1

Topic: dkim stays invalid

Hi,

I have installed iRedMail and everything works well, I must say, except DKIM.
I ran the command amavisd-new showkeys but the key is invalid.
So I went searching on this forum for a solution and found the command "amavisd-new testkeys".
This command gives me the following output: TESTING#1: dkim._domainkey.example.net         => invalid (public key: not available) .
At this point I don't know what to do to get a correct DKIM key so I can add it to the DNS of my domain (Namecheap).
If anybody knows how I could fix this I would be very happy.


2

Re: dkim stays invalid

Did you add the DKIM record in DNS? Reference:
http://www.iredmail.org/docs/setup.dns.html

3

Re: dkim stays invalid

Is it also possible to have 2 DKIM keys if, for example, you're also using another service like Google App Gmail? Or can I replace the one generated in iRedMail and use the one with Google?

ZhangHuangbin wrote:

Did you add the DKIM record in DNS? Reference:
http://www.iredmail.org/docs/setup.dns.html

4

Re: dkim stays invalid

Do you mean that your mail domain name is hosted on both Google Apps and iRedMail server?

5

Re: dkim stays invalid

Yes, but currently we only have around 10 users registered to Google Apps, so the others stay on the iRedMail server. Is it possible to have 2 DKIM keys, one from Google and the other generated with iRedMail, but the same domain name?

ZhangHuangbin wrote:

Do you mean that your mail domain name is hosted on both Google Apps and iRedMail server?

6

Re: dkim stays invalid

Why do you host the same mail domain name on both Google Apps and iRedMail server?

Since this mail domain is hosted locally, all emails sent to this domain will be delivered locally. If the recipient (under the same domain) doesn't exist, the local delivery agent will report this error; it won't deliver the email to another server.

Back to the DKIM issue, if you really need to sign the same DKIM on two servers, you can copy the DKIM key on one server to another server.

7

Re: dkim stays invalid

Hi ZhangHuangbin,
Back to my problem :) I ran the command amavisd-new and added the DKIM key to DNS at Namecheap.
The output from the command amavisd-new showkey:
; key#1, domain labie.net, /var/lib/dkim/labie.net.pem
dkim._domainkey.labie.net.      3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArNI4vc1zuQqKNpGEIDCv"
  "mXyvBTeX7Q+8yJm/kSClGMiAxmFqfLmkDAmwFKTzF88ptl7VvkDjS4ubBxRUcwk+"
  "0+kC0oBKGu5Z36fMTQtD6O1wA5F85xpWBt6PqautDdxP+U4rYBudKUSpJiylPxpZ"
  "0jOWiPEiBOaOXAcq90M9B85EARB27THCixGI72WavkC43X6tLyWRCIkJYBBtw9Me"
  "aHMeIxDht8CfrkyhImug0A5hl00hAYC4+PZLu2YQyNeErIBovnWvkhPtrfMkGOrL"
  "7qox/u1Q97pYGRe52iglo8+f0QsC6bnoavYRYlJt4SZCH9IYner0Il7cgpYJPL20"
  "owIDAQAB")
So I pasted the following in my DNS:
v=DKIM1; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArNI4vc1zuQqKNpGEIDCvmXyvBTeX7Q+8yJm/kSClGMiAxmFqfLmkDAmwFKTzF88ptl7VvkDjS4ubBxRUcwk+0+kC0oBKGu5Z36fMTQtD6O1wA5F85xpWBt6PqautDdxP+U4rYBudKUSpJiylPxpZ0jOWiPEiBOaOXAcq90M9B85EARB27THCixGI72WavkC43X6tLyWRCIkJYBBtw9MeaHMeIxDht8CfrkyhImug0A5hl00hAYC4+PZLu2YQyNeErIBovnWvkhPtrfMkGOrL7qox/u1Q97pYGRe52iglo8+f0QsC6bnoavYRYlJt4SZCH9IYner0Il7cgpYJPL20owIDAQAB

What am I doing wrong? I can't understand what is wrong at this moment...

8

Re: dkim stays invalid

I did a quick DNS query and got this:

$ dig -t txt dkim._domainkey.labie.net
...
dkim._domainkey.labie.net. 180    IN    TXT    "v=DKIM1\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArNI4vc1zuQqKNpGEIDCvmXyvBTeX7Q+8yJm/kSClGMiAxmFqfLmkDAmwFKTzF88ptl7VvkDjS4ubBxRUcwk+0+kC0oBKGu5Z36fMTQtD6O1wA5F85xpWBt6PqautDdxP+U4rYBudKUSpJiylPxpZ0jOWiPEiBOaOXAcq90M9B85EARB27THCixGI72WavkC43X6tLyW"

It's shorter than the 'amavisd showkeys' output.

9

Re: dkim stays invalid

ZhangHuangbin wrote:

I did a quick DNS query and got this:

$ dig -t txt dkim._domainkey.labie.net
...
dkim._domainkey.labie.net. 180    IN    TXT    "v=DKIM1\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArNI4vc1zuQqKNpGEIDCvmXyvBTeX7Q+8yJm/kSClGMiAxmFqfLmkDAmwFKTzF88ptl7VvkDjS4ubBxRUcwk+0+kC0oBKGu5Z36fMTQtD6O1wA5F85xpWBt6PqautDdxP+U4rYBudKUSpJiylPxpZ0jOWiPEiBOaOXAcq90M9B85EARB27THCixGI72WavkC43X6tLyW"

It's shorter than the 'amavisd showkeys' output.

I have removed the record and entered it again.
I have double-checked it and now it's pasted correctly, but mail-checker.com keeps saying DKIM fault.

10

Re: dkim stays invalid

What's the command output on your server or laptop?

$ dig -t txt dkim._domainkey.labie.net

Is it the same as the output of 'amavisd showkeys'? Looks like your DNS service provider doesn't support long DKIM keys.
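
The comparison asked for above, as an added example that is not part of the original post: it joins the quoted strings from 'amavisd-new showkeys' and from a dig answer line, compares the p= values, and also checks whether the published key is a complete DER structure, which exposes truncation even without access to the mail server. The function names and the sample record (a constructed placeholder, not a real key) are assumptions of this example.

```python
import base64
import re

def join_txt_strings(text):
    """Concatenate every quoted string, as a resolver does for a TXT record."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', text)
    return re.sub(r"\\(.)", r"\1", "".join(parts))  # dig prints ';' as '\;'

def dkim_p(record):
    """Return the p= tag of a DKIM key record, whitespace removed."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return re.sub(r"\s+", "", tags.get("p", ""))

def der_complete(p_b64):
    """True if p= decodes and its outer DER SEQUENCE length matches the data."""
    try:
        der = base64.b64decode(p_b64, validate=True)
    except ValueError:  # value cut in the middle of a 4-character group
        return False
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:  # short-form length
        header, length = 2, der[1]
    else:  # long form: low 7 bits give the number of length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_published(showkeys_text, dig_answer):
    """Compare the key amavisd signs with against what DNS actually serves."""
    local = dkim_p(join_txt_strings(showkeys_text))
    published = dkim_p(join_txt_strings(dig_answer))
    if not published:
        return "missing"
    if published == local:
        return "match"
    return "truncated" if local.startswith(published) else "mismatch"

# Constructed sample, not a real key: a DER header announcing 290 bytes, then zeros.
SAMPLE_P = base64.b64encode(b"\x30\x82\x01\x22" + bytes(290)).decode()
SAMPLE_SHOWKEYS = 'dkim._domainkey.example.net.\t3600 TXT (\n  "v=DKIM1; p="\n' + "".join(
    f'  "{SAMPLE_P[i:i + 64]}"\n' for i in range(0, len(SAMPLE_P), 64)) + ")"
# Constructed dig answer line with the value cut short by the DNS provider's form.
SAMPLE_DIG = f'dkim._domainkey.example.net. 180 IN TXT "v=DKIM1\\; p={SAMPLE_P[:117]}"'

if __name__ == "__main__":
    print(check_published(SAMPLE_SHOWKEYS, SAMPLE_DIG))
    print(der_complete(dkim_p(join_txt_strings(SAMPLE_DIG))))
```

A "truncated" result means the record was cut when it was saved at the DNS provider, so receivers cannot load the public key and signatures fail to verify.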

11

Re: dkim stays invalid

ZhangHuangbin wrote:

What's the command output on your server or laptop?

$ dig -t txt dkim._domainkey.labie.net

Is it the same as the output of 'amavisd showkeys'? Looks like your DNS service provider doesn't support long DKIM keys.

On my home computer I get the following output:
# dig -t txt dkim._domainkey.labie.net

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> -t txt dkim._domainkey.labie.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35218
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dkim._domainkey.labie.net.     IN      TXT

;; ANSWER SECTION:
dkim._domainkey.labie.net. 180  IN      TXT     "v=DKIM1\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArNI4vc1zuQqKNpGEIDCvmXyvBTeX7Q+8yJm/kSClGMiAxmFqfLmkDAmwFKTzF88"

;; Query time: 43 msec
;; SERVER: 192.168.20.1#53(192.168.20.1)
;; WHEN: Sat Aug 08 14:56:32 CEST 2015
;; MSG SIZE  rcvd: 174

On the VPS with the command amavisd-new showkeys:

# amavisd-new showkeys
; key#1, domain labie.net, /var/lib/dkim/labie.net.pem
dkim._domainkey.labie.net.      3600 TXT (
  "v=DKIM1; p="
  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArNI4vc1zuQqKNpGEIDCv"
  "mXyvBTeX7Q+8yJm/kSClGMiAxmFqfLmkDAmwFKTzF88ptl7VvkDjS4ubBxRUcwk+"
  "0+kC0oBKGu5Z36fMTQtD6O1wA5F85xpWBt6PqautDdxP+U4rYBudKUSpJiylPxpZ"
  "0jOWiPEiBOaOXAcq90M9B85EARB27THCixGI72WavkC43X6tLyWRCIkJYBBtw9Me"
  "aHMeIxDht8CfrkyhImug0A5hl00hAYC4+PZLu2YQyNeErIBovnWvkhPtrfMkGOrL"
  "7qox/u1Q97pYGRe52iglo8+f0QsC6bnoavYRYlJt4SZCH9IYner0Il7cgpYJPL20"
  "owIDAQAB")

So to me it looks like the key is changed again ...

12

Re: dkim stays invalid

So I tried to paste it in on Namecheap and I can't paste the full string there.
Can I fix it another way?

13

Re: dkim stays invalid

Okay, I contacted Namecheap support; they say that I can't use a key longer than 128 characters.
Now my question is how to generate a shorter key, and will Gmail accept my mail when it's that short?

14

Re: dkim stays invalid

Try this:

# amavisd-new genrsa /var/lib/dkim/labie.net.pem 1024

Key length shorter than 1024 is insecure, at least 2014 is recommended.