Invalid DKIM Signature

Hi,

I followed all previous topics here to troubleshoot the Invalid DKIM Signature issue but still no luck. I would appreciate it if you could help me resolve this issue asap.

My OS: Ubuntu 20.04.6 LTS.

CyberPanel version:

Current Version: 2.3
Build: 5
Current Commit: c7d300418b64372fa6f8f088ca982f2638bad84a
Latest Version: 2.3
Latest Build: 5
Latest Commit: 5505f5a0f711d902bd5f58a50beb7946438d3b78

I manage my DNS at my domain registrar (not on CyberPanel). I have opendkim running:

systemctl status opendkim
opendkim.service - OpenDKIM DomainKeys Identified Mail (DKIM) Milter
     Loaded: loaded (/lib/systemd/system/opendkim.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2024-03-07 10:31:09 MSK; 1 months 12 days ago
       Docs: man:opendkim(8)
             man:opendkim.conf(5)
             man:opendkim-genkey(8)
             man:opendkim-genzone(8)
             man:opendkim-testadsp(8)
             man:opendkim-testkey
             http://www.opendkim.org/docs.html
   Main PID: 895 (opendkim)
      Tasks: 6 (limit: 2255)
     Memory: 1.8M
     CGroup: /system.slice/opendkim.service
             └─895 /usr/sbin/opendkim -x /etc/opendkim.conf

Mar 07 10:31:09 ubuntu-1cpu-2gb-us-sjo1 systemd[1]: Starting OpenDKIM DomainKeys Identified Mail (DKIM) Milter...
Mar 07 10:31:09 ubuntu-1cpu-2gb-us-sjo1 systemd[1]: Started OpenDKIM DomainKeys Identified Mail (DKIM) Milter.
Mar 07 10:31:09 ubuntu-1cpu-2gb-us-sjo1 opendkim[895]: OpenDKIM Filter v2.11.0 starting (args: -x /etc/opendkim.conf)

I have main.cf as follows:

cat /etc/postfix/main.cf
# Global Postfix configuration file. This file lists only a subset
# of all parameters. For the syntax, and for a complete parameter
# list, see the postconf(5) manual page (command: "man 5 postconf").
#
# For common configuration examples, see BASIC_CONFIGURATION_README
# and STANDARD_CONFIGURATION_README. To find these documents, use
# the command "postconf html_directory readme_directory", or go to
# http://www.postfix.org/.
#
# For best results, change no more than 2-3 parameters at a time,
# and test if Postfix still works after every change.



queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
mail_owner = postfix
inet_protocols = all
mydestination = localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES


myhostname = panel.mydomain.com
mynetworks = 127.0.0.0/8
message_size_limit = 30720000
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
inet_interfaces = all
smtp_tls_security_level = may

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

I also have correct KeyTable and SigningTable records with correct paths.

journalctl -f | grep opendkim

Journal file /var/log/journal/system.journal is truncated, ignoring file.

journalctl -f | grep postfix

Journal file /var/log/journal/system.journal is truncated, ignoring file.
Apr 19 10:41:58 ubuntu-1cpu-2gb-us-sjo1 postfix/pickup[2712298]: CFC05232AB5: uid=1011 from=<[email protected]>
Apr 19 10:41:58 ubuntu-1cpu-2gb-us-sjo1 postfix/cleanup[2713223]: CFC05232AB5: message-id=<[email protected]>
Apr 19 10:41:58 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: CFC05232AB5: from=<[email protected]>, size=9133, nrcpt=1 (queue active)
Apr 19 10:42:00 ubuntu-1cpu-2gb-us-sjo1 postfix/smtp[2713226]: CFC05232AB5: to=<[email protected]>, relay=mail.emailstester.com[95.217.248.68]:25, delay=2.2, delays=0.07/0.02/1.7/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AD522104202)
Apr 19 10:42:00 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: CFC05232AB5: removed
Apr 19 10:43:20 ubuntu-1cpu-2gb-us-sjo1 postfix/smtpd[2713255]: connect from unknown[36.133.157.105]
Apr 19 10:43:20 ubuntu-1cpu-2gb-us-sjo1 postfix/smtpd[2713255]: warning: unknown[36.133.157.105]: SASL LOGIN authentication failed: Invalid authentication mechanism
Apr 19 10:43:20 ubuntu-1cpu-2gb-us-sjo1 postfix/smtpd[2713255]: disconnect from unknown[36.133.157.105] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 19 10:43:38 ubuntu-1cpu-2gb-us-sjo1 postfix/pickup[2712298]: EBB92232AB5: uid=1011 from=<[email protected]>
Apr 19 10:43:38 ubuntu-1cpu-2gb-us-sjo1 postfix/cleanup[2713282]: EBB92232AB5: message-id=<[email protected]>
Apr 19 10:43:38 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: EBB92232AB5: from=<[email protected]>, size=9132, nrcpt=1 (queue active)
Apr 19 10:43:40 ubuntu-1cpu-2gb-us-sjo1 postfix/smtp[2713226]: EBB92232AB5: to=<[email protected]>, relay=mail.emailstester.com[95.217.248.68]:25, delay=1.8, delays=0.03/0/1.4/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7AD6A104202)
Apr 19 10:43:40 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: EBB92232AB5: removed

Content of /etc/opendkim.conf:


# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog			yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask			007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain			example.com
#KeyFile		/etc/dkimkeys/dkim.key
#Selector		2007

# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization	simple
#Mode			sv
#SubDomains		no

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
#Socket                  inet:8892@localhost
Socket  inet:8891@localhost

##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /run/opendkim/opendkim.pid


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders		From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim

Mode	sv
Canonicalization	relaxed/simple
KeyTable	refile:/etc/opendkim/KeyTable
SigningTable	refile:/etc/opendkim/SigningTable
ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts
InternalHosts	refile:/etc/opendkim/TrustedHosts

I would really appreciate it if you could help me to resolve this issue. Thanks in advance!!

When you send an email, can you give the output of

journalctl -f | grep opendkim

Hi @usmannasir

Thanks for your reply, really appreciate it!

When I run this command and send an email - nothing is changing in the output, it looks like this all the time:

journalctl -f | grep opendkim
Journal file /var/log/journal/system.journal is truncated, ignoring file.

When I run this I can see some output:

journalctl -f | grep postfix

Journal file /var/log/journal/system.journal is truncated, ignoring file.
Apr 19 10:41:58 ubuntu-1cpu-2gb-us-sjo1 postfix/pickup[2712298]: CFC05232AB5: uid=1011 from=<[email protected]>
Apr 19 10:41:58 ubuntu-1cpu-2gb-us-sjo1 postfix/cleanup[2713223]: CFC05232AB5: message-id=<[email protected]>
Apr 19 10:41:58 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: CFC05232AB5: from=<[email protected]>, size=9133, nrcpt=1 (queue active)
Apr 19 10:42:00 ubuntu-1cpu-2gb-us-sjo1 postfix/smtp[2713226]: CFC05232AB5: to=<[email protected]>, relay=mail.emailstester.com[95.217.248.68]:25, delay=2.2, delays=0.07/0.02/1.7/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as AD522104202)
Apr 19 10:42:00 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: CFC05232AB5: removed
Apr 19 10:43:20 ubuntu-1cpu-2gb-us-sjo1 postfix/smtpd[2713255]: connect from unknown[36.133.157.105]
Apr 19 10:43:20 ubuntu-1cpu-2gb-us-sjo1 postfix/smtpd[2713255]: warning: unknown[36.133.157.105]: SASL LOGIN authentication failed: Invalid authentication mechanism
Apr 19 10:43:20 ubuntu-1cpu-2gb-us-sjo1 postfix/smtpd[2713255]: disconnect from unknown[36.133.157.105] ehlo=1 auth=0/1 quit=1 commands=2/3
Apr 19 10:43:38 ubuntu-1cpu-2gb-us-sjo1 postfix/pickup[2712298]: EBB92232AB5: uid=1011 from=<[email protected]>
Apr 19 10:43:38 ubuntu-1cpu-2gb-us-sjo1 postfix/cleanup[2713282]: EBB92232AB5: message-id=<[email protected]>
Apr 19 10:43:38 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: EBB92232AB5: from=<[email protected]>, size=9132, nrcpt=1 (queue active)
Apr 19 10:43:40 ubuntu-1cpu-2gb-us-sjo1 postfix/smtp[2713226]: EBB92232AB5: to=<[email protected]>, relay=mail.emailstester.com[95.217.248.68]:25, delay=1.8, delays=0.03/0/1.4/0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7AD6A104202)
Apr 19 10:43:40 ubuntu-1cpu-2gb-us-sjo1 postfix/qmgr[2693550]: EBB92232AB5: removed

Yup, looks like postfix is not even trying to send the email to opendkim for adding a signature, although by the looks of it the postfix configs seem fine.

Normally when postfix connects to opendkim it is like

root@cyberpanel:~# journalctl -f | grep dkim
Jan 10 10:49:17 cyberpanel.net opendkim[579]: 3447740AAD: DKIM-Signature field added (s=default, d=wpmautic.net)

and postfix logs are like this if it can't connect to opendkim → Message not signed with DKIM - #14 by lesupremo

If you have CP add-ons, then either reset the mail configs, which may solve the issue, or try reaching our support, as I cannot see anything wrong.
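The check described in the reply above (a delivered queue ID should also have an opendkim "DKIM-Signature field added" line) can be run over a saved journal excerpt. This is an added example, not part of the original posts and not CyberPanel code. The sample log is constructed, and the regex assumes Postfix's default short hexadecimal queue IDs.

```python
import re

# Constructed sample in the two log formats quoted in this thread.
SAMPLE_LOG = """\
Apr 19 10:41:58 mail postfix/pickup[2712298]: CFC05232AB5: uid=1011 from=<sender@example.com>
Apr 19 10:41:58 mail postfix/cleanup[2713223]: CFC05232AB5: message-id=<a1@example.com>
Apr 19 10:42:00 mail postfix/smtp[2713226]: CFC05232AB5: to=<rcpt@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Apr 19 10:44:01 mail postfix/smtpd[2713300]: 3447740AAD: client=localhost[127.0.0.1]
Apr 19 10:44:01 mail opendkim[579]: 3447740AAD: DKIM-Signature field added (s=default, d=example.com)
Apr 19 10:44:03 mail postfix/smtp[2713226]: 3447740AAD: to=<rcpt@example.net>, relay=mx.example.net[192.0.2.10]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# "<program>[pid]: <QUEUEID>: <rest>"; assumes short (hex) queue IDs.
LINE = re.compile(
    r"\s(?P<prog>postfix/\w+|opendkim)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)


def audit(log_text):
    """Map each queue ID to its origin and whether it was signed and sent."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect/warning lines carry no queue ID
        rec = msgs.setdefault(
            m["qid"], {"origin": None, "signed": False, "sent": False}
        )
        prog, rest = m["prog"], m["rest"]
        if prog in ("postfix/pickup", "postfix/smtpd") and rec["origin"] is None:
            # pickup = local sendmail submission (non_smtpd_milters applies);
            # smtpd  = SMTP submission (smtpd_milters applies).
            rec["origin"] = prog.split("/")[1]
        elif prog == "opendkim" and "DKIM-Signature field added" in rest:
            rec["signed"] = True
        elif prog == "postfix/smtp" and "status=sent" in rest:
            rec["sent"] = True
    return msgs


def unsigned_sent(log_text):
    """Queue IDs that were delivered without any opendkim signing line."""
    return sorted(q for q, r in audit(log_text).items()
                  if r["sent"] and not r["signed"])


if __name__ == "__main__":
    for qid in unsigned_sent(SAMPLE_LOG):
        print(qid, "sent unsigned, origin:", audit(SAMPLE_LOG)[qid]["origin"])
```

The origin column shows which milter setting in main.cf covers the unsigned message, which narrows where to look next.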

@usmannasir , thank you for your response. I do not have any CP add-ons installed, so resetting the mail configuration is not an option.

Could you please suggest any other possible causes for this issue or further troubleshooting steps I can take? Any additional insights would be greatly appreciated.

Thank you for your assistance!!!

From what you have shared I can see everything seems fine. See if going through this thread helps: Message not signed with DKIM - #14 by lesupremo

@usmannasir, thank you for pointing me towards the existing threads. Indeed, I’ve thoroughly perused them along with numerous others on this forum. However, my situation appears to be quite unique, as the solutions provided thus far haven’t resolved my issue. Consequently, I’ve initiated this new thread, detailing all the steps I’ve taken in an attempt to debug and rectify the problem. I believe this could also serve as a valuable resource for others encountering a similar DKIM issue.

I’m eager to delve deeper into this challenge and would greatly value any additional insights you could offer. Your expertise is not only instrumental in aiding my current situation but also contributes significantly to the collective knowledge base of this forum. I’m looking forward to any suggestions you might have and am more than willing to share my findings and experiences to benefit the CyberPanel community.

I do agree that you provided really detailed information on everything, which really helped me initially to think about this issue.

But there is nothing I can say by the looks of it, until our support digs into it and looks further. So I will be closing this thread.