DKIM FAIL & SSL verify error
Posted: March 23rd, 2024, 9:04 am
Hello everyone,
A few weeks ago...
I've got problems with my mail server,
Suddenly DKIM FAIL within mailersafelist.com.
According to GMAIL original email header:
Code:
SPF: PASS with IP 104.37.168.247
DKIM: 'FAIL' with domain mailersafelist.com
DMARC: 'PASS'
...
...
ARC-Authentication-Results: i=1; mx.google.com;
dkim=temperror (no key for signature) header.i=@mailersafelist.com header.s=x header.b=u2Rl9vzv;
spf=pass (google.com: domain of ...@mailersafelist.com designates 104.37.168.247 as permitted sender) smtp.mailfrom=...@mailersafelist.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mailersafelist.com
...
...
I've already checked each domain within:
- user level
- Email Manager
- Email Account
All of the DKIM options are already enabled.
Tested with these DKIM checkers:
- MXToolBox
- EasyDMARC
All emails are working fine, went through to the inbox and were not rejected/rate limited. (SPF, DMARC no problems).
Well, I'm confused,
but something went wrong exactly...
which fails with one domain only, and the other domains have no problem at all...
Google mail system glitched?
DirectAdmin system glitched?
According to DA support:
/etc/exim.dkim.conf still had the old "x" selector after it was changed to "default" in the directadmin.conf
and I'm really confused by that glitch.
I've already checked and changed it to this:
Code:
[root@srv8 ~]# cat /etc/exim.dkim.conf
#/etc/exim.dkim.conf v1.7
dkim_domain = ${if or { \
{eq{$sender_address_domain}{}} \
{eq{$sender_address_domain}{$primary_hostname}} \
} \
{$primary_hostname}{${lookup{$sender_address_domain}lsearch,ret=key{/etc/virtual/domainowners}{$value}}}}
dkim_selector = default
dkim_private_key = ${if exists{/etc/virtual/$dkim_domain/dkim.private.key}{/etc/virtual/$dkim_domain/dkim.private.key}{0}}
dkim_canon = relaxed
dkim_strict = 0
[root@srv8 ~]#
And I'm glad the mail server is running fine afterward.
But another problem arose... a few days ago...
I've got another problem with gmail...
#1. SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid"
#2. Email is still delivered, but takes a longer time to be finished by the mail server.
Trying to dig more into the problems...
Code:
[root@srv8 ~]# tail -n 30 /var/log/exim/mainlog
...
...
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z [142.251.2.27] SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid" H="gmail-smtp-in.l.google.com"
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4367 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no C="250 2.0.0 OK 1710923322 ju9-20020a170903428900b001d9b8bc0fd8si12021852plb.68 - gsmtp"
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z Completed
...
...
[root@srv8 ~]#
According to DA Panel team support, the specific issues are:
Code:
2024-03-20 01:16:54 1rmr7s-00000009EkT-1H8z == ...@gmail.com R=lookuphost defer (-1): host lookup did not complete
and:
Code:
2024-03-20 01:28:41 1rmr7s-00000009EkT-1H8z H=gmail-smtp-in.l.google.com [2607:f8b0:4023:c0d::1b] Network is unreachable
shows both - resolver issues,
the DC hosting provides "closer/reliable" resolvers, might attempt to use ipv6.
(there's a "local" ipv6 IP configured, but in practice ipv6 is unreachable... and it can be disabled in /etc/exim.conf so that it does not try to use ipv6, customisable in /etc/exim.variables.conf.custom, followed by an exim_conf rebuild)
Then I've changed this file:
/etc/exim.variables.conf.custom
with:
Code:
disable_ipv6=true
smtp_receive_timeout=15m
And then ran the "Configuring and customizing Exim" steps to update exim.conf:
Code:
cd /usr/local/directadmin/custombuild
./build set exim yes
./build set eximconf yes
./build set spamassassin yes
./build exim
./build exim_conf
This should rewrite the exim configuration files with the ipv6 being disabled.
As per custombuild.1710948207.2372220.ZXhpbQA.log file:
Code:
Configuration file /etc/exim.conf already exists
Exim installation complete
Moving exim binary.
Restarting exim.
Enabling exim in systemd...
Exim 4.97.1 Installed.
From Exim mainlog:
Code:
2024-03-20 09:57:04 exim 4.97.1 daemon started: pid=2494190, -q1h, listening for SMTP on port 25 (IPv4) port 587 (IPv4) and for SMTPS on port 465 (IPv4)
and finally... Looks like everything is working normally now, as per day-to-day activity.
Code:
2024-03-23 06:37:22 1ro1Yo-00000001itl-1Es2 <= ...@marketer-safelist.com U=... P=local S=3666 T="Marketer Safelist Mailing Complete!" from <...@marketer-safelist.com> for ...@gmail.com
2024-03-23 06:37:22 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ro1Yo-00000001itl-1Es2
2024-03-23 06:37:22 1ro1Yn-00000001iss-24rq => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4375 H=gmail-smtp-in.l.google.com [142.251.2.26] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK 1711201042 y19-20020a63de53000000b005dc833ef4e5si4011703pgi.64 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001iss-24rq Completed
2024-03-23 06:37:22 1ro1Yn-00000001isS-0fYy => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4356 H=gmail-smtp-in.l.google.com [142.251.2.26] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK 1711201042 u3-20020a632343000000b005eb4d2501c7si4077774pgm.693 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001isS-0fYy Completed
2024-03-23 06:37:22 1ro1Yn-00000001it5-2r7q => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4360 H=gmail-smtp-in.l.google.com [142.251.2.26] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK 1711201042 f17-20020a170902ce9100b001dde0e3c188si1652901plg.366 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001it5-2r7q Completed
2024-03-23 06:37:22 1ro1Yn-00000001itI-3Yo3 => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4379 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK 1711201042 lk5-20020a17090308c500b001e09468e718si1653068plb.39 - gsmtp"
2024-03-23 06:37:22 1ro1Yn-00000001itI-3Yo3 Completed
2024-03-23 06:37:22 1ro1Yo-00000001itW-06Rm => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4382 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK 1711201042 r6-20020a632046000000b005e49532dc9esi3994893pgm.309 - gsmtp"
2024-03-23 06:37:22 1ro1Yo-00000001itW-06Rm Completed
2024-03-23 06:37:23 1ro1Yo-00000001itl-1Es2 => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4617 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK 1711201043 y4-20020a62f244000000b006e64519650esi1605014pfl.205 - gsmtp"
2024-03-23 06:37:23 1ro1Yo-00000001itl-1Es2 Completed
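
Added example (not part of the original post and not DirectAdmin code): a Python check for the selector mismatch described above, comparing the header.s= selector Gmail reported with the dkim_selector line in exim.dkim.conf. The `published` set is an assumption standing in for a DNS lookup of the domain's _domainkey TXT records, and the function names are hypothetical.

```python
import re

# Constructed from the ARC-Authentication-Results header quoted in the post.
FAILING = ("i=1; mx.google.com; dkim=temperror (no key for signature) "
           "header.i=@mailersafelist.com header.s=x header.b=u2Rl9vzv; "
           "dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=mailersafelist.com")
# Constructed: the same result as it would read once signing uses "default".
PASSING = "mx.google.com; dkim=pass header.i=@mailersafelist.com header.s=default"
# Settings as in the corrected /etc/exim.dkim.conf shown in the post.
EXIM_DKIM_CONF = "dkim_selector = default\ndkim_canon = relaxed\ndkim_strict = 0\n"


def dkim_clauses(auth_results):
    """Yield (result, domain, selector) for every dkim= clause in the header value."""
    for clause in auth_results.split(";"):
        res = re.search(r"\bdkim=(\w+)", clause)
        dom = re.search(r"header\.[id]=(?:\S*@)?([\w.-]+)", clause)
        sel = re.search(r"header\.s=([\w.-]+)", clause)
        if res and dom and sel:
            yield res.group(1), dom.group(1), sel.group(1)


def configured_selector(conf_text):
    """Literal dkim_selector value, or None when unset or an Exim expansion."""
    m = re.search(r"^\s*dkim_selector\s*=\s*(\S+)\s*$", conf_text, re.M)
    return None if not m or "$" in m.group(1) else m.group(1)


def selector_findings(auth_results, conf_text, published):
    """published: selectors that have a TXT record in DNS (supplied by the caller)."""
    conf_sel, out = configured_selector(conf_text), []
    for result, domain, sel in dkim_clauses(auth_results):
        if sel not in published:
            out.append(f"dkim={result}: no key at {sel}._domainkey.{domain}")
        if conf_sel and sel != conf_sel:
            out.append(f"signed with s={sel}, exim.dkim.conf now says {conf_sel}")
    return out


if __name__ == "__main__":
    for finding in selector_findings(FAILING, EXIM_DKIM_CONF, {"default"}):
        print(finding)
```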
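
Added example (not part of the original post): a Python triage of the mainlog lines quoted above, grouping entries by message id and flagging the DNS defer, the unreachable IPv6 attempt, the TLS verify error and any delivery logged with CV=no, plus the time from first to last entry. The finding labels and the function name are made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines taken from the mainlog excerpts in the post; C="..." replies shortened.
SAMPLE_LOG = """\
2024-03-20 01:16:54 1rmr7s-00000009EkT-1H8z == ...@gmail.com R=lookuphost defer (-1): host lookup did not complete
2024-03-20 01:28:41 1rmr7s-00000009EkT-1H8z H=gmail-smtp-in.l.google.com [2607:f8b0:4023:c0d::1b] Network is unreachable
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z [142.251.2.27] SSL verify error: certificate name mismatch: DN="/OU=No SNI provided; please fix your client./CN=invalid2.invalid" H="gmail-smtp-in.l.google.com"
2024-03-20 01:28:42 1rmr7s-00000009EkT-1H8z => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4367 H=gmail-smtp-in.l.google.com [142.251.2.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no C="250 2.0.0 OK"
2024-03-23 06:37:22 1ro1Yn-00000001iss-24rq => ...@gmail.com F=<...@marketer-safelist.com> R=lookuphost T=remote_smtp S=4375 H=gmail-smtp-in.l.google.com [142.251.2.26] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=yes C="250 2.0.0 OK"
"""

# timestamp, message id (three dash-separated fields), remainder of the line
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+-\w+-\w+) (.*)$")
IPV6_HOST = re.compile(r"\[[0-9A-Fa-f]*:[0-9A-Fa-f:]*\]")


def triage(log_text):
    """Return {message_id: {"delay_s": int, "findings": [str, ...]}}."""
    seen = defaultdict(lambda: {"first": None, "last": None, "findings": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # daemon start and cwd= lines carry no message id
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg, rest = seen[m.group(2)], m.group(3)
        msg["first"] = msg["first"] or ts
        msg["last"] = ts
        if "host lookup did not complete" in rest:
            msg["findings"].add("dns-defer")
        if "Network is unreachable" in rest and IPV6_HOST.search(rest):
            msg["findings"].add("ipv6-unreachable")
        if "SSL verify error" in rest:
            msg["findings"].add("tls-verify-error")
        if rest.startswith("=> ") and " CV=no" in rest:
            msg["findings"].add("delivered-unverified")
    return {
        mid: {"delay_s": int((m["last"] - m["first"]).total_seconds()),
              "findings": sorted(m["findings"])}
        for mid, m in seen.items()
    }


if __name__ == "__main__":
    for mid, info in triage(SAMPLE_LOG).items():
        print(mid, info)
```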