Vps – opendkim fail | bad RSA signature | verification failed unprotected key

opendkimpostfixvps

I have fully manageable VPS running Ubuntu 14.04 which hosts websites for several domains. Recently I have tried to add DKIM signatures to avoid spam filters. I've followed ubuntu-postfix-dkim tutorial, using KeyTable and SigningTable as explained in well written post askubuntu.com. Each domain has its own public and private key and txt DNS zone record.

After testing via check-auth@verifier.port25.com, sa-test@sendmail.net or even via http://dkimvalidator.com/ the response is quite the same:
DKIM: fail (signature doesn't verify)

Mail is signed and signature looks OK but it fails verification test. The only thing that comes to my mind is that message is somehow modified after calculating the signature hash. My question is:

Is it possible to debug the sending process? It would be great to check what and when is calculated for DKIM signature. I have tried OmitHeaders To,to,TO in configuration file but strangly To: value still appears in h= param.

I have googled a lot but still no luck. Thanks in advance.
Output from dkimvalidator.com:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inhillz.com; s=mail;
    t=1429184641; bh=g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=;
    h=Date:From:To:Subject;
    b=fccxI1j/+InWdupEY1/hAYCUeSAlTHo3tr/594sOqETs6kEzRlyXWZDLib1b1WqV0
    xN/wr0Io+OGTJOTChp+cJ/H/KrODt1mzGgDA/O/AKWUPEGKODgk9iO03/o6DpLB4bM
    t5GVSKdBQna7sYkQJM2mGtCNgswydgsgytb0J9QA=

Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          inhillz.com
s= Selector:        mail
q= Protocol:        
bh=                 g3zLYH4xKxcPrHOD18z9YfpQcnk/GaJedfustWU5uGs=
h= Signed Headers:  Date:From:To:Subject
b= Data:            fccxI1j/+InWdupEY1/hAYCUeSAlTHo3tr/594sOqETs6kEzRlyXWZDLib1b1WqV0
    xN/wr0Io+OGTJOTChp+cJ/H/KrODt1mzGgDA/O/AKWUPEGKODgk9iO03/o6DpLB4bM
    t5GVSKdBQna7sYkQJM2mGtCNgswydgsgytb0J9QA=
Public Key DNS Lookup

Building DNS Query for mail._domainkey.inhillz.com
Retrieved this publickey from DNS: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpLxuEApOG3ubulSygyEMAVsGHnBUDdYfCHJpGzMguNOCPSpQSdHxUFS+AGKwwyYTLs0X9kP7KUKLhY5TcxJgFPpSl6DOkkjs7Yd/njdg5o/DZe4Ey1hv+XqquEwGh7mqH3049ph2DUA7w3sm6gEgcydYTcyR5ykZ8nQMSIoeRKQIDAQAB
Validating Signature

result = fail
Details: bad RSA signature

EDIT
I have tried to generate new keys, also changed the DNS records and tested them with

opendkim-testkey -d inhillz.com -s mail -k mail.private -vvv

The output is:

opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: key loaded from mail.private
opendkim-testkey: checking key 'mail._domainkey.inhillz.com'
opendkim-testkey: key not secure
opendkim-testkey: key OK

After verifing via check-auth@verifier.port25.com still the same error.

Best Answer

When changing your DNS settings, make sure to update the serial number of the SOA record, ie; 2016092601 ; serial number, where yyyymmddhhvv = year month day hour version. If the serial number doesn't change, some DNS won't update their cache.

Also, make ABSOLUTELY SURE the dkim matches the txt record in your DNS record:

dkim._domainKey TXT ( "p=very-long-text-string")

Related Solutions

Debian – DKIM header exists but signature is not valid

Now the validator at mail-tester.com says the DKIM signature is fine. On the other hand the isnotspam.com still doesn't seem to like it. I assume it is working fine now. Also gmail accepts the email.

The change I made:

I changed the smtpd_tls_cert_file=.. smtpd_tls_key_file=..

to hold the keys for the primary domain. However my VPS contains several domains, so it still remains to be seen what happens with mails from

someone@example2.com

First the postfix SSL certs have absolutely nothing to do with DKIM so that was different issue you had.

Second if you still are getting errors at isnotspam.com then don't assume everything is alright until you get a green light on all tests.

Third create new signatures for each domain and make sure the DNS entry is correct as well as permissions on the signature files.

Also make sure your postfix/main.cf has the proper entries and the .sock actually exists.

    # DKIM / SPF
# --------------------------------------
milter_default_action = accept
milter_protocol = 6
smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Check mail logs for errors, warnings after restart opendkim, should look something like this:

Feb 21 17:18:23 serverdcu opendkim[2078]: OpenDKIM Filter: mi_stop=1
Feb 21 17:18:23 serverdcu opendkim[2078]: OpenDKIM Filter v2.11.0 terminating with status 0, errno = 0
Feb 21 17:18:23 serverdcu opendkim[37449]: OpenDKIM Filter v2.11.0 starting (args: -P /var/run/opendkim/opendkim.pid -p local:/var/run/opendkim/opendkim.sock)

OpenDKIM – Troubleshooting Mail Signing Issues

Issues I see:

Your use of refile
From the documentation:

If the string begins with "refile:", then the remainder of the string is presumed to specify a file that contains a set of patterns, one per line, and their associated values. The pattern is taken as the start of the line to the first whitespace, and the portion after that whitespace is taken as the value to be used when that pattern is matched. Patterns are simple wildcard patterns, matching all text except that the asterisk ("*") character is considered a wildcard. If a value contains multiple entries, the entries should be separated by colons.

The KeyTable doesn't follow that pattern, so it doesn't need the refile keyword. Maybe it doesn't hurt, I don't know. I don't use it in my config there, and it works for me.
```
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
```
Your KeyTable

The lines are supposed to start with the domain, not with the domainkey record:
```
example.com example.com:default:/etc/opendkim/keys/example.com/default.private
```
SigningTable

The signing table should map Email-Addresses to the domain. It should look like this:
```
*@example.com example.com
```
Here the refile keyword is needed.

I don't know about ExternalIgnoreList and InternalHosts, as I don't use them. The rest of the configuration looks good to me.

Best Answer

Related Solutions

Debian – DKIM header exists but signature is not valid

OpenDKIM – Troubleshooting Mail Signing Issues

Related Topic