I am running my private mailcow in a “company network” behind two Sophos Firewalls, configured as MTAs.
I have tried the domain wide footer (plain text) with Umlaute (composed with MS Outlook via ActiveSync) in my installation, and I had no problems with DKIM.
Maybe something is altering SMTP headers, e.g. because you set up some filtering in OPNsense?
Englishencoding from different mail clients using mailcow as mail server
Is an already proper installed and running opendkim service a prerequisite before installing mailcow-dockerized?
stefan21 This is not needed at all. Why do you think it is?
More or less a guess. What else can I do as to copy’n paste the dkim key from mailcow to my DNS? I think there is no mistake. I’d like to know, what causes the dkim failure in .
Validating Signature
result = fail
Details: bad RSA signature
To the question of running filters on the OPNsense. No, not for outgoing email, afaik.
With that little information, we can only guess. Probably you are mixing up DKIM selectors, and/or not waiting until updated DNS records have been published on every DNS server out there.
Getting closer. Your guess might lead in the right direction. Thank you for pointing to the records.
I did a dkim check in another tool. mxtoolbox does indeed show a different record as dkimvalidator.com. And here we go - mail-tester.com and mxtoolbox are identical. And correct.
So, for the DKIM it’s a dkimvalidator and cache/update problem. Thank you so far.
Now I will try to find the error with the umlaute problem. I’ll keep investigating.
Could you tell me where exactly are the dkim keys in mailcow stored? Files or database? And I’d like to know how to get there.
More testing with emails to a vodafone account:
mx5.vodafonemail.de/4SV90B37Vyz9ryY;
dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=x.de header.i=@x.de header.a=rsa-sha256 header.s=dkim header.b=cVJitv3G;
dkim-atps=neutral
I did a diff -s file1 <– dkim from mailcow file2 <– dkim copied to DNS. They are identical.
Could it be, that if restoring a mailcow backup, the keys are messed up? I’d like to check the keys (public and private) before restore and after restore.
stefan21 Could it be, that if restoring a mailcow backup, the keys are messed up?
That could be. Probably they are stored in the Redis DB. I remember a thread in this forum where they discussed problems with the DKIM keys.
Well, I’d like to check this. What’s the best approach to access the DB?
BTW here’s the email to the vodafone account:
"
test
–=20
Mit freundlichen Gr=C3=BC=C3=9Fen,
Mit freundlichen Gr=C3=BC=C3=9Fen,
=C3=B6=C3=A4=C3=BC=C3=9F
"
Umlaute in signature and domain footer… as already seen. Of course with a failed dkim key after a restore. To verify the suspicion I’ll wipe/delete the mailcow install on my laptop and start over with a new, clean install. No restores, no imports, nothing. Means from scratch. Will report.
stefan21
Now I am thinking that the Umlaute conversion is the reason why the DKIM fails. Something is changing the character encoding in transit and changing the “checksum”. Maybe the DKIM keys are fine.
I never tried to access the Redis DB, don’t know.
esackbauer Now I am thinking that the Umlaute conversion is the reason why the DKIM fails. Something is changing the character encoding in transit and changing the “checksum”.
Let me start over with a fresh clean install. I’ll create a domain (same I use for tests), a user, will copy the new dkim key to DNS, nothing more. I’ll do a “vanilla” backup. First email will be with no umlaute. Second email will have umlaute. Third email will have signature and Umlaute. Forth one will have the signature and a system wide footer with umlaute.
I’ll report.
I did the tests. Here are the results:
Sending an email from SOGO in HTML format, no matter what language, with signature and footer, with german umlaute, works correct. The dkim test pass:
mx5.vodafonemail.de/4SVGtc1n9xz9rxk;
dkim=pass (2048-bit key; unprotected) header.d=y.de header.i=@y.de header.a=rsa-sha256 header.s=dkim header.b=An7pjvp1;
dkim-atps=neutralSending an email from SOGO in plain text format, no matter what language, with signature and footer, with german umlaute, will not work. The dkim test fails.
mx5.vodafonemail.de/4SVH2f6TNFz6vhw;
dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=y.de header.i=@y.de header.a=rsa-sha256 header.s=dkim header.b=QWmUDGNz;
dkim-atps=neutral
Reverting in SOGO back to html text will pass the dkim test (again).
- Sending an email form email-client thunderbird in HTML format, no matter what language, with signature and footer, with german umlaute, will not work. dkim test fails. The layout of the email looks like:
"
umlaute: =C3=B6=C3=A4=C3=BC=C3=9F
–=20
Mit freundlichen Gr=C3=BC=C3=9Fen,
- Sending emails from thunderbird will always fail the dkim test. No matter if plain text or html.
To resume:
- sending emails from SOGO in html containing german umlaute, works. DKIM will pass.
- sending emails from SOGO in plain text containing german umlaute leads to DKIM fails.
- sending emails from email-client thunderbird will always fail the dkim test. And the german umlaute are in a wrong format.
As we need thunderbird out of several reasons, at this moment with the results above, I cannot migrate my email servers to mailcow. We send, and will this probably do also in future, emails only in plain text format. And we need dkim, dmarc and spf - valid.
Besides the question of restoring a backup to different box with another underlying OS and the decryption of the emails, while doing a restore of all items including the keys. But this point for the moment is less important, it could be solved in another way.
How to proceed?
With your great write-up of your findings you should open an issue on github:
mailcow/mailcow-dockerized/issues
- Edited
Can’t tell. Sending emails composed in sogo with plain text and umlaute to i.e. domain hosted at allinkl brings up the same result:
Authentication-Results: q.kasserver.com;
dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=x.de header.i=@x.de header.a=rsa-sha256 header.s=dkim header.b=JevnIlCW;
dkim-atps=neutral
I’m sending from a socalled pool IP: IP-x.x.x.x-um38.pools.vodafone-ip.de. Means not a static IP. But if this causes the failure, then the failure should also be while sending in HTML. As I pointed out, DKIM passes with email sent from the same (dynamic) IP(4).
IMVHO I don’t think so.
- Edited
stefan21 OK, according to your header examples from above it was always mx5.vodafonemail.de which had the problem with your DKIM, so I thought it’s Vodafone specific.
But, as I wrote above, no DKIM problems here sending plaintext mails with Sogo
If you like, you could tell me one of your email adresses (is in this forum a pm function?). I’ll send you an email. Let’s see how this works.
- Edited
Well, since yesterday I have one user who also has encoding troubles. User is on iPad with ActiveSync configured. User can send via SOGo without problems, but from Apples integrated mail client outgoing mails are totally unreadable.
Had no time to investigate further yet.
esackbauer OK, I just checked this on my iPad and my ActiveSync account, works as usual with iPadOS 16.7.2 and after updating to iPadOS 17.1.1 in my case