Issue DKIM enabled, yet email is not signed

[stefanoostwegel]

So, i have found this KB article:
DKIM does not work: This message does not contain a DKIM Signature

My symptom is that DKIM is configured correctly, yet i keep getting the error:
This message does not contain a DKIM Signature
when using the validator at dkimvalidator.com.

So the only possible solution is the firewall according to this topic.
Does anyone know what rule i have to add or remove from my plesk firewall to solve this?

 

[AYamshanov]

Hi stefanoostwegel,

Could you provide more information about your issue? As an example, headers from an outgoing email, some DKIM-settings, output of the `dig` command with TXT-record for the DKIM as provided in KB. Do you use DNS hosting on Plesk or a domain hosts on external services?

 

[stefanoostwegel]

Hello, thnx for your response!

I use DNS on my plesk installation.

Here is the original message:

Received: from stefanoostwegelfotografie.nl (oostwegelservices.org [77.72.149.191])
by relay-3.us-west-2.relay-prod (Postfix) with ESMTPS id A26F126AD1
for <scCIiE89TMRYmC@dkimvalidator.com>; Wed, 3 Oct 2018 09:13:56 +0000 (UTC)
Received: from webmail.oostwegel.org (localhost [IPv6:::1])
by oostwegelservices.org (Postfix) with ESMTPSA id B8BC4291FE
for <scCIiE89TMRYmC@dkimvalidator.com>; Wed, 3 Oct 2018 11:13:54 +0200 (CEST)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="=_a843d7d270869f38ec5a1c5df7f97fe3"
Date: Wed, 03 Oct 2018 11:13:54 +0200
From: Stefan Oostwegel | Fotografie <info@stefanoostwegelfotografie.nl>
To: scCIiE89TMRYmC@dkimvalidator.com
Subject: test
Message-ID: <f284c65d801e457cea8dc48f63a2cd2d@stefanoostwegelfotografie.nl>
X-Sender: info@stefanoostwegelfotografie.nl
User-Agent: Roundcube Webmail/1.3.6

--=_a843d7d270869f38ec5a1c5df7f97fe3
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII

test
--=_a843d7d270869f38ec5a1c5df7f97fe3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<p>test</p>

</body></html>

[root@XX_DOMAIN_XX~]# dig TXT _domainkey.stefanoostwegelfotografie.nl @ns.stefanoostwegelfotografie.nl. +short
"o=-"

 

[stefanoostwegel]

Other DKIM settings are displayed in attached images

 

[AYamshanov]

hmm...
Could you please check a maillog on the server, is there any information about this message to dkimverificator? Did you execute `plesk repair mail` on the server via SSH?

 

[stefanoostwegel]

i exceuted the repair, but it didnt change.
I found this in my log, could this be worth anythign?
postfix/smtpd[9251]: warning: connect to Milter service inet:127.0.0.1:8891: Connection refused

 

[AYamshanov]

Could you provide information about an exact version of Plesk and operation system? Did you do some customisations of mail settings manually in configs? Do you use any extension for mail service in Plesk?

Did you see KB: Mail cannot be sent: Connect to Milter service inet:127.0.0.1:8891: Connection refused, 451 4.7.1 Service unavailable ?

 

[stefanoostwegel]

Hmm i had two milters defined, so i changed it like the example prescribed.
I did not have any luck though, still no DKIM signing.

Here are the OS information:
OS ‪CentOS 6.10 (Final)‬
Product Plesk Onyx
Version 17.8.11 Update #22, last updated on Sept 25, 2018 09:52 AM

 

[stefanoostwegel]

Oh, and other then roundcube i have no mail services configured

 

[AYamshanov]

hm...

I have tried to send an email message through RoundCube and seen the next messages in maillog:

Oct 3 18:26:57 ppu17-8 postfix/smtpd[8065]: connect from localhost[::1]
Oct 3 18:26:57 ppu17-8 postfix/smtpd[8065]: 612C46803C4E: client=localhost[::1], sasl_method=PLAIN, sasl_username=admin@ppu17-8.xxx.yyy
Oct 3 18:26:57 ppu17-8 postfix/cleanup[8070]: 612C46803C4E: message-id=<2e62b89cabf6522e1d04330760d136c6@ppu17-8.xxx.yyy>
Oct 3 18:26:57 ppu17-8 check-quota[8073]: Starting the check-quota filter...
Oct 3 18:26:57 ppu17-8 /usr/lib64/plesk-9.0/psa-pc-remote[25748]: handlers_stderr: SKIP
Oct 3 18:26:57 ppu17-8 /usr/lib64/plesk-9.0/psa-pc-remote[25748]: SKIP during call 'check-quota' handler
Oct 3 18:26:57 ppu17-8 spf[8075]: Starting the spf filter...
Oct 3 18:26:57 ppu17-8 spf[8075]: SPF status: PASS
Oct 3 18:26:57 ppu17-8 /usr/lib64/plesk-9.0/psa-pc-remote[25748]: handlers_stderr: PASS
Oct 3 18:26:57 ppu17-8 /usr/lib64/plesk-9.0/psa-pc-remote[25748]: PASS during call 'spf' handler
Oct 3 18:26:57 ppu17-8 dk_sign[8076]: Starting the dk_sign filter...
Oct 3 18:26:57 ppu17-8 /usr/lib64/plesk-9.0/psa-pc-remote[25748]: handlers_stderr: PASS
Oct 3 18:26:57 ppu17-8 /usr/lib64/plesk-9.0/psa-pc-remote[25748]: PASS during call 'dd51-domainkeys' handler
Oct 3 18:26:57 ppu17-8 postfix/qmgr[3195]: 612C46803C4E: from=<admin@ppu17-8.xxx.yyy>, size=615, nrcpt=1 (queue active)
Oct 3 18:26:57 ppu17-8 postfix/smtpd[8065]: disconnect from localhost[::1]

As I send an email to a nonexistent email address, I can open it from tab "Mail Queue" in Plesk:

Received: from webmail.ppu17-8..xxx.yyy (localhost [IPv6:::1])
by ppu17-8.xxx.yyy (Postfix) with ESMTPSA id 612C46803C4E
for <nonexistent@nonexistent.email>; Wed, 3 Oct 2018 18:26:57 +0600 (NOVT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=ppu17-8.xxx.yyy; s=default; t=1538569617;
bh=3g7dCsSnBa/3DzRzTpCh0KHYt2q+S7U/Pqk0vBBbOxc=; l=7;
h=From:To:Subject;
b=TbteWPYN0k+X/vmFP17Y8ASg8fy47U5LdjGSRTruOf9Dlgdg1btBbzIH85fdsXfPd
lf0LEEp+zXuBPiW54zGLTUcEqKOYEfVjsTW5XtYweNTUCm5bGwQwL5qJACm6++G5On
+z2sx++1vHj8t+23iRl3WB6lD4e02JkycefmZc90=
Authentication-Results: ppu17-8.xxx.yyy;
spf=pass (sender IP is ::1) smtp.mailfrom=admin@ppu17-8.xxx.yyy smtp.helo=webmail.ppu17-8.xxx.yyy
Received-SPF: pass (ppu17-8.xxx.yyy: connection is authenticated)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 03 Oct 2018 19:26:57 +0700
From: admin@ppu17-8.xxx.yyy
To: nonexistent@nonexistent.email
Subject: test
Message-ID: <2e62b89cabf6522e1d04330760d136c6@ppu17-8.xxx.yyy>
X-Sender: admin@ppu17-8.xxx.yyy
User-Agent: Roundcube Webmail/1.3.6

Could you compare your logs with mine and say, what is differs? Do you see a message from "spf filter" and "dk_sign filter"?

 

[stefanoostwegel]

Still no change...
This is my log:

Oct 3 15:25:43 oostwegelhosting courier-imaps: LOGIN, user=info@stefanoostwegelfotografie.nl, ip=[::1], port=[34516], protocol=IMAP
Oct 3 15:25:43 oostwegelhosting courier-imaps: LOGOUT, user=info@stefanoostwegelfotografie.nl, ip=[::1], headers=16109, body=0, rcvd=334, sent=31719, time=0, starttls=1
Oct 3 15:25:43 oostwegelhosting postfix/smtp[11324]: 83C202920E: to=<XFUpeef056cFsg@dkimvalidator.com>, relay=31045262.in1.mandrillapp.com[54.245.105.146]:25, delay=2.1, delays=0.1/0.02/1.6/0.37, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 54CF426AFE)
Oct 3 15:25:43 oostwegelhosting postfix/qmgr[10811]: 83C202920E: removed
Oct 3 15:25:44 oostwegelhosting courier-imaps: Connection, ip=[::1]
Oct 3 15:25:44 oostwegelhosting courier-imaps: LOGIN, user=info@stefanoostwegelfotografie.nl, ip=[::1], port=[34518], protocol=IMAP
Oct 3 15:25:44 oostwegelhosting courier-imaps: LOGOUT, user=info@stefanoostwegelfotografie.nl, ip=[::1], headers=0, body=0, rcvd=134, sent=1024, time=0, starttls=1
Oct 3 15:25:59 oostwegelhosting plesk_saslauthd[11216]: select timeout, exiting
Oct 3 15:26:15 oostwegelhosting postfix/smtpd[11206]: connect from unknown[185.234.219.24]
Oct 3 15:26:15 oostwegelhosting postfix/smtpd[11206]: warning: connect to Milter service inet:127.0.0.1:12768: Connection refused

 

[stefanoostwegel]

Now this could be interesting:

Oct 3 15:35:57 oostwegelhosting dk_check[12327]: Starting the dk_check filter...
Oct 3 15:35:57 oostwegelhosting dk_check[12327]: DKIM verify result: Message is not signed
Oct 3 15:35:57 oostwegelhosting dmarc[12329]: Starting the dmarc filter...
Oct 3 15:35:57 oostwegelhosting dmarc[12329]: SPF record was not found in Authentication-Results:

[edit]
in retrospect, it could have been this command:
for domain in $(plesk db -Ne 'SELECT name FROM domains WHERE parentDomainId=0;'); do plesk bin domain_pref --update $domain -sign_outgoing_mail true; done

[/edit]