Wrong Public OpenDKIM key in GUI under Debian Stretch

  • Hi,
    There is a problem with the export of the public key under Debian Stretch.
    In Debian Jessie the public key has only one line:

    Code
    mail._domainkey IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIDSDV<SXVBS<Vb3DQEBAQUAA4GNADCBiQKBgQDHJ+8pG+jUnkP6166v7vecRiJeFmMaNyxcyxcwPPfKF869Z0A7TOOLXbtqGRPaoC38NUWznmiJ5+k2fPY8dfZgOkF76Dtafsrg<vbe+Pu+zfNHh4AF8ZNLc6ZP+p5Jr0iVtZ/LIXsM4kqKo+s39Tc5994EPNJYlkvihoRXVan4ye3tjbSA4Zrrede44wW6o4yO6wIDAQAB" ; ----- DKIM key mail for nodomain.tld


    Under Debian Stretch the public key has 3 lines:

    Code
    mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "
    "p=MIIBIjANBgkqhkiG9w0vds<xdvbBAQEFAAOCAQ8AMIIBCgKCAQEAwrBTXhnPAwcUouftzopl8L0vOgrVdfgdfgafgWFgIt+HuXOVDV81a/H3Z492TbrV/C2DPHalI0aWlyx83457IYPq1pz72reygBXuvByNT4HIZZAmsdgfgdfgdj1UsVo+JQKniT9U60Ae1Fdi5wRpB48wyXNTEj7456RamhHrEuwsTufdfgdfgdfgT9VyhT6KPTzoRxddgpeMHF65LJgHeOpKCg1Yf+es4+/egbR57HYq1b7+p"
    "41Cn19ZoVdn7UD67kL3A+rasd+ggfgJyqatnqwdjXZfsqo/Bgb79ZiMFCifUaTazoSnw/IBSk5iIov7M6AoC5G5zeGd+b6uV/HC3tLNCWlKloLhjjH8jN7Xvysc/fv3dffdsdasSAAEQnWXjfPIPp30eaP6o+3fnfQIDAQAB" ) ; ----- DKIM key mail for nodomain.tld


    I think the public key parser has to be changed for Debian Stretch. At the moment I get the public key on the console.


    Regards
    Sascha

  • @TheCry


    That is not a problem normally. Simply put, the key is cut into several chunks to fit the TXT DNS record length restriction. In Debian Stretch, I think that the key is strongly encrypted. That could explain why the key size is bigger ;)


    Could you clarify a bit about the export issue? Is the key added as expected in the DNS zone file (chunked), or is only the first chunk added? What is the parser for you?


  • That's clear with the several parts. I'd figured this out.


    But the key in the i-MSCP GUI is not the same as the key in the file "mail.txt". The parser only gets the first 2 lines.
    So if you copy and paste from the GUI, you add the wrong public key to the external DNS.

  • @TheCry


    OK, so the key inserted in the DNS zone file (when using the local DNS server) should also be wrong.


    To sum up, what you mean is that the key that is pulled from the mail.txt file and inserted into the domain_dns.domain_text column is truncated, right? Can you check that?


    The relevant code part on the backend side of the plugin is:

    Perl
    $file = iMSCP::File->new( filename => "/etc/opendkim/keys/$domain/mail.txt" );
    my $fileContent = $file->get( );
    unless (defined $fileContent) {
        error( sprintf( "Couldn't read %s file", $file->{'filename'} ) );
        return 1;
    }
    $fileContent =~ s/"\n(.*)"p=/ p=/sgm; # Fix for Ubuntu 14.04 Trusty Tahr
    (my $txtRecord) = ($fileContent =~ /(".*")/);


  • Yes, that is the code part:

    Code
    $file = iMSCP::File->new( filename => "/etc/opendkim/keys/$domain/mail.txt" );
    my $fileContent = $file->get( );
    unless (defined $fileContent) {
        error( sprintf( "Couldn't read %s file", $file->{'filename'} ) );
        return 1;
    }
    $fileContent =~ s/"\n(.*)"p=/ p=/sgm; # Fix for Ubuntu 14.04 Trusty Tahr
    (my $txtRecord) = ($fileContent =~ /(".*")/);


    This code will only take the first 2 lines:

    Code
    mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; ""p=MIIBIjANBgkqhkiG9w0vds<xdvbBAQEFAAOCAQ8AMIIBCgKCAQEAwrBTXhnPAwcUouftzopl8L0vOgrVdfgdfgafgWFgIt+HuXOVDV81a/H3Z492TbrV/C2DPHalI0aWlyx83457IYPq1pz72reygBXuvByNT4HIZZAmsdgfgdfgdj1UsVo+JQKniT9U60Ae1Fdi5wRpB48wyXNTEj7456RamhHrEuwsTufdfgdfgdfgT9VyhT6KPTzoRxddgpeMHF65LJgHeOpKCg1Yf+es4+/egbR57HYq1b7+p""41Cn19ZoVdn7UD67kL3A+rasd+ggfgJyqatnqwdjXZfsqo/Bgb79ZiMFCifUaTazoSnw/IBSk5iIov7M6AoC5G5zeGd+b6uV/HC3tLNCWlKloLhjjH8jN7Xvysc/fv3dffdsdasSAAEQnWXjfPIPp30eaP6o+3fnfQIDAQAB" ) ; ----- DKIM key mail for nodomain.tld


    This line:

    Code
    "41Cn19ZoVdn7UD67kL3A+rasd+ggfgJyqatnqwdjXZfsqo/Bgb79ZiMFCifUaTazoSnw/IBSk5iIov7M6AoC5G5zeGd+b6uV/HC3tLNCWlKloLhjjH8jN7Xvysc/fv3dffdsdasSAAEQnWXjfPIPp30eaP6o+3fnfQIDAQAB"

    is not available in the GUI.

  • @TheCry


    Confirmed. I'll release a new version this evening.


  • @TheCry


    Question: how do you copy the key into your registrar's DNS interface? As is, without any modification:


    Code
    "v=DKIM1; h=sha256; k=rsa; s=email; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz/ExVpY7kE26VJFY1jiTSfxtZFaT/wZYsGNF4900TTpSZH055vECA67TRb+kzq1bsP0i+5yLrPZO02Kh6sGHc1k44WpzdlNv+mKpZrw8/Z1++OcrP1JnfM9OIyq1aY2C0ex7XdEaHRldpcTdqWDjBPAEEDW+W809xGVQNEV1rnlhcDCWet5na2D3nBnUit8IBLo8FyOxiI3STE""mExqt6SBaeGJLpNNbnm741byRrr6qHf1sq6xyk0EKbJfLyOJrk20FJeva3o1AXwuOV9A9fbObjCpTzQlZdMTf0yHY2aS7nCzWnTsFDyt7uAotHstLjove3HhsXEIGM/tLRej1fyQIDAQAB"

    or do you first remove all quotes, as follows:

    Code
    v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz/ExVpY7kE26VJFY1jiTSfxtZFaT/wZYsGNF4900TTpSZH055vECA67TRb+kzq1bsP0i+5yLrPZO02Kh6sGHc1k44WpzdlNv+mKpZrw8/Z1++OcrP1JnfM9OIyq1aY2C0ex7XdEaHRldpcTdqWDjBPAEEDW+W809xGVQNEV1rnlhcDCWet5na2D3nBnUit8IBLo8FyOxiI3STEmExqt6SBaeGJLpNNbnm741byRrr6qHf1sq6xyk0EKbJfLyOJrk20FJeva3o1AXwuOV9A9fbObjCpTzQlZdMTf0yHY2aS7nCzWnTsFDyt7uAotHstLjove3HhsXEIGM/tLRej1fyQIDAQAB


    I ask this for a good reason: should we merge all quoted strings into one chunk and insert it without quotes into the database (our DNS backend is able to cut the string into several quoted strings when needed), or should we include all quoted strings, in which case that will need a review of our backend (core)?


    As far as I know, most providers' DNS interfaces accept unquoted strings. When the string is longer than 255 bytes, the backend cuts it (creates the quoted strings).


  • As far as I know, most providers' DNS interfaces accept unquoted strings. When the string is longer than 255 bytes, the backend cuts it (creates the quoted strings).

    Correct... My DNS provider only allows 255 bytes. So I must split the whole string into different parts like this:

    Code
    "v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz/ExVpY7kE26VJFY1jiTSfxtZFaT/wZYsGNF4900TTpSZH055vECA67TRb+kzq1bsP0i+5yLrPZO02Kh" "6sGHc1k44WpzdlNv+mKpZrw8/Z1++OcrP1JnfM9OIyq1aY2C0ex7XdEaHRldpcTdqWDjBPAEEDW+W809xGVQNEV1rnlhcDCWet5na2D3nBnUit8IBLo8FyOxiI3STE" "mExqt6SBaeGJLpNNbnm741byRrr6qHf1sq6xyk0EKbJfLyOJrk20FJeva3o1AXwuOV9A9fbObjCpTzQlZdMTf0yHY2aS7nCzWnTsFDyt7uAotHstLjove3HhsXEIGM/tLRej1fyQIDAQAB"


    The quotes are OK. This will work.

  • @TheCry


    So the best option is to show it in quoted form, without further treatment, in the i-MSCP interface. At this moment, there is a bug in the i-MSCP custom DNS module:



    The problem here is that only one quoted string is assumed... This issue must be fixed too. You're not affected by this issue because you use an external DNS server but....


    We also need to fix the custom DNS interface to handle the following cases for TXT/SPF records:

    • The user provides an unquoted string, which may or may not contain escaped quotes
    • The user provides only one quoted string, which may or may not contain escaped quotes
    • The user provides multiple quoted strings, each of which may or may not contain escaped quotes
    • The user provides multiple quoted strings on several lines (surrounded by parentheses), each of which may or may not contain escaped quotes.

    On validation, we also need to check that quotes are correctly balanced. For instance:

    • "bla" "bla" would be valid
    • "bla "bla" would be invalid
    • "bla" "bla \" bla" would be valid
    • "bla" "bla " bla" would be invalid
    • ...

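Both problems raised in this thread, the truncated public key pulled from mail.txt and the four TXT input forms with the quote-balancing rules listed in the last post, as one added worked example. This is illustrative Python written for this page, not the plugin's Perl code or anything from i-MSCP; the two mail.txt samples, their dummy key bytes and the example.org domain are constructed for the demonstration. It contains a small zone-file TXT parser that accepts unquoted, single-quoted, multi-quoted and parenthesised multi-line input and rejects unbalanced quotes, the DKIM tag split after concatenating the chunks, a Python rendering of the two Perl lines quoted above so the truncation can be observed, and a re-chunker for a provider that enforces 255 bytes per string:

```python
import re

# Constructed samples of /etc/opendkim/keys/<domain>/mail.txt as written by
# opendkim-genkey.  The key material is dummy filler, not a real RSA key, and
# example.org is a placeholder domain.
# Debian Jessie: one quoted string on one line.
SAMPLE_JESSIE = ('mail._domainkey\tIN\tTXT\t"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ'
                 + 'A' * 120 + 'IDAQAB" ; ----- DKIM key mail for example.org\n')
# Debian Stretch (2048-bit key): three quoted strings on three lines inside ( ).
SAMPLE_STRETCH = ('mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; s=email; "\n'
                  '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA' + 'A' * 200 + '"\n'
                  '\t  "' + 'B' * 150 + 'IDAQAB" )  ; ----- DKIM key mail for example.org\n')


def parse_txt_strings(rdata):
    """Split TXT RDATA in zone-file syntax into its character-strings.

    Accepts one unquoted string, one quoted string, several quoted strings, and
    several quoted strings spread over lines inside ( ... ).  Backslash escapes
    (\\" and \\\\) are honoured inside quotes; ';' outside quotes starts a
    comment that runs to the end of the line.  Raises ValueError on unbalanced
    quotes or on text outside the quotes.
    """
    s = rdata.strip()
    if not s.startswith(('"', '(')):
        s = '"' + s + '"'          # unquoted form: the whole input is one string
    strings, buf, i = [], None, 0
    while i < len(s):
        c = s[i]
        if buf is not None:                      # inside a quoted string
            if c == '\\' and i + 1 < len(s):
                buf.append(s[i + 1]); i += 1     # \" or \\ -> the literal character
            elif c == '"':
                strings.append(''.join(buf)); buf = None
            else:
                buf.append(c)
        elif c == '"':
            buf = []
        elif c == ';':                           # zone-file comment to end of line
            i = s.find('\n', i)
            if i < 0:
                break
        elif not (c in '()' or c.isspace()):
            raise ValueError('text outside quotes at offset %d: %r' % (i, s[i:i + 20]))
        i += 1
    if buf is not None:
        raise ValueError('unbalanced quotes in TXT record')
    return strings


def is_valid_txt(rdata):
    """True when parse_txt_strings() accepts the input."""
    try:
        parse_txt_strings(rdata)
        return True
    except ValueError:
        return False


def rdata_of(mail_txt):
    """Strip owner, class and type from the record in mail.txt, leaving the RDATA."""
    m = re.match(r'\s*\S+\s+(?:IN\s+)?TXT\s+(.*)', mail_txt, re.S)
    if not m:
        raise ValueError('not a TXT record')
    return m.group(1)


def dkim_tags(strings):
    """Concatenate the character-strings (RFC 6376, 3.6.2.2) and split tag=value pairs."""
    tags = {}
    for item in ''.join(strings).split(';'):
        if item.strip():
            key, _, value = item.partition('=')
            tags[key.strip()] = re.sub(r'\s+', '', value)  # whitespace in values is not significant
    return tags


def public_key_from_mail_txt(mail_txt):
    """Correct extraction: every chunk is kept, so p= holds the whole base64 key."""
    return dkim_tags(parse_txt_strings(rdata_of(mail_txt)))


def buggy_extract(mail_txt):
    """Python rendering of the two Perl lines quoted in the thread:
        $fileContent =~ s/"\\n(.*)"p=/ p=/sgm;
        (my $txtRecord) = ($fileContent =~ /(".*")/);
    The substitution glues the second chunk onto the first line; the match then
    takes the quoted run on that single line, so a third chunk is silently lost.
    """
    content = re.sub(r'"\n(.*)"p=', ' p=', mail_txt, flags=re.S)
    return re.search(r'(".*")', content).group(1)


def to_quoted_strings(value, limit=255):
    """Render one logical TXT value as quoted strings of at most `limit` bytes each
    (the RFC 1035 character-string limit).  Chunk first, escape second: an escaped
    quote is one byte on the wire but two characters in the presentation form."""
    if not value.isascii():
        raise ValueError('DKIM records are ASCII')
    chunks = [value[off:off + limit] for off in range(0, len(value), limit)]
    return ' '.join('"' + c.replace('\\', '\\\\').replace('"', '\\"') + '"' for c in chunks)


if __name__ == '__main__':
    for name, sample in (('Jessie', SAMPLE_JESSIE), ('Stretch', SAMPLE_STRETCH)):
        print('%s: parser keeps %d base64 chars; value shown by the buggy code ends with IDAQAB: %s'
              % (name, len(public_key_from_mail_txt(sample)['p']), 'IDAQAB' in buggy_extract(sample)))
    print(to_quoted_strings('v=DKIM1; k=rsa; p=' + 'X' * 600))
```

Running the file shows the Jessie sample surviving both extractors while the Stretch sample loses its last chunk under the buggy regex, which is exactly the "wrong public key" that ends up in the GUI. A DKIM verifier concatenates the strings of the TXT RRset in order before reading the tags, so the parser joins them before splitting on ';'; conversely, when a provider's interface caps each string at 255 bytes, the right move is to split the joined value at byte boundaries and quote each piece, as the last function does, rather than to edit the base64 by hand.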