Virtualmin does not include DKIM/SPF/DMARC information when an email is generated via the command line #785
Comments
Would you copy paste the separate script DirectAdmin created. |
Apologies but, as far as I can tell, there's an "old script" and a "new script," both of which I don't have access to as I don't use DirectAdmin ;) But the detailed instructions are at https://docs.directadmin.com/other-hosting-services/exim/configuring-exim.html#dkim-installation-guide and utilize Exim. The new method script is referenced at that URL so perhaps someone who has access to DirectAdmin can provide more details. The old method seems to be referenced in https://forum.directadmin.com/threads/configure-dkim-for-host-domain-com-email-addresses.59809/post-306301 and just refers to:
But https://forum.directadmin.com/threads/configure-dkim-for-host-domain-com-email-addresses.59809/post-309460 also notes:
|
Example: Ubuntu server
If everything is OK, you will see
Note that your DKIM record may need some time to propagate to the Internet's caching DNS servers. Depending on the domain registrar you use, your DNS record might be propagated instantly, or it might take up to 24 hours to propagate. You can go to https://www.dmarcanalyzer.com/dkim/dkim-check/ , enter your domain's DKIM selector, and enter your domain name, to check your DKIM record's DNS propagation time. If you see the
|
Wow! Thanks for the quick response! Results in mail.log:
Detailed report from appmaildev.com (all same issues):
Result of DKIM test:
So I commented out
The results of https://www.mimecast.com/products/dmarc-analyzer/dkim-check/ are: "Error: Unable to find a DKIM record." Thus, I will keep trying over the next 24 hours to see if there are any changes. As indicated above, the milters are the same; please let me know if you think
|
|
https://www.mimecast.com/products/dmarc-analyzer/dkim-check/ still shows "Error: Unable to find a DKIM record." (Edit: I am checking for DKIM Selector 202404 of host.sub.myservername.com; however, 202404 does show up for sub.myservername.com). Not sure I understand: are you suggesting there's something wrong in the DNS records? Because, as I mentioned, all other emails are being sent properly from, e.g., user_name1@sub.myservername.com, user_name2@sub.myservername.com, etc (EDIT: which are sent via host.sub.myservername.com). It is only when an email is generated by the mail command line that it fails.
EDIT: Here's the header from an email sent without issue:
|
Just to further clarify: this is the header of a cron email from a script that failed which was rejected by Gmail:
This is why Gmail said it rejected the email:
|
The error message says it requires either DKIM or SPF, or both, to pass, for
To enable SPF for |
Ah, that's my bad. I had added (which didn't work):
Just to confirm then: it should be |
Yes. One error in your SPF record is |
Ah, that makes sense and resulted from a straight copy/paste without close evaluation. But it makes me curious and shows my lack of understanding as to why the original TXT doesn't work. I thought
...was the proper way to include host. You're saying you need a separate TXT record for host. And apologies for being dense but I still don't understand then how to add a DKIM for host.sub.myservername.com. Let me know if you think it makes sense to open a new feature request that automatically adds DKIM, SPF, and DMARC records like DirectAdmin as I've got to imagine I'm not the only one who sees Gmail rejecting emails. I'll report back once propagation occurs. |
Interesting... so SPF now comes back as "Neutral" when verifying through https://www.appmaildev.com/:
But Gmail is still unhappy:
|
If you remove the leading |
Since each subdomain has to have its very own SPF record, there's no way to state in the |
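Added example, not part of the thread and not Virtualmin, Postfix or OpenDKIM code: a small Python check showing why mail from `host.sub.myservername.com` has no usable SPF or DKIM even though `sub.myservername.com` does, since each record is looked up at the exact name (the DKIM name is built from the `s=` and `d=` values seen in the opendkim log line). The TXT data, the key placeholder and the organizational domain `myservername.com` are constructed assumptions.

```python
# Constructed TXT data (not taken from the thread): records are published for
# the Virtualmin domain only, not for the host name that command-line mail uses.
ZONE = {
    "sub.myservername.com": ["v=spf1 a mx -all"],
    "202404._domainkey.sub.myservername.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    "_dmarc.sub.myservername.com": ["v=DMARC1; p=none"],
}

def txt(zone, name):
    """Return the TXT strings published at exactly this name."""
    return zone.get(name.lower().rstrip("."), [])

def has_spf(zone, domain):
    """SPF is read from the exact domain; a parent's record is never inherited."""
    recs = [r for r in txt(zone, domain) if r.lower().split(" ")[0] == "v=spf1"]
    return len(recs) == 1  # none -> no SPF result, several -> permerror

def has_dkim_key(zone, selector, domain):
    """The verifier fetches <selector>._domainkey.<d=> and needs a non-empty p=."""
    for rec in txt(zone, f"{selector}._domainkey.{domain}"):
        tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
        if tags.get("p"):
            return True
    return False

def has_dmarc(zone, domain, org_domain):
    """DMARC is read at _dmarc.<From domain>, then at the organizational domain."""
    for name in (f"_dmarc.{domain}", f"_dmarc.{org_domain}"):
        if any(r.lower().startswith("v=dmarc1") for r in txt(zone, name)):
            return True
    return False

def audit(zone, domain, selector, org_domain):
    """Report which of the three records a receiver could find for this domain."""
    return {
        "spf": has_spf(zone, domain),
        "dkim": has_dkim_key(zone, selector, domain),
        "dmarc": has_dmarc(zone, domain, org_domain),
    }

if __name__ == "__main__":
    # org_domain is an assumption; real receivers derive it from the Public Suffix List.
    for d in ("sub.myservername.com", "host.sub.myservername.com"):
        print(d, audit(ZONE, d, "202404", "myservername.com"))
```

Adding a TXT entry for `host.sub.myservername.com` to the constructed zone flips only the `spf` result; the DKIM lookup still needs its own `202404._domainkey.host.sub.myservername.com` record.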
And Gmail is now (kind of) happy as it passes SPF and DMARC - thank you!
|
Thank you for plowing thru til the solution! Bonus, To make your email pass DKIM also, just go to virtualmin and add " |
One of the troubleshooting steps I tried before the OP was to create " Many, many thanks! |
Nope... sadly, it appears that's not going to work. After doing this, I stopped receiving emails on all domains. According to the mail logs, it's attributable to an "unreasonable virtual_alias_maps map nesting" (whatever that means). For example, I sent a test mail from Gmail to one of my Virtualmin domains:
Once I deleted the host subdomain, the error disappeared and email came through properly. Thus, if there isn't a way to add DKIM to host without creating a subdomain for host, perhaps I'll just stick with SPF and DMARC being OK and leave it at that. |
That error |
Thanks. The challenge is that the error occurs when adding host as a subdomain. (I tried it on both servers and it happened both times.) So there's something Virtualmin doesn't like about adding host as a subdomain. |
Saw many errors like this in my mail.logs which I assume is related to what happens when adding host as a subdomain:
|
Virtualmin and Plesk might sometimes add the server's domain to both lists by default. It's redundant. |
Fair enough. Although Perhaps a feature request would be for Virtualmin to check postfix before adding. I'd imagine it shouldn't be hard to do with a regex. |
After 5 solid days of frustrating troubleshooting, I'm calling uncle.
I have 2 servers, both of which have issues assigning DKIM/SPF/DMARC information when an email is generated via the command line mail program. The Virtualmin domain is set up as "sub.myservername.com" with the hostname as "host." All emails are sent properly via Postfix (i.e., with valid DKIM/SPF/DMARC information) with normal email clients and they are also all sent correctly when I test using command line mail as "sub.myservername.com" instead of "host.sub.myservername.com". In other words, the following works properly:
echo "Test message - you know the drill" | mail -r "root <root@sub.myservername.com>" -s "Test Message" test-d1b79814@appmaildev.com
However, none of the DKIM/SPF/DMARC information is sent when an email is generated using command line mail (as sometimes occurs when an application sends an error report) which always seems to come from "root@host.sub.myservername.com" automatically. I haven't found a way to change the automatic email to come from, e.g., root@sub.myservername.com instead of root@host.sub.myservername.com. I even tried changing my /root/.mailrc to:
...but it doesn't make a difference and the command line emails are still sent from root@host.sub.myservername.com.
The use case: when certain errors occur on my servers, I have the error reports sent both to my Virtualmin accounts as well as Gmail accounts (in case I can't get access to the emails on Virtualmin because of the problem which has happened in the past). However, Gmail is rejecting those emails because:
In other words, Gmail is rejecting the emails because the command line script that sends the errors doesn't have a valid SPF or DKIM.
For example, using the excellent diagnostic tool at https://www.appmaildev.com/, I executed this at the command line:
echo "Test message - you know the drill" | mail -r "root <root@host.sub.myservername.com>" -s "Test Message" test-d1b79814@appmaildev.com
...which generated the following summary:
...and which generated the following detailed report:
When the email is sent, I can see in my syslog:
2024-04-16T17:07:12.515010-04:00 host opendkim[788]: 766B1673CB: DKIM-Signature field added (s=202404, d=host.sub.myservername.com)
My /etc/postfix/main.cf:
My /etc/postfix/master.cf:
My /etc/opendkim.conf:
My /etc/resolv.conf:
I see from https://forum.directadmin.com/threads/configure-dkim-for-host-domain-com-email-addresses.59809/ that "The default DNS zone host.domain.com that is added on install doesn't have the options out of the box to enable DKIM," and DirectAdmin has created a separate script to enable it. Is there something similar for Virtualmin? If not, any idea why Postfix won't properly attach this required information to command line emails? Thanks.