Solved DKIM and DMARC for built-in outgoing mail

clouddaz

Outgoing mail from the built in email solution does not have a DKIM signature or a DMARC signature.
Is this possible to enable or configure?

girish

@clouddaz Outbound mails should already have DKIM signature. Can you send a test mail to https://www.mail-tester.com/ and send us the report?

girish

Also, Email -> Status. Are all the check marks green?

clouddaz

@girish, yes they are all green.

girish

@clouddaz If you can send a test mail to test@cloudron.io (you can do this from email -> status -> send test mail), I can inspect the headers.

clouddaz

I've just sent it, but don't be surprised if it turns up in your spam folder. Thanks in advance for checking.

clouddaz

And I just noticed:

Feb 14 01:02:24 [INFO] [-] [core] [outbound] Sending email as a transaction
Feb 14 01:02:24 [NOTICE] [-] [dkim_sign] skipped: no private key for lily.dmnw.net
Feb 14 01:02:24 [INFO] [-] [core] [outbound] Processing delivery for domain: cloudron.io
Feb 14 01:02:24 EACCES: permission denied, open '/app/haraka-config/config/dkim/lily.dmnw.net/private'

girish

@clouddaz That does indeed seem like the problem.

On the server: Go to the directory /home/yellowtent/boxdata/mail/dkim/<domain>. It should have the public/private DKIM keys. Are they present? If they are present, then chown -R yellowtent:yellowtent /home/yellowtent/boxdata/mail/dkim and then go to services -> mail and restart it.

If they are not present, let me know, we have to see why they are not present (they are created at domain addition time).

clouddaz

Yes both DKIM keys are present. chown and mail restart were completed but still no DKIM or DMARC signing. This is the first domain (hostname) not a subsequent added domain, if that helps.

girish

@clouddaz Can you give us SSH access so I can debug the issue? Support -> Enable Remote support. Thanks!

subven

I have the same issue on my cloudron (standard plan). All checkmarks at SMTP Status are green. I use Mailjet (free account) at the moment to get around this issue.

2019-02-26T21:12:32.000Z EACCES: permission denied, open '/app/haraka-config/config/dkim/*****.******/private'
2019-02-26T21:12:32.000Z [NOTICE] [-] [dkim_sign] skipped: no private key for *****.******

cloudron@h2812623:/home/yellowtent/boxdata/mail/dkim/*****.******$ ll
total 20
drwxr-xr-x 2 yellowtent yellowtent 4096 Jan  9 07:29 ./
drwxr-xr-x 3 yellowtent yellowtent 4096 Dez  8 23:13 ../
-rw------- 1 yellowtent yellowtent  891 Dez  8 23:13 private
-rw-r--r-- 1 yellowtent yellowtent  272 Dez  8 23:13 public
-rw-r--r-- 1 yellowtent yellowtent    8 Dez  8 23:13 selector

@girish please let us know if you figure out what causes this behavior.

subven

I noticed that some folders maybe have wrong permissions. "cloudron" is the user I used to install Cloudron (with sudo) on the server.

Most of the folders/files under /home/yellowtent are owned by yellowtent, some by root and a small percentage is owned by cloudron. Could this result in the error we see?

girish

This is fixed in 3.5.4 now.

ruben

I experienced the same issue today on a fresh new installation v4.0.0:

2019-05-10T11:54:20.000Z [INFO] [-] [core] [outbound] Sending email as a transaction
2019-05-10T11:54:20.000Z EACCES: permission denied, open '/app/haraka-config/config/dkim/mydomain.net/private'
2019-05-10T11:54:20.000Z [NOTICE] [-] [dkim_sign] skipped: no private key for mydomain.net
2019-05-10T11:54:20.000Z [INFO] [-] [core] [outbound] Processing delivery for domain: mail-tester.com

so it seems that this bug is still out there...

murgero

@ruben 4.0.0 is out? how do I install? my cloudron checks for updates but says it's up to date??

subven

@ruben did you checked if the file exists? What are the file permissions/owner/group? Does the file contains a certificate? With cloudron 4.X.X you have the ability to re-setup DNS (maybe this fixes the issue?). What about renewing all certs (--> Domain)?

@murgero cloudron is at v4.0.3 at the moment. Do you use a custom hoster image? I'm on a netcup image and the message popped up today. You're off topic by the way...

murgero

This post is deleted!

ruben

@subven yes, the file exists. These are the permissions:

drwxr-xr-x 2 yellowtent yellowtent 4096 May 10 10:33 ./
drwxr-xr-x 4 yellowtent yellowtent 4096 May 10 11:27 ../
-rw------- 1 yellowtent yellowtent  887 May 10 10:33 private
-rw-r--r-- 1 yellowtent yellowtent  272 May 10 10:33 public
-rw-r--r-- 1 yellowtent yellowtent    8 May 10 10:33 selector

The DKIM-signing works after a chmod 777 private but I don't think that 's a sustainable solution.

The 'renew all certs'-button does not seem te renew my certificates.
My DNS-setup is 'wildcard', so I don't think it 's possible to re-setup dns?

I just added an extra domain (with cloudron 4.0.3) and it results in the same permissions:

drwxr-xr-x 2 yellowtent yellowtent 4096 May 17 06:54 ./
drwxr-xr-x 5 yellowtent yellowtent 4096 May 17 06:54 ../
-rw------- 1 yellowtent yellowtent  887 May 17 06:54 private
-rw-r--r-- 1 yellowtent yellowtent  272 May 17 06:54 public
-rw-r--r-- 1 yellowtent yellowtent    8 May 17 06:54 selector

girish

@clouddaz @ruben @subven Any of you still facing this issue? I would love to get to the bottom of this since I thought this got fixed, but clearly hasn't.

doomilation

@girish Hi, I can confirm that this issue is still there with 2 domains.
Unfortunately I didn't check after a fresh install and just 1 domain.

ruben

@girish I had already deleted my test-setup; so I just set up a new one from scratch at scaleway. It results in the same errors and permissions as above.

girish

@ruben Thanks. Can you tell me which DNS provider you are using? Let me try to reproduce the bug with that backend.

ruben

@girish I’m using the wildcard DNS-option.

girish

@ruben thanks, I was able to reproduce the issue. It is related to the ubuntu image on scaleway. We relied on the user id to match between the host OS and the container. For some reason, adding a new user on scaleway starts from uid 1001 instead of 1000. Looking into a fix.

girish

A fix for now is to just run chmod +r /home/yellowtent/boxdata/mail/dkim/*/private.

As for certs for renewing, @ruben do you have incoming port 80 open on your server? The cert issue is not related to dkim keys.

girish

This is fixed now in 4.1 (which will get released next week or so)

ruben

@girish Nice! Will definitely try again after the release.

subven

I can confirm that this is finally fixed now

pintudason

DMARC is about email security. Traditionally this was about inbound protection, where DMARC can be used. Though, DMARC is more about outbound email protection.