Rspamd does not sign my mail with DKIM

Hardware : RPI 3B+
Software : Yunohost 3.3 (stretch)


Hi everyone, I just set up a fresh install of Yunohost following a hardware upgrade.
I set up my mail server and the DNS zone. Everything is going fine. I receive mail and I can send mail that does not go to spam.

I tried mail-tester.com and it confirms I have SPF and DMARC, but I have no DKIM signature at all. The message in mail-tester or dkimvalidator is “There is no DKIM signature”. Therefore, this is not a DNS configuration problem, as my mail is not signed at all.

So I looked into rspamd. The process is running, the permissions are OK (_rspamd). My postfix is connected to rspamd (I didn’t change the default main.cf regarding this section).

To test whether the mail goes through rspamd, I tried the spamassassin test (sending a mail with a specific gtube file) and I saw in my logs that rspamd detects it as spam and rejects the mail.

I can’t find anything useful in the logs (mail.info and rspamd.log). I looked through the forum and googled lots of how-tos and I didn’t see any hints to help me.

Any ideas? Many thanks!


Hello everyone, I did a fresh install of Yunohost on my RPI following a hardware change.
I installed the mail server and at first glance everything works fine. I can receive mail and send it without it landing in spam.

I ran a test on mail-tester, which confirms that I do have SPF and DMARC but no DKIM signature. The message is that I have no DKIM signature. So it is not even a DNS configuration problem, since the mail is not signed at all.

So I looked at rspamd. The daemon is running and I have logs. The permissions are OK. And postfix does connect to rspamd, since I changed nothing in the default main.cf configuration.

I sent the spamassassin test mail (sendmail < gtube.txt) to see whether the mail went through the rspamd pipe. And indeed it is rejected.

I found nothing in the logs. I searched the forum and tutorials on Google and I cannot find anything useful or any hints that help me move forward.

Any ideas? Thank you very much!

I’m still stuck with the problem. Here are the logs when I’m sending a mail:
2018-12-29 13:15:12 #2066(normal) <c5c0ce>; task; spf_symbol_callback: skip SPF checks for local networks and authorized users

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; lua; once_received.lua:95: Skipping once_received for authenticated user or local network

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; lua; dmarc.lua:218: skip DMARC checks for local networks and authorized users

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; dkim_signing; lua_dkim_tools.lua:34: user is authenticated

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; dkim_signing; lua_dkim_tools.lua:107: use domain(header) for signature:ndd.info

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; dkim_signing; lua_dkim_tools.lua:126: final DKIM domain: ndd.info

2018-12-29 13:15:12 #2066(normal) lua; dkim_signing.lua:159: dkim_signing

2018-12-29 13:15:12 #2066(normal) lua; arc.lua:518: arc

2018-12-29 13:15:16 #2066(normal) <c5c0ce>; task; rspamd_task_write_log: id: <test@gmail.com>, qid: <79F7F21B81>, ip: ::1, user: foobar, from: <foobar@ndd.info>, (default: F (no action): [0.40/21.00] [MV_CASE(0.50){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ARC_NA(0.00){},FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},RCVD_TLS_ALL(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 901, time: 4155.118ms real, 23.230ms virtual, dns req: 0, digest: <3a05e84ad147ce21e55a0d7eb52003b8>, rcpts: <test@pouet.com>, mime_rcpts: <test@pouet.com>

2018-12-29 13:15:16 #2066(normal) <c5c0ce>; task; rspamd_protocol_http_reply: regexp statistics: 63 pcre regexps scanned, 1 regexps matched, 175 regexps total, 11 regexps cached, 2.08k bytes scanned using pcre, 2.08k bytes scanned total

2018-12-29 13:15:17 #2063(rspamd_proxy) <74ab63>; proxy; proxy_milter_finish_handler: finished milter connection

And this is my /etc/rspamd/local.d/dkim_signing.conf:

allow_envfrom_empty = true;

allow_hdrfrom_mismatch = false;

allow_hdrfrom_multiple = false;

allow_username_mismatch = true;

auth_only = true;

path = "/etc/rspamd/dkim/$selector.key";

selector = "mail";

sign_local = true;

symbol = "DKIM_SIGNED";

try_fallback = true;

use_domain = "header";

use_esld = false;

use_redis = false;

key_prefix = "DKIM_KEYS";

And the postfix config (only the milter part):

# Rmilter

milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

milter_protocol = 6

smtpd_milters = inet:localhost:11332

# Skip email without checking if milter has died

milter_default_action = accept

non_smtpd_milters = $smtpd_milters

Thank you for your help.

Hello,
What does the _domainkey line look like in your DNS zone?

Hi antanof,

This is the result from the website dkimcore.org/c/keycheck:

But when I send a mail to dkimvalidator I get this result:

DKIM Information:

DKIM Signature

This message does not contain a DKIM Signature

Hello @Kuun-Lann, of course it is not a valid DKIM key: missing h tag
v=DKIM1; h=sha256; k=rsa; p=…

You can check with your new mail._domainkey.domain.tld

See you

Hi Antanof, thank you for following my issue.

I added h=sha256 to my DNS zone. I checked with dkimcore and I can see the new line added in the zone.

I sent a mail to mail-tester but I get the same message:

Your message is not signed with DKIM

As you can see, this is not an error message about an invalid DKIM key. It seems there is no signature at all :confused:

I have exactly the same issue, no DKIM signing.
When I set debug_modules = ["dkim_signing"]; I don’t see anything about DKIM signing. When I do a configuration dump I see all the relevant DKIM settings.
What bothers me most is that the log file should show why no signing occurs, but it doesn’t.
I don’t have time for this, I reverted to opendkim and all is working.

Hello,
It seems that in 3.5.6.3 the issue is still there.
Does anyone have an idea other than opendkim?

How do you proceed to send the email to mail-tester.com?

Command line:

echo "Ceci est un test de mail pour voir si ça marche" |  mail -a "Content-Type: text/plain; charset=UTF-8" -s 'test de mail' adresse@mail-tester.com

The DNS seems fine too:

dig mail._domainkey.mydomain.tld TXT @8.8.4.4 +short
"v=DKIM1; k=rsa; p=MIGfMA0GCS ... blablabla ... QIDAQAB"

Yup, that’s because that’s not the proper way to test this: the current configuration requires the entity sending the mail to be authenticated for the mail to be signed with DKIM. That is, you need to connect to the SMTP server and actually provide credentials - you can’t just be logged on the system as a unix user.

So to actually test it, you need to use a client like Roundcube, Rainloop, Thunderbird, K9mail, anything that actually authenticates on the SMTP server before sending the email…

That might evolve in the future e.g. in this PR
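
The distinction made in the reply above can be checked in rspamd.log: the `rspamd_task_write_log` line carries a `user:` field for an authenticated sender and lists the `DKIM_SIGNED` symbol (the `symbol` value in the dkim_signing.conf posted earlier) when a signature was added. The following is an added example, not part of the original thread; the sample lines are constructed on the model of the log above, and treating a missing `user:` field as "not authenticated" is an assumption about the log format.

```python
import re

# Symbol list of the default metric: "(default: F (no action): [score] [SYMBOLS]), len:"
SYMBOLS_RE = re.compile(r"\(default: [^\[]*\[[^\]]*\] \[(.*)\]\), len:")
NAME_RE = re.compile(r"([A-Z][A-Z0-9_]*)\(-?\d+(?:\.\d+)?\)")


def _field(pattern, line):
    """Return the first capture group of pattern in line, or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def dkim_report(lines, symbol="DKIM_SIGNED"):
    """Return (qid, user, verdict) for every task summary line."""
    report = []
    for line in lines:
        if "rspamd_task_write_log" not in line:
            continue  # only the per-message summary lists the symbols
        qid = _field(r"\bqid: <([^>]*)>", line)
        user = _field(r"\buser: ([^,]+),", line)  # assumed absent without SMTP AUTH
        found = SYMBOLS_RE.search(line)
        names = set(NAME_RE.findall(found.group(1))) if found else set()
        if symbol in names:
            verdict = "signed"
        elif user is None:
            verdict = "unsigned, sender not authenticated"
        else:
            verdict = "unsigned although authenticated"
        report.append((qid, user, verdict))
    return report


# Constructed sample lines (not taken from a real server).
SAMPLE = [
    "2018-12-29 13:15:12 #2066(normal) <aaaaaa>; dkim_signing; lua_dkim_tools.lua:34: user is authenticated",
    "2018-12-29 13:15:16 #2066(normal) <aaaaaa>; task; rspamd_task_write_log: id: <1@example.org>, qid: <QID0000001>, ip: ::1, user: alice, from: <alice@example.org>, (default: F (no action): [0.40/21.00] [MV_CASE(0.50){},MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){}]), len: 901",
    "2018-12-29 13:16:02 #2066(normal) <bbbbbb>; task; rspamd_task_write_log: id: <2@example.org>, qid: <QID0000002>, ip: ::1, from: <root@example.org>, (default: F (no action): [0.00/21.00] [MIME_GOOD(-0.10){text/plain;},ARC_NA(0.00){}]), len: 402",
    "2018-12-29 13:17:40 #2066(normal) <cccccc>; task; rspamd_task_write_log: id: <3@example.org>, qid: <QID0000003>, ip: ::1, user: alice, from: <alice@example.org>, (default: F (no action): [-0.10/21.00] [DKIM_SIGNED(0.00){example.org:s=mail;},MIME_GOOD(-0.10){text/plain;}]), len: 950",
]

if __name__ == "__main__":
    for row in dkim_report(SAMPLE):
        print(row)
```
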

Bingo!
Sending email from K9 worked! Thanks for your help!

Per chance, do you know any way to do it from command line?


Nope, though I know how cool that would be because that would allow to easily create some sort of monitoring script :stuck_out_tongue_winking_eye:

Though a long time ago I created a script (N.B.: it probably doesn’t work anymore?) that did this automatically using python: https://github.com/alexAubin/yunoScripts/blob/master/yunoDKIM.py#L66

But the script had to create a dummy yunohost user (ooooor otherwise would have required to enter a real user/password)
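
One way to run the test from the command line, given the explanation above that the mail has to be submitted by a client that authenticates on the SMTP server. This is an added example, not part of the original thread and not the linked yunoDKIM.py script; submission on port 587 with STARTTLS and the argument order are assumptions, and it prompts for the password of an existing mail user.

```python
import getpass
import smtplib
import ssl
import sys
from email.message import EmailMessage
from email.utils import formatdate, make_msgid


def build_test_message(sender, recipient):
    """Build a minimal, well-formed message for the DKIM test."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "DKIM signing test"
    msg["Date"] = formatdate(localtime=True)
    # Message-ID in the sender's domain, as a normal mail client would set it.
    msg["Message-ID"] = make_msgid(domain=sender.rsplit("@", 1)[-1])
    msg.set_content("Test message submitted over authenticated SMTP.")
    return msg


def send_authenticated(host, login, password, msg, port=587):
    """Submit msg after STARTTLS and SMTP AUTH (port 587 is an assumption)."""
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls(context=context)
        smtp.login(login, password)  # credentials are sent only after TLS is up
        smtp.send_message(msg)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: dkim_test.py HOST LOGIN SENDER RECIPIENT")
    host, login, sender, recipient = sys.argv[1:5]
    password = getpass.getpass(f"SMTP password for {login}: ")
    send_authenticated(host, login, password, build_test_message(sender, recipient))
    print("submitted; check the recipient's report for a DKIM-Signature header")
```
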