Some local emails do not have DKIM

awzeak

Hello,

I have enabled DKIM (per instructions here), generated DKIM keys (/usr/local/directadmin/scripts/dkim_create.sh %% nodns, where %% is pl-vhost-01.businessdomain and businessdomain, both were configured manually in DNS to include DKIM records and appropriate selector from the configuration), however only half of the service emails are signed by DKIM:

Code:
Return-Path: <[email protected]>
Delivered-To: myname@businessdomainbusinessdomain
Received: from pl-vhost-01.businessdomain (pl-vhost-01.businessdomain [directadmin-ipaddress])
    by personaldomain (Postfix) with ESMTPS id 613F416E00EE
    for <abuse@businessdomain>; Tue, 2 Jan 2024 14:40:23 +0200 (EET)
Authentication-Results: personaldomain; dmarc=pass (p=reject dis=none) header.from=pl-vhost-01.businessdomain
Authentication-Results: personaldomain; spf=pass smtp.mailfrom=pl-vhost-01.businessdomain
Authentication-Results: personaldomain;
    dkim=pass (2048-bit key) header.d=pl-vhost-01.businessdomain [email protected] header.b=ZUTrmjWI;
    dkim-atps=neutral
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=pl-vhost-01.businessdomain; s=plv01; h=Date:Message-Id:Subject:To:From:
    Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:
    Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
    Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id:
    List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
    bh=lLAZK2SGgfOzlFpdipqueqReoOSGMV8bTMJYgTxk6QA=; b=ZUTrmjWId/XcOCj0qxGQbukcrG
    ENpJbXiPqo/jFoeO/XOpi1i3TIwayxhWRUo/jjeC5jvLWT3d4PbQFUR3IuYel18+nptsmzx5615kp
    a5DWnuoz0rBiZAQA2XE/leFZzZ4EkhbMpoNsX8UN9yphpppvGnNHQl1VlZTTB8hbBNGSrxjUHZ6jQ
    U2TJfp39hr39nyTWyVGrbyQGxFCDMtSCCZ8I/ffQMk1xiw0StRa77l+c/y2kGqzN4pYcJDtHbUclP
    av9uH172oDJDS1+sQbk72fkOGimJvhcMgxvHnz+YF+RhEGHxNDVUycrUo4+DO/EKZFfwKIRxRMhY6
    parlhX0w==;
Received: from root by pl-vhost-01.businessdomain with local (Exim 4.97)
    (envelope-from <[email protected]>)
    id 1rKe4D-000000037y0-2ILU
    for abuse@businessdomain;
    Tue, 02 Jan 2024 13:40:21 +0100
From: [email protected]
To: abuse@businessdomain
Subject: lfd on pl-vhost-01.businessdomain: blocked 167.172.235.223 (Unknown)
Message-Id: <[email protected]>
Date: Tue, 02 Jan 2024 13:40:21 +0100
X-DCC-x.dcc-servers-Metrics: flopster; whitelist

Time: Tue Jan 2 13:40:21 2024 +0100
IP: 167.172.235.223 (Unknown)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Temporary Block for 86400 seconds [LF_SSHD]

Log entries:

Jan 2 13:13:20 pl-vhost-01 sshd[745069]: Invalid user app from 167.172.235.223 port 43308
Jan 2 13:20:05 pl-vhost-01 sshd[745201]: Invalid user appuser from 167.172.235.223 port 39056
Jan 2 13:26:50 pl-vhost-01 sshd[745353]: Invalid user bigdata from 167.172.235.223 port 53952
Jan 2 13:33:35 pl-vhost-01 sshd[745481]: Invalid user bot from 167.172.235.223 port 45372
Jan 2 13:40:20 pl-vhost-01 sshd[745602]: Invalid user centos from 167.172.235.223 port 57556

Code:
Return-Path: <abuse@businessdomain>
Delivered-To: myname@businessdomain
Received: from pl-vhost-01.businessdomain (pl-vhost-01.businessdomain [directadmin-ipaddress])
    by personaldomain (Postfix) with ESMTPS id C1CBA16E00EE
    for <abuse@businessdomain>; Tue, 2 Jan 2024 14:40:23 +0200 (EET)
Authentication-Results: personaldomain; dmarc=pass (p=reject dis=none) header.from=businessdomain
Authentication-Results: personaldomain; spf=pass smtp.mailfrom=businessdomain
Received: from root by pl-vhost-01.businessdomain with local (Exim 4.97)
    (envelope-from <abuse@businessdomain>)
    id 1rKe4E-000000037y9-0BA6;
    Tue, 02 Jan 2024 13:40:22 +0100
From: abuse@businessdomain
To: abuse@businessdomain,[email protected]
Auto-Submitted: auto-generated
X-XARF: PLAIN
Content-Type: multipart/mixed;
    boundary="csf-1704199221"
MIME-Version: 1.0
Subject: abuse report about 167.172.235.223 - 2024-01-02T13:40:21+0100
Message-Id: <[email protected]>
Date: Tue, 02 Jan 2024 13:40:22 +0100
X-DCC-x.dcc-servers-Metrics: flopster; whitelist

This is a multi-part message in MIME format.
--csf-1704199221
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=utf-8

The IP address 167.172.235.223 (Unknown) was found attacking sshd on pl-vhost-01.businessdomain 5 times in the last 3600 seconds.

Attached is an X-ARF report (see http://www.xarf.org/specification.html) and the original log report that triggered this block.

Abuse Contact for 167.172.235.223: [[email protected]]

The Abuse Contact of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email ([email protected]). Information about the Abuse Contact Database can be found here:

https://abusix.com/global-reporting/abuse-contact-db

abusix.com is neither responsible nor liable for the content or accuracy of this message.

--csf-1704199221
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="report.txt"
Content-Type: text/plain; charset=utf8; name="report.txt";

Reported-From: abuse@businessdomain
Report-ID: [email protected]
Category: abuse
Report-Type: login-attack
Service: sshd
User-Agent: csf v14.20
Date: 2024-01-02T13:40:21+0100
Source: 167.172.235.223
Source-Type: ipv4
Attachment: text/plain
Schema-URL: https://download.configserver.com/abuse_login-attack_0.2.json

--csf-1704199221
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="logfile.log"
Content-Type: text/plain; charset=utf8; name="logfile.log";

Jan 2 13:13:20 pl-vhost-01 sshd[745069]: Invalid user app from 167.172.235.223 port 43308
Jan 2 13:20:05 pl-vhost-01 sshd[745201]: Invalid user appuser from 167.172.235.223 port 39056
Jan 2 13:26:50 pl-vhost-01 sshd[745353]: Invalid user bigdata from 167.172.235.223 port 53952
Jan 2 13:33:35 pl-vhost-01 sshd[745481]: Invalid user bot from 167.172.235.223 port 45372
Jan 2 13:40:20 pl-vhost-01 sshd[745602]: Invalid user centos from 167.172.235.223 port 57556


--csf-1704199221--

Code:
[root@pl-vhost-01 ~]# ls /etc/virtual/pl-vhost-01.businessdomain/
dkim.private.key  dkim.public.key
[root@pl-vhost-01 ~]# ls /etc/virtual/businessdomain/
dkim.private.key  dkim.public.key
 
If you have to put in DKIM records manually anyway (for example, if you use external DNS) and you don't use an automatic system for customers where they can pay for an account and it will automatically be created, then you are better off using dkim=1, so everything is created automatically and you only have to copy the records to your external DNS. Much easier.

Unfortunately, without a real domain name, we're looking in the dark here. To have a good look, it's required, either here or by PM if you don't want to post it publicly.
 
1. I have configured DNS records for DKIM (both pl-vhost-01.businessdomain and businessdomain) for the keys DirectAdmin generated.
2. These are NOT customers' domains; they are my own domains, which I use to send service emails (like notifications, abuse complaints, lfd IP address block notifications).
3. When DKIM is used, signing works flawlessly - the issue is that some emails sent by DirectAdmin are not signed by DKIM.
 
the issue is that some emails sent by DirectAdmin are not signed by DKIM
Which is why I asked you for real data so I can see what is going on.

From your headers, the only difference I see is that the mails with DKIM missing are from the main businessdomain and the mail with correct DKIM is from the hostname.

I also see Postfix in there, and DA does not use Postfix, but you use the same domains as example.

Sorry, I can't help you further with decent info; give it by PM if needed, otherwise I will keep guessing, and I don't like to guess. I want to be able to help decently.
And please explain the Postfix part in there too.
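
The comparison made in the last reply (which From domain carries a DKIM-Signature and which does not) can be scripted over saved raw messages. This is an added example, not part of the thread or of DirectAdmin; the sample messages, `host01.example.com`, `sel01` and the function names are constructed, and the alignment test is a simplification of DMARC relaxed alignment. It checks only for the presence of a signature header, not its cryptographic validity.

```python
import email
from email.utils import parseaddr

def dkim_tags(value):
    """Parse a DKIM-Signature tag-list (RFC 6376): 'tag=value' pairs split on ';'."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # folding whitespace is not significant
    return tags

def signing_report(raw):
    """Return From domain, (d=, s=) of every DKIM-Signature, and simplified alignment."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(header)
        signers.append((tags.get("d", "").lower(), tags.get("s", "")))
    # Assumption: a parent/child suffix match stands in for DMARC relaxed alignment,
    # which really compares organizational domains from the Public Suffix List.
    aligned = any(
        d and (d == from_domain or from_domain.endswith("." + d) or d.endswith("." + from_domain))
        for d, _ in signers
    )
    return {"from_domain": from_domain, "signers": signers, "aligned": aligned}

def unsigned_from_domains(raw_messages):
    """From domains whose messages carry no DKIM-Signature header at all."""
    reports = [signing_report(raw) for raw in raw_messages]
    return sorted({r["from_domain"] for r in reports if not r["signers"]})

# Constructed samples modelled on the two notifications in the thread.
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;\n"
    "\td=host01.example.com; s=sel01; h=Date:Message-Id:Subject:To:From;\n"
    "\tbh=CONSTRUCTED=; b=CONSTRUCTED\n"
    "From: root@host01.example.com\nTo: abuse@example.com\n"
    "Subject: lfd notification\n\nbody\n"
)
UNSIGNED = "From: abuse@example.com\nTo: abuse@example.com\nSubject: abuse report\n\nbody\n"

if __name__ == "__main__":
    for raw in (SIGNED, UNSIGNED):
        print(signing_report(raw))
    print("unsigned From domains:", unsigned_from_domains([SIGNED, UNSIGNED]))
```
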
 