https://discuss.freedombox.org/t/solved-email-messages-not-signed-with-dkim/2387
FreedomBox Forum, Support: [SOLVED] Email messages not signed with DKIM

Ged296123, December 15, 2022, 7:10pm (#1)

Problem Description
Mail-testers (specifically Port25 Verifier) are responding to my emails with dkim=none reason="message not signed"

Steps to Reproduce
1. Login to Roundcube
2. Compose message with subject, body and add mail-tester to recipient
3. Send Email
4. Received email report / test result fails dkim because message is not signed.

Expected Results
Pass dkim tests

Additional Info
Checking DNS records with dkim selector respond with a positive key result. No issues with DNS settings - they comply to plinth specified keys.

Information
* FreedomBox version: 22.26
* Hardware: Raspberry Pi 4
* How did you install FreedomBox?: Through Debian repos

Note: Anyone with a brief description on how FBX signs emails would also be appreciated. As far as I understand, FBX doesn't use tools like OpenDKIM, so I can't seem to find any online resources to actually know where I can intervene or understand what may cause the problem. Thanks again.

Ged296123, December 16, 2022, 7:21pm (#2)

Looks like rspamd is responsible for signing DKIM. In /etc/postfix/main.cf I noticed
> non_smtpd_milters = inet:127.0.0.1:11332
> smtpd_milters = inet:127.0.0.1:11332
Additionally, /var/lib/rspamd/dkim/ holds a key to the domain… why then doesn't rspamd sign the outgoing e-mails? Also noticed that as per the DKIM signing module there should be a dkim_signing.conf file somewhere under /etc/rspamd/local.d which doesn't seem to exist… or am I all in the wrong direction?.. hmph…

Ged296123, February 2, 2023, 3:51pm (#3)

Anyone have any thoughts about this… my self-hosted email is now being blocked by Google…

timmy, February 2, 2023, 5:59pm (#4)

Is there a sample of the dkim_signing.conf you could use to create a correct config for yourself? I'm woefully inexperienced on email setups.

Ged296123, February 2, 2023, 8:52pm (#5)

There are samples online (i.e. the rspamd DKIM signing module web page). Though, the FreedomBox setup does not align with the file locations stated on this website. So,
a. I don't know where I should place a config file for DKIM signing
b. rspamd configuration is also different from the default rspamd setup - I can't even figure out how to check if it's configured to sign.

ziomatt, February 5, 2023, 1:05am (#6)

Have you found out anything new? I'm pretty sure I'm having the same problem. For me, the mail check reports that the DKIM is not aligned. However, if I look at an email I sent to my gmail account, I'm not seeing the DKIM line like I do on emails I've received from other senders.

FreedomBox version: 23.2
Hardware: Pioneer Edition FreedomBox
How did I install FreedomBox? Pioneer Edition Images

I also found the private key in the same location that you did, and I also found an error message in the logs via Cockpit along these lines: https://lists.rspamd.com/pipermail/users/2019-July/000831.html

When I looked at the permissions, it was read-only for root. So, I tried changing the ownership to the _rspamd user, and I updated the permissions to include the write permission. I also rebooted the FreedomBox. I no longer saw the error message in the logs (not even the prior one), but email messages still aren't being signed. Oddly, I don't see the error message coming up after changing the ownership and permissions back, restarting the server, and sending an email.

As for knowing whether it is set up to sign emails, I do see an entry in the log (via Cockpit) about loading a module:
> kecb3d>; cfg; rspamd_init_lua_filters: init lua module dkim_signing from /usr/share/rspamd/plugins/dkim_signing.lua; digest: 58702b0f6d
I'm looking at "Debug" level logs. Though, I'm not familiar enough to read the code.

ziomatt, February 6, 2023, 3:20pm (#7)

Okay, over the weekend, I was able to find some more information on this. Apparently, a good portion of the capability was added over the summer of '21 as part of the Google Summer of Code. As part of that effort, a checklist was created and it does look like the work stopped short of implementing full DKIM functionality:
> GitLab: Add app for managing a full mail server setup (#56) · Issues · FreedomBox / ...
> Tasks: The following is the implementation plan/TODOs for mail server app in FreedomBox:

I did also notice that there are a number of entries in the historical Release Notes. So, more may have been done, but it's a start. One nice thing is that there are paths to files and at least initial information about enabling it. So, we should be able to check that. Anyway, I probably won't get back to this until at least this coming weekend, but I thought I'd pass this along.

ziomatt, February 18, 2023, 9:08pm (#9)

Yeah, it would be nice if the wiki pages and the manual were more clear about what is implemented and what will be implemented. That said, I love the fact that they have created a project where we can collaborate in standing up what we want. Once I finish getting the main things working for myself, I think the first thing I'll do is to try to clean up the existing documentation. Then, maybe I'll be in a position to actually contribute to the functionality.

Anyway, I was finally able to get back to this, and it was about as easy as following the instructions in that issue I referenced above. Here are the notes (verbose for anyone else who happens to come across this).

I started with the example dkim_signing.conf file on the page you referenced (DKIM signing module), saving it to /etc/rspamd/local.d/dkim_signing.conf. I then made sure these options (referenced in the issue) were set as indicated:
> path = "/var/lib/rspamd/dkim/$domain.$selector.key";
> selector_map = "/etc/rspamd/dkim_selectors.map";
> allow_username_mismatch = true;
> use_esld = false;
rspamd replaces $domain and $selector with the entries from the map file (covered in the next paragraph).

After that, I updated these settings in hopes of seeing log messages if the DNS configuration happened to be wrong:
> check_pubkey = true;
> allow_pubkey_mismatch = false;

Then, I created the file /etc/rspamd/dkim_selectors.map with the two values. In this case, the "timestamp" is the selector ("dkim"). So, it's
> {domain} dkim
with {domain} replaced with the actual domain.

Next, I updated the owner and permissions of /var/lib/rspamd/dkim/{domain}.dkim.key:
> chown _rspamd:_rspamd /var/lib/rspamd/dkim/{domain}.dkim.key
> chmod u+w /var/lib/rspamd/dkim/{domain}.dkim.key

With that, I restarted rspamd:
> /etc/init.d/rspamd restart
and the next email I sent was signed. Let me know if you are able to get it to work.

Ged296123, February 19, 2023, 10:29am (#10)

Worked like a charm, thank you : )

Ged296123, March 14, 2023, 9:09am (#12)

A side note: While reading through this, I discovered that you can easily configure ARC once you have DKIM working. To do so (after configuring DKIM), copy the configuration for ARC (with sudo as necessary):
> cp /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/local.d/arc.conf

antidoto, April 1, 2023, 3:10pm (#13)

Although I did all the steps as described by ziomatt, my mail is still getting marked as spam by gmail. Also when I send a message to another carrier (posteo) I get the response:
> --------------------------------------------------------------------------------
> This is the mail system at host mygreatdomain.net.
> I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
> For further assistance, please send mail to postmaster.
> If you do so, please include this problem report. You can delete your own text from the attached returned message.
> The mail system
> anotheruser@posteo.net: host mx03.posteo.de[185.67.36.70] said: 550 5.7.1 Service unavailable; client [hidden by me] blocked using zen.spamhaus.org (in reply to RCPT TO command)
> --------------------------------------------------------------------------------
Is there a way to troubleshoot? Is it possible that the reason is that my ISP doesn't provide me with a static IP? I got two test results in mail-tester.com, one was 7.9 and the other was 5.9. Lastly, when I create /etc/rspamd/local.d/arc.conf I get a message "connection failed" from two e-mail clients.

antidoto, April 2, 2023, 12:52pm (#14)

[screenshot, 1355×258] This is the DMARC report from Google.

Ged296123, April 3, 2023, 7:01am (#15)

Both 5.9 and 7.9 on mail-tester are low even without DKIM signature. You may have misconfigured your signature file but it may also be that your server is somewhat compromised (which happened to me). I suggest reverting back to the initial installation configuration and checking your mail queue and logs with:
a. run mailq in terminal. Check if you have outgoing mails that you didn't actually send.
b. check your logs with journalctl -u postfix@-.service to see if there is any mail you didn't actually send.
If you think there are any problems, I suggest take it from there. Hope it helps.

antidoto, April 3, 2023, 10:08am (#16)

Thank you for your suggestions, I did run the commands you proposed and:
a. empty
b. Didn't show anything suspicious, although I do not know exactly what I should look for.

About mail-tester, the main problem is:
> -1.274 | RDNS_NONE | Delivered to internal network by a host with no rDNS. This may indicate you do not have a rDNS configured for your hostname or the rDNS does not match your sending IP
> YOUR REVERSE DNS DOES NOT MATCH WITH YOUR SENDING DOMAIN. Your IP address (MY ACTUAL PUBLIC IP) is associated with the domain 3(NXDOMAIN). Nevertheless your message appears to be sent from mydomain.net. You may want to publish a pointer (PTR type) DNS record with a value of mydomain.net or use 3(NXDOMAIN) as hostname in your mail software.
> Here are the tested values for this check:
> * IP: (MY ACTUAL PUBLIC IP)
> * HELO: mydomain.net
> * rDNS: 3(NXDOMAIN)
So my question is: Is it possible to set rDNS without an external static IP?

Ged296123, April 3, 2023, 12:11pm (#17)

Hi, Sorry, I believe that's something you can only solve with your ISP. Here in my country, I practically sent an email to my ISP for rDNS (PTR) and they changed it. It was not something in my control.

antidoto, April 3, 2023, 4:32pm (#18)

I am now a little bit lost. I will continue to expand my noobness though in the pursuit to understand. Maybe it will help others in the future… What am I expecting from my ISP? An IPv4 address? A domain name? Will I need to update my DNS records with the value/address/domain that my ISP will provide me in order to enable reverse DNS to my domain? Is there an example I can follow? Thank you all for your patience.

Avron, April 3, 2023, 7:36pm (#19)

antidoto:
> What am I expecting from my ISP? an ipv4 address? a domain name?

If your IPv4 address is a.b.c.d, you need a DNS record such as:
> d.c.b.a.in-addr.arpa PTR mydomain.net
It points an IP address to a name (instead of the opposite in the usual usage of DNS). Only the entity that owns the address a.b.c.d can do that, so probably your ISP. Some ISPs accept doing that, others don't (one ISP in my country provides an interface to do that, my current ISP simply does not allow that at all).
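A pre-flight check for the setup ziomatt describes in post #9, added here as an example; it is not FreedomBox or rspamd code. It assumes the layout from that post (a selector map of "domain selector" lines and keys named domain.selector.key in one directory) and takes all paths and the expected key owner as parameters so it can be run against copies of the files. The _rspamd owner and /var/lib/rspamd/dkim location are what the thread reports for Debian; adjust if your install differs.

```shell
#!/bin/sh
# dkim_preflight CONF MAP KEYDIR OWNER
#   CONF   dkim_signing.conf (FreedomBox: /etc/rspamd/local.d/dkim_signing.conf)
#   MAP    selector map      (FreedomBox: /etc/rspamd/dkim_selectors.map)
#   KEYDIR private key dir   (FreedomBox: /var/lib/rspamd/dkim)
#   OWNER  user that must be able to read the keys (_rspamd on Debian)
# Prints one line per finding. Returns 0 only if every check passed.
dkim_preflight() {
    conf=$1; map=$2; keydir=$3; owner=$4
    rc=0

    # 1. Options post #9 says must be present. If one is missing rspamd uses its
    #    built-in default, e.g. a key path that does not exist on FreedomBox.
    for opt in path selector_map allow_username_mismatch use_esld; do
        if ! grep -Eq "^[[:space:]]*$opt[[:space:]]*=" "$conf"; then
            echo "FAIL: $opt is not set in $conf"; rc=1
        fi
    done
    # The path template must contain the placeholders rspamd substitutes from the map.
    if ! grep -Fq '$domain.$selector.key' "$conf"; then
        echo "FAIL: path in $conf does not use the \$domain.\$selector.key template"; rc=1
    fi
    # use_esld = true would sign mail from sub.example.org as example.org and
    # look for a key that is not in the map.
    if grep -Eq '^[[:space:]]*use_esld[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "FAIL: use_esld = true in $conf"; rc=1
    fi

    # 2. Every map entry needs a key file that the rspamd user can read and
    #    that nobody else can.
    [ -s "$map" ] || { echo "FAIL: selector map $map is empty or missing"; return 1; }
    while read -r domain selector; do
        case "$domain" in ''|\#*) continue ;; esac    # skip blanks and comments
        [ -n "$selector" ] || { echo "FAIL: no selector for $domain in $map"; rc=1; continue; }
        key="$keydir/$domain.$selector.key"
        if [ ! -f "$key" ]; then
            echo "FAIL: no key file $key for $domain"; rc=1; continue
        fi
        perms=$(ls -ld "$key" | awk '{print substr($1, 1, 10)}')
        keyowner=$(ls -ld "$key" | awk '{print $3}')
        if [ "$keyowner" != "$owner" ]; then
            echo "FAIL: $key is owned by $keyowner, expected $owner (rspamd cannot read it)"; rc=1
        fi
        case "$perms" in
            *---) ;;    # no bits for "other": a private key must not be world-readable
            *) echo "FAIL: $key is readable by others ($perms)"; rc=1 ;;
        esac
        # 3. The record every receiver will fetch to verify the signature.
        echo "INFO: $domain signs with selector $selector; receivers query TXT $selector._domainkey.$domain"
    done < "$map"
    return $rc
}

# dkim_dns_record DOMAIN SELECTOR: fetch the published public key (needs network
# and dig from bind9-dnsutils). Compare its p= value with the key in KEYDIR.
dkim_dns_record() {
    dig +short TXT "$2._domainkey.$1"
}
```

Run it as `dkim_preflight /etc/rspamd/local.d/dkim_signing.conf /etc/rspamd/dkim_selectors.map /var/lib/rspamd/dkim _rspamd` before restarting rspamd; the ownership and mode checks cover the "read-only for root" state ziomatt found in post #6, and the INFO line gives the name to pass to dkim_dns_record or to a mail-tester.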
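ziomatt's symptom in post #6 ("not seeing the DKIM line", "DKIM is not aligned") and the DMARC report in post #14 come down to two questions a receiver asks: is there a DKIM-Signature header at all, and does its d= domain align with the From: domain? The following checker, added here as an example (not FreedomBox or rspamd code), answers both for a saved message. It does not verify the signature itself; it unfolds the headers, extracts d= and s=, and reports the DNS name the receiver will query. Relaxed alignment is approximated by a subdomain test rather than the public suffix list, which is an assumption noted in the code.

```shell
#!/bin/sh
# dkim_alignment MESSAGE_FILE
# Return codes: 0 signed and aligned, 1 no DKIM-Signature, 2 signed but the
# signing domain does not align with From:, 3 no From: header.
dkim_alignment() {
    msg=$1
    # Unfold the header section: continuation lines start with whitespace,
    # the first blank line ends the headers.
    hdrs=$(awk '
        /^$/ { exit }
        /^[ \t]/ { cur = cur $0; next }
        { if (cur != "") print cur; cur = $0 }
        END { if (cur != "") print cur }' "$msg")

    # From: domain, taking the address inside <...> when present.
    from_domain=$(printf '%s\n' "$hdrs" | awk '
        tolower($0) ~ /^from:/ {
            if (match($0, /<[^>]+>/)) a = substr($0, RSTART + 1, RLENGTH - 2); else a = $NF
            sub(/.*@/, "", a); print tolower(a); exit }')
    [ -n "$from_domain" ] || { echo "FAIL: no From: header"; return 3; }

    sig=$(printf '%s\n' "$hdrs" | awk 'tolower($0) ~ /^dkim-signature:/ { print; exit }')
    [ -n "$sig" ] || { echo "FAIL: not DKIM signed (From: $from_domain)"; return 1; }

    # Tag list is "tag=value; tag=value"; drop whitespace, split on ";".
    tags=$(printf '%s\n' "$sig" | tr -d ' \t' | tr ';' '\n')
    d=$(printf '%s\n' "$tags" | awk -F= '$1 == "d" { print tolower($2) }')
    s=$(printf '%s\n' "$tags" | awk -F= '$1 == "s" { print $2 }')
    echo "INFO: signed with d=$d s=$s; receivers query TXT $s._domainkey.$d"

    # Strict alignment: identical domains.
    if [ "$d" = "$from_domain" ]; then
        echo "OK: strict alignment"; return 0
    fi
    # Relaxed alignment (DMARC default): same organisational domain. The
    # subdomain test below is an approximation; a full check uses the public
    # suffix list.
    case "$from_domain" in
        *.$d) echo "OK: relaxed alignment ($from_domain is under $d)"; return 0 ;;
    esac
    case "$d" in
        *.$from_domain) echo "OK: relaxed alignment ($d is under $from_domain)"; return 0 ;;
    esac
    echo "FAIL: From: $from_domain but signed by d=$d; DMARC cannot pass on DKIM"
    return 2
}
```

Save a message from the Gmail "Show original" view (or from /var/mail) and run `dkim_alignment message.eml`; return code 1 reproduces the dkim=none report from post #1, return code 2 the "not aligned" report from post #6.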
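The mail-tester output in post #16 and Avron's answer in post #19 describe forward-confirmed reverse DNS: the sending IP must have a PTR record, the name in that PTR must resolve back to the same IP, and it should match the HELO name. The script below is an added example, not FreedomBox code. It builds the in-addr.arpa name Avron describes, keeps the decision logic in a function that takes the lookup results as arguments (so it can be exercised offline), and wraps the live lookups with dig from bind9-dnsutils. IPv4 only; an ip6.arpa name is built differently and is not handled here. As the thread says, publishing the PTR itself is up to whoever owns the address, usually the ISP.

```shell
#!/bin/sh
# ptr_name IPV4 -> prints the in-addr.arpa name the PTR record lives at,
# e.g. 203.0.113.5 -> 5.113.0.203.in-addr.arpa. Non-zero status on bad input.
ptr_name() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          print $4 "." $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# fcrdns_verdict IP HELO PTR A_RECORDS
#   PTR        name the PTR lookup returned ("" when NXDOMAIN)
#   A_RECORDS  space separated A records of that name ("" when none)
# Return: 0 forward-confirmed and equal to HELO, 1 no PTR (the RDNS_NONE case
# from mail-tester), 2 PTR does not resolve back to IP, 3 confirmed but HELO
# differs (a warning: many receivers accept this, mail-tester docks points).
fcrdns_verdict() {
    ip=$1
    helo=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    ptr=$(printf '%s' "$3" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    arecs=$4
    [ -n "$ptr" ] || { echo "FAIL: no PTR record for $ip (rDNS: NXDOMAIN)"; return 1; }
    confirmed=0
    for a in $arecs; do
        [ "$a" = "$ip" ] && confirmed=1
    done
    [ "$confirmed" -eq 1 ] || { echo "FAIL: $ptr does not resolve back to $ip"; return 2; }
    [ "$ptr" = "$helo" ] || { echo "WARN: rDNS $ptr is forward-confirmed but HELO is $helo"; return 3; }
    echo "OK: $ip <-> $ptr, matches HELO"
    return 0
}

# fcrdns_check IP HELO: live check, needs network and dig.
fcrdns_check() {
    ip=$1
    ptr=$(dig +short -x "$ip" | head -n 1)
    arecs=""
    [ -n "$ptr" ] && arecs=$(dig +short A "$ptr" | tr '\n' ' ')
    fcrdns_verdict "$ip" "$2" "$ptr" "$arecs"
}
```

Run `fcrdns_check <your public IP> $(postconf -h myhostname)` from the FreedomBox; a return code of 1 is exactly the situation in post #16, and only a PTR published by the address owner changes it.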