DKIM multiple domains (kerio server with multiple domains - DKIM)

edwardpv

Messages: 4
Karma: 0
I have a Kerio server set up with multiple domains... but it seems that for the DKIM setup it only uses the SSL keys for the main domain. Is there a way to set up different public / private DKIM keys for each domain in Kerio?
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
The server uses the same public key for all local email domains.
edwardpv

Messages: 4
Karma: 0
Hmm, I am using Route 53, which only accepts a 1024-bit key, so I followed the instructions to make a 1024-bit key, but I keep getting the message that "the public DKIM key for this domain is either invalid or doesn't match the private key".
Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
Make sure that the DKIM public key is correctly published in the DNS (in one line, no spaces).
Also, it can take several hours for a change in your DNS to propagate, depending on DNS settings. In Kerio Connect you can get the information from the debug log (DNS resolver option), e.g.:

[18/Oct/2013 23:47:04][2940] {dns} Searching cache for DKIM TXT records for host mail._domainkey.domain.com
[18/Oct/2013 23:47:04][2940] {dns} Searching for DKIM public key record in domain mail._domainkey.domain.com
[18/Oct/2013 23:47:04][2940] {dns} DNS server(s) count: 1, (0 detectected as duplicate(s)). 
[18/Oct/2013 23:47:04][2940] {dns} DNS server address(es): 192.168.10.10
[18/Oct/2013 23:47:04][2940] {dns} Querying server no. 1, address 192.168.10.10
[18/Oct/2013 23:47:04][2940] {dns} Got answer
[18/Oct/2013 23:47:04][2940] {dns} Valid answer arrived
[18/Oct/2013 23:47:04][2940] {dns} DKIM TXT record: v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/WBocrmMLKBoRG/rWN0uHJknmlJbpT/HRN9h7M3y9LJk9Zkn6h1POyrO1Y18I3O9o0qjO4INqw0

Keep in mind that each DNS record has a TTL for caches. You can verify it, for example, with the dig command:

localhost:~ pdobry$ dig TXT mail._domainkey.domain.com

; <<>> DiG 9.8.5-P1 <<>> TXT mail._domainkey.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36987
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail._domainkey.domain.com. IN TXT

;; AUTHORITY SECTION:
domain.com. 55 IN SOA ns1.ignum.com. hostmaster.ignum.cz. 2013091101 10800 3600 604800 3600

;; Query time: 125 msec
;; SERVER: 192.168.81.1#53(192.168.81.1)
;; WHEN: Fri Oct 18 23:45:33 CEST 2013
;; MSG SIZE rcvd: 109

[Updated on: Fri, 18 October 2013 23:51]

edwardpv

Messages: 4
Karma: 0
Actually, my issue was that you need to have a DNS entry for each alias... this was not very clear from the documentation.
b-tom

Messages: 194
Karma: 4
Does Kerio support DKIM public keys longer than 2048-bit length?
Kedar

Messages: 1320
Karma: 48
See RFC 4871; keys longer than 2048 bits can cause problems for the verifier.

3.3.3. Key Sizes

Selecting appropriate key sizes is a trade-off between cost, performance, and risk. Since short RSA keys more easily succumb to off-line attacks, signers MUST use RSA keys of at least 1024 bits for long-lived keys. Verifiers MUST be able to validate signatures with keys ranging from 512 bits to 2048 bits, and they MAY be able to validate signatures with larger keys. Verifier policies may use the length of the signing key as one metric for determining whether a signature is acceptable.

Factors that should influence the key size choice include the following:

o The practical constraint that large (e.g., 4096 bit) keys may not fit within a 512-byte DNS UDP response packet

o The security constraint that keys smaller than 1024 bits are subject to off-line attacks

o Larger keys impose higher CPU costs to verify and sign email
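The two points made above, Pavel's check that the published record reaches the verifier as one clean tag=value string, and the RFC's 512-byte UDP constraint on key size, worked through in Python. This is an added example, not Kerio's code or any poster's; the DER helpers, the dummy modulus values in the usage, and the owner name mail._domainkey.domain.com are assumptions. It builds the SubjectPublicKeyInfo a DKIM p= tag carries, reads the key size back out of it, cuts the record into the 255-octet strings a TXT RDATA is made of, joins them the way a verifier does, and estimates the UDP reply size for 1024/2048/4096-bit keys.

```python
import base64

# Minimal DER helpers, written for this example (stdlib only).
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content
def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return _tlv(0x02, b"\x00" + b if b[0] & 0x80 else b)
def _read_tlv(buf, pos):  # returns (tag, content, position after the TLV)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption OID as a DER TLV
def rsa_spki_der(n, e=65537):  # SubjectPublicKeyInfo DER: the bytes a DKIM p= tag carries
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")
    pub = _tlv(0x30, _der_int(n) + _der_int(e))
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + pub))

def rsa_modulus_bits(spki):  # walk the SPKI down to the modulus and return its bit size
    _, outer, _ = _read_tlv(spki, 0)
    _, alg, pos = _read_tlv(outer, 0)
    if alg[:len(RSA_OID)] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = _read_tlv(outer, pos)
    _, pub, _ = _read_tlv(bitstr[1:], 0)  # skip the unused-bits octet
    _, n, _ = _read_tlv(pub, 0)
    return int.from_bytes(n, "big").bit_length()

def dkim_txt_strings(spki):  # record value cut into the 255-octet strings TXT RDATA uses
    txt = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
    return [txt[i:i + 255] for i in range(0, len(txt), 255)]

def parse_dkim_txt(strings):  # verifier view: join strings, split tags, ignore whitespace
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def udp_answer_size(owner, strings):  # minimal reply: header + question + one TXT RR
    qname = sum(len(lbl) + 1 for lbl in owner.rstrip(".").split(".")) + 1
    rdata = sum(len(s) + 1 for s in strings)  # each string carries a length octet
    return 12 + (qname + 4) + (2 + 10 + rdata)  # 2 = compressed owner name pointer
```

With a constructed 1024-bit modulus such as `(1 << 1023) | 1`, the p= value starts with the same `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` prefix as the record in the debug log above, which is why the key size can be read off the first characters of p=. For the name used here, a 2048-bit record gives a 468-byte reply and a 4096-bit one 813 bytes, past the 512-byte limit the RFC warns about.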
b-tom

Messages: 194
Karma: 4
Thank you for the clarification.
hafeez

Messages: 6
Karma: 0
I have Kerio Connect with 3 domains: 1. ukproperty.info (primary), 2. propertyadvisorandconsultant.i... and 3. PROPERTIESADVISORANDCONSULTANT.INFO. The DKIM selector is "mail". "mail._domainkey.ukproperty.inf..." is the DKIM record name in the DNS of the "ukproperty.info" domain. What will be the selector name for the "propertyadvisorandconsultant.i..." and "PROPERTIESADVISORANDCONSULTANT.INFO" domains in the respective DNS of each domain?

And what will be the SPF record name and value for the "propertyadvisorandconsultant.i..." and "PROPERTIESADVISORANDCONSULTANT.INFO" domains in the respective DNS of each domain?
noise

Messages: 19
Karma: 0
Hi all,

Is it possible that not all mail servers recognize the 2048-bit DKIM public key?

Here is a test from Kerio and Postfix, and a log from Postfix. Both are configured with DKIM; Postfix has a 1024-bit key and Kerio a 2048-bit key.

At http://dkimvalidator.com

With the Kerio 2048-bit key:

SpamAssassin Score: 1.112
Message is NOT marked as spam
Points breakdown:
0.0 HTML_MESSAGE BODY: HTML included in message
0.0 MIME_HTML_MOSTLY BODY: Multipart message mostly text/html MIME
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
1.0 XPRIO_SHORT_SUBJ Has X-Priority header + short subject

The other Postfix mail server with a 1024-bit key:

SpamAssassin Score: -0.101
Message is NOT marked as spam
Points breakdown:
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

May 11 15:10:29 hs1 postfix-local[30590]: postfix-local: from=user@kerio.server, to=user<_at_>postfix.server, dirname=/var/qmail/mailnames
May 11 15:10:29 hs1 spamassassin[30591]: Starting the spamassassin filter...
May 11 15:10:29 hs1 spamd[1517]: spamd: connection from hs.postfix.server [::1]:53034 to port 783, fd 6
May 11 15:10:29 hs1 spamd[1517]: spamd: using default config for user<_at_>postfix.server: /var/qmail/mailnames/postfix.server/user/.spamassassin/user_prefs
May 11 15:10:29 hs1 spamd[1517]: spamd: processing message <964F8BFD-5209-410B-9C1E-F3200EBB1BF4@djnoise.com> for user<_at_>postfix.server:30
May 11 15:10:29 hs1 spamd[1517]: spamd: clean message (-2.9/5.0) for user<_at_>postfix.server:30 in 0.3 seconds, 6213 bytes.
May 11 15:10:29 hs1 spamd[1517]: spamd: result: . -2 - ALL_TRUSTED,BAYES_00,HTML_MESSAGE,MIME_QP_LONG_LINE,T_DKIM_INVALID,URIBL_BLOCKED scantime=0.3,size=6213,user=user@postfix.server,uid=30,required_score=5.0,rhost=hs.postfix.server,raddr=::1,rport=53034,mid=<964F8BFD-5209-410B-9C1E-F3200EBB1BF4<_at_>kerio.server>,bayes=0.000000,autolearn=ham autolearn_force=no
May 11 15:10:29 hs1 dmarc[30593]: Starting the dmarc filter...
May 11 15:10:29 hs1 dmarc[30593]: DKIM record was not found in Authentication-Results:
May 11 15:10:29 hs1 dmarc[30593]: DMARC: PASS message for user<_at_>postfix.server
May 11 15:10:29 hs1 dk_check[30594]: Starting the dk_check filter...
May 11 15:10:29 hs1 dk_check[30594]: DKIM verify result: DKIM verification (d=noise.ch, 0-bit key) failed: key not found in DNS
noise

Messages: 19
Karma: 0
Any suggestions?

faq: with the http://appmaildev.com test, all tests are passed.

But since DKIM and DMARC were activated we don't receive emails from Gmail!

The main problem is:
DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid

But I don't find much info about this.

[Updated on: Mon, 15 May 2017 12:23]

noise

Messages: 19
Karma: 0
I'm at the end of my knowledge :-/

The DKIM is passed; whether it's a 1024 or 2048 is not necessary.

The SPF is also passed.

But the main problem (I wrote the wrong one above!) is:
T_DKIM_INVALID DKIM-Signature header exists but is not valid

noise

Messages: 19
Karma: 0
The problem with Gmail is solved!

Gmail was blacklisted at: dnsbl.sorbs.net

But what about:
T_DKIM_INVALID DKIM-Signature header exists but is not valid

Is this error relevant or not?