dkim is not signed #728

Open
catthecreator opened this issue Aug 31, 2024 · 10 comments

Comments

@catthecreator

I'm using the container version of wild duck

I created a dkim for the domain using the api method https://docs.wildduck.email/api/#operation/postdkim

I have activated the sign Transport Domain parameter in /config/wildduck/dkim.toml
I am sending an email from the same domain for which the signature was generated
When sending an email, it is not signed by DKIM

What did I miss?

[image attachment: screenshot]

@NickOvt
Contributor

NickOvt commented Sep 5, 2024

Hi!

  1. Are you testing locally or on a public server?
  2. Are you sending the email through the Wildduck API or through IMAP/SMTP Client (such as Thunderbird)?
  3. How do you verify that the email has not been signed? Do you perhaps have an .eml file to show us so we can check? You need to check the Authentication-Results header and look for dkim=pass. Try sending an email to your Gmail or any other account and look for any text that says something like "signed by".
  4. Does the problem appear only on intra-domain emails (i.e. emails sent to the same domain)? Or do you have an issue with DKIM even if you send an email outside your domain?
  5. Check that you have DKIM added on your DNS records

@catthecreator
Author

1 - public server
2 - via Wildduck API
3 - Welcome.zip
4 - I'm sending it to google
5 - checked

I am replacing the domain name so that it cannot be found via search.

my dns dkim record:

[image attachment: screenshot of the DNS record]

Wildduck api dkim:

GET http://apihost:8080/dkim/66d1bbb05c9d6f1d8060d74e

{
	"id": "66d1bbb05c9d6f1d8060d74e",
	"domain": "mysecretdomain.com",
	"selector": "owl",
	"description": "Just description 2",
	"fingerprint": "88:f0:ff:28:ad:7b:65:90:1c:62:2d:ca:78:56:06:3e:74:08:dd:4f:f4:d0:2c:ef:8e:af:71:aa:c9:51:3e:d9",
	"publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5MBNmTjjqdCGQ5PC7CTI\nolpUuvIX25dVwZ9l7RRVilImcWAsIeTuDha1VBZgAzD00iQCiCzigg2oTK3gFPfk\n0FsaSi/NtFWoR9Z9KloPPB5qYppIVKDsWfNFMGUcbuwrw4u71YfidXTouXtdf4HU\nZtVV/cx9PxtgO8f3LIWlI32f44ertm5/DAZ+B55fYbLNcQyYbsHBHcS/XT6Nf7zZ\n2TYCxK39QcKjSlhNhczAdQy+lZXlCSBTE+x7PIEghX2nKTCYY4ozIAR/H2wMrxbx\n67EI8cTBAlZVyoZN6C1pHT2XNGtI7Xo0L3zTb1NknaATOsrfpX7H2J1nq3LgTBwX\nfwIDAQAB\n-----END PUBLIC KEY-----\n",
	"dnsTxt": {
		"name": "owl._domainkey.mysecretdomain.com",
		"value": "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5MBNmTjjqdCGQ5PC7CTIolpUuvIX25dVwZ9l7RRVilImcWAsIeTuDha1VBZgAzD00iQCiCzigg2oTK3gFPfk0FsaSi/NtFWoR9Z9KloPPB5qYppIVKDsWfNFMGUcbuwrw4u71YfidXTouXtdf4HUZtVV/cx9PxtgO8f3LIWlI32f44ertm5/DAZ+B55fYbLNcQyYbsHBHcS/XT6Nf7zZ2TYCxK39QcKjSlhNhczAdQy+lZXlCSBTE+x7PIEghX2nKTCYY4ozIAR/H2wMrxbx67EI8cTBAlZVyoZN6C1pHT2XNGtI7Xo0L3zTb1NknaATOsrfpX7H2J1nq3LgTBwXfwIDAQAB"
	},
	"created": "2024-08-30T16:51:30.711Z",
	"success": true
}

I sent the message like this:

POST http://apihost:8080/users/66cf5c04d9402600076a79ad/submit

{
	"to": [{
		"name": "Catthecreator",
		"address": "[email protected]"
	}],
	"from": {
		"address": "[email protected]"
	},
	"replyTo": {
		"address": "[email protected]"
	},
	"subject": "Welcome",
	"text": "Test message from api"
}

@NickOvt
Contributor

NickOvt commented Sep 9, 2024

But why does your DKIM DNS key contain another "? Is that supposed to be how it looks in your dns provider or is that a typo? On the image you sent, there is ... "sHBHcS ....

I just set up a basic Wildduck server and added DKIM. I sent an email to Gmail and DKIM is working. So I would first check whether the DNS entry is actually correct and those quotes are not included in the value but are just how your provider displays it.

@catthecreator
Author

The provider says this is normal behavior; it's just that the TXT record is limited to 255 characters.

I asked chatgpt and searched the internet - this is really a normal practice

https://support.cpanel.net/hc/en-us/articles/4402114117911-Why-are-DKIM-TXT-records-split

I generally do not understand what the DNS record has to do with it; there is no DKIM signature in the body of the message. It will never get as far as checking DNS records, because there is nothing to check.

Or am I wrong?

@louis-lau
Member

Yeah it's just a split record. A lot of people don't know about them, as most dns providers show them as a single string in their panel. But it's how dns works and it's fine.
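
To make the split-record point concrete, and to give the check that the maintainers asked for in the comment above (is the published key the one Wildduck will sign with?), here is an added example written for this thread, not code from Wildduck or ZoneMTA. The PEM and the TXT value are copied from the `GET /dkim/...` response posted earlier in the issue (public material only); the 255-byte splitting is what a DNS provider does on storage and what `dig` shows as several quoted strings.

```python
import re

# Public key as returned by GET /dkim/<id> earlier in this issue (publicKey field).
API_PUBLIC_KEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5MBNmTjjqdCGQ5PC7CTI\n"
    "olpUuvIX25dVwZ9l7RRVilImcWAsIeTuDha1VBZgAzD00iQCiCzigg2oTK3gFPfk\n"
    "0FsaSi/NtFWoR9Z9KloPPB5qYppIVKDsWfNFMGUcbuwrw4u71YfidXTouXtdf4HU\n"
    "ZtVV/cx9PxtgO8f3LIWlI32f44ertm5/DAZ+B55fYbLNcQyYbsHBHcS/XT6Nf7zZ\n"
    "2TYCxK39QcKjSlhNhczAdQy+lZXlCSBTE+x7PIEghX2nKTCYY4ozIAR/H2wMrxbx\n"
    "67EI8cTBAlZVyoZN6C1pHT2XNGtI7Xo0L3zTb1NknaATOsrfpX7H2J1nq3LgTBwX\n"
    "fwIDAQAB\n"
    "-----END PUBLIC KEY-----\n"
)

# The value the same API response says to publish (dnsTxt.value field).
API_DNS_TXT_VALUE = (
    "v=DKIM1;t=s;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5MBNmTjjqdCGQ5PC7CTI"
    "olpUuvIX25dVwZ9l7RRVilImcWAsIeTuDha1VBZgAzD00iQCiCzigg2oTK3gFPfk0FsaSi/NtFWoR9Z9"
    "KloPPB5qYppIVKDsWfNFMGUcbuwrw4u71YfidXTouXtdf4HUZtVV/cx9PxtgO8f3LIWlI32f44ertm5/"
    "DAZ+B55fYbLNcQyYbsHBHcS/XT6Nf7zZ2TYCxK39QcKjSlhNhczAdQy+lZXlCSBTE+x7PIEghX2nKTCY"
    "Y4ozIAR/H2wMrxbx67EI8cTBAlZVyoZN6C1pHT2XNGtI7Xo0L3zTb1NknaATOsrfpX7H2J1nq3LgTBwX"
    "fwIDAQAB"
)


def split_txt_strings(value, limit=255):
    """What the DNS provider does on storage: a TXT RDATA is a sequence of
    character-strings of at most 255 octets each (RFC 1035 section 3.3.14).
    The cut can land anywhere, even inside a tag, so a single string must
    never be parsed on its own."""
    data = value.encode()
    return [data[i:i + limit].decode() for i in range(0, len(data), limit)]


def join_txt_strings(strings):
    """What a verifier does on lookup: concatenate the strings with no
    separator (RFC 6376 section 3.6.2.2)."""
    return "".join(strings)


def parse_dkim_record(record):
    """tag=value list of a DKIM key record; whitespace inside values is ignored."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, _, v = part.partition("=")
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def pem_body(pem):
    """Base64 SPKI body of a PEM public key, which is exactly what p= carries."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def dns_record_matches_api_key(txt_strings, pem):
    """Compare the published record (as the list of strings a resolver returns)
    with the key Wildduck reports. Returns (ok, reason)."""
    tags = parse_dkim_record(join_txt_strings(txt_strings))
    if tags.get("v", "DKIM1") != "DKIM1":   # v= is optional, but if present must be DKIM1
        return False, "not a DKIM1 record"
    if "p" not in tags:
        return False, "no p= tag"
    if tags["p"] == "":
        return False, "key revoked (empty p=)"
    if tags["p"] != pem_body(pem):
        return False, "published key differs from the API key"
    return True, "ok"


if __name__ == "__main__":
    strings = split_txt_strings(API_DNS_TXT_VALUE)
    print(len(strings), "strings as the provider stores them")
    print(dns_record_matches_api_key(strings, API_PUBLIC_KEY_PEM))
```

Run against a live zone, the `txt_strings` argument would be the list of quoted strings that `dig +short TXT owl._domainkey.<domain>` prints for the record; the quotes in that output (and in the provider's panel) delimit the strings and are not part of the value.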

@NickOvt
Contributor

NickOvt commented Sep 9, 2024

Do you have DKIM enabled in the zone-mta plugin? Under zone-mta/plugins/wildduck.yaml.
signTransportDomain = true

@catthecreator
Author

It was disabled. I enabled it and restarted the containers; the situation has not changed.

Welcome (2).zip

["modules/zonemta-wildduck"]
enabled=["receiver", "sender"]

# to which SMTP interfaces this plugin applies to. Use "*" for all interfaces
interfaces=["feeder"]

# optional hostname to be used in headers
# defaults to os.hostname()
hostname="mysecretdomain.com"

# How long to keep auth records in log
authlogExpireDays=30

# default smtp recipients for 24h (can be overriden per user)
maxRecipients=2000

disableUploads=false # if true then messages are not uploaded to Sent Mail folder
uploadAll=false # if false then messages from Outlook are not uploaded to Sent Mail folder

# SRS settings for forwarded emails
# ---------------------------------

["modules/zonemta-wildduck".srs]
    # Handle rewriting of forwarded emails. If false then SRS is not used
    # Only affect messages that have interface set to "forwarder"
    enabled=true

    # SRS secret value. Must be the same as in the MX side
    secret="supersecretpass"

    # SRS domain, must resolve back to MX
    rewriteDomain="mysecretdomain.com"

# DKIM Settings
# -------------

["modules/zonemta-wildduck".dkim]
    # If true then also adds a signature for the outbound domain
    signTransportDomain=true

    # If set then decrypt encrypted DKIM keys using this password
    #secret="a secret cat"

    # Cipher to use to decrypt encrypted DKIM keys
    #cipher="aes192"


["modules/zonemta-wildduck".gelf]
    enabled=false
    component="mta"

["modules/zonemta-wildduck".gelf.options]
    graylogPort=12201
    graylogHostname='127.0.0.1'
    connection='lan'

@louis-lau
Member

Is zonemta set to use the same db as wildduck? I think it's probable that the plugin is not finding your dkim keys in the db for some reason.

@louis-lau
Member

(by the way, signTransportDomain is not needed for your usecase of signing the from address domain. You'd use that to also sign with mta.example.com. So you can leave it false. Signing the from domain should happen automatically if it finds a matching key in the db.)

@catthecreator
Author

> Is zonemta set to use the same db as wildduck? I think it's probable that the plugin is not finding your dkim keys in the db for some reason.

I am using the standard configuration from the repository

https://github.com/nodemailer/wildduck-dockerized

The only thing I changed is the version here, to nodemailer/wildduck:1.45.0

in the file
https://github.com/nodemailer/wildduck-dockerized/blob/dedc7cacc3e1e942c1f73fe037115eca37d206ee/docker-compose.yml#L8

my /wildduck-dockerized/config/zone-mta/zonemta.toml :
https://github.com/nodemailer/wildduck-dockerized/blob/master/default-config/zone-mta/zonemta.toml
