Trouble signing outbound emails with DKIM

šŸ’¬ General Discussion
1

Hi there,

Iā€™m using suiteCRM 7.7.8, and iā€™m impressed by all the possibilities, iā€™d like to start with great congratulations and my best regards to the community.

Iā€™m quite new to all the coding things, so i may sound weird or wrong but as a former automation engineer I understand quickly (sometimes)

Iā€™m trying to add a dKIM signature to my outgoing emails, sent with the suitecrm client with multiple users.
I think iā€™m now ok with the DNS records on the hosting side.
Generated the public and private keys with http://dkimcore.org/tools/ and checked it, everything seams to be okay.
I created a private.key file and checked for accessibility, guess itā€™s ok too

At this point iā€™m trying to understand which module generates the emails and (might be wrong) passes them through PHPMailer in order to automatically add the DKIM private key into the mail header.

Googeling the ā€œsetting up PHPmailer with DKIMā€ leads me to this last step :
4. Add the following DKIM lines to PHPMailer *after the setFrom

$mail->setFrom($from, $from_name);
..
$mail->DKIM_domain = 'mydomain.com';
$mail->DKIM_private = 'path/to/your/private.key>';
$mail->DKIM_selector = '1450071.mydomain'; //Prefix for the DKIM selector
$mail->DKIM_passphrase = ''; //leave blank if no Passphrase
$mail->DKIM_identity = $mail->From;

My noobishness strikes hard here, I just canā€™t figure which file i should modify.

Can anyone help me find the holy truth ?

Tanks in advance, and sorry for my bad english.

Alex322

2

Did you ever get this to work?

3

It seems very simple to get DKIM working with phpmailer.

  1. First create a new keypair. For testing purposes (not recommended for production), you can make one online at:
    http://dkimcore.org/tools/

For production, Iā€™d recommend either a CLI tool like opendkim to create and manage keypairs or use openssl to create new keypair.
Note where you put your private key file.

  1. Then make a new TXT entry in your DNS provider that publishes your public key. I had to have it all in one line for it to work, but you should also be able to do it in two lines, if your DNS provider doesnā€™t allow lines of that length. See here e.g.: https://support.google.com/a/answer/173535?hl=en&ref_topic=2752442.
    splitting it up in 4 lines as indicated in dkimcore.org/tools did not work for me.

  2. Set up DKIM in SuiteCRM:

I simply opened the file:
/include/phpmailer/class.phpmailer.php

and inserted my details in these four lines
public $DKIM_selector = ā€˜((selector))ā€™; // unique selector for this dkim key
public $DKIM_identity = ā€˜((news@domain.ch))ā€™; // email address Iā€™m sending mails from out of suitecrm
public $DKIM_domain = ā€˜((domain.ch))ā€™; // domain that emails are sent from
public $DKIM_private = ā€˜/etc/opendkim/dkimkeyfile.keyā€™; // file location to private key (text file)

As soon as this file was saved any new mails sent from localhost were signed with dkim.

!! important:
Make sure to keep your dkim private key outside of /var/www/ā€¦ You donā€™t want or need www-data access to this file.

  1. Test your settings: use an email address at gmail.com to test your setup. send emails from suitecrm to your gmail address and you should see ā€œsigned byā€ or ā€œdkim: passā€.
    https://support.google.com/a/answer/180707?co=GENIE.Platform%3DDesktop&hl=en&oco=0
2 Likes
4

John, what do you think would a nice way to make this easier for users in the future, and to avoid the need to edit code?

Iā€™m asking you because I really donā€™t understand DKIM or any of these more elaborate email concerns, you now have started to understand them :slight_smile:

5

Does that mean you might write sweet little pull request to add more DKIM functionality? :woohoo:

::: key-pair generation
I donā€™t understand enough about apache vhosts and permissions to understand if suitecrm could automate keypair generation for you without it being a security risk. I currently keep my keys in /etc/dkim. I donā€™t believe the apache user could write to such a directory. And I donā€™t know if it could be considered safe to have the private key anywhere in /var/www/ ? Maybe, just maybe, if the private key is encrypted with a password. But Iā€™m not qualified to make such a call.

You could however at least add a most simple instruction for how to do it on CLI (at least for Linux/Mac OS) with openssl. Or a link to the best description online :slight_smile:

For openssl the commands would be something like this:


cd /etc
sudo mkdir dkim // create directory to hold your dkim keys
cd dkim
sudo openssl genrsa -out yourname.key 1028 // generate private key, assuming 1028 bit
sudo openssl rsa -in yourname.key -pubout -out yourname.pub.key // write public key to file

::: Admin panel for DKIM
First thing would be imho to add the 5 main DKIM fields that are available in /include/phpmailer/class.phpmailer.php to the admin backend and allow editing them in the backend instead of in the non-update-safe code. That is:

  • domain name //e.g. yourdomain.com
  • DKIM selector (freely chosen. must match DNS entry)
  • identity (not sure what this is for - usually email address from which mails are sent)
  • private key location (either plaintext file or encrypted in .pem-format)
  • passphrase (optional: if private key is encrypted with a password in .pem format)

Optionally, you could also add a field for canonicalization (which I donā€™t yet understand, but has something to do with the strictness of DKIM as far as changes made to emails during travel and redirects). The default currently is ā€˜relaxed/simpleā€™. Iā€™d suggest having this set in SuiteCRM by default as well.

Optionally, you could also add a field for encryption strength (1028bit or 2056bit). in phpmailer.php thatā€™s $DKIMsignatureType and would have to be made dynamic.

:::::: DKIM on/off checkbox
Currently DKIM is activated as soon as the following criteria are met:

  • domain name: set
  • DKIM selector: set
  • private key location: set
  • private key file exists in location provided

Iā€™d like a checkbox to activate/deactivate DKIM in the backend without losing the data entered.

::: DNS TXT entry
SuiteCRM can obviously not do much here except supply a default generic DNS entry and instructions. e.g.
name of DNS entry: [DKIM selector].yourdomain.com
DNS entry type: TXT
TXT entry contents: ā€œv=DKIM1;p=[public key]ā€

One of the trickier parts about all of this is how to split the TXT-entry into two or more lines, if your DNS provider doesnā€™t allow long enough entriesā€¦ I could only get it to work for me so far by using the shorter 1028bit public key and having it all in one line.

6

default for canonicalization should be ā€œrelaxed/relaxedā€. i.e. the least strict is a good place to start.
(note that ā€œrelaxedā€ does not get handled the same as ā€œrelaxed/relaxedā€)

https://wordtothewise.com/2016/12/dkim-canonicalization-or-why-microsoft-breaks-your-mail/

And instructions for creating private keys in pem format (with windows openssl tool):
https://www.dataenter.com/doc/general_domainkeys.htm

7

Itā€™s best to modify the ā€œSugarPHPMailer.phpā€ class, because ā€œclass.phpmailer.phpā€ is a third party library and is overwritten by upgrades, therefore code changes will be lost, itā€™s not upgrade safe.

1 Like
8

Thank you guys, iā€™ll give it a try asap and send feedback !
I hope this post will be used as documentation for others facing the same issue.

Best regards

9

Iā€™m not thinking of writing a PR for this (itā€™s out of my league, and out of my available time) but I think there is enough good information here for us to open the Issue in GitHub.

Realistically, I donā€™t expect it to be acted on, but at least the information will be there and eventually when somebody from the community needs to set up DKIM they might start from this and perhaps take things a step further.

1 Like
10

just noticed a mistake in the DNS entry part. It should be

name of DNS entry: [DKIM selector]._domainkey.yourdomain.com

pgr: go ahead with the github issue -> itā€™ll be moved to trello for sure as it aintā€™ a bug. But I agree this might be a good start.

ChrisC: I agree it should be done in an upgrade-safe manner. How can you edit SugarPHPMailer.php in an upgrade-safe manner?

11

@john
@alex
SugarPHPMailer;php is part of the application, so any modification to it would be done via pull request, tested and if good, added - it may take them 2 days, or 2 years, thereā€™s little rhyme or reason to their process - except that theyā€™re too busy making money managing SuiteCRM for the English National Health Service to really care too much about getting automatic testing working so they can update the software with Pull Requests in 24 hours not 24 months ! (facepalm)

If you donā€™t want invest so much of your time and work to develop a pull request, then enjoy getting ignored and face that frustration, the straight forward approach is to just use a free open source control panel (virtualmin) for your Linux SMTP mail server (postfix) which auto generates the key pairs and signs your outgoing mails with DKIM. Such as this one:
https://www.virtualmin.com/documentation/email/dkim

12

Was it ever implemented? I donā€™t think so, but damn itā€™s a great idea! Letā€™s do it! @pgr

13

What about the Webmin suggestion?

Iā€™m not sure we should be writing system Administration code into SuiteCRMā€¦

14

Maybe itā€™s too ambitious, but I thought about some implementation that would allow to configure DKIM data through Admin Panel in Suite, not hardcoded. I think thatā€™s the actual approach on SugarCRM.

Actually @ChrisC 's vision about PRs is very frustratingā€¦

Another question: my Suite instance is installed on another server rather than the server where the MTA and the mailboxes are. I think virtualmin works only if theyā€™re on the same server right?

If thatā€™s not right, I could install postfix on my Suite server and modify PHPMailer to send through postfix. But anyway, Iā€™d be writing admin code into Suite, so I guess both solutions are the same for meā€¦

15

Hello,

I did follow the different steps on this topic to set the DKIM on my own instance, but at the end of the day (and of the 15 last days indeed), I finish with an empty b field on my email header. I was just wondering if anyone here could help me ?
Regarding the age of this topic, I opened a new one : DKIM : b=signature absent with more details.
I would be really delighted by any help because this one makes me mad.

Thx