VestaCP DKIM setup using external DNS

thekreek

Member
Currently I'm trying to setup a VPS with VestaCP

My current setup is:

Domain name: mxweb.info

Main dns: dns.he.net

VPS 1 (alpha.mxweb.info):

CentOS 6.5 - 32bit

VPS 2 (zhor.mxweb.info):

CentOS 6.5 - 32bit

My problem:

The main VPS (alpha.mxweb.info) is not passing the DKIM test's and all the email I sent to hotmail ends up in the junk folder.

The bind zone file (from VestaCP) has the following settings:


$TTL 14400
@ IN SOA ns1.localhost.ltd. root.alpha.mxweb.info. (
2014050703
7200
3600
1209600
180 )

@ 14400 IN NS ns1.localhost.ltd.
@ 14400 IN NS ns2.localhost.ltd.
@ 14400 IN A 107.170.239.57
mail 14400 IN A 107.170.239.57
www 14400 IN A 107.170.239.57
pop 14400 IN A 107.170.239.57
ftp 14400 IN A 107.170.239.57
@ 14400 IN MX 10 mail.alpha.mxweb.info.
@ 14400 IN TXT "v=spf1 a mx ip4:107.170.239.57 ?all"
_domainkey 14400 IN TXT "t=y; o=~;"
mail._domainkey 14400 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"

And my setup in he.net is the following:


NAME TYPE TTL PRIORITY DATA
mxweb.info SOA 86400 - ns1.he.net. hostmaster.he.net. 2014050731 10800 1800 604800 86400
mxweb.info NS 300 - ns1.he.net
mxweb.info NS 300 - ns2.he.net
mxweb.info NS 300 - ns3.he.net
mxweb.info NS 300 - ns5.he.net
mxweb.info NS 300 - ns4.he.net
alpha.mxweb.info A 300 - 107.170.239.57
mail.alpha.mxweb.info A 300 - 107.170.239.57
mxweb.info A 300 - 23.252.115.166
alpha.mxweb.info MX 300 10 alpha.mxweb.info
alpha.mxweb.info SPF 300 - v=spf1 a mx ip4:107.170.239.57 ?all
www.alpha.mxweb.info CNAME 300 - alpha.mxweb.info
alpha.mxweb.info TXT 300 - _domainkey IN TXT t=y;o=~;
mail._domainkey.alpha.mxweb.info TXT 300 - "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"


Also my test from verifier.port25.com gives me this result on the DKIM test


DKIM check details:
----------------------------------------------------------
Result: permerror (key "mail._domainkey.alpha.mxweb.info" doesn't exist)
ID(s) verified:
Canonicalized Headers:
message-id:<[email protected]>'0D''0A'
from:[email protected]'0D''0A'
date:Wed,'20'07'20'May'20'2014'20'21:39:26'20'-0700'0D''0A'
mime-version:1.0'0D''0A'
subject:'0D''0A'
to:[email protected]'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=alpha.mxweb.info;'20's=mail;'20'h=Message-ID:From:Date:MIME-Version:Subject:To;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;

Canonicalized Body:

DNS record(s):
mail._domainkey.alpha.mxweb.info. TXT (NXDOMAIN)

I already rebuild the DKIM keys to a key lenght of 1024 using the command " v-add-mail-domain-dkim %user% %domain% %key-length% " and restarting bind, without a good result.

My objective is:

Build a DNS cluster using both VPS and host a couple of domains I have.

Point the hosted domains to each VPS and be able to send emails without problems

Any suggestions for fixing this email issue?

P.S. sorry for the long post, I tried to post as much info as possible
 

sv01

Slow but sure
have you try sending to gmail? I prefer testing using gmail, I often get false report from verifier.port25.com.

After changing file config did you remember to restart mail services?

edit : 

DKIM key should like this 


v=DKIM1\; k=rsa\; t=y\;p=MIGfMA0qGSIb3DQEBAQUAA4GNADCBiQKBgQCofhyElagDdZB045HXRMriBN+ZDXMma6+fccJo/50GinxwOxS5JtiHQOX73b4v8KWWhBalUrzn88Bb1CGSij97yTMHGDS7zTm/kLh5t3SlSKpskyEdlBif5qlncN7aFJLwGYnnDuPiI4kSrU1CQAB
you miss v=DKIM1\; 
 
Last edited by a moderator:

thekreek

Member
Hi @sv01 I added the " v=DKIM1\; " and still I get failed on the DKIM tested, already restarted exim and bind.

The answer I get is this


DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: fail (signature doesn't verify)
ID(s) verified:
Canonicalized Headers:
message-id:<[email protected]>'0D''0A'
from:[email protected]'0D''0A'
date:Thu,'20'08'20'May'20'2014'20'21:24:56'20'-0700'0D''0A'
mime-version:1.0'0D''0A'
subject:'0D''0A'
to:[email protected]'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=alpha.mxweb.info;'20's=mail;'20'h=Message-ID:From:Date:MIME-Version:Subject:To;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;

Canonicalized Body:

DNS record(s):
mail._domainkey.alpha.mxweb.info. 179 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDlmqgXuuHLd2bCDjtQx+hCDneR5wfat/VdH6XNVluEZRRTYUaV1JKw9u9GsWeA6htf7L5ICu2VDGz3fL7llQDyGeERhWGocQhSJbVWm7F1QguwKDUvqt4y99W9W/4irQC7AYxjXi0QIXSaWAJwf4ES4QvmLrKain0i2fRT1oBYdQIDAQAB"

Public key used for verification: mail._domainkey.alpha.mxweb.info (1024 bits)

Any more suggestions?
 

jarland

The ocean is digital
This will spit out the DKIM key DNS entry:

/usr/local/vesta/bin/v-list-mail-domain-dkim-dns

Problem is, the way it outputs it won't work in your DNS. Now I'm no DKIM expert, I'm really just now getting into it, but I edited this file on mxroute to output the exact DNS entry that a client could add to their DNS that would pass the test. Here's the code for the file:

http://sprunge.us/jbLb

After that, I coded a quick little script for the Catalyst master server so Ryan & Don could pull a DKIM key for anyone for MXroute if a ticket was opened while I wasn't around:


#!/bin/bash
# Usage: dkim domainname
user=$(ssh [email protected] "/usr/local/vesta/bin/v-search-domain-owner $1")
ssh [email protected] "/usr/local/vesta/bin/v-list-mail-domain-dkim-dns $user $1"

The result was:


[email protected]:~$ dkim jarland.me
mail._domainkey 3600 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0xV1NRp5dEcBG0f8WQBTtRHSIjwJx7Qzvh7uwD6XYGkHhQUYfzhj+0s/heNCgUaWKgaRheN8+wDrNm6VpGo/3ZUylWpEReE3GmS1ir/rbBjfNLxTBYUl9qVTo9F2iJ1n1qU2DeJaAAWGzwaqfBdVZVr1D9h6jdJVGLx3wAf+mjQIDAQAB"

Take it as you will, that's just my setup and how I overcame the problem. It's a bit more than you need but I always like to share.
 
Last edited by a moderator:

nikoskip

New Member
I know this is a really old post, but I had a similar problem. I installed VestaCP without the DNS server and even if I set the "DKIM Support" option, the public key wasn't being generated, so I generated it my self with:

Code:
# /home/admin/conf/mail/your_domain.com
openssl rsa -in dkim.pem -out dkim.public.pem -pubout -outform PEM
Next I used the exact content of the public key and set it up on my own DNS server.

Hope this can help someone!
 
Top