psa-pc-remote: Error during 'dd51-domainkeys' handler

[Greg Sims]

TITLE:

psa-pc-remote: Error during 'dd51-domainkeys' handler​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

Plesk 12.5.30 Update #61 on CentOS 7​

PROBLEM DESCRIPTION:

We recently moved from RHEL 6/Plesk to the software stated above. We Did Not Use the migration tools provided in Plesk. We built the system one domain at a time on a fresh OS and Plesk install.

We enabled SPF and Domainkeys on our production domain. We ran Port25 which resulted in clean status for both SPF and Domainkeys. Everything is working well so far.

We have an email subscription list of over 20,000 members which is managed by Plesk/mailman. We send subscription email each morning to all of our members through mailman. Domainkeys is not working with mailman generated email.

We are seeing the following in our maillogs:

Mar 17 02:35:05 ray06 dk_sign[13876]: DK_STAT_SYNTAX: Message is not valid syntax. Signature could not be created/checked
Mar 17 02:35:05 ray06 /usr/lib64/plesk-9.0/psa-pc-remote[1535]: Error during 'dd51-domainkeys' handler

These error log entries happen for each message group (one message body and a group of email addresses) that is processed by Postfix. I discussed this with a mailman developer. They believe the software you are using for Domainkeys is not processing the email headers from mailman correctly and issuing these log messages as a result. It would be good to have feedback from Plesk development if this scenario matches when these log messages would be issued by dk_sign and psa-pc-remote.​

STEPS TO REPRODUCE:

1) enable SPF and Domainkeys
2) verify step 1) with Port25 -- should receive clean status
3) review the headers of the email that is sent
4) review /var/log/maillog does not have error logs described above
5) enable mailman for a domain, create a mailman list and add a couple of email addresses
6) send an email to mailman to be forwarded to the distribution
7) review the headers of the email sent by mailman
8) review /var/log/maillog
9) notice that Domainkeys does not pass in this scenario​

ACTUAL RESULT:

Error records described above in the maillog.

Domainkey errors for email sent from mailman.​

EXPECTED RESULT:

No error records in /var/log/maillog

Domainkeys Pass for email sent by mailman​

ANY ADDITIONAL INFORMATION:

This is a high priority issue for us as we do not have a way to generate clean Domainkey results for our 20K+ daily email distribution. We are using CentOS 7 and Plesk install software exclusively. Also note that this all worked on our RHEL 6 server and now it does not.

Thank you for looking into this! Greg​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[Greg Sims]

I interacted with a core developer of mailman. He said,

I think that the issue is outbound mail from your lists cannot be DKIM signed because whatever is doing the DKIM signing is looking at the domain of the From: header as the domain to sign with and that domain is not known to the DKIM signer. You have to configure your DKIM signer to look first for a List-Post: header, then to Sender: and last to From: for the domain to sign.
​

I hope this combined with an understanding of why we are seeing the errors in maillog will yield an understanding of root cause.

 

[IgorG]

Thank you. Forwarded to developers.

 

[IgorG]

Bug confirmed as PPPM-5476

 

[Greg Sims]

We received over 9,000 of these errors in our maillog this morning. The good news is the email is sent after the error. The bad news is our email logging does not match the reality of our outbound email traffic. We are sending many more emails than are being logged.

We are missing a large number of "status=sent" entries in our maillogs. Please note that each email is sent with a unique From address (VERP). This means the distribution list size in postfix always is one. Could it be that the "status=sent" is not logged in /var/log/maillog in the presence of the DK_STAT_SYNTAX error?