Resolved [PPP-26713] DKIM after migration

Esuard

New Pleskian
Hi,

I have this issue, after migration from 12 to Onyx (centos5/12.05>centos7/Onyx), I'm getting this in maillog:
dk_check[30583]: DKIM verify result: DKIM verification (d=mydomain.xx, 1024-bit key) failed: signature verification failed

After checking with dkimvalidator I got this:

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.xx;
s=default; t=1476796694;
bh=jBHu0RF4c0DzohwyrlCCm+LHXTp77ZYWvhhB0smAp2c=; l=14956;
h=From:To:Subject;
b=RHEfvTmwMgEz/Z8zCJ1e/8mZhLLmfaRYofliikKTpD6TtXeOaA/beKAyqAUXWEh20
q5h3wvn6XbogeAA0SUlMupaf9VJnMBJXCUA3fZsuzWDx7ahkLLmvVF7UaA1PFSc9QU
1EwMOC7iv6Vk8Y0wLCeLxO7uDTOFxddpzXf7Z728=


Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: simple/simple
d= Domain: mydomain.xx
s= Selector: default
q= Protocol:
bh= jBHu0RF4c0DzohwyrlCCm+LHXTp77ZYWvhhB0smAp2c=
h= Signed Headers: From:To:Subject
b= Data: RHEfvTmwMgEz/Z8zCJ1e/8mZhLLmfaRYofliikKTpD6TtXeOaA/beKAyqAUXWEh20
q5h3wvn6XbogeAA0SUlMupaf9VJnMBJXCUA3fZsuzWDx7ahkLLmvVF7UaA1PFSc9QU
1EwMOC7iv6Vk8Y0wLCeLxO7uDTOFxddpzXf7Z728=

Building DNS Query for default._domainkey.mydomain.xx
Retrieved this publickey from DNS: v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf2zhCxQZwCas+WyOcx0EXODOc4DmKEBw3exvobRrXdOJGcChttb9D5+eZber7XYpLHlmHH1PUDhN3fS/qMqWdxDiAKXWRWFOuLxf6B6HBJUEv4nAo+8Z/+4iQK9i00Yjnt76zyyQKfRF+qVqYZ1dixnXGm5ZFy7OcBE66+eSzoQIDAQAB;
Validating Signature
result = fail
Details: message has been altered

This is the first and only Plesk server that I ever worked with. I believe that the dkim DNS records were imported and don't match the private key...
Already googled for 3 days without result.

Any help will be appreciated!
 
Are you using external DNS?

The key changed by Upgrade because of change from DNSKEY to DKIM.

So I had to change the entries at my external nameserver / domain hoster.

Greets LaFo
 
Nope, I'm using Plesk DNS. Plesk DNS was used before and after. Because of this, email gets in junk. Even from users from same domain...
 
Hmmm I'm really afraid to write that, but did you try to switch off and on DKIM signing on server based level?

Greets LaForge
 
I have also a DKIM related error. In Outlook.exe users receive only the header, no subject or mail content shows up. In webmail and IOS it works fine. Anyone an idea?
 

Anyone? Please help.

 
Hi @AlL,

Nope, I'm using Plesk DNS. Plesk DNS was used before and after. Because of this, email gets in junk. Even from users from same domain...

Still not working.

Anyone? Please help.

If you would like help from people willing to help, consider providing MORE information, so that investigations are based on facts and not on guesses. Yes, this means as well that you have to provide the correct domain name, because anonymized information can't be investigated. :rolleyes:
 
Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=amprenta-advertising.ro;
s=default; t=1476898716;
bh=u+gXQFijRwa7f5nwVWIgRx4PPfy9PdQOx7Cr8ayHP9U=; l=14956;
h=From:To:Subject;
b=bGZAw6fCa0lre9rJ18J6GUcq+SfZO+deZm6VLrMo5BcTjDmJzmGrRnzT2PlqUTV13
jF7gkYcS8QMkyEZj34navUyzdoDeCCjp9guO6VTJiGOR60CgN91FY+UCJB9F5AYu8g
QqLkAjZAbx71BHvQ4cXYLuRXAeLFol6MxR3pSVs4=


Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: simple/simple
d= Domain: amprenta-advertising.ro
s= Selector: default
q= Protocol:
bh= u+gXQFijRwa7f5nwVWIgRx4PPfy9PdQOx7Cr8ayHP9U=
h= Signed Headers: From:To:Subject
b= Data: bGZAw6fCa0lre9rJ18J6GUcq+SfZO+deZm6VLrMo5BcTjDmJzmGrRnzT2PlqUTV13
jF7gkYcS8QMkyEZj34navUyzdoDeCCjp9guO6VTJiGOR60CgN91FY+UCJB9F5AYu8g
QqLkAjZAbx71BHvQ4cXYLuRXAeLFol6MxR3pSVs4=
Public Key DNS Lookup
Building DNS Query for default._domainkey.amprenta-advertising.ro
Retrieved this publickey from DNS: v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDf2zhCxQZwCas+WyOcx0EXODOc4DmKEBw3exvobRrXdOJGcChttb9D5+eZber7XYpLHlmHH1PUDhN3fS/qMqWdxDiAKXWRWFOuLxf6B6HBJUEv4nAo+8Z/+4iQK9i00Yjnt76zyyQKfRF+qVqYZ1dixnXGm5ZFy7OcBE66+eSzoQIDAQAB;
Validating Signature
result = fail
Details: message has been altered
 
Hi Esuard,

Your settings and configuration seem to be correct and, as you stated before, you already switched off DKIM signing for your mail server globally and switched it back on again. The only possible answer now can be that you upgraded Plesk Onyx from a previous Plesk version (now OpenDKIM has been replaced with DKIM) and Plesk DNS didn't change the public key correctly but Plesk created a new private key for DKIM, which will not match the existing public key.

I would suggest to

1. Switch off the DKIM - signing - feature for the specific domain at:

a. Home > Subscriptions > example-domain.com > Websites & Domains > ( tab) Mail > ( tab ) Mail settings

Check the desired domain and click on the button "Activate/Deactivate Services". It opens a popup - window, where you could choose: DKIM spam protection system to sign outgoing email messages > Drop-down menu > Disable

or

b. Home > Subscriptions > uwefilthaut.de > Websites & Domains > (tab ) Mail Settings

( checkbox ) Use DKIM spam protection system to sign outgoing email messages


2. Check that the depending DNS - entries have been removed at:

Home > Subscriptions > example-domain.com > Websites & Domains > DNS Settings


3. Check that the record for your "default._domainkey" has changed to a non-existent entry (this could take some time, until all worldwide DNS servers are synced, up to 24-48 hours) at for example => "http://dkimcore.org/tools/" <=

=> Check a published DKIM Core Key => Selector: default => Domain name: example-domain.com

4. Re-enable DKIM signing (see step 1. and enable now instead of disabling), when you verified that there is no previous DNS record for "default._domainkey"

5. Check that the depending DNS - entries are created ( see step 2. )

6. Check that the NEW record is now available and correct ( see step 3. )

7. Send a Test - eMail from an eMail - account of "example-domain.com" to an external eMail - account of your choice ( see for example => http://dkimvalidator.com/ <= )

8. Check the results and pls report back. ;)
 
Hi,
I have the same problem on a fresh server (Plesk Onyx v17.0.17 Update #3, CentOS 7.2.1511).
I think it is related to the header c=simple/simple and changing it to c=relaxed/relaxed will fix the problem.
Where do I find the DKIM configuration file?
 
Hi,
I have the same problem. Also on a fresh Plesk Onyx Server on Debian 8 (no upgrade).
I activated the name server for a domain.
Later I activated dkim for that domain.
When I sent a test mail via webmail to dkimvalidator it showed me the same error as the op mentioned:

any idea?

Information from dkimvalidator:

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: simple/simple
d= Domain: <some domain>
s= Selector: default
q= Protocol:
bh= T/5FjlNQpdHizkQaEax9Z2y2pZWPOYKLPf/W5hz/Nbs=
h= Signed Headers: From:To:Subject
b= Data: <some data>

and finally:
result = fail
Details: message has been altered
 
Hi @ all:

if I'm not mistaken, the Plesk developers forgot that a missing "c" (canonicalization) definition leads to the standard, defined as " c = b'simple/simple' "

Quoted from: "/usr/lib/python2.7/dist-packages/dkim/canonicalization.py" ( on Debian/Ubuntu - based systems ):
Code:
...
        if c is None:
            c = b'simple/simple'
...

Unfortunately, I couldn't find any Plesk-related Python files (Plesk "normally" uses its very own Python files and/or definitions, located at "/usr/local/psa/lib/modules/python/"), which could lead to the fact that the system-wide Python package (module "python-dkim") is being used.

Pls. wait for a Plesk - Team - Member to verify my thoughts and to get an official clarification, where to ( manually ) adjust the standard settings for Plesk - related DKIM - signings.
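
What the c= setting discussed above changes, as an added example that is not part of the original thread and is not Plesk or python-dkim code: a Python implementation of the RFC 6376 simple and relaxed canonicalization rules, run over a constructed message as signed and as delivered after a relay stripped trailing spaces and re-folded the Subject header. The message bytes and all function names are assumptions made for the illustration.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode == "relaxed":
        body = re.sub(rb"[ \t]+(?=\r\n|\Z)", b"", body)  # drop whitespace at line ends
        body = re.sub(rb"[ \t]+", b" ", body)            # collapse whitespace runs
    stripped = body.rstrip(b"\r\n")                      # ignore trailing empty lines
    if stripped:
        return stripped + b"\r\n"
    return b"\r\n" if mode == "simple" else b""          # empty-body rule differs

def canon_header(line: bytes, mode: str) -> bytes:
    """Header canonicalization per RFC 6376 sections 3.4.1 (simple) and 3.4.2 (relaxed)."""
    if mode == "simple":
        return line                                      # byte-for-byte, folding included
    name, value = line.split(b":", 1)
    value = re.sub(rb"\r\n(?=[ \t])", b"", value)        # unfold continuation lines
    value = re.sub(rb"[ \t]+", b" ", value).strip(b" \t\r\n")
    return name.strip().lower() + b":" + value + b"\r\n"

def body_hash(body: bytes, mode: str, length=None) -> str:
    """Value of the bh= tag; `length` mirrors the optional l= tag."""
    data = canon_body(body, mode)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

# Constructed sample: what the signer hashed vs. what the verifier received.
SIGNED_SUBJECT = b"Subject: Quarterly report for the board\r\n"
DELIVERED_SUBJECT = b"Subject: Quarterly report\r\n for the board\r\n"
SIGNED_BODY = b"Hello,\r\n\r\nInvoice attached. \r\n-- \r\nSales\r\n"
DELIVERED_BODY = b"Hello,\r\n\r\nInvoice attached.\r\n--\r\nSales\r\n\r\n"

def survives(header_mode: str, body_mode: str):
    """Return (header_unchanged, body_hash_unchanged) under c=header_mode/body_mode."""
    header_ok = (canon_header(SIGNED_SUBJECT, header_mode)
                 == canon_header(DELIVERED_SUBJECT, header_mode))
    body_ok = body_hash(SIGNED_BODY, body_mode) == body_hash(DELIVERED_BODY, body_mode)
    return header_ok, body_ok

if __name__ == "__main__":
    for c in ("simple/simple", "relaxed/relaxed"):
        print(f"c={c}: (header, body) survive = {survives(*c.split('/'))}")
```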
 
I have also a DKIM related error. In Outlook.exe users receive only the header, no subject or mail content shows up. In webmail and IOS it works fine. Anyone an idea?
We have already submitted bug report PPP-26493, but the fix is not included in a microupdate yet. As a possible workaround you can disable 'Verify incoming mail' in Tools & Settings -> Mail settings or switch from Courier-IMAP to Dovecot.
 
Hi @ all

I see that the opendkim library is installed. Also there is a binary 'dk_sign' in /opt/psa/handlers/hooks. Unfortunately I don't see any source code that could help in understanding what's happening...

I don't find anything close to a config file that defines the simple/simple method.. or where I could change it eg to relaxed..

Anyway, I don't understand why simple/simple is not working (produces invalid signatures on the remote site): is something wrong with the configuration (that I don't find) or did the writing of the mail headers change after the mail was sent?
 
I have same problem with DKIM but not all domains FAIL DKIM

domain in plesk before upgrade to ONYX sends email with DKIM that passes
domain added after upgrade to ONYX sends email with DKIM that fails

DKIMValidator reports "message has been altered"
mail-tester reports "Your DKIM signature is not valid"
gmail reports "FAIL with domain null"

upon diffing the two received messages to GMAIL (from passing domain and from failing domain)
I see the same type of message is sent for both cases (no extra info sent in either of the emails)

Therefore I conclude that the same POSTFIX setup can send DKIM messages that PASS (and also FAIL)

Thus, this must be a DOMAIN specific configuration for POSTFIX or most probably DKIM

where do we inspect for DKIM specific setup files ?
any suggestions ?

EDIT: 1 question
shouldn't this be reported as a bug ? has it ?
 
Igor, followed your instructions and while Onyx did remove the DKIM settings and replaced it when re-enabling DKIM in mail settings, the key still fails at dkimvalidator.com and mail-tester.com . Key verifies correctly at http://dkimcore.org/tools/keycheck.html .

Looks like this issue popped up back in September > Plesk Onyx Preview and FeedBack and was never solved.

Previously the DKIM config file was here > /etc/opendkim.conf and the item to edit was: # Commonly-used options; the commented-out versions show the defaults. Canonicalization relaxed/simple

However, that file and the OpenDKIM or DKIM directory doesn't exist in /etc/ so we're stuck.

The very interesting thing is that when I add a new domain to Plesk Onyx and receive the email to admin the DKIM header is: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; -- PERFECT.

BTW, this is on a new server, CentOS 7, Plesk 12.5 new install upgraded to Onyx and original 12.5 site migrated using migration tool into Onyx.
 
if I'm not mistaken, the Plesk developers forgot that a missing "c" (canonicalization) definition leads to the standard, defined as " c = b'simple/simple' "

Pls. wait for a Plesk - Team - Member to verify my thoughts and to get an official clarification, where to ( manually ) adjust the standard settings for Plesk - related DKIM - signings.
Any idea when this bug will be fixed?
 
Looking at the canonicalization.py file in CentOS, I also see exactly what you're talking about, that if the setting isn't defined it defaults to simple/simple.

What's strange is that when I migrated a domain from Plesk 12.5 to Onyx using the migration tool, I received an email from the server to the admin account and the DKIM setting was relaxed/relaxed, so it's set somewhere in Onyx, just not for new or migrated domains.

Wondering how dangerous it would be to manually edit the canonicalization file or continue to wait for a response from Plesk. With Yahoo and Google demanding non-failing DKIM (our DMARC report from Google today was a disaster) hopefully a response or fix from Plesk is imminent.
 