[SOLVED] DKIM Validation: public key: OpenSSL error: too long

unholyhumorousunratedoat

Sep 18, 2019
Hi guys,
I'm working on setting up DKIM Signing for all outgoing mails.
In the GUI Proxmox shows me under DKIM the DNS Records I should set:

Code:
Selector: pmg
Key Size: 4096
DNS TXT Record:

pmg._domainkey    IN    TXT    ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArEz2VJg5zyQzS6psZSUT+OHvAkEbT9+aS5sHBW+HsfUrSVkRPGJXiK3pQEtuRvsdK/k0tOwlYeCMFB0xOquGU+GRdEV4oL/XG6i8mXLq0dDVXJ4D1TnjfzI6hC6DNwbTTRn1AgwylTf/bQ19l0Qafd4YtXmj684Zg44YFmg1MEvLytb8p/Z4hZ9/9bU5dd3MXCgk0fKDBET/xW"
      "jU0wogV9Oh5m9I70yX5lYOPzVFaecrojrkjwKdkRQukm+Er38CCvujACeI7h574C97ECSC3/UM2apwHfUfiYJyWABKrXkx32NDMKMMayTgKJEqanA9qbVkFA6x/8ZC5slA8eTbSgqpv/FqvQ8rB9dem3AN7sAWOcPE64TSdyIbJCsIfmVkfKooZCSUvRDNY1LgRRkVeUQSv9z0GcE7WbT5C1BZFOV2V0x36jswWVZFiOX1+NWb5H+VnBG1"

Calculating the public key gives
Code:
root@pmg:~# openssl rsa -pubout -in /etc/pmg/dkim/pmg.private
writing RSA key
-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----

So I set the record and when I do `dig pmg._domainkey.company.de TXT` I get the following:
Code:
; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> pmg._domainkey.company.de TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59695
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;pmg._domainkey.company.de. IN TXT

;; ANSWER SECTION:
pmg._domainkey.company.de. 0 IN TXT  "v=DKIM1; h=sha256; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArEz2VJg5zyQzS6psZSUT+OHvAkEbT9+aS5sHBW+HsfUrSVkRPGJXiK3pQEtuRvsdK/k0tOwlYeCMFB0xOquGU+GRdEV4oL/XG6i8mXLq0dDVXJ4D1TnjfzI6hC6DNwbTTRn1AgwylTf/bQ19l0Qafd4YtXmj684Zg44YFmg1MEvLytb8p/Z4hZ9" "/9bU5dd3MXCgk0fKDBET/xWjU0wogV9Oh5m9I70yX5lYOPzVFaecrojrkjwKdkRQukm+Er38CCvujACeI7h574C97ECSC3/UM2apwHfUfiYJyWABKrXkx32NDMKMMayTgKJEqanA9qbVkFA6x/8ZC5slA8eTbSgqpv/FqvQ8rB9dem3AN7sAWOcPE64TSdyIbJCsIfmVkfKooZCSUvRDNY1LgRRkVeUQSv9z0GcE7WbT5C1BZFOV2V0x36jswWV" "ZFiOX1+NWb5H+VnBG1"

;; Query time: 150 msec
;; SERVER: 172.21.144.1#53(172.21.144.1) (UDP)
;; WHEN: Sun Nov 19 08:41:00 CET 2023
;; MSG SIZE  rcvd: 633

Looks good as well! But when I use https://dkimvalidator.com/ I get the following error:

Code:
DKIM Information:

DKIM Signature

Message contains this DKIM Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
    company.de; h=cc:content-type:content-type:date:from
    :from:message-id:mime-version:reply-to:subject:subject:to:to; s=
    pmg; bh=nRJEGTQ22W5uDHarVi2s9qbrP8QWR5lUMLxX9dQ5tK0=; b=UkxIJbRg
    bhKin//yUue5nfw2OSwMr11Y/iHPkL/dXB0q+A6M7bPcQroaX1Q7bGzUELgi6Yim
    Wc4OqgZC2fJmx+NErQTeOk3MzbLrCq7WPyYyYOkgdmCoLCwdM1TQpS4NUZdq8dx0
    /86Kx05+dDFtFIY6jOhwgLHAkW7XgKD0kqa3g7D44D+NrC4diJEeTVIFZL9s1ZeB
    JXv5b64e8SyGt83LHFL1YNcMPHwWFYyAXkuI/ArI6SkGERp6QM/0pd8S54CV+EE0
    scD0MTUJJ6AVyEQ+ezQdirT36mIvN9aOFaOJQIjO6qXToI3KSaOME7l5zIX7UJy0
    LNt35hbYW6bGpR0RN4w6t4FfASGcIfutgv+UQVyvcOP7bGGjHSKvkLRKqTrT8A6c
    1OYbYIXdxx84qDlUElp9W5V8SdjHIZyltB+zxaH4yL4bfWWb5247z9wmjf0jOvkB
    n0pjrw3jseRkQf/0gao3fgnkKiXs0oGmkqwA8YLv6f5cKy7v7/Bmz5a/IlzybeAQ
    Mq2ci11YsQ//nprqGe4nII4GBZ0m76DTL0QfSzMLg6ih1Xrg14dbt6Y/ZRVIiLZI
    yHfkxaauMMzIw22RRJbqca1SdWdW3DHnE3WD9iYKFfeNgOwEwAbx6bllqcUyjmPP
    57vJfRY2GIyRZGdEzV2w2lFcUHDk4uf3edk=


Signature Information:
v= Version:         1
a= Algorithm:       rsa-sha256
c= Method:          relaxed/relaxed
d= Domain:          company.de
s= Selector:        pmg
q= Protocol:     
bh=                 nRJEGTQ22W5uDHarVi2s9qbrP8QWR5lUMLxX9dQ5tK0=
h= Signed Headers:  cc:content-type:content-type:date:from
    :from:message-id:mime-version:reply-to:subject:subject:to:to
b= Data:            UkxIJbRg
    bhKin//yUue5nfw2OSwMr11Y/iHPkL/dXB0q+A6M7bPcQroaX1Q7bGzUELgi6Yim
    Wc4OqgZC2fJmx+NErQTeOk3MzbLrCq7WPyYyYOkgdmCoLCwdM1TQpS4NUZdq8dx0
    /86Kx05+dDFtFIY6jOhwgLHAkW7XgKD0kqa3g7D44D+NrC4diJEeTVIFZL9s1ZeB
    JXv5b64e8SyGt83LHFL1YNcMPHwWFYyAXkuI/ArI6SkGERp6QM/0pd8S54CV+EE0
    scD0MTUJJ6AVyEQ+ezQdirT36mIvN9aOFaOJQIjO6qXToI3KSaOME7l5zIX7UJy0
    LNt35hbYW6bGpR0RN4w6t4FfASGcIfutgv+UQVyvcOP7bGGjHSKvkLRKqTrT8A6c
    1OYbYIXdxx84qDlUElp9W5V8SdjHIZyltB+zxaH4yL4bfWWb5247z9wmjf0jOvkB
    n0pjrw3jseRkQf/0gao3fgnkKiXs0oGmkqwA8YLv6f5cKy7v7/Bmz5a/IlzybeAQ
    Mq2ci11YsQ//nprqGe4nII4GBZ0m76DTL0QfSzMLg6ih1Xrg14dbt6Y/ZRVIiLZI
    yHfkxaauMMzIw22RRJbqca1SdWdW3DHnE3WD9iYKFfeNgOwEwAbx6bllqcUyjmPP
    57vJfRY2GIyRZGdEzV2w2lFcUHDk4uf3edk=
Public Key DNS Lookup

Building DNS Query for pmg._domainkey.company.de
Retrieved this publickey from DNS: v=DKIM1; h=sha256; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArEz2VJg5zyQzS6psZSUT+OHvAkEbT9+aS5sHBW+HsfUrSVkRPGJXiK3pQEtuRvsdK/k0tOwlYeCMFB0xOquGU+GRdEV4oL/XG6i8mXLq0dDVXJ4D1TnjfzI6hC6DNwbTTRn1AgwylTf/bQ19l0Qafd4YtXmj684Zg44YFmg1MEvLytb8p/Z4hZ9/9bU5dd3MXCgk0fKDBET/xWjU0wogV9Oh5m9I70yX5lYOPzVFaecrojrkjwKdkRQukm+Er38CCvujACeI7h574C97ECSC3/UM2apwHfUfiYJyWABKrXkx32NDMKMMayTgKJEqanA9qbVkFA6x/8ZC5slA8eTbSgqpv/FqvQ8rB9dem3AN7sAWOcPE64TSdyIbJCsIfmVkfKooZCSUvRDNY1LgRRkVeUQSv9z0GcE7WbT5C1BZFOV2V0x36jswWVZFiOX1+NWb5H+VnBG1
Validating Signature

result = invalid
Details: public key: OpenSSL error: too long

So the "Retrieved this publickey from DNS" value is shorter than the real public key, but that is what the web interface shows me. Is that correct, i.e. is the last part after VnBG1 not needed? Or is the GUI showing something wrong?

As mentioned in another thread, the command should be `openssl rsa -pubout -in /etc/pmg/dkim/pmg.private | grep -v 'PUBLIC KEY' | tr -d '\n'`
https://forum.proxmox.com/threads/dkim-public-key-invalid.99033/post-427567

And the output is the same:
Code:
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArEz2VJg5zyQzS6psZSUT+OHvAkEbT9+aS5sHBW+HsfUrSVkRPGJXiK3pQEtuRvsdK/k0tOwlYeCMFB0xOquGU+GRdEV4oL/XG6i8mXLq0dDVXJ4D1TnjfzI6hC6DNwbTTRn1AgwylTf/bQ19l0Qafd4YtXmj684Zg44YFmg1MEvLytb8p/Z4hZ9/9bU5dd3MXCgk0fKDBET/xWjU0wogV9Oh5m9I70yX5lYOPzVFaecrojrkjwKdkRQukm+Er38CCvujACeI7h574C97ECSC3/UM2apwHfUfiYJyWABKrXkx32NDMKMMayTgKJEqanA9qbVkFA6x/8ZC5slA8eTbSgqpv/FqvQ8rB9dem3AN7sAWOcPE64TSdyIbJCsIfmVkfKooZCSUvRDNY1LgRRkVeUQSv9z0GcE7WbT5C1BZFOV2V0x36jswWVZFiOX1+NWb5H+VnBG1wQS5w6ccuWwh4GLfZPjbAYCmgP4UOw6vGFtlS9Ocxn2XJhCU47woKjZ6QNBU5+CCGHESRTcAXvyFDst3TSxXfYe+cJAZv+C1aR6csopi0mJJeRISOdswziEeF5u863cEcczAXGBFfG3/d4WBp+dCQQwDQWzH3bh9cMCXy5+CSSgf9PtBSdODQRInZTrCZdRzQ9S5ruSsS761E7PGm269NfjOGywPwQbOGykCAwEAAQ==


Thank you in advance :)
 
Well, I thought I'd just try it, and the GUI does not display the whole public key. The new DNS entry looks as follows:
Code:
v=DKIM1; h=sha256; k=rsa; p=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

And the DKIM validator says
Validating Signature

result = pass
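A pre-publication check for the failure in this thread, added here as an example and not part of the original posts: it joins the TXT strings, decodes `p=`, and compares the length the outer DER header declares with the bytes actually present. The function names and the filler-bodied sample key are assumptions made for the illustration; only the `30 82 02 22` header (the `MIICIj` prefix above) is taken from the page.

```python
import base64

def dkim_tags(txt_strings):
    """Join the TXT character-strings and split into DKIM tag=value pairs."""
    tags = {}
    for part in "".join(txt_strings).split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags

def der_total_length(der):
    """Bytes the outer DER SEQUENCE claims to occupy (header + contents)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("p= does not start with a DER SEQUENCE")
    if der[1] < 0x80:                      # short form
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("unusable DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_p_tag(txt_strings):
    """Return (status, bytes_present, bytes_declared) for the record's p= key."""
    b64 = dkim_tags(txt_strings).get("p", "").rstrip("=")
    if len(b64) % 4 == 1:                  # cut mid-quantum: drop the dangling char
        b64 = b64[:-1]
    der = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    declared = der_total_length(der)
    status = ("truncated" if len(der) < declared
              else "trailing data" if len(der) > declared else "complete")
    return status, len(der), declared

# Constructed sample (hypothetical names): 30 82 02 22 is the outer header of a
# 4096-bit RSA SubjectPublicKeyInfo; the 546-byte body is filler, not a real key.
FAKE_SPKI = bytes.fromhex("30820222") + bytes(546)
FULL_P = base64.b64encode(FAKE_SPKI).decode()

def txt_record(p_value):
    """Split a record into <=255-byte TXT strings, as DNS requires."""
    rec = "v=DKIM1; h=sha256; k=rsa; p=" + p_value
    return [rec[i:i + 255] for i in range(0, len(rec), 255)]

if __name__ == "__main__":
    print(check_p_tag(txt_record(FULL_P)))         # whole key
    print(check_p_tag(txt_record(FULL_P[:520])))   # cut short, like a clipped display
```

This only inspects the outer DER length; comparing the decoded bytes with the output of `openssl rsa -pubout` on the signing key remains the authoritative check.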
 
