AZIvan

Q: DKIM sig missing from iOS using Server 5 originated messages only

Hi,

 

I have been testing out my new DKIM setup (many thanks to the kind folks at topic desk for the "Implementing DomainKeys/DKIM on OS X 10.8.x Mountain Lion server" guide...) and I see the DKIM signature on some messages and not on others when I receive my server's emails on Gmail. I have narrowed it down to iOS-originated messages, but only those from my own OS X Server 5 accounts.

 

Signed examples (as seen on a Gmail account (gmailacc1) using OS X Mail's Show Headers):

gmailacc2 to gmailacc1 from MACBOOK

gmailacc2 to gmailacc1 from iPhone

 

UNSIGNED examples (as seen on the Gmail account (gmailacc1) using OS X Mail's Show Headers):

serveracc1 to gmailacc1 from iPhone1

serveracc2 to gmailacc1 from iPhone1

 

In short, the DKIM signature is missing only from iOS devices, and only when the message originates from an account that my server hosts.

 

Setups:

iPhone1 on iOS 9.2

MacBook is on OS X El Capitan 10.11.2

Server is version 5.0.15

Server OS is OS X El Capitan 10.11.2

 

Header differences: (I do see that DKIM is still not working quite right, but that should not be causing this discrepancy; please advise if you disagree)

 

The following two lines are only in the MacBook-originated header:

 

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; h=
    x-mailer:mime-version:date:date:message-id:subject:subject
    :content-transfer-encoding:content-type:content-type:from:from
    :received:received; s=default; t=1451843424; x=1453657825; bh=vN
    aAS12lrLmuVbNt9e3bDfxq/890NGY77wOelrIV0cI=; b=LSGPeIY+vQvOHpOJk3
    ZwP8L5NkTgKtWKWrdRK8bBrcx90QV5+MkghM59IfHH5tD0M7OQ5Q9npCDj+rp7R7
    ZKEdLGm99Zy1Yj9c6swliTZ7MRyq4lZDUaxboZKoTvs9LCg63BsMQejgrQihsmS3
    W00In+uQUEGyflFMmqRNYI/xo=

dkim=fail header.i=@example.com;

 

Besides timestamp, sequence/CR, CR/LF and message-related differences there are a few modified lines (they seem insignificant to me):

 

iPhone:
Received: from [192.168.1.2] (server.example.com [123.456.789.123])
    by server.example.com (Postfix) with ESMTPSA id C5D641D5A69C
    for <gmailacc1@gmail.com>; Sun, 3 Jan 2016 10:50:24 -0700 (MST)
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (13C75)

MacBook:
Received: from [192.168.1.12] (unknown [192.168.1.12])
    by server.example.com (Postfix) with ESMTPSA id E20431D5A6A6
    for <gmailacc1@gmail.com>; Sun, 3 Jan 2016 10:50:24 -0700 (MST)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Mailer: Apple Mail (2.3112)

 

Any help would be greatly appreciated, thanks.

Mac mini (Late 2012), OS X Server, Latest rev of all SW/HW/Timecapsule

Posted on Jan 3, 2016 11:18 AM
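An added example, not from the question above and not part of Apple's software or amavisd, that reads headers like the ones quoted and reports, per message, whether a DKIM-Signature is present, which d=/s= it names, whether the signature has expired (the x= tag; the header above expires about 21 days after its t=), and the client address Postfix recorded on the authenticated submission hop (the Received line marked ESMTPSA), checked against a mynetworks list. That last check is why the submission path matters: amavisd signs only mail it treats as originating, which by default means mail from a client inside @mynetworks (the MYNETS policy bank) or mail arriving on a port whose interface policy marks it originating, and the iPhone Received line above shows its connection arriving from the server's own public address rather than from a LAN address. The two sample messages, the 203.0.113.5 placeholder address and the MYNETWORKS list are constructed for this example.

```python
import email
import ipaddress
import re
from email.message import Message

# Assumption: the LAN and loopback ranges amavisd would list in @mynetworks on
# the server in the question. Replace with your own $mynetworks / mynetworks.
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]

# Constructed samples patterned on the headers quoted above. The queue ids,
# bh=/b= values and the 203.0.113.5 "public address" are placeholders.
MACBOOK_MSG = """\
Received: from [192.168.1.12] (unknown [192.168.1.12])
    by server.example.com (Postfix) with ESMTPSA id E20431D5A6A6
    for <gmailacc1@gmail.com>; Sun, 3 Jan 2016 10:50:24 -0700 (MST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; h=
    x-mailer:mime-version:date:date:message-id:subject:subject
    :content-transfer-encoding:content-type:content-type:from:from
    :received:received; s=default; t=1451843424; x=1453657825; bh=PLACEHOLDER=;
    b=PLACEHOLDERSIGNATURE==
From: serveracc1@example.com
To: gmailacc1@gmail.com
Subject: test from MacBook

hello
"""

IPHONE_MSG = """\
Received: from [192.168.1.2] (server.example.com [203.0.113.5])
    by server.example.com (Postfix) with ESMTPSA id C5D641D5A69C
    for <gmailacc1@gmail.com>; Sun, 3 Jan 2016 10:50:24 -0700 (MST)
From: serveracc1@example.com
To: gmailacc1@gmail.com
Subject: test from iPhone

hello
"""


def parse_dkim_tags(value: str) -> dict:
    """Split a (possibly folded) DKIM-Signature value into tag=value pairs.
    Folding whitespace inside a value is insignificant (RFC 6376), so drop it."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def submission_hop(msg: Message):
    """Return the Received header Postfix added for the authenticated submission
    (it tags those hops ESMTPSA/ESMTPA), unfolded; None if there is none."""
    for received in msg.get_all("Received", []):
        if re.search(r"\bwith E?SMTPS?A\b", received):
            return " ".join(received.split())
    return None


def client_ip(received: str):
    """Pull the connecting client's address from '(name [ip])' in a Received header."""
    m = re.search(r"\(\S+ \[([0-9A-Fa-f.:]+)\]\)", received)
    return m.group(1) if m else None


def in_mynetworks(ip: str, networks=MYNETWORKS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def audit(raw: str, now: int, networks=MYNETWORKS) -> dict:
    """Report whether a message carries a DKIM signature, which key it names,
    whether that signature has expired (x= tag), and whether the submitting
    client would have looked 'local' (in @mynetworks) to amavisd."""
    msg = email.message_from_string(raw)
    hop = submission_hop(msg)
    ip = client_ip(hop) if hop else None
    report = {
        "client_ip": ip,
        "in_mynetworks": ip is not None and in_mynetworks(ip, networks),
        "signed": False,
        "domain": None,
        "selector": None,
        "expired": None,
    }
    sig = msg.get("DKIM-Signature")
    if sig:
        tags = parse_dkim_tags(sig)
        report.update(
            signed=True,
            domain=tags.get("d"),
            selector=tags.get("s"),
            expired="x" in tags and now > int(tags["x"]),
        )
    return report


if __name__ == "__main__":
    for name, raw in (("MacBook", MACBOOK_MSG), ("iPhone", IPHONE_MSG)):
        print(name, audit(raw, now=1452000000))
```

Run it against the raw source of a message saved from Gmail (File, Save As, raw) to see the three facts side by side; if the unsigned messages are exactly the ones whose submission hop is outside your mynetworks, the signing policy, not the client, is the place to look.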


  • FromOZ (Level 3, 545 points), Jan 3, 2016 4:05 PM, in response to AZIvan [Helpful]

    Hi - I've recently set up DKIM on my recently installed OS X 10.11.2 + OS X Server 5.0.15 system. Previously I was on Mavericks + Server 3.x but did a clean install.


    I found a website with information for setting up DKIM that I followed, with some slight changes, and it worked straight off.


    As you mentioned that you found a different result from an iOS device than from a Mac, I just tested my iPhone (I had tested with the Mac during setup) and it came out fine.


    There is actually a site you can email, and they send you back a very detailed analysis email. Here is the summary they send; this is the result from my iPhone test.

    The Port25 Solutions, Inc. team

     

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass
    Sender-ID check:    pass
    SpamAssassin check: ham


    Send an email to check-auth@verifier.port25.com and see what you get back. I can post a tutorial of how I did my setup if needed. It would be tomorrow.


    Let us know how you go with the test.

  • AZIvan (Level 1, 0 points), Jan 3, 2016 4:38 PM, in response to FromOZ

    Thanks so much for the response @FromOZ. This solved the DKIM issue from the MacBook: it indicated an invalid character (") and I found a double quote before the v=DKIM in the DNS TXT record and also one at the very end, so I deleted both. Thanks a bunch, the Port25 checker is a great resource. This fixed the email-from-MacBook issue.

     

    Here is what I get after fixing the DNS DKIM TXT record:

    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass <-- on Mac-generated email  &  neutral <-- on iPhone-generated email
    Sender-ID check:    pass
    SpamAssassin:       ham

     

    It also very much confirms that iOS is not sending signed messages (it says: neutral (message not signed)). I am digging into this but have no clues yet. Your offer of a tutorial tomorrow sounds great (I am sure many will appreciate it, as the one I mentioned has at least one change (a directory changed) needed to work in Server 5); sorry to trouble you for that. Unfortunately I have no idea if it's the account config on the phone or the server, or how they communicate, or if the iPhone needs some keys/certs.

     

    Thanks again

  • AZIvan (Level 1, 0 points), Jan 3, 2016 9:12 PM, in response to AZIvan

    I finally got it to work from another iOS device with DKIM signing. I took a different iPhone and restored it from scratch to iOS 9.2, then manually added one of my server's email accounts (none of them sign from my iPhone), and it is now sending emails that are signed from the restored iPhone.

     

    I still very much want to know what may be wrong with my iPhone setup, as I have gone as far as setting up a new account from scratch on the server and then on my iPhone, and it still does not DKIM sign while the new iPhone does. I really don't want to restore my main iPhone from scratch; any ideas?

     

    Thanks a bunch  

  • FromOZ (Level 3, 545 points), Jan 4, 2016 10:28 PM, in response to AZIvan [Helpful]

    I was going to ask you about your email client and server setup because, fundamentally, once this is set up on the server it should be active for all accounts on the server, or at the very least all accounts in the email domain (the one set up for DKIM; let's call it example.com for the purposes of the discussion), unless an account was specifically excluded (if that's possible). I did a straight baseline setup, so DKIM is active on my whole domain (example.com) and thereby on all accounts having an email address of user@example.com.


    After your last email, just for completeness, I ran a test of my iPhone connecting to my server from outside my local (home) LAN to send email. I don't know how your mail architecture is set up, but this is mine.


    I am using split-horizon DNS so for all devices/clients regardless of whether they are in the LAN or connecting remotely via the Internet they use DNS to resolve the (mail) server.


    Internally + Externally:

    =================

    client email --> server.example.com [Postfix/587] --> server.example.com [Amavis/10024] --> server.example.com [Postfix] --> External Mail Forwarder -> Onwards delivery


    I am using port 587 / SMTP Submission for client submission of email; on my firewall I have the external public DNS-resolved address for the MX at server.example.com mapped to the server's internal LAN address.


    So back to your situation: can you check why/how different client machines are connecting differently to mail running on your OS X Server.app machine? If you are using port 587 for email submission across the board, then all email for the domain you set up DKIM on (the mail domain set up on the mail service of your Server.app) should be processed via the same path.


    There is one setting in Amavis which I changed as part of the DKIM setup (I don't have the info to hand here) which I will advise when I post my setup. That may have some relevance.


    In the meantime, if you can, check the above on your site.


    Good luck!

  • FromOZ (Level 3, 545 points), Jan 4, 2016 1:12 PM, in response to AZIvan [Solved answer]

    Setting up DKIM on OS X 10.11.2 and OS X Server 5.0.15

     

    This is based on the information at https://classicyuppie.com/protecting-your-domain-with-spf-and-dkim/; I have expanded and clarified various points.

     

    Working Folder

    The standard folder location for mail in Server.app 5.x is:

     

    /Library/Server/Mail

     

    We will be making changes to Amavis in the following folder:

     

    /Library/Server/Mail/Config/amavisd

     

    Even though the commands use the full path to files you may find it helpful to change to that folder.

     

    Create the DKIM private key

    Notes:

    • This creates a 1024-bit RSA private key; a 2048-bit key can be made by appending a space then 2048 at the end of the command. I don't believe a 2048-bit key is strictly necessary.
    • The permissions are set to world readable. I don't believe that is desirable; you could try 640 and see how it works.

    sudo amavisd genrsa /Library/Server/Mail/Config/amavisd/dkim_key

    sudo chmod 644 /Library/Server/Mail/Config/amavisd/dkim_key

     

    Edit the amavisd.conf file

    Notes:

    • On the website this is shown as one line; I enter it as two for readability, as they are actually two commands.
    • This assumes the key file has the name and location created in the previous commands.
    • Enter the lines, replacing 'example.com' with your Internet-legal domain name.

    dkim_key('example.com', 'mail', '/Library/Server/Mail/Config/amavisd/dkim_key');

    @dkim_signature_options_bysender_maps = ( { '.' => { a => 'rsa-sha256', ttl => 30*24*3600, c => 'relaxed/relaxed' } } );

     

    Change the following line:

    $interface_policy{'10026'} = 'ORIGINATING';

    to:

    $interface_policy{'10024'} = 'MYNETS';

     

    I am not 100% sure of the purpose of this change; I believe it is to change the scope that the DKIM function will apply to.

     

    Save the amavisd.conf file and exit your editor.

     

    Generate the Public Key

    Run the following command

    sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys

    which will output the public key for the dkim_key private key you generated earlier. It will look something like this:

    ; key#1 1024 bits, i=mail, d=example.com, /Library/Server/Mail/Config/amavisd/dkim_key
    mail._domainkey.example.com. 3600 TXT (
      "v=DKIM1; p="
      "MIGfMA0GCSqGSIb3BQEBAQUA12345678iQKBgQDczdNsPrmwkI0spKJDEzhWuaEh"
      "MFwB4kIunu0E+yrAbcDeFgHiJkLmNoPQXPdpi0fWyONV0qQuzA3HGMfnsEo5OIO9"
      "vpV69I333333333333444444RtIarnpYlaB2a+5wRGfHlj61YhWdIjGrsh4IUztq"
      "edr3456789BBDDIDAQAB")

     

    Enter the DKIM DNS record

    The first line describes the public key: the key length, the domain it is for, etc. The second line is a DNS record in the format you would use if you were importing it into BIND; in our case we will (most likely) be entering it into the management screen of our external DNS provider. Each provider has a different screen, but the values below assume the provider auto-fills the domain portion of the DNS record, i.e. example.com. The lines of the TXT value are joined together into one line enclosed in double quotes.

     

    DNS Record Type: TXT
    TTL:  3600
    Key:  mail._domainkey
    Text: "v=DKIM1; p=MIGfMA0GCSqGSIb3BQEBAQUA12345678i [....] edr3456789BBDDIDAQAB"

     

    Restart the Amavis daemon

    You can either just restart the amavis daemon or restart the whole mail server.

    sudo ps aux | grep amavisd | grep master 

    sudo kill <PID#>

     

    Test the installation

    Send an email to check-auth@verifier.port25.com from different clients (Macs and iOS devices), and from both your LAN and the Internet. It will send you back a detailed email, but what you are looking for is DKIM check = pass in the summary at the top.

     

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass
    Sender-ID check:    pass
    SpamAssassin check: ham

     

    I also have SPF setup on my domain so it shows a pass on SPF check.
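An added example, not part of FromOZ's guide, of amavisd or of any DNS provider's tooling, that scripts the "Enter the DKIM DNS record" step of the procedure above and the check a practitioner wants before mailing the verifier: it joins the quoted chunks from `amavisd showkeys` into the single TXT value a provider form expects, parses a published value the way a verifier would, reports stray double quotes (the error that broke the first attempt in this thread) instead of hiding them, and sanity-checks the p= key: valid base64, a DER length that matches the decoded size (a key pasted with characters dropped or added fails here), the rsaEncryption OID, and the key size inferred from the DER length. Key size matters more than the guide suggests: RFC 8301 requires DKIM signers to use RSA keys of at least 1024 bits and recommends 2048. The sample showkeys text, the length table and the synthetic key builder are constructed for this example; a made-up modulus is not a usable key.

```python
import base64
import re

# DER size of an RSA SubjectPublicKeyInfo with e=65537 and a full-size modulus,
# which is what `amavisd genrsa` (OpenSSL underneath) emits. Heuristic only.
SPKI_LEN_TO_BITS = {162: 1024, 294: 2048, 550: 4096}
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

# Constructed sample in the layout `amavisd showkeys` prints (key shortened).
SAMPLE_SHOWKEYS = """\
; key#1 1024 bits, i=mail, d=example.com, /Library/Server/Mail/Config/amavisd/dkim_key
mail._domainkey.example.com. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ"
  "AAAA")
"""


def txt_value_from_showkeys(text: str) -> str:
    """Join the quoted chunks of BIND-style TXT output (amavisd showkeys, or
    `dig +short TXT`) into the single value a DNS provider's form expects."""
    chunks = re.findall(r'"([^"]*)"', text)
    if not chunks:
        raise ValueError("no quoted TXT chunks found")
    return "".join(chunks)


def parse_dkim_txt(txt: str):
    """Split a published DKIM TXT value into tags plus a list of problems.
    Stray quotes are reported, not silently dropped: a verifier will not drop
    them either, and they broke the first attempt in this thread."""
    issues = []
    if '"' in txt:
        issues.append("stray double quote in record")
    tags = {}
    for part in txt.replace('"', "").split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            issues.append(f"malformed tag {part!r}")
            continue
        key, val = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is allowed
    if "v" in tags and tags["v"] != "DKIM1":
        issues.append("v= must be DKIM1")
    if not tags.get("p"):
        issues.append("missing or empty p= (empty p= means the key is revoked)")
    return tags, issues


def inspect_public_key(p_value: str):
    """Check that p= decodes to something shaped like an RSA SubjectPublicKeyInfo:
    outer SEQUENCE whose declared length matches the decoded size, plus the
    rsaEncryption OID. Returns (key_bits_or_None, issues)."""
    try:
        der = base64.b64decode(p_value, validate=True)
    except ValueError as exc:
        return None, [f"p= is not valid base64: {exc}"]
    if len(der) < 2 or der[0] != 0x30:
        return None, ["DER does not start with a SEQUENCE"]
    if der[1] < 0x80:                      # short-form length
        hdr, body = 2, der[1]
    else:                                  # long form: 0x8N then N length bytes
        n = der[1] & 0x7F
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    issues = []
    if hdr + body != len(der):
        issues.append("DER length mismatch: key truncated or has extra characters")
    if RSA_OID_DER not in der:
        issues.append("rsaEncryption OID not found")
    bits = SPKI_LEN_TO_BITS.get(len(der))
    if bits is None and not issues:
        issues.append(f"unusual SPKI size ({len(der)} bytes); cannot infer key size")
    return bits, issues


def check_record(txt: str):
    """Parse a TXT value and inspect its key; returns (tags, key_bits, issues)."""
    tags, issues = parse_dkim_txt(txt)
    bits = None
    if tags.get("p"):
        bits, key_issues = inspect_public_key(tags["p"])
        issues += key_issues
    return tags, bits, issues


def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder, enough to build synthetic keys for testing."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return _tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def synthetic_p_value(bits: int) -> str:
    """Base64 p= for a made-up modulus of the given size (test input only;
    a made-up modulus is not a usable key pair)."""
    modulus = (1 << (bits - 1)) | 12345
    rsa_pub = _tlv(0x30, _der_int(modulus) + _der_int(65537))
    alg_id = _tlv(0x30, RSA_OID_DER + b"\x05\x00")
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))
    return base64.b64encode(spki).decode()


if __name__ == "__main__":
    print(txt_value_from_showkeys(SAMPLE_SHOWKEYS))
    print(check_record("v=DKIM1; p=" + synthetic_p_value(2048)))
    print(check_record('"v=DKIM1; p=' + synthetic_p_value(2048) + '"'))  # quoted by mistake
```

To check what you actually published, paste the output of `dig +short TXT mail._domainkey.example.com` (a list of quoted strings) into txt_value_from_showkeys and hand the result to check_record; an empty issues list and the key size you generated is what you want to see before mailing the Port25 verifier.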

  • AZIvan (Level 1, 0 points), Jan 4, 2016 8:32 PM, in response to FromOZ

    Wow @FromOZ, your guide is EXCELLENT. Thanks so much; I am sure others will also make good use of this guide.

     

    The steps are very similar, but there are definite differences from what I did, which I see as good news.

     

    Key differences (ignoring private key file name and directory differences, and ignoring that I used 'i=default' vs. 'i=mail') are:

    1. I made/left the private key in /var/db/dkim <-- unlikely to be an issue
    2. I made the permission 640 not 644 <-- unlikely to be an issue
    3. my DKIM options_by_sender_maps did not have the a => 'rsa-sha256' <-- I think this caused me some issues, but I can't remember for sure; maybe it was how my DNS record was set up. I'm surprised I got some DKIM-signed emails to pass.
    4. my DKIM options_by_sender_maps had ttl => 21*24*3600 vs. your 30*24*3600 <-- this is unlikely to be an issue
    5. my DKIM options_by_sender_maps had c => 'relaxed/simple' vs. 'relaxed/relaxed' <-- I need to read up on this one.
    6. I did not have the $interface_policy{'10024'} = 'MYNETS'; <-- I need to read up on this one; this one is a key suspect for my issues.

     

    If manual changes using my old keys/directories don't work, I will restore the originals of the files the server had before I used my method and then implement the flow fully as you outlined. LOL, I also like to cd into the directory.

     

    FYI update (before making the above changes): I have found my server's DKIM signing is very unpredictable. I do not get the signing now even from the MacBook or the from-scratch iPhone build, yet I have changed nothing on my server, Mac or DNS. Even the from-scratch iPhone setup stopped signing. I suspect propagation of changes allowed a window of signing to sneak by, but I can't fully explain every observation.

     

    Not sure how to thank you for all the time and effort you have put in to helping me, am deeply grateful.  Can't wait to make the changes and test it out tonight.

  • AZIvan (Level 1, 0 points), Jan 5, 2016 12:47 AM, in response to AZIvan

    DKIM appears to be working from Mac and iOS sources. I cleaned the setup by bringing back the original amavisd.conf with the original server settings and followed your instructions to the T, including setting up a new key and updating the GoDaddy DNS, and that seems to have resolved the issues.

     

    Few items:

     

    1) I did have to use 644, else I could not generate the public key (I was logged in as su). I have not tried going back to 640 but do agree with you that it makes way more sense for the private key. I think the following may help:

     

    sudo chown root:_amavisd /Library/Server/Mail/Config/amavisd/dkim_key

    sudo chmod 640 /Library/Server/Mail/Config/amavisd/dkim_key

     

    but I have not tried this.

     

    2) FYI for folks on GoDaddy: the TXT record does not use the double quotes; that was the first thing I learned from the checker you pointed me to. I wish all services would use the same formats/wildcards/keywords etc...

     

    3) I seem to be getting one detail from the checker at Port25 that has me confused (specifically the "message not signed" result):

    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result:         neutral (message not signed)
    ID(s) verified: header.From=user@example.com
    DNS record(s):

     

    Yet when I look at the headers on Gmail, I see my server has indeed signed the email. Are you also seeing this? By the way, the summary matches yours:

     

    ==========================================================
    Summary of Results
    ==========================================================
    SPF check:          pass
    DomainKeys check:   neutral
    DKIM check:         pass
    Sender-ID check:    pass
    SpamAssassin check: ham

     

    4) HAM details showing:

     

    ----------------------------------------------------------
    SpamAssassin check details:
    ----------------------------------------------------------
    SpamAssassin v3.4.0 (2014-02-07)

    Result:         ham  (-2.0 points, 5.0 required)

     pts rule name              description
    ---- ---------------------- --------------------------------------------------
    -0.0 SPF_PASS               SPF: sender matches SPF record
    -0.0 RP_MATCHES_RCVD        Envelope sender domain matches handover relay domain
    -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
                                [score: 0.0000]
    -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's
                                domain
     0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
    -0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature


    It's more negative; I think that is a good thing?

     

    Thanks again, best new years wishes!

  • FromOZ (Level 3, 545 points), Jan 5, 2016 12:56 PM, in response to AZIvan

    Hi

    3) I seem to be getting one detail from the checker at Port25 that has me confused (specifically the "message not signed" result):
    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result:         neutral (message not signed)
    ID(s) verified: header.From=user@example.com
    DNS record(s):

    Yet when I look at the headers on Gmail, I see my server has indeed signed the email. Are you also seeing this?


    It's OK, you're good; I see the same in the reply to my test email.

    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result:         neutral (message not signed)
    ID(s) verified: header.From=user@example.com
    DNS record(s):


    This is for DomainKeys, the original (proprietary) system set up by Yahoo, which morphed into, and is different from, the open source DKIM. The setup I documented does not include DomainKeys, and I really don't believe it's necessary to have both. Obviously DKIM provides the necessary functionality.


    If you are seeing the summary results you posted from emailing via multiple client devices inside your LAN and the Internet then you are good to go!

  • FromOZ (Level 3, 545 points), Jan 5, 2016 2:21 PM, in response to AZIvan

    Huh - the forum software didn't show my first post, even after multiple refreshes, so I thought it had been trashed; I did it again and the first one appeared. Go figure.

  • AZIvan (Level 1, 0 points), Jan 5, 2016 4:57 PM, in response to FromOZ

    I also noticed the forum site acting weird today; I wanted to mark helpful items and what solved it, but could not see the markings and sometimes could not mark "this helped". But it looks like it did log the ticks on "helped" and on "this solved it".

     

    Anyway, thanks again for the help; I could not have done it without your excellent OS X Server 5 mail DKIM guide and all your super clear details/descriptions.

     

    By the way, I am using a free account at dmarcian to see how my email traffic is behaving at other mail servers, thanks to DMARC pointing to dmarcian. I really like the service and its support of the little guys; hoping my mails stop going into the junk folders.

     

    Thanks and best wishes.

  • Edkroket from AMSD (Level 1, 8 points), Apr 1, 2016 4:29 AM, in response to FromOZ

    It does not show that the message was signed with DKIM?

    Why not? Is it only neutral without a signature?