When I try to use POP3 with SSL, Gmail complains: "Certificate is self-signed"

Am I supposed to also create the subdomain: server.primarydomain.com
No, please don't do that; most likely it won't even be possible because it already exists separately.

This week I discovered that crt.sh does not seem to update in near real time anymore. I don't know why.
So if you were sure you did the step and things went fine, then you should be ok.

The hostname (server.primarydomain.com) is correctly listed in the certificate.
There you go. If those say it's fine, then it is. Otherwise you would also get a browser complaint if you visited https://server.primarydomain.com.

If you also have mail_sni=1 in the directadmin.conf then all is fine. And I presume it all is otherwise mail-tester would have thrown some issue.

You could also try this one just for fun.
 
Hi Richard,

Thanks to your help, I've learned a lot, and all of the testing tools I've tried seem happy with my setup. And I've setup DMARC reports and have been analyzing the results, and they look good to me.

I had a question though: Should my hostname (server.primarydomain.com) have an SPF record?

I've been looking at these 3 threads:

1. https://forum.directadmin.com/threa...es-failed-because-of-dmarc-restriction.69819/

2. https://forum.directadmin.com/threads/how-to-enable-dkim-spf-for-server-domain.66593/

3. https://forum.directadmin.com/threa...age-to-sender-for-diradmin.69678/#post-369233

Particularly the first thread where you mentioned:

I -always- use SPF and DKIM in my hostname

when I create the hostname record (if not present) the SPF record for the hostname is created automatically by DA.

I only have to do the DKIM record for the servers domain name first, and then afterwards I create the DKIM record for the hostname which will then be in DNS automatically also.

How come DA does not create the SPF record automatically at your server?

It does not seem to me like an SPF record was created for my hostname.

I have the following SPF record in Admin -> Server Manager -> DNS Administration -> PrimaryDomain.com

primarydomain.com. 14400 TXT "v=spf1 a mx ip4:ip.add.re.ss include:_spf.google.com ~all"


Should I change the value from:

"v=spf1 a mx ip4:ip.add.re.ss include:_spf.google.com ~all"

to

"v=spf1 a mx ip4:ip.add.re.ss include:_spf.google.com include:server.primarydomain.com ~all"

?

Thank you
 
I had a question though: Should my hostname (server.primarydomain.com) have an SPF record?
Yes and if possible also a DKIM record. If you follow my manual, normally on creation of the fqdn hostname in DNS administration, DA will automatically create an SPF record for it. Unless some bug prevents that now, but until end of November last year this was still the case.

It does not seem to me like an SPF record was created for my hostname.
That is very strange.
It's a bit late and I don't remember everything. Do you use your own DNS or remote DNS?
If you use your own DNS you should have an SPF record in your hostname DNS record which should exist anyway.
Admin -> Server Manager -> DNS Administration -> server.primarydomain.com
If you don't have server.primarydomain.com separately in there, then you do not have a DNS record for your hostname as instructed.
If you do, then this record should already contain an SPF record.
This doesn't matter if you use internal or external DNS.

The only difference is that external DNS doesn't have separate records, so you could include it in the SPF of primarydomain.com in external DNS; however, it should in fact not fail because MX is already pointing to the mailserver (so the hostname). But one never knows. I don't work with external DNS; it can't hurt in any way to add it.
But locally in the DA server it should be present also.
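Added example, not from the thread: a small SPF evaluator run against a hand-built zone instead of live DNS, followed by the DMARC alignment step that mail-tester applies to the SPF result. It shows the point made above: mail sent from the server IP already passes primarydomain.com's SPF through the `a`, `mx` and `ip4` mechanisms, so `include:server.primarydomain.com` adds nothing for that IP. It also shows the one caveat worth knowing before adding that include at Cloudflare: RFC 7208 makes an `include:` of a name that publishes no SPF record a PermError for the whole check, so the hostname's own SPF TXT must really exist at the DNS the world queries. Every name, address and record below is constructed (203.0.113.10 stands in for ip.add.re.ss, and the hostname SPF is an assumed stand-in for what DirectAdmin generates); the organizational-domain helper uses the last two labels rather than the Public Suffix List.

```python
"""Added example (not from the thread): evaluate SPF the way a receiver does,
using a small hand-built zone instead of live DNS, then apply DMARC identifier
alignment to the result. All names, addresses and records are constructed."""
import ipaddress

# Constructed zone data. 203.0.113.10 stands in for ip.add.re.ss; the
# server.primarydomain.com SPF is an assumed stand-in for the record DirectAdmin
# creates for a hostname zone, not copied from a real server.
ZONE = {
    "primarydomain.com": {
        "A": ["203.0.113.10"],
        "MX": ["mail.primarydomain.com"],
        "TXT": ["v=spf1 a mx ip4:203.0.113.10 include:_spf.google.com ~all"],
    },
    "mail.primarydomain.com": {"A": ["203.0.113.10"]},
    "server.primarydomain.com": {
        "A": ["203.0.113.10"],
        "TXT": ["v=spf1 a mx ip4:203.0.113.10 ~all"],
    },
    "_spf.google.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    # Zone whose SPF includes a hostname that publishes no SPF record at all.
    "broken.example": {"TXT": ["v=spf1 include:server.broken.example -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    txts = [t for t in ZONE.get(domain, {}).get("TXT", []) if t.startswith("v=spf1")]
    return txts[0] if len(txts) == 1 else None


def check_spf(ip, domain, depth=0):
    """RFC 7208 check_host() for the mechanisms that appear in the thread."""
    if depth > 10:
        return "permerror"                  # include recursion limit
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in ZONE.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            hosts = ZONE.get(arg or domain, {}).get("MX", [])
            matched = any(str(addr) in ZONE.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":
            inner = check_spf(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"          # RFC 7208 5.2: include of a missing record is fatal
            matched = inner == "pass"
        else:
            return "permerror"              # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                        # nothing matched and no "all" term


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (no PSL lookup)."""
    return ".".join(domain.rstrip(".").lower().split(".")[-2:])


def dmarc_spf_aligned(from_domain, envelope_domain, mode="r"):
    """DMARC alignment between the RFC5322.From domain and the SPF-authenticated domain.

    Relaxed mode (the DMARC default) is why system mail authenticated as
    server.primarydomain.com still aligns with a From: at primarydomain.com.
    """
    if mode == "s":
        return from_domain.lower() == envelope_domain.lower()
    return org_domain(from_domain) == org_domain(envelope_domain)
```

`check_spf("203.0.113.10", "primarydomain.com")` passes on the `a` mechanism before the `include:` terms are ever consulted, while `check_spf("203.0.113.10", "broken.example")` returns `permerror` because the included hostname has no record; that is the failure mode to test for after adding `include:server.primarydomain.com` to a zone hosted outside DirectAdmin.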
 

Thank you for the info. So to refresh, this is what I have currently:


1. Admin -> Server Manager -> DNS Administration -> primarydomain.com

Clipboard01.jpg

2. And then in CloudFlare -> primarydomain.com I have:

Clipboard01.jpg

Questions:


1. Should I take all of those A), B), C) and D) records from Admin -> Server Manager -> DNS Administration -> primarydomain.com

and recreate them in: Admin -> Server Manager -> DNS Administration -> server.primarydomain.com

?

(The server.primarydomain.com zone, aka my hostname, does not currently exist)


2. After that, should I delete any of the A), B), C) or D) records from:

Admin -> Server Manager -> DNS Administration -> primarydomain.com


?


3. And then in CloudFlare -> primarydomain.com I would change it from:

TXT
primarydomain.com
v=spf1 a mx ip4:ip.add.re.ss include:_spf.google.com include:amazonses.com ~all

to

TXT
primarydomain.com
v=spf1 a mx ip4:ip.add.re.ss include:_spf.google.com include:amazonses.com include:server.primarydomain.com ~all

?


Thank you
 

Phew, a lot of questions, LoL. Let's see if I can answer them in the correct order. This is the way I do things. Others sometimes don't use a separate hostname record. I find it easy because it sometimes prevents some issues, and I like to be better safe than sorry.

1.) No, certainly not. Just create the hostname zone record as in my manual.
Leave that also as is. You can create a DKIM record for the hostname via a command via SSH.
Code:
cd /usr/local/directadmin/scripts
./dkim_create.sh server.primarydomain.com
if all is correct it will create the same DKIM record as in your primarydomain.com dns. Or didn't you create DKIM for primarydomain.com?

2.) Only A, B and C. Do not delete D because that is primarydomain.com and not server. I presume you have others in there too like mail and pop and ftp and www and such, you can keep them also. Only remove the server records.

3.) I don't use Cloudflare so I'm not 100% sure how it works, but just to be sure in Cloudflare I would add include:server.primarydomain.com in the existing SPF record of primarydomain.com or you have to wait until I get the answer of a question I asked elsewhere on the forums.
But what you suggest seems right to me.
Either that, or create another TXT record for server.primarydomain.com if that is possible. However, most likely this isn't necessary and your solution is good.

I only don't understand why you include amazonses and google in your spf record.
Are you aware that (without DKIM) you would give free rein to anyone abusing Gmail or Amazon SES to send mail on behalf of your name, because their SPF records are included?
 
Thank you,

Before I went down this road, I'm pretty sure I already had DKIM set up correctly for primarydomain.com

These are the DKIM records I have always had:

Clipboard01.jpg

One is for a Google Gmail account that I setup with my domain, and the other one is for a project involving Amazon Simple Email Service.

Amazon has some verification steps involving DKIM that you need to go through before you can use it, so I'm pretty sure all is well with that.

Ok, so I will try this now:

1. "Create the hostname zone record as in my manual"

Go to DNS Administration as admin at admin level.

DirectAdmin -> Admin -> Server Manager -> DNS Administration

There you enter server.primarydomain.com as new domain and your server ipv4 and then ns1.primarydomain.com and ns2.primarydomain.com and save.

Then don't forget, via SSH, to create the server.primarydomain.com directory in /etc/virtual and chown it to mail:mail.


2. Create a DKIM record for the hostname

cd /usr/local/directadmin/scripts
./dkim_create.sh server.primarydomain.com

- If all is correct it will create the same DKIM record as in your primarydomain.com


3. Delete A), B), C) records from Admin -> Server Manager -> DNS Administration -> primarydomain.com

Clipboard01.jpg

I presume you have others in there too like mail and pop and ftp and www and such, you can keep them also. Only remove the server records.

Yes thank you, I have others. I was just showing the records that seemed relevant.


4. In CloudFlare -> primarydomain.com change it from:

TXT
primarydomain.com
v=spf1 a mx ip4:ip.add.re.ss include:_spf.google.com include:amazonses.com ~all

to

TXT
primarydomain.com
v=spf1 a mx ip4:ip.add.re.ss include:_spf.google.com include:amazonses.com include:server.primarydomain.com ~all


Thanks
 

Then you will have kind of the same as you now have for the same www record (which you will delete).
Don't delete the www record from the server.domain.com entry. I was most likely referring here to the server entries in primarydomain.com, so what is done in 3.

As far as I can see it's good like this.
Just be aware of one thing. It's possible hostname system mails are not signed by DKIM. It's a known bug and probably still not fixed. However, the SPF record should work fine to get system mails to Gmail. I never had issues with it.
 
Thank you, I see now my stupid mistake was going to Admin -> Server Manager -> DNS Administration -> PrimaryDomain.com and adding the hostname records there.

It should have been Admin -> Server Manager -> DNS Administration -> Add DNS Zone

For anyone that might be reading this thread in the future, I've kept post #26 updated and corrected with the steps I've taken to get to this point.
 
Thank you, I see now my stupid mistake
That is not a stupid mistake, but just another way of doing things. It can be done like that also, but I never do it like that; it uses slightly different instructions, and a separate hostname in DNS administration has its benefits.

Yes for the hostname server.primarydomain.com it's DNS administration and then add DNS zone. I will update my manual to make that more clear.
 
When adding the new DNS Zone for server.primarydomain.com I noticed a few things:


Clipboard01.jpg

1. Under DNS Administration, it changed my Local Mail status for primarydomain.com from Yes to No

Under further investigation, I noticed that it deleted the MX record I used to have...

Clipboard01.jpg
Is this supposed to happen ? Should I recreate this record?


2. I notice the Local Data status for server.primarydomain.com is "No". That's OK ?


3. After adding the DNS Zone for server.primarydomain.com, it also automatically created records for FTP, POP, etc.

I deleted those records, leaving only these 3 records:

server.primarydomain.com. 3600 A ip.add.re.ss

server.primarydomain.com. NS ns1.primarydomain.

server.primarydomain.com. NS ns2.primarydomain.


4. Everything went fine with creating the DKIM record for the hostname.

It created the same DKIM record as my primarydomain.com


Thanks
 

1. Under DNS Administration, it changed my Local Mail status for primarydomain.com from Yes to No
That should not happen, so that is odd. Unless you deselected the option on the MX page of primarydomain.com that this local server is handling your e-mail. If you set this to gmail, then this also can be the cause.
This can normally not happen if you only enter a hostname in DNS administration.

Under further investigation, I noticed that it deleted the MX record I used to have...
I would doublecheck the MX page of primarydomain.com to see what caused this.

2.) Yes that is correct and normal. Local data no and local mail yes.

3.)
I deleted those records, leaving only these 3 records:
That wasn't necessary. They might not be needed but to be sure I would leave www in there and for sure also mail because the MX points to that so it should have an A record. I don't know 100% if that makes any difference, but I would leave those in there just to be sure.
If you use ipv6 then also for ipv6.

4.) Great. Yes correct if all is well it creates the same DKIM record.
 
Weird, I definitely didn't deselect that option before adding the server.primarydomain.com DNS Zone.

I wasn't even sure where to find it at first, but I did find it under User Level -> PrimaryDomain -> E-mail manager -> MX Records

So in an attempt to do this properly, this is what I've done...

1. I re-added the MX record that seemed to somehow be deleted from PrimaryDomain.com DNS

primarydomain.com. 14400 MX 10 mail.primarydomain.com.

2. I added the checkmark back under: User Level -> PrimaryDomain.com -> E-mail manager -> MX Records

3. I deleted the server.primarydomain.com DNS Zone, and re-added it. This time I didn't delete any records.

4. I re-added the DKIM for server.primarydomain.com and it matches.

Local Data and Local Mail settings are now as expected.
 
One thing I'm wondering, should all of these 3 SPF records match?

The Cloudflare one is the most complete.

I do have DKIM records for Google and Amazon.

Right now I have...

Clipboard01.jpg
I'm just wondering if the top 2 records should also have the missing 'includes'
 
Seems fine to me.

Since you are using external DNS, the SPF is checked at the external DNS so if they are present there, things should be fine if I'm correct.

Just to be sure I would send a test mail by using mail-tester.com and the instructions there and see if you get a 10/10 or 9.8/10 score or something like that.
 
Thank you,

I tried sending a message from [email protected] to mail-tester


Your message passed the DMARC test

Your server IP.ADD.RE.SS is successfully associated with server.primarydomain.com

Your domain name primarydomain.com is assigned to a mail server.

Your hostname server.primarydomain.com is assigned to a server.

Your DKIM signature is not valid



It turns out I was wrong about my DKIM record for the hostname matching my primarydomain.com DKIM record.

I thought they were the same because I quickly scanned the beginning and end of the keys.

But upon closer inspection they are different.


This is what I currently have as my 5 DKIM records.

There are 3 unique keys involved.
Clipboard01.jpg
I was noticing in this thread that you mentioned ...

Once this is done, and you create DKIM for the hostname, then the entry will be entered in the hostname's DNS automatically (at least if dkim=1). You will also see that the DKIM value for server.domain.com will be exactly the same as in domain.com.

In directadmin.conf I have dkim=2

Perhaps that is why my DKIM value for server.primarydomain.com was not set to be the same when running this command?

cd /usr/local/directadmin/scripts
./dkim_create.sh server.primarydomain.com


Thank you
 
It turns out I was wrong about my DKIM record for the hostname matching my primarydomain.com DKIM record.
Okay, that is good to know. However, it's odd, because how can the DKIM signature be wrong if the hostname does not send it? With mail-tester.com you should test mail from primarydomain.com, not really from server.primarydomain.com.
I always have the same DKIM key as far as I remember (have to check again), but if your DA server generates a different DKIM key for your hostname (server.primarydomain.com) then of course you should use that one. As I said before... copy what is present in DA. ;)
Exactly these kind of things are the benefit of running own nameservers.

Seems something is wrong or I don't understand. 1 and 3 are the same but using a different key??? That I don't understand.
I even think it might be that 3 must be removed and 4 too, because you already have them in 1 and 2. Although in that case I don't understand why there is key 1 and 2. Or you have different records because of google and amazonses or something.

For DA there should be 2 dkim keys present. Both in DA and Cloudflare. 1 for primarydomain.com and 1 for server.primarydomain.com. Other dkim keys for Google and Amazonses is not my department. :)

In directadmin.conf I have dkim=2
Yes, that's why I wrote it will happen if dkim=1 because I'm not sure if it will also happen if dkim=2 because I don't use that.
Maybe it does, maybe it doesn't, you have to doublecheck. But as far as I know it's done too. But I normally don't write things I'm not sure about, or else I write that I'm not sure. :)
If it's present in server.primarydomain.com then it's fine.

But this setting doesn't have to to with having a different hostname key. I will doublecheck mine later again to verify if I have different ones on some of the servers.
 
For DA there should be 2 dkim keys present. Both in DA and Cloudflare. 1 for primarydomain.com and 1 for server.primarydomain.com. Other dkim keys for Google and Amazonses is not my department

Thank you, I purposefully left out my Google DKIM keys. They match in DA and Cloudflare and I didn't want to add to the confusion.

So maybe let's start with what *should* be there and how it should look, involving DA and Cloudflare only.

For DA there should be 2 dkim keys present. Both in DA and Cloudflare.

1 for primarydomain.com and 1 for server.primarydomain.com.

Am I correct to understand that these keys (p=) can be different ?

Maybe that's what confused me. I thought perhaps the key values (p=) should match between primarydomain.com and server.primarydomain.com

Focusing on DA and Cloudflare only (leaving Amazon/Google up to me), is it my goal to end up with this:

Clipboard01.jpg

And then this record can presumably be deleted...
Clipboard01.jpg

Thank you
 

Ok, mail-tester seems happy now.

The only kind of tricky part (for someone that's never done this before) was learning how to set the server.primarydomain.com key on CloudFlare.

It goes under CloudFlare -> PrimaryDomain.com but the 'Name' of the record should be: x._domainkey.server

In the end, I have these 4 DKIM records between DirectAdmin and CloudFlare:

Clipboard01.jpg
 

Am I correct to understand that these keys (p=) can be different ?
They might be. As said I haven't have time yet to doublecheck on my servers, probably will do that after I'm ready here. But in fact it doesn't really matter. If DA gives a different key then a different key is to be used.

Focusing on DA and Cloudflare only (leaving Amazon/Google up to me), is it my goal to end up with this:
That one looks correct to me.

In the end, I have these 4 DKIM records between DirectAdmin and CloudFlare:
In this one I'm confused about 3 and 4. They are switched now compared to the previous one but that could be due to cloudflare. So you might be correct there with 4, I don't know as I don't use cloudflare.

However, in directadmin it's x._domainkey.server.domain.com and not x._domainkey.domain for the hostname.
So in the last example 1 and 2 look good, but be aware that in Directadmin, the domain is always added, so if DNS there says x._domainkey it will end up in being (for number 3) x._domainkey.server.primarydomain.com. in fact.
As long as you're aware about that, then it's fine by me, but since on 3 it only shows x._domainkey it might give me the wrong impression.
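Added example, not from the thread: a few helpers for the two things that tripped up the DKIM step above. First, the name confusion: DirectAdmin shows the absolute name `x._domainkey.server.primarydomain.com.`, Cloudflare wants the zone-relative `x._domainkey.server` inside primarydomain.com, and a verifier that sees `d=server.primarydomain.com; s=x` in a signature queries `x._domainkey.server.primarydomain.com`; all three must end up as the same name. Second, the "they looked the same" mistake earlier in the thread: two RSA public keys share the same leading bytes (the ASN.1 header) and the same trailing `IDAQAB` (the exponent 65537), so the only reliable comparison is the full `p=` value, after joining the quoted strings DNS splits a long TXT record into. The selector `x`, the keys and the PEM text below are constructed, and the `/etc/virtual/<domain>/dkim.public.key` location mentioned in the comments is an assumed DirectAdmin path to compare against, not something the thread states.

```python
"""Added example (not from the thread): turn zone-relative DKIM names into the
FQDN a receiver queries, and compare two published DKIM records by their full
public key rather than by eyeballing its first and last characters.
The selector "x", the zones, the keys and the PEM text are all constructed."""
import hashlib


def dkim_fqdn(name, zone):
    """Fully qualified record name as a receiver would query it.

    A trailing dot marks an absolute name (DirectAdmin style); anything else is
    relative to the zone it lives in, which is why "x._domainkey.server" entered
    inside primarydomain.com becomes x._domainkey.server.primarydomain.com.
    """
    zone = zone.rstrip(".").lower()
    name = name.strip().lower()
    if name.endswith("."):
        return name.rstrip(".")
    if name in ("", "@"):
        return zone
    return f"{name}.{zone}"


def dkim_query_name(selector, signing_domain):
    """The name a verifier looks up for the d=/s= pair in a DKIM-Signature header."""
    return f"{selector}._domainkey.{signing_domain.rstrip('.').lower()}"


def parse_dkim_txt(strings):
    """Join the quoted TXT strings (records over 255 bytes are split) and parse tag=value pairs."""
    raw = "".join(strings)
    tags = {}
    for part in raw.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())   # DKIM ignores whitespace inside values
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        raise ValueError("not a DKIM key record")
    return tags


def p_value_from_pem(pem):
    """Strip PEM armor so a local public key file (assumed path in DirectAdmin:
    /etc/virtual/<domain>/dkim.public.key) can be compared with the published p= value."""
    return "".join(line.strip() for line in pem.strip().splitlines()
                   if not line.startswith("-----"))


def key_fingerprint(tags):
    """Short SHA-256 of the base64 key, so two records can be compared at a glance."""
    return hashlib.sha256(tags["p"].encode()).hexdigest()[:16]


def same_key(record_a, record_b):
    """True only when the complete p= values match, not just their ends."""
    return parse_dkim_txt(record_a)["p"] == parse_dkim_txt(record_b)["p"]


# Constructed records: two keys with identical prefix (ASN.1 header) and suffix
# (exponent 65537, "IDAQAB"), which is exactly why a quick visual scan misleads.
KEY_A = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "a" * 300 + "IDAQAB"
KEY_B = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "b" * 300 + "IDAQAB"
DA_RECORD = ["v=DKIM1; k=rsa; p=" + KEY_A[:200], KEY_A[200:]]   # split as DNS does for long TXT
CF_RECORD = ["v=DKIM1; k=rsa; p=" + KEY_B]
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + KEY_A[:64] + "\n" + KEY_A[64:]
              + "\n-----END PUBLIC KEY-----\n")
```

The practical check after publishing at Cloudflare is to confirm that `dkim_fqdn("x._domainkey.server", "primarydomain.com")` equals `dkim_query_name("x", "server.primarydomain.com")`, and that the `p=` parsed from the record returned for that name equals `p_value_from_pem()` of the key DirectAdmin generated for the hostname; a `key_fingerprint()` per record makes the four DKIM entries in the screenshot comparable at a glance without reading 400-character keys.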
 