
Domain Keys Problem & server health extension

KamalG

Basic Pleskian
My server details are as follows :

Version
Parallels Plesk v12.0.18_build1200140606.15 os_CentOS 6
OS
CentOS 6.5 (Final)

My DNS has the following settings
domainkey.mydomain.com. TXT o=-
default._domainkey.mydomain.com. TXT p=Key

==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham

DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: [email protected]
DNS record(s):

I have used all the following commands

# /usr/local/psa/bin/mailserver --sign-outgoing-mail false
# /usr/local/psa/bin/mailserver --sign-outgoing-mail true

Also tried the following command
/usr/local/psa/bin/domain_pref -u mydomainname -sign_outgoing_mail true

Also I installed the server health extension
it doesn't show anything in the home page.

Kindly help
 
Since you are using DKIM too, what do you have for ...

Code:
milter_protocol = 2

It needs to be

Code:
milter_protocol = 6

in /etc/postfix/main.cf

Working DKIM + DomainKeys settings are currently..

Code:
# DKIM & DomainKeys
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:12768, inet:127.0.0.1:12345
non_smtpd_milters = inet:127.0.0.1:12345

Where inet:127.0.0.1:12345 is DKIM.

I hope that helps

Kind regards

Lloyd
 
Thank you very much for your kind reply,

I am now getting the following :
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: fail
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham


DomainKeys check details:
----------------------------------------------------------
Result: fail (bad signature)

The Signature is same as the DKIM

my dns has
_domainkey.mydomain.com. o=-

default._domainkey.mydomain.com. p=code

Setup, kindly help.
 
Hmm I'm set up to use different keys for DKIM and DK's to avoid permission issues - in testing I found that the private keys needed to be owned by opendkim only, to stop "insecure key" notice when restarting opendkim.

I notice now that you are on CentOS, my setup is on Ubuntu, so maybe there are some differences.

What do the mail logs show?
 
They don't show any permission errors, both domain keys and dkim are being signed but the only problem is
DomainKeys check details:
----------------------------------------------------------
Result: fail (bad signature)

I checked the mail source in gmail and outlook the domain key is there.
 
That was going to be my next question - are they both in the actual header and ... signed by the correct domain's key.

But since the DKIM is fine it really doesn't make sense that the DK isn't.

Anyone else have any ideas?
 
I have now used the option to sign domain keys from the domain mail settings, and now it's working. The Mail Server Setting in Tools doesn't work. Manually adding the domain keys didn't work. I checked, and the DNS TXT records were added automatically.
 
Everything is working, but the emails still land in the Junk folder in Hotmail; Gmail and Yahoo are OK. I have a forum and a gaming website which require email verification before accounts can be active.

Most of the users just register and never activate. Is there any way my emails could land properly in the Hotmail inbox? I have checked my IP address and host against blacklists and they are not listed. Kindly help.
 
What does it say in the outlook.com headers?

I remember one job where SPF was passing on gmail, but not outlook because they had added a full stop at the end of the spf record. mxtoolbox and gmail passed it but outlook.com failed it.
Probably not related, but that's what sprang to mind.

Like I said what does the outlook.com header look like?
 
Here is my Outlook Header
Code:
x-store-info:4r51+eLowCe79NzwdU2kRyU+pBy2R9QCDI9u8Kc1JemQQ0uTsugt9h3qS5ALRnjDoz+mY4pVUIXew1iTsyGap19xP2S0KcOC+TBG9uzOh1a3cujhLR36P/EHouOL8R4vE1y0nnIh74k=
Authentication-Results: hotmail.com; spf=pass (sender IP is domain ip) [email protected]; dkim=pass header.d=mydomain.com; x-hmca=pass [email protected]
X-SID-PRA: [email protected]
X-AUTH-Result: PASS
X-SID-Result: PASS
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtHRD0yO1NDTD02
X-Message-Info: 11chDOWqoTmodjNiZZRwFgc6BsGbvv4YDvnwfs8TE4YNVdxRP6JL3YC3COhBY4pKuuPGGTHW97qa6eykXWRskRk8WmZpN/GWNhYwHG8d4EMtTwksw5GdJwPX29yRPuQr8qXSzM/XeAff6SAlW+ccbFX9hqzGxsKMJqadNlO2NHrr6gaL+wIRVTKoaI0NxJcyr42dgpQXg2hpBby+/unsHTWdTfjvQ5h7
Received: from server.mydomain.com ([mydomain ip]) by SNT004-MC1F37.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22712);
	 Thu, 24 Jul 2014 06:33:07 -0700
Received: from webmail.mydomain.com (localhost [127.0.0.1])
	by server.mydomain.com (Postfix) with ESMTPA id 28B2B1110051A
	for <[email protected]>; Thu, 24 Jul 2014 19:18:06 +0545 (NPT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws;
  s=default; d=mydomain.com;
  b=RE1lKf8W7cTCFNYFr3guUU1ccz7UGRxoPzCLqslrs7HrTaGgJSAEcOHDGbV4sz8gvmzupAC6106Qt/o53oVNpwqa+JlcdCCFAtQN0SOJ3pFrRdZDE22Uvib1rfhdeCKse0KEXBHUUkFGJl1FXRZH3p5CD6uKUBEFWNX5Dchn8I=;
  h=DKIM-Signature:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:To:Subject:Organization:Reply-To:Mail-Reply-To:Message-ID:X-Sender:User-Agent;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;
	s=mail; t=1406208786;
	bh=DDijYCrRMtAyreBtIB6n5SO06ks3/wK0MWT1/zQCWqE=;
	h=Date:From:To:Subject:Reply-To;
	b=OUi2tklCIHlvBZU5aE4uQ0Dm04V0r9K/j7o8fYt+Y7NCjIKSjGkuqjpJCWkSQR+o
	 8U6Oe0ir9MsNwH+31RQ9xd+Sf9wgUhIw4C0akTPkfj7Zw+LGnQaiVEDYs2INWzw09q
	 gNyuMt/T4uiEv0CEC0R9jJT+BYugOqEh4BlFsD04=
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 24 Jul 2014 19:18:06 +0545
From: Admin <[email protected]>
To: [email protected]
Subject: DKIM Test
Organization: Organization Name
Reply-To: [email protected]
Mail-Reply-To: [email protected]
Message-ID: <[email protected]>
X-Sender: [email protected]
User-Agent: Roundcube Webmail/1.0.0
Return-Path: [email protected]
X-OriginalArrivalTime: 24 Jul 2014 13:33:08.0186 (UTC) FILETIME=[CE3E23A0:01CFA743]


Gmail Header
Code:
Delivered-To: [email protected]
Received: by 10.140.28.102 with SMTP id 93csp275371qgy;
        Thu, 24 Jul 2014 06:31:59 -0700 (PDT)
X-Received: by 10.180.182.167 with SMTP id ef7mr35269593wic.44.1406208718424;
        Thu, 24 Jul 2014 06:31:58 -0700 (PDT)
Return-Path: <[email protected]>
Received: from server.mydomain.com (mail.mydomain.com. [domain ip])
        by mx.google.com with ESMTPS id n2si12080044wic.30.2014.07.24.06.31.57
        for <[email protected]>
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 24 Jul 2014 06:31:58 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates domain ip as permitted sender) client-ip=domain ip;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of [email protected] designates domain ip as permitted sender) [email protected];
       dkim=pass [email protected]
Received: from webmail.mydomain.com (localhost [127.0.0.1])
	by server.mydomain.com (Postfix) with ESMTPA id 690141110051A;
	Thu, 24 Jul 2014 19:16:57 +0545 (NPT)
DomainKey-Signature: a=rsa-sha1;  q=dns; c=nofws;
  s=default; d=mydomain.com;
  b=nLCDkTVpSFgkz21Q7GN3bFLt6t7zN6vcjvZZPkvBPuVzeaC6Jh/f8U2LJEzEfIfmZDdV7SA4JIZqrAOSTn1ECT2nh4nMcrsCU1EKzTwOTR7tHk2gO5I0r5hOyVo8Unye3EbnqoemK3BVA1QVYticl+9niz7h7T63cGzYDbTghc=;
  h=DKIM-Signature:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:From:To:Subject:Organization:Reply-To:Mail-Reply-To:Message-ID:X-Sender:User-Agent;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;
	s=mail; t=1406208717;
	bh=DDijYCrRMtAyreBtIB6n5SO06ks3/wK0MWT1/zQCWqE=;
	h=Date:From:To:Subject:Reply-To;
	b=CFBuV1qvG6EKmMwlWVlAa7trYiTlV+mghUm8KOoLRcXtzN2ToQgQppD/f+ZO60V6
	 XKzGF5RU5LZ+zoBlqoSXQZpTH9PixumsToBZ4m9tlM96VTsym7HW7oQHWqVlQ3BiaA
	 4q/pbxwC+VBDO8Z8AQiVX4KZurOIouRDXk2RxyAU=
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Thu, 24 Jul 2014 19:16:57 +0545
From: Admin <[email protected]>
To: [email protected], [email protected]
Subject: Test
Organization: My Organization
Reply-To: [email protected]
Mail-Reply-To: [email protected]
Message-ID: <[email protected]>
X-Sender: [email protected]
User-Agent: Roundcube Webmail/1.0.0

Also the following details :

==========================================================
Details:
==========================================================

HELO hostname: server.mydomain.com
Source IP: mydomain.com IP
mail-from: [email protected]

The Helo Hostname doesn't resolve to Source IP.

The Server.mydomain.com and mydomain.com IP are different, does this matter ?
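The two signature headers above use different selectors (`s=default` for DomainKeys, `s=mail` for DKIM), so each is verified against a different DNS TXT record. The following is an added example, not part of the original thread: it pulls the selector, domain and signed-header list out of both signature headers and reads the receiver's verdicts from `Authentication-Results`. The sample message, its address and its shortened `b=`/`bh=` values are constructed.

```python
import re
from email import message_from_string

# Constructed sample modelled on the headers in the thread; b=/bh= shortened.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=admin@mydomain.com;
 dkim=pass header.d=mydomain.com
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=default; d=mydomain.com;
  b=AAAA=;
  h=DKIM-Signature:Date:From:To:Subject;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mydomain.com;
\ts=mail; t=1406208786;
\tbh=BBBB=;
\th=Date:From:To:Subject:Reply-To;
\tb=CCCC
\t DDDD=
From: Admin <admin@mydomain.com>
Subject: DKIM Test

body
"""

def parse_tags(value):
    """Split a 'k=v; k=v' tag list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signatures(raw):
    """One entry per signature header: algorithm, DNS key record, signed headers."""
    out = []
    msg = message_from_string(raw)
    for header in ("DomainKey-Signature", "DKIM-Signature"):
        for value in msg.get_all(header, []):
            t = parse_tags(value)
            out.append({"header": header, "algorithm": t.get("a"),
                        "key_record": f"{t.get('s')}._domainkey.{t.get('d')}",
                        "signed_headers": t.get("h", "").split(":")})
    return out

def auth_results(raw):
    """Receiver verdicts (method -> result) from Authentication-Results."""
    value = " ".join(message_from_string(raw).get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|domainkeys|sender-id)=(\w+)", value))
```

Each `key_record` is the TXT name to query (for example with `dig TXT`) when checking that the published public key matches the key the signer actually used.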
 
Just add the other IP in your domain's SPF record to make sure. But if you already have an A record for it and a +a or a in the SPF record, that should be fine.

The only difference I see between mine and yours are the DK and DKIM sigs are the other way round.

Do you get any errors when you check the server at http://mxtoolbox.com/ ?
 
I don't get any errors at mxtoolbox.com

Checking server.mydomain.com which resolves to ip address against 98 known blacklists...
Listed 0 times with 0 timeouts

Same for other IP Addresses.

I have v=spf1 +a +mx -all in my dns for spf txt record.

Code:
220 server.mydomain.com ESMTP Postfix

Test	Result
	SMTP Banner Check	OK - server.mydomain.com_IP address resolves to server.mydomain.com
	SMTP Reverse DNS Mismatch	OK - Reverse DNS matches SMTP Banner
	SMTP TLS	OK - Supports TLS.
	SMTP Connection Time	0.905 seconds - Good on Connection time
	SMTP Open Relay	OK - Not an open relay.
	SMTP Transaction Time	3.292 seconds - Good on Transaction Time
Session Transcript:
Connecting to server.mydomain.com_IP address

220 server.mydomain.com ESMTP Postfix [718 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-server.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [749 ms]
MAIL FROM: <[email protected]>
250 2.1.0 Ok [764 ms]
RCPT TO: <[email protected]>
554 5.7.1 <[email protected]>: Relay access denied [749 ms]

MXTB-PWS3v2 4493ms

For SPF

Code:
spf:mydomain.com   Find Problems    spf  
Prefix	Type	Value	PrefixDesc	Description
+	a		Pass	Match if IP has a DNS 'A' record in given domain
+	mx		Pass	Match if IP is one of the MX hosts for given domain name
-	all		Fail	Always matches. It goes at the end of your record.
 
My SPF is something like..

Code:
v=spf1 a mx ptr ip4:192.168.0.1 ip4:192.168.5.1 a:mail.domain.tld a:real-mail.server.tld -all

Where 192.168.0.1 is your domain ip and 192.168.5.1 is your mail server ip.

Other than that I'm not seeing much difference.
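SPF records like the ones in this thread fail in ways that differ between receivers, such as the trailing full stop described earlier that Gmail accepted and outlook.com rejected. The following is an added example, not part of the original thread: a small syntax check for an SPF TXT record that flags that case, unrecognised mechanism names, malformed `ip4`/`ip6` arguments, `ptr`, and terms placed after `all`. The function name and the test records are constructed for illustration.

```python
import ipaddress
import re

# Mechanism names defined by RFC 7208.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def lint_spf(record):
    """Return a list of problems found in one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    for pos, term in enumerate(terms[1:], start=1):
        body = term[1:] if term[0] in "+-~?" else term  # drop the qualifier
        if re.match(r"[A-Za-z][\w.-]*=", body):
            continue  # modifier such as redirect= or exp=
        name, _, arg = body.partition(":")
        name = name.split("/")[0].lower()  # 'a/24' -> 'a'
        fixed = name.rstrip(".")
        if name not in MECHANISMS:
            if fixed in MECHANISMS:
                problems.append(f"{term}: trailing full stop after '{fixed}'")
            else:
                problems.append(f"{term}: unknown mechanism '{name}'")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
                if net.version != int(name[2]):
                    problems.append(f"{term}: address is not IPv{name[2]}")
            except ValueError:
                problems.append(f"{term}: invalid address or prefix")
        elif name == "ptr":
            problems.append(f"{term}: ptr is discouraged by RFC 7208")
        elif name == "all" and pos != len(terms) - 1:
            problems.append(f"{term}: terms after 'all' are never evaluated")
    return problems

if __name__ == "__main__":
    # Constructed records, not taken from any real domain.
    for rec in ("v=spf1 +a +mx -all", "v=spf1 a mx -all.",
                "v=spf1 a ipv4:192.0.2.1 -all", "v=spf1 ptr ip4:192.0.2.0/24 -all"):
        print(rec, "->", lint_spf(rec) or "ok")
```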
 
Now it's working without errors.. I have a final query

I am getting this error at dnsstuff

myip1 | WARNING: The hostname in the SMTP greeting does not match the reverse DNS (PTR) record for your mail server. This probably won't cause any harm, but may be a technical violation of RFC5321

I have the reverse ptr setup exactly as the a record.
 
Does anyone have a solution for fixing the Server Health Extension? It doesn't show anything, just a blank page. I installed it after my Plesk was preinstalled with the VPS.
 
Any errors in /usr/local/psa/admin/logs/health-alarm.log ?
Have you tried re-install Health Monitor?
 
The file is present but empty. I haven't tried reinstalling the Health Monitor. Should I do that?

Also, Rkhunter says the following in my email: Please inspect this machine, because it may be infected. Scan log:
I do not understand the log properly; I would request that you kindly check my log.
I shall send the log to you in a private message.
 