I have configured a new email server for my company. We are using a cloud server on theplanet.com and shared hosting on bluehost.com. I configured the server using iRedMail; all works great, but when I try to test the DKIM keys with amavisd testkeys it returns:
TESTING#1: dkim._domainkey.mydomain.com => invalid (public key: not available)
I set the DNS record in the DNS panel on Bluehost:
name: mail._domainkey
type: txt
value:"v=DKIM1; p=MIGfM......"
When I try to validate via auth@verifier.port25.com it returns:
DKIM check details:
----------------------------------------------------------
Result: permerror (key "dkim._domainkey.mydomain.com" doesn't exist)
Please help me with this error
You created a DNS record of mail._domainkey.mydomain.com, but your DKIM signer is using a selector of dkim, therefore it's looking up dkim._domainkey.mydomain.com. If you rename the DNS record so that they match up, it should work.
I have Keycloak running in a Kubernetes cluster. Authentication works but I need to set up e-mail to be able to send e-mails for verification and password reset.
I have SendGrid set up as an SMTP relay. These settings (host, port and API key) work when I send mail using the SendGrid Java client. However, when pressing Test connection in Keycloak I get:
[Error] Failed to load resource: the server responded with a status of 500 ()
[Debug] Remove message (services.js, line 14)
[Debug] Added message (services.js, line 15)
[Error] Can't find variable: error
https://<domain>/auth/resources/ong8v/admin/keycloak/js/controllers/realm.js:76 – "Possibly unhandled rejection: {}"
[Debug] Remove message (services.js, line 14)
There isn't much to go on here. I have an e-mail address set up for the currently logged in user. I've also tried resetting the password in case the Test connection functionality was broken but that didn't work either.
The Realm Settings used for email are as follows:
host: smtp.sendgrid.net
port: 587
from: test@<domain>
Enable StartTLS: true
Username: "apikey"
Password: <api key>
Any idea what can be wrong? Or how to find out? For instance, maybe I can get a more meaningful error message somehow.
Edit:
I got the server logs.
Failed to send email: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: smtp.sendgrid.net, 587; timeout 10000;
nested exception is: java.net.SocketTimeoutException: connect timed out
Edit 2:
I've tried sending mail using Telnet using the exact same settings and that works. So apparently it's something with Keycloak or its underlying Java libraries that's causing issues sending e-mail.
Turns out that Keycloak works and that emails were blocked by the hosting provider.
I just set up our domain a couple of weeks ago to use SPF and DMARC, but no DKIM at the moment. But every now and then I receive a DMARC failure report from LinkedIn:
This is an email abuse report for an email message received from IP 213.160.4.146 on Tue, 16 Jul 2019 12:34:26 +0000.
The message below did not meet the sending domain's dmarc policy.
The message below could have been accepted or rejected depending on policy.
For more information about this format please see http://tools.ietf.org/html/rfc6591 .
Feedback-Type: auth-failure
User-Agent: Lua/1.0
Version: 1.0
Original-Mail-From:
Original-Rcpt-To: messages-noreply@linkedin.com
Arrival-Date: Tue, 16 Jul 2019 12:34:26 +0000
Message-ID: <5cd…8b2f@SR-EXC.biv.local>
Authentication-Results: dmarc=fail (p=none; dis=none) header.from=biv-ot.org
Source-IP: 213.160.4.146
Delivery-Result: delivered
Auth-Failure: dmarc
Reported-Domain: biv-ot.org
But I can't detect any error: the IP address and domain match our MX record, which is included in the SPF entry. Also, the referenced RFC 6591 doesn't include the auth failure type "dmarc". I get this mail roughly once a week, and no other server has ever sent me a DKIM failure report. Any idea what's wrong?
DNS Entries:
biv-ot.org:
MX: mail.biv-ot.org
A: 148.251.171.224
SPF: v=spf1 a mx include:ot-live.zms.hosting a:mout.kundenserver.de ~all
DMARC: v=DMARC1; p=none; ruf=mailto:…; fo=s
mail.biv-ot.org:
A: 213.160.4.146
This behavior is often witnessed with automated responses, such as NDRs and Out of Office replies, from mail servers, as described in the Simple Mail Transfer Protocol (SMTP) RFC, section 4.5.5.
In these cases the smtp.mailfrom field is empty and in most SPF implementations the check falls back to checking the HELO identity (recommended), as described in the SPF RFC, section 2.4.
Even if you create an SPF record for the HELO identity, you may still fail DMARC (on SPF) because of misalignment, if the HELO identity does not share the organizational domain of Header.From address.
In your specific case, the HELO identity would be assumed as postmaster@firewall.biv-ot.org and the reported domain (Header.From) is set to: biv-ot.org. This means that publishing an SPF record for firewall.biv-ot.org would solve your issue.
Also note: You only publish a ruf= address in your DMARC policy. Almost no mailbox providers send forensic/failure reports, so it is not wise to rely on only these reports to judge whether or not your email authentication practices are in a good state.
These blogs by Dmarcian and Valimail outline why these forensic / failure reports are so scarce.
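An added illustration of the answer above (not code from the answerer): a simplified SPF evaluator run against a constructed DNS table built from the records quoted in the question, showing that an empty MAIL FROM makes SPF check postmaster@<HELO>, and how relaxed versus strict DMARC alignment treats the HELO name the answer assumes (firewall.biv-ot.org). The organizational domain is approximated as the last two labels, and the include: and mout.kundenserver.de targets, which are not on the page, resolve to nothing.

```python
import ipaddress

# Constructed DNS table built from the records quoted in the question; the include:
# target and mout.kundenserver.de are not on the page, so here they resolve to nothing.
DNS = {
    ("biv-ot.org", "TXT"): ["v=spf1 a mx include:ot-live.zms.hosting a:mout.kundenserver.de ~all"],
    ("biv-ot.org", "MX"): ["mail.biv-ot.org"],
    ("biv-ot.org", "A"): ["148.251.171.224"],
    ("mail.biv-ot.org", "A"): ["213.160.4.146"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, dns):
    """Simplified SPF evaluation: a, mx, ip4, include and all; other mechanisms never match."""
    records = [r for r in dns.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if not records:
        return "none"                        # nothing published for this identity
    for term in records[0].split()[1:]:
        qual, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.partition(":")
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = ip in dns.get((arg or domain, "A"), [])
        elif mech == "mx":
            hit = any(ip in dns.get((mx, "A"), []) for mx in dns.get((arg or domain, "MX"), []))
        elif mech == "include":
            hit = spf_check(arg, ip, dns) == "pass"
        else:
            hit = False
        if hit:
            return QUALIFIERS[qual]
    return "neutral"                         # fell off the end of the record

def org_domain(name):
    """Organizational domain approximated as the last two labels (assumption: no PSL lookup)."""
    return ".".join(name.lower().split(".")[-2:])

def dmarc_spf(mail_from, helo, header_from, ip, dns=DNS, aspf="r"):
    """Identity SPF evaluates for this message, its result, and whether it aligns for DMARC."""
    identity = mail_from or f"postmaster@{helo}"   # empty MAIL FROM: fall back to the HELO name
    spf_dom, from_dom = identity.split("@")[1], header_from.split("@")[1]
    result = spf_check(spf_dom, ip, dns)
    aligned = spf_dom == from_dom if aspf == "s" else org_domain(spf_dom) == org_domain(from_dom)
    return {"identity": identity, "spf": result, "aligned": aligned,
            "dmarc_spf_pass": result == "pass" and aligned}
```

A bounce with an empty MAIL FROM from firewall.biv-ot.org aligns under the default relaxed mode but has no SPF record to pass, which is exactly the dmarc=fail in the report; adding a record for the HELO name turns it into a pass.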
Puzzling problem sending emails from one server to another.
Sending from Server-01 pr@example.camp TO Server-02 eman@example.edu.au
Server-02 bounces with sender verify fail for <pr@example.camp>: Unrouteable address
On Server-02 running dig MX example.camp resolves fine with:
;; ANSWER SECTION:
mus.camp. 2869 IN MX 10 server01-aus.emanwebdesign.com.
mus.camp. 2869 IN MX 0 server01-aus.emanwebdesign.com.
;; AUTHORITY SECTION:
mus.camp. 2869 IN NS ns10.domaincontrol.com.
mus.camp. 2869 IN NS ns09.domaincontrol.com.
Also, from Server-02 I can telnet into port 25 of mus.camp and verify the existence of the email address (pr@...).
Any clues as to why Exim's sender verify is failing?
Edit
exim -bvs pr@example.camp returns
pr@example.camp failed to verify: Unrouteable address
Worked out the problem was that the mus.camp domain was originally hosted on Server-02 but then moved to Server-01. Server-02, however, was still trying to look up the email address within itself instead of going to Server-01.
To solve the problem I deleted the mail and dns records from Server-02. (using VestaCP).
Hello,
I'm trying to set up a 3rd-party domain for my mail server, and so far I've struggled to make it out of the spam folder with my sent messages. And it's a whole other story with Hotmail, which blacklists my whole server. My DNS records are externally hosted at another registrar, and so far I've managed to pass some tests (SPF tests) when sending mails to check-auth@verifier.port25.com. However, I cannot seem to pass the DKIM test, where I get permerror. Here's what I did to set it up: I went to cPanel > Email > Authentication and copied the DKIM record as shown on the page to a DNS entry at my registrar:
default_domainkey # example.com TXT ...
Here's the DKIM report on auth25:
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: permerror (invalid key: error reading public key: 139806656485120:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:142:;139806656485120:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:;139806656485120:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_PUBKEY;)
ID(s) verified:
Canonicalized Headers:
message-id:<8e56704aed7b951ff8fadb1233971857@example.com>'0D''0A'
subject:TEST'0D''0A'
to:check-auth@verifier.port25.com'0D''0A'
from:salwa.fawzi@example.com'0D''0A'
date:Fri,'20'04'20'Dec'20'2015'20'10:56:30'20'+0100'0D''0A'
content-transfer-encoding:7bit'0D''0A'
content-type:text/plain;'20'charset=US-ASCII;'20'format=flowed'0D''0A'
mime-version:1.0'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=example.com;'20's=default;'20'h=Message-ID:Subject:To:From:Date:'20'Content-Transfer-Encoding:Content-Type:MIME-Version;'20'bh=q5cyARPl5zX/knmvCnEy11G7/r6gcljJ44qrvv5DErY=;'20'b=;
Canonicalized Body:
TEST'0D''0A'
DNS record(s):
default._domainkey.example.com. 86400 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+INdfCMRWPx4Kr2vYS+S11VcN/7GGUBt9ZSgEJQCtesw0v4xFlNjA2N1N+ymshVZOPB76dhzd7CWb2YTYiUl5TjzM69Dp15KSDu5kQNwX/MaIHSNkWlnz+3AcdRG5rCwDxKkWiPlTDREz8bFdIY1+3UZbetZhq70+NQPYjMZHn69KzOnNrYraZ6es5nVDFVJi"
If anybody has experience setting up mail servers on cPanel/WHM, I would really appreciate their help.
This:
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+INdfCMRWPx4Kr2vYS+S11VcN/7GGUBt9ZSgEJQCtesw0v4xFlNjA2N1N+ymshVZOPB76dhzd7CWb2YTYiUl5TjzM69Dp15KSDu5kQNwX/MaIHSNkWlnz+3AcdRG5rCwDxKkWiPlTDREz8bFdIY1+3UZbetZhq70+NQPYjMZHn69KzOnNrYraZ6es5nVDFVJi
is not a valid DKIM public key. How did you generate this value?
I am testing my mail server's DKIM and SPF settings with the Port25 auth test.
SPF is perfect, but my DKIM doesn't work. Here is the error:
----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: permerror (key "default._domainkey.pokesharp.com" doesn't exist)
ID(s) verified:
Canonicalized Headers:
message-id:<4b811ef394a3840c888aaf70e625190c@pokesharp.com>'0D''0A'
subject:123'0D''0A'
to:check-auth@verifier.port25.com'0D''0A'
from:admin@pokesharp.com'0D''0A'
date:Mon,'20'12'20'Aug'20'2013'20'10:38:04'20'-0400'0D''0A'
mime-version:1.0'0D''0A'
dkim-signature:v=1;'20'a=rsa-sha256;'20'q=dns/txt;'20'c=relaxed/relaxed;'20'd=pokesharp.com;'20's=default;'20'h=Message-ID:Subject:To:From:Date:MIME-Version;'20'bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;'20'b=;
Canonicalized Body:
DNS record(s):
default._domainkey.pokesharp.com. TXT (NXDOMAIN)
NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
Although, in my DNS, I do have "default._domainkey" IN TXT 14400 with value:
"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjUEWGRzEyKE0GcoICtp4bAKhrIjG8zubaDBV8MJSEO49nJHPk8zTJNFYmFBaMX0GVwxstam3C231TedkiRBk5RQ32lOqiaHW/PGpYqGrdE95arh8floBinkcVCqwnodUMBizDLh0rZvdOf+lElQAf0nBFL0X2EhGDC4IlEYpu7QIDAQAB;"
I don't quite understand why it doesn't see it. (I'm using cPanel/WHM)
Thank you very much!
Is it possible that it was just propagation delays? If I query your DNS now, I get your DKIM public key (see below). Are you still getting the same results from the port25 verifier?
mti2935@basement:~$ nslookup -q=TXT default._domainkey.pokesharp.com
Server: 75.75.75.75
Address: 75.75.75.75#53
Non-authoritative answer:
default._domainkey.pokesharp.com text = "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjUEWGRzEyKE0GcoICtp4bAKhrIjG8zubaDBV8MJSEO49nJHPk8zTJNFYmFBaMX0GVwxstam3C231TedkiRBk5RQ32lOqiaHW/PGpYqGrdE95arh8floBinkcVCqwnodUMBizDLh0rZvdOf+lElQAf0nBFL0X2EhGDC4IlEYpu7QIDAQAB\;"
Authoritative answers can be found from:
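The three DKIM outcomes seen in the threads on this page (a signature whose selector does not match the published record name, a p= value that was cut short, and a key that verifies) reproduced in one added check script; this is not code from any of the posters. It assumes an in-memory table standing in for DNS, populated with the two TXT values quoted above, and reads only the outer DER length of the key, which is the check behind the "too long" error in the cPanel report.

```python
import base64

# Constructed stand-in for DNS: the two TXT records quoted in the threads
# above, keyed by the name a verifier queries (selector._domainkey.domain).
ZONE = {
    "default._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+INdfCMRWPx4Kr2vYS+S11VcN/7GGUBt9ZSgEJQCtesw0v4xFlNjA2N1N+ymshVZOPB76dhzd7CWb2YTYiUl5TjzM69Dp15KSDu5kQNwX/MaIHSNkWlnz+3AcdRG5rCwDxKkWiPlTDREz8bFdIY1+3UZbetZhq70+NQPYjMZHn69KzOnNrYraZ6es5nVDFVJi",
    "default._domainkey.pokesharp.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjUEWGRzEyKE0GcoICtp4bAKhrIjG8zubaDBV8MJSEO49nJHPk8zTJNFYmFBaMX0GVwxstam3C231TedkiRBk5RQ32lOqiaHW/PGpYqGrdE95arh8floBinkcVCqwnodUMBizDLh0rZvdOf+lElQAf0nBFL0X2EhGDC4IlEYpu7QIDAQAB;",
}


def parse_tags(value):
    """Split a DKIM tag=value list (works for the signature header and the TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # DKIM ignores folding whitespace
    return tags


def der_total_length(der):
    """Bytes a DER SEQUENCE claims to span, read from its tag and length header."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                       # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_key(dkim_signature, zone=ZONE):
    """Resolve the selector a signature names and sanity-check the published key."""
    sig = parse_tags(dkim_signature)
    name = f"{sig['s']}._domainkey.{sig['d']}"
    txt = zone.get(name)
    if txt is None:                         # selector mismatch or missing record
        return {"name": name, "result": "permerror", "reason": "key doesn't exist"}
    p = parse_tags(txt).get("p", "")
    if len(p) % 4 == 1:                     # dangling base64 character: the value was cut short
        p = p[:-1]
    der = base64.b64decode(p + "=" * (-len(p) % 4))
    need = der_total_length(der)
    if need is None or need > len(der):     # what OpenSSL reports as "too long"
        return {"name": name, "result": "permerror", "reason": "invalid key",
                "have": len(der), "need": need}
    return {"name": name, "result": "pass", "key_bytes": len(der)}
```

The cut-short cPanel record declares a 294-byte SubjectPublicKeyInfo but only 177 bytes decode, while the pokesharp.com record is a complete 162-byte 1024-bit RSA key.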