This discussion has been locked.

DKIM not working

I tried to set up DKIM with no success.

1. I used (on my local Linux box) openssl to generate a 1024-bit RSA key pair.

2. I added the public key into DNS and let it propagate (for the moment with testing mode "t=y").

$ host -t txt testing._domainkey.mydomain.example 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

testing._domainkey.mydomain.example descriptive text "v=DKIM1;k=rsa;t=y;p=MIGfMA0......DwIDAQAB"

3. I configured the UTM as follows

Private key =

-----BEGIN PRIVATE KEY-----
MIIC...
...
...
...
-----END PRIVATE KEY-----

selector = testing

DKIM-Domains = mydomain.example

4. I used https://www.appmaildev.com/en/dkim to check. Result: DKIM-Result: none (no signature)

Why is no signature added?
According to the result at the receiving end, the mail is from the specified DKIM domain:

From: "Real Name" <username@domain.example>


  • "v=DKIM1;k=rsa;t=y;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPSj8NGDf71/tmIKyJ3Ymbdgx4IGGxGVQCvj97AhN50uKw6qBpkMNBA8JCz0f4LfyV/2OM7R+WXSKtt/5cQD5mbYQku/5wbjqTJJDMVvBk10TAp636Z/s+zQC9/piaLAzqv/DSnGnxCXAzxK8rxdK5fetzAkf8Iw9vb2ChbbVjDwIDAQAB"

    (cf. the equivalent host command in my post)

    Does that even matter? I mean, a problem with the DNS record would certainly lead to failure in verification of the DKIM signature at the receiving end - but the DKIM signature is not even applied at my sending end!

    In other words: Does your question mean that UTM does the DKIM signing if it is able to verify that the corresponding public key DNS record (which is not needed for the signing per se) is resolvable from the (internal-ish) resolver of the UTM instead of merely from all receiving ends who resolve the "official" version of DNS?

  • Hello Hagman,

    Then you would need to check /var/log/smtp.log for one of the outbound emails to see what it says about the signing.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • At first I thought that no errors were logged, but then I found a separate entry

        DKIM: signing failed (RC -101)

    I don't know what that means though (Google only ever heard of RC -102).

  • Hello Hagman,

    I was digging for a while but couldn't find anything.

    My guess is that it has to do with the key length, but it is 1024, which should be good enough. I would ask you to create a new one and maybe try going higher, to 2048.

    If it still fails, please open a case with Support to get this investigated further. You can tell them you created a 1024 and a 2048 but it remains the same. Also please provide them with any KB you have followed and the output of the /var/log/smtp.log where it shows that error.

    Regards,


     
    Emmanuel (EmmoSophos)
  • Thank you,

    I did as suggested, created a 2048-bit key - no change (no signature added, error "RC -101").

    I think I meanwhile stumbled upon another thread about a DKIM problem and they solved it quite unconventionally: by rebooting the firewall. I will give that a try tonight and otherwise try to open a case.

    Thanks again

  • Hello Hagman,

    Thank you for the follow-up!

    Let me know if the reboot fixed the issue, or if you opened the case please share with me the Case ID so I can follow-up!

    Regards,


     
    Emmanuel (EmmoSophos)
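Added example, not part of the thread and not Sophos code: a standard-library check of the DNS record posted above, reporting whether it parses as a DKIM key record, the RSA modulus size and the t=y testing flag, plus which PEM container the private key header indicates. All function names are assumptions made for this illustration; it confirms the published side is well-formed and does not explain RC -101.

```python
import base64
import re

# DNS TXT value exactly as posted in the thread above.
POSTED_RECORD = (
    "v=DKIM1;k=rsa;t=y;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPSj8NGDf71/"
    "tmIKyJ3Ymbdgx4IGGxGVQCvj97AhN50uKw6qBpkMNBA8JCz0f4LfyV/2OM7R+WXSKtt/5c"
    "QD5mbYQku/5wbjqTJJDMVvBk10TAp636Z/s+zQC9/piaLAzqv/DSnGnxCXAzxK8rxdK5fe"
    "tzAkf8Iw9vb2ChbbVjDwIDAQAB"
)
PEM_CONTAINERS = {"PRIVATE KEY": "PKCS#8", "RSA PRIVATE KEY": "PKCS#1"}

def parse_tags(record):
    # RFC 6376 tag-list: "name=value" pairs separated by ";", whitespace ignored
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {name.strip(): re.sub(r"\s+", "", value) for name, value in pairs}

def _read_tlv(buf, pos):
    # Returns (tag, value_start, value_end) of the DER element at pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_value):
    der = base64.b64decode(p_value, validate=True)
    _, spki, _ = _read_tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _read_tlv(der, spki)           # AlgorithmIdentifier, skipped
    tag, bits, _ = _read_tlv(der, alg_end)         # BIT STRING wrapping the key
    if tag != 0x03:
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    _, rsa_key, _ = _read_tlv(der, bits + 1)       # skip the unused-bits octet
    _, n_start, n_end = _read_tlv(der, rsa_key)    # first INTEGER is the modulus
    return int.from_bytes(der[n_start:n_end], "big").bit_length()

def pem_container(first_line):
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", first_line.strip())
    return PEM_CONTAINERS.get(m.group(1), "unknown") if m else "not PEM"

def check(record, pem_first_line):
    tags = parse_tags(record)
    return {"version_ok": tags.get("v") == "DKIM1",
            "testing": "y" in tags.get("t", "").split(":"),
            "modulus_bits": rsa_modulus_bits(tags["p"]),
            "private_key_container": pem_container(pem_first_line)}
```

Calling `check(POSTED_RECORD, "-----BEGIN PRIVATE KEY-----")` covers the record and the key header shown in the original post; RFC 8301 recommends at least 2048-bit RSA keys for signers.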