DKIM FAIL & SSL verify error

Posted: March 23rd, 2024, 9:04 am
by admin
Hello everyone,

A few weeks ago...
I started having problems with my mail server:
suddenly DKIM FAILs for mailersafelist.com.

According to the Gmail original email header:

Code:

SPF:	PASS with IP 104.37.168.247
DKIM:	'FAIL' with domain mailersafelist.com
DMARC:	'PASS'
...
...
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=temperror (no key for signature) header.i=@mailersafelist.com header.s=x header.b=u2Rl9vzv;
       spf=pass (google.com: domain of ...@mailersafelist.com designates 104.37.168.247 as permitted sender) smtp.mailfrom=...@mailersafelist.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mailersafelist.com
...
...

I've already checked each domain within:
- user level
- Email Manager
- Email Account

All of the DKIM options are already enabled.

Tested with DKIM checkers:
- MXToolBox
- EasyDMARC

All of the emails are working fine and went through to the inbox, not rejected or rate limited (SPF and DMARC have no problems).

Well, I'm confused.
Something went wrong exactly...
It fails with one domain only, and the other domains have no problem at all...
Did the Google mail system glitch?
Did the DirectAdmin system glitch?

According to DA support:
/etc/exim.dkim.conf still had the old "x" selector after it was changed to "default" in the directadmin.conf,
and I'm really confused by that glitch.

I've already checked and changed it to this:

Code:

[root@srv8 ~]# cat /etc/exim.dkim.conf
  #/etc/exim.dkim.conf v1.7
  dkim_domain = ${if or { \
                        {eq{$sender_address_domain}{}} \
                        {eq{$sender_address_domain}{$primary_hostname}} \
                        } \
                {$primary_hostname}{${lookup{$sender_address_domain}lsearch,ret=key{/etc/virtual/domainowners}{$value}}}}
  dkim_selector = default
  dkim_private_key = ${if exists{/etc/virtual/$dkim_domain/dkim.private.key}{/etc/virtual/$dkim_domain/dkim.private.key}{0}}
  dkim_canon = relaxed
  dkim_strict = 0
[root@srv8 ~]#

As far as I know, the DA panel uses default._domainkey for the selector.
And I'm glad the mail server ran fine afterward.

But another problem arose a few days ago...
I've got another problem with Gmail:
#1. SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid"
#2. Email is still delivered, but the mail server takes longer to finish.

I tried to dig more into the problems...

Code:

[root@srv8 ~]# tail -n 30 /var/log/exim/mainlog
...
...
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z [142.251.2.27] SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid" H="gmail-smtp-in.l.google.com"
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4367 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no C="250 2.0.0 OK  1710923322 ju9-20020a170903428900b001d9b8bc0fd8si12021852plb.68 - gsmtp"
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z Completed
...
...
[root@srv8 ~]#

According to the DA Panel support team, the specific issues are:

Code:

2024-03-20 01:16:54 1rmr7s-00000009EkT-1H8z == ...@gmail.com R=lookuphost defer (-1): host lookup did not complete

and:

Code:

2024-03-20 01:28:41 1rmr7s-00000009EkT-1H8z H=gmail-smtp-in.l.google.com [2607:f8b0:4023:c0d::1b] Network is unreachable

Both show resolver issues;
the "closer/reliable" resolvers that the DC hosting provides might attempt to use IPv6.
(There is a "local" IPv6 IP configured, but in practice IPv6 is unreachable. It can be disabled in /etc/exim.conf so that Exim does not try to use IPv6, by customising /etc/exim.variables.conf.custom and then rebuilding exim_conf.)

Then I changed this file:
/etc/exim.variables.conf.custom
with:

Code:

disable_ipv6=true
smtp_receive_timeout=15m

And then I ran the "Configuring and customizing Exim" steps to update exim.conf:

Code:

cd /usr/local/directadmin/custombuild
./build set exim yes
./build set eximconf yes
./build set spamassassin yes
./build exim
./build exim_conf

This should rewrite the Exim configuration files with IPv6 disabled.

As per the custombuild.1710948207.2372220.ZXhpbQA.log file:

Code:

Configuration file /etc/exim.conf already exists
Exim installation complete
Moving exim binary.
Restarting exim.
Enabling exim in systemd...
Exim 4.97.1 Installed.

From the Exim mainlog:

Code:

2024-03-20 09:57:04 exim 4.97.1 daemon started: pid=2494190, -q1h, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)

And finally... it looks like everything is working normally now, as per day-to-day activity.

Code:

2024-03-23 06:37:22 1ro1Yo-00000001itl-1Es2 <= ...@marketer-safelist.com U=... P=local S=3666 T="Marketer Safelist Mailing Complete!" from <...@marketer-safelist.com> for ...@gmail.com
2024-03-23 06:37:22 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ro1Yo-00000001itl-1Es2
2024-03-23 06:37:22 1ro1Yn-00000001iss-24rq => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4375 H=gmail-smtp-in.l.google.com [142.251.2.26] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK  1711201042 y19-20020a63de53000000b005dc833ef4e5si4011703pgi.64 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001iss-24rq Completed
2024-03-23 06:37:22 1ro1Yn-00000001isS-0fYy => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4356 H=gmail-smtp-in.l.google.com [142.251.2.26] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK  1711201042 u3-20020a632343000000b005eb4d2501c7si4077774pgm.693 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001isS-0fYy Completed
2024-03-23 06:37:22 1ro1Yn-00000001it5-2r7q => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4360 H=gmail-smtp-in.l.google.com [142.251.2.26] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK  1711201042 f17-20020a170902ce9100b001dde0e3c188si1652901plg.366 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001it5-2r7q Completed
2024-03-23 06:37:22 1ro1Yn-00000001itI-3Yo3 => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4379 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK  1711201042 lk5-20020a17090308c500b001e09468e718si1653068plb.39 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001itI-3Yo3 Completed
2024-03-23 06:37:22 1ro1Yo-00000001itW-06Rm => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4382 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK  1711201042 r6-20020a632046000000b005e49532dc9esi3994893pgm.309 - gsmtp"
2024-03-23 06:37:22 1ro1Yo-00000001itW-06Rm Completed
2024-03-23 06:37:23 1ro1Yo-00000001itl-1Es2 => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4617 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK  1711201043 y4-20020a62f244000000b006e64519650esi1605014pfl.205 - gsmtp"
2024-03-23 06:37:23 1ro1Yo-00000001itl-1Es2 Completed
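
The selector mismatch behind the "no key for signature" result can be checked mechanically. The script below is an added example, not part of the original post or of DirectAdmin: it takes the `header.s=` selector a receiver recorded and checks whether a matching `<selector>._domainkey` TXT record exists in zone text. The zone excerpt (publishing only `default`) and the function names are assumptions made for illustration.

```bash
#!/bin/sh
# Constructed inputs: the Authentication-Results fragment quoted in the post,
# and an assumed zone excerpt that publishes only the "default" selector
# (the public key is a placeholder, not a real key).
AUTH_RESULTS='dkim=temperror (no key for signature) header.i=@mailersafelist.com header.s=x header.b=u2Rl9vzv;'
ZONE='default._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"
_dmarc 3600 IN TXT "v=DMARC1; p=reject; sp=reject"'

# Print the value of one header.<tag>= field ($2 is "s" or "i").
ar_field() {
    printf '%s\n' "$1" | sed -n "s/.*header\.$2=\([^ ;]*\).*/\1/p" | head -n 1
}

# List every selector that has a <selector>._domainkey TXT record in the zone text.
published_selectors() {
    printf '%s\n' "$1" | awk '
        $1 ~ /\._domainkey$/ && toupper($0) ~ / TXT / {
            sub(/\._domainkey$/, "", $1); print $1
        }'
}

# Compare the selector the receiver looked up with what the zone publishes.
check_dkim_selector() {  # $1 = Authentication-Results text, $2 = zone text
    sel=$(ar_field "$1" s)
    dom=$(ar_field "$1" i); dom=${dom#*@}
    pub=$(published_selectors "$2" | tr '\n' ' ' | sed 's/ $//')
    if published_selectors "$2" | grep -qxF "$sel"; then
        echo "OK: ${sel}._domainkey.${dom} is published"
    else
        echo "MISSING: ${sel}._domainkey.${dom} (zone publishes: ${pub:-none})"
    fi
}

check_dkim_selector "$AUTH_RESULTS" "$ZONE"
```

Against live DNS, the name reported as MISSING is the one to query, for example with `dig +short TXT x._domainkey.mailersafelist.com`.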
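
To see which messages were slowed down by the resolver and IPv6 problems described in the post, the mainlog can be grouped by message ID. The script below is an added example, not part of the original post: it reports, per completed message, the time between its first logged event and `Completed`, together with the failure reasons seen on the way. The sample lines are constructed from the log format quoted above, with example.com placeholder addresses, and the function names are illustrative.

```bash
#!/bin/sh
# Constructed sample, modelled on the mainlog lines quoted in the post.
sample_log() {
cat <<'EOF'
2024-03-20 01:16:54 1rmr7s-00000009EkT-1H8z == user@example.com R=lookuphost defer (-1): host lookup did not complete
2024-03-20 01:28:41 1rmr7s-00000009EkT-1H8z H=gmail-smtp-in.l.google.com [2607:f8b0:4023:c0d::1b] Network is unreachable
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z [142.251.2.27] SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid" H="gmail-smtp-in.l.google.com"
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z => user@example.com R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no C="250 2.0.0 OK"
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z Completed
2024-03-23 06:37:22 1ro1Yo-00000001itl-1Es2 <= sender@example.com U=user P=local S=3666
2024-03-23 06:37:23 1ro1Yo-00000001itl-1Es2 => user@example.com R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK"
2024-03-23 06:37:23 1ro1Yo-00000001itl-1Es2 Completed
EOF
}

# Read Exim mainlog lines on stdin; print one line per completed message.
# Assumption: a message's events all fall on the same calendar day.
delivery_delays() {
    awk '
        function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
        # Field 3 is the message ID on per-message lines (three dash-separated groups).
        $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ {
            id = $3
            if (!(id in first)) { first[id] = secs($2); order[++n] = id }
            if (/host lookup did not complete/) why[id] = why[id] "dns-defer,"
            if (/Network is unreachable/)       why[id] = why[id] "ipv6-unreachable,"
            if (/SSL verify error/)             why[id] = why[id] "tls-verify,"
            if ($4 == "Completed")              done[id] = secs($2)
        }
        END {
            for (i = 1; i <= n; i++) {
                id = order[i]
                if (!(id in done)) continue          # still queued: skip
                r = why[id]; sub(/,$/, "", r)
                printf "%s delay=%ds causes=%s\n", id, done[id] - first[id], (r == "" ? "none" : r)
            }
        }'
}

sample_log | delivery_delays
```

On a live server the same function can be fed with `delivery_delays < /var/log/exim/mainlog`; after IPv6 is disabled and the resolvers are fixed, new messages should report `causes=none`.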