How to disable DKIM for the admin account?

patrickkasie

Dear DirectAdmin forum,

The message system does not send E-mails anymore to my mailbox of [email protected]. The inbox is at Microsoft's. I was thinking it could be the DKIM, but I can't find a way to disable it. The option to enable or disable DKIM only shows up for users, but not for the admin account.
 

Have you also checked in Enhanced skin? Sometimes one can find things there.

Otherwise remove these:
dkim.private.key
dkim.public.key
from /etc/virtual/admindomain

and remove the DKIM key from DNS from the admin domain and then it should be removed too.

However, there should also be a disable option for admin too.
 
Hello,

Actually emails are sent, but Microsoft Email servers reject them. You will need to check logs for outgoing emails not bounced, and/or read content of bounced emails. You might find a clue there.

As root run:

Code:
exigrep [email protected] /var/log/exim/mainlog

and let us know what you find.

p.s. Make sure to change the FAKE email address to a real one in the suggested command.


The message system does not send E-mails anymore to my mailbox of [email protected].
 
It's not anywhere in /etc/virtual
and
vps21.domain.nl would be the sender
In that case look in the /etc/virtual/vps21.domain.nl folder.
If the dkim keys are not in there, then dkim is not enabled for your hostname. So DKIM is not the issue here because it's not active.

For the rest, check above reply of @zEitEr which is more helpful.
 
OK, Microsoft Mail servers accept emails from your server for a delivery. This is good, and DKIM is not the culprit here. The one thing is not clear though, if they accept the emails for further delivery, why do you have bounces? I guess you need to read bounces. For this you will need to use exim in CLI:

Bash:
exim -bp

to list emails in a queue, something like:

Bash:
2h  4.6K 1s4E4b-000000000Bp-3MWY <> *** frozen ***
          [email protected]

 2h  4.6K 1s4E4n-000000000CG-1QZU <> *** frozen ***
          [email protected]

 2h  4.6K 1s4E5o-000000000Dd-0gPz <> *** frozen ***
          [email protected]

34m  4.6K 1s4F0f-000000003nW-1Phr <> *** frozen ***
          [email protected]

Find a bounced email from Outlook and run:

Bash:
exim -Mvb 1s4F0f-000000003nW-1Phr

to read a body of an email with ID=1s4F0f-000000003nW-1Phr, you might change it to your actual one.

Do you have the emails in SPAM/Junk folder of your account at Outlook?

Meanwhile you might update /etc/aliases and route emails for root to your inbox.

 
OK, in any case. The DKIM is not the issue. Correct? And you don't need to disable it.

If you want to identify why emails get bounced, you need to read their content. And/Or examine the exim logs for other errors from Outlook servers.

something like:

zgrep -i outlook /var/log/exim/mainlog* | grep -i error
 
Why does it say DKIM=domain.nl, implying as if it's used? This server doesn't have DKIM enabled for its users, so idk why it does that for itself.

If you want to identify why emails get bounced, you need to read their content. And/Or examine the exim logs for other errors from Outlook servers.
I don't know where to look that up. I've just executed the above command, no results. I also don't have access to the mail account, it has been set up by my employer who manages the mail account.

Meanwhile you might update /etc/aliases and route emails for root to your inbox.
You mean from the message system, right?

Update: that did not work either, it's also not arriving in my personal inbox, which is also at Microsoft's.
 
Why does it say DKIM=domain.nl, implying as if it's used
Where do you see that? Because you say you see DKIM, but I don't see it that quickly in the logs posted.
Also, if it would be like that, then the key wouldn't be in the /etc/virtual/vps.domain.nl directory but in one of the /etc/virtual/domain.nl directories.
Otherwise it would say DKIM=vps.domain.nl and not domain.nl

It's very hard to look at without specific information.

You mean from the message system, right?
No, he clearly says /etc/aliases and that is not in the message system.

Login via SSH, edit the /etc/aliases file.
At the bottom it says something like:
# root: john
or some other example.
Just remove the comment and use your address like
root: [email protected]

or another e-mail address you can use to receive root mails for the time being.

Restart Exim after making the change.
 
Why does it say DKIM=domain.nl, implying as if it's used?

The DKIM= part is present in lines related to bounces from Microsoft OutLook. It means they DKIM-sign bounces coming from their servers, but not your server. Since emails for your domain (which is masked) are handled by Microsoft OutLook, and if you want to stop using DKIM signing, you should do that in the Microsoft OutLook interface.

Is there anything else that troubles you?
 
If DKIM is not enabled for my hostname, but it's still attempting to use a DKIM, then idk where it would be at as it is clearly using it here, where DKIM=domain.nl:
@Richard G

That is so confusing that it would use DKIM=vps.domain.nl instead of DKIM=domain.nl

No, he clearly says /etc/aliases and that is not in the message system.

Login via SSH, edit the /etc/aliases file.
At the bottom it says something like:
# root: john
or some other example.
Just remove the comment and use your address like
root: [email protected]

or another e-mail address you can use to receive root mails for the time being.

Restart Exim after making the change.
This actually did help! I can now see the following error coming into my inbox:

Code:
Delivery has failed to these recipients or groups:
[email protected]
Your message wasn't delivered because the recipient's email provider rejected it.




Diagnostic information for administrators:
Generating server: DB8P194MB0519.EURP194.PROD.OUTLOOK.COM
[email protected]
Remote server returned '550 5.7.509 Access denied, sending domain vps21.domain.nl does not pass DMARC verification and has a DMARC policy of reject.'
Original message headers:
Received: from AS4P189CA0044.EURP189.PROD.OUTLOOK.COM (2603:10a6:20b:5dd::13)
 by DB8P194MB0519.EURP194.PROD.OUTLOOK.COM (2603:10a6:10:156::20) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.42; Wed, 8 May
 2024 07:47:28 +0000
Received: from AM4PEPF00025F96.EURPRD83.prod.outlook.com
 (2603:10a6:20b:5dd:cafe::d3) by AS4P189CA0044.outlook.office365.com
 (2603:10a6:20b:5dd::13) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7544.42 via Frontend
 Transport; Wed, 8 May 2024 07:47:28 +0000
Authentication-Results: spf=none (sender IP is SERVERIP)
 smtp.mailfrom=vps21.domain.nl; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=vps21.domain.nl;compauth=fail
 reason=000
Received-SPF: None (protection.outlook.com: vps21.domain.nl does not designate
 permitted sender hosts)
Received: from vps21.domain.nl (SERVERIP) by
 AM4PEPF00025F96.mail.protection.outlook.com (10.167.16.5) with Microsoft SMTP
 Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7565.0 via
 Frontend Transport; Wed, 8 May 2024 07:47:28 +0000
Received: from root by vps21.domain.nl with local (Exim 4.97.1)
    (envelope-from <[email protected]>)
    id 1s4c1Q-00000000GKq-09Qc
    for [email protected];
    Wed, 08 May 2024 09:47:28 +0200
To: [email protected]
Subject: lfd on vps21.domain.nl: SSH login alert for user root from OUR.IP.ADDR.ESS (NL/The Netherlands/dhcp-OUR-IP-ADDR-ESS.nl)
From: <[email protected]>
Message-ID: <[email protected]>
Date: Wed, 08 May 2024 09:47:28 +0200
Return-Path: [email protected]
X-EOPAttributedMessage: 0
X-EOPTenantAttributedMessage: 58419507-a05b-478a-b1bd-456f387e224f:0
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: AM4PEPF00025F96:EE_|DB8P194MB0519:EE_
MIME-Version: 1.0
Content-Type: text/plain
X-MS-Office365-Filtering-Correlation-Id: 1940f965-cbe0-4f57-da9c-08dc6f331bff
X-Forefront-Antispam-Report:
    CIP:SERVERIP;CTRY:NL;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:vps21.domain.nl;PTR:vps21.domain.nl;CAT:SPOOF;SFS:(13230031);DIR:INB;
X-Microsoft-Antispam: BCL:0;ARA:13230031;
X-Microsoft-Antispam-Message-Info:
    =?us-ascii?Q?vPffGzQPL7deVaG4VfTvSCjAyqh4xUeOSNgn95r5cJIZDmbdGNhEdNft4R7H?=
 =?us-ascii?Q?GO8CnyuzZv5yxAbuTUe4hhTSdcNsU1UAP+paXS6pMm1cQDUGOfF5UBOXn1wu?=
 =?us-ascii?Q?js+kuNWvebkWN9hDoALuuyK7+2OE9hTA7ZRzi7bUw2G+xpBWL60DtWoqdyfR?=
 =?us-ascii?Q?7G4V+kWvJnBCgQY2/eTIlR2HZ3UP25z0Zv5X0FhDQpzc0hWhRYcTQ8yqQ+79?=
 =?us-ascii?Q?16vKsBjABs0eaTtI360Y65bVq4VIUUTIYKXj8a48bSPg3EIW+4EmWVAoPBLF?=
 =?us-ascii?Q?ycvjnK8YneIB1kYxAIw6YH1mRyQERiZBgXDk4oNgYyN5mjdccvIdygOM3Ze9?=
 etc
 etc
 etc

Edit: That means Zeiter was right that DKIM probably wasn't the problem
 
550 5.7.509 Access denied, sending domain vps21.domain.nl does not pass DMARC verification and has a DMARC policy of reject.

And now you will need to check and fix the issue with:

1. rDNS (if it's actual)
2. SPF (if it's actual)
3. DKIM (if it's actual)

if you want emails to your domain.nl to reach your INBOX at OutLook.

DMARC might fail because of wrong SPF and DKIM.

Since DKIM is not used yet, then you will need to create a valid key and make sure it's in DNS.

Then you will need to update existing SPF record for your domain.nl and vps21.domain.nl and allow sending from server's IPv4 and IPv6.

And even if you fix the mentioned issue OutLook might still filter incoming emails and move them to a Junk folder.
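Added example (not from any poster in this thread): a small Python parser for the Authentication-Results header quoted in the bounce above, showing why `spf=none` plus `dkim=none` ends in `dmarc=fail`. DMARC needs at least one of SPF or DKIM to pass for a domain aligned with the From: domain. The two-label `org_domain` shortcut and the `SPF_FIXED_AR` header are assumptions made for illustration.

```python
import re

# Authentication-Results value from the bounce above, unfolded onto one line
# (SERVERIP is the thread's own placeholder).
BOUNCE_AR = ("spf=none (sender IP is SERVERIP) smtp.mailfrom=vps21.domain.nl; "
             "dkim=none (message not signed) header.d=none;dmarc=fail action=oreject "
             "header.from=vps21.domain.nl;compauth=fail reason=000")
# Constructed: what the same header would look like once SPF passes for the hostname.
SPF_FIXED_AR = ("spf=pass (sender IP is SERVERIP) smtp.mailfrom=vps21.domain.nl; "
                "dkim=none (message not signed) header.d=none;"
                "dmarc=pass action=none header.from=vps21.domain.nl")

def parse_auth_results(value):
    """Return {method: {"result": ..., "<property>": ...}} for each clause."""
    parsed = {}
    for clause in value.split(";"):
        tokens = re.sub(r"\([^)]*\)", " ", clause).split()  # drop (comments)
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        parsed[method.lower()] = {"result": result.lower(), **props}
    return parsed

def org_domain(name):
    # Assumption: the organizational domain is the last two labels. Receivers
    # use the Public Suffix List; two labels is correct for a plain .nl name.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def dmarc_verdict(parsed):
    """Pass if SPF or DKIM passed for a domain aligned (relaxed) with From."""
    from_domain = parsed.get("dmarc", {}).get("header.from", "")
    failures = []
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        entry = parsed.get(method, {})
        result = entry.get("result", "none")
        domain = entry.get(prop, "none").split("@")[-1]
        aligned = domain != "none" and org_domain(domain) == org_domain(from_domain)
        if result == "pass" and aligned:
            return "pass", []
        failures.append(f"{method}={result}" if aligned or domain == "none"
                        else f"{method}={result} (not aligned: {domain})")
    return "fail", failures
```

`dmarc_verdict(parse_auth_results(BOUNCE_AR))` reports both `spf=none` and `dkim=none` as the reasons for the failure; with `SPF_FIXED_AR` the verdict is a pass even though the message is still unsigned.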
 
That is so confusing that it would use DKIM=vps.domain.nl instead of DKIM=domain.nl
That might be a mistake of mine, because I thought it was your server saying that about DKIM, but @zEitEr said it relates to the Outlook bounces which seems correct to me.

and has a DMARC policy of reject.
It's a choice, but I wouldn't use a reject policy on the hostname ever, since sometimes also the system sends messages from the domain, on vacation messages for example. But as said, that is your choice. I don't use any DMARC on my hostnames (or with open policy), only on domain names.

And indeed you can't use DMARC without DKIM. Things might already be fixed if you remove the DMARC record from your hostname.
If you want to use it, then create a DKIM record too.
 
The SPF record for domain.nl works though. It has never had trouble sending mail to [email protected]. However, we do not use the DNS administration by DirectAdmin. We use another program on a completely different server, and it includes all IP addresses from vps21.domain.nl among others, which looks like this:
Code:
OUR PROGRAM
spf.domain.nl TXT "v=spf1 ip4:our.ip.addr.ess ip6:our:ip:add:res::s -all"
 
The SPF record for domain.nl works though.

We don't have real domain names, so the only thing left for us is to guess. We don't know your DMARC as well. So you will need to double check everything once again or provide a real domain name if you need any further assistance.
 
- There is no SPF record for the hostname in DNS. You should create one.
- rDNS is fine.
- There is no DKIM record in DNS for the hostname either. You might create it as well, or ignore for now.
 
Thank you Zeiter. My question is, how is that possible? The TXT record shows a bunch of IP4 and 6 addresses which include that subdomain. Do I need to make another subdomain which has the record?

Code:
spf.vps21.domain.nl TXT "v=spf1 ip4:our.ip.addr.ess ip6:our:ip:add:res::s -all"

I'm not sure how this would mess up other records, so I'd like to wait for your response first.
Also, what place or methods did you use to figure those out?
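Added example (not from any poster in this thread): a receiver looks for the SPF TXT record at exactly the envelope-sender domain, here `vps21.domain.nl` as shown by `smtp.mailfrom` in the bounce, so a record at `spf.domain.nl` or `spf.vps21.domain.nl` is only consulted when an `include:` points at it. The minimal evaluator below runs against a constructed zone; the documentation IP addresses and the `include:` record at `domain.nl` are assumptions.

```python
import ipaddress

# Constructed zone modelled on the thread. Documentation addresses stand in
# for the masked server IPs; the domain.nl include record is an assumption.
ZONE = {
    "spf.domain.nl": ["v=spf1 ip4:192.0.2.10 ip6:2001:db8::10 -all"],
    "domain.nl": ["v=spf1 include:spf.domain.nl -all"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(zone, domain):
    """Return the v=spf1 TXT record published at exactly this name, if any."""
    records = [t for t in zone.get(domain.lower(), []) if t.lower().startswith("v=spf1")]
    return records[0] if records else None

def check_host(zone, ip, domain, depth=0):
    """Minimal RFC 7208 evaluation: ip4, ip6, include and all only."""
    record = spf_record(zone, domain)
    if record is None:
        return "none"          # nothing published at this exact name
    if depth > 10:
        return "permerror"     # lookup limit
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            match = addr.version == net.version and addr in net
        elif name == "include":
            inner = check_host(zone, ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"   # include target must exist and be valid
            match = inner == "pass"
        elif name == "all":
            match = True
        else:
            continue                 # mechanisms outside this sketch are skipped
        if match:
            return RESULTS[qualifier]
    return "neutral"

def with_record(zone, name, text):
    """Copy of the zone with one extra TXT record (for what-if checks)."""
    return {**zone, name: zone.get(name, []) + [text]}
```

With the zone as constructed, `check_host(ZONE, "192.0.2.10", "vps21.domain.nl")` is `none`, matching the `Received-SPF: None` line in the bounce; publishing `v=spf1 include:spf.domain.nl -all` at `vps21.domain.nl` itself turns it into `pass`.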
 