sympa-community / sympa

Sympa, Mailing List Management Software
https://www.sympa.community/sympa
GNU General Public License v2.0

DKIM signing not working #1702

Closed ThbtSprt closed 1 year ago

ThbtSprt commented 1 year ago

Version

6.2.60

Installation method

debian binary (apt install sympa) (installation on Debian 11, with Postfix)

Expected behavior

DKIM headers of received emails from lists should be populated.

Actual behavior

Message is not signed.

Additional information

/etc/sympa/sympa/sympa.conf :

dkim_feature on
dkim_add_signature_to list,robot
dkim_signature_apply_on any
dkim_private_key_path  /etc/opendkim/keys/listes.sympa/default.private
dkim_signer_domain listes.mydomain.fr
dkim_selector default
arc_feature on
dmarc_protection.mode all

The TXT record containing the public key is properly deployed at default._domainkey.

The private key has been created with opendkim, and sympa has permissions on it.

ikedas commented 1 year ago

Please check the Summary of parameters in the Administration Manual and confirm you are setting appropriate parameters for your version of Sympa.

ThbtSprt commented 1 year ago

Hello @ikedas, thank you, I just checked; my parameters in sympa.conf were right.

The messages have a DKIM signature when sent from a user to the list, but not when sent from the robot. Here are the headers of a welcome message:

Return-Path: tests-owner@mydomain.fr
X-Original-To: usertest@domain.com
Delivered-To: usertest@domain.com
Received: from mydomain.fr (mydomain.fr [46.226.107.xxx])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
    (No client certificate requested)
    by mailin036.protonmail.ch (Postfix) with ESMTPS id 4R9ngS0ts5z9vNPp
    for usertest@domain.com; Wed, 26 Jul 2023 08:51:16 +0000 (UTC)
Received: by mydomain.fr (Postfix, from userid 110) id C8FD923114; Wed, 26 Jul 2023 08:51:15 +0000 (UTC)
Authentication-Results: mailin036.protonmail.ch; dmarc=pass (p=quarantine dis=none) header.from=mydomain.fr
Authentication-Results: mailin036.protonmail.ch; spf=pass smtp.mailfrom=mydomain.fr
Authentication-Results: mailin036.protonmail.ch; arc=none smtp.remote-ip=46.226.107.xxx
Authentication-Results: mailin036.protonmail.ch; dkim=none
Message-Id: sympa.1690361475.14810.34@mydomain.fr
Date: Wed, 26 Jul 2023 08:51:15 +0000
To: usertest@domain.com
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: QUOTED-PRINTABLE
Auto-Submitted: auto-generated
From: tests-request@mydomain.fr
Subject: Bienvenue sur la liste tests
X-Mailer: Sympa 6.2.60
X-Rspamd-Queue-Id: 4R9ngS0ts5z9vNPp
X-Rspamd-Server: cp5-mailin-036.plabs.ch
X-Spamd-Result: default: False [-0.70 / 25.00];
    DMARC_POLICY_ALLOW(-0.50)[mydomain.fr,quarantine];
    R_SPF_ALLOW(-0.20)[+mx];
    MIME_GOOD(-0.10)[text/plain];
    ONCE_RECEIVED(0.10)[];
    BAYES_HAM(-0.00)[42.06%];
    R_DKIM_NA(0.00)[];
    RCVD_COUNT_ONE(0.00)[1];
    RCVD_TLS_LAST(0.00)[];
    FROM_NEQ_ENVFROM(0.00)[tests-request@mydomain.fr,tests-owner@mydomain.fr];
    ASN(0.00)[asn:203476, ipnet:46.226.104.0/22, country:FR];
    TO_MATCH_ENVRCPT_ALL(0.00)[];
    NEURAL_HAM(-0.00)[-0.932];
    MID_RHS_MATCH_FROM(0.00)[];
    ARC_NA(0.00)[];
    FROM_NO_DN(0.00)[];
    TO_DN_NONE(0.00)[];
    RCPT_COUNT_ONE(0.00)[1];
    MIME_TRACE(0.00)[0:+]
X-Rspamd-Action: no action
X-Pm-Origin: external
X-Pm-Transfer-Encryption: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
X-Pm-Content-Encryption: on-delivery
X-Pm-Spamscore: 0
X-Pm-Spam-Action: inbox

Additional information

I haven't filled in the form in the web interface, in order to let the global config apply:

[Screenshot 2023-07-26 at 10 53 15]

ikedas commented 1 year ago

@ThbtSprt ,

You wrote that you are using Sympa 6.2.60. Please check the section "6.2.58 to 6.2.70" in the Summary of parameters.

ThbtSprt commented 1 year ago

Yes, thank you @ikedas, I edited the issue in this way, but I still get the same results after restarting sympa + postfix.

ikedas commented 1 year ago

Could you please show the full (except db_XXX parameters) configuration in sympa.conf?

Besides, which location of the file are you using: /etc/sympa/sympa.conf, /etc/sympa/sympa/sympa.conf, or both!?

ThbtSprt commented 1 year ago

Here it is (I use the path /etc/sympa/sympa/sympa.conf on Debian 11; I replaced my real domain with "mydomain.fr"):

lang fr
domain mydomain.fr
listmaster adress@mydomain.fr
cookie 3870e7c0ce14c9d0c2defaae1fc9e5f9ebb67590
db_type mysql
db_name xxx
db_host xxx
db_user xxx
db_passwd xxx
db_port xxx
static_content_path /usr/share/sympa/static_content
static_content_url /static
css_path /var/lib/sympa/css
css_url /css
pictures_path /var/lib/sympa/pictures
pictures_url /pictures
use_fast_cgi 1
wwsympa_url https://mydomain.fr/sympa
sendmail_aliases /etc/sympa/sympa_transport
aliases_program postmap
aliases_db_type hash
dkim_feature on
dkim_add_signature_to list,robot
dkim_signature_apply_on any
dkim_private_key_path /etc/opendkim/keys/mydomain.fr/default.private
dkim_signer_domain mydomain.fr
dkim_selector default
arc_feature on
dmarc_protection.mode all

ikedas commented 1 year ago

Please check if:

ThbtSprt commented 1 year ago

Yes, I just checked.

  1. Output of ls -l /etc/opendkim/keys/mydomain.fr/default.private = -rw-r--r-- 1 sympa sympa 1679 Jul 17 18:24 default.private

  2. dig -t txt default._domainkey.mydomain.fr (executed from the host of Sympa) returns the correct public key

  3. I compared the modulus of private and public keys with openssl, and it outputs the same
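
The three checks listed in the comment above (key file permissions, the published TXT record, and private/public key agreement) can be run as one script. This is an added example, not part of the original thread or of Sympa; the function names are hypothetical, `dig` and `openssl` are assumed to be installed, and the permission check is stricter than the thread's: it warns on a key that is accessible to group or others, as the `-rw-r--r--` mode shown above is.

```shell
#!/bin/sh
# Added example: the DKIM key checks from the thread as one script.
# Function names are hypothetical; dig and openssl are assumed installed.

# True when the key file grants no permissions to group or others.
key_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Read `dig +short TXT` output on stdin and print the p= tag value.
# Long records come back as several quoted strings, so quotes and
# whitespace are removed before the tag is extracted.
txt_p_value() {
    s=$(tr -d '" \t\n')
    printf ';%s\n' "$s" | sed -n 's/.*;p=\([^;]*\).*/\1/p'
}

# Print the public key derived from a private key in the form DKIM
# publishes it: base64 of the DER-encoded SubjectPublicKeyInfo.
priv_pubkey_b64() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# usage: check_dkim_key KEYFILE SELECTOR DOMAIN
check_dkim_key() {
    key_mode_ok "$1" || echo "WARN: $1 is accessible by group or others" >&2
    published=$(dig +short TXT "$2._domainkey.$3" | txt_p_value)
    derived=$(priv_pubkey_b64 "$1")
    if [ -n "$derived" ] && [ "$derived" = "$published" ]; then
        echo "OK: private key matches $2._domainkey.$3"
    else
        echo "FAIL: private key does not match $2._domainkey.$3" >&2
        return 1
    fi
}

# Example: sh check.sh /etc/opendkim/keys/mydomain.fr/default.private default mydomain.fr
if [ "$#" -eq 3 ]; then check_dkim_key "$@"; fi
```

A passing result only confirms that the key material and DNS agree; it does not show that Sympa actually signs robot-generated mail, which is what `dkim=none` in the received headers reports.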

ikedas commented 1 year ago

Anyways 6.2.60 is a bit older. Please update sympa and dependent packages (especially libmail-dkim-perl) to the recent release.

ThbtSprt commented 1 year ago

Ok, thank you, I'll try that way.

Unfortunately, it is still this version 6.2.60 that comes with the command apt install sympa

ikedas commented 1 year ago

You may use bullseye-backports package.

ThbtSprt commented 1 year ago

Thank you, the problem disappeared with upgrade to 6.2.70