DKIM records not matching

╭─stephdl@leo.lan ~  ‹master› 
╰─➤  dig @ns1.hostserv.eu +short +tries=1 +retry=0 +time=2 default._domainkey.domain.com TXT
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0LJtESK0G5LJ3euhIpLRyXlJyVOrw7exuztpOurn+/CYIYrpKVyBEdYBwlU2fOpSITJotK6dL2oOuhVnfCt6DhtSrTlA+jAvbHFsAraOm50dONtA9UllyKqjBPjYUP3VgPfTrHdC0r6oz1VcHb8JEuY9aDMb5EG8p155ZUpsrPYLn/m2Fq6nf5w/0g1/liPF3z" "FdLY8N61Vfgj3oX1dIhGGKVECPapA4Nh2tP+tznVaD6saMpH9POjHAmOPZ56ZaCrbdyChPKXh6ntwscb75QILhjuvLnmkfKsanO3bjJrIRl9tR25RhOEGnxwzAzqrxGvh+wj+bd2tDvVsLYcmiQIDAQA"
╭─stephdl@leo.lan ~  ‹master› 
╰─➤  dig @1.1.1.1 +short +tries=1 +retry=0 +time=2 default._domainkey.domain.com TXT
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0LJtESK0G5LJ3euhIpLRyXlJyVOrw7exuztpOurn+/CYIYrpKVyBEdYBwlU2fOpSITJotK6dL2oOuhVnfCt6DhtSrTlA+jAvbHFsAraOm50dONtA9UllyKqjBPjYUP3VgPfTrHdC0r6oz1VcHb8JEuY9aDMb5EG8p155ZUpsrPYLn/m2Fq6nf5w/0g1/liPF3z" "FdLY8N61Vfgj3oX1dIhGGKVECPapA4Nh2tP+tznVaD6saMpH9POjHAmOPZ56ZaCrbdyChPKXh6ntwscb75QILhjuvLnmkfKsanO3bjJrIRl9tR25RhOEGnxwzAzqrxGvh+wj+bd2tDvVsLYcmiQIDAQA"
╭─stephdl@leo.lan ~  ‹master› 
╰─➤  dig @8.8.8.8 +short +tries=1 +retry=0 +time=2 default._domainkey.domain.com TXT
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0LJtESK0G5LJ3euhIpLRyXlJyVOrw7exuztpOurn+/CYIYrpKVyBEdYBwlU2fOpSITJotK6dL2oOuhVnfCt6DhtSrTlA+jAvbHFsAraOm50dONtA9UllyKqjBPjYUP3VgPfTrHdC0r6oz1VcHb8JEuY9aDMb5EG8p155ZUpsrPYLn/m2Fq6nf5w/0g1/liPF3z" "FdLY8N61Vfgj3oX1dIhGGKVECPapA4Nh2tP+tznVaD6saMpH9POjHAmOPZ56ZaCrbdyChPKXh6ntwscb75QILhjuvLnmkfKsanO3bjJrIRl9tR25RhOEGnxwzAzqrxGvh+wj+bd2tDvVsLYcmiQIDAQA"

Should be good now :slight_smile:

Hm, I still see the “records not matching” error in nethserver.

I tested with 7 dkim checker websites and either they say dkim record ok (but 0 bits) or they say the record is invalid or no record found or “We were not able to retrieve the key length, there is maybe an issue in that key” or another site reports: “This doesn’t seem to be a valid RSA public key: RSA.xs:178: OpenSSL error: bad base64 decode at blib/lib/Crypt/OpenSSL/RSA.pm (autosplit into blib/lib/auto/Crypt/OpenSSL/RSA/new_public_key.al) line 91.” :man_shrugging: :see_no_evil:

You could try to rename /etc/opendkim/default.txt and reinstall nethserver-mail-server, then configure DKIM again with your provider.

1 Like

As this is our prod. system (and I certainly will make a snapshot before trying) I’d like to know if reinstalling nethserver-mail-server should not affect the rest of the nethserver (accounts, settings like connectors and everything else related/configured)?

And maybe move the whole /etc/opendkim folder, not just the default.txt? Or would you not recommend that?

1 Like

The action to create the key is /etc/e-smith/events/actions/nethserver-mail-create-opendkim-key

So rename the key

mv  /etc/opendkim/default.txt  /etc/opendkim/default.txtOLD
/etc/e-smith/events/actions/nethserver-mail-create-opendkim-key
systemctl restart opendkim

If you want to go back, just rm the new key, rename the old key and restart dkim again.

1 Like

I moved /etc/opendkim folder, reinstalled nethserver-mail-server and opendkim and did an /etc/e-smith/events/actions/nethserver-mail-create-opendkim-key and finally restarted opendkim service.

I also used another browser (Edge) than before (Firefox) for creating the TXT record by copy/pasting the key in the registrar web interface. And here we are again with the wrong " and thus the records not matching error :frowning:

I can ask them again to recreate the record for me as their web interface probably has an issue, but I worry that I will hit the same result as above - being key not valid or 0 bits… We’ll see…

Is there anything else I can do? :man_shrugging:

Not worry about a bug in the Nethserver UI?

1 Like

Well - true in a way, dan35, but then again I am not sure what exactly the problem is, as the " apparently are OK: I now checked with the same 5 DKIM checker tools and, contrary to the key without the additional 2 ", the opendkim checker sites now report that the key is valid and is 2048 bits. So the key that I had the registrar modify was apparently not good, but the one created by their web interface with the two additional " is…

So is this officially an assigned/accepted bug of nethserver ui now and will it be fixed? Anything else I could provide?

I guess I will roll back to the snapshot I did earlier, without the reinstall of the above packages, to be on the safe side, recreate the old key @registrar by web interface with the two additional " " and wait for a fix in nethserver.

2 Likes

Could you show some screenshots of your TXT DNS field?

Which screenshots, from where, do you mean exactly? I already added screenshots above, but can do them again. What do you mean? From neth cockpit, the registrar web interface, dig?

Only from the registrar. I continue to believe there is no bug in NethServer :smiley:

[image: grafik]

1 Like

Could you post the DKIM key from /etc/opendkim/default.txt here again, please? I am looking into something.

cat /etc/opendkim/keys/default.txt
default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIIB…"
"…" ) ; ----- DKIM key default for domain.tld

1 Like

OK, maybe we could fix something on our side.

1 Like

Are you OK to break your server?

I am kidding, the solution was simple. Sorry for the waste of time.

1 Like
2 Likes

No worries. It is a Proxmox VM, so if I can be of any help I can do a snapshot and test if you like and then roll back.

1 Like

If you want to test then

cp /usr/libexec/nethserver/api/nethserver-mail/domains/read /usr/libexec/nethserver/api/nethserver-mail/domains/read_ORIGINAL

then copy the content of

https://raw.githubusercontent.com/NethServer/nethserver-mail/fca9cf4b7d4faf53a6910546d75e8726cac85f0f/api/domains/read

inside /usr/libexec/nethserver/api/nethserver-mail/domains/read

3 Likes
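
Added example, not from the thread or from NethServer's code: dig prints a long TXT record as several quoted strings (the `" "` in the outputs above), and a DKIM verifier concatenates them with no separator before reading the `p=` tag. The Python sketch below does that and reports the RSA key length; the function names and the sample record (built around a made-up modulus, not a real key) are assumptions of this example.

```python
import base64
import re

def join_txt(presentation):
    """Join the quoted character-strings of one TXT answer with no separator."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', presentation))

def parse_tags(record):
    """Split 'k=v;k=v' into a dict; whitespace inside values is not significant."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip(): "".join(v.split()) for k, v in pairs}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(p_b64):
    """Modulus size of a base64 SubjectPublicKeyInfo; ValueError if malformed."""
    der = base64.b64decode(p_b64, validate=True)   # rejects quotes, bad padding
    _, spki, _ = _tlv(der, 0)               # SEQUENCE SubjectPublicKeyInfo
    _, _, pos = _tlv(spki, 0)               # AlgorithmIdentifier, skipped
    _, bits, _ = _tlv(spki, pos)            # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _tlv(bits[1:], 0)           # drop the unused-bits octet
    tag, modulus, _ = _tlv(rsa, 0)
    if tag != 0x02 or not modulus:
        raise ValueError("no RSA modulus found")
    return int.from_bytes(modulus, "big").bit_length()

def check_record(record):
    tags = parse_tags(record)
    if tags.get("v") != "DKIM1" or "p" not in tags:
        return "not a DKIM1 key record"
    try:
        return "valid, %d bits" % rsa_bits(tags["p"])
    except (ValueError, IndexError) as err:
        return "invalid key: %s" % type(err).__name__

# Constructed sample: DER header of a 2048-bit RSA key plus a made-up modulus.
_DER = (bytes.fromhex("30820122300d06092a864886f70d01010105000382010f003082010a0282010100")
        + ((1 << 2047) | 1).to_bytes(256, "big") + bytes.fromhex("0203010001"))
_REC = "v=DKIM1;k=rsa;p=" + base64.b64encode(_DER).decode()
DIG_OUTPUT = '"%s" "%s"' % (_REC[:255], _REC[255:])   # split like a DNS server does

if __name__ == "__main__":
    for rec in (join_txt(DIG_OUTPUT), DIG_OUTPUT.strip('"'), join_txt(DIG_OUTPUT)[:-1]):
        print(check_record(rec))
```

The three results printed are for the strings concatenated correctly, for the inner `" "` left inside the value, and for a record that lost its last base64 character; only the first parses as a 2048-bit key.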