Configure DKIM for host.domain.com email addresses

Hi Brent. Yes, I have my email address set for root as you described. Were you going to suggest that I temporarily stick an external address in there (like a gmail or icloud address) so I can check for DKIM signatures when the server emails me? I'll try that. :)

Update: There is no DKIM signature attached to these emails… possibly because the to address is still root@hostname (even though it gets aliased to my iCloud address). So I'm no closer to working out why DKIM is failing for email sent from the hostname.
 
Code:
cd /usr/local/directadmin/scripts
./dkim_create.sh $(hostname -f)

Run the two commands without modifications, as they are shown. There is nothing to replace.

Note for those who don't see the result when running the above command: the dkim_create.sh script uses taskq to create the DNS zone, so you need to wait at least 1 minute to see the DKIM value in the DNS zone.
 
It's not the result of the command we're not seeing; it's the actual signing of mails from the hostname which seems not to take place.
Sorry, by result I mean the DKIM DNS record. If they do not see this DKIM value generated in the DNS record, they should wait about one minute. I saw this mentioned in here:
(screenshot of the DKIM documentation)
 
Sorry, by result I mean the DKIM DNS record.
No need to be sorry on your part, it was clear to me that this was what you were pointing to.
I only wanted to make clear that this is only half the issue and for some reason hostname mails don't get dkim signed. We're still waiting for a solution to that if I'm not mistaken.
Sorry if I was unclear about that.

Can you confirm this, @Kal?
 
…lf the issue and for some reason hostname mails don't get dkim signed. We're still waiting for a solution to that if I'm not mistaken. …

Can you confirm this, @Kal?
(y) Yeah, that's my understanding, although I've not retested since my previous comment.

Update: I just tested again, and there's still no DKIM signature on email from the hostname.
 
@Kal
@MaXi32
@Richard G

Lack of DKIM signing for the hostname is a 'feature', but I don't know why.
It occurs due to the fact that the hostname is not in /etc/virtual/domainowners and $sender_address_domain is not empty when the hostname is set as sender (dkim_domain in Exim is set explicitly to $primary_hostname only if $sender_address_domain is empty).
In my case I simply changed the Exim DKIM domain probing method in exim.dkim.conf and it is working now.

from:

dkim_domain = ${if eq{$sender_address_domain}{}{$primary_hostname}{${lookup{$sender_address_domain}lsearch,ret=key{/etc/virtual/domainowners}{$value}}}}

to:

dkim_domain = ${if or {{eq{$sender_address_domain}{}}{eq{$sender_address_domain}{$primary_hostname}}}{$primary_hostname}{${lookup{$sender_address_domain}lsearch,ret=key{/etc/virtual/domainowners}{$value}}}}

then
chattr +i /etc/exim.dkim.conf

to prevent accidental overwriting by ./build exim_conf

Now dkim_domain is set to $primary_hostname if $sender_address_domain is empty OR equal to $primary_hostname.

PS: Don't forget about DKIM keys generation via /usr/local/directadmin/scripts/dkim_create.sh host.domain.com
 
@Kal @MaXi32 @Richard G @smtalk @DirectAdmin Support
If someone wonders why vacation/autoresponder messages are not signed with the DKIM key: it is the result of changing the method that sets dkim_domain from the domain in the From header to the envelope-from in exim.dkim.conf version 1.5 (autoresponder messages have an empty envelope-from).
As a workaround I built this monster to combine both the pre- and post-change exim.dkim.conf behaviour, plus signing mail from the server hostname.

Code:
dkim_domain = ${if !eq{$sender_address_domain}{}\
                        {${if eq{$sender_address_domain}{$primary_hostname}\
                          {$primary_hostname}\
                          {${lookup{$sender_address_domain}lsearch,ret=key{/etc/virtual/domainowners}{$value}}}\
                        }}\
                        {${if or {{eq{${lc:${domain:${address:$h_from:}}}}{}}{eq{${lc:${domain:${address:$h_from:}}}}{$primary_hostname}}}\
                          {$primary_hostname}\
                          {${lookup{${lc:${domain:${address:$h_from:}}}}lsearch,ret=key{/etc/virtual/domainowners}{$value}}}\
                        }}\
                 }
 
Small changes.
I removed the secondary, extended condition, because there is absolutely no point in signing mails without envelope-from and From header.
I also changed $h_From to $rh_From due to possible address extraction issues from $h_From (e.g. if there is a comma in the sender name; in this case the raw header works better).

Code:
  dkim_domain = ${if def:sender_address_domain \
                     {${if eq{$sender_address_domain}{$primary_hostname} \
                       {$primary_hostname} \
                       {${lookup{$sender_address_domain}lsearch,ret=key{/etc/virtual/domainowners}{$value}}} \
                     }} \
                     {${if eq{${lc:${domain:${address:$rh_From:}}}}{$primary_hostname} \
                       {$primary_hostname} \
                       {${lookup{${lc:${domain:${address:$rh_From:}}}}lsearch,ret=key{/etc/virtual/domainowners}{$value}}} \
                     }} \
                 }
 
Follow up:
I made the domain comparison case-insensitive.
I added conversion to lowercase for primary_hostname and sender_address_domain, because domains created via DA are always lowercase, file paths in e.g. Linux are case-sensitive, and users sometimes do weird things so that sender_domain/From starts with a capital letter; the change eliminates some corner cases.
The problem may occur only if letsencrypt.sh doesn't convert the domain name to lowercase (I didn't check it) and someone created DKIM keys for a hostname that contains uppercase letters.

Code:
  dkim_domain = ${if def:sender_address_domain \
                     {${if eqi{$sender_address_domain}{$primary_hostname} \
                       {${lc:$primary_hostname}} \
                       {${lookup{${lc:$sender_address_domain}}lsearch,ret=key{/etc/virtual/domainowners}{$value}}} \
                     }} \
                     {${if eqi{${domain:${address:$rh_From:}}}{$primary_hostname} \
                       {${lc:$primary_hostname}} \
                       {${lookup{${lc:${domain:${address:$rh_From:}}}}lsearch,ret=key{/etc/virtual/domainowners}{$value}}} \
                     }} \
                 }
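To make the decision tree in that expansion easy to trace, here is an added Python model of it (example code, not from this thread and not DirectAdmin's or Exim's own). It re-implements the final exim.dkim.conf logic above: take the envelope-from domain if it is set, otherwise the domain of the From header; if that equals the primary hostname (compared case-insensitively) sign as the lowercased hostname, otherwise look the lowercased domain up as a key in /etc/virtual/domainowners, where an empty result means Exim leaves the message unsigned. The domainowners content, hostname and addresses are constructed for the example, and Python's parseaddr stands in for Exim's ${address:} operator.

```python
"""Model of the dkim_domain selection from the exim.dkim.conf expansion above.

Added example, not code from the thread or from DirectAdmin. All data below
is constructed so the corner cases discussed in the thread (empty envelope
sender, mail from the hostname, mixed-case domains) can be checked offline.
"""
from email.utils import parseaddr

# Constructed stand-in for /etc/virtual/domainowners ("domain: owner" lines).
DOMAINOWNERS = """\
example.com: alice
shop.example.org: bob
"""

PRIMARY_HOSTNAME = "Server.Example.net"  # constructed; mixed case on purpose


def lsearch_key(key: str, table: str) -> str:
    """Emulate ${lookup{key}lsearch,ret=key{file}{$value}}: return the key as
    written in the file when a line starts with 'key:', else ''.  Exim yields
    the empty string when a lookup fails and no fail-branch is given, which is
    exactly what leaves dkim_domain unset (message goes out unsigned)."""
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        file_key, sep, _owner = line.partition(":")
        if sep and file_key.strip() == key:
            return file_key.strip()
    return ""


def from_header_domain(from_header: str) -> str:
    """Emulate ${domain:${address:$rh_From:}}: extract the addr-spec from the
    raw From header and return the part after '@' ('' if there is none)."""
    _display, addr = parseaddr(from_header)
    return addr.rpartition("@")[2] if "@" in addr else ""


def select_dkim_domain(sender_address_domain: str, from_header: str,
                       primary_hostname: str = PRIMARY_HOSTNAME,
                       domainowners: str = DOMAINOWNERS) -> str:
    """Return the value the final expansion assigns to dkim_domain.
    '' means Exim will not DKIM-sign the message."""
    if sender_address_domain:                  # ${if def:sender_address_domain
        candidate = sender_address_domain
    else:                                      # autoresponder: empty envelope-from
        candidate = from_header_domain(from_header)
    if candidate.lower() == primary_hostname.lower():    # eqi{...}{$primary_hostname}
        return primary_hostname.lower()                  # ${lc:$primary_hostname}
    return lsearch_key(candidate.lower(), domainowners)  # ${lookup{${lc:...}}lsearch...}


if __name__ == "__main__":
    cases = [
        ("example.com", "", "normal hosted domain"),
        ("EXAMPLE.COM", "", "hosted domain typed in upper case"),
        ("server.example.net", "", "mail from the server hostname"),
        ("", '"Doe, John" <john@shop.example.org>', "autoresponder, only From header"),
        ("", "root <root@server.example.net>", "autoresponder from the hostname"),
        ("nobody.invalid", "", "domain not hosted here"),
    ]
    for env_domain, from_hdr, label in cases:
        result = select_dkim_domain(env_domain, from_hdr) or "(unsigned)"
        print(f"{label:38s} -> {result}")
```

The last case is the one worth watching on a live server: a sender domain that is neither the hostname nor a key in domainowners produces an empty dkim_domain, so the message leaves unsigned rather than failing, which is why the symptom in this thread showed up as a missing signature and not as an Exim error.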
 
Nice work, however I still think this should be implemented by default by DA to fix the hostname DKIM issue.
 
Follow up:
I made the domain comparison case-insensitive.
Nice work!
Saved my day...
Is there a possible way to restrict sending to specific users (e.g. root)?
 
Looks like something has changed regarding configuring DKIM with the hostname. When I try this:

Code:
cd /usr/local/directadmin/scripts
./dkim_create.sh $(hostname -f)

I got the following message:

Code:
Unable to find /etc/virtual/server.domain.com

The previous installer automatically created this file during setup but now it is missing after a fresh install.
 
The previous installer automatically created this file during setup but now it is missing after a fresh install.
It's not only a file. It's a hostname domain. Indeed some time ago this was created automatically on a fresh install.
That is not the case anymore. I don't quite remember why.

It was mentioned in a thread somewhere, but I can't find it that quickly again.

Solution is to create the hostname domain yourself via the DNS manager. Then you can create SPF and DKIM records for the hostname.
 
It's not only a file. It's a hostname domain. Indeed some time ago this was created automatically on a fresh install.
That is not the case anymore. I don't quite remember why.

It was mentioned in a thread somewhere, but I can't find it that quickly again.

Solution is to create the hostname domain yourself via the DNS manager. Then you can create SPF and DKIM records for the hostname.

I thought so, and I'm wondering what the purpose of supplying the environment variable 'DA_HOSTNAME' during setup is if DA did not use it to create this hostname automatically.

Have to make changes to a lot of things in my automated script. Thanks @Richard G
 
I thought so, and I'm wondering what the purpose of supplying the environment variable 'DA_HOSTNAME' during setup is if DA did not use it to create this hostname automatically.
Maybe you have to take this up with DA. Because I thought using the DA_HOSTNAME variable during setup should take care of things, if I understand correctly.
 
@Richard Just want to update. This is a new fresh install. I created the hostname (server.domain.com) manually like screenshot below:

(screenshot: hostname created in the DNS manager)

But it did not create that file in /etc/virtual:

(screenshot: listing of /etc/virtual without the hostname directory)

Something is wrong here. Can you help @smtalk @fln ?
 
But it did not create that file in /etc/virtual:
It's not a file, it should be a directory. But it's indeed not present, odd.

But the hostname -should- be present in the /etc/virtual/domains file and -not- in the /etc/virtual/domainowners file. Can you verify those?

Also check if the hostname is in the /var/named directory like stated before.

If that all is the case you could just create the hostname directory in /etc/virtual and chown it to mail:mail so it will be OK.

If you are missing parts of this, you might want to try and remove the hostname from the DNS manager, wait a few seconds, and then create the hostname again and see if that creates the correct entries.

I don't see any other domains in /etc/virtual either, don't you have any domains created yet?
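The conditions listed in that post (hostname present in /etc/virtual/domains, absent from /etc/virtual/domainowners, a per-domain directory owned by mail:mail) can be checked mechanically. The following is an added Python checklist, not DirectAdmin tooling; it only reads files, takes the base directory as a parameter, and its demo builds a constructed copy of the broken layout in a scratch directory so it can be run without touching a live server.

```python
"""Read-only checklist for the hostname's entries under /etc/virtual.

Added example, not part of the thread or of DirectAdmin. The expectations it
encodes come from the post above; the sample layout it builds is constructed.
"""
import os
import pwd
import tempfile


def check_hostname_virtual(base, hostname, check_owner=True):
    """Return a list of findings for `hostname` under `base` (normally
    /etc/virtual). An empty list means: listed in `domains`, not listed in
    `domainowners`, and a per-domain directory exists (owned by mail when
    check_owner is on)."""
    findings = []
    hostname = hostname.lower()

    def listed_keys(filename):
        path = os.path.join(base, filename)
        if not os.path.isfile(path):
            findings.append(f"{path} is missing")
            return set()
        with open(path) as fh:
            # `domains` holds bare names; `domainowners` holds "domain: owner".
            return {line.split(":", 1)[0].strip().lower()
                    for line in fh if line.strip()}

    if hostname not in listed_keys("domains"):
        findings.append(f"{hostname} is not listed in {base}/domains")
    if hostname in listed_keys("domainowners"):
        findings.append(f"{hostname} appears in {base}/domainowners, "
                        "but the hostname is not a user-owned domain")

    domain_dir = os.path.join(base, hostname)
    if not os.path.isdir(domain_dir):
        findings.append(f"{domain_dir} is missing; create it and chown mail:mail")
    elif check_owner:
        uid = os.stat(domain_dir).st_uid
        try:
            owner = pwd.getpwuid(uid).pw_name
        except KeyError:
            owner = str(uid)
        if owner != "mail":
            findings.append(f"{domain_dir} is owned by {owner}, expected mail")
    return findings


def demo_constructed_layout():
    """Recreate the state reported in the thread (hostname in `domains`, empty
    `domainowners`, no directory) in a scratch tree, then apply the fix.
    Returns (findings_before, findings_after). Ownership is skipped because
    the scratch directory belongs to whoever runs the script."""
    base = tempfile.mkdtemp(prefix="virtual-")
    host = "server.example.net"  # constructed hostname
    with open(os.path.join(base, "domains"), "w") as fh:
        fh.write(host + "\n")
    open(os.path.join(base, "domainowners"), "w").close()
    before = check_hostname_virtual(base, host, check_owner=False)
    os.mkdir(os.path.join(base, host))  # the fix from the thread
    after = check_hostname_virtual(base, host, check_owner=False)
    return before, after


if __name__ == "__main__":
    before, after = demo_constructed_layout()
    print("before fix:", before)
    print("after fix: ", after)
    # On a live server: check_hostname_virtual("/etc/virtual", socket.getfqdn())
```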
 
It's not a file, it should be a directory. But it's indeed not present, odd.

I understand it now. I thought it was a file with something in it. Thanks, I created an empty directory and it's working.

(screenshot: /etc/virtual listing with the hostname directory present)

This server is empty and I have no other domains on it. The content of /etc/virtual/domainowners is empty, but the file /etc/virtual/domains contains only one hostname entry. Thank you Richard.
 
You're welcome.
As you will see, when you start creating domains, they will also appear in both the domains file and the /etc/virtual directory, and the owners of the domains will be in the domainowners file.

Nice to see it's working now.
 