mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0
Mailcow UI does not display custom dkim domain selector #5582

Closed thumpco closed 7 months ago

thumpco commented 7 months ago

Contribution guidelines

I've found a bug and checked that ...

Description

On one of my mailcow instances I have set up a few domains strictly as relayhost domains (as backup mx). Since the primary mailcow server hosting these domains is already using the dkim._domainkey selector, I created the domains on the backup mailcow using "relay" as the selector to avoid conflict on the dns record. I have since noticed two issues:

1) If you view the newly created relay domain in the UI (E-Mail > Configuration > Domains > Edit domain), the bottom of the domain edit page still displays the dkim section label as "(dkim._domainkey)", instead of the "(relay._domainkey)" it was created with.

2) There does not seem to be any way to edit the dkim selector after a domain is created.  Not sure if this is intended behavior, but it causes one to entirely delete/recreate a domain if a different selector is needed.

As always, thank you for the excellent platform!

Logs:

Only an aesthetic error / feature.

Steps to reproduce:

Please see description (can't seem to find any function to attach a screenshot on this form?).

Which branch are you using?

master

Operating System:

Ubuntu 22.04 LTS

Server/VM specifications:

6GB, 2 Cores

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

Linode/Akamai

Docker version:

24.0.7, build afdd53b

docker-compose version or docker compose version:

v2.21.0

mailcow version:

2023-11a

Reverse proxy:

no

Logs of git diff:

No

Logs of iptables -L -vn:

Not relevant

Logs of ip6tables -L -vn:

Not relevant

Logs of iptables -L -vn -t nat:

Not relevant

Logs of ip6tables -L -vn -t nat:

Not relevant

DNS check:

Not relevant

thumpco commented 7 months ago

Screenshot of relevant UI section:

Screenshot_20231208_190333

DerLinkman commented 7 months ago

Cannot reproduce that... at my instance it works as expected.

You can delete the DKIM Key and recreate one with the expected selector at the System -> Configuration -> ARC/DKIM keys panel.

thumpco commented 7 months ago

@DerLinkman Thank you. Looking under the ARC/DKIM panel it seems you're right. Mailcow ignored my custom selector when creating the domains and created the keys using the "dkim" selector anyway. I tried creating new keys with "relay" as the selector and the UI throws an error saying "invalid selector". It doesn't seem to allow me to create any selector except "dkim".

If this is by design, then how do I set up dkim dns entries on these domains for the backup mailcow relay to use? The normal "dkim._domainkey" entry is already in use by the primary mailcow server. I've been assuming the mailcow relay needs to use its own keys under a separate selector?

DerLinkman commented 7 months ago

As you can see here: Recording 2023-12-12 at 10 37 43

I can also create relay DKIM keys within the ARC/DKIM Keys Page.

How do you enter the key selector?

thumpco commented 7 months ago

@DerLinkman - thank you again. I have watched your video multiple times and tried to reproduce the exact steps with the same result. In the Domain/s field I'm entering my exact domain as "example.com" without quotes. In the Selector field I'm entering "relay", again without quotes, and then selecting 2048 bits.

I have 2 mailcow installations (both running 2023-11a) and have tried it with multiple domains on both. Each time I click "Add", I'm getting a red error message saying "DKIM domain or selector invalid: example.com". This seems to happen when I enter any selector except "dkim".

thumpco commented 7 months ago

The only thing I can see that might be different with my config than what I see in your video is that both my servers also have an Alias Domain with a dkim selector assigned, but the new selectors I'm trying to create are for "regular" domains. I've tried it with both my relay and direct hosted domains with the same result.

thumpco commented 7 months ago

@DerLinkman DOH!! Just figured it out. In both cases the domains already had a DKIM key using the "dkim" selector. When I delete these I'm able to add a "relay" selector instead.

So the only remaining issue is that when I created the domains, the UI ignored the "relay" selector entered on the creation screen and instead created the keys with "dkim" selectors. Then already having keys with the "dkim" selector, it was blocking me from creating the new one with a "relay" selector without first deleting the "dkim" ones.

THANK YOU

DerLinkman commented 7 months ago

Bit messed up due to the modals but I think you can see that it is working for me either if I select a different dkim selector on domain creation: Recording 2023-12-13 at 10 58 54

thumpco commented 7 months ago

@DerLinkman You are right again! I've done some more testing and finally figured out how I got here:

a) My domains had already existed and I wanted to change the dkim selector. Not finding it under the domain edit screen I thought I could just delete and re-add the domain with a new selector.

b) When I deleted the domains I was not aware the old dkim keys still existed. (Not being aware of the separate System > Config > Option > ARC/DKIM Keys option).

c) When re-adding the domains using a new selector I clearly must have missed the pop-up saying "dkim key already existed". (Since it's a fast pop-up and in color green, I likely thought it was just a confirmation of the domain being added.) So of course the system ignored my relay selector because a key with a dkim selector already existed.

My apologies for submitting as a bug report. Maybe a few items for consideration:

1) Maybe add an option (or default behavior) to delete dkim keys when deleting a domain to avoid building up key cruft (or a warning that keys will still remain)?

2) When creating a new domain with a pre-existing dkim key, maybe make the warning pop-up last longer (or in red) and provide a reference to the DKIM management page (e.g. see System > Config etc)

3) If Mailcow wants to eventually support TLS Reporting, then I assume we'll need a way to support separate/multiple dkim selectors for the domain sending/signing the outbound TLS Reports. Per RFC, it appears the outbound TLS reports should be signed by a dkim key with the service type declaration, "s=tlsrpt" (vs "s=email" as used by mailcow). It's unclear to me if "s=*" would suffice or if multiple service types can be listed for a single dkim key. https://www.rfc-editor.org/rfc/rfc8460.html#page-6

(Item 3 probably a much bigger/separate feature request given it should also support URI POST reporting, must ignore TLS errors and exempt the reporting email session from the report).

THANK YOU again for the assistance and amazing platform!
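
The selector and service-type points raised in the comment above, as an added example that is not part of the original thread or of mailcow's code: a DKIM key record is published at `<selector>._domainkey.<domain>`, and RFC 6376 defines its `s=` tag as a colon-separated list of service types that defaults to `*` when absent. The records, the `reports` and `old` selectors and the key values below are constructed for illustration.

```python
# Added illustration: parse DKIM key records (RFC 6376, section 3.6.1) and
# report which selectors carry a key usable for a given service type.

def record_name(selector, domain):
    """DNS name at which the key record for a selector is published."""
    return f"{selector}._domainkey.{domain}"

def parse_key_record(txt):
    """Split a DKIM key TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue  # empty trailing segment or malformed tag
        name, value = part.split("=", 1)  # base64 '=' padding stays in value
        tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def service_types(tags):
    """Service types listed in s=; '*' (all services) when the tag is absent."""
    return [s for s in tags.get("s", "*").split(":") if s]

def key_allows(tags, service):
    """True if the record holds a key and its s= list covers `service`."""
    if tags.get("p", "") == "":
        return False  # missing p= is unusable, empty p= means revoked
    types = service_types(tags)
    return "*" in types or service in types

# Constructed records: one selector per signer, so the primary ("dkim") and
# the backup relay ("relay") never compete for the same DNS name.
SAMPLE_ZONE = {
    record_name("dkim", "example.com"): "v=DKIM1; k=rsa; s=email; p=MIIBconstructedPrimary",
    record_name("relay", "example.com"): "v=DKIM1; k=rsa; p=MIIBconstructedRelay",
    record_name("reports", "example.com"): "v=DKIM1; k=rsa; s=email:tlsrpt; p=MIIBconstructedReports",
    record_name("old", "example.com"): "v=DKIM1; k=rsa; s=*; p=",
}

def selectors_for(service, zone=SAMPLE_ZONE):
    """Sorted record names whose key may be used for `service`."""
    return sorted(name for name, txt in zone.items()
                  if key_allows(parse_key_record(txt), service))

if __name__ == "__main__":
    for svc in ("email", "tlsrpt"):
        print(svc, "->", selectors_for(svc))
```
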

DerLinkman commented 7 months ago

Thanks for clarification!

Could you open up enhancement issues as they will get lost when they are listed here?

Would really help us to order this.

thumpco commented 7 months ago

@DerLinkman will do. Thank you.