Resolved [PPP-26713] DKIM after migration

[UFHH01]

Hi themew,

Wondering how dangerous it would be to manually edit the canonicalization file or continue to wait for a response from Plesk.

Well, it's not dangerous, because you would definetly make a backup/copy of the file that you want to manually modify, in case that you have to restore it.


Actually, I'm as well a bit surprised about the whole ( optional ) Plesk - DKIM - component with Plesk Onyx, because it's still documented as the former "DomainKeys" = sparse and inaccurate ( sorry @plesk - Team )
In addition, configuration options seem to be non - existent and/or veiled in binaries or encrypted Plesk - files, even that the whole signing - and - checking process is adapted from official free ( GNU GPL ) python/perl/pear - packages.


----------------------------------------------------------------------------------------------------

Own opinion - my "two cents" :

Unfortunately, I recommend NOT to use the Plesk - DKIM - feature, untill they change non-existent configuration options to existent ones, because I can't accept the fact, to have absolutely no control over the possible options by signing and checking DKIM - signatures.
We use our very own configurations and free packages from Debian/Ubuntu ( => apt-cache search dkim ), with automated scripts that generate public/private keys for DKIM ( with the additional TXT - entries for the DNS - server, mailed to the depending reseller/subscription - account, which created the new domain and automatically added to the depending domain - specific DNS - settings via psa - database, which finally triggers at last a sync with the local DNS - server ), when a new domain has been created ( => triggered by event-handler ) on our servers. The scripts modify/re-create-from-backups as well apache, nginx, mysql, php, mail and ftp related configuration files in case that Plesk updates/upgrades/patches them, because we can't accept the fact here as well, that Plesk changes working services to services with possible issues.
Pls. don't get this wrong here: We really LOVE Plesk ( especially the newest, best-ever version Plesk Onyx ), but on production servers with hundreds/thousands of domains, we can't accept updates/upgrades/patches which result in changes/reconfigurations at our main - services ( apache, nginx, mysql, php, mail, ftp ), which could as well lead to an completely inactive service.
We still miss the Plesk - feature of an immidiate eMail to the server admin, with a list of ALL changed files, in case of updates/upgrades/patches from Plesk, which we solved as well with "incron" ( => http://inotify.aiken.cz/ ) for example - but this is "off topic".

 

[Antrax1]

Hi,

Plesk do not adds the following two records to the DNS zone of the domain:

default._domainkey.<example.com> - contains the public part of the generated key.
_ domainkey.<example.com> - contains the DKIM policy.

how can generate this?

 

[UFHH01]

Hi Antrax1,

pls. note, that these ( optional ) entries are based on your settings, at for example: => Home > Tools & Settings > Mail Server Settings

Pls. consider to change between "on" and "off", with an additional confirmation by clicking onto the button "OK" and re-enable the option again aftrewards, to solve possible issues, that corresponding DNS - entries are not placed into your domain - specific DNS - settings - page at: => "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"
​

Pls. check as well the ( optional ) setting at => "Home > Subscriptions > YOUR-DOMAIN.COM > ( tab ) Mail > ( tab ) Mail Settings" ( pls. click here onto the link "YOUR-DOMAIN.COM", to reach the next domain - specific Mail Setting - page! )

And again:
Pls. consider to change between "on" and "off", with an additional confirmation by clicking onto the button "OK" and re-enable the option again aftrewards, to solve possible issues, that corresponding DNS - entries are not placed into your domain - specific DNS - settings - page at: => "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"

​

Pls. consider as well to inspect your mail.log for possible issues with DKIM signing and checking.

 

[Antrax1]

Hi Antrax1,

pls. note, that these ( optional ) entries are based on your settings, at for example: => Home > Tools & Settings > Mail Server Settings

View attachment 11683
Pls. consider to change between "on" and "off", with an additional confirmation by clicking onto the button "OK" and re-enable the option again aftrewards, to solve possible issues, that corresponding DNS - entries are not placed into your domain - specific DNS - settings - page at: => "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"
​

Pls. check as well the ( optional ) setting at => "Home > Subscriptions > YOUR-DOMAIN.COM > ( tab ) Mail > ( tab ) Mail Settings" ( pls. click here onto the link "YOUR-DOMAIN.COM", to reach the next domain - specific Mail Setting - page! )

View attachment 11684
And again:
Pls. consider to change between "on" and "off", with an additional confirmation by clicking onto the button "OK" and re-enable the option again aftrewards, to solve possible issues, that corresponding DNS - entries are not placed into your domain - specific DNS - settings - page at: => "Home > Subscriptions > YOUR-DOMAIN.COM > DNS settings"

​

Pls. consider as well to inspect your mail.log for possible issues with DKIM signing and checking.

I was finally solved, I have done this process several times with a few hours of difference and a rebooted and was solved.

I make a test in The Port25 Solutions, Inc. team and have this result:

Summary of Results

SPF check: pass
DomainKeys check: neutral
DKIM check: pass
SpamAssassin check: ham

"neutral"
The message was signed but the signature or signatures contained syntax errors or were not otherwise able to be processed. This result SHOULD also be used for other failures not covered elsewhere in this list.

it´s ok?

 

[UFHH01]

Hi Antrax1,

since Plesk Onyx, the old DomainKeys - signing/checking has been replaced with "DKIM". If you don't manually install DomainKeys - signing/checking on your server, there will be no more DomainKeys - signing/checking.

Pls. see as well:

DKIM Protection ( Plesk Onyx ( 17.0 ) online documentation - Administrator's Guide )

Quoted from the documents:

Enabling DKIM after Plesk Upgrade
When you upgrade Plesk from versions prior to Plesk Onyx, DomainKeys is automatically replaced with DKIM. If the DomainKeys functionality was enabled in Plesk, DKIM will be enabled too.

 

[themew]

Hi themew,


Well, it's not dangerous, because you would definetly make a backup/copy of the file that you want to manually modify, in case that you have to restore it.


Actually, I'm as well a bit surprised about the whole ( optional ) Plesk - DKIM - component with Plesk Onyx, because it's still documented as the former "DomainKeys" = sparse and inaccurate ( sorry @plesk - Team )
In addition, configuration options seem to be non - existent and/or veiled in binaries or encrypted Plesk - files, even that the whole signing - and - checking process is adapted from official free ( GNU GPL ) python/perl/pear - packages.


----------------------------------------------------------------------------------------------------

Own opinion - my "two cents" :

Unfortunately, I recommend NOT to use the Plesk - DKIM - feature, untill they change non-existent configuration options to existent ones, because I can't accept the fact, to have absolutely no control over the possible options by signing and checking DKIM - signatures.
We use our very own configurations and free packages from Debian/Ubuntu ( => apt-cache search dkim ), with automated scripts that generate public/private keys for DKIM ( with the additional TXT - entries for the DNS - server, mailed to the depending reseller/subscription - account, which created the new domain and automatically added to the depending domain - specific DNS - settings via psa - database, which finally triggers at last a sync with the local DNS - server ), when a new domain has been created ( => triggered by event-handler ) on our servers. The scripts modify/re-create-from-backups as well apache, nginx, mysql, php, mail and ftp related configuration files in case that Plesk updates/upgrades/patches them, because we can't accept the fact here as well, that Plesk changes working services to services with possible issues.
Pls. don't get this wrong here: We really LOVE Plesk ( especially the newest, best-ever version Plesk Onyx ), but on production servers with hundreds/thousands of domains, we can't accept updates/upgrades/patches which result in changes/reconfigurations at our main - services ( apache, nginx, mysql, php, mail, ftp ), which could as well lead to an completely inactive service.
We still miss the Plesk - feature of an immidiate eMail to the server admin, with a list of ALL changed files, in case of updates/upgrades/patches from Plesk, which we solved as well with "incron" ( => http://inotify.aiken.cz/ ) for example - but this is "off topic".

I've spent several days looking at this as well as examining headers and running tests as email delivery is critical for us and our customers.

Besides the header showing simple/simple (default) rather than relaxed/relaxed as we discovered in the OPENDKIM we manually had to add to 12.5, I also noticed that OPENDKIM sent h=To:Subjectate:From; and Onyx sends h=To:From:Subject; which could also lead to the FAIL message from Google, Yahoo and mail verifier sites.

So, we now know the DKIM keys being created and sent from Onyx are correct and are verified as correct -- the issue seems to be the canonicalization in the header and the h= code.

Wondering at this point if turning off the automatic DKIM setting in ONYX and re-installing OPENDKIM as we had done in 12.5 is the way to go.

Still, we've been waiting so long for instant-on DKIM and now that it's been added (albeit without an editable config file) to Plesk, it would be nice to hear something from Plesk about this issue.

I couldn't agree with you more -- We Love Plesk!! and have deployed it on our customer's servers exclusively for years (it's the only panel we use) so hopefully a quick fix is coming, or instructions so we can take care of this in the meantime.

 

[Marco.Marco]

I upgrade the onyx from 12.6, and have the same problem,
looking forward having a solution soon!

 

[Marco.Marco]

i found the following code, the key should be stored in /etc/domainkeys/

sub getDomainKeysDomainSupport() {
my ($self, $parent, $domainId, $domainName, $dnsZoneId) = @_;
my $sql = "SELECT p.value FROM Parameters p, DomainServices ds " .
"WHERE ds.parameters_id = p.id AND ds.dom_id = $domainId AND p.parameter = 'domain_keys_sign'";

my $state;
if ($self->{dbh}->execute_rownum($sql)) {
$state = @{$self->{dbh}->fetchrow()}[0];
} else {
$self->{dbh}->finish();
return;
}
$self->{dbh}->finish();

my $domainKeysNode = XmlNode->new('domain-keys', 'attributes' => {'state' => $state });

if ($state) {
my $privateKey = $self->addTar("$domainName.sfdk.privatekey",
'directory' => '/etc/domainkeys/'.$domainName,
'include' => ['default']);

$domainKeysNode->setAttribute('private-key', $privateKey) if $privateKey;

$sql = "SELECT * FROM dns_recs WHERE dns_zone_id=$dnsZoneId AND displayHost='default._domainkey.$domainName.'";
if ($self->{dbh}->execute_rownum($sql)) {
while (my $ptrHash = $self->{dbh}->fetchhash()) {
chop $ptrHash->{'val'};
my $str = substr($ptrHash->{'val'}, 2);
$domainKeysNode->setAttribute('public-key', $str);
}
}
$self->{dbh}->finish();


}
$parent->addChild($domainKeysNode);
}

 

[IgorG]

Guys, we have submitted bugreport PPP-26713 regarding this issue. The fix is scheduled for one of nearest microupdate.

 

[Marco.Marco]

thanks so much, wanna know how we can get notified if the bug is fixed?

thanks

 

[IgorG]

how we can get notified if the bug is fixed?

Just check ChangeLog - https://docs.plesk.com/release-notes/17.0/change-log/

 

[Marco.Marco]

thanks so much for your kind reply!!

 

[themew]

Plesk Onyx Update 6 (November 14th) absolutely FIXES the DKIM issue!!! Tested on both http://dkimvalidator.com/ and http://mail-tester.com/ as well as verified through Google headers (they look so beautiful now).

Thank you Plesk Team and all other contributors to this thread.

 

[sergiomb]

yeah , I could also Use DKIM spam protection system to sign outgoing email messages , but to fix https://plesk.uservoice.com/forums/...bility-to-activate-dkim-and-domainkey-without , we need to know the public key ,
private are here /etc/domainkeys/yourdoamin/default . can you add public key or the dns record where we can apply in an extern dns ? anyway where is public key in linux centos 7 server ?

Thank you.

 

[themew]

yeah , I could also Use DKIM spam protection system to sign outgoing email messages , but to fix https://plesk.uservoice.com/forums/...bility-to-activate-dkim-and-domainkey-without , we need to know the public key ,
private are here /etc/domainkeys/yourdoamin/default . can you add public key or the dns record where we can apply in an extern dns ? anyway where is public key in linux centos 7 server ?

Thank you.

The DKIM public key is displayed in your Plesk DNS settings (even if you don't use the Plesk DNS, it's there.) Copy the DKIM signature from there to your external DNS server and you're done.

You can then retrieve or check it from here > http://dkimcore.org/tools/keycheck.html