, linefeeds etc. stripped out.

When I run testkeys I get:

TESTING#1: dkim._domainkey.artsoafrican.co.uk => fail (bad RSA signature)

And a test mail to a reflector shows the following error:

Authentication System:       DomainKeys Identified Mail
  Result:                   DKIM signature NOT confirmed
  Description:              Signature verification failed; signature is missing or key could not be found
  Reporting host:           sendmail.net        

Hopefully I am missing something obvious - any ideas what?

Post's attachments

Picture-4.jpg 12.31 kb, 5 downloads since 2010-03-24

7 (edited by maxie_ro 2010-03-25 15:43:23)

Re: DKIM signing for additional domains

I will try to help you, but I'm no expert in DNS & DKIM, so don't consider what I say pro advice.

Considering the error message from the reflector, apparently it can't find your DKIM key published. Your testkeys on the other hand says Bad RSA signature. Maybe the DNS has not updated yet? Old data still in cache? Malformed response?

On the other hand, when I query your domain, this is what I get:

[root@mx2 ~]# host -t txt dkim._domainkey.artsoafrican.co.uk
dkim._domainkey.artsoafrican.co.uk descriptive text "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIH6Sba7TxrwXR7hMm3RTmRwKhwfX8O7iDO/7W3lXFRlAzlZzfolYBfnE3fUZiGwL89zCUiIcx5d9br577a0kZth0ChT3bOSVq+BbcujH/APWLAXCXLohnAX717gQxdMeopE21nrJIB8HuOOciRE5PdLcoEzeZJLHCDVX8jBcClwIDAQAB\; s=email\; t=s:y"

Same with dig:

[root@mx2 ~]# dig dkim._domainkey.artsoafrican.co.uk any

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> dkim._domainkey.artsoafrican.co.uk any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14227
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dkim._domainkey.artsoafrican.co.uk. IN ANY

;; ANSWER SECTION:
dkim._domainkey.artsoafrican.co.uk. 123 IN TXT  "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIH6Sba7TxrwXR7hMm3RTmRwKhwfX8O7iDO/7W3lXFRlAzlZzfolYBfnE3fUZiGwL89zCUiIcx5d9br577a0kZth0ChT3bOSVq+BbcujH/APWLAXCXLohnAX717gQxdMeopE21nrJIB8HuOOciRE5PdLcoEzeZJLHCDVX8jBcClwIDAQAB\; s=email\; t=s:y"

;; AUTHORITY SECTION:
artsoafrican.co.uk.     171728  IN      NS      ns0-vh.tagadab.com.
artsoafrican.co.uk.     171728  IN      NS      ns1-vh.tagadab.com.

;; ADDITIONAL SECTION:
ns0-vh.tagadab.com.     2528    IN      A       195.245.201.53
ns1-vh.tagadab.com.     2528    IN      A       194.112.32.53

;; Query time: 1 msec
;; SERVER: 89.35.128.2#53(89.35.128.2)
;; WHEN: Thu Mar 25 09:40:21 2010
;; MSG SIZE  rcvd: 393

Have you added "s=email\; t=s:y" by yourself? Also, if the response is bigger than 255 chars, I think it should be in separate strings delimited by quotes, as in "amavisd showkeys", but your response is concatenated directly, I'm not sure that's correct.

Looks like a DNS response I would not expect to get...

8

Re: DKIM signing for additional domains

maxie_ro wrote:

I will try to help you, but I'm no expert in DNS & DKIM, so don't consider what I say pro advice.

Considering the error message from the reflector, apparently it can't find your DKIM key published. Your testkeys on the other hand says Bad RSA signature. Maybe the DNS has not updated yet? Old data still in cache? Malformed response?

...

Have you added "s=email\; t=s:y" by yourself? Also, if the response is bigger than 255 chars, I think it should be in separate strings delimited by quotes, as in "amavisd showkeys", but your response is concatenated directly, I'm not sure that's correct.

Looks like a DNS response I would not expect to get...

Thanks for the response. I changed it again last night after using dig to compare my own entry with one I knew worked (eBay), and your query showed the current result. This checks out fine with testkeys. I did add "s=email\; t=s:y" myself, as I got this from an online key generator.

I'm still getting the same response from the reflector but I guess I'll have to try again later as their DNS cache may not have been updated yet.

9

Re: DKIM signing for additional domains

seangee wrote:

I'm still getting the same response from the reflector but I guess I'll have to try again later as their DNS cache may not have been updated yet.

Yup - it's working fine now. That particular domain still hasn't updated but I have created records for another domain and they work fine.

10

Re: DKIM signing for additional domains

Hi
I am using my ISP provider's DNS; reverse DNS is set on their end. On my local machine I configured a forward lookup zone.
I pasted DKIM in this format, but I am getting the error "dkim=neutral", and if I test DKIM it says "public key is not available".

dkim._domainkey.mydomain.com.      3600 TXT  v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD2x1tgfarduYD7Nfs9IrDL0IzBWNIC6liXdqoF55mU1muFx2QTccfN+MKG/fNhNfpHxNXRESOoFD8ZDzcpnDekB47U208dBoqnB7C6MW6s1kw2HxnUkjo3p5HH4YfBmKsDpAo3CJIuY+tWz6LHivt32O3qfJ3eIQhwN95S+KuCwIDAQAB
This is what I added. What else should I add here? Please, someone assist me with this.

11

Re: DKIM signing for additional domains

Again I changed to this format, but DKIM fail is still showing:


dkim._domainkey.mydomain.com.      3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD2x1tgfarduYD7Nfs9IrDL0Iz"
  "BWNIC6liXdqoF55mU1muFx2QTccfN+MKG/fNhNfpHxNXRESOoFD8ZDzcpnDekB47"
  "U208dBoqnB7C6MW6s1kw2HxnUkjo3p5HH4YfBmKsDpAo3CJIuY+tWz6LHivt32O3"
  "qfJ3eIQhwN95S+KuCwIDAQAB")

_adsp._domainkey.mydomain.com. IN    TXT    "dkim=all"
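The record checks that come up across this thread (the 255-octet character-string limit and the concatenation of quoted strings from post 7, the extra s=/t= tags the online generator added, the unquoted record from post 10 versus the quoted one from post 11, and what the p= value actually contains) as an added Python example that is not part of this thread and not iRedMail or amavisd code. It reads TXT RDATA the way a master-file parser does (RFC 1035 section 5.1: quoted strings with backslash escapes, bare words, ( ) continuation, and an unquoted ';' that comments out the rest of the line), joins the strings as a DKIM verifier must (RFC 6376 section 3.6.2.2), splits the tags, base64-decodes p= and walks the DER SubjectPublicKeyInfo to report the RSA modulus size. The three sample RDATA values are copied from posts 7, 10 and 11 (public keys, nothing secret); the function and constant names are mine, and the DER walker only understands RSA keys.

```python
import base64
import binascii
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption
MAX_CHARACTER_STRING = 255                     # RFC 1035 <character-string> limit, in octets
# master-file tokens: quoted string | ';' comment to end of line | whitespace and ( ) | bare word
TXT_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|;[^\n]*|[()\s]+|([^\s();"]+)', re.S)

def zone_txt_strings(rdata: str) -> list[str]:
    """Split TXT RDATA in presentation form (RFC 1035 5.1) into its character-strings."""
    strings = []
    for m in TXT_TOKEN.finditer(rdata):
        if m.group(1) is not None:                           # quoted: drop the escaping backslashes
            strings.append(re.sub(r"\\(.)", r"\1", m.group(1), flags=re.S))
        elif m.group(2) is not None:                         # bare word (comments and ( ) are skipped)
            strings.append(m.group(2))
    return strings

def parse_dkim_tags(strings: list[str]) -> dict[str, str]:
    """Join strings with nothing between them (RFC 6376 3.6.2.2) and split the tag=value list."""
    tags: dict[str, str] = {}
    for field in "".join(strings).split(";"):
        if field.strip():
            name, sep, value = field.partition("=")
            name = name.strip()
            if not sep or name in tags:
                raise ValueError(f"malformed or duplicate tag {field.strip()!r}")
            tags[name] = re.sub(r"\s+", "", value) if name == "p" else value.strip()  # FWS in p= is ignored
    return tags

def _der_tlv(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value at buf[off]; returns (tag, contents, next offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                        # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length, off = int.from_bytes(buf[off:off + count], "big"), off + count
    if off + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[off:off + length], off + length

def rsa_public_key_info(spki: bytes) -> tuple[int, int]:
    """Walk the SubjectPublicKeyInfo carried in p= and return (modulus bits, public exponent)."""
    tag, body, _ = _der_tlv(spki, 0)
    alg_tag, alg, off = _der_tlv(body, 0)
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not a SubjectPublicKeyInfo for rsaEncryption")
    bits_tag, bits, _ = _der_tlv(body, off)
    if bits_tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    _, rsapub, _ = _der_tlv(bits[1:], 0)                     # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    n_tag, n, off = _der_tlv(rsapub, 0)
    e_tag, e, _ = _der_tlv(rsapub, off)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("RSAPublicKey is not two INTEGERs")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def check_dkim_record(rdata: str) -> dict:
    """Checks a verifier applies to a published record: string sizes, tags, key, t= flags."""
    strings = zone_txt_strings(rdata)
    findings = [f"{len(s.encode())}-octet character-string exceeds {MAX_CHARACTER_STRING}"
                for s in strings if len(s.encode()) > MAX_CHARACTER_STRING]
    tags = parse_dkim_tags(strings)
    bits = exponent = None
    if not tags.get("p"):
        findings.append("p= missing or empty: no usable key (missing = not found, empty = revoked)")
    elif tags.get("k", "rsa") == "rsa":
        try:
            bits, exponent = rsa_public_key_info(base64.b64decode(tags["p"], validate=True))
            if bits < 2048:
                findings.append(f"{bits}-bit RSA key; RFC 8301 recommends at least 2048 bits")
        except (ValueError, IndexError, binascii.Error) as exc:
            findings.append(f"p= is not a usable RSA public key: {exc}")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers must treat failures like unsigned mail")
    return {"strings": len(strings), "octets": len("".join(strings).encode()),
            "tags": tags, "bits": bits, "exponent": exponent, "findings": findings}

# Sample RDATA (the part after owner name, TTL and TXT), copied from this thread's posts.
DIG_FORM = (r'"v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIH6Sba7TxrwXR7hMm3RTmRwKh'
            r'wfX8O7iDO/7W3lXFRlAzlZzfolYBfnE3fUZiGwL89zCUiIcx5d9br577a0kZth0C'
            r'hT3bOSVq+BbcujH/APWLAXCXLohnAX717gQxdMeopE21nrJIB8HuOOciRE5PdLco'
            r'EzeZJLHCDVX8jBcClwIDAQAB\; s=email\; t=s:y"')            # post 7, as dig printed it
KEY_POST10 = ("MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDD2x1tgfarduYD7Nfs9IrDL0Iz"
              "BWNIC6liXdqoF55mU1muFx2QTccfN+MKG/fNhNfpHxNXRESOoFD8ZDzcpnDekB47"
              "U208dBoqnB7C6MW6s1kw2HxnUkjo3p5HH4YfBmKsDpAo3CJIuY+tWz6LHivt32O3"
              "qfJ3eIQhwN95S+KuCwIDAQAB")
UNQUOTED_FORM = "v=DKIM1; p=" + KEY_POST10                    # post 10: no quotes in the zone file
QUOTED_FORM = '(\n  "v=DKIM1; p="\n' + "".join(                # post 11: showkeys style, 64-char chunks
    f'  "{KEY_POST10[i:i + 64]}"\n' for i in range(0, len(KEY_POST10), 64)) + ")"

if __name__ == "__main__":
    for label, rdata in (("dig", DIG_FORM), ("unquoted", UNQUOTED_FORM), ("quoted", QUOTED_FORM)):
        print(label, check_dkim_record(rdata)["findings"])
```

Running it answers the doubts raised above. The record dig returned in post 7 is a single character-string of 243 octets, under the 255-octet limit, so one unsplit string is legal there; only a longer key (a 2048-bit p= alone is 392 base64 characters) has to be published as several quoted strings, which verifiers join with nothing in between. Its t=s:y puts the key in testing mode, which under RFC 6376 makes verifiers treat a failing signature no differently from unsigned mail, so it is worth dropping once things work. The unquoted line from post 10 yields the single string "v=DKIM1" under the master-file rules, because the first unquoted ';' starts a comment and the key never makes it into the record, which matches the "public key is not available" result; the quoted form from post 11 parses to the same key as the intended one. Both keys in the thread decode to 1024-bit RSA with exponent 65537, the size amavisd genrsa produced at the time; the checker flags that against the 2048-bit minimum RFC 8301 recommends for signers.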

12

Re: DKIM signing for additional domains

Please post your questions/issues in a new forum topic, do not hijack other's thread.