Signum / ispmail-bookworm-ansible

Ansible playbook to set up a mail server as described in the ISPmail guide at workaround.org
MIT License

[Solved] Your message is not signed with DKIM #7

Closed mikysal78 closed 3 months ago

mikysal78 commented 3 months ago

On https://www.mail-tester.com/ I have this:

**Your message is not signed with DKIM**
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

How to solve? Thanks.

mikysal78 commented 3 months ago

I tried sending an email from the domain to my gmail account. This is the source of the message and there is no trace of DKIM.

Received: by 2002:a05:7110:6182:b0:233:8e8d:a17d with SMTP id g2csp81348gec;
        Tue, 23 Apr 2024 13:42:22 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IEHXMfZRhy41N6ujPvhx4/9LTzS3kMUsUKqrH1CcuhbCvzVYiPBfC2mbUFPDz3EUtkMnEra
X-Received: by 2002:a7b:cb03:0:b0:419:f447:c323 with SMTP id u3-20020a7bcb03000000b00419f447c323mr221128wmj.27.1713904941920;
        Tue, 23 Apr 2024 13:42:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1713904941; cv=none;
        d=google.com; s=arc-20160816;
        b=d5FMK+VVA4834tJs/n60EN6GHssx2a9aPzGtgtqzh/PAyeffti4BGm7L5Kf6JsCHLD
         8bK0YPswW+h3kRX74+Srv7F94iAVrzgVSwI0c3qPkqJ7vGT8JPYtVlo7YkrhSSjseglf
         dt4IgNZ/lsiwBgrtlffchNUEBtTEHykXyDc7bsH+Vz5u5v8xGQoyUa0o5judgv//JvbE
         elHdjRNZsQQaGOJUFompxnA9O4gVYJ3SIQQbQntMDicEgBananzBpLLB0mEmGC452Pg9
         wNWXVz/qUTAgKOhJ/sP+erHskodGtoFmzTvrXLvvUCepAuB4rT7H2JKCMzmG74r0Fz6z
         r7Gw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:message-id:subject:to:from:date
         :mime-version;
        bh=hq0ouRkCzIGt5QC08xrVsrM3tli1NxHFqrpBAP6W7v8=;
        fh=kCwNR7q8sCVgK/5jjauGQ9WbHTXbky8MM1QTx+CTeUU=;
        b=tFNdFFHseYZxP3bfk9aTVhumg37EXB/pvbNOJuQxQEA5IQn9amlTpOe2gCHea+9q5O
         u7Twq0kN+6WQnllNxVLZ609kqi9AjsefZ+T1CnFwIphCfFibKRChSXMa471gyUyznsjK
         Joj4xMOdw8F56zXpPMsSzAj81/aHKZ4dOKLgfz7X+b9vnoAa0wjy/PgoHk9kabKiMM0I
         p7yFfzGgMg0BL6tHLqkOFhs9ZP+1XVO/BTsuA6llQZDfD2HSjKQeLVDF97/JjE00dslQ
         rbP0Oy1CIbh1no9UJtmEHTuqXKmmHA4B25oDnRdiRMycaW/tkMUzCWiB0wi8a3Mc+EEh
         34iQ==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of mikytux@nnxx.ninux.org designates 195.32.70.193 as permitted sender) smtp.mailfrom=mikytux@nnxx.ninux.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=nnxx.ninux.org
Return-Path: <mikytux@nnxx.ninux.org>
Received: from mail.nnxx.ninux.org (mail.nnxx.ninux.org. [195.32.70.193])
        by mx.google.com with ESMTPS id je3-20020a05600c1f8300b004163a478cf2si6877124wmb.71.2024.04.23.13.42.21
        for <mikysal78@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 23 Apr 2024 13:42:21 -0700 (PDT)
Received-SPF: pass (google.com: domain of mikytux@nnxx.ninux.org designates 195.32.70.193 as permitted sender) client-ip=195.32.70.193;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of mikytux@nnxx.ninux.org designates 195.32.70.193 as permitted sender) smtp.mailfrom=mikytux@nnxx.ninux.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=nnxx.ninux.org
Received: from mail.nnxx.ninux.org (mail.nnxx.ninux.org [IPv6:2a07:7e81:3f1c::6])
    by mail.nnxx.ninux.org (Postfix) with ESMTPSA id C74F73803AF
    for <mikysal78@gmail.com>; Tue, 23 Apr 2024 22:42:20 +0200 (CEST)
MIME-Version: 1.0
Date: Tue, 23 Apr 2024 22:42:20 +0200
From: mikytux@nnxx.ninux.org
To: Mikysal78 <mikysal78@gmail.com>
Subject: ciccio
Message-ID: <f925105b0dd4ad937d25267d8f858ccc@nnxx.ninux.org>
X-Sender: mikytux@nnxx.ninux.org
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit

pippo

FredMa01 commented 3 months ago

Have you checked the DKIM settings? https://workaround.org/ispmail-bookworm/prevent-spoofing-using-dkim/ And your DKIM record with your selector? https://mxtoolbox.com/SuperTool.aspx?action=dkim%3annxx.ninux.org&run=toolpage

Fred

mikysal78 commented 3 months ago

> Have you checked the DKIM settings? https://workaround.org/ispmail-bookworm/prevent-spoofing-using-dkim/ And your DKIM record with your selector? https://mxtoolbox.com/SuperTool.aspx?action=dkim%3annxx.ninux.org&run=toolpage
>
> Fred

Hi, thank you for your reply. The record is published: https://mxtoolbox.com/SuperTool.aspx?action=dkim%3annxx.ninux.org:mail&run=toolpage My selector is "mail".

Trying with opendkim-testmsg, the result is: opendkim-testmsg: dkim_chunk(): No signature

mikysal78 commented 3 months ago

Maybe I need to install the package "opendkim", but the Ansible role did not install it.

FredMa01 commented 3 months ago

You need to have this file with the private key : /var/lib/rspamd/dkim/nnxx.ninux.org.mail.key

And /etc/rspamd/local.d/dkim_signing.conf contains

path = "/var/lib/rspamd/dkim/$domain.$selector.key/";
selector_map = "/etc/rspamd/dkim_selectors.map";

And /etc/rspamd/dkim_selectors.map contains nnxx.ninux.org mail

Restart : systemctl restart rspamd

You don't have an SSL certificate for nnxx.ninux.org.

mikysal78 commented 3 months ago

> You need to have this file with the private key : /var/lib/rspamd/dkim/nnxx.ninux.org.mail.key

Yes

> And /etc/rspamd/local.d/dkim_signing.conf contains
>
> path = "/var/lib/rspamd/dkim/nnxx.ninux.org.mail.key/";
> selector_map = "/etc/rspamd/dkim_selectors.map";

No, mine is:

path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";

> And /etc/rspamd/dkim_selectors.map contains nnxx.ninux.org mail

Yes

> Restart : systemctl restart rspamd

> You haven't SSL certificate for nnxx.ninux.org.

Yes, I have Let's Encrypt with a wildcard. Rspamd is running:


root@mail:rspamd # systemctl status rspamd.service
● rspamd.service - rapid spam filtering system
Loaded: loaded (/lib/systemd/system/rspamd.service; enabled; preset: enabled)
Active: active (running) since Wed 2024-04-24 23:44:53 CEST; 13h ago
Docs: https://rspamd.com/doc/
Main PID: 19266 (rspamd)
Tasks: 6 (limit: 4652)
Memory: 188.3M
CPU: 21.588s
CGroup: /system.slice/rspamd.service
├─19266 "rspamd: main process"
├─19268 "rspamd: rspamd_proxy process (localhost:11332)"
├─19269 "rspamd: controller process (localhost:11334)"
├─19270 "rspamd: normal process (localhost:11333)"
├─19271 "rspamd: normal process (localhost:11333)"
└─19272 "rspamd: hs_helper process"

apr 24 23:44:53 mail.nnxx.ninux.org systemd[1]: Started rspamd.service - rapid spam filtering system.
apr 24 23:44:53 mail.nnxx.ninux.org rspamd[19266]: 2024-04-24 23:44:53 #19266(main) <16460a>; main; main: rspamd 3.4 is loading configuration, build id: release
apr 25 00:00:03 mail.nnxx.ninux.org systemd[1]: rspamd.service: Sent signal SIGUSR1 to main process 19266 (rspamd) on client request.
apr 25 00:00:03 mail.nnxx.ninux.org systemd[1]: rspamd.service: Sending signal SIGUSR1 to process 19268 (rspamd) on client request.
apr 25 00:00:03 mail.nnxx.ninux.org systemd[1]: rspamd.service: Sending signal SIGUSR1 to process 19269 (rspamd) on client request.
apr 25 00:00:03 mail.nnxx.ninux.org systemd[1]: rspamd.service: Sending signal SIGUSR1 to process 19270 (rspamd) on client request.
apr 25 00:00:03 mail.nnxx.ninux.org systemd[1]: rspamd.service: Sending signal SIGUSR1 to process 19271 (rspamd) on client request.
apr 25 00:00:03 mail.nnxx.ninux.org systemd[1]: rspamd.service: Sending signal SIGUSR1 to process 19272 (rspamd) on client request.

I try to send emails from webmail or Thunderbird.
They don't get signed.

mikysal78 commented 3 months ago

I found the problem: the permissions under /var/lib/rspamd/dkim were root and not _rspamd. But the signature is wrong, it does not take the sub-domain, see:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ninux.org; s=mail;
    t=1714048612;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     to:to:cc:mime-version:mime-version:content-type:content-type:
     content-transfer-encoding:content-transfer-encoding;
    bh=WVSSz+To8f6E/EWnyFaJpXklEMFqfOahn9yABkb4mag=;
    b=U+tXJ9mXYnCrFGERwUFGZS8YnCzRp7/jjQFgDFgoOzxExUqDjjPm136VPfuIy3Yq/vfLdD
    j2RIJvARpRx1lsA8y3Ds++0zDLWgiY9zrGWm4jv5TXqu74Q05V3jqZJqxD2S/QKykkvtNf
    xKTphQjpf6cPno0XXxqRSe7tuqvGQKE=

I have 2 domains on the server: nnxx.ninux.org and basilicata.ninux.org

selector_map = "/etc/rspamd/dkim_selectors.map";

Maybe after the dot it switches to the selector, and this, perhaps, skips the sub-domain. How can it be solved?

I see now this: https://github.com/rspamd/rspamd/issues/3531
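The two problems in this thread (a key file rspamd could not read, then a signature made for the organizational domain ninux.org instead of the From domain nnxx.ninux.org) can both be spotted from the headers and the file system before sending test mail. The script below is an added example and is not code from ispmail-bookworm-ansible or from rspamd. It parses the From and DKIM-Signature headers quoted above (embedded here as a constructed sample with a shortened b= value), reports the DMARC alignment between d= and the From domain, and prints the key file and DNS record that the `$domain.$selector.key` path and `selector._domainkey` convention from this thread imply for use_esld = true versus use_esld = false. `esld()` is a deliberate simplification (last two labels, no public-suffix list), and `key_file_problems()` checks only ownership and world-readability; the `_rspamd` owner and `/var/lib/rspamd/dkim` directory are the ones named in the thread.

```python
"""Added example: DKIM d=/From alignment and rspamd use_esld expectations."""
import os
import pwd
import re
import stat

# Constructed sample built from the headers posted in the thread; the b= value
# is shortened and is not a valid signature.
SAMPLE_HEADERS = """\
From: mikytux@nnxx.ninux.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ninux.org; s=mail;
    t=1714048612;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     to:to:cc:mime-version:mime-version:content-type:content-type;
    bh=WVSSz+To8f6E/EWnyFaJpXklEMFqfOahn9yABkb4mag=;
    b=U+tXJ9mXYnCrFGERwUFGZS8YnCzRp7/jjQFgDFgoOzxExUqDjjPm136VPfuIy3Yq
"""


def unfold(headers: str) -> dict:
    """Unfold RFC 5322 continuation lines; return {lowercase-name: value}."""
    fields, name = {}, None
    for line in headers.splitlines():
        if line[:1] in " \t" and name:
            fields[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            fields[name] = value.strip()
    return fields


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2),
    removing folding whitespace inside the values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            tag, _, val = part.partition("=")
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def from_domain(from_value: str) -> str:
    """Domain of the first address in a From header ("Name <a@b>" or "a@b")."""
    return re.search(r"@([A-Za-z0-9.-]+)", from_value).group(1).lower()


def esld(domain: str) -> str:
    """Simplified organizational domain: last two labels. Assumption: no
    public-suffix list, so suffixes such as co.uk are not handled."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_alignment(from_dom: str, d: str) -> str:
    """'strict' when d= equals the From domain, 'relaxed' when they only share
    an organizational domain (the case in the thread), else 'none'."""
    from_dom, d = from_dom.lower(), d.lower()
    if from_dom == d:
        return "strict"
    if esld(from_dom) == esld(d):
        return "relaxed"
    return "none"


def rspamd_expectations(from_dom: str, selector: str, use_esld: bool,
                        key_dir: str = "/var/lib/rspamd/dkim") -> dict:
    """Key file and DNS record implied by the thread's config for one value of
    use_esld: signing domain = eSLD when true, full From domain when false."""
    dom = esld(from_dom) if use_esld else from_dom.lower()
    return {
        "signing_domain": dom,
        "key_file": f"{key_dir}/{dom}.{selector}.key",
        "dns_record": f"{selector}._domainkey.{dom}",
    }


def key_file_problems(path: str, expected_owner: str = "_rspamd") -> list:
    """The mistake from the thread (key owned by root, not the rspamd user)
    plus a world-readable private key."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    problems = []
    if owner != expected_owner:
        problems.append(f"{path}: owned by {owner}, not {expected_owner}")
    if st.st_mode & stat.S_IROTH:
        problems.append(f"{path}: world-readable private key")
    return problems


def report(headers: str = SAMPLE_HEADERS) -> dict:
    """Who signed, whether it aligns, and what rspamd expects either way."""
    fields = unfold(headers)
    tags = parse_dkim_tags(fields["dkim-signature"])
    fdom = from_domain(fields["from"])
    return {
        "from_domain": fdom,
        "d": tags["d"],
        "selector": tags["s"],
        "alignment": dmarc_alignment(fdom, tags["d"]),
        "use_esld_true": rspamd_expectations(fdom, tags["s"], True),
        "use_esld_false": rspamd_expectations(fdom, tags["s"], False),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

For the sample, `report()` shows d=ninux.org aligning only in relaxed mode with the From domain and, under use_esld = true, a key path of /var/lib/rspamd/dkim/ninux.org.mail.key and a DNS record mail._domainkey.ninux.org, neither of which exists when the key and TXT record were created for nnxx.ninux.org; use_esld = false yields the nnxx.ninux.org names that match the selector map entry.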

mikysal78 commented 3 months ago

Solved with local.d/dkim_signing.conf:

use_esld = false;
path = "/var/lib/rspamd/dkim/$domain.$selector.key";
selector_map = "/etc/rspamd/dkim_selectors.map";