Rspamd does not sign my mail with DKIM


#1

Hardware : RPI 3B+
Software : Yunohost 3.3 (stretch)


Hi everyone, I just set up a fresh install of Yunohost following a hardware upgrade.
I set up my mail server and the DNS zone. Everything is going fine. I receive mail and I can send mail which does not go to spam.

I tried mail-tester.com and it confirms I have SPF and DMARC, but I have no DKIM signature at all. The message in mail-tester or dkimvalidator is “There is no DKIM signature”. Therefore, this is not a DNS configuration problem, as my mail is not signed at all.

So I looked into rspamd. The process is running, the permissions are OK (_rspamd). My postfix is connected to rspamd (I didn’t change the default main.cf regarding this section).

To test whether the mails are going through rspamd, I tried the spamassassin test (sending a mail with a specific gtube file) and I saw in my logs that rspamd detects it as spam and rejects the mail.

I can’t find anything useful in the logs (mail.info and rspamd.log). I looked through the forum and googled lots of how-tos and I didn’t see any hints to help me.

Any ideas? Many thanks!


Hello everyone, I did a fresh install of Yunohost on my RPI following a hardware change.
I installed the mail server and everything works well at first glance. I can receive mail and send it without it landing in spam.

I ran a test on mail-tester, which confirms that I do have SPF and DMARC but no DKIM signature. The message is that I have no DKIM signature. So it is not even a DNS configuration problem, since the mail is not signed at all.

So I looked at rspamd. The daemon is running fine and I have logs. The permissions are OK. And postfix does connect to rspamd, since I changed nothing in the base config of main.cf.

I sent the spamassassin test mail (sendmail < gtube.txt) to see whether the mail really went through the rspamd pipe. And indeed it is rejected.

I found nothing in the logs. I searched the forum and tutorials on Google and found nothing useful, nor any clues that help me move forward.

Any ideas? Thank you very much!


#2

I’m still stuck with the problem. Here are the logs when I’m sending a mail.
I am still stuck. Here are my logs when I send my mail:
2018-12-29 13:15:12 #2066(normal) <c5c0ce>; task; spf_symbol_callback: skip SPF checks for local networks and authorized users

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; lua; once_received.lua:95: Skipping once_received for authenticated user or local network

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; lua; dmarc.lua:218: skip DMARC checks for local networks and authorized users

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; dkim_signing; lua_dkim_tools.lua:34: user is authenticated

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; dkim_signing; lua_dkim_tools.lua:107: use domain(header) for signature:ndd.info

2018-12-29 13:15:12 #2066(normal) <c5c0ce>; dkim_signing; lua_dkim_tools.lua:126: final DKIM domain: ndd.info

2018-12-29 13:15:12 #2066(normal) lua; dkim_signing.lua:159: dkim_signing

2018-12-29 13:15:12 #2066(normal) lua; arc.lua:518: arc

2018-12-29 13:15:16 #2066(normal) <c5c0ce>; task; rspamd_task_write_log: id: <test@gmail.com>, qid: <79F7F21B81>, ip: ::1, user: foobar, from: <foobar@ndd.info>, (default: F (no action): [0.40/21.00] [MV_CASE(0.50){},MIME_GOOD(-0.10){multipart/alternative;text/plain;},ARC_NA(0.00){},FREEMAIL_ENVRCPT(0.00){gmail.com;},FREEMAIL_TO(0.00){gmail.com;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},MID_RHS_MATCH_FROM(0.00){},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},RCVD_TLS_ALL(0.00){},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 901, time: 4155.118ms real, 23.230ms virtual, dns req: 0, digest: <3a05e84ad147ce21e55a0d7eb52003b8>, rcpts: <test@pouet.com>, mime_rcpts: <test@pouet.com>

2018-12-29 13:15:16 #2066(normal) <c5c0ce>; task; rspamd_protocol_http_reply: regexp statistics: 63 pcre regexps scanned, 1 regexps matched, 175 regexps total, 11 regexps cached, 2.08k bytes scanned using pcre, 2.08k bytes scanned total

2018-12-29 13:15:17 #2063(rspamd_proxy) <74ab63>; proxy; proxy_milter_finish_handler: finished milter connection

And this is my /etc/rspamd/local.d/dkim_signing.conf
And here is my /etc/rspamd/local.d/dkim_signing.conf file

allow_envfrom_empty = true;

allow_hdrfrom_mismatch = false;

allow_hdrfrom_multiple = false;

allow_username_mismatch = true;

auth_only = true;

path = "/etc/rspamd/dkim/$selector.key";

selector = "mail";

sign_local = true;

symbol = "DKIM_SIGNED";

try_fallback = true;

use_domain = "header";

use_esld = false;

use_redis = false;

key_prefix = "DKIM_KEYS";

And the postfix config (only the milter part)
And here is my postfix config (only the milter part)

# Rmilter

milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}

milter_protocol = 6

smtpd_milters = inet:localhost:11332

# Skip email without checking if milter has died

milter_default_action = accept

non_smtpd_milters = $smtpd_milters

Thank you for your help. Thanks for your help.


#3

Hello,
What does the _domainkey line look like in your DNS zone?


#4

Hi antanof,

This is the result of the website dkimcore.org/c/keycheck:

But when I send a mail to dkimvalidator I get this result:

DKIM Information:

DKIM Signature

This message does not contain a DKIM Signature


#5

Hello @Kuun-Lann, of course it is not a valid DKIM key: missing h tag
v=DKIM1; h=sha256; k=rsa; p=…

You can check with your new mail._domainkey.domain.tld

See you


#6

Hi Antanof, thank you for following my issue.

I added h=sha256 to my DNS zone. I checked with dkimcore and I can see the new line added in the zone.

I sent a mail to mail-tester but I get the same message:

Your message is not signed with DKIM

As you can see, this is not an error message about an invalid DKIM key. It seems there is no signature at all :confused:
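
The distinction drawn in post #6 (a message with no signature at all versus a signed message whose key record is the problem) can be checked locally on a received copy of the mail. The following is an added example, not code from the thread or from rspamd; the sample messages and the TXT value are constructed, with the domain and selector taken from the logs and configuration above and placeholders for the cryptographic values.

```python
from email import message_from_string

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def key_record_problems(txt):
    """Return problems that make a selector TXT record unusable for verification."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if not tags.get("p"):
        problems.append("p= missing or empty (no usable public key)")
    return problems

def diagnose(raw_message, key_records):
    """key_records maps DNS names to TXT values already fetched by the caller."""
    msg = message_from_string(raw_message)
    sigs = msg.get_all("DKIM-Signature") or []
    if not sigs:
        # Signing never happened: look at the signer (milter, key path), not DNS.
        return [("unsigned", None)]
    out = []
    for sig in sigs:
        tags = parse_tags(sig)
        name = f"{tags.get('s', '?')}._domainkey.{tags.get('d', '?')}"
        txt = key_records.get(name)
        if txt is None:
            out.append(("signed, key record not found", name))
        elif key_record_problems(txt):
            out.append(("signed, key record unusable", name))
        else:
            out.append(("signed, key record present", name))
    return out

# Constructed samples: b=, bh= and p= are placeholders, not real values.
UNSIGNED = "From: foobar@ndd.info\nTo: test@pouet.com\nSubject: test\n\nbody\n"
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ndd.info;\n"
          "\ts=mail; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n" + UNSIGNED)
RECORDS = {"mail._domainkey.ndd.info": "v=DKIM1; k=rsa; p=PLACEHOLDERKEY"}
```

This only inspects header and record structure; it does not verify the signature cryptographically.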