DKIM and DMARC for built-in outgoing mail

girish

This is fixed in 3.5.4 now.

ruben

I experienced the same issue today on a fresh new installation v4.0.0:

2019-05-10T11:54:20.000Z [INFO] [-] [core] [outbound] Sending email as a transaction
2019-05-10T11:54:20.000Z EACCES: permission denied, open '/app/haraka-config/config/dkim/mydomain.net/private'
2019-05-10T11:54:20.000Z [NOTICE] [-] [dkim_sign] skipped: no private key for mydomain.net
2019-05-10T11:54:20.000Z [INFO] [-] [core] [outbound] Processing delivery for domain: mail-tester.com

so it seems that this bug is still out there...

murgero

@ruben 4.0.0 is out? how do I install? my cloudron checks for updates but says it's up to date??

subven

@ruben did you checked if the file exists? What are the file permissions/owner/group? Does the file contains a certificate? With cloudron 4.X.X you have the ability to re-setup DNS (maybe this fixes the issue?). What about renewing all certs (--> Domain)?

@murgero cloudron is at v4.0.3 at the moment. Do you use a custom hoster image? I'm on a netcup image and the message popped up today. You're off topic by the way...

murgero

This post is deleted!

ruben

@subven yes, the file exists. These are the permissions:

drwxr-xr-x 2 yellowtent yellowtent 4096 May 10 10:33 ./
drwxr-xr-x 4 yellowtent yellowtent 4096 May 10 11:27 ../
-rw------- 1 yellowtent yellowtent  887 May 10 10:33 private
-rw-r--r-- 1 yellowtent yellowtent  272 May 10 10:33 public
-rw-r--r-- 1 yellowtent yellowtent    8 May 10 10:33 selector

The DKIM-signing works after a chmod 777 private but I don't think that 's a sustainable solution.

The 'renew all certs'-button does not seem te renew my certificates.
My DNS-setup is 'wildcard', so I don't think it 's possible to re-setup dns?

I just added an extra domain (with cloudron 4.0.3) and it results in the same permissions:

drwxr-xr-x 2 yellowtent yellowtent 4096 May 17 06:54 ./
drwxr-xr-x 5 yellowtent yellowtent 4096 May 17 06:54 ../
-rw------- 1 yellowtent yellowtent  887 May 17 06:54 private
-rw-r--r-- 1 yellowtent yellowtent  272 May 17 06:54 public
-rw-r--r-- 1 yellowtent yellowtent    8 May 17 06:54 selector

girish

@clouddaz @ruben @subven Any of you still facing this issue? I would love to get to the bottom of this since I thought this got fixed, but clearly hasn't.

doomilation

@girish Hi, I can confirm that this issue is still there with 2 domains.
Unfortunately I didn't check after a fresh install and just 1 domain.

ruben

@girish I had already deleted my test-setup; so I just set up a new one from scratch at scaleway. It results in the same errors and permissions as above.

girish

@ruben Thanks. Can you tell me which DNS provider you are using? Let me try to reproduce the bug with that backend.

ruben

@girish I’m using the wildcard DNS-option.

girish

@ruben thanks, I was able to reproduce the issue. It is related to the ubuntu image on scaleway. We relied on the user id to match between the host OS and the container. For some reason, adding a new user on scaleway starts from uid 1001 instead of 1000. Looking into a fix.

girish

A fix for now is to just run chmod +r /home/yellowtent/boxdata/mail/dkim/*/private.

As for certs for renewing, @ruben do you have incoming port 80 open on your server? The cert issue is not related to dkim keys.

girish

This is fixed now in 4.1 (which will get released next week or so)

ruben

@girish Nice! Will definitely try again after the release.

subven

I can confirm that this is finally fixed now

pintudason

DMARC is about email security. Traditionally this was about inbound protection, where DMARC can be used. Though, DMARC is more about outbound email protection.