
BUG XG 18.0.4 DKIM Signing not added

I have the problem that when I try to enable DKIM verification, I get the error message that the DKIM settings cannot be deleted. I have read the post by Patel saying that this worked in 18.0.3 but is broken in 18.0.4 and will be fixed with 18.0.5.

I added the DKIM private key and selector for our domain and tested it with online DKIM tools. The DNS part is correct. Their error is that there is no DKIM signature header added to the received email sent via the XG.

Is the signing part also broken in 18.0.4?

Thanks

Fred  



This thread was automatically locked due to age.
  • Case is solved. I recreated the keys and added them again to DNS and the XG. This time they are added and the results check out OK.

  • Hello Fred,

    Thank you for the follow-up and for letting us know what solved the issue.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • I'm having the same problem. Removing the key and adding it again didn't help.

    The logs show this:

    6885 LOG: MAIN PANIC
    6885 Tainted filename '/sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem'
    2021-05-24 12:12:31.408 [6885] xKKP8D-cslnwt-bA Tainted filename '/sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem'
    6885 LOG: MAIN PANIC
    6885 unable to open file for reading: /sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem
    2021-05-24 12:12:31.409 [6885] xKKP8D-cslnwt-bA unable to open file for reading: /sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem

    The file is there and I can look at the contents (using cat, less or whatever).

  • Hi Christian,

    Are you on 18.0.4? The error that DKIM settings could not be changed in 18.0.4 was supposed to be fixed in 18.0.5.
    I have not checked the release notes for it as we moved to Central Email Gateway.

    Have you checked with a DKIM verification website if your keys were validated OK?

  • Hi Fred,

    Our XG has the following firmware: XG230 (SFOS 18.0.5 MR-5-Build586). With 18.0.4 it was simply not possible to activate DKIM through the web interface. In 18.0.5 this is fixed, but apparently DKIM support is still only half-functional, without any indication from the firewall itself. I'm pretty sure the keys are okay. It all worked and still works with Sophos Email Appliance. I double-checked the DNS records with various validation services.

    The entries I found in the log files seem to indicate a known issue with many Exim installations:
    Re: [exim] Tainted filename on DKIM signing in 4.94


    I want to clarify that I configured all of this using the Sophos XG Firewall web interface. Therefore, I have absolutely no responsibility for what is going on under the hood. Nonetheless, I consider it rather worrying that I have to log in via SSH and sift through some low-level logs to find out that nothing gets DKIM signed.
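
One way to surface the silent signing failure described in the posts above, added here as an example (not code from Sophos, Exim or any poster): it scans log text for the two Exim errors quoted in the thread and lists the DKIM-Signature headers on a received message. The sample messages, the `example.org` domain, the `sel1` selector and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

# Log excerpt quoted in the thread (key name redacted there as xxxxxx).
SAMPLE_LOG = """\
6885 LOG: MAIN PANIC
6885 Tainted filename '/sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem'
2021-05-24 12:12:31.408 [6885] xKKP8D-cslnwt-bA Tainted filename '/sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem'
6885 LOG: MAIN PANIC
6885 unable to open file for reading: /sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem
2021-05-24 12:12:31.409 [6885] xKKP8D-cslnwt-bA unable to open file for reading: /sdisk/exim/dkim//xxxxxx_DKIM_KEY.pem
"""
# Constructed test messages; the signature values are placeholders, not verified.
SAMPLE_UNSIGNED = "From: a@example.org\nTo: b@example.net\nSubject: test\n\nbody\n"
SAMPLE_SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\n"
                 " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n" + SAMPLE_UNSIGNED)
KEY_DIR = "/sdisk/exim/dkim/"  # key directory seen in the thread's log lines
FAILURES = [
    ("tainted", re.compile(r"Tainted filename '([^']+)'")),
    ("unreadable", re.compile(r"unable to open file for reading: (\S+)")),
]
MSG_ID = re.compile(r"\[\d+\] (\S+) ")  # "[pid] message-id" on timestamped lines

def dkim_key_failures(log_text, key_dir=KEY_DIR):
    """Map each failing key file to its failure kinds and affected message ids."""
    found = defaultdict(lambda: {"kinds": set(), "message_ids": set()})
    for line in log_text.splitlines():
        for kind, pattern in FAILURES:
            m = pattern.search(line)
            if not m or not m.group(1).startswith(key_dir):
                continue
            entry = found[m.group(1)]
            entry["kinds"].add(kind)
            mid = MSG_ID.search(line)
            if mid:
                entry["message_ids"].add(mid.group(1))
    return dict(found)

def signing_domains(raw_message):
    """Return (d=, s=) for each DKIM-Signature header; an empty list means unsigned."""
    pairs = []
    for value in message_from_string(raw_message).get_all("DKIM-Signature", []):
        tags = {k.strip(): v.strip() for k, v in
                (t.split("=", 1) for t in value.split(";") if "=" in t)}
        pairs.append((tags.get("d"), tags.get("s")))
    return pairs

if __name__ == "__main__":
    print(dkim_key_failures(SAMPLE_LOG), signing_domains(SAMPLE_UNSIGNED))
```

An empty result from `signing_domains` on a test message received from the gateway, together with a non-empty result from `dkim_key_failures` on its mail log, matches the situation reported in the thread.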

  • Hi Christian,

    I ultimately got DKIM fixed by adding a new key. 

    We however never got e-mail MTA SAV and Sandstorm functioning properly on the XG, as it would not recognize viruses nor send them to Sandstorm as it was being triggered. Only occasionally. We ultimately moved to Sophos Central Email Gateway in cooperation with Sophos commerce.

    Maybe you should create a new thread for your problem.

    Regards,

    Fred