[SOLVED] DKIM & Changing Server Hardware

Hi all,

I changed the hardware of my main NS server.

Problem sending email with Thunderbird and webmail:
Using webmail: “Error SMTP : [451] 4.7.1 Service unavailable - try again later”

If I remove DKIM, it is working again.

I checked the DKIM at the registrar and it is the same as the one from the Manager under mail.

Any suggestions?

Michel-André

Are there error details in /var/log/maillog or /var/log/messages ?

Let’s check the key with

opendkim-testkey

Here is another thread with the same error, maybe related:

Hi @mrmarkuz,

Thank you for your reply.

# opendkim-testkey
opendkim-testkey: /etc/opendkim/keys/default.private: WARNING: unsafe permissions
opendkim-testkey: key default._domainkey.toto-101.org: 'default._domainkey.toto-101.org' record not found
opendkim-testkey: /etc/opendkim/keys/default.private: WARNING: unsafe permissions
opendkim-testkey: key default._domainkey.toto.info: No key
opendkim-testkey: /etc/opendkim/keys/default.private: WARNING: unsafe permissions
opendkim-testkey: key default._domainkey.toto.org: No key
#

I took out DKIM for .toto-101.org and toto.info.

Only DKIM for toto.org:

# opendkim-testkey
opendkim-testkey: /etc/opendkim/keys/default.private: WARNING: unsafe permissions
opendkim-testkey: key default._domainkey.toto.org: No key
#

fail2ban.log

2021-11-05 17:11:00,193 fail2ban.filter         [2695]: WARNING [dovecot-nethserver] Simulate NOW in operation since found time has too large deviation None ~ 1636146660.19 +/- 60
2021-11-05 17:11:00,193 fail2ban.filter         [2695]: WARNING [dovecot-nethserver] Please check jail has possibly a timezone issue. Line with odd timestamp: ip=192.168.1.1, mpid=23226, TLS, session=<Z9JyFBHQA9PAqAFR>

Tried again to send to admin:
maillog

Nov  5 17:38:56 dorgee opendkim[27762]: can't load key from /etc/opendkim/keys/default.private: Permission denied
Nov  5 17:38:56 dorgee opendkim[27762]: 722AFE2450: error loading key 'default._domainkey.toto.org'
Nov  5 17:38:56 dorgee postfix/cleanup[27949]: 722AFE2450: milter-reject: END-OF-MESSAGE from unknown[192.168.1.81]: 4.7.1 Service unavailable - try again later; from=<michelandre@toto.org> to=<admin@toto.org> proto=ESMTP helo=<[192.168.1.81]>
Nov  5 17:38:56 dorgee rspamd[2464]: <bfe66n>; lua; bayes_expiry.lua:440: finished expiry step 28: 994 items checked, 209 significant (0 made persistent), 2 insignificant (0

# ls -als /etc/opendkim/keys/default.private
4 -r--r----- 1 opendkim opendkim 1679 22 janv.  2019 /etc/opendkim/keys/default.private
#

Michel-André

Here are working permissions to compare:

[root@nethserver ~]# ls -l /etc/opendkim/keys/
total 8
-r--r----- 1 opendkim opendkim 1675 Oct 28  2018 default.private
-r--r--r-- 1 opendkim opendkim  503 Oct 28  2018 default.txt

EDIT:

Are the TXT DNS entries correct for the domains?

To test:

dig +short TXT default._domainkey.domain.com @8.8.4.4

In the wiki you can find more information.

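The two checks discussed in this exchange, as an added example that is not part of the original posts and is not NethServer or OpenDKIM code: it joins the quoted chunks that `dig +short TXT` prints for a long DKIM record and confirms the `p=` value decodes, and it walks the path to a key file to find the first directory or file a given account cannot pass. The function names, the constructed sample record and the mode-bit-only permission model (ACLs and SELinux are ignored) are assumptions.

```python
import base64, os, re, stat

# Constructed sample of `dig +short TXT` output: one record split into two strings.
SAMPLE = '"v=DKIM1; k=rsa; p=Q09OU1RSVUNURUQt" "U0FNUExFLUtFWQ=="'

def parse_dkim_txt(dig_output):
    """Join the quoted chunks of one TXT answer and return its DKIM tags."""
    record = "".join(re.findall(r'"([^"]*)"', dig_output))
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    if tags.get("v") != "DKIM1":
        raise ValueError("no DKIM1 record in the answer")
    base64.b64decode(tags.get("p", ""), validate=True)  # raises on a damaged key
    return tags

def mode_allows(st, uid, gids, want):
    """Owner/group/other check on mode bits; want is 'r' (read) or 'x' (search)."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    bits = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
            "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}[want]
    if st.st_uid == uid:  # the owner class wins even if group bits are looser
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def first_block(path, uid, gids):
    """Return the first path component the account cannot pass, or None."""
    path = os.path.realpath(path)
    parts = [path]
    while os.path.dirname(parts[0]) != parts[0]:
        parts.insert(0, os.path.dirname(parts[0]))
    for directory in parts[:-1]:
        if not mode_allows(os.stat(directory), uid, gids, "x"):
            return directory
    return None if mode_allows(os.stat(path), uid, gids, "r") else path

if __name__ == "__main__":
    import pwd
    print(sorted(parse_dkim_txt(SAMPLE)))
    try:  # key path as shown in the thread; run as root so every stat() succeeds
        user = pwd.getpwnam("opendkim")
        groups = os.getgrouplist(user.pw_name, user.pw_gid)
        print(first_block("/etc/opendkim/keys/default.private", user.pw_uid, groups))
    except (KeyError, OSError) as exc:
        print("skipped:", exc)
```

A result of `None` from `first_block` means the mode bits alone do not explain a "Permission denied"; a returned path names the component to inspect with `ls -ld`.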

Hi @mrmarkuz,

I manually updated all the Let’s Encrypt certs and the problem went away.

# dig +short TXT default._domainkey.toto.org @8.8.4.4
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuGHdVEAmPh9oRVS5e7vqca6ji47YnnmYg4gilZstMNPw+kgUYHyfTepaR3AewxDvwM6C57Jfn7Xcmy0mB/UWwbTk60by7mu1xcFOpN4qn2NopZa3VzcRy6ZCryjVhaxII9vxIvxHeOEGzO/s0Xcv/O76tMDad0LXdhDwCMonkGfIf6oDQzbKljrnsH59lyh0V" "0mUFic/PYxc7i1nS2s+2fRa+hx/VX44a2QAqaMDZPHHhdUQlQyqEokaxqd2GkhlM/WxHZiqhtZpdwX6j1ShouC6W7zLrIsweUOAUkOEjE7jTUQUBRa1Fbogpd98UsSTxM0F66sTAybXb/rB7GhzzwIDAQAB"
#

I still have a last problem:

/etc/cron.daily/logrotate:

error: ufdbGuard:13 unknown user 'ufdb'
error: found error in /var/log/ufdbguard/ufdbguardd.log
, skipping
/etc/cron.daily/update-squidguard-blacklists:

chown: user incorrect: « squid:squid »
chown: user incorrect: « squid:squid »
chown: user incorrect: « ufdb:squid »

Michel-André

Hi all,

I uninstalled and reinstalled nethserver-web-filter, then created /var/log/ufdbguard/ufdbguardd.log with default root:root as user:group. This file was not created with the reinstallation.

Today, file /var/log/ufdbguard/ufdbguardd.log is still empty.

No error message this morning.

I will wait a few days to make sure everything is working correctly.

Michel-André


Hi all,

No more errors.

Michel-André
