Re: missing log entries for old version of postfix
On 11/02/23 09:11, Sean Hennessey wrote:

> Wietse,
>
> Great call:
>
> Feb 9 12:58:01 ip-10-104-84-189 journal: Suppressed 5141 messages from /user.slice/user-0.slice
> Feb 9 13:00:00 ip-10-104-84-189 journal: Suppressed 7542 messages from /user.slice/user-0.slice
> Feb 9 13:00:37 ip-10-104-84-189 journal: Suppressed 22 messages from /user.slice/user-0.slice
> Feb 9 13:02:18 ip-10-104-84-189 journal: Suppressed 3853 messages from /user.slice/user-0.slice

Look at /etc/systemd/journald.conf, specifically set RateLimitIntervalSec and/or RateLimitBurst to 0 to turn off journald throttling.

Peter
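To see how much of a log was lost to the throttling described above, the "Suppressed N messages" notices can be totalled per source unit. This is an added example, not part of the original message; the first four sample lines are the ones quoted above and the remaining two are constructed.

```shell
#!/bin/sh
# Added example: total the messages journald dropped, per source unit.
# The first four log lines are the ones quoted in the message above;
# the last two lines are constructed for illustration.
sample_log() {
    cat <<'EOF'
Feb 9 12:58:01 ip-10-104-84-189 journal: Suppressed 5141 messages from /user.slice/user-0.slice
Feb 9 13:00:00 ip-10-104-84-189 journal: Suppressed 7542 messages from /user.slice/user-0.slice
Feb 9 13:00:37 ip-10-104-84-189 journal: Suppressed 22 messages from /user.slice/user-0.slice
Feb 9 13:02:18 ip-10-104-84-189 journal: Suppressed 3853 messages from /user.slice/user-0.slice
Feb 9 13:02:19 ip-10-104-84-189 postfix/smtpd[812]: connect from localhost[127.0.0.1]
Feb 9 13:05:40 ip-10-104-84-189 journal: Suppressed 120 messages from /system.slice/postfix.service
EOF
}

# Reads syslog text on stdin (or from named files).
# Prints one line per unit: "unit dropped-messages notice-count".
suppressed_totals() {
    awk '{
        for (i = 1; i + 4 <= NF; i++)
            if ($i == "Suppressed" && $(i+2) == "messages" && $(i+3) == "from") {
                dropped[$(i+4)] += $(i+1)
                notices[$(i+4)]++
            }
    }
    END {
        for (u in dropped) printf "%s %d %d\n", u, dropped[u], notices[u]
    }' "$@" | sort
}

sample_log | suppressed_totals
```

Any unit listed here has gaps in its log for the intervals concerned, so mail-flow monitoring or later forensics based on that log is incomplete. A change to journald.conf takes effect once systemd-journald is restarted.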
Re: Postfix with opendkim generates "ssl error"
On Sat, 11-02-2023 at 14:37 -0500, Viktor Dukhovni wrote:
> On Sat, Feb 11, 2023 at 06:46:14PM +, Nicholas Jacobs wrote:
>
> > > > opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
> > > > opendkim[3223]: F29AA21C4C: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
> > >
> > > The ASN.1 encoding (after base64 decoding the PEM input) of the private
> > > key is malformed.
> > >
> > > On Sat, Feb 11, 2023 at 05:48:45PM +, Nicholas Jacobs wrote:
> > >
> > > > # ls -la /etc/dkimkeys/ gives:
> > > > -rw--- 1 opendkim opendkim 1704 Jan 28 18:08 202208250.private
> > > > -rw--- 1 opendkim opendkim 1679 Dez 30 18:23 202212301.private
> > > > -rw--- 1 opendkim opendkim 1679 Feb 8 10:51 202302081.private
> > >
> > > There are three private keys there. Report the output of:
> > >
> > > $ cd /etc/dkimkeys/
> > > $ for pk in 202208250 202212301 202302081; do
> > >       printf "%s: " "$pk"
> > >       openssl pkey -in "${pk}.private" -pubout -outform DER | wc -c
> > >   done
> > >
> > > Which should report the DER byte count of the corresponding public
> > > keys. If the key is malformed, an error will be reported.
> >
> > The output is:
> > 202208250: 294
> > 202212301: 294
> > 202302081: 294
>
> So it seems that the PEM files are acceptable to the OpenSSL CLI, and
> the underlying ASN.1 encoding is correct (and it may be noted that the
> ASN.1 encoding is not sensitive to LF vs. CRLF newline endings in the
> PEM format).
>
> Which then suggests that the issue is at a different layer, somehow the
> private key data seen or held by opendkim is not the same as in those
> files.
>
> This is not a Postfix issue. If this problem is reproducible even after
> generating and configuring a new keypair and restarting opendkim, then
> you'll need to decide whether to do the requisite debugging or to look
> for a different OS distribution, where the components in question
> (Python, opendkim, OpenSSL, ...) don't exhibit the problem you're
> seeing.

It is indeed reproducible after generating and configuring a new keypair and rebooting the server.

Thank you for your comments, Viktor, they save me from looking in the wrong place. I have access to a server running a later version of Debian and I'll try the whole configuration there.
Re: Postfix with opendkim generates "ssl error"
On Sat, Feb 11, 2023 at 07:47:43PM +0100, Benny Pedersen wrote:

> > No, I checked that too.
> > opendkim-testkey -d complete-web-solutions.com -k /etc/dkimkeys/202302081.private -s 202302081 -v -x /etc/opendkim.conf
> > gives:
> > opendkim-testkey: key secure
>
> is only dnssec ?, not if dkim pass ?, or both ?

Please don't muddy the waters with random distractions.

--
Viktor.
Re: Postfix with opendkim generates "ssl error"
On Sat, Feb 11, 2023 at 06:46:14PM +, Nicholas Jacobs wrote:

> > > opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
> > > opendkim[3223]: F29AA21C4C: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
> >
> > The ASN.1 encoding (after base64 decoding the PEM input) of the private
> > key is malformed.
> >
> > On Sat, Feb 11, 2023 at 05:48:45PM +, Nicholas Jacobs wrote:
> >
> > > # ls -la /etc/dkimkeys/ gives:
> > > -rw--- 1 opendkim opendkim 1704 Jan 28 18:08 202208250.private
> > > -rw--- 1 opendkim opendkim 1679 Dez 30 18:23 202212301.private
> > > -rw--- 1 opendkim opendkim 1679 Feb 8 10:51 202302081.private
> >
> > There are three private keys there. Report the output of:
> >
> > $ cd /etc/dkimkeys/
> > $ for pk in 202208250 202212301 202302081; do
> >       printf "%s: " "$pk"
> >       openssl pkey -in "${pk}.private" -pubout -outform DER | wc -c
> >   done
> >
> > Which should report the DER byte count of the corresponding public
> > keys. If the key is malformed, an error will be reported.
>
> The output is:
> 202208250: 294
> 202212301: 294
> 202302081: 294

So it seems that the PEM files are acceptable to the OpenSSL CLI, and the underlying ASN.1 encoding is correct (and it may be noted that the ASN.1 encoding is not sensitive to LF vs. CRLF newline endings in the PEM format).

Which then suggests that the issue is at a different layer, somehow the private key data seen or held by opendkim is not the same as in those files.

This is not a Postfix issue. If this problem is reproducible even after generating and configuring a new keypair and restarting opendkim, then you'll need to decide whether to do the requisite debugging or to look for a different OS distribution, where the components in question (Python, opendkim, OpenSSL, ...) don't exhibit the problem you're seeing.

--
Viktor.
Re: Postfix with opendkim generates "ssl error"
Nicholas Jacobs wrote on 2023-02-11 18:24:

> No, I checked that too.
> opendkim-testkey -d complete-web-solutions.com -k /etc/dkimkeys/202302081.private -s 202302081 -v -x /etc/opendkim.conf
> gives:
> opendkim-testkey: key secure

is only dnssec ?, not if dkim pass ?, or both ?
Re: Postfix with opendkim generates "ssl error"
On Sat, 11-02-2023 at 13:33 -0500, Viktor Dukhovni wrote:
> On Sat, Feb 11, 2023 at 03:41:06PM +, nj140...@yahoo.com wrote:
>
> > opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
> > opendkim[3223]: F29AA21C4C: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
>
> The ASN.1 encoding (after base64 decoding the PEM input) of the private
> key is malformed.
>
> On Sat, Feb 11, 2023 at 05:48:45PM +, Nicholas Jacobs wrote:
>
> > # ls -la /etc/dkimkeys/ gives:
> > -rw--- 1 opendkim opendkim 1704 Jan 28 18:08 202208250.private
> > -rw--- 1 opendkim opendkim 1679 Dez 30 18:23 202212301.private
> > -rw--- 1 opendkim opendkim 1679 Feb 8 10:51 202302081.private
>
> There are three private keys there. Report the output of:
>
> $ cd /etc/dkimkeys/
> $ for pk in 202208250 202212301 202302081; do
>       printf "%s: " "$pk"
>       openssl pkey -in "${pk}.private" -pubout -outform DER | wc -c
>   done
>
> Which should report the DER byte count of the corresponding public
> keys. If the key is malformed, an error will be reported.

The output is:
202208250: 294
202212301: 294
202302081: 294
Re: Postfix with opendkim generates "ssl error"
On Sat, Feb 11, 2023 at 03:41:06PM +, nj140...@yahoo.com wrote:

> opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
> opendkim[3223]: F29AA21C4C: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed

The ASN.1 encoding (after base64 decoding the PEM input) of the private key is malformed.

On Sat, Feb 11, 2023 at 05:48:45PM +, Nicholas Jacobs wrote:

> # ls -la /etc/dkimkeys/ gives:
> -rw--- 1 opendkim opendkim 1704 Jan 28 18:08 202208250.private
> -rw--- 1 opendkim opendkim 1679 Dez 30 18:23 202212301.private
> -rw--- 1 opendkim opendkim 1679 Feb 8 10:51 202302081.private

There are three private keys there. Report the output of:

    $ cd /etc/dkimkeys/
    $ for pk in 202208250 202212301 202302081; do
          printf "%s: " "$pk"
          openssl pkey -in "${pk}.private" -pubout -outform DER | wc -c
      done

Which should report the DER byte count of the corresponding public keys. If the key is malformed, an error will be reported.

--
Viktor.
Re: Postfix with opendkim generates "ssl error"
On Sat, 11-02-2023 at 10:36 -0700, Shawn Heisey wrote:
> On 2/11/23 08:41, nj140...@yahoo.com wrote:
> > opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
>
> Others running into something similar found that the file either was in
> DOS format or had a BOM at the beginning -- characters were present that
> the library didn't know how to handle.
>
> https://serverfault.com/questions/368697/ssl-library-error-218570875-error0d07207basn1-encoding-routinesasn1-get-obje
>
> If that's the problem. seems that opendkim-testkey handles the file in a
> way that ignores the invalid characters.
>
> Thanks,
> Shawn

AFAIK, BOM at the beginning and the DOS format with ^M are only generated by Microsoft programs. I don't have any Microsoft programs on any machine involved. My desktop runs debian bookworm (=testing) and the server running postfix runs debian 10.13.

But I checked anyway, and there's no BOM and no DOS format.
Re: Postfix with opendkim generates "ssl error"
On Sat, 11-02-2023 at 18:33 +0100, Matus UHLAR - fantomas wrote:
> > > On February 11, 2023 3:41:06 PM UTC, nj140...@yahoo.com wrote:
> > > > Trying to send an email from n...@complete-web-solutions.com on the
> > > > host sv9.complete-web-solutions.com results in the following messages
> > > > in mail.log:
> > > > ...
> > >
> > > > But opendkim seems correctly configured because the command:
> > > > opendkim-testkey -d complete-web-solutions.com -s 202302081 -v -x /etc/opendkim.conf
> > > > gives the result:
> > > > opendkim-testkey: key secure
>
> > On Sat, 11-02-2023 at 16:37 +, Scott Kitterman wrote:
> > > You only tested the availability of the public key, but your error is
> > > with the private key. See the -k option.
> > >
> > > http://www.linuxcertif.com/man/8/opendkim-testkey/
>
> On 11.02.23 17:24, Nicholas Jacobs wrote:
> > No, I checked that too.
> > opendkim-testkey -d complete-web-solutions.com -k /etc/dkimkeys/202302081.private -s 202302081 -v -x /etc/opendkim.conf
> > gives:
> > opendkim-testkey: key secure
>
> can the user of running opendkim process (on debian/ubuntu it's user
> "opendkim") read the private key?
>
> ls -la /etc/dkimkeys/

# ls -la /etc/dkimkeys/ gives:
drwx-- 2 opendkim opendkim 4096 Feb 8 17:10 .
drwxr-xr-x 91 root root 4096 Feb 11 14:43 ..
-rw--- 1 opendkim opendkim 1704 Jan 28 18:08 202208250.private
-rw--- 1 opendkim opendkim 1679 Dez 30 18:23 202212301.private
-rw--- 1 opendkim opendkim 518 Dez 30 18:23 202212301.txt
-rw--- 1 opendkim opendkim 1679 Feb 8 10:51 202302081.private
-rw-r--r-- 1 opendkim opendkim 392 Feb 8 10:54 202302081.txt
-rw-r--r-- 1 opendkim opendkim 218 Feb 8 11:20 keytable
-rw-r--r-- 1 root root 664 Nov 6 2015 README.PrivateKeys
-rw-r--r-- 1 opendkim opendkim 134 Feb 8 16:25 signingtable

So yes, opendkim has read access to everything.
Re: Postfix with opendkim generates "ssl error"
On 2/11/23 08:41, nj140...@yahoo.com wrote:

> opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

Others running into something similar found that the file either was in DOS format or had a BOM at the beginning -- characters were present that the library didn't know how to handle.

https://serverfault.com/questions/368697/ssl-library-error-218570875-error0d07207basn1-encoding-routinesasn1-get-obje

If that's the problem. seems that opendkim-testkey handles the file in a way that ignores the invalid characters.

Thanks,
Shawn
Re: Postfix with opendkim generates "ssl error"
> > On February 11, 2023 3:41:06 PM UTC, nj140...@yahoo.com wrote:
> > > Trying to send an email from n...@complete-web-solutions.com on the
> > > host sv9.complete-web-solutions.com results in the following messages
> > > in mail.log:
> > > ...
> > > But opendkim seems correctly configured because the command:
> > > opendkim-testkey -d complete-web-solutions.com -s 202302081 -v -x /etc/opendkim.conf
> > > gives the result:
> > > opendkim-testkey: key secure

> On Sat, 11-02-2023 at 16:37 +, Scott Kitterman wrote:
> > You only tested the availability of the public key, but your error is
> > with the private key. See the -k option.
> >
> > http://www.linuxcertif.com/man/8/opendkim-testkey/

On 11.02.23 17:24, Nicholas Jacobs wrote:
> No, I checked that too.
> opendkim-testkey -d complete-web-solutions.com -k /etc/dkimkeys/202302081.private -s 202302081 -v -x /etc/opendkim.conf
> gives:
> opendkim-testkey: key secure

can the user of running opendkim process (on debian/ubuntu it's user "opendkim") read the private key?

ls -la /etc/dkimkeys/

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
The only substitute for good manners is fast reflexes.
Re: Postfix with opendkim generates "ssl error"
On Sat, 11-02-2023 at 16:37 +, Scott Kitterman wrote:
>
> On February 11, 2023 3:41:06 PM UTC, nj140...@yahoo.com wrote:
> > Trying to send an email from n...@complete-web-solutions.com on the
> > host sv9.complete-web-solutions.com results in the following messages
> > in mail.log:
> > ...
> > But opendkim seems correctly configured because the command:
> > opendkim-testkey -d complete-web-solutions.com -s 202302081 -v -x /etc/opendkim.conf
> > gives the result:
> > opendkim-testkey: key secure
>
> You only tested the availability of the public key, but your error is
> with the private key. See the -k option.
>
> http://www.linuxcertif.com/man/8/opendkim-testkey/
>
> Scott K

No, I checked that too.

opendkim-testkey -d complete-web-solutions.com -k /etc/dkimkeys/202302081.private -s 202302081 -v -x /etc/opendkim.conf

gives:

opendkim-testkey: key secure
Re: Postfix with opendkim generates "ssl error"
On February 11, 2023 3:41:06 PM UTC, nj140...@yahoo.com wrote:
> Trying to send an email from n...@complete-web-solutions.com on the
> host sv9.complete-web-solutions.com results in the following messages
> in mail.log:
> ...
> But opendkim seems correctly configured because the command:
> opendkim-testkey -d complete-web-solutions.com -s 202302081 -v -x /etc/opendkim.conf
> gives the result:
> opendkim-testkey: key secure

You only tested the availability of the public key, but your error is with the private key. See the -k option.

http://www.linuxcertif.com/man/8/opendkim-testkey/

Scott K
Postfix with opendkim generates "ssl error"
Trying to send an email from n...@complete-web-solutions.com on the host sv9.complete-web-solutions.com results in the following messages in mail.log:

postfix/cleanup[40982]: F29AA21C4C: message-id=<20230211151120.f29aa21...@sv9.complete-web-solutions.com>
opendkim[3223]: F29AA21C4C: SSL error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
opendkim[3223]: F29AA21C4C: dkim_eom(): resource unavailable: d2i_PrivateKey_bio() failed
postfix/cleanup[40982]: F29AA21C4C: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 4.7.0 resource unavailable; from= to=

But opendkim seems correctly configured because the command:

opendkim-testkey -d complete-web-solutions.com -s 202302081 -v -x /etc/opendkim.conf

gives the result:

opendkim-testkey: key secure

/etc/postfix/main.cf (with comments and blank lines stripped):

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = no
compatibility_level = 2
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = sv9.complete-web-solutions.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, complete-web-solutions.com, sv9.complete-web-solutions.com, localhost.complete-web-solutions.com, oxbridgealumni.net, localhost
relayhost =
mynetworks = 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
milter_default_action = accept
smtpd_milters = inet:localhost:8892
non_smtpd_milters = $smtpd_milters
internal_mail_filter_classes = bounce

/etc/opendkim.conf (comments and blank lines stripped):

Syslog yes
LogWhy yes
UMask 022
Canonicalization relaxed/simple
Mode sv
SubDomains yes
Socket inet:8892@localhost
PidFile /var/run/opendkim/opendkim.pid
OversignHeaders From
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim:opendkim
KeyTable file:/etc/dkimkeys/keytable
SigningTable file:/etc/dkimkeys/signingtable

I'm assuming the /etc/dkimkeys entries are correct since opendkim-testkey works (see above).

Can anyone see the cause of the problem or suggest how to diagnose?