Configure DKIM for host.domain.com email addresses

January 2024. New install. Had to do this manually. The steps below explain why this must be done manually, IMHO.

I had no DNS entry for my localhost (server.domain.com), and could not generate DKIM.
grep dkim directadmin.conf
directadmin.conf:dkim=2
Note: the setting is already set, so there is no need to change it.

Steps I took:
1) in the DNS admin I added a new DNS entry for server.domain.com
If I run [root@server scripts]# ./dkim_create.sh $(hostname -f) # I get:
Unable to find /etc/virtual/server.domain.com

Ok, next step:
2) I created the folder: #mkdir /etc/virtual/server.domain.com
and set rights: #chown mail.mail /etc/virtual/server.domain.com

3) run the script again:
[root@server scripts]# ./dkim_create.sh $(hostname -f)
writing RSA key

In DA or via SSH, check: cat /var/named/server.domain.com.db
You should see:
x._domainkey 3600 IN TXT ( "v=DKIM1; k=rsa; p=MIIBIjAabcdabcdAabcdabcdAabcdabcd......etcetera " )

In my case, multi DNS is not yet configured, so I go to the DNS manager that owns domain.com and add:
x._domainkey.server TXT "v=DKIM1; k=rsa; p=MIIBIjAabcdabcdAabcdabcdAabcdabcd......etcetera "
(yes, the quotes are input as well, but DA will add them for you if you don't).

Now the main DNS is in sync with the DKIM value of your new server.

If you ever switch on multi-DNS, be sure to remove the manually added record, so DKIM can be updated when needed (I am not sure if this ever happens or is needed).

I did not and will not add server.domain.com as a domain on subdomain on this server! It is just a hostname, and may better be unique (and be pointed to via the IP PTR).
 
Never seen DirectAdmin autocreate DKIM for a hostname during a fresh install. So the things you've done are fine and accepted, I'd rather say. And even more, in my practice emails sent from @hostname are never signed with DKIM. This is true for all servers with DirectAdmin I have. It seems to be a bug, but still it is a fact.
 
> I did not and will not add server.domain.com as a domain on subdomain on this server!
Maybe there is a typo in here, but....
> 1) in the DNS admin I added a new DNS entry for server.domain.com
Isn't this what you just did? Add server.domain.com as a domain on the server? That is step one. So what you state is confusing.

Further this has nothing to do with multi-server setup as far as I know. We use it like this for many years with multi-server setup without any issue, never odd things with updating.

> If I run [root@server scripts]# ./dkim_create.sh $(hostname -f) # I get:
> Unable to find /etc/virtual/server.domain.com
That is a bug I already mentioned a long time ago to the devs, but they think this has no priority.

If you create a hostname, for some reason DA does not always create the directory for the hostname in /etc/virtual, so this should be checked and, if not present, created manually and chown'ed and chmod'ed correctly.

Best is to first create DKIM for domain.com (from which server.domain.com is made) and enable DKIM for it.
Once this is done and you create DKIM for the hostname, the entry will be entered in the hostname's DNS automatically (at least if dkim=1). You will also see that the DKIM value for server.domain.com will be exactly the same as in domain.com.

If you run your own nameservers, it is also best to set dkim=1 in directadmin.conf so DKIM will be created automatically when adding a new domain.

However, feel free to create things as you like. If they work, it's fine.

As for DKIM for the hostname, I'm aware that it did not work in the past; I thought this was fixed, but it may well be that it's not yet. But at least the SPF record will still work, preventing issues when the server sends system mails to, for example, Gmail.
 
Sorry Richard, there was a typo!
> I did not and will not add server.domain.com as a domain on subdomain on this server!
should be:
> I did not and will not add server.domain.com as a domain or subdomain on this server!

This also means you interpreted this incorrectly and continued:
> Isn't this what you just did? Add server.domain.com as a domain on the server? That is step one. So what you state is confusing.

No, I did not. I did not go to the domains of any owner, and add a domain.

I started with 1) in the DNS admin I added a new DNS entry for server.domain.com
Creating a DNS zone is not the same as creating a domain in my opinion.

Yes, I had read your comments, which are rather old and confusing to follow, since so many people keep responding. Even now it happens again: I tried to write a short manual, and you are debating parts of it. I'd like to have written a working 'manual'. And yes, you could add different methods. In your example you create DKIM on the main domain name and pass it on to the subdomains of that domain. I was under the impression that I should have different DKIM values, not 'copies'. It works as well of course, I just find it less secure.

It would be nice if Direct Admin would notice this thread, and MAYBE do something about this situation.

I would say that the urgency is getting higher every month, as I have seen more and more email providers blocking email on several occasions. And DKIM is part of the solution (like SPF is, and DMARC will be in the future).
 
> I was under the impression that I should have different DKIM values, not 'copies'. It works as well of course, I just find it less secure.
You don't copy, you create new ones, that is correct. In my case mine were the same so I thought they were always the same.

> I started with 1) in the DNS admin I added a new DNS entry for server.domain.com
> Creating a DNS zone is not the same as creating a domain in my opinion.
Correct. I wanted to be sure about that. It takes nothing away from the original manual you created. Many people mistake a DNS entry for a DNS zone. I know it's not the same, but lots don't.

Mostly the hostname does not send mail, so it's not that bad that the hostname has no DKIM if that bug is still present.

> Yes, I had read your comments, which are rather old and confusing to follow, since so many people keep responding.
No, they are not. September 2023. New and clear.
It's a new manual. And it shouldn't matter if people respond. The post is updated if needed.

But it's a different method from your manual. Both can work well, it's just a choice. So it's good to know yours is another method, so that is clear to others too.

Indeed DA should finally fix DKIM for the hostname some time.
 
I tried this yesterday myself, used content of post #30 and ran into issues, mail was not delivered for being spam. So I checked my Exim mainlog.

Code:
2024-04-07 23:11:10 1rtZnC-0000000BhOQ-3tI0 DKIM: d=server.mydomain.com s=x [failed key import]
H=(server.mydomain.com) [2a01:xxxx:xxxx:xxxx:xxxx:1] Warning: DKIM: Invalid. reason='pubkey_unavailable'. <May be a temporary problem.

However, when checking both SPF and DKIM on this server's hostname with external tools like DmarcAdvisor and MXtoolbox, the DKIM record looks good.

What might be going wrong here?
 
Got this too: the policy of the domain mailing from the hostname (a vacation message, for example) fails if the user's domain has too strict a policy (anything other than DMARC none).

Like you said, the SPF and DKIM are correct; this puzzles me too!
 
> fails if the user's domain has too strict a policy
What has the user's policy to do with that? Because it's the key which seems not to be found/imported. The server is sending to my mail address on the other server. Indeed that policy is very strict on the receiver's side. But that should not hinder getting the DKIM key.
The sending server's hostname also has SPF set to ~all so not strict at all.

Unfortunately I can't have all my firewall mails being classified as spam, so I have to undo the changes until we can find a solution for this.
 
Just wondering, could it have something to do with these kinds of lines? We have 2 lines with this mentioned:
Code:
{${lookup{${lc:$sender_address_domain}}lsearch,ret=key{/etc/virtual/domainowners}{$value}}} \
It's pointing to /etc/virtual/domainowners here, but as we know, the hostname is never in the domainowners file and also has a different DKIM key than the hostname.
That could explain the problem.
 
> What has the user's policy to do with that? Because it's the key which seems not to be found/imported. The server is sending to my mail address on the other server. Indeed that policy is very strict on the receiver's side. But that should not hinder getting the DKIM key.
> The sending server's hostname also has SPF set to ~all so not strict at all.
>
> Unfortunately I can't have all my firewall mails being classified as spam, so I have to undo the changes until we can find a solution for this.
I have about 5 to 7 domains, for example, where the sender domain (the original domain, not the domain) has quarantine DMARC. Once I set them to none it mailed perfectly. To investigate it further I might have to enable DMARC reporting to see what might be causing this. Have not done that yet.
 
> which the sender domain
Ah okay, so then there are 2 issues. Because in my case the sending domain is the server's hostname, which doesn't even have a DMARC record.
And it's the server just sending (forwarding) the CSF firewall messages to me.
 
> Just wondering, could it have something to do with these kinds of lines? We have 2 lines with this mentioned:
> Code:
> {${lookup{${lc:$sender_address_domain}}lsearch,ret=key{/etc/virtual/domainowners}{$value}}} \
> It's pointing to /etc/virtual/domainowners here, but as we know, the hostname is never in the domainowners file and also has a different DKIM key than the hostname.
> That could explain the problem.
Makes sense, maybe @DirectAdmin Support @smtalk @fln have the answer?
 
> Just wondering, could it have something to do with these kinds of lines? We have 2 lines with this mentioned:

Where can I find it, Richard?

I have only:

Code:
#1.7
  dkim_domain = ${if or { \
                        {eq{$sender_address_domain}{}} \
                        {eq{$sender_address_domain}{$primary_hostname}} \
                        } \
                {$primary_hostname}{${lookup{$sender_address_domain}lsearch,ret=key{/etc/virtual/domainowners}{$value}}}}
  dkim_selector = x
  dkim_private_key = ${if exists{/etc/virtual/$dkim_domain/dkim.private.key}{/etc/virtual/$dkim_domain/dkim.private.key}{0}}
  dkim_canon = relaxed
  dkim_strict = 0

in my /etc/exim.dkim.conf


And good news, I got emails from a hostname signed with DKIM :D
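As an added example (not DirectAdmin's or Exim's own code), the following Python mirrors the dkim_domain and dkim_private_key expansion of the exim.dkim.conf quoted above, and contrasts it with a lookup that consults only domainowners, which is the behaviour discussed earlier in the thread; the /etc/virtual tree, the domainowners entries and the key files are all constructed in a temporary directory.

```python
import os
import tempfile


def parse_domainowners(text):
    """/etc/virtual/domainowners holds one 'domain: owner' line per hosted domain."""
    owners = {}
    for line in text.splitlines():
        if ":" in line:
            domain, owner = line.split(":", 1)
            owners[domain.strip().lower()] = owner.strip()
    return owners


def dkim_domain(sender_domain, primary_hostname, owners, hostname_aware=True):
    """Mirror the 1.7 expansion: an empty sender or a sender equal to
    $primary_hostname yields the hostname; anything else is an lsearch
    ret=key lookup in domainowners, which returns the key only when listed.
    hostname_aware=False models a lookup that consults domainowners only."""
    sender = sender_domain.lower()
    if hostname_aware and sender in ("", primary_hostname.lower()):
        return primary_hostname
    return sender if sender in owners else ""


def dkim_private_key(virtual_root, domain):
    """${if exists{...}{...}{0}}: the key path, or "0" when the file is absent
    (Exim treats a dkim_private_key of 0 as 'do not sign')."""
    if not domain:
        return "0"
    path = os.path.join(virtual_root, domain, "dkim.private.key")
    return path if os.path.isfile(path) else "0"


def demo(primary_hostname="server.example.com"):
    """Build a constructed /etc/virtual tree and evaluate several senders.
    Returns {(sender, hostname_aware): (dkim_domain, key_found)}."""
    root = tempfile.mkdtemp()
    owners = parse_domainowners("example.com: admin\nclient.net: bob\n")
    for d in ("example.com", "client.net", primary_hostname):
        os.makedirs(os.path.join(root, d))
        with open(os.path.join(root, d, "dkim.private.key"), "w") as fh:
            fh.write("-----CONSTRUCTED, NOT A REAL KEY-----\n")
    results = {}
    for sender in ("example.com", primary_hostname, "", "unknown.org"):
        for aware in (True, False):
            dom = dkim_domain(sender, primary_hostname, owners, aware)
            results[(sender, aware)] = (dom, dkim_private_key(root, dom) != "0")
    return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(key, "->", value)
```

With the domainowners-only lookup, mail from the hostname resolves to no dkim_domain and therefore no key, which is exactly the gap the hostname-aware branch closes.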
 
Will the things work using exim.dkim.conf of the 1.7 version?
Seems not, as I've seen other very recent threads here point to this solution in post #30.

However, I must declare that I haven't tested that myself. I thought the hostname also still didn't work, but I hadn't tested it again since I've not seen any news about it being improved (or forgot).
 
> But then hostname messages aren't anymore.
So you have vacation/autoresponder messages with your hostname setup? Or how did you set up the DKIM for the root domain? If that is set up correctly your subdomain (hostname) should work. You wouldn't need a special DKIM for a subdomain. As far as I know Exim is set up to have the alignment for the domain and all subdomains.

I also don't have the "DKIM" for hostname setup. This one:
Code:
/usr/local/directadmin/scripts/dkim_create.sh $(hostname -f)
Never used it.

Because the main domain of the host has DKIM records. For me the hostname is something like server.example.com and the root domain is then example.com. And this domain has DKIM in the DNS (the main domain is not on the server, btw) and it all works. Also normal hostname messages are sent normally.
The whole problem was that messages from other users on the server who set up vacation/autoresponders didn't get DKIM alignment but got the hostname as sender address, and that doesn't work.

I even think that maybe the problem is that you have 2 DKIMs.

The RFC says:
Code:
By default, private keys corresponding to key records can be used to sign messages for any subdomain of the domain in which they reside;

Also DirectAdmin exim sends with these DKIM tags:
Code:
    v=1;
    a=rsa-sha256;
    q=dns/txt;
    c=relaxed/relaxed; (message canonicalization)
    d=example.com; (the SDID)
    s=x; (selector)
    h=signed header fields;
    bh=the hash of the canonicalized body part of the message;
    b=the signature data;

I thought you needed to set up Exim to send for subdomains specifically with the tag for dkim_identity.
This is provided in the 'i=' tag of the message's 'DKIM-Signature' header. Then a link is made with a particular sending host.

Although DKIM itself operates exclusively at the domain level

Chances are that you are sending from the hostname now with a DKIM key that is different from the main domain DKIM key and it will not be accepted. I would say if the DKIM for the subdomain is in your DNS zone from the root domain it would work, but you will need to inspect headers.
You can always send me a PM with headers from your sending server so I can check, but I would think you know this. Also check your DMARC for sp=none of course :)
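To make the RFC rule and the alignment question above concrete, here is an added example (not DirectAdmin's or Exim's code) that checks whether a root-domain key may sign for the hostname identity in i=, and whether the d= domain aligns with the From: domain under DMARC. The signature and key records are constructed, and the organisational domain is approximated as the last two labels rather than looked up in the Public Suffix List.

```python
def parse_tags(value):
    """Parse a 'k=v; k=v' tag list as used by DKIM-Signature and key records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def org_domain(domain):
    """Assumption: organisational domain = last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dkim_aligned(from_domain, d_tag, adkim="r"):
    """DMARC identifier alignment (RFC 7489 3.1.1): relaxed 'r' compares
    organisational domains, strict 's' needs From: and d= to match exactly."""
    if adkim == "s":
        return from_domain.lower() == d_tag.lower()
    return org_domain(from_domain) == org_domain(d_tag)


def key_allows_identity(key_record, sig):
    """RFC 6376 3.6.1: a key may sign any subdomain of d= by default; with the
    t=s flag in the key record, the i= domain must equal d= exactly."""
    key = parse_tags(key_record)
    d = sig["d"].lower()
    i_domain = sig.get("i", "@" + d).split("@", 1)[1].lower()
    if "s" in key.get("t", "").split(":"):
        return i_domain == d
    return i_domain == d or i_domain.endswith("." + d)


# Constructed sample: the root-domain key (d=example.com, s=x) signing a
# message whose identity is the server hostname.
SIG = parse_tags("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=x; "
                 "i=@server.example.com; h=from:to:subject; bh=...; b=...")
KEY_DEFAULT = "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"
KEY_STRICT = "v=DKIM1; k=rsa; t=s; p=CONSTRUCTEDKEYDATA"


def evaluate(from_domain, sig=SIG, key_record=KEY_DEFAULT, adkim="r"):
    """Return (key permits the i= identity, DMARC DKIM alignment passes)."""
    return (key_allows_identity(key_record, sig),
            dkim_aligned(from_domain, sig["d"], adkim))


if __name__ == "__main__":
    print("relaxed, default key:", evaluate("server.example.com"))
    print("strict adkim=s:      ", evaluate("server.example.com", adkim="s"))
    print("key with t=s:        ", evaluate("server.example.com", key_record=KEY_STRICT))
```

The root-domain key covers the hostname only while the key record has no t=s and the DMARC record does not demand strict alignment (adkim=s), which is the combination to verify in the DNS before relying on a single key.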
 
> So you have vacation/autoresponder messages with your hostname setup?
No, of course not.
System messages like the firewall messages will be crippled, as is seen in my example.
I do have a hostname and an SPF and DKIM record for my hostname, yes, as it should be.
> Never used it.
That's your choice. I do have added a DKIM key for my hostname, and as you can read on the forums, I'm really not the only one. I don't have a DMARC record on my hostname record.

> For me the hostname is something like server.example.com and the root domain is then example.com. And this domain has DKIM in the DNS (the main domain is not on the server, btw) and it all works. Also normal hostname messages are sent normally.
For me too. But I think you didn't create a separate hostname DNS entry, but just used a server A record in your example.com domain.
I use a separate hostname entry, like a lot of others, which is how DA was configured in the past, and I'm still using it because of the benefits of having a separate hostname entry in DNS administration.
And yes, I've got 2 DKIM keys then, like lots of others. That's not a bad configuration, it's just another way of configuring it.

To me it seems your autoresponder solution is only valid for users not having a separate hostname entry with a valid DKIM key.

The auto responders in your case will work.

My thought is that the fix presented for this can easily be changed to include the hostname DKIM record so it will work for both methods of using a hostname.
And I found out that the reason this is not working in the separate hostname method is that the line posted in #49 is only looking into domainowners, where only domains are listed and not hostnames.

I'm no coder, but I think if something like {$primary_hostname} is put in the solution somewhere so that DKIM is also looked up for the hostname, then it would work for everybody.
But as said, I'm no coder so I could be wrong about this. I have no clue.

If this does not work this way, because of the 2 DKIM records, then this solution is indeed only valid for people not having a separate hostname entry, I guess. But in that case it's good to mention this, if that is the case.
 
Strange, on my servers all emails from CSF, DirectAdmin messaging system etc. are all signed correctly and pass DKIM, SPF and DMARC! I have root emails forwarded to an external email address using /etc/aliases. I have a separate DNS zone for the server hostname (e.g. server.hostname.com) and the hostname DKIM/SPF is set up there, not in the main domain's DNS. Everything is working perfectly with the custom changes above - root emails from the server, user emails, autoresponders and forwarders all pass DKIM/SPF/DMARC.
 
> Strange, on my servers all emails from CSF, DirectAdmin messaging system etc. are all signed correctly and pass DKIM, SPF and DMARC!
That is strange indeed. I have the exact same setup as you. Also with root forward via the /etc/aliases file. Only difference is that I do not have a DMARC for my hostname.

As you can see from post #46 in my case the DKIM key could not be retrieved.
But when checking that server with Dmarcian and others, there was no problem at all receiving SPF and DKIM records.

If you say that in your case, with the same setup, everything works fine, then I might need to do some additional testing to see if we can find out why that DKIM key isn't found in my case.

At this moment I'm busy with @Stije via pm as we then can write in Dutch and exchange some private info, makes life a bit easier when testing.
Thank you for your insight on this!
 