ISPConfig – DKIM-Patch 1.0


This guide applies only to DKIM-Patch >= 1.0. For older versions, please read on here.

Features

  • full DKIM support
  • DKIM keys of different strengths, up to 4096 bits
  • automatic update of the domain-key records in DNS
  • the DKIM key can be renewed at any time (automatic update of the selector and the DNS zone)
  • full DMARC support
  • wizard for creating DMARC records, with validation of the values
  • wizard for creating SPF records

Install
Download
cd /tmp
wget blog.schaal-24.de/files/dkim-latest_ispconfig3.tar.gz
tar xfz dkim-latest_ispconfig3.tar.gz
cd dkim-patch

or with git
git clone https://git.schaal-24.de/ispconfig/dkim.git
cd dkim

The patch is installed with
php -q install.php
For a manual installation see INSTALL.TXT

The patch must be installed at least on the main server and on the mail server. If you run your own DNS servers, the ISPConfig database on those servers must be adjusted for key strengths > 1024 bit: ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL DEFAULT '';
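Why key strengths above 1024 bits need the wider column, as an added example that is not part of the patch: it computes the length of the DKIM TXT record for each key size from the DER layout of an RSA public key, checks it against a 255-character column (the assumed width of dns_rr.data before the ALTER TABLE), and splits the record into the 255-octet strings a zone file requires. The p= values are constructed placeholders of the right length, not real keys.

```python
"""DKIM TXT record size per key strength, and 255-octet TXT string splitting.

Added example, not code from the DKIM patch or ISPConfig. It works out why a
key stronger than 1024 bits needs dns_rr.data changed to TEXT: the record no
longer fits a 255-character column and must be split into several
<character-string>s in the zone anyway.
"""

DKIM_PREFIX = "v=DKIM1; k=rsa; p="
MAX_TXT_STRING = 255      # one DNS TXT <character-string> holds at most 255 octets
OLD_COLUMN_LIMIT = 255    # assumed width of dns_rr.data before the ALTER TABLE


def _der_length_field(content_len: int) -> int:
    """Size of a DER length field: 1 byte below 128, else 1 + number of length octets."""
    if content_len < 128:
        return 1
    return 1 + (content_len.bit_length() + 7) // 8


def _tlv(content_len: int) -> int:
    """Total size of one DER tag-length-value with the given content length."""
    return 1 + _der_length_field(content_len) + content_len


def rsa_spki_der_len(bits: int, exponent_len: int = 3) -> int:
    """DER size of SubjectPublicKeyInfo for an RSA key (e = 65537 takes 3 bytes)."""
    modulus = _tlv(bits // 8 + 1)          # leading 0x00 keeps the INTEGER positive
    exponent = _tlv(exponent_len)
    rsa_public_key = _tlv(modulus + exponent)
    bit_string = _tlv(1 + rsa_public_key)  # one "unused bits" octet precedes the key
    algorithm_id = 15                      # SEQUENCE { OID rsaEncryption, NULL }
    return _tlv(algorithm_id + bit_string)


def p_tag_len(bits: int) -> int:
    """Length of the base64 p= value (DER padded up to a multiple of 3 bytes)."""
    return 4 * ((rsa_spki_der_len(bits) + 2) // 3)


def sample_record(bits: int) -> str:
    """Constructed record: a placeholder p= value of the right length, not a real key."""
    return DKIM_PREFIX + "A" * p_tag_len(bits)


def fits_old_column(record: str) -> bool:
    """True when the record would still fit the original VARCHAR column."""
    return len(record) <= OLD_COLUMN_LIMIT


def split_txt(record: str, limit: int = MAX_TXT_STRING) -> list:
    """Break record data into the <character-string>s a zone file needs."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def zone_line(selector: str, record: str, ttl: int = 3600) -> str:
    """BIND-style line; several quoted strings form a single TXT RDATA."""
    strings = " ".join('"%s"' % s for s in split_txt(record))
    return "%s._domainkey %d IN TXT %s" % (selector, ttl, strings)


def parse_dkim_txt(strings: list) -> dict:
    """Rejoin the strings a resolver returns and read the tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        rec = sample_record(bits)
        print(bits, "bits:", len(rec), "chars, fits VARCHAR(255):", fits_old_column(rec))
    print(zone_line("default", sample_record(2048)))
```

A 1024-bit record is 234 characters and fits; 2048 and 4096 bits give 410 and 754 characters, which is why the column must become TEXT and why external DNS entries need the split strings.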

Adjusting the Server Config
After the plugin has been installed, the path for the DKIM keys must be set under “Server Config”. The private and public keys are stored there. For security reasons this must not be the root directory ‘/’.
[Screenshot: 01-server_config]

Creating the keys for a mail domain
When a domain is created or edited, the settings are found under “DomainKeys Identified Mail (DKIM)”. The key can be generated with “Generate DKIM private key” or pasted in. The DNS record is shown for information only and can be copied as-is into an external DNS.

When the DKIM settings are changed (e.g. the delimiter or the key), ISPConfig updates or creates the DNS record, provided the corresponding DNS zone is active.
[Screenshot: 02-mail_domain_edit]
DNS wizard
By default ISPConfig creates a new zone with DKIM enabled. This setting can be changed in the template.
[Screenshot: 03-dns_wizard]

DNS record
The DKIM record can simply be added via the “DKIM” button.
[Screenshot: 04-dkim_record]

SPF record
An SPF record can simply be added via the “SPF” button.
[Screenshot: 05-spf_record]

DMARC record
A DMARC record can simply be added via the “DMARC” button.
[Screenshot: 06-dmarc_record]

Resync
The DKIM settings can be rewritten at any time (the DKIM keys and the DNS records should always be synced together).

Import
If DKIM keys already exist in amavis, they can be imported into ISPConfig. See the README in the script directory.



155 thoughts on “ISPConfig – DKIM-Patch 1.0”

    • Florian Schaal (post author)

      You must define the dkim-keys on the mailserver and insert the record on your dns-servers

  • Thomas Gumpinger

    Really good, just one small problem. The DKIM record in the DNS is created with a TTL of 0. Can that be changed anywhere?

  • Olivier T

    Hello
    Thanks for this great plugin.

    I have version 3.0.5.4p8 of ISPConfig on which I installed DKIM-Patch 1.0
    I see now that ISPConfig 3.0.5.4p9 is available and proposed for upgrade.
    Can I proceed freely or should I make any specific manipulation?

    TIA
    Br
    Olivier T

  • DROUIN

    Got this error in ispconfig.log after installing the plugin and no dkim key file was created. I’m on Ispconfig 3.0.5.4p8 on multi-server env (web server with ispconfig master + database server + mail server)
    I installed the plugin on both the web server and the mail server.

    11.03.2016-20:31 – DEBUG – Unable to register function ‘domain_dkim_delete’ from plugin ‘mail_plugin_dkim’ for event ‘mail_domain_delete’
    11.03.2016-20:31 – DEBUG – Unable to register function ‘domain_dkim_insert’ from plugin ‘mail_plugin_dkim’ for event ‘mail_domain_insert’
    11.03.2016-20:31 – DEBUG – Unable to register function ‘domain_dkim_update’ from plugin ‘mail_plugin_dkim’ for event ‘mail_domain_update’

    • Florian Schaal (post author)

      Could you provide your OS and your PHP-Version? And on which server you see the debug-errors?

        • Florian Schaal (post author)

          Please check the permissions for /var/lib/amavis and /var/lib/amavis/dkim
          Both directories must be owned by user and group amavis and the permissions are 750.

  • Dario Bor

    Hello,
    Do I need to apply the patch on all servers in a multi-server environment, or just on the mail server and the ISPConfig master?
    I have 1 webserver, 1 master Ispconfig control panel, 1 mail server.

    Thanks in advance!

    Dario

  • VIRON INIOTAKIS

    Hello.
    I noticed that if I set ISPConfig's language to Greek, the words DomainKeys Identified Mail (DKIM)
    and Generate DKIM Private-key go missing from Mail Domain

    How to fix this?

    • Florian Schaal (post author)

      You can check the language settings in the lng-file and compare this with the en-file:
      interface/web/mail/lib/lang
      I've currently no time to check this myself. I can do this next week.

  • Ovidiu

    Hi Florian,

    do you know of a tutorial to implement the “other side” – I mean now I am signing all my outgoing emails with the proper DKIM but how would I check incoming emails for correct DKIM keys and take “action”?

    • Florian Schaal (post author)

      You can revert the changes at every time. Just restore the created backups from postfix main.cf and master.cf and from your amavis-config.

  • borekon

    Hi, I’ve disabled amavis and spamassassin from ispconfig. Then installed the plugin, but there’s an error that says “mail transport unavailable” and I can’t send any mails.
    So, I’ve renamed the master.cfdkim and main.cf.dkim back to their originals and now it works again.
    Is there any way to install without using amavis?
    Thanks for that great plugin.

  • Andrea

    Hi,

    first a big thanks for this patch!

    I have a server running web and mail. On this server I have around 10 mail domains, all signed with your DKIM patch, and all work perfectly.

    I have discovered, however, that one of these domains does not sign mail. Precisely, this domain is the first-level domain of the server's hostname (the server's hostname is s1.example.com and the domain that gives me problems is example.com).

    I checked the mail.log and mail.err but there are no errors.

    Could the problem be the domain? Because with the remaining domains the patch works perfectly!

    The command amavisd-new testkeys example.com gives me pass.

    Thanks !!

  • Mickael

    For my part, as I expected before installation, … it does not work :-( (Yet my installation ispconfig is fresh from yesterday …)
    Amavis does not sign emails. In mail.log … I see:

    amavis [13471]: DKIM code NOT loaded

    Solutions?!

    • Florian Schaal (post author)

      You don’t need DKIM code in amavis. It’s difficult to find a solution why amavis won’t sign your mails. I would start with the steps on the debug page. If this does not solve your problem, please check the steps in INSTALL.TXT. In other cases you can also open a ticket on https://support.schaal-24.de

      • Mickael

        Hello,
        I have not found the problem, but I found another one.
        Apparently, if one makes a stronger key than “weak”, there are not enough characters in a TXT field ispconfig to contain all the public key…

        • Florian Schaal (post author)

          ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL DEFAULT ''; for your ispconfig database. I will not update the installer to work without any issues on every setup. This is already done for the upcoming ispconfig release.

  • David S

    Hello,
    I can't generate keys by clicking on “Generate DKIM private-key”.
    My error log is:

    sh: /openssl: No such file or directory
    sh: /openssl: No such file or directory
    [Sun Jul 05 00:58:17 2015] [warn] [client 2001:xx] mod_fcgid: stderr: PHP Warning: unlink(../../temp/random-data.bin): No such file or directory in /usr/local/ispconfig/interface/web/mail/mail_domain_dkim_…

    I have openssl on my server.
    What could be wrong? Thank you.

    David

      • David S

        I have Debian. Exec is enabled at CLI and CGI config. At Apache config is disabled. Should be enabled everywhere?

      • David S

        I enabled exec everywhere, but I’m still getting this error when I want to generate a key by clicking on “Generate private DKIM key”.

        sh: /openssl: No such file or directory
        sh: /openssl: No such file or directory
        [Mon Jul 06 13:14:34 2015] [warn] [client 46.xx] mod_fcgid: stderr: PHP Warning: unlink(../../temp/random-data.bin): No such file or directory in /usr/local/ispconfig/interface/web/mail/mail_domain_dkim_create.php…

  • Victor

    This is really neat. Works right outside the box. Thanks for the plugin and packaging! The guys at ispconfig should really integrate this into the core project.

    For testing / debugging purposes I suggest “dig TXT” on the CLI for the SPF record and “dig default._domainkey.yourdomain.tld TXT” for the DKIM record.

  • Ovidiu

    Could you help explain what needs to be done for “If you indicate that reports should be sent to an address outside your domain, you may need to request that the receiving party publish a special DMARC report DNS record” – I mean I would like to receive all DMARC reports at one specific email address that is outside the domains I am receiving reports for.

    I found their FAQ here: http://dmarc.org/faq/senders/ search for outside, I need some help understanding their solution:

    If you indicate that reports should be sent to an address outside your domain, you may need to request that the receiving party publish a special DMARC report DNS record:

    _dmarc.example.com TXT “v=DMARC1; p=none; rua=mailto:aggregate@thirdparty.com”
    example.com._report._dmarc.thirdparty.com TXT “v=DMARC1”

    Is example.com the domain I am receiving reports for and thirdparty.com the domain I am receiving them at? If yes, I assume I need such a record in my receiving DNS for each domain I am receiving reports from?

    • Florian Schaal (post author)

      thirdparty.com is the domain that receives the reports and example.com is the domain for the dmarc records. I have all reports sent to dmarcian.com and check the reports in their interface. You can see my dmarc record with a simple dns query: dig _dmarc.schaal-24.de -t TXT
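A check for the external-reporting case discussed above, as an added example that is not part of the patch or ISPConfig: it validates a DMARC record's tags and confirms that each rua destination outside the sending domain publishes the domain._report._dmarc.destination authorization record. DNS answers come from a constructed in-memory zone; example.com and thirdparty.com are the FAQ's names, example.org, example.net and collector.example are constructed.

```python
"""Validate a DMARC record and the authorization needed for external report addresses.

Added example, not part of the DKIM patch or ISPConfig. It walks through the FAQ
case quoted above: example.com sends aggregate reports to thirdparty.com, so
thirdparty.com must publish example.com._report._dmarc.thirdparty.com TXT "v=DMARC1".
DNS answers are a constructed in-memory zone instead of live lookups.
"""

# constructed zone snapshot standing in for DNS TXT lookups
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:aggregate@thirdparty.com",
    "example.com._report._dmarc.thirdparty.com": "v=DMARC1",
    "_dmarc.example.org": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; rua=mailto:all@collector.example",
}

POLICIES = {"none", "quarantine", "reject"}
ALIGNMENT = {"r", "s"}


def lookup_txt(name: str):
    """Stand-in for a TXT query; returns None when the name does not exist."""
    return ZONE.get(name.lower())


def parse_tags(record: str) -> list:
    """Split 'tag=value; tag=value' into ordered (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def validate_dmarc(record: str) -> list:
    """Return a list of problems; an empty list means the record is acceptable."""
    pairs = parse_tags(record)
    tags = dict(pairs)
    errors = []
    if not pairs or pairs[0] != ("v", "DMARC1"):   # the version tag must come first
        errors.append("record must begin with v=DMARC1")
    if tags.get("p") not in POLICIES:
        errors.append("p= is required and must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        errors.append("sp= must be none, quarantine or reject")
    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in ALIGNMENT:
            errors.append("%s= must be r or s" % tag)
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        errors.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            if uri.strip() and not uri.strip().startswith("mailto:"):
                errors.append("%s= entries must be mailto: URIs" % tag)
    return errors


def report_destinations(tags: dict) -> list:
    """Domains that aggregate (rua) reports would be delivered to."""
    domains = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:") and "@" in uri:
            domains.append(uri[len("mailto:"):].rpartition("@")[2].lower())
    return domains


def authorization_name(report_domain: str, destination: str) -> str:
    """Name the destination must publish to accept reports about report_domain."""
    return "%s._report._dmarc.%s" % (report_domain, destination)


def check_external_reporting(domain: str) -> dict:
    """Map each rua destination to 'internal', 'authorized' or 'missing authorization'."""
    record = lookup_txt("_dmarc." + domain) or ""
    status = {}
    for dest in report_destinations(dict(parse_tags(record))):
        # same domain (or a subdomain of it) needs no extra record; a simple suffix
        # test stands in for the organizational-domain comparison of the spec
        if dest == domain or dest.endswith("." + domain):
            status[dest] = "internal"
            continue
        auth = lookup_txt(authorization_name(domain, dest))
        ok = auth is not None and dict(parse_tags(auth)).get("v") == "DMARC1"
        status[dest] = "authorized" if ok else "missing authorization"
    return status


if __name__ == "__main__":
    for zone in ("example.com", "example.org", "example.net"):
        rec = lookup_txt("_dmarc." + zone)
        print(zone, validate_dmarc(rec), check_external_reporting(zone))
```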

  • Ovidiu

    a bit of a stupid question but if I were to install this with git, WHERE would I do that, I mean cd to which directory before executing git clone … ? or does that not really matter and how would one update to a newer version in future also using git?

    • Florian Schaal (post author)

      It does not matter where you clone the git. /tmp might be a good solution. To update the git, change to the cloned git dir and run git pull. I don’t think that I will release any further versions of this patch as it’s already integrated into the upcoming ispconfig release.

      • Ovidiu

        Thanks Florian, do you have any links for me to check the progress of the integration or where did you see that? Just want to check if it is in the upcoming release or not, I don’t mind waiting a few more months to get this feature or do you think it will not be a problem using your patch now then upgrading when it gets integrated?

        • Florian Schaal (post author)

          You can use this patch with the current release. If you upgrade your installation to the upcoming release (3.1) you won’t lose any data. With ISPConfig 3.1 you don’t need to install the DKIM-Patch. The full patch is already in ispconfig 3.1. But it’s just a developer version. You should not use it on a production server. Just install the patch and you’re fine.

  • Mike

    Hi and first and foremost I want to thank you for your DKIM Patch.
    However, I have a bit of trouble to set up DKIM signing on the submission port.

    Could you give me a hint how I could achieve that?

    • Mike

      Alright
      I’ve managed to get DKIM signing on submission by myself.
      Just add:
      -o content_filter=amavis:[127.0.0.1]:10026

      at the end of the submission options.

      • Florian Schaal (post author)

        There is no need to add such an option and you should remove it. Make sure that you have content_filter = amavis:[127.0.0.1]:10024 in the main.cf, 127.0.0.1:10025 inet n - n - - smtpd ... and 127.0.0.1:10027 inet n - n - - smtpd .... in master.cf and make sure your smtpd_sender_restrictions are right.

        • Mike

          All these things are fulfilled, actually.
          However, I don’t want to deny that I may have made a mistake, even though I can’t see it.
          btw why is the dedicated content_filter in the submission options wrong or not good? What’s the reason?

          Here are my main.cf and master.cf, if you say DKIM on submission should kinda work “out of the box” then there must be a mistake, eh?
          https://gist.github.com/donmichelangelo/d7f06468f62fd02f7a14
          https://gist.github.com/donmichelangelo/80e7f6a8264c91577c80

          • Florian Schaal (post author)

            Because /etc/postfix/tag_as_originating.re already connects to amavis:
            /^/ FILTER amavis:[127.0.0.1]:10026

            Could you show your amavis-config, too? Did you see anything in your logs when you deliver mails on the submission-port?
            And: your mails are signed with dkim when you deliver them on port 25?

          • Mike

            For some reason I couldn’t answer on your response, so I do on my own.

            To your question regarding DKIM signing on Port 25: Yes, with these configuration files amavis signs my emails on Port 25.
            I’ve removed the content_filter line in the master.cf within the submission options and amavis doesn’t sign my emails with DKIM anymore.

            However, I want to slowly “train” my email users to send their emails through port 587 for certain reasons, that’s why I need it working on Port 587 as well.

            Here is my amavisd.conf:
            https://gist.github.com/donmichelangelo/e8cddff6786f1f28ce45

          • Florian Schaal (post author)

            You have i.e. two policy_bank in your amavis-config. Are you running openSuSE?
            Amavis signs mails over 25 and 587 (you should have a signed mail from me in your inbox).

  • Richard Whitcombe

    I've installed the latest version of the patch on the latest ISPConfig but just can't get it to work.

    The tests i sent to @port25 and various other checkers all come back with Bad signature (Fail).

    The DNS record has been added and that DOES pass the external verifier checks as being valid. DNS is hosted externally.

    From the logs:-

    Mar 30 19:49:35 server amavis[27963]: (27963-01) dkim: candidate originators: From:
    Mar 30 19:49:35 server amavis[27963]: (27963-01) dkim: signing (author), From: (From:), KEY.key_ind=>0, a=>rsa-sha256, c=>relaxed/simple, d=>server.org.uk, s=>default, ttl=>1814400, x=>1429555775.20686

    From that I assume it IS getting signed with something in amavisd-new.

    amavisd-new testkeys comes back with:-

    fail (OpenSSL error: data too large for key size) although I'm not sure if this is DNS TTL or not as I’ve been testing (?)

    The keys have been generated via the GUI on ispconfig without issue and the storage directory is amavis readable and owned.

    Any idea where I'm going wrong with all this?

    • Florian Schaal (post author)

      If you use an external DNS please make sure that the record is not too long and try it with a key strength of 1024 bits.
      You can run “amavisd-new showkeys” to see the full dns record that must be inserted in the dns. You may have had an error with cut&paste.
      As long as you do not provide the domain and selector I cannot check your dns record.
      According to http://lists.amavis.org/pipermail/amavis-users/2011-September/000837.html your dns record might be wrong.

  • Stanislav Petýrek

    Hi Florian,
    thanks for great patch! :-) It’s easy, super.

    Installation was no problem (it only tells me “check the permissions manually (750 for amavis.amavis or vscan.vscan)”….what exactly can I do with it?), but I have a major problem with outgoing mails. They are not signed by DKIM….

    I just try your debug-page, and “amavisd-new testkeys” wrote me, that “default._domainkey.mydomain.cz => public key: not available”. It’s because I have “external DNS records”, or does not matter on it?

    Because in the external DNS records I have the correct TXT record with values copied from ISPConfig -> E-mail -> Domains -> specific domain -> DNS-record. I noticed here in this discussion that the text is only approximate, but maybe I need to know it exactly.
    In the “DNS-record field” is for example default_domainkey._mydomain.eu, in the discussion above it says that correctly it is default.domainkey.mydomain.eu, and amavisd-new testkeys says default._domainkey.mydomain.eu. None of these options works.

    Thanks much for your feedback!
    Stanley Petyrek

    I have ISPConfig 3.0.5.4p5, and your latest patch downloaded today. Debian 6.0.

    • Florian Schaal (post author)

      amavisd-new testkeys checks your private keys against the public keys stored in a dns record. If you use external dns, you should wait a few hours and/or use dig (i.e. dig default._domainkey.schaal-it.com TXT or dig @ns03.schaal-24.de default._domainkey.schaal-it.com TXT) to query the dns from your domain hoster for the public key.
      amavisd-new shows the file containing the private key and displays the dns record for your dkim key pair.
      From the debug page: amavisd-new testkeys verifies the public key registered in the DNS against the locally stored private key, and amavisd-new showkeys shows the location of the private and public keys for all domains defined in amavis

      • Stanislav Petýrek

        Thanks for your feedback!

        I tried the DIG and found a mistake in my external DNS record (I made a copy of the text “default._domainkey.exampledomain.com” to DNS, but in DNS it must be only the text “default._domainkey”, so a basic mistake, I am sorry).

        So now I have the correct external DNS record with the DKIM key, and amavisd-new showkeys exampledomain.com shows me the private key, too. But my OUTgoing mails are not signed by a DKIM signature. I cannot find it in the header of test mails.

        What am I doing wrong, or where is the problem? In “check the permissions manually (750 for amavis.amavis or vscan.vscan)” = message during installation? I am a basic man in this system, what should I do? Set the permission of the amavis folder? Or is it not the problem?

        Thanks you very much for you help!
        Stanislav Petyrek

        • Stanislav Petýrek

          I just set permissions for /var/lib/amavis/dkim to 750, but my problem is without change. Do you have another idea?

          • Stanislav Petýrek

            I tried it by manual setup (install.txt), and it is ok now. There were some missing parts in config files, so manual installation is better for me…

            And I found a little error in install.txt. The filename of amavis.conf.txt is amavis.conf.dkim.

            Thank you very much for your assistance and nice patch! :-)

          • Stanislav Petýrek

            I have a next problem, so I opened a ticket…. thx much

          • Florian Schaal (post author)

            Problem solved. There was – for some reasons – /etc/amavisd.conf but amavis uses the /etc/amavisd/conf.d-structure.

          • Stanislav Petýrek

            Thank you very much for your help, your support to DKIM-patch is the best :-)

    • Robin

      Hi Florian,

      First of all: a big thanks for creating this plugin! :-)

      I wanted to share something that took me two hours today to figure out.

      I already had the 1.0 version of your dkim for ispconfig installed using the wget dkim-latest_ispconfig3.tar.gz some months ago (in september 2014).

      This time I used git clone https://git.schaal-24.de/ispconfig/dkim.git and afterwards in the tmp dir ran the install.php. I answered ‘y’ to every question.

      I got no errors, but then my ISPConfig gave a 403 forbidden when I tried to go to the URL of my ISPConfig installation. My nginx error log gave:

      2015/03/16 02:38:19 [error] 4422#0: *711934 "/usr/local/ispconfig/interface/web/index.php" is forbidden (13: Permission denied), client: 87.212.11.140, server: _, request: "GET / HTTP/1.1", host: ":8080"
      2015/03/16 02:38:19 [error] 4422#0: *711934 open() "/usr/local/ispconfig/interface/web/favicon.ico" failed (13: Permission denied), client: 87.212.11.140, server: _, request: "GET /favicon.ico HTTP/1.1", host: ":8080"

      It turns out that every directory that had a setgid bit and had some file down its tree that changed had lost its execute rights for the group. This included the /interface, /server, /server/web, /server/web/admin, /server/web/dns, /server/web/js and /server/web/mail directories and the subdirectories for the last 4 mentioned. I solved this by executing a

      chmod g+x

      for each of these dirs and every subdir they had that did have a setgid bit and did not have the group execute rights.

      Is this caused by a small bug in your script or does it have something to do with my OS/server settings?

      Kind regards,
      Robin

      • Florian Schaal (post author)

        The install.php should change owner and group for the interface-files to ispconfig.ispconfig.

  • Figo

    Nice! Good work!

    I’ve only one question…

    port25 answer me :

    ———————————————————-
    DomainKeys check details:
    ———————————————————-
    Result: neutral (message not signed)
    ID(s) verified: header.From=xxx@backpackerguide.nz
    DNS record(s):

    (DKIM pass)

    Why is the message “not signed”, and which DNS record is expected?

    Does that mean my config is not fully configured?

    Thanks !

    • Florian Schaal (post author)

      This plugin signs with dkim and not with a domainkey. Just check “DKIM check details:” inside the mail from port25.

  • justLern'n

    thanks for providing this topic and patch.

    customer was getting rejected by gmail such he could not email his customer list.

    this patch worked well.

    thank you.

    download via ‘latest’, so I didn’t notice patch version.
    patch in INSTALL doc states:
    *** Use this patch only with ISPConfig 3.0.5.4p2 or newer
    ISPConfig Version: 3.0.5.4p5
    ubuntu 14.04
    we did the script install:
    php -q install.php
    then followed up with the INSTALL doc to verify
    implement what didn’t get done with the php script.
    we did not do the ‘alter table’ as we for the moment are only doing 1024 keys and dkim / amavis / ispconfig 3 are working well.
    our thought is that if we update ispconfig 3/et al/ we didn’t want it to walk on this mod.
    maybe wrong thinking on our part, but lazy and it works as is.

    • Florian Schaal (post author)

      I don’t know why the installer shows you this warning, but you can safely alter the db table dns_rr for keys > 1024.

  • Jakob Curdes

    Hello, we have a problem with the patch (1.1.6) and ispconfig 3.0.5.4p5. When we create a Domain key in the “mail domain” dialogue this looks fine. However, in the DNS dialogue, the key does not show up with its full length. The respective field seems to be too short. I read that there was a database change but I could not figure out if the install.php applies this by itself or if we need to alter the database. I should mention we had a 0.7 version of the patch installed before this one. Or is this not database-related? We run a multiserver setup and installed the patch on the server running the ispconfig interface and on the mail server where the DNS also resides.

    • Jakob Curdes

      Sry, I figured out that we needed to alter the dns_rr field to “text”; now it works as expected! Thank you for this plugin!

  • Vikram

    Hi Florian,

    Thanks for the great patch.
    I’ve installed it on my two ISPC 3.0.5.4p5 servers x.x.x.131 and x.x.x.134. I have the DNS role installed only on 131, whereas I intend to use your patch to add DKIM and SPF on 134 also. But it gives me the error “DKIM disabled for this mail-domaindata_error_empty” when I try to add DKIM for an email domain which is served from 134.

    Could you please help me ?

    Regards,
    Vikram

  • Dima

    Excuse my bad spoken English

    Three times I reinstalled the Debian 7 + ISPConfig system. I tried to install the DKIM-Patch.
    I do everything according to the instructions, but letters aren’t signed with a DKIM signature

    default._domainkey.mydomain.su => pass

        • Florian Schaal (post author)

          I used the installer a few days ago and all changes are done. Could you please provide your OS and the php version (feel free to send me a mail).
          You cannot change a DKIM record in the DNS by editing the TXT record. You should use the DKIM button instead. Please also check your database structure for dns_rr or run “ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL DEFAULT '';” for dbispconfig (console or phpmyadmin).
          It seems that you had some trouble with the installer.

        • Ovidiu

          I can confirm this.
          I just manually checked INSTALL.TXT and then checked my config files, and main.cf as well as master.cf wasn’t touched by the install script. Running the same server config as the reporting person

          => My system Debian7-64 + nginx + (php5-fpm). I established according to the instruction of https://www.howtoforge.com/perfect-server-debian-wheezy-nginx-bind-dovecot-ispconfig-3.

          Inside INSTALL.TXT it says:
          adjust amavis-config to handle postfix-connects (/etc/amavis/conf.d/50-user or /etc/amavisd.conf)

          cat amavis.conf.txt >> /etc/amavis/conf.d/50-user
          OR
          cat amavis.conf.txt >> /etc/amavisd.conf

          There isn’t even a amavis.conf.txt present

          P.S. I tried doing this via the git clone command.
          I’ll try again and do it manually, shouldn’t be a problem doing this, right?

          • Ovidiu

            I tried the manual download with wget … then ran php -q install.php and still my smtpd_sender_restrictions are untouched :-(

          • Ovidiu

            the tag_as_foreign.re tag_as_originating.re files are not being created/copied either.

            I will open a support ticket, I think that is the easiest.

  • Christoph Kluge

    Migration to latest ispconfig 3.0.5.4p5 + dkim-patch 1.1.5 went totally smoothly – also the previous setup keys are reused! :)

    Additionally I got a feature request 😉
    It would be awesome to fetch the server-instance-type (e.g. web/interface or mail) and then only ask for those changes which are really required to apply..

  • Hauke

    Hello, great patch, very helpful. Is there a Flattr account? Unfortunately I have a problem though: somehow I can't get the DKIM signature right. Maybe someone has an idea, tips or hints for me. The keys were created and are in the folder, the public key was entered in the external DNS server by copy & paste, but every test with mail-tester.com says “DKIM signature is not valid”. :-/

    Example: https://www.mail-tester.com/web-bETRqx

    Ideas, tips, suggestions?

    Many thanks

    • Florian Schaal (post author)

      I’ve no flattr account. Maybe you missed something with cut&paste? Could you send an email to mailtest @ unlocktheinbox.com and forward me the result?

  • Clouseau

    Although the dir has these permissions /var/lib/amavis/dkim/
    drwxr-x--- 2 amavis amavis dkim

    The newly created dkim keys, private and public, have these permissions:
    -rw-r--r-- 1 root root domain.tld.private
    -rw-r--r-- 1 root root domain.tld.public
    They are safe because others have no rights on the dkim directory, but maybe it would be better for the keys to have 640 permissions with group amavis on them…

    Btw. this works https://www.howtoforge.com/community/threads/ispconfig-dkim.66217/

    Now I’m gonna see how to put cluebringer in the picture…

    • Clouseau

      SPF record is too short:

      Any other server hostname that may deliver or relay mail for this domain: You can’t add a longer entry, it is limited. i.e. I wanna add 10 hostnames and can’t. I can later when the SPF record is created but I have to go to records and edit the current txt entry…

    • Florian Schaal (post author)

      the dkim dir is created as 750 if the user amavis or vscan was found. Otherwise it’s 755 to allow root to access the keys.

  • Ronald

    Hi Florian,

    I have installed your patch on my ISPConfig setup. I have a multi server installation with 2 servers, both running their own mail, web and mysql server. The first server is also running as a DNS server.

    When I use the resync tool to resync DKIM tokens, I get an error in the ISPConfig log that says “Unable to write DKIM settings – no or invalid DKIM-Path defined”. On both servers the path is set to “/var/lib/amavis/dkim” and that folder exists on both servers. What is this error and how can I fix it?

    Also another quick question: I saw a small file named “dkim-patch-all-languages.tar.gz” in your files folder. The text left of the checkbox in the resync tool is empty. Can I install this languages archive and will it fix this?

    Thanks in advance!

    Ronald

    • Florian Schaal (post author)

      The error during a resync occurs if
      the dkim path for the server is not set (check the database),
      the dkim path is /,
      or the dkim path is a symlink.

      Which language are you using? I checked it with the German and English language and the resync tool shows the values for every checkbox.

      • Ronald

        The error is no longer occurring when I resync the keys, but the dkim path was right from the beginning. I didn’t change anything. A little mysterious, but it’s working now.

        I’m using Dutch. Your question made me think and I added the language string for “resync_dkim_txt” in the nl_ language file for the resync page. Maybe you can adjust the install script so that it adds the language string in all resync language files?

      • Ovidiu

        Getting the same error when resyncing:
        16.11.2015-13:49 – ERROR – Unable to write DKIM settings – no or invalid DKIM-Path defined

        Yet the path is set and ISPCFG3 actually does manage to write as I did a ls -al /var/lib/amavis/dkim/ and I can see from the time stamp that it actually resynced the DKIM keys.

        Any ideas why I get the error emails yet the resync succeeds??

  • Florian Nunes

    Florian,
    Nothing is missing, but we can’t edit a SPF record. So, if I add a spf record and I missed to check the active option, I can’t update it to active this record. The only solution is to delete the record and create a new one.

    Thanks.

    • Florian Schaal (post author)

      Use the SPF-Button in the DNS-Zone. This loads your current settings and allows you to change anything you need – incl. activating the record.

      • Florian Nunes

        Ha ok. Strange behavior…
        For other records, we can do that by clicking directly on the line located in the list. But with the SPF record, if I click on it, the TXT record opens and we can’t modify it…

        • Florian Schaal (post author)

          The same happens for DKIM and DMARC. I thought the error message is usable. :)

          FYI: those records are simple TXT records. If you edit a TXT record you always get the interface to edit txt records – even if some values are disabled. You can change the source to change a TXT record with an spf value. But this can break the record very easily.

          • Florian Nunes

            No, I’m not able to change the TXT record corresponding to SPF by clicking on it. When I try to validate my changes, the interface says: “SPF is not allowed. Use the SPF button.” And if I try via your SPF records, the SPF record input is in read-only mode. So, I can’t add the “include:_spf.google.com” string (for example) to my SPF record…
            I know we can break records (as with other DNS records), but I think your SPF system is a little bit too restricted…
            Most of us are Sys Admins, and from my perspective, we need to have free hands 😉

          • Florian Schaal Beitragsautor

            You can not change the spf-record (this is just information about the current settings) but you can change everything in the other fields to update the record.
            It’s possible to allow changes in the record itself but this will also allow customers to change those settings. I don’t think that I will change the code to allow the admin to change the record-field in the spf-wizard with the current ispconfig-release, because the next major-release uses bootstrap.

  • Florian Nunes

    Thanks for your reply.
    I notice some improvements for SPF records:
    – when I try to add an SPF record, it seems the interface has an HTML issue, because there is a “/>” next to the active checkbox.
    – If we want to customize an SPF record after creating one, the interface says “we can’t add SPF to TXT records”. I think we should have the ability to modify it if we want to.

    Thanks in advance Florian

    • Florian Schaal Beitragsautor

      You can customize the SPF-Record with the new SPF-Button. If you need more settings please let me know what’s missing. If we allow SPF with a TXT-Record a customer may break his spf-record (and break mail-delivery).

  • Florian Nunes

    Hi,
    Backup creation failed on my installation on Debian 7.0:

    Create backup - /var/backup/dkim-'.2014-12-06T12:12:50+01:00.'.tgz
    tar: Removing leading `/' from member names
    tar: /etc/amavisd.conf: Cannot stat: No such file or directory
    tar: /etc/amavisd.conf/50-user: Cannot stat: No such file or directory
    tar: /etc/amavisd.conf/60-dkim: Cannot stat: No such file or directory
    tar: /etc/amavis/conf.d/60-dkim: Cannot stat: No such file or directory
    tar: /etc/amavisd/amavisd.conf: Cannot stat: No such file or directory
    tar: /etc/postfix/tag_as_foreign.re: Cannot stat: No such file or directory
    tar: /etc/postfix/tag_as_originating.re: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/lib/classes/validate_dkim.inc.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/form/dns_dkim.tform.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/form/dns_dmarc.tform.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/form/dns_spf.tform.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/templates/dns_dkim_edit.htm: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/templates/dns_dmarc_edit.htm: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/templates/dns_spf_edit.htm: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/dns_dkim_edit.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/dns_dmarc_edit.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/dns/dns_spf_edit.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/js/mail_domain_dkim.js: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/interface/web/mail/mail_domain_dkim_create.php: Cannot stat: No such file or directory
    tar: /usr/local/ispconfig/server/plugins-available/mail_plugin_dkim.inc.php: Cannot stat: No such file or directory
    tar: Exiting with failure status due to previous errors

    One more thing, I think putting a colon in the backup filename is not a good idea. On my server, I can’t tar the backup file generated.
    Suggested improvement: creating the /var/lib/amavis/dkim directory, with appropriate rights, if it doesn’t exist, would be great.

    Thanks for your job!

    My settings Server:
    – Debian 7.0, ISPConfig 3.0.5.4p4

    • Florian Schaal Beitragsautor

      Your backup “fails” because the latest version was not installed. There is no colon in the backup name. The archive is just called dkim-date(%c).tgz. I will update the installer within the next days to avoid some errors, choose a different archive-name and ask for some user-input.
      There will be also a release with some dmarc-related changes before x-mas.

      The installer could not create the dir for dkim-keys because you can change this in the backend and this may lead to unused directories, plus you can have different users for amavis on different mailservers (vscan or amavis). If the directory does not exist when you create a dkim-key-pair, it will be created with the right permissions. If you have a master-server without mailhandling, you will never need such a directory on this server.

  • ashok

    I have installed ispconfig and removed spamassassin and clamav. So I guess amavis is also not there. I did this to reduce the memory footprint. Spam is already blocked at postfix level through rbl and by csf blocking other public block lists.

    My question is, in this current setup without spamassassin and clamav, can the above instructions work? If you really need amavis, can I install it back and function without spamassassin and clamav? Please advise on this.

    • Florian Schaal Beitragsautor

      You need amavisd-new to sign the mails. You could remove clamav and spamassassin if you need no spam-checks.

  • Justin

    Hi, I just installed the latest version on Centos 7 yesterday but failed during /etc/init.d/postfix restart: command not found, setup aborted.

    Here are some of my postfix errors. Anyone can help me get my email sending and receiving working again? Thank you very much.

    Justin

    postfix/proxymap[232628]: warning: connect to mysql server 127.0.0.1: Access denied for user 'ispconfig'@'127.0.0.1' (using password: YES)

    postfix/trivial-rewrite[232633]: warning: proxy:mysql:/etc/postfix/mysql-virtual_domains.cf: table lookup problem

    postfix/trivial-rewrite[232633]: warning: proxy:mysql:/etc/postfix/mysql-virtual_domains.cf: table lookup problem

    postfix/smtpd[232627]: NOQUEUE: reject: RCPT from **********.com[000.000.000.000]: 451 4.3.0 : Temporary lookup failure

    • Florian Schaal Beitragsautor

      Make sure that mysql is running and the mysql-user ispconfig can login into mysql with the password from /usr/local/ispconfig/server/lib/config.inc.php

      • Justin

        Hi Florian,

        I checked my config.inc.php and the mysql user name and password were correct and the same in mysql-virtual_domains.cf, and the password is working properly. Only postfix failed to work as you can see from my last post.

        Thank you very much.

        Justin

        • Florian Schaal Beitragsautor

          It seems that postfix can’t connect to mysql with the user ispconfig. But what about “/etc/init.d/postfix restart: command not found”? Do you need “service postfix restart”? If you think the install.php failed you can restore your configs from the archive in /var/backup and install it manually (adjust amavis and postfix, copy the files and alter the database). I will try it on centos 7 next week.

  • Dariusz Kowalczyk

    Currently an invalid selector is generated:
    default_domainkey.example.com. 3600 TXT ….

    The correct one should look like this:
    default.domainkey.example.com. 3600 TXT ….

    • Florian Schaal Beitragsautor

      The dns-record is generated with the right settings. This bug affects only the dns-record in the mail-domain-settings and is displayed for information only. The dns-module creates proper dns-settings. I just fixed it in the git and will release a new version within this week.

    • Florian Schaal Beitragsautor

      Yes, the plugin is fully integrated in ISPConfig. You can run install.php on every server because an activated plugin will not be used if the server is neither a mail- nor a dns-server. Since there is a change in the database-structure to allow dkim-keys up to 4096 bytes, you should install the patch on every server.

      • Fran

        root@apc:/tmp# tar xfz dkim-latest_ispconfig3.tar.gz
        root@apc:/tmp# cd dkim-patch
        root@apc:/tmp/dkim-patch# php -q install.php
        updating amavis ()

        updating postfix

        error copying tag_as_foreign.re
        Aborting setup

        puf xD

        • Florian Schaal Beitragsautor

          This indicates that the installer was not able to make backups of the postfix-configs and/or was not able to run postconf. Maybe you ran out of memory / diskspace?

          • Raphael Lienard

            Hi Florian,
            thanks for your great script! I had the same issue as Fran and by checking the code of install.php I figured out the issue. I have a multi-server setup and I had to run the setup on both the mail and web server (I hope that I didn’t miss one).
            On the mail server, no problem, the setup was successful. On the web (ispconfig main) server, it didn’t work because there is neither amavis nor postfix installed. So I had to say ‘n’ when the prompt asked me about configuring postfix/amavis.
            In your code here is the error:
            $answer=rtrim(fgets(STDIN));
            if ($answer == '' || $answer == 'Y' || $answer = 'y') {
            This means that whatever you answer, $answer will be set to ‘y’. After correcting this I was able to install the patch correctly on my web server.

          • Christoph Kluge

            Raphael Lienard figured out one important point – as I am also running a multi-server setup without amavis/postfix on the web-servers and was looking for the issue.

            On multiple places within the install.php the last condition always overwrites the $answer variable to yes.

            if ($answer == '' || $answer == 'Y' || $answer = 'y') {
            vs
            if ($answer == '' || $answer == 'Y' || $answer == 'y') {
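The comparison bug Raphael and Christoph describe above, as an added PHP example that is not code from the patch’s install.php: the reported condition beside a corrected version, run over a set of constructed prompt answers. The function names are my own.

```php
<?php
// Added example, not code from the DKIM patch's install.php.
// Both functions take one line as read from the prompt (e.g. fgets(STDIN)).

// The condition exactly as it was reported in the thread. Its third operand
// is an assignment, not a comparison: `$answer = 'y'` evaluates to the
// truthy string 'y', so the whole condition is true for any input and
// $answer is silently overwritten with 'y'.
function confirmBuggy(string $line): bool
{
    $answer = rtrim($line);
    if ($answer == '' || $answer == 'Y' || $answer = 'y') {
        return true;   // reached for "n", "no", "quit" and everything else
    }
    return false;      // never reached
}

// Corrected version: strict comparison (===) against an explicit list of
// accepted answers, so a mistyped operator cannot reintroduce the bug and
// "n" really means no. Whitespace and a CRLF line end are trimmed first.
function confirmFixed(string $line): bool
{
    $answer = trim($line);
    return $answer === '' || in_array($answer, ['Y', 'y'], true);
}

// Constructed sample answers as they would arrive from fgets(): "" is the
// user just pressing Enter (default = yes).
$samples = ["\n", "Y\n", "y\n", "n\n", "no\n", "N\r\n"];
foreach ($samples as $line) {
    printf("%-8s buggy=%-5s fixed=%s\n",
        json_encode(rtrim($line, "\r\n")),
        var_export(confirmBuggy($line), true),
        var_export(confirmFixed($line), true));
}
```

The strict `===` plus `in_array(..., true)` form also avoids PHP’s loose-comparison surprises (`'' == null`, numeric strings) for the same price as the one-character fix.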

          • Florian Schaal Beitragsautor

            Thanks for the hint. But there is no need to install the patch on servers without postfix/amavis (as long as this is not the server with the interface)

  • Alex Williams

    Hi, I’m going to install your patch on our master server tomorrow I just have a quick question. Is it required that I also install this patch on our clustered server as well? I guess you do but just wanted to make sure first.

    Many thanks!

    • Florian Schaal Beitragsautor

      1. The latest version (1.1) requires a change in the database-fields to allow dkim-key-strength up to 4096. You must install the patch on every server or at least alter the database. But this page is for 1.0 so you must not alter the db but you should not install v1.0 with ispconfig 3.0.5.4p4
      2. You must activate the server-plugin on every mail-server.

      The easiest way is to run install.php on each server. It makes no difference if you change the ispconfig/interface-dir on a slave-server and you can also activate the dkim-server-plugin on a web-server but it will not be used.

  • Rudi

    Hi Florian, Thank you for this great patch. Installation of the latest patch (v1) on my fresh Debian/ISPConfig-3.0.5.4p3 was smooth, but “Generate DKIM Private-key” doesn’t do anything. What did I miss? OpenSSL and OpenDKIM are installed. Path is set to /var/lib/amavis/dkim/ and it’s owned by amavis.

    • Florian Schaal Beitragsautor

      Why did you use OpenDKIM? You should not use OpenDKIM and amavis to sign mails.

      Did you see nothing when clicking “create…”? In this case please check the error-log from your http-server.

      If you can’t see a dns-record but the key is created, you can ignore this (there is a bug regarding the dns-record when the domain-module is in use, so you will never see the dns-record in the mail-domain-settings).

      • Miguel

        I’m having the same problem as Rudi on my Debian 7/ISPConfig 3.0.5.4p8 server with external DNS.
        The install procedure went without any problem. DKIM path and strength are set at Server Config. The DKIM path is properly chmodded to 750. “Generate DKIM Private-key” does nothing and my apache2 error.log gets no new entry.

        After some fiddling I verified that mail_domain_dkim_create.php came back with ‘invalid key’ for and an empty so I tried, through a root session, both openssl commands from this php file and both returned what looked like proper results.

        Am I missing something? Thanks for any pointers.
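The key generation Miguel tested by hand above (the openssl commands in mail_domain_dkim_create.php), as an added PHP example that is not the patch’s own code: it creates an RSA key pair with PHP’s openssl extension and assembles the DNS TXT record for the public key. The selector `default` and domain `example.com` are placeholders and the function names are my own; the block assumes the openssl extension is loaded.

```php
<?php
// Added example, not code from the DKIM patch or from ISPConfig. Assumes the
// PHP openssl extension is available.

// Generate an RSA key pair of the requested strength. Returns the private
// and public key in PEM form; the private key is what amavis signs with and
// belongs outside the web root with restrictive permissions.
function generateDkimKeyPair(int $bits): array
{
    $key = openssl_pkey_new([
        'private_key_bits' => $bits,
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
    ]);
    if ($key === false) {
        throw new RuntimeException('openssl_pkey_new failed: ' . openssl_error_string());
    }
    $privatePem = '';
    if (!openssl_pkey_export($key, $privatePem)) {
        throw new RuntimeException('openssl_pkey_export failed');
    }
    $publicPem = openssl_pkey_get_details($key)['key'];
    return [$privatePem, $publicPem];
}

// Reduce the public key PEM to its base64 body; that body is the value of
// the p= tag in the DKIM record.
function pemToDkimP(string $publicPem): string
{
    $lines = preg_split('/\R/', trim($publicPem));
    $body  = array_filter($lines, function ($l) {
        return strpos($l, '-----') !== 0;   // drop BEGIN/END armour lines
    });
    return implode('', $body);
}

// Build the zone-file line for <selector>._domainkey.<domain>. A single TXT
// string may hold at most 255 bytes, and the p= value of a 2048-bit key is
// already longer than that, so the record is emitted as several quoted
// strings which resolvers concatenate.
function dkimTxtRecord(string $selector, string $domain, string $publicPem): string
{
    $value  = 'v=DKIM1; k=rsa; p=' . pemToDkimP($publicPem);
    $chunks = array_map(function ($c) {
        return '"' . $c . '"';
    }, str_split($value, 255));
    return sprintf('%s._domainkey.%s. 3600 IN TXT %s',
        $selector, $domain, implode(' ', $chunks));
}

// Placeholder selector and domain, constructed for this example.
[$privatePem, $publicPem] = generateDkimKeyPair(2048);
$record = dkimTxtRecord('default', 'example.com', $publicPem);

echo $record, "\n";
printf("p= value length: %d characters\n", strlen(pemToDkimP($publicPem)));
```

The length printed at the end is the reason the thread above talks about widening the database fields for stronger keys: the base64 p= value alone is roughly 392 characters for a 2048-bit key and roughly 736 for a 4096-bit key, far beyond a 255-character column, and the TXT value has to be split into 255-byte strings on the DNS side for the same reason.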

  • klamardo (@miguelpenagomez)

    DKIM fresh install or update

    In the Spanish language, showing the server options fails.

    fix .. line 162 $wb['realtime_blackhole_list_note_txt'] = '(Separar RBL's con comas)';

    remove “'” in RBL's

  • Lecquio

    When I install this patch I can’t access the ISPCONFIG server config, it keeps thinking for a couple of seconds and nothing happens.
    What could be the problem?

    • Florian Schaal Beitragsautor

      Did you download the patch as archive or did you use git? Maybe the es-language is broken. Please get the latest version from git.schaal-24.de

  • Florian Schaal Beitragsautor

    Did you set the dkim-dir in the interface to /etc/postfix/dkim, too?
    This error occurs when ispconfig is unable to write anything to the amavis-config (60-dkim or amavisd.conf). Can you post the full path to your amavis-config?

    • Toyin Alabi

      Thanks for the prompt response, I resolved this. On CentOS 6.5 amavisd.conf is in the folder /etc/amavisd/amavisd.conf but your dkim patch writes to the /etc/amavisd.confdkim file; the solution is a symbolic link:
      ln -s /etc/amavisd/amavisd.conf -> /etc/amavisd.confdkim

      However, I have another problem: postfix won’t send signed mail. A snippet of my maillog is

      Sep 12 04:38:49 server amavis[2697]: Amavis::ZMQ code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: Amavis::DB code loaded
      Sep 12 04:38:49 server amavis[2697]: SQL base code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: SQL::Log code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: SQL::Quarantine NOT loaded
      Sep 12 04:38:49 server amavis[2697]: Lookup::SQL code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: Lookup::LDAP code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: AM.PDP-in proto code loaded
      Sep 12 04:38:49 server amavis[2697]: SMTP-in proto code loaded
      Sep 12 04:38:49 server amavis[2697]: Courier proto code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: SMTP-out proto code loaded
      Sep 12 04:38:49 server amavis[2697]: Pipe-out proto code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: BSMTP-out proto code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: Local-out proto code loaded
      Sep 12 04:38:49 server amavis[2697]: OS_Fingerprint code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: ANTI-VIRUS code loaded
      Sep 12 04:38:49 server amavis[2697]: ANTI-SPAM code loaded
      Sep 12 04:38:49 server amavis[2697]: ANTI-SPAM-EXT code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: ANTI-SPAM-C code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: ANTI-SPAM-SA code loaded
      Sep 12 04:38:49 server amavis[2697]: Unpackers code loaded
      Sep 12 04:38:49 server amavis[2697]: DKIM code loaded
      Sep 12 04:38:49 server amavis[2697]: Tools code NOT loaded
      Sep 12 04:38:49 server amavis[2697]: Found $file at /usr/bin/file
      Sep 12 04:38:49 server amavis[2697]: Found $altermime at /usr/bin/altermime
      Sep 12 04:54:46 server postfix/smtpd[3867]: NOQUEUE: filter: RCPT from localhost[127.0.0.1]: : Sender address triggers FILTER amavis:[127.0.0.1]:10026; from= to= proto=ESMTP helo=
      Sep 12 12:52:18 server postfix/qmgr[28612]: warning: private/amavis socket: malformed response
      Sep 12 12:02:18 server
      Sep 10 01:26:08 server postfix/error[3558]: EC0236640692: to=, relay=none, delay=938, delays=937/0.2/0/0.07, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
      postfix/error[3039]: 2FA3066406F6: to=, relay=none, delay=67586, delays=67585/1/0/0.21, dsn=4.3.0, status=deferred (mail transport unavailable)

      result of netstat -tap

      tcp 0 0 localhost:10024 *:* LISTEN 2697/amavisd (maste
      tcp 0 0 localhost:10025 *:* LISTEN 28609/master
      tcp 0 0 localhost:10026 *:* LISTEN 2697/amavisd (maste
      tcp 0 0 *:mysql *:* LISTEN 1702/mysqld

      Thanks for your help

        • Florian Schaal Beitragsautor

          ISPConfig never writes to amavisd.confdkim. This is a backup of your old config created by the installer. Your amavis-config can’t be a symlink. Everything besides the installer 😉 works on centos 6.5 (I just installed centos). Please add the content from amavis.conf.dkim (from the archive or git) manually to your amavis-config. You can also get the latest version from git and run install.php again.

  • Toyin Alabi

    My Server is set up with Centos 6.5 and ISPCONFIG 3.0.5.4. I followed your tutorial here for the DKIM patch, but I have these errors in the ispconfig log file: ERROR – Unable to add DKIM Private-key for xxxxx.com to amavis-config. Also no dkim keys are created in the /etc/postfix/dkim folder. amavisd dkim is loaded with these messages 11 03:22:03 server opendkim[1970]: 2566F66406E7: DKIM verification successful
    Sep 11 05:06:28 server opendkim[1970]: 4453D66406E4: DKIM verification successful
    Sep 11 09:02:42 server opendkim[1970]: 00A7466406E8: DKIM verification successful
    Sep 11 15:12:37 server amavis[23438]: Module Mail::DKIM::Signer 0.37
    Sep 11 15:12:37 server amavis[23438]: Module Mail::DKIM::Verifier 0.37
    Sep 11 15:12:37 server amavis[23438]: DKIM code loaded

    the folder /etc/postfix/dkim was created and set up in ispconfig server config mail