
Outgoing email messages not DKIM signed when enabled for a domain and in server settings

pleskuser67553


TITLE

Outgoing email messages not DKIM signed when enabled for a domain and in server settings

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.49/50, CentOS Linux 7.9.2009, Intel

PROBLEM DESCRIPTION

For any given domain, in Mail Settings, "Use DKIM spam protection system to sign outgoing email messages" is checked enabled, but in some circumstances outbound email messages are not signed from said domain. It's necessary to switch DKIM off and on again ;) to get it to work.

STEPS TO REPRODUCE

Ensure that "Allow signing outgoing mail" is checked in Tools & Settings > Mail Server Settings.

  1. Go to an existing domain > Mail Settings.
  2. "Activate mail service on this domain" is checked enabled - if not, check the box. Check "Use DKIM spam protection system to sign outgoing email messages". Apply
  3. Outbound messages are signed
  4. Disable mail service but leave DKIM enabled, Apply
  5. Outbound messages are not signed
  6. Disable DKIM, do not enable mail service, Apply
  7. Enable DKIM, Apply (new public key is generated, update DNS if external)
  8. Outbound messages are signed
Also
  1. Hostname is set for the server in Tools & Settings > Server Settings (let's say for this myserver.example.com - yes, mine is on a subdomain)
  2. Create or go to the domain that matches the hostname of the server, myserver.example.com
  3. DKIM is enabled in Mail Settings at some point (sorry I can't be more specific)
  4. Add to panel.ini
    [notification]
    senderAddress=[email protected]
  5. Outbound plesk notification emails come from the expected address but are not signed
  6. Disable DKIM, do not enable mail service or mail service is not enabled, Apply
  7. Enable DKIM, Apply (new public key is generated, update DNS if external)
  8. Outbound Plesk notification messages are signed

ACTUAL RESULT

It appears dis/enabling DKIM works independently from whether the mail service is enabled on a domain, which is helpful and desired, but to me, the Mail Settings UI does not imply that it is independent - certainly, it's not explicit.

Either way, enabling DKIM is not working every time and it is sometimes necessary to disable and reenable DKIM on mail settings on the domain to get a fresh key.

EXPECTED RESULT

Enabling DKIM on a domain should sign the domain's outbound emails.

If this setting is enabled but messages are not being signed, a warning should be in the logs and/or show in Diagnose & Repair and/or popup a warning telling the user this and/or recommend disable and reenable to get a fresh key.

Perhaps also make it clear to users in the UI that disabling and reenabling DKIM on a domain will generate a new key! Especially helpful for those whose DNS is external.

ANY ADDITIONAL INFORMATION

Diagnose & Repair does not pick up this issue.

As well as trying to sign outbound messages from a customer's domain, I was looking in the docs for how to DKIM sign outbound plesk notifications - if it is recommended the route which I have taken, e.g. adding a domain that matches the server hostname, adding the panel.ini [notification] setting and then enabling DKIM on the domain's mail settings, then it would be good to see this documented as it will help other admins. But also, a shortcut for enabling DKIM signing of plesk notifications would be nice too.

Related but not part of this bug - would be helpful if:
  • the DNS config / public key was not behind the "How to configure external DNS" popup
  • the UI made clear that the public key has been changed, e.g. by displaying a creation date/time

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
The steps to reproduce the issue seem to lead to no issue the way you have put them. You end with "outbound messages are signed". Could you please describe what steps are necessary to reproduce the issue that outbound messages are not signed?
 
Ah, okay, yes. I guess I included workaround steps. I cannot edit my first post so here's an update:

STEPS TO REPRODUCE

Ensure that "Allow signing outgoing mail" is checked in Tools & Settings > Mail Server Settings.
  1. Go to an existing domain > Mail Settings.
  2. "Activate mail service on this domain" is checked enabled - if not, check the box. Check "Use DKIM spam protection system to sign outgoing email messages". Apply
  3. Outbound messages are signed
  4. Disable mail service but leave DKIM enabled, Apply
  5. Outbound messages are not signed
Also
  1. Hostname is set for the server in Tools & Settings > Server Settings (let's say for this myserver.example.com - yes, mine is on a subdomain)
  2. Create or go to the domain that matches the hostname of the server, myserver.example.com
  3. DKIM is enabled in Mail Settings at some point (sorry I can't be more specific)
  4. Add to panel.ini
    [notification]
    senderAddress=[email protected]
  5. Outbound plesk notification emails come from the expected address but are not signed
ACTUAL RESULT

Use DKIM spam protection system to sign outgoing email messages is checked but outbound messages are not signed.

It can be resolved with a workaround, to turn it off and on again with the following steps:
  1. Disable DKIM, do not enable mail service or mail service is not enabled, Apply
  2. Enable DKIM, Apply (new public key is generated, update DNS if external)
  3. Outbound messages are signed
It appears dis/enabling DKIM works independently from whether the mail service is enabled on a domain, which is helpful and desired. However, to me, the behaviour of the steps above and the Mail Settings UI does not imply that it is independent - certainly, it's not explicit.

Either way, enabling DKIM is not working every time and it is sometimes necessary to disable and reenable DKIM on mail settings on the domain to get a fresh key.

EXPECTED RESULT

If Use DKIM spam protection system to sign outgoing email messages is checked on a domain it should sign the domain's outbound emails, always.

If this setting is enabled but messages are not being signed, a warning should be in the logs and/or show in Diagnose & Repair and/or popup a warning telling the user this and/or recommend disable and reenable to get a fresh key.

Perhaps also make it clear to users in the UI that disabling and reenabling DKIM on a domain will generate a new key! Especially helpful for those whose DNS is external.
 
I am having difficulties sorting the matter. I cannot see what the product issue is other than missing features.

For the first part, that DKIM is not active when mail service is not active, this is a known feature request:

For the second part, that Plesk notifications are not DKIM signed, I think that is another known feature request:

Do these feature requests meet your points?
 
For the first part, that DKIM is not active when mail service is not active, this is a known feature request
Sorry, maybe I was not clear, I am able to activate DKIM on a domain when the mail service is not active, so maybe this has already been implemented? Else it's a bug, but a welcome bug :)

It's just that sometimes the DKIM checkbox can be checked but it is not signing messages - that should be the focal point of this bug report. I believe I have outlined conditions above in which this happened for me.

I have worked around it by unchecking, Applying, checking, Applying and then updating my external DNS with the regenerated key. All while the mail service is not activated.

Screenshot 2023-03-21 123513.png

For the second part, that Plesk notifications are not DKIM signed, I think that is another known feature request
I see, I will up-vote and I will point commenters to my workaround which does DKIM sign Plesk notifications.
 
It's just that sometimes the DKIM checkbox can be checked but it is not signing messages - that should be the focal point of this bug report. I believe I have outlined conditions above in which this happened for me.

I believe you're right. When the DKIM option is checked it is expected that outbound messages are signed, even if the mail option is disabled. However, the way Plesk handled disabling the mail service for a domain has been a source of discontent for a while for some users. Fortunately Plesk picked up on this. Which is why in the most recent version (18.0.51) Plesk changed the way the mail service can be managed per domain. Rather than having it on or off, it's now also possible to select the option "Disabled for incoming mail".

I haven't upgraded to 18.0.51 myself yet and thus haven't had a chance to test these new settings. I do expect however that selecting the "Disabled for incoming mail" option for the mail service will keep the DKIM setting checked. And as a result all outbound messages will be signed. So in short, I *think* the issue you reported has been solved on the newest Plesk version because of the way mail service can be managed per domain.
 
I find the reported issue as a Plesk BUG, and not a feature request, as it poses a security risk, where one implementing a strict DMARC policy won't see an alert going to spam, or in order to get alerts, might loosen the strict DMARC security policy.

I expect Plesk to provide a workaround to manually set the emails to add the DKIM signature, or to divert them to be sent via SES SMTP which does so.
 
As can be seen on the attached print screen, the domain is well configured to have emails signed by DKIM, and the option selected only prevents Incoming emails.

Yet server, which by the email content, does use the postfix Plesk service, does NOT sign with the DKIM key.

This is found by me to be a Plesk BUG. Can you please fix it?

BTW - The entire CURRENT way Plesk handles DKIM, is found by me to be miserable:
1) No place shown where to replace the key.
2) Private Key itself is NOT password protected, so anyone gaining access to the server, can copy it and the published public key... and use them somewhere else to impersonate.
3) It's not well explained on a Plesk KB (Knowledge Base) article, how to manually set the DKIM usage on PHP or Postfix manual configuration
 

Attachments: mail_server_configuration.png
It's possible I found a second related Plesk BUG.

Although the mail server for the domain is set for 'Disabled for incoming mail', the mail server seems to be OFF.

It seems like the implementation of "Disabled for incoming mail" is ill configured, and it turns OFF the mail server, thus not enabling the DKIM signature of the OUTGOING emails, in contrast to the general understanding of the meaning of selecting the option: "Disabled for incoming mail".
 

Attachments: second_bug.png
Plus...

One should ask himself, how could services such as Fail2Ban and PHPMailer get to send emails which get DKIM signed, according to configuration of webmail "Amazon" (?) and 'SSL/TLS certificate for webmail' and 'SSL/TLS certificate for mail', HOWEVER the Plesk system notification emails, are NOT well configured to fetch that path of being created.


Also, it should be possible to have manual control, over the parameters that might endanger the DMARC evaluation on the receiving server, as:

1) Controlling the FROM DOMAIN parameter
2) Ensuring the MAIL FROM, sender, and 'reply_to' email addresses are all the same
3) Ensuring the domain mentioned in the 'sender' / MAIL FROM email address, is the same as in FROM DOMAIN
 
BTW - The entire CURRENT way Plesk handles DKIM, is found by me to be miserable:
1) No place shown where to replace the key.
We have a feature request DKIM - needed to import own keys where you can vote for the feature.

2) Private Key itself is NOT password protected, so anyone gaining access to the server, can copy it and the published public key... and use them somewhere else to impersonate.
When someone gains access to a server to edit root owned files, you'll have more trouble than DKIM issues. Owners have access to these files anyway. Also, when you protect such a file with a password, where would you store the password or hash? It will be root-accessible, too.

3) It's not well explained on a Plesk KB (Knowledge Base) article, how to manually set the DKIM usage on PHP or Postfix manual configuration
Please post a suggestion how you would like to explain it. I'll be happy to forward it to the tech doc team.
 
Plus...

One should ask himself, how could services such as Fail2Ban and PHPMailer get to send emails which get DKIM signed, according to configuration of webmail "Amazon" (?) and 'SSL/TLS certificate for webmail' and 'SSL/TLS certificate for mail', HOWEVER the Plesk system notification emails, are NOT well configured to fetch that path of being created.


Also, it should be possible to have manual control, over the parameters that might endanger the DMARC evaluation on the receiving server, as:

1) Controlling the FROM DOMAIN parameter
2) Ensuring the MAIL FROM, sender, and 'reply_to' email addresses are all the same
3) Ensuring the domain mentioned in the 'sender' / MAIL FROM email address, is the same as in FROM DOMAIN
Please feel free to formulate your feature requests one by one and post them to Feature Suggestions: Top (1824 ideas) – Your Ideas for Plesk. Also check, please, if similar requests already exist, such as Add DKIM-key in php mail() function
 
Hi Peter,


Regarding:
Please post a suggestion how you would like to explain it. I'll be happy to forward it to the tech doc team.

There are articles out there, regarding manually adding DKIM to PHPMailer and Postfix. It's up to Plesk, IMHO, to provide a tool/way to do so.


Regarding:
Please feel free to formulate your feature requests one by one and post them to Feature Suggestions: Top (1824 ideas) – Your Ideas for Plesk. Also check, please, if similar requests already exist, such as Add DKIM-key in php mail() function

I'll do so. However I find it VERY strange, as Plesk notification not having DKIM, causes problems to users in implementing "s" (strict) e-mail policies or setting "reject". This is considered by me to be a Plesk BUG, as a Plesk configuration, IMHO, causes problems for a Plesk user.
 
Hi Peter Debik,

As for your question:

Please post a suggestion how you would like to explain it. I'll be happy to forward it to the tech doc team.

May I ask, if diverting all Postfix created emails to be sent via an AWS SES SMTP existing service, would solve the No DKIM issue, by passing the emails on the Plesk server to a different mail generation channel which DOES involve DKIM signing?

And if so, would the attached possible recommendation regarding how to do so (from ChatGPT OpenAI), be good? And if so, can Plesk please publish its own KB article?

To configure Postfix to use AWS SES SMTP for sending emails, you need to make the following
changes to your main.cf configuration file:
1. Uncomment or add the following lines to enable SASL authentication:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
2. Create a file named /etc/postfix/sasl_passwd and add the following line to it:
[email-smtp.region.amazonaws.com]:587 SMTP_USERNAME:SMTP_PASSWORD
Replace SMTP_USERNAME with your AWS SES SMTP username and SMTP_PASSWORD with your AWS
SES SMTP password. Make sure to replace region with the appropriate AWS region you are
using.
3. Run the following command to generate the hash DB file for sasl_passwd:
postmap /etc/postfix/sasl_passwd
4. Adjust the myhostname parameter to match your domain name. In your case, set it to:
myhostname = mail.currenge.com
5. Set the relayhost parameter to the AWS SES SMTP endpoint. For example:
relayhost = [email-smtp.region.amazonaws.com]:587
Replace region with the appropriate AWS region.
6. Uncomment or add the following line to enable TLS encryption:
smtp_tls_security_level = encrypt
7. Save the changes to main.cf and restart Postfix for the changes to take effect. The command to
restart Postfix depends on your operating system, but it's typically one of the following:
service postfix restart
systemctl restart postfix
These configurations will configure Postfix to use AWS SES SMTP for sending emails. Make sure to
replace the placeholders with your actual AWS SES SMTP credentials and region.

I'm also attaching a great Google recommendation for the process of setting DMARC.
 

Attachments: postfix to be set to use AWS SES SMTP.pdf, Tutorial__Recommended_DMARC_rollout_-_Google_Workspace_Admin_Help.pdf
I am not a competent advisor for AWS. Maybe another user is experienced with it or their support can help.
 
Those are all issues related to the PLESK side.. and most likely also to a file as:

Code:
/etc/postfix/main.cf

That's a Plesk file...

And in it, for example, one should set

Code:
myhostname = mail.example.com
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt


That's an issue, that to the best of my understanding, should be well covered in a Plesk support KB article, however it's still not.
 
Apparently... Plesk controls postfix/DKIM, and could explain how to use the tools it provides.

For example, you may see some examples, on the manual, seen on the file:

Code:
/etc/postfix# man header_checks

EXAMPLES
Header pattern to block attachments with bad file name extensions. For convenience, the PCRE /x flag is specified, so that there is no need to collapse the pattern into a single line of text. The purpose of the
[[:xdigit:]] sub-expressions is to recognize Windows CLSID strings.

/etc/postfix/main.cf:
header_checks = pcre:/etc/postfix/header_checks.pcre

/etc/postfix/header_checks.pcre:
/^Content-(Disposition|Type).*name\s*=\s*"?([^;]*(\.|=2E)(
ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|
hlp|ht[at]|
inf|ins|isp|jse?|lnk|md[betw]|ms[cipt]|nws|
\{[[:xdigit:]]{8}(?:-[[:xdigit:]]{4}){3}-[[:xdigit:]]{12}\}|
ops|pcd|pif|prf|reg|sc[frt]|sh[bsm]|swf|
vb[esx]?|vxd|ws[cfh]))(\?=)?"?\s*(;|$)/x
REJECT Attachment name "$2" may not end with ".$4"

Body pattern to stop a specific HTML browser vulnerability exploit.

/etc/postfix/main.cf:
body_checks = regexp:/etc/postfix/body_checks

/etc/postfix/body_checks:
/^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>$/
REJECT IFRAME vulnerability exploit

SEE ALSO
cleanup(8), canonicalize and enqueue Postfix message
pcre_table(5), format of PCRE lookup tables
regexp_table(5), format of POSIX regular expression tables
postconf(1), Postfix configuration utility
postmap(1), Postfix lookup table management
postsuper(1), Postfix janitor
postcat(1), show Postfix queue file contents
RFC 2045, base64 and quoted-printable encoding rules
RFC 2047, message header encoding for non-ASCII text

However

I could NOT find any Plesk KB article, explaining how to use such tools, which may enable lots of email security measures, as:

1) Scanning mails and fixing them
2) Manipulating email fields, while it's under Postfix responsibility, before it's sent, thus should enable setting missing fields (cc?), before the email is DKIM signed.

I do expect such an in-depth guidance to be provided by Plesk, regarding tools it presents on the server.
 
Have a look at the workaround suggested on this Plesk Support KB.
Hi

As I had the same problems with notifications, I did this.
E.g. if your Plesk server host is server.example.com,
you can go to the zone of example.com and set different _domainkey and dmarc
records for server.example.com
_domainkey in TXT o=~ (for the subdomain not root domain)
at _dmarc for server.example.com set aspf=s (strict as the ip is the same) but adkim = r (relaxed)
in this way notifications will go through
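A way to check the alignment this workaround relies on (a server.example.com sender signed with the parent zone's key, evaluated under aspf=s / adkim=r), as an added Python example that is not Plesk's code or anyone's post in this thread: it parses the DMARC record's adkim/aspf tags, pulls d= out of DKIM-Signature headers, and reports whether the DKIM and MAIL FROM identifiers align with the From domain. It checks alignment only, assuming the underlying SPF and DKIM verification passed, and uses the last two labels as the organisational domain instead of the Public Suffix List; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; aspf=s' into {'v': 'DMARC1', 'p': ..., 'aspf': 's'}."""
    tags = {}
    for part in record.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels (assumption;
    a production check uses the Public Suffix List)."""
    return '.'.join(domain.lower().strip('.').split('.')[-2:])


def aligned(auth_domain, from_domain, mode):
    """'s' = strict (exact match); anything else = relaxed (same org domain)."""
    if mode == 's':
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dkim_signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header on the message."""
    domains = []
    for sig in msg.get_all('DKIM-Signature', []):
        match = re.search(r'(?:^|;)\s*d=([^;\s]+)', sig)
        if match:
            domains.append(match.group(1))
    return domains


def evaluate(raw_message, dmarc_record):
    """Report identifier alignment for one message against one DMARC record."""
    policy = parse_dmarc(dmarc_record)
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get('From', ''))[1].rpartition('@')[2]
    mail_from = parseaddr(msg.get('Return-Path', ''))[1].rpartition('@')[2]
    dkim_domains = dkim_signing_domains(msg)
    dkim_aligned = any(aligned(d, from_domain, policy.get('adkim', 'r'))
                       for d in dkim_domains)
    spf_aligned = bool(mail_from) and aligned(mail_from, from_domain,
                                              policy.get('aspf', 'r'))
    return {'from_domain': from_domain, 'dkim_domains': dkim_domains,
            'dkim_aligned': dkim_aligned, 'spf_aligned': spf_aligned,
            'dmarc_pass': dkim_aligned or spf_aligned}


# Constructed sample: a notification that left the server without any DKIM-Signature.
UNSIGNED = """Return-Path: <noreply@server.example.com>
From: Plesk <noreply@server.example.com>
To: admin@example.com
Subject: Backup report

done
"""
# Constructed sample: the same message signed with the parent zone's key (bh/b are placeholders).
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default;"
          " h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n" + UNSIGNED)
```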
 