1 Topic by lug (edited by lug 2017-03-23 22:15:19)

  • lug
  • Member
  • Offline
  • Registered: 2016-12-07
  • Posts: 146

Topic: DKIM Key - bad RSA signature

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5
- Linux/BSD distribution name and version: ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- Related log if you're reporting an issue:
====

Hi,

I want to use DKIM records for my mail server, but it doesn't work to create a valid key.

with the iredmail installation there was already a key generated, when I do 

amavisd-new testkeys

the output is 

TESTING#1 mydomain.de: dkim._domainkey.mydomain.de => fail (bad RSA signature)

when i create a new key like

amavisd-new genrsa /var/lib/dkim/mydomain.de.pem 1024

or

amavisd-new -c /etc/amavis/conf.d/50-user genrsa /var/lib/dkim/mydomain.de.pem 1024

i get the same error when doing the test.

why is that, what am i doing wrong?

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by lug (edited by lug 2017-03-24 14:59:18)

  • lug
  • Member
  • Offline
  • Registered: 2016-12-07
  • Posts: 146

Re: DKIM Key - bad RSA signature

I just turned on my PC, connected to the server and did "amavisd-new testkeys" again

=> pass

just wtf?!

as it says pass i tried http://dkimvalidator.com
luckily, the message is not marked as spam, but there are still some issues

SpamAssassin Score: 0.11
Message is NOT marked as spam
Points breakdown:
0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID         DKIM-Signature header exists but is not valid

any idea why this happens?

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,787

Re: DKIM Key - bad RSA signature

Might be caused due to DNS cache.

4 Reply by lug

  • lug
  • Member
  • Offline
  • Registered: 2016-12-07
  • Posts: 146

Re: DKIM Key - bad RSA signature

I tried it again today, still the same issue.
TTL is 1 hour, so DNS Cache ist not the problem, i guess.

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,787

Re: DKIM Key - bad RSA signature

If amavisd testkey shows "pass", please try to send email to Gmail, then check the mail headers in Gmail, it will show you whether it's DKIM signed and verified. If it's ok, then it's ok.

6 Reply by lug (edited by lug 2017-03-28 14:42:02)

  • lug
  • Member
  • Offline
  • Registered: 2016-12-07
  • Posts: 146

Re: DKIM Key - bad RSA signature

gmail shows 

dkim=pass (1024-bit key) reason="pass (just generated, assumed good)"

well, pass is ok, but i want it to be verified, not just to be assumed good. (-> not every mailserver assumes it to be good)

I tried multiple dkim tools, they all show that theres a key, but it can not be validated.

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,787

Re: DKIM Key - bad RSA signature

It sounds like a DNS issue.

What's your real mail domain name? Did you try to query DKIM dns record from external network?

8 Reply by lug

  • lug
  • Member
  • Offline
  • Registered: 2016-12-07
  • Posts: 146

Re: DKIM Key - bad RSA signature

ZhangHuangbin wrote:

What's your real mail domain name?

Due to privacy I am not allowed to tell, sorry. I could send it to you via private mail if thats possible.

ZhangHuangbin wrote:

Did you try to query DKIM dns record from external network?

How to do that? I just used mxtoolbox, dkimvalidator etc. to test my settings.

9 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 30,787

Re: DKIM Key - bad RSA signature

It sounds like a DNS issue, only your internal servers can get the DKIM dns record, but external servers cannot get it.

The reason why i asked you to show us the real domain name is, we can help query DKIM DNS record on our side to verify it. It's ok if you don't want to show it. You can verify it yourself with command like below:

dig -t txt dkim._domainkey.<your_mail_domain_name>

Replace "<your_mail_domain_name>" by the real domain name.

NOTE: try it from external servers.

10 Reply by lug (edited by lug 2017-03-31 14:28:10)

  • lug
  • Member
  • Offline
  • Registered: 2016-12-07
  • Posts: 146

Re: DKIM Key - bad RSA signature

Edit: just wanted to notice, that my dns server is not the same as the mail server

dig -t txt dkim._domainkey.***.de

; <<>> DiG 9.9.5-9+deb8u10-Debian <<>> -t txt dkim._domainkey.***.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7623
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dkim._domainkey.***.de.        IN      TXT

;; ANSWER SECTION:
dkim._domainkey.***.de. 3599 IN TXT     "v=DKIM1\; k=rsa\; p=" "MIGfMA0G                                                                                                                               CSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxRG6yVKUsjMqiYOXyaERJpAZn" "K5hgBTRBJxHPsP5EP+A9q                                                                                                                               6Ts0KIZ1RYq55OPb4TdKiPjxktkCE6UtTcAomXH5ClQ" "KbJ+YZ0rssa9m657J3JSEQ8DFFIjiMcjSW                                                                                                                               dN+u65WimyGRFBGJgAUyGgB6fmAF+S" "UFBmoiyUXawBWSgmYwIDAQAB"

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Mar 31 01:28:58 EDT 2017
;; MSG SIZE  rcvd: 310

I tried with this: 

dkim._domainkey.***.de.    3600 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxRG6yVKUsjMqiYOXyaERJpAZnK5hgBTRBJxHPsP5EP+A9q6Ts0KIZ1RYq55OPb4TdKiPjxktkCE6UtTcAomXH5ClQKbJ+YZ0rssa9m657J3JSEQ8DFFIjiMcjSWdN+u65WimyGRFBGJgAUyGgB6fmAF+SUFBmoiyUXawBWSgmYwIDAQAB"

and with this dns entry: 

dkim._domainkey.***.de. 3600 TXT (
  "v=DKIM1; k=rsa; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxRG6yVKUsjMqiYOXyaERJpAZn"
  "K5hgBTRBJxHPsP5EP+A9q6Ts0KIZ1RYq55OPb4TdKiPjxktkCE6UtTcAomXH5ClQ"
  "KbJ+YZ0rssa9m657J3JSEQ8DFFIjiMcjSWdN+u65WimyGRFBGJgAUyGgB6fmAF+S"
  "UFBmoiyUXawBWSgmYwIDAQAB")

and also without the k=rsa

11 Reply by centosnoob

  • centosnoob
  • Member
  • Offline
  • Registered: 2017-03-03
  • Posts: 7

Re: DKIM Key - bad RSA signature

Your DKIM score is the standard nonsense that amivis and its compatriots put out. Cpanel is the same, default 0.11.

I fixed this myself for iredmail with my own custom installation, scroll down to the relevant DKIM section: https://centosnoob.com/email-web-server … p-7-x/144/

DKIM is trickier than it seems to get right. Cpanel is the worst for tricking people into thinking that ticking a box will give them DKIM, when it doesn't give them a correct passable signing request.

12 Reply by lug

  • lug
  • Member
  • Offline
  • Registered: 2016-12-07
  • Posts: 146

Re: DKIM Key - bad RSA signature

Thx for the hint, i'lll try it.