1 (edited by webstudio 2009-07-08 04:11:12)

Topic: [SOLVED] DKIM permissions error and not signing in authenticated users

Hi, I've installed iRedMail in several VPS and after installation and rebbot amavis is dwon with this error:
# service amavisd restart
Shutting down Mail Virus Scanner (amavisd):                [FAILED]
Starting Mail Virus Scanner (amavisd): Error in config file "/etc/amavisd.conf": Can't open PEM file /var/lib/dkim/########.pem: Permission denied at /usr/sbin/amavisd line 551.

after givin permission to the file amavis starts correctly. Is this a bug in installation?

The other problem is signing mails, if I send a mail using a mail client with an authenticated account the message is not DKIM signed, but if Isend the message from localhost without authenticating the message is signed, how can I change the behaviour for signing all messages??

These are the message headers the first with an authenticated user using a mail client the second sent from localhost usin telnet to the 25 port:

Delivered-to: *****
Recibido: by ***** with SMTP id t15cs26868wet; Fri, 3 Jul 2009 08:54:24 -0700 (PDT)
Recibido: by ***** with SMTP id k8mr1394605bkq.117.1246636464213; Fri, 03 Jul 2009 08:54:24 -0700 (PDT)
Return-path: <info@*****>
Recibido: from ***** ([*****]) by ***** with ESMTP id 2si400038bwz.21.2009.07.03.08.54.21; Fri, 03 Jul 2009 08:54:21 -0700 (PDT)
Received-spf: neutral (*****: **** is neither permitted nor denied by best guess record for domain of info@*****) client-ip=*****;
Authentication-results: *****; spf=neutral (*****: ***** is neither permitted nor denied by best guess record for domain of info@*****) smtp.mail=info@*****
Recibido: from localhost (***** [*****]) by ***** (iRedMail) with ESMTP id 360B81AE8E56 for <*****>; Fri,  3 Jul 2009 15:54:21 +0000 (UTC)
X-virus-scanned: amavisd-new at *****
Recibido: from ***** ([127.0.0.1]) by localhost (**** [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 20v66WS6s6jW for <****>; Fri,  3 Jul 2009 17:54:21 +0200 (CEST)
Recibido: from [192.168.0.120] (***** [*****]) by ***** (iRedMail) with ESMTPSA id 2E0F01AE8E50 for <*****>; Fri,  3 Jul 2009 17:47:59 +0200 (CEST)


Delivered-to: *****
Recibido: by ***** with SMTP id t15cs26460wet; Fri, 3 Jul 2009 08:42:28 -0700 (PDT)
Recibido: by ***** with SMTP id e15mr223982ebo.90.1246635748455; Fri, 03 Jul 2009 08:42:28 -0700 (PDT)
Return-path: <info@*****>
Recibido: from ***** ([*****]) by ***** with ESMTP id 6si6822199ewy.6.2009.07.03.08.42.26; Fri, 03 Jul 2009 08:42:26 -0700 (PDT)
Received-spf: neutral (*****: ***** is neither permitted nor denied by best guess record for domain of info@*****) client-ip=*****;
Authentication-results: *****; spf=neutral (*****: ***** is neither permitted nor denied by best guess record for domain of info@*****) smtp.mail=info@*****; dkim=neutral (no key) header.i=@*****
Recibido: from localhost (***** [127.0.0.1]) by ***** (iRedMail) with ESMTP id 7C838BC8004 for <*****>; Fri,  3 Jul 2009 15:42:26 +0000 (UTC)
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d= *****; h=to:from:date:message-id:subject: x-virus-scanned; s=dkim; t=1246635746; x=1247499746; bh=frcCV1k9 oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=tljmcyx8OWi9HoTyMRYa+y0Z 9pGBArLoO/oi3GvUW3iOCXLONs07xbldVj1Z4rxC/bIVfEETEAEYVCER8mp4jThM Mn0q4Rnnim9PdMx5FvgEYCeU2Jf53pXg+/tPVYvEhqG6qB0bDTOh1k0G5xSR7Fed PPjG+E8KbcRqjfTLGNs=
X-virus-scanned: amavisd-new at ****
X-amavis-alert: BAD HEADER SECTION, MIME error: error: unexpected end of header
Recibido: from ***** ([127.0.0.1]) by localhost (***** [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UDzqD70eFF-Q for <*****>; Fri,  3 Jul 2009 17:42:26 +0200 (CEST)
Recibido: from ***** (***** [127.0.0.1]) by ***** (iRedMail) with ESMTP id A4FC0BC8002 for <*****>; Fri,  3 Jul 2009 15:42:06 +0000 (UTC)

2

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

Please post the output of below command:

# amavisd testkeys
# amavisd showkeys

It seems there are some issues in Amavisd while you deploy iRedMail on VPS (OpenVZ), but no issues in real hardware.

3

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

These are the outputs:

# amavisd testkeys
TESTING#1: dkim._domainkey.***** => invalid (public key: not available)

(At this moment the DNS public key is not configured, so this error seems normal)

# amavisd showkeys
; key#1, domain *****, /var/lib/dkim/*****.pem
dkim._*****.    3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVtPefvZuLQd9aw2WEe8j5FX4n"
  "WkPMY8IXjCvQgcOVY/3xJ/dv4K/1xLjR8r1XOmf2jSwxWzHr7acpY5CRnDVQeoHF"
  "a1s9gYFrkxyFYeqN0UdnpfPVOjiVnu0IuZan3UjC77dYosvdRM1tx8NH51FZNRHF"
  "RiJ+VFkp8ygkNvnrAwIDAQAB")

4

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

webstudio wrote:

These are the outputs:

# amavisd testkeys
TESTING#1: dkim._domainkey.***** => invalid (public key: not available)

can not find the pbulic key in your dns.
you can check your dns setting.

5

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

Hi again, I know that the DNS is not properly configured. But the main question is why if I send a message from localhost with telnet it is signed and if I send it from an authenticated user using a MUA the messege is not signed. It seems a postfix/amavis config error.


PD: The DNS is not configured because it is a preproduction system, we are proving the system and need all messages signed beeing from local host or from an authenticated user.

Regards in advance.

6

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

Please try to debug it yourself:

# File: /etc/amavisd.conf
$log_level = 5;
$sa_debug = 1;

Restart amavisd service, and monitor /var/log/maillog, try to find out the root case and resolv it.

7

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

The problem was with the default configuration in amavisd.conf, in the original config a line in ORIGINATING pilicy bank was uncommented and was not valid for the config used in iredmail:

$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["root\@$mydomain"],
  spam_admin_maps  => ["root\@$mydomain"],
  warnbadhsender   => 1,
  # forward to a smtpd service providing DKIM signing service
  #forward_method => 'smtp:[127.0.0.1]:10027',   <==== this line has to be commented for signing messages that are sended thought authenticated user
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};


I dont know if this is a bug in iredmail or is an effect of installing it in VPSs, the other problems with the default permission of the DKIM key has been reproduced  in several isntallations of iredmail in another VPSs.

8

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

I have test iredmail in openvz vps, the DKIM always have problem.

but when I run iredmail in vmware and have no problem.


so Ibelieve this is vps bug.

9

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

webstudio wrote:

The problem was with the default configuration in amavisd.conf, in the original config a line in ORIGINATING pilicy bank was uncommented and was not valid for the config used in iredmail:

$policy_bank{'ORIGINATING'} = {
  ...
  #forward_method => 'smtp:[127.0.0.1]:10027',   <==== this line has to be commented for signing messages that are sended thought authenticated user
  ...

Fixed:
http://code.google.com/p/iredmail/sourc … 5e34d05294

Thanks for your report. smile

10 (edited by cvelbar 2009-07-23 18:58:41)

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

Checked now on Debian Lenny and still a no go...
I commented the line

# forward_method => 'smtp:[127.0.0.1]:10027',

and restarted amavisd-new and also rebooted the machine.

The emails are DKIM signed only when sent from localhost and not for the authenticated users.

Any clue on what else to check?

11

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

cvelbar wrote:

The emails are DKIM signed only when sent from localhost and not for the authenticated users.

Works for me here. Debian Lenny

12

Re: [SOLVED] DKIM permissions error and not signing in authenticated users

ZhangHuangbin wrote:

Works for me here. Debian Lenny

I have already checked in the postfix and the amavis configuration, but I have lost myself... hmm
Where exactly should the equivalence of the local mail and the mail coming from the authenticated users be set?

Correct me if I'm wrong. The signing is done by Amavis, which based on the rules in /etc/amavis/conf.d/50-user
signs the outgoing messages.
My line is as follows:

@dkim_signature_options_bysender_maps = ( {
    # ------------------------------------
    # For domain: domain.tld.
    # ------------------------------------
    # 'd' defaults to a domain of an author/sender address,
    # 's' defaults to whatever selector is offered by a matching key 

    'postmaster@domain.tld'    => { d => "domain.tld", a => 'rsa-sha256', ttl =>  7*24*3600 },
    #"spam-reporter@domain.tld"    => { d => "domain.tld", a => 'rsa-sha256', ttl =>  7*24*3600 },

    # explicit 'd' forces a third-party signature on foreign (hosted) domains
    "domain.tld"  => { d => "domain.tld", a => 'rsa-sha256', ttl => 10*24*3600 },
    #"host1.domain.tld"  => { d => "host1.domain.tld", a => 'rsa-sha256', ttl => 10*24*3600 },
    #"host2.domain.tld"  => { d => "host2.domain.tld", a => 'rsa-sha256', ttl => 10*24*3600 },
    # ---- End domain: domain.tld ----

    # catchall defaults
    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );
$enable_dkim_verification = 1;  # enable DKIM signatures verification
$enable_dkim_signing = 1;    # load DKIM signing code, keys defined by dkim_key

Is the catchall line wrong?
Thank you for your help.