DKIM not working for Server's Hostname

I see a lot of manual work there; we have never edited a single file to add DKIM.

Did you try to setup DKIM as described here? : https://help.directadmin.com/item.php?id=569
Their guide is only to get MailChannels working with DA.

I did follow the guide to get DKIM working, and confirmed that it's done exactly as stated. DA does generate and add a DKIM record, but mails are just not signed anyway :/
 
Is the DNS-zone for the domain your server hostname uses managed by the server itself? If not, you have to copy the DKIM record to the authoritative DNS-server of the main domain for them to be active.
 
Disregard my last post, it's not working for me either when just following the DA tutorials.

@smtalk , there seem to be 2 inconsistencies in this tutorial: https://help.directadmin.com/item.php?id=16

- "3) The hostname must *not* be in the /etc/virtual/domainowners file." <-> but the emails from the hostname are only being DKIM signed when the hostname is added to /etc/virtual/domainowners

- "5) The directory /etc/virtual/hostname must exist.. (eg: /etc/virtual/server.domain.com). It must not contain any files." <-> but when running the ./dkim_create.sh $(hostname -f) command, the DKIM public/private keys get stored in the /etc/virtual/hostname directory
 
Bumping this thread.

Is this working for anyone at the moment by just using the

Code:
./dkim_create.sh $(hostname -f)

command? Should anything else be set?
 
there seem to be 2 inconsistencies in this tutorial: https://help.directadmin.com/item.php?id=16
That is the old help section.
Try https://docs.directadmin.com/
./dkim_create.sh $(hostname -f)
-f is not domain it is FQDN. aka server.domain.com
server name aka node name < is not a subdomain, it's a server name.
You need to put -d in for just domain name. OR just type in domain.com.
Usage: hostname [-b] {hostname|-F file} set host name (from file)
hostname [-a|-A|-d|-f|-i|-I|-s|-y] display formatted name
hostname display host name

{yp,nis,}domainname {nisdomain|-F file} set NIS domain name (from file)
{yp,nis,}domainname display NIS domain name

dnsdomainname display dns domain name

hostname -V|--version|-h|--help print info and exit

Program name:
{yp,nis,}domainname=hostname -y
dnsdomainname=hostname -d

Program options:
-a, --alias alias names
-A, --all-fqdns all long host names (FQDNs)
-b, --boot set default hostname if none available
-d, --domain DNS domain name
-f, --fqdn, --long long host name (FQDN)
-F, --file read host name or NIS domain name from given file
-i, --ip-address addresses for the host name
-I, --all-ip-addresses all addresses for the host
-s, --short short host name
-y, --yp, --nis NIS/YP domain name

Description:
This command can get or set the host name or the NIS domain name. You can
also get the DNS domain or the FQDN (fully qualified domain name).
Unless you are using bind or NIS for host lookups you can change the
FQDN (Fully Qualified Domain Name) and the DNS domain name (which is
part of the FQDN) in the /etc/hosts file.
https://www.directadmin.com/features.php?id=1189
Alternate way is to use a script from console:
cd /usr/local/directadmin/scripts
./dkim_create.sh domain (nodns) (force)
Options:

  • domain : Required. Name of the domain to enable dkim for.
  • nodns : Optional. Prevents adding the keys to the zone.
  • force : Optional. Force overwrite of the keys with new values.
only domain is supported ^^^^ in the script.
 
The new docs are also confusing when looking at the perfect mail setup section:
The hostname must not match any domain that is being used on the system. We recommend using server.domain.com or web1.domain.com instead. (Taking server1.domain.com as example.)
This gives the impression that when "server.domain.com" is used as hostname, the domain named domain.com may not be used on the system.
I'm sure this is not what it means, but it's written in a confusing way, because you can explain it like that.

only domain is supported ^^^^ in the script.
So why is it creating the correct dkim records in /etc/virtual/hostname when only domain is supported, and mentioned that it should be created like that in the original (old) docs?
In the past it was also told us in the forums to create dkim for the hostname this way.
 
I separate it all out in my mind
Is the host's name aka node name. The physical server's name. It's not a subdomain, which is the confusing part; a lot of people think "server" is a subdomain but it's not. I think the documentation means you can't have a host named "server" and a subdomain "server" at the same time. Example: You shouldn't name your server www.
domain.com
is the domains name.
server.domain.com
This is the FQDN which is a bit of a misnomer as well.

to create dkim for the hostname this way
Well if that is the case the script needs to be documented better. It states
  • domain : Required. Name of the domain to enable dkim for.
cd /usr/local/directadmin/scripts
./dkim_create.sh domain (nodns) (force)

It doesn't say FQDN or host or server name. It says Domain.
 
I know the difference between hostname and domain name, but it's this part of the sentence which is very confusing:
The hostname must not match any domain that is being used on the system.
So as said, server.domain.com is hostname, and domain.com is domain name. So the hostname matches the domain name. At least that is what people (especially non-english languaged) can conclude about this sentence.
It would be way better to say "The hostname should not be a domain name" which is more correct imho and not confusing.
FQDN is indeed a bit of a misnomer as well, that's correct.

It doesn't say FQDN or host or server name. It says Domain.
Yes, but as you can see from the old help file, it is also used for the hostname. It also generates the dkim files in /etc/virtual/hostname.
 
I know the difference between hostname and domain name, but it's this part of the sentence which is very confusing:

So as said, server.domain.com is hostname, and domain.com is domain name. So the hostname matches the domain name. At least that is what people (especially non-english languaged) can conclude about this sentence.
It would be way better to say "The hostname should not be a domain name" which is more correct imho and not confusing.
FQDN is indeed a bit of a misnomer as well, that's correct.


Yes, but as you can see from the old help file, it is also used for the hostname. It also generates the dkim files in /etc/virtual/hostname.
Well, if either one of us is confused, it must be an issue for sure.
 
Ok here is the first sentence from the old help file and I will do the rest for clarity

1) hostname must not match any domain that is being used on the system. Example, if you have a domain called domain.com and you want to receive mail on [email protected], you must *not* set your hostname to domain.com. We recommend using server.domain.com instead. You must make sure that you add the A record for server.domain.com so that it resolves.

To me this (you must *not* set your hostname to domain.com) means
don't do
hostnamectl set-hostname mydomain.com (Please never do this)
you need to do
hostnamectl set-hostname coolservername.mydomain.com

and in DNS you have an A record for coolservername.mydomain.com

2) The hostname must be in the /etc/virtual/domains file.
Code:
cat /etc/virtual/domains
should return the FQDN from above coolservername.mydomain.com and mydomain.com

3) The hostname must *not* be in the /etc/virtual/domainowners file.

Code:
cat /etc/virtual/domainowners

should NOT return the FQDN from above coolservername.mydomain.com
it should be just domain.com and owner

4) The hostname must resolve. If not, add the required A records to the dns zone such that it does.
DNS check

5) The directory hostname must exist.. (eg: /etc/virtual/server.domain.com). It must not contain any files.
Code:
ls /etc/virtual/coolservername.mydomain.com

6) Any domains that you want to use for email (eg: domain.com) must be in both the /etc/virtual/domains file and the /etc/virtual/domainowners file. The directory /etc/virtual/domain.com must exist and the files /etc/virtual/domain.com/passwd and /etc/virtual/domain.com/aliases exist.
Code:
ls /etc/virtual/coolservername.mydomain.com
See passwd and aliases check

7) File permissions for virtual pop inboxes should be (not applicable with Dovecot/Maildir):
NA everyone should be on Dovecot

If you've made any changes to your /etc/exim.conf file and require a fresh copy, you can retrieve one with this guide:
http://help.directadmin.com/item.php?id=51
nope

8) Ensure your hostname does not contain any upper case letters.

never ever

9) Make sure that your main server IP has a reverse lookup on it.

for sure

Is this what you get out of it?
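
The file-based items of the checklist above (2, 3, 5 and 8) can be checked mechanically. The shell function below is an added example, not part of the original posts or of DirectAdmin's scripts; the function names and the assumed file formats (one name per line in `domains`, `name: owner` in `domainowners`) are assumptions, and the DNS items (4 and 9) are left out because they need a resolver.

```shell
#!/bin/sh
# Added example: audit the mail-hostname checklist quoted in this thread.
# Assumed formats: domains = one name per line; domainowners = "name: owner".
# Usage after sourcing: check_mail_hostname "$(hostname -f)"

_is_lower()      { [ "$1" = "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" ]; }
_in_domains()    { grep -qxF -- "$1" "$2/domains" 2>/dev/null; }
_in_owners()     { awk -F: -v h="$1" '$1 == h { f = 1 } END { exit !f }' \
                       "$2/domainowners" 2>/dev/null; }
_not_in_owners() { ! _in_owners "$1" "$2"; }
_dir_exists()    { [ -d "$2/$1" ]; }
_dir_empty()     { [ -d "$2/$1" ] && [ -z "$(ls -A "$2/$1")" ]; }

# _check DESCRIPTION COMMAND...: print PASS/FAIL and count failures.
_check() {
    desc=$1; shift
    if "$@"; then
        echo "PASS $desc"
    else
        echo "FAIL $desc"
        fails=$((fails + 1))
    fi
}

# check_mail_hostname HOST [VIRTUAL_DIR]
# Prints one PASS/FAIL line per item; exit status is the number of failed items.
check_mail_hostname() {
    host=$1
    vdir=${2:-/etc/virtual}
    fails=0
    _check "2) $host is listed in $vdir/domains"       _in_domains    "$host" "$vdir"
    _check "3) $host is not in $vdir/domainowners"     _not_in_owners "$host" "$vdir"
    _check "5) directory $vdir/$host exists"           _dir_exists    "$host" "$vdir"
    _check "5) directory $vdir/$host contains no files" _dir_empty    "$host" "$vdir"
    _check "8) $host has no upper case letters"        _is_lower      "$host"
    return "$fails"
}
```

On a server where `./dkim_create.sh $(hostname -f)` has stored keys in the hostname directory and the hostname was added to `domainowners`, items 3 and 5 report FAIL, which is the inconsistency with the old guide raised earlier in this thread.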
 
Example, if you have a domain called domain.com and you want to receive mail on [email protected], you must *not* set your hostname to domain.com.
Ah oke. I missed that part. So this example is not confusing anymore. Still I don't like that "match any domain" sentence. Mine is better.
A hostname shouldn't be a domain name in *any* case anyway.

2+3 understandable and correct.

4.) As far as I know a hostname should always have an A record to be able to resolve. And for good practice.

5-8 Correct

9.) Since some people use another IP for sending mail, it should read "make sure that the IP you are sending and receiving mail on (the IP exim uses) has a reverse lookup on it, and use correct A and MX records for mail."

But yes that's what I get out of it.
 
4.) As far as I know a hostname should always have an A record to be able to resolve. And for good practice.
totally
9.) Since some people use another IP for sending mail, it should read "make sure that the IP you are sending and receiving mail on (the IP exim uses) has a reverse lookup on it, and use correct A and MX records for mail."
I think it assumes a standard or default build. Whenever I read guides like this I don't assume a non-standard or non-default build. I see the point though.
 
Sorry for being thick today :), but I'm still not sure what's the correct configuration here. To make it clear, I know it's possible to DKIM sign emails sent out by the hostname (i.e. server.domain.com), which helps with delivery of emails such as password resets etc. I know this works because I've set it up like this (using the ./dkim_create.sh server.domain.com command and adding server.domain.com to /etc/virtual/domainowners, although the old guide tells me not to), and when I check on the receiving end, I can see that the mail is being signed by DKIM.

My question is if running this command and adding the server.domain.com to /etc/virtual/domainowners, which seems to make DKIM for the server hostname work correctly, is fine or if this is a misconfiguration and has negative consequences on anything else.

EDIT: I'm just pressing on this because implementing this feature would help us greatly as a lot of our customers are complaining about not receiving system emails sent out by @server.domain.com .
 
Sorry for being thick today :), but I'm still not sure what's the correct configuration here. To make it clear, I know it's possible to DKIM sign emails sent out by the hostname (i.e. server.domain.com), which helps with delivery of emails such as password resets etc. I know this works because I've set it up like this (using the ./dkim_create.sh server.domain.com command and adding server.domain.com to /etc/virtual/domainowners, although the old guide tells me not to), and when I check on the receiving end, I can see that the mail is being signed by DKIM.

My question is if running this command and adding the server.domain.com to /etc/virtual/domainowners, which seems to make DKIM for the server hostname work correctly, is fine or if this is a misconfiguration and has negative consequences on anything else.

EDIT: I'm just pressing on this because implementing this feature would help us greatly as a lot of our customers are complaining about not receiving system emails sent out by @server.domain.com .
To me it is: no, you can't do that per the docs. I would log a ticket and get their help.

3) The hostname must *not* be in the /etc/virtual/domainowners file.

Code:
cat /etc/virtual/domainowners

should NOT return the FQDN from above coolservername.mydomain.com
it should be just domain.com and owner
and here as well

system emails sent out by @server.domain.com .
They should not be going out on server.domain.com

  1. Custom Email and ns1/ns2 can be declared by creating the following files with your desired email and nameservers before running setup.sh:
 
Sorry for being thick today :), but I'm still not sure what's the correct configuration here. To make it clear, I know it's possible to DKIM sign emails sent out by the hostname (i.e. server.domain.com), which helps with delivery of emails such as password resets etc. I know this works because I've set it up like this (using the ./dkim_create.sh server.domain.com command and adding server.domain.com to /etc/virtual/domainowners, although the old guide tells me not to), and when I check on the receiving end, I can see that the mail is being signed by DKIM.

My question is if running this command and adding the server.domain.com to /etc/virtual/domainowners, which seems to make DKIM for the server hostname work correctly, is fine or if this is a misconfiguration and has negative consequences on anything else.

EDIT: I'm just pressing on this because implementing this feature would help us greatly as a lot of our customers are complaining about not receiving system emails sent out by @server.domain.com .
@wtptrs Have you noticed any (negative) side effects yet of using this setup for a while?

Is adding the hostname to `/etc/virtual/domainowners` the only workaround at this moment to get DKIM working for the hostname? (Although not advised...)
 
**BUMP**
Does anybody have a (semi) definitive solution yet to get this working?
 
I think your solution could be added by DA since if I'm not mistaken the exim.dkim.conf is something DA builds, or am I wrong?
 