Not possible to disable DKIM signing for a single domain #1048

Open

PitWenkin opened this issue Apr 17, 2025 · 18 comments

@PitWenkin (Contributor) commented Apr 17, 2025

As @aqueos pointed out in #777:

> Contrary to what it could appear, having OUTGOING email signing is not related to having POP/IMAP boxes on the domain.
>
> A website could need DKIM signing even if the POP/IMAP is elsewhere, to be able to send to Google or Microsoft from the website itself.

I have a server with DKIM enabled globally but with several domains which shouldn't have their emails signed:

  1. Mail for domain is enabled but DNS is hosted elsewhere and not in control of Virtualmin
  2. Mail for domain is disabled and DNS is hosted elsewhere and not in control of Virtualmin

As mentioned in #119 (comment), signing a domain with DKIM while there is no or a different entry in DNS is worse than not signing.

The settings under DomainKeys Identified Mail are:

[screenshot of the DomainKeys Identified Mail settings page]

So neither of the two domains mentioned should be signed.

Only domains matching the DNS and email enabled criteria and those listed in Extra domains to sign for are listed under Domains currently signed for.

There is an Add DomainKeys Identified Mail records option in DNS Options, as seen on @iliaross's screenshot in #777 (comment), but DNS Options is not available for my two domains.

Contrary to #1018, saving the DomainKeys Identified Mail form seems to add DKIM signing to previously unsigned domains, but it does not remove signing from domains that should not be signed.

Either I'm missing a setting which would allow removing signing for domains, or there is a bug…

@jcameron (Collaborator)

You can control DKIM signing on a per-domain basis at DNS Settings -> DNS Options -> Add DomainKeys Identified Mail records

@PitWenkin (Contributor, Author)

> but DNS Options is not available for my two domains.

@iliaross (Member)

> but DNS Options is not available for my two domains.

Is the "DNS for Domain" feature enabled on the "Edit Virtual Server" page for these?

@PitWenkin (Contributor, Author)

> > but DNS Options is not available for my two domains.
>
> Is the "DNS for Domain" feature enabled on the "Edit Virtual Server" page for these?

No, as DNS is hosted elsewhere and not in control of Virtualmin.

@jcameron (Collaborator)

Try this:

1 - SSH into your Virtualmin system as root and run virtualmin list-domain --domain yourdomain.com --file-only

2 - Edit the file output by the previous command, and at the end add the line dkim_enabled=0

3 - Go back to the DKIM page in the UI, and re-save it.

@PitWenkin (Contributor, Author)

> Try this:
>
> 1 - SSH into your Virtualmin system as root and run virtualmin list-domain --domain yourdomain.com --file-only

list-domains ;-)

> 2 - Edit the file output by the previous command, and at the end add the line dkim_enabled=0
>
> 3 - Go back to the DKIM page in the UI, and re-save it.

Did not help. Emails are still being signed.

@jcameron (Collaborator)

Which Linux distro and version are you running there? From that I can figure out which config file contains the list of domains to sign for.

@PitWenkin (Contributor, Author)

> Which Linux distro and version are you running there? From that I can figure out which config file contains the list of domains to sign for.

Operating system: Ubuntu Linux 22.04.5
Webmin version: 2.303
Usermin version: 2.203
Virtualmin version: 7.30.8

Files being used by opendkim are:

/etc/dkim-domains.txt
/etc/dkim-keytable
/etc/dkim-signingtable
/etc/dkim.key
/etc/dkimkeys/…

It seems as if Virtualmin only makes changes in /etc/dkim-domains.txt but not in /etc/dkim-signingtable.
Both files have the same permissions (rwxr-xr-x) and user/group (root:root); therefore it should not be a problem with permissions?

When I manually change the content of those files, signing is done (or not) as it should.

@jcameron (Collaborator)

Ok that could be an issue. In the primary DKIM config file (something like /etc/opendkim.conf), which lines refer to /etc/dkim-domains.txt and /etc/dkim-signingtable ?

@PitWenkin (Contributor, Author)

> Ok that could be an issue. In the primary DKIM config file (something like /etc/opendkim.conf), which lines refer to /etc/dkim-domains.txt and /etc/dkim-signingtable ?

These are the (relevant) entries in /etc/opendkim.conf:

Domain /etc/dkim-domains.txt
Selector 202410
KeyFile /etc/dkim.key
…
SigningTable refile:/etc/dkim-signingtable
KeyTable /etc/dkim-keytable

/etc/dkim-domains.txt had a proper list of domains that should have been signed (according to the settings in the DomainKeys form).

/etc/dkim-signingtable had one entry: * default

/etc/dkim-keytable had one entry: default %:202410:/etc/dkim.key

/etc/dkim.key had (and has) the right key.

Additional info:

On a server where DKIM was never used, there was only an /etc/opendkim.conf file with default settings (none of the /etc/dkim-* files actively used) as well as the /etc/dkimkeys/ folder.

The one and only active website was already filled in in the Extra domains to sign for text area. (The website has no DNS active, therefore I think the fact that it was pre-filled is OK.)
This is a screenshot AFTER enabling and saving the form:
[screenshot of the DomainKeys Identified Mail form after enabling and saving]

Output on screen after saving:

Finding virtual servers to enable DKIM for ..
.. no virtual servers with DNS and email enabled were found, but enabling for 1 extra domains

Generating private key in file /etc/dkim.key ..
.. done

Extracting public key from private key in /etc/dkim.key ..
.. done

Setting domain and selector in DKIM filter configuration ..
.. done

Enabling DKIM filter at boot time ..
.. done

Starting DKIM filter ..
.. done

Configuring mail server to use DKIM filter ..
.. done

After this:
/etc/dkim-domains.txt was created with the domain from Extra domains to sign for
/etc/opendkim.conf was changed and had the following entries:

Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 202503

There were no files created for signingtable or keytable nor are they referenced in the opendkim.conf.

When I created a second website (without DNS enabled) the domain was added to the /etc/dkim-domains.txt, which should not have happened.
When I revisited the DomainKeys form it was NOT included in the Extra domains to sign for but in the list of Domains currently signed for. When I saved the form the domain was removed from the /etc/dkim-domains.txt.
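
Added example, not Virtualmin's or OpenDKIM's code: a small Python emulation of the signing decision for the three setups described in the two comments above (the Domain/Selector/KeyFile config Virtualmin writes, the hybrid config with the `* default` SigningTable row, and the same hybrid config with the SigningTable scoped to one domain). It shows why, with the catch-all row, a domain removed from /etc/dkim-domains.txt is still signed. The precedence rule it applies (a configured SigningTable decides by itself and the Domain list is not consulted) is an assumption chosen to reproduce the behaviour reported in the thread, and the file contents are constructed stand-ins, not copies of a real system.

```python
"""Which outgoing mail would OpenDKIM sign under the setups discussed above?

Added example, not OpenDKIM or Virtualmin code. The precedence rule (a
configured SigningTable decides on its own; the Domain list is not
consulted) is an assumption that reproduces what the thread observed.
File contents are constructed stand-ins.
"""
import fnmatch
from typing import Optional

# What Virtualmin writes on a fresh system, per the thread.
CONF_VIRTUALMIN = """\
Domain /etc/dkim-domains.txt
KeyFile /etc/dkim.key
Selector 202503
"""

# The production system: Domain list plus a manually added SigningTable/KeyTable.
CONF_HYBRID = """\
Domain /etc/dkim-domains.txt
Selector 202410
KeyFile /etc/dkim.key
SigningTable refile:/etc/dkim-signingtable
KeyTable /etc/dkim-keytable
"""

# Constructed file contents; only signed.example is supposed to be signed.
FILES_CATCHALL = {
    "/etc/dkim-domains.txt": "signed.example\n",
    "/etc/dkim-signingtable": "* default\n",                   # matches every From: address
    "/etc/dkim-keytable": "default %:202410:/etc/dkim.key\n",  # domain:selector:keyfile
}
FILES_SCOPED = {**FILES_CATCHALL,
                "/etc/dkim-signingtable": "*@signed.example default\n"}  # one row per domain


def parse_conf(text: str) -> dict:
    """opendkim.conf as a dict of 'Key value' lines; blanks and comments skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def read_rows(path: str, files: dict) -> list:
    """Rows of a dataset file as tuples of whitespace-separated fields."""
    rows = []
    for line in files.get(path, "").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(tuple(line.split()))
    return rows


def dataset_path(value: str) -> str:
    """Drop an OpenDKIM dataset prefix such as 'refile:' or 'file:'."""
    return value.split(":", 1)[1] if ":" in value else value


def would_sign(conf_text: str, files: dict, from_addr: str) -> Optional[str]:
    """'<domain>:<selector>' the message would be signed with, or None."""
    conf = parse_conf(conf_text)
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1]

    if "SigningTable" in conf:
        # Assumed precedence: the SigningTable alone decides, so a '*' row
        # signs for domains that are absent from /etc/dkim-domains.txt.
        keytable = {row[0]: row[1] for row in read_rows(dataset_path(conf["KeyTable"]), files)}
        for pattern, keyname in read_rows(dataset_path(conf["SigningTable"]), files):
            if fnmatch.fnmatchcase(from_addr, pattern.lower()):
                domain, selector, _keyfile = keytable[keyname].split(":", 2)
                # '%' in the KeyTable domain field stands for the matched domain
                return f"{from_domain if domain == '%' else domain}:{selector}"
        return None

    # Virtualmin's simple form: sign only for domains listed in the Domain dataset.
    domain_value = conf["Domain"]
    if domain_value.startswith("/"):
        listed = {row[0].lower() for row in read_rows(domain_value, files)}
    else:
        listed = {d.strip().lower() for d in domain_value.split(",")}
    return f"{from_domain}:{conf['Selector']}" if from_domain in listed else None


def report(from_addr: str) -> dict:
    """Signing decision for one sender under the three setups."""
    return {
        "virtualmin_default": would_sign(CONF_VIRTUALMIN, FILES_CATCHALL, from_addr),
        "hybrid_catchall": would_sign(CONF_HYBRID, FILES_CATCHALL, from_addr),
        "hybrid_scoped": would_sign(CONF_HYBRID, FILES_SCOPED, from_addr),
    }


if __name__ == "__main__":
    for addr in ("root@signed.example", "cms@unsigned.example"):
        print(addr, report(addr))
```

For cms@unsigned.example the catch-all hybrid config returns a signature with the 202410 selector even though the domain is not in /etc/dkim-domains.txt, while both Virtualmin's default form and the scoped signing table leave it unsigned. If the SigningTable is kept at all, one `*@domain keyname` row per signed domain is what gives the per-domain control the issue asks for.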

@jcameron (Collaborator)

> When I created a second website (without DNS enabled) the domain was added to the /etc/dkim-domains.txt, which should not have happened.

Did this website have email enabled? Looking at the current code, if it doesn't have DNS, it shouldn't get DKIM signing when Domains to sign for by default is set to Only those with DNS and email enabled.

@aqueos commented Apr 28, 2025

Hi,

You don't need to have email enabled to sign OUTGOING mail from a website. There is no need to host an IMAP account on the server to sign the outgoing emails of the website with DKIM :)

I have also seen a problem in the DKIM configuration but had not found the time to make a test case to report the exact issue, but yes, I had the case where the server started to sign all outgoing mail even when not listed, and similar problematic behaviours. I ended up doing chattr +i on the files so it stops doing silly things.

Best regards,
Ghislain.

@PitWenkin (Contributor, Author)

> > When I created a second website (without DNS enabled) the domain was added to the /etc/dkim-domains.txt, which should not have happened.
>
> Did this website have email enabled? Looking at the current code, if it doesn't have DNS, it shouldn't get DKIM signing when Domains to sign for by default is set to Only those with DNS and email enabled.

It has Mail for Domain enabled but no DNS.

The settings for DKIM are those in the screenshot above (Only those with DNS and email enabled) and, as I wrote, signing was ONLY enabled directly after creation of the website, but removed once I saved the form…

@PitWenkin (Contributor, Author)

> You don't need to have email enabled to sign OUTGOING mail from a website. There is no need to host an IMAP account on the server to sign the outgoing emails of the website with DKIM :)

I know… this is exactly my problem:

> 2. Mail for domain is disabled and DNS is hosted elsewhere and not in control of Virtualmin

I have a website that has no email accounts, only some system mail sent via the CMS. But those emails are signed while they should not be. I would need to contact a 3rd party, which is managing the DNS, to get the corresponding entry added/updated.

@iliaross (Member)

I can’t say for sure, but it looks like the problem is with your manually created hybrid setup that either OpenDKIM or Virtualmin isn’t handling well.

We only set up a simple config with Domain, Selector, and KeyFile. You also added SigningTable and KeyTable manually, and that’s probably what’s causing the issues.

I don’t think that setup is even recommended. I’d suggest commenting those extra options out and sticking to the defaults.

And, please, if you manually change a service’s config, it’s really important to mention it right from the start!

@PitWenkin (Contributor, Author)

> I can’t say for sure, but it looks like the problem is with your manually created hybrid setup that either OpenDKIM or Virtualmin isn’t handling well.
>
> We only set up a simple config with Domain, Selector, and KeyFile. You also added SigningTable and KeyTable manually, and that’s probably what’s causing the issues.
>
> I don’t think that setup is even recommended. I’d suggest commenting those extra options out and sticking to the defaults.

You're right, it seems that SigningTable and KeyTable are not needed. They were however needed once in the last 2-3 years. We had to add them for the signing to work at all… We just can't remember if this was due to OpenDKIM, Virtualmin, or an interaction between the two. After multiple OS upgrades and Virtualmin updates, there is no way to tell why this was the case.

> And, please, if you manually change a service’s config, it’s really important to mention it right from the start!

While it is true that on the production servers the two files seem to have caused the problems for existing websites, I'm still not sure if it isn't a bug during the creation of new websites.

The whole Additional info stuff was done on a developer machine where DKIM was still configured out of the box.

Adding a website without DNS enabled, no matter if emails were enabled or not, should not have led to the emails being signed.

@iliaross (Member)

> Adding a website without DNS enabled, no matter if emails were enabled or not, should not have led to the emails being signed.

Why is that? DKIM signing should work no matter where the DNS is hosted...

The mail server uses OpenDKIM to sign outgoing emails with its private key, and the receiving server checks the public key through DNS to verify it.

That part doesn’t really depend on where DNS is hosted, does it?
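
Added example, not part of the thread or of Virtualmin: a stdlib-only Python pre-flight check for the situation described in the opening post (signing key on the Virtualmin box, DNS hosted by a third party). The signing side does not depend on where DNS is hosted, as the comment above says, but the verifying side does, so the check takes the TXT record value fetched separately (for instance with dig +short TXT, which is not run here) and compares its p= tag with the public key Virtualmin extracts from /etc/dkim.key. It flags a missing record, a revoked (empty p=) record and a stale or wrong-selector key, which are the cases in which signing is worse than not signing. The key body and record values are constructed placeholders, not a real key; the selector and domain names are examples.

```python
"""Pre-flight check: does <selector>._domainkey.<domain> publish the key the
filter will sign with?

Added example, not part of the thread or of Virtualmin. The record value is
obtained outside this script (e.g. `dig +short TXT 202410._domainkey.example.org`),
so the check runs offline. PEM body and record values below are constructed
placeholders, not real keys.
"""
import re

PUBLIC_KEY_PEM = """\
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedKeyBodyPart1
constructedKeyBodyPart2IDAQAB
-----END PUBLIC KEY-----
"""

# dig prints TXT records longer than 255 bytes as several quoted strings that belong together.
RECORD_MATCHING = ('"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructedKeyBodyPart1" '
                   '"constructedKeyBodyPart2IDAQAB"')
RECORD_STALE = '"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkeyOfAnOlderSelectorIDAQAB"'
RECORD_REVOKED = '"v=DKIM1; p="'   # empty p= means the selector is revoked (RFC 6376)
RECORD_ABSENT = ""                 # dig +short prints nothing when the name does not exist


def record_name(selector: str, domain: str) -> str:
    """DNS name a verifier queries for this selector and signing domain."""
    return f"{selector}._domainkey.{domain}"


def pem_public_key_b64(pem: str) -> str:
    """Base64 body of a PEM public key with armour lines and whitespace removed."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return re.sub(r"\s+", "", body)


def parse_dkim_record(txt: str) -> dict:
    """Tag/value pairs of a DKIM TXT record; quoted string parts are joined first."""
    joined = "".join(re.findall(r'"([^"]*)"', txt)) or txt
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_record(pem: str, txt: str) -> list:
    """Problems that make signing with this key pointless or harmful; [] means OK."""
    tags = parse_dkim_record(txt)
    problems = []
    if "p" not in tags:
        problems.append("no p= tag: record missing or not a DKIM record")
        return problems
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"key type k={tags['k']} does not match an RSA key file")
    if tags["p"] == "":
        problems.append("p= is empty: the selector is published as revoked")
    elif tags["p"] != pem_public_key_b64(pem):
        problems.append("p= does not match the local public key (stale key or wrong selector)")
    return problems


if __name__ == "__main__":
    name = record_name("202410", "example.org")
    for label, rec in (("matching", RECORD_MATCHING), ("stale", RECORD_STALE),
                       ("revoked", RECORD_REVOKED), ("absent", RECORD_ABSENT)):
        print(name, label, check_record(PUBLIC_KEY_PEM, rec) or "OK")
```

Only a domain whose record comes back with an empty problem list should be added to the domains to sign for; for the two domains in the opening post the third-party DNS would have to carry the matching record first, which is exactly why the author wants them left unsigned.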

@PitWenkin (Contributor, Author)

> > Adding a website without DNS enabled, no matter if emails were enabled or not, should not have led to the emails being signed.
>
> Why is that? DKIM signing should work no matter where the DNS is hosted...

Because Only those with DNS and email enabled is selected.
