Opendkim No Key

  • Hello everyone, I have set up my server so that imscp manages DNS.
    Under Domains the key is also entered in the panel, but when I run a query I get "No key":
    opendkim-testkey -d domain -s mail -vvv
    The domains are registered with Domainoffensive.
    Do I perhaps also need to create an entry there so that the opendkim records, which are managed by imscp, point to the server? If you set the management to external in imscp, then I have to create the DKIM record at Domainoffensive, but how does it work when imscp manages it?

  • @lugau45



    As I understand, you're using an external DNS server at https://www.do.de/ and you want to add your opendkim key for your domain, right?


    Questions:

    • i-MSCP version in use?
    • i-MSCP OpenDKIM plugin version in use?
    • Which domain did you use for the opendkim-testkey test command? The parent domain or a subdomain?
    • Result of the following command: ls -la /etc/opendkim/keys/*?


  • Hello, I use the local DNS resolver under imscp. The domains are at Domainoffensive.


    • The version of imscp is 1.5.1
    • Opendkim Plugin 2.0.0.
    • opendkim-testkey -d webhosting-waldhufe.de -s mail -vvv


    Should I change dns resolver to external?


    Code
    /etc/opendkim/keys/webhosting-waldhufe.de:
    insgesamt 16
    drwxr-x--- 2 opendkim opendkim 4096 Sep 9 10:22 .
    drwxr-x--- 10 opendkim opendkim 4096 Sep 9 10:06 ..
    -rw------- 1 opendkim opendkim 1675 Sep 9 10:22 mail.private
    -rw------- 1 opendkim opendkim 545 Sep 9 10:22 mail.txt
    ......

    At Domainoffensive there is an A record to the IP of the server.

  • @lugau45


    On your i-MSCP server, result of the following commands please:

    Shell-Script
    cat /etc/resolv.conf
    Shell-Script
    dig txt mail._domainkey.webhosting-waldhufe.de

    Hello, I use the local dns resolver under imscp.

    OK, but did you set the DKIM TXT record too in the webhosting-waldhufe.de zone at Domainoffensive? A dig currently gives no result:

    Shell-Script
    root@stretch:~# dig txt mail._domainkey.webhosting-waldhufe.de
    ; <<>> DiG 9.10.3-P4-Debian <<>> txt mail._domainkey.webhosting-waldhufe.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8226
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;mail._domainkey.webhosting-waldhufe.de. IN TXT
    ;; AUTHORITY SECTION:
    webhosting-waldhufe.de. 10665 IN SOA ns1.resellerinterface.de. info.waldhufe.eu. 2017090903 10800 3600 604800 86400
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Sep 09 11:35:00 CEST 2017
    ;; MSG SIZE rcvd: 141
    root@stretch:~#

    The DKIM key is shown in customer interface (i-MSCP control panel, at the mail section --> DKIM DNS records).


    When all is properly configured, you should get a result such as:



    Shell-Script
    root@stretch:~# dig txt mail._domainkey.bbox.nuxwin.com
    ; <<>> DiG 9.10.3-P4-Debian <<>> txt mail._domainkey.bbox.nuxwin.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64418
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;mail._domainkey.bbox.nuxwin.com. IN TXT
    ;; ANSWER SECTION:
    mail._domainkey.bbox.nuxwin.com. 60 IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3LIXF7u2Dz77cMchCHV6jQSQllBEfG5df0GlnRYE6dQs/Fceb2rWo0Jt68hNRGvNGO/vObmmoY6enGMuVBBNb5BXhI7J285uRfFke9fks5MMNg0dCDXv+ccoAOjTpQSyTy62Ub7Z6N3IwfiSO03nhJ0xIN8WwMMQ+UnYmeR37bFGNi" "TGkB7COMT2iLqVTaz526IzV6jF5ja/2U6Ta7Q5k4F7O+6Q2Uus2EYi0NLxOANB5zb7vhyRREDTel0rqHcizYwBLjR2Mm4Ys1xlOWYMkNkHxHxVMQ+Dv3m5xiLrHFzmYA4hOgx5ep9SsvXwKaQJz+p/TQejpbgWfsV7Rmfa5wIDAQAB"
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Sep 09 11:41:21 CEST 2017
    ;; MSG SIZE rcvd: 503


    Shell-Script
    root@stretch:~# opendkim-testkey -d bbox.nuxwin.com -s mail -vvv
    opendkim-testkey: using default configfile /etc/opendkim.conf
    opendkim-testkey: checking key 'mail._domainkey.bbox.nuxwin.com'
    opendkim-testkey: key not secure
    opendkim-testkey: key OK
    root@stretch:~#


  • I have tried to add the data as TXT to Domainoffensive but there is an error.
    With older keys it works; only the newly created one comes with an error.
    The key looks like this:

    Code
    "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsdVXpLr2jp+b9zfOono8sOLMo+k+2diHlqunX4b9KZjrVVIc4QWyg0PHBtT7zTNl2hJA6lt7MHREKePQ0SKEl0o7k/kp3RBMXgUpzzgcIXUeVAYRV6TPBI2UxHdor812QgwfnZu2zmzNacZz1enuoOBCvuCF32bdMAFD0P9bQB+QBT" "963DKrTMSFpiU9kUDMdaLb8oaIyfG0qVp6lSK3nvkRE5nsONs7nVlshajDY6/TAds3U/TDzYtSOM+huW7ziXueFHfoCrpDUMEmLTRjL2Dd4BXTiIAxmm3i2KvAYhQhXzZKTv5o7HoaDENPXHSfJViJpv3gDIIPlpRXDhRfnQIDAQAB"


    Can it be that the key is incorrectly created?

    Code
    T" "9
  • I don't have a TXT record on Domainoffensive since I thought imscp would take care of that.

    Please just answer my questions.


    You're using an external DNS server! Thus, you must add the DKIM TXT DNS record in your DNS zone, through your domain registrar interface, the registrar that provides you with the DNS servers. Here, all is about your lack of knowledge regarding how DNS is working. You're emitting assumptions without thinking more and that becomes really annoying for us because we lose our time for nothing. Even worse when you don't answer our questions.


    The OpenDKIM plugin and i-MSCP add the DNS records for the locally hosted DNS zones only. i-MSCP and the OpenDKIM plugin cannot handle DNS zone files hosted on a remote server that they are not aware of... There is nothing magic here.


    Anyway, even if a DNS server is installed locally and even if i-MSCP adds the records in locally hosted zones, you must still add the DNS records in the remotely hosted zones. Why? Because if you use an external DNS server, people/services will resolve your names by querying the external DNS server, not the one installed on the i-MSCP server. Adding the DNS records into locally hosted zones would allow local resolving, and only if the local DNS server is set as primary resolver in your /etc/resolv.conf file. This would for instance let your Postfix instance make use of that local resolver but not more... Remote MTAs implementing DKIM checks would be unable to find your DKIM key...

    I have tried to add the data as TXT to Domainoffensive but there is an error.
    With older keys it works; only the newly created one comes with an error.
    The key looks like this:

    Can it be that the key is incorrectly created?

    Please stop with your assumptions :cursing: The key is valid here. The fact is that your registrar's DNS interface doesn't allow adding the key AS THIS (multiple quoted <character-string>s). So here, retry with the same key without the quotes:

    Code
    v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsdVXpLr2jp+b9zfOono8sOLMo+k+2diHlqunX4b9KZjrVVIc4QWyg0PHBtT7zTNl2hJA6lt7MHREKePQ0SKEl0o7k/kp3RBMXgUpzzgcIXUeVAYRV6TPBI2UxHdor812QgwfnZu2zmzNacZz1enuoOBCvuCF32bdMAFD0P9bQB+QBT963DKrTMSFpiU9kUDMdaLb8oaIyfG0qVp6lSK3nvkRE5nsONs7nVlshajDY6/TAds3U/TDzYtSOM+huW7ziXueFHfoCrpDUMEmLTRjL2Dd4BXTiIAxmm3i2KvAYhQhXzZKTv5o7HoaDENPXHSfJViJpv3gDIIPlpRXDhRfnQIDAQAB

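The conversion described in the reply above, as an added example (not code from the thread or from the i-MSCP OpenDKIM plugin): it joins the quoted character-strings shown in the panel or in mail.txt into the single unquoted value and sanity-checks the result before it is pasted into a registrar form. The function names are chosen for illustration, and the sample key is constructed placeholder bytes, not a real key.

```python
import base64
import re

def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted <character-string>s of a TXT record with no
    separator (RFC 6376, section 3.6.2.2). Unquoted input is returned as is."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:
        return rdata.strip()
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)

def split_txt_strings(value: str, limit: int = 255) -> str:
    """Inverse operation: quoted chunks of at most `limit` characters."""
    chunks = [value[i:i + limit] for i in range(0, len(value), limit)]
    return " ".join('"%s"' % c for c in chunks)

def parse_dkim(value: str) -> dict:
    """Check a joined DKIM key record and return its tag=value pairs."""
    if '"' in value:
        raise ValueError("quote left inside the record, join the strings first")
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = val.strip()
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    der = base64.b64decode("".join(tags.get("p", "").split()), validate=True)
    if not der or der[0] != 0x30:  # a public key is a DER SEQUENCE
        raise ValueError("p= is empty or not a DER-encoded key")
    tags["p_bytes"] = len(der)
    return tags

# Constructed sample: 294 placeholder bytes behind a DER SEQUENCE header, not a real key.
FAKE_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(34)
RECORD = "v=DKIM1; h=sha256; k=rsa; s=email; p=" + base64.b64encode(FAKE_DER).decode()
PANEL_FORM = split_txt_strings(RECORD)  # two quoted strings, as the panel shows

if __name__ == "__main__":
    single = join_txt_strings(PANEL_FORM)
    print(len(single), parse_dkim(single)["p_bytes"])
    print(single)
```

Once the single-string value is published at the registrar, the dig and opendkim-testkey commands shown earlier in the thread confirm that it resolves.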

  • Thank you for the explanation.
    As far as the code is concerned, this works without quotation marks, but why is the code with quotation marks displayed in the email settings of DKIM DNS records?
    I copy the key directly with the button and then it is as above with ".... and also in the middle of the code is "".
    That I have to remove this at the beginning and at the end was only known to me in the middle of the code, that's new to me and that caused the error when entering the code.

  • As far as the code is concerned, this works without quotation marks, but why is the code with quotation marks displayed in the email settings of DKIM DNS records?
    I copy the key directly with the button and then it is as above with ".... and also in the middle of the code is "".
    That I have to remove this at the beginning and at the end was only known to me in the middle of the code, that's new to me and that caused the error when entering the code.

    Because normally, your registrar should conform to RFCs and accept the TXT rdata field as an unquoted string and as quoted strings as well. See that thread for the story: Wrong Public OpenDKIM key in GUI under Debian Stretch


    See

    To resume, instead of asking us WHY this and that, ask your registrar WHY he does not conform to RFCs ;)


    Thank you.
