nodemailer / wildduck

Opinionated email server
https://wildduck.email/
European Union Public License 1.2

dkim is not signed #728

Open catthecreator opened 2 weeks ago

catthecreator commented 2 weeks ago

I'm using the container version of WildDuck.

I created a dkim for the domain using the api method https://docs.wildduck.email/api/#operation/postdkim

I have activated the sign Transport Domain parameter in /config/wildduck/dkim.toml. I am sending an email from the same domain for which the signature was generated. When sending an email, it is not signed by DKIM.

What did I miss?

image

NickOvt commented 1 week ago

Hi!

  1. Are you testing locally or on a public server?
  2. Are you sending the email through the Wildduck API or through IMAP/SMTP Client (such as Thunderbird)?
  3. How do you verify that the email has not been signed? Do you perhaps have an .eml file to show us so we can check? You need to check the Authentication-Results header and look for dkim=pass. Try sending an email to your Gmail or any other account and look for any text that says something like "signed by".
  4. Does the problem appear only on intra-domain emails (i.e. emails sent to the same domain)? Or do you have an issue with DKIM even if you send an email outside your domain?
  5. Check that you have DKIM added on your DNS records
catthecreator commented 1 week ago

  1. Public server
  2. Via Wildduck API
  3. Welcome.zip
  4. I'm sending it to Google
  5. Checked

I am replacing the domain name so that it cannot be found in the search

my dns dkim record:

image

Wildduck api dkim:

GET http://apihost:8080/dkim/66d1bbb05c9d6f1d8060d74e

{
    "id": "66d1bbb05c9d6f1d8060d74e",
    "domain": "mysecretdomain.com",
    "selector": "owl",
    "description": "Just description 2",
    "fingerprint": "88:f0:ff:28:ad:7b:65:90:1c:62:2d:ca:78:56:06:3e:74:08:dd:4f:f4:d0:2c:ef:8e:af:71:aa:c9:51:3e:d9",
    "publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5MBNmTjjqdCGQ5PC7CTI\nolpUuvIX25dVwZ9l7RRVilImcWAsIeTuDha1VBZgAzD00iQCiCzigg2oTK3gFPfk\n0FsaSi/NtFWoR9Z9KloPPB5qYppIVKDsWfNFMGUcbuwrw4u71YfidXTouXtdf4HU\nZtVV/cx9PxtgO8f3LIWlI32f44ertm5/DAZ+B55fYbLNcQyYbsHBHcS/XT6Nf7zZ\n2TYCxK39QcKjSlhNhczAdQy+lZXlCSBTE+x7PIEghX2nKTCYY4ozIAR/H2wMrxbx\n67EI8cTBAlZVyoZN6C1pHT2XNGtI7Xo0L3zTb1NknaATOsrfpX7H2J1nq3LgTBwX\nfwIDAQAB\n-----END PUBLIC KEY-----\n",
    "dnsTxt": {
        "name": "owl._domainkey.mysecretdomain.com",
        "value": "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5MBNmTjjqdCGQ5PC7CTIolpUuvIX25dVwZ9l7RRVilImcWAsIeTuDha1VBZgAzD00iQCiCzigg2oTK3gFPfk0FsaSi/NtFWoR9Z9KloPPB5qYppIVKDsWfNFMGUcbuwrw4u71YfidXTouXtdf4HUZtVV/cx9PxtgO8f3LIWlI32f44ertm5/DAZ+B55fYbLNcQyYbsHBHcS/XT6Nf7zZ2TYCxK39QcKjSlhNhczAdQy+lZXlCSBTE+x7PIEghX2nKTCYY4ozIAR/H2wMrxbx67EI8cTBAlZVyoZN6C1pHT2XNGtI7Xo0L3zTb1NknaATOsrfpX7H2J1nq3LgTBwXfwIDAQAB"
    },
    "created": "2024-08-30T16:51:30.711Z",
    "success": true
}

I sent the message like this:

POST http://apihost:8080/users/66cf5c04d9402600076a79ad/submit

{
    "to": [{
        "name": "Catthecreator",
        "address": "mysecretmailbox@gmail.com"
    }],
    "from": {
        "address": "tester@mysecretdomain.com"
    },
    "replyTo": {
        "address": "tester@mysecretdomain.com"
    },
    "subject": "Welcome",
    "text": "Test message from api"
}
NickOvt commented 6 days ago

But why does your DKIM DNS key contain another "? Is that supposed to be how it looks in your dns provider or is that a typo? On the image you sent, there is ... "sHBHcS ....

I just set up a basic wildduck server, added dkim. Sent an email to gmail and the DKIM is working. So I would first check if the dns entry is actually correct and those quotes are not included in the value but are just how your provider displays the value.

catthecreator commented 6 days ago

The provider says this is normal behavior, it's just that the txt record is limited to 255 characters

I asked chatgpt and searched the internet - this is really a normal practice

https://support.cpanel.net/hc/en-us/articles/4402114117911-Why-are-DKIM-TXT-records-split

I generally do not understand what the dns record has to do with it, since there is no dkim signature in the body of the letter. It will never get to checking dns records, because there is nothing to check.

Or am I wrong?

louis-lau commented 6 days ago

Yeah it's just a split record. A lot of people don't know about them, as most dns providers show them as a single string in their panel. But it's how dns works and it's fine.
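Two checks from this thread in one added Python script (not WildDuck code, and not the issue's attachment): NickOvt's step 3, reading DKIM-Signature and Authentication-Results from a delivered message, and louis-lau's point that a TXT record split into 255-character strings is joined back by the resolver, checked against the publicKey the /dkim API returns. The key and the message below are constructed stand-ins.

```python
import email
import re

def dkim_tags(value: str) -> dict:
    """Parse a DKIM tag=value list ('v=1; d=...; s=...'), ignoring folding whitespace."""
    tags = {}
    for part in re.sub(r"\s+", "", value).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key] = val
    return tags

def dkim_status(raw_eml: str) -> dict:
    """Step 3 of the thread: is the message signed at all, and what did the receiver's verifier say?"""
    msg = email.message_from_string(raw_eml)
    sigs = [dkim_tags(h) for h in msg.get_all("DKIM-Signature", [])]
    results = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"\bdkim=(\w+)", results)
    return {
        "signed": bool(sigs),                                  # False means zone-mta never signed it
        "signing_domains": [(t.get("d"), t.get("s")) for t in sigs],  # (d=, s=) per signature
        "verifier_result": m.group(1) if m else None,          # 'pass', 'fail', ... from the receiver
    }

def split_txt(value: str, limit: int = 255) -> list:
    """What a DNS provider does with a long TXT record: cut it into strings of at most 255 bytes."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]

def pem_body(pem: str) -> str:
    """Base64 body of a PEM public key, which is exactly what the DKIM p= tag carries."""
    return "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))

def dns_record_matches_key(txt_strings: list, pem: str) -> bool:
    """Join the split strings (a resolver does the same) and compare p= with the API's publicKey."""
    tags = dkim_tags("".join(txt_strings))
    return tags.get("v") == "DKIM1" and tags.get("p") == pem_body(pem)

# Constructed sample data (not the real key or attachment from the issue): a fake key body long
# enough to force a split, and a message laid out the way a receiving MTA such as Gmail returns it.
FAKE_KEY_BODY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" * 10   # 320 chars, so the TXT value exceeds 255
FAKE_PEM = f"-----BEGIN PUBLIC KEY-----\n{FAKE_KEY_BODY[:64]}\n{FAKE_KEY_BODY[64:]}\n-----END PUBLIC KEY-----\n"
FAKE_DNS_VALUE = "v=DKIM1;t=s;p=" + FAKE_KEY_BODY
SAMPLE_EML = (
    "Authentication-Results: mx.google.com;\n"
    "       dkim=pass header.i=@mysecretdomain.com header.s=owl;\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mysecretdomain.com; s=owl;\n"
    " h=from:to:subject; bh=FAKEBODYHASH=; b=FAKESIGNATURE=\n"
    "From: tester@mysecretdomain.com\nSubject: Welcome\n\nTest message from api\n"
)
```

Run dkim_status on the raw .eml as received by the remote mailbox: "signed": False points at the sending side (zone-mta and its key lookup), while "signed": True with a non-pass verifier result points at the DNS record.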

NickOvt commented 6 days ago

Do you have DKIM enabled in zone-mta plugin? Under zone-mta/plugins/wildduck.yaml. signTransportDomain = true

catthecreator commented 6 days ago

It was disabled. I enabled it and restarted the containers. The situation has not changed.

Welcome (2).zip

["modules/zonemta-wildduck"]
enabled=["receiver", "sender"]

# which SMTP interfaces this plugin applies to. Use "*" for all interfaces
interfaces=["feeder"]

# optional hostname to be used in headers
# defaults to os.hostname()
hostname="mysecretdomain.com"

# How long to keep auth records in log
authlogExpireDays=30

# default smtp recipients for 24h (can be overridden per user)
maxRecipients=2000

disableUploads=false # if true then messages are not uploaded to Sent Mail folder
uploadAll=false # if false then messages from Outlook are not uploaded to Sent Mail folder

# SRS settings for forwarded emails
# ---------------------------------

["modules/zonemta-wildduck".srs]
    # Handle rewriting of forwarded emails. If false then SRS is not used
    # Only affect messages that have interface set to "forwarder"
    enabled=true

    # SRS secret value. Must be the same as in the MX side
    secret="supersecretpass"

    # SRS domain, must resolve back to MX
    rewriteDomain="mysecretdomain.com"

# DKIM Settings
# -------------

["modules/zonemta-wildduck".dkim]
    # If true then also adds a signature for the outbound domain
    signTransportDomain=true

    # If set then decrypt encrypted DKIM keys using this password
    #secret="a secret cat"

    # Cipher to use to decrypt encrypted DKIM keys
    #cipher="aes192"

["modules/zonemta-wildduck".gelf]
    enabled=false
    component="mta"

["modules/zonemta-wildduck".gelf.options]
    graylogPort=12201
    graylogHostname='127.0.0.1'
    connection='lan'
louis-lau commented 6 days ago

Is zonemta set to use the same db as wildduck? I think it's probable that the plugin is not finding your dkim keys in the db for some reason.

louis-lau commented 5 days ago

(By the way, signTransportDomain is not needed for your use case of signing the from address domain. You'd use that to also sign with mta.example.com. So you can leave it false. Signing the from domain should happen automatically if it finds a matching key in the db.)

catthecreator commented 4 days ago

> Is zonemta set to use the same db as wildduck? I think it's probable that the plugin is not finding your dkim keys in the db for some reason.

I am using the standard configuration from the repository:

https://github.com/nodemailer/wildduck-dockerized

The only thing I changed is the version here, to nodemailer/wildduck:1.45.0,

in the file https://github.com/nodemailer/wildduck-dockerized/blob/dedc7cacc3e1e942c1f73fe037115eca37d206ee/docker-compose.yml#L8

my /wildduck-dockerized/config/zone-mta/zonemta.toml : https://github.com/nodemailer/wildduck-dockerized/blob/master/default-config/zone-mta/zonemta.toml