Closed thumpco closed 7 months ago
Screenshot of relevant UI section:
Cannot reproduce that... at my instance it works as expected.
You can delete the DKIM Key and recreate one with the expected selector at the System -> Configuration -> ARC/DKIM keys
panel.
@DerLinkman Thank you. Looking under the ARC/DKIM panel it seems you're right. Mailcow ignored my custom selector when creating the domains and created the keys using the "dkim" selector anyway. I tried creating new keys with "relay" as the selector and the UI throws an error saying "invalid selector". It doesn't seem to allow me to create any selector except "dkim".
If this is by design, then how do setup dkim dns entries on these domains for the backup mailcow relay to use? The normal "dkim._domainkey" entry is already in use by the primary mailcow server. I've been assuming the mailcow relay needs to use it's own keys under a separate selector?
As you can see here:
I can create also relay DKIM keys within the ARC/DKIM Keys Page.
How do you enter the key selector?
@DerLinkman - thank you again. I have watched your video multiple times and tried to reproduce the exact steps with the same result. In the Domain/s field I'm entering my exact domain as "example.com" without quotes. In the Selector field I'm entering "relay", again without quotes, and then selecting 2048 bits.
I have 2 mailcow installations (both running 2023-11a) and have tried it with multiple domains on both. Each time I click "Add", I'm getting a red error message saying "DKIM domain or selector invalid: example.com". This seems to happen when I enter any selector except "dkim".
The only thing I can see that might be different with my config than what I see in your video is that both my servers also have an Alias Domain with a dkim selector assigned, but the new selectors I'm trying to create are for "regular" domains. I've tried it with both my relay and direct hosted domains with the same result.
@DerLinkman DOH!! Just figured it out. In both cases the domains already had a DKIM key using the "dkim" selector. When I delete these I'm able to add a "relay" selector instead.
So the only remaining issue is that when I created the domains, the UI ignored the "relay" selector entered on the creation screen and instead created the keys with "dkim" selectors. Then already having keys with the "dkim" selector, it was blocking me from creating the new one with a "relay" selector without first deleting the "dkim" ones.
THANK YOU
Bit messed up due to the modals but i think you can see that it is working for me either if i select a different dkim selector on domain creation:
@DerLinkman You are right again! I've done some more testing and finally figured out how I got here:
a) My domains had already existed and I wanted to change the dkim selector. Not finding it under the domain edit screen I thought I could just delete and re-add the domain with a new selector.
b) When I deleted the domains I was not aware the old dkim keys still existed. (Not being aware of the separate System > Config > Option > ARC/DKIM Keys option).
c) When re-adding the domains using a new selector I clearly must have missed the pop-up saying "dkim key already existed". (Since it's a fast pop-up and in color green, I likely though it was just a confirmation of the domain being added.) So of course the system ignored my relay selector because a key with a dkim selector already existed.
My apologies for submitting as a bug report. Maybe a few items for consideration:
1) Maybe add an option (or default behavior) to delete dkim keys when deleting a domain to avoid building up key cruft (or a warning that keys will still remain)?
2) When creating a new domain with a pre-existing dkim key, maybe make the warning pop-up last longer (or in red) and provide a reference to the DKIM management page (e..g. see System > Config etc)
3) If Mailcow wants to eventually support TLS Reporting, then I assume we'll need a way to support separate/multiple dkim selectors for the domain sending/signing the outbound TLS Reports. Per RFC, it appears the outbound TLS reports should be signed by a dkim key with the service type declaration, "s=tlsrpt" (vs "s=email" as used by mailcow). It's unclear to me if "s=*" would suffice or if multiple service types can be listed for a single dkim key. https://www.rfc-editor.org/rfc/rfc8460.html#page-6
(Item 3 probably a much bigger/separate feature request given it should also support URI POST reporting, must ignore TLS errors and exempt the reporting email session from the report).
THANK YOU again for the assistance and amazing platform!
Thanks for clarification!
Could you open up enhancement issues as they will get lost when they are listed here?
Would really help us to order this.
@DerLinkman will do. Thank you.
Contribution guidelines
I've found a bug and checked that ...
Description
Logs:
Steps to reproduce:
Which branch are you using?
master
Operating System:
Ubuntu 22.04 LTS
Server/VM specifications:
6GB, 2 Cores
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
Linode/Akamai
Docker version:
24.0.7, build afdd53b
docker-compose version or docker compose version:
v2.21.0
mailcow version:
2023-11a
Reverse proxy:
no
Logs of git diff:
Logs of iptables -L -vn:
Logs of ip6tables -L -vn:
Logs of iptables -L -vn -t nat:
Logs of ip6tables -L -vn -t nat:
DNS check: