VestaCP DKIM setup using external DNS

Discussion in 'Questions and Answers' started by thekreek, May 8, 2014.

  1. thekreek

    thekreek Member

    May 17, 2013
    Currently I'm trying to set up a VPS with VestaCP.

    My current setup is:

    Domain name: mxweb.info

    Main dns: dns.he.net

    VPS 1 (alpha.mxweb.info):

    CentOS 6.5 - 32bit

    VPS 2 (zhor.mxweb.info):

    CentOS 6.5 - 32bit

    My problem:

    The main VPS (alpha.mxweb.info) is not passing the DKIM tests, and all the email I send to Hotmail ends up in the junk folder.

    The bind zone file (from VestaCP) has the following settings:


    $TTL 14400
    @ IN SOA ns1.localhost.ltd. root.alpha.mxweb.info. (
    2014050703
    7200
    3600
    1209600
    180 )

    @ 14400 IN NS ns1.localhost.ltd.
    @ 14400 IN NS ns2.localhost.ltd.
    @ 14400 IN A 107.170.239.57
    mail 14400 IN A 107.170.239.57
    www 14400 IN A 107.170.239.57
    pop 14400 IN A 107.170.239.57
    ftp 14400 IN A 107.170.239.57
    @ 14400 IN MX 10 mail.alpha.mxweb.info.
    @ 14400 IN TXT "v=spf1 a mx ip4:107.170.239.57 ?all"
    _domainkey 14400 IN TXT "t=y; o=~;"
    mail._domainkey 14400 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"

    And my setup in he.net is the following:


    NAME TYPE TTL PRIORITY DATA
    mxweb.info SOA 86400 - ns1.he.net. hostmaster.he.net. 2014050731 10800 1800 604800 86400
    mxweb.info NS 300 - ns1.he.net
    mxweb.info NS 300 - ns2.he.net
    mxweb.info NS 300 - ns3.he.net
    mxweb.info NS 300 - ns5.he.net
    mxweb.info NS 300 - ns4.he.net
    alpha.mxweb.info A 300 - 107.170.239.57
    mail.alpha.mxweb.info A 300 - 107.170.239.57
    mxweb.info A 300 - 23.252.115.166
    alpha.mxweb.info MX 300 10 alpha.mxweb.info
    alpha.mxweb.info SPF 300 - v=spf1 a mx ip4:107.170.239.57 ?all
    www.alpha.mxweb.info CNAME 300 - alpha.mxweb.info
    alpha.mxweb.info TXT 300 - _domainkey IN TXT t=y;o=~;
    mail._domainkey.alpha.mxweb.info TXT 300 - "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"


    Also my test from verifier.port25.com gives me this result on the DKIM test


    DKIM check details:
    ----------------------------------------------------------
    Result: permerror (key "mail._domainkey.alpha.mxweb.info" doesn't exist)
    ID(s) verified:
    Canonicalized Headers:
    message-id:<[email protected]>'0D''0A'
    from:[email protected]'0D''0A'
    date:Wed,'20'07'20'May'20'2014'20'21:39:26'20'-0700'0D''0A'
    mime-version:1.0'0D''0A'
    subject:'0D''0A'
    to:[email protected]'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=alpha.mxweb.info;'20's=mail;'20'h=Message-ID:From:Date:MIME-Version:Subject:To;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;

    Canonicalized Body:

    DNS record(s):
    mail._domainkey.alpha.mxweb.info. TXT (NXDOMAIN)

    I already rebuilt the DKIM keys with a key length of 1024 using the command "v-add-mail-domain-dkim %user% %domain% %key-length%" and restarted bind, without a good result.

    My objective is:

    Build a DNS cluster using both VPS and host a couple of domains I have.

    Point the hosted domains to each VPS and be able to send emails without problems

    Any suggestions for fixing this email issue?

    P.S. sorry for the long post, I tried to post as much info as possible
     
  2. sv01

    sv01 Slow but sure

    May 17, 2013
    Have you tried sending to Gmail? I prefer testing using Gmail; I often get false reports from verifier.port25.com.

    After changing the config file, did you remember to restart the mail services?

    Edit:

    The DKIM key should look like this:


    v=DKIM1\; k=rsa\; t=y\;p=MIGfMA0qGSIb3DQEBAQUAA4GNADCBiQKBgQCofhyElagDdZB045HXRMriBN+ZDXMma6+fccJo/50GinxwOxS5JtiHQOX73b4v8KWWhBalUrzn88Bb1CGSij97yTMHGDS7zTm/kLh5t3SlSKpskyEdlBif5qlncN7aFJLwGYnnDuPiI4kSrU1CQAB
    You are missing v=DKIM1\;
     
    Last edited by a moderator: May 8, 2014
  3. thekreek

    thekreek Member

    May 17, 2013
    Hi @sv01, I added the "v=DKIM1\;" and I still fail the DKIM test; I already restarted exim and bind.

    The answer I get is this


    DomainKeys check details:
    ----------------------------------------------------------
    Result: neutral (message not signed)
    ID(s) verified: [email protected]
    DNS record(s):

    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result: fail (signature doesn't verify)
    ID(s) verified:
    Canonicalized Headers:
    message-id:<[email protected]>'0D''0A'
    from:[email protected]'0D''0A'
    date:Thu,'20'08'20'May'20'2014'20'21:24:56'20'-0700'0D''0A'
    mime-version:1.0'0D''0A'
    subject:'0D''0A'
    to:[email protected]'0D''0A'
    dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=alpha.mxweb.info;'20's=mail;'20'h=Message-ID:From:Date:MIME-Version:Subject:To;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;

    Canonicalized Body:

    DNS record(s):
    mail._domainkey.alpha.mxweb.info. 179 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"

    Public key used for verification: mail._domainkey.alpha.mxweb.info (1024 bits)

    Any more suggestions?
     
  4. jarland

    jarland The ocean is digital

    Apr 4, 2013
    This will spit out the DKIM key DNS entry:

    /usr/local/vesta/bin/v-list-mail-domain-dkim-dns

    Problem is, the way it outputs it won't work in your DNS. Now I'm no DKIM expert, I'm really just now getting into it, but I edited this file on mxroute to output the exact DNS entry that a client could add to their DNS that would pass the test. Here's the code for the file:

    http://sprunge.us/jbLb

    After that, I coded a quick little script for the Catalyst master server so Ryan & Don could pull a DKIM key for anyone for MXroute if a ticket was opened while I wasn't around:


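    #!/bin/bash
    # Usage: dkim domainname
    domain=${1:?Usage: dkim domainname}
    # The argument is expanded into a remote shell command, so accept only hostname characters.
    [[ $domain =~ ^[A-Za-z0-9.-]+$ ]] || { echo "invalid domain: $domain" >&2; exit 1; }
    user=$(ssh [email protected] "/usr/local/vesta/bin/v-search-domain-owner $domain")
    ssh [email protected] "/usr/local/vesta/bin/v-list-mail-domain-dkim-dns $user $domain"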

    The result was:


    [email protected]:~$ dkim jarland.me
    mail._domainkey 3600 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0xV1NRp5dEcBG0f8WQBTtRHSIjwJx7Qzvh7uwD6XYGkHhQUYfzhj+0s/heNCgUaWKgaRheN8+wDrNm6VpGo/3ZUylWpEReE3GmS1ir/rbBjfNLxTBYUl9qVTo9F2iJ1n1qU2DeJaAAWGzwaqfBdVZVr1D9h6jdJVGLx3wAf+mjQIDAQAB"

    Take it as you will, that's just my setup and how I overcame the problem. It's a bit more than you need but I always like to share.
     
    Last edited by a moderator: May 10, 2014
    matt[scrdspd] and HalfEatenPie like this.
  5. nikoskip

    nikoskip New Member

    Jul 11, 2017
    I know this is a really old post, but I had a similar problem. I installed VestaCP without the DNS server and even if I set the "DKIM Support" option, the public key wasn't being generated, so I generated it myself with:

    Code:
    # /home/admin/conf/mail/your_domain.com
    openssl rsa -in dkim.pem -out dkim.public.pem -pubout -outform PEM
    
    Next I used the exact content of the public key and set it up on my own DNS server.

    Hope this can help someone!
     
    ayoube ritouni likes this.
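An added example (not from the thread and not VestaCP code) of turning the `dkim.public.pem` produced by the openssl command above into a TXT record for an external DNS host: it refuses a private key, strips the PEM armour, and splits values longer than 255 bytes into several quoted strings. The function name, `example.com` and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VestaCP code. Function name and sample key are constructed.

# Usage: pem_to_dkim_txt SELECTOR DOMAIN < dkim.public.pem
# Prints the TXT record at the name a verifier queries for s=SELECTOR, d=DOMAIN.
pem_to_dkim_txt() {
    selector=$1
    domain=$2
    pem=$(cat)

    # dkim.pem is the private signing key; only the -pubout file belongs in DNS.
    case $pem in
        *"PRIVATE KEY"*)
            echo "refusing: input is a private key" >&2
            return 1 ;;
    esac

    # Drop the BEGIN/END armour lines and all whitespace to get the p= value.
    b64=$(printf '%s\n' "$pem" | grep -v -e '-----' | tr -d ' \t\r\n')
    case $b64 in
        '' | *[!A-Za-z0-9+/=]*)
            echo "input is not a PEM public key" >&2
            return 1 ;;
    esac

    # One TXT character-string holds at most 255 bytes, so a longer value
    # (for example a 2048-bit key) is split into several quoted strings,
    # which verifiers concatenate without separators.
    record="v=DKIM1; k=rsa; p=$b64"
    chunks=""
    while [ -n "$record" ]; do
        chunks="$chunks \"$(printf '%s' "$record" | cut -c1-255)\""
        record=$(printf '%s' "$record" | cut -c256-)
    done
    printf '%s._domainkey.%s. IN TXT (%s )\n' "$selector" "$domain" "$chunks"
}

# Constructed placeholder input, not a real key.
SAMPLE_PEM='-----BEGIN PUBLIC KEY-----
Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtS0VZ
LUZPUi1UQkUtRVhBTVBMRQ==
-----END PUBLIC KEY-----'

printf '%s\n' "$SAMPLE_PEM" | pem_to_dkim_txt mail example.com
```

In a web DNS form that takes name and value separately, the name is the part before `IN TXT` and the value is the quoted string or strings.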
  6. ayoube ritouni

    ayoube ritouni New Member

    Dec 25, 2017
    Thanks a lot ' nikoskip ' it worked for me