Solved Can I reset the DKIM settings?
-
Awhile ago my cloudron ran under my.domain1.com, and I had set up email and what not. I then changed that main domain to my.domain2.com. Everything seems to work fine.
BUT, my Postmark DMARC checks have been telling me my SPF and DKIM aren't aligned and 8 emails from 3 clearly spammy sources were sent claiming to be from my.domain2.com.
So I checked that domain, and noticed that the DNS records and the email records on the cloudron both have this as their DKIM: cloudron-domain1com._domainkey. ?? Why wouldn't it be cloudron-domain2com._domainkey?
I then noticed that a new domain which I recently added (which came AFTER I moved my cloudron from VPS 1 to VPS 2, seamlessly I add) seems to have a DKIM record that has the residual hostname of the new VPS before I fixed that on the new VPS. It looks like: cloudron-62141b._domainkey. Shouldn't this be cloudron-domain2com._domainkey
So I checked other domains which have been on the cloudron for awhile and see that their DKIM starts with: cloudron-domain2com._domainkey. So, this has the main domain of the cloudron. This appears correct, and I don't have any non-aligned warnings for those domains.
So, is there a way to reset those DKIM records so they all have: cloudron-domain2com._domainkey. It seems that this is essential, even though my email dashboard has all green check marks.
Thanks!
A life lived in fear is a life half-lived
-
@scooke said in Can I reset the DKIM settings?:
So I checked that domain, and noticed that the DNS records and the email records on the cloudron both have this as their DKIM: cloudron-domain1com._domainkey. ?? Why wouldn't it be cloudron-domain2com._domainkey?
Did you also change the domain of the mail sever ? https://docs.cloudron.io/email/#server-location . The domain here determines the "name" of the mail server (and the required DKIM settings).
-
@girish Yes, that was changed. That was changed to domain2 while on still on VPS 1, where the initial mail location was domain1. So, I guess it didn't update properly back then. This is over a year ago. Maybe there was some glitch back then.
I tried to redo it just now by simply deleting "my" and retyping it, and there was a little message saying it was updating DNS, but only for the most recently added domain. I checked my main cloudron domain email settings under Status, and it still shows cloudron-domain1._domainkey, that the cloudron-domain2._domainkey DKIM key that others have.
I don't fully understand the DNS magic realm, and maybe it's fine that the DKIM domain doesn't actually match the actual domain, but now that I've discovered that my Cloudron is using three different DKIMs, I'd prefer to have them all use cloudron-domain2._domainkey.
Would I just navigate to where those keys are held on the VPS and delete them, and upon restarting the VPS cloudron will regenerate them, but properly using the current domain? My rDNS, or PTR record, uses my.domain2.com, same as the main dashboard domain, so don't these all have to match optimally?
A life lived in fear is a life half-lived
-
So, is it possible to reset the DKIM certs, or no? Can I just remove the ones which don't have the current info, and they'll be regenerated properly? Or will I bork my Cloudron up if I do that?
A life lived in fear is a life half-lived
-
@scooke So, the DKIM keys can be arbitrarily named. It's not a problem that it has the old domains name as part of it. In more recent Cloudron version, we have actually started using a hash and not the concrete name because people had similar concern as yours about "referencing" an older name.
If you want to reset this, you have to update the database directly for the moment. You can do it like this:
mysql -uroot -ppassword -e "select domain, dkimSelector from box.mail;"The above command will show the current domain and dkim selector. To update it, something like:
mysql -uroot -ppassword -e "UPDATE box.mail SET dkimSelector='cloudron' WHERE domain='currentdomain';"(please update the domain value accordingly).
As said, this is not a problem as such, so there is no issue leaving it as-is. I will make the dkim selector configurable in the coming release.
-
@girish Much appreciated, thank you!
-
@girish said in Can I reset the DKIM settings?:
As said, this is not a problem as such, so there is no issue leaving it as-is. I will make the dkim selector configurable in the coming release.
I would appear to me that somehow it is an issue.
Like @scooke I both moved my my. domain around (from uniteddiversity.org to uniteddiversity.coop and changed my mail server address from my.uniteddiversity.coop to mail.uniteddiversity.coop )
And when I do a uniteddiversity.coop:email DKIM lookup on https://mxtoolbox.com/SuperTool.aspx it tells me:
No DKIM Record foundSo I looked in my DNS and found these DKIM records which Cloudron obviously set:
And also, in email status within Cloudon, I have this:
So why are they not being found when I do a uniteddiversity.coop:email DKIM lookup on https://mxtoolbox.com/SuperTool.aspx ?
-
@jdaviescoates It appears fine in the DNS.
$ host -t TXT cloudron-uniteddiversityorg._domainkey.uniteddiversity.coop cloudron-uniteddiversityorg._domainkey.uniteddiversity.coop descriptive text "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFZ/gh1xMkTbgkE1fEQWrFY8jn0uoxpLLvtAPHhWKNRSv4k88PKw/kqdBCHx3fV1CjabMH8zjZBQgXpRqfopJLbdHmGDUKkbpFfb4XNoXXGjxbJzceBVWJtVnKdmNRT5wOFSpltJkkSSU3uRbwn81NEBd9Duavt4x8wu+tUFkQ4wIDAQAB"Maybe the web tool is (temporarily) broken ?
-
@girish said in Can I reset the DKIM settings?:
Maybe the web tool is (temporarily) broken ?
It appears fine there too.
-
@girish I was doing it this way:
uniteddiversity.coop:email
As you can see that is still showing an error.
-
@jdaviescoates said in Can I reset the DKIM settings?:
uniteddiversity.coop:email
I think the tool wants a domain name. Why are you adding a ":email" in the end? Is that a special syntax on that site?
-
@girish said in Can I reset the DKIM settings?:
Why are you adding a ":email" in the end? Is that a special syntax on that site?
Yes:
-
@jdaviescoates Ahhh, I had to read that a couple of times to grok it. The
:emailis not literal but is the DKIM selector (says so in the text). The DKIM selector in Cloudron iscloudron-uniteddiversityorg(this changes for each installation based on the primary domain. this allows to add same domain on multiple cloudrons).So, try with
uniteddiversity.coop:cloudron-uniteddiversityorgand that does work. -
@girish Your comprehensional wizardy astounds me! Seriously, impressive. I aim for that type of thinking to better deduce problems, and when I see it done, right in front of me, it's impressive.
EDIT: though this sounds sarcastic, I am being totally sincere!
A life lived in fear is a life half-lived
-
@scooke said in Can I reset the DKIM settings?:
EDIT: though this sounds sarcastic, I am being totally sincere!
ha ha
-
@girish said in Can I reset the DKIM settings?:
So, try with uniteddiversity.coop:cloudron-uniteddiversityorg and that does work.
Great, thanks for working that out!
Next question: did it ever become possible to reset such things?
For not particular reason other than neatness I'd kinda like it to by
cloudron-uniteddiversitycoopinstead, or evenrandomstring_uniteddiversity.coop -
@jdaviescoates I think https://forum.cloudron.io/topic/7478/more-on-whitelabelling-cloudron-for-providing-managed-cloudron-instances . That never got implemented
-
@girish, I was thinking of this:
@girish said in Can I reset the DKIM settings?:
I will make the dkim selector configurable in the coming release.
-
@jdaviescoates right, unfortunately, it was not prioritized/implemented.
