How to get the DKIM public key from Plesk if DNS is not installed?

Follow

Comments

45 comments

  • Avatar
    Pascal Saul

    Is it possible to show the public key in the control panel under "Mail Settings" please. We're not all admins ;)

    Your example is not complete and should be:

    default._domainkey.example.com IN TXT "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+aOU9Dw2Qedi6qOEcpbGQ3pHVI8SonKGNSBBgiImChx6k6I7s1UqeCzaHpKXKLIY4GA601gloVCnnTumZ/5TxnviBHg1a2lsatt/gCj2pl61a+uALM1oRdgPhxPYefloFpi0lau8thV6u9BYTfUgfqIF+dvFIVlu0MULsWDDJfwIDAQAB

    1
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    @Pascal Saul

    Thank you for the feedback.

    The feature suggestion about showing public key in Plesk UI may be created at Plesk User Voice

    0
    Comment actions Permalink
  • Avatar
    Prodesignerch

    Error, no such file or directory. :( 

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    @Prodesignerch, please, could you give more details about the issue?

    When do you have this error shown? During which step of resolution?

    Also, let us know what OS and Plesk versions do you use?

    0
    Comment actions Permalink
  • Avatar
    Adl

    Hi, on my test system seems that script not recognize ${NEW_DOMAIN_NAME} parameter.

    I can only see this in /tmp/dkim_keys, a file called

    "dkim_key_.txt"

    And inside this file only

    "default._domainkey. IN TXT "v=DKIM1;k=rsa; p="

    Thanks a lot.

     

    0
    Comment actions Permalink
  • Avatar
    Harm Jakob Tolsma

    I kept getting errors when verifying DKIM. "OpenSSL wrong tag"
    After some searching I found the reason.
    The script in zip-file seems to use the private key in the output for the record when it is actually the public key that needs to be included.

    ## recreate key:
    openssl rsa -in /etc/domainkeys/$new_domain_name/default -pubout -out public.key  --> Here we create a public key

    ## crop first and last line of keyfile
    sed '1d;$d' /etc/domainkeys/$new_domain_name/default > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe   --> here we trim the private key

    Everything worked as expected after I changed the last line to:
    sed '1d;$d' public.key > $tmp_path/$tmp_prefix$new_domain_name$tmp_fe

    0
    Comment actions Permalink
  • Avatar
    Bato Tsydenov

    Hello Harm Jakob Tolsma

    Thank you for bringing this to our attention.

    I have updated the script so that it is working correctly now.

    0
    Comment actions Permalink
  • Avatar
    Alexandr Redikultsev

    Also, automatic script should be executed only via Tools & Settings > Event Manager, manual execution of the script via the command line will not work.

    0
    Comment actions Permalink
  • Avatar
    Janik R.

    I rewrote the script a little bit so that the keys can now be saved directly in the customer's document root.
    In addition, the script is no longer executed when creating subdomains.

    I've added a little description and installation guide in the readme.

    https://github.com/rabe0577/plesk-dkim-recreate

    I hope I can help you with that.

    2
    Comment actions Permalink
  • Avatar
    Alisa Kasyanova

    @Janik R.
    Thank you so much for sharing this! I am sure other Pleskians will find it helpful.

    0
    Comment actions Permalink
  • Avatar
    lydie_t (Edited )

    @Bato Tsydenov I have executed your script but I obtain this error :

    "Can't open /etc/domainkeys/example.com/default for reading, Permission denied

    139775231444224:error:0200100D:system library:fopen:Permission denied:../crypto/bio/bss_file.c:74:fopen('/etc/domainkeys/example.com/default','r')

    139775231444224:error:2006D002:BIO routines:BIO_new_file:system lib:../crypto/bio/bss_file.c:83:

    unable to load Private Key"

    Detailed info for default file are : 

    "-r--r----- 1 root popuser 891 Oct 24 18:06 default"

    How can I correct this error and get my DKIM public key ?

     

    0
    Comment actions Permalink
  • Avatar
    Alexandr Redikultsev (Edited )

    Hi @lydie_t.

    Please let me know your OS version.

    Also, clarify under what user you are executing the command, and whether or not it is working in case you are running it under root user via SSH, not via scheduled task.

    0
    Comment actions Permalink
  • Avatar
    lydie_t

    Hi @Alexandr Redikultsev,

    Connecting under root, I am now able to access "default" file (which is the private key), then execute the command indicated by @Bato Tsydenov. This creates the public key.

    Thank you. This helped.

    0
    Comment actions Permalink
  • Avatar
    IDC

    Error No such file or directory

    # openssl rsa -in /etc/domainkeys/example.com/default -pubout -out public.key
    Error opening Private Key /etc/domainkeys/example.com/default
    139977471330208:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/domainkeys/example.com/default','r')
    139977471330208:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
    unable to load Private Key

    0
    Comment actions Permalink
  • Avatar
    Alexandr Redikultsev

    Hi @IDC,

    Make sure that corresponding file /etc/domainkeys/example.com/default exists indeed. Do not forget to replace example.com with the actual domain's name.

    0
    Comment actions Permalink
  • Avatar
    IDC

    Hi @Alexandr Redikultsev,

    Thank you for your response.

    Now,I am created file /etc/domainkeys/example.com/default and re-place exam.com to my domain's name.

    This error tell me "unable to load Private Key"

    # openssl rsa -in /etc/domainkeys/mydomain.com/default -pubout -out public.key
    unable to load Private Key
    140544879454112:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: ANY PRIVATE KEY

    0
    Comment actions Permalink
  • Avatar
    Anton Maslov

    Hi @IDC,

    This file should not be created manually, it should be created automatically by Plesk when you enable DKIM. Please remove that file and then make sure DKIM is enabled on your server:

    • The option Allow signing outgoing mail is enabled in Tools & Settings > Mail Server Settings
    • The option Use DKIM spam protection system to sign outgoing email messages is enabled in Domain > example.com > Mail Settings
    1
    Comment actions Permalink
  • Avatar
    Florent

    Hi,

    Is it possible to change the "default" selector to something else ? ("plesk" for example ;))

    Thx

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Florent,

    Could you, please, give more details about the question?

    This will help to give a more precise answer.

    0
    Comment actions Permalink
  • Avatar
    Florent

    Hi @Ivan,

    "Private keys are located in the corresponding domain directory in /etc/domainkeys/, for example, /etc/domainkeys/example.com/default (for selector "default")."

    I would like to use another selector, not "default", is it possible ? :)

    Thx

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Florent,

    It is possible.

    You may use selector with another name, for example:

    /etc/domainkeys/test.ts/plesk

    You can create public key using the following command:
    openssl rsa -in /etc/domainkeys/test.ts/plesk -pubout -out public.key

    However, such solution was not tested.

    The ability to change "default" selector automatically is yet to be implemented in Plesk.

    I would suggest you to take part in our product improvement by referring to the following link:
    https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/20246935-more-control-of-dkim

    The top-ranked suggestions are likely to be included in the next versions of Plesk.

    0
    Comment actions Permalink
  • Avatar
    M.Ouattara (Edited )

    Hi All.

    need your help please.

    I got this error "Error, no such file or directory"

    In fact the directory /etc/domainkeys/ do not exit on my dedicated server. however, i have checked on mail setting DMARC, DKIM an SPF on my Plesk 17.8.11.  but directories still unavailable.

    Need your help

    0
    Comment actions Permalink
  • Avatar
    Nikita Nikushkin

    Hi @M.Ouattara!

    The "/etc/domainkeys/" folder is missing because you have not marked the "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages" checkbox for any domain yet

    Once you mark it for any domain, the "/etc/domainkeys/" folder will be created automatically together with the domain's related folder "/etc/domainkeys/example.com"

    0
    Comment actions Permalink
  • Avatar
    M.Ouattara

    Thank you Nikita for your usefull help. Everything is now ok. thank you

    0
    Comment actions Permalink
  • Avatar
    Cyrill Fässler

    The Script works for us after some changes that are based on how we handle the installation of domains/subscription in our company.

    Is there any possibility to generate and get the public key with the API or REST API?

    0
    Comment actions Permalink
  • Avatar
    Taras Ermoshin

    Hello @Cfaessler !

    To do that, it should be possible to call system utilities (like openssl) via API. Unfortunately, it is not possible to do that either with our XML API or REST API.

    0
    Comment actions Permalink
  • Avatar
    Carlos Ivan Castillo Moya

    to see if I understand, when I mark the option "Plesk > Domains > example.com > Mail Settings > Use DKIM spam protection system to sign outgoing email messages" indicates that records are generated in the DNS zone of plesk, right? If the answer is yes, it means that if you use this panel DKIM will work well.

    Now, if I use external DNS I could refer to the DNS zone where the records are using a CNAME record ?

    0
    Comment actions Permalink
  • Avatar
    Maxim Krasikov (Edited )

    Hello @Carlos Ivan Castillo Moya,

    You are right, when option "Use DKIM spam protection system to sign outgoing email messages" is enabled, the corresponding DKIM record is generated for the domain DNS zone in Plesk.

    Since an external DNS server is used for a domain, the TXT record related to DKIM should be transferred to the external DNS as it is.

    You can find the additional information about DKIM protection here:
    https://support.plesk.com/hc/en-us/articles/115003843813

    0
    Comment actions Permalink
  • Avatar
    Alex

    Hi.

    I have following issue:

    I use external DNS service, and I setup DKIM private key as described in a manual on this page. It was working fine with Onyx, but after updating to Obsidian, I now get an error from the backup manager - WARNING: (Mail object 'domain.com') Unable to back up domain keys. Error: Call to a member function getRecordsMatched() on null.

    I have re-issued default key, generated a new pub-key, but still getting the error.

    Any ideas how to fix this issue?

    Thanks

     

    0
    Comment actions Permalink
  • Avatar
    Taras Ermoshin

    Hello @Alex!

    This message is just a warning, it shouldn't affect the integrity of the backup.

    I recommend you check the permissions and ownership on the key files so they look like in the example below:

    # namei -om /etc/domainkeys/example.com/default
    f: /etc/domainkeys/example.com/default
    drwxr-xr-x root root /
    drwxr-xr-x root root etc
    drwxr-xr-x root root domainkeys
    drwxr-xr-x root root example.com
    -r--r----- root popuser default

    If the warning is still shown after setting the correct permissions and ownership, please submit a technical support request for further investigation.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request