OpenSSL error when DKIM records are not returned

[codysprojects]

Describe the bug

When DKIM records are not returned Postal sends the wrong private key.

To Reproduce

• Fresh install of postal on Docker in AWS.
• Port 25 outbound restriction removed.
• Use default DNS servers configured in EC2
• DKIM and SPF records set up on external DNS.
• Test message sent to dkimvalidator.com

Expected behavior

Even though Postal can not validate DKIM, I expect it to send the proper key. I see from issue 2101 that it will not send the generated DKIM selector and use the default one so I have set up a TXT record to deal with this situation.

However, if I create an internal route53 record and set use_local_ns_for_domain_verification to true, everything works, but feel that I should not have to do this step to send the proper key.

Screenshots

Environment details

• OS: AL2
• Postal Version 3.3.4
• Type Docker

Additional information/context

DKIM not found

`Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: myDomain.com
s= Selector: prod-apse1-postal-01
q= Protocol:
bh= JtH4QbBo1VBzBnCdMttYYfQWVBbN9faeTkLplrHfulc=
h= Signed Headers: date:from:to:message-id:subject:mime-version:content-type:content-transfer-encoding
b= Data: HsGexLkguQe16UA1DZcRwR6rFWNyfZPGu3uLE54/dgvPwt6CJOzuqbLJtgH4g3N8wwA2qoMA
N3q6LpGyf9RQajiVncVJymAzd/VH+R++MHjPbAxxOHXS370EnQzC0zwMmb4JR1q867rKHQW0
uLwzYipISEwxPLGJF5zWBWih2DqjCQUcLnEFNml1egHuZhTyFEq1x/RnnRN0o+z1xbs/yCRS
y5MlSYUHQFFZ+mO9fl1SC3jFO0t/XhRozk0thXZ6K0elpblULu3uKu3G/XR0maanm1rCYHDk
mVqDXXJTZSQFDoG1vZW+jX1mzKMLabLKXxZGc2hJW4FhyY/+cy++HA==
Public Key DNS Lookup

Building DNS Query for prod-apse1-postal-01._domainkey.myDomain.com
Retrieved this publickey from DNS: v=DKIM1; t=s; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLr1yjRX+XlhW9SYxSCWXmKP2CX5fngy8i3GbhVq7Sya48dkQUrO8sfz+/TrrbcExb0R6eEvX/zyeyQ4Q+Y+amNlUxzSy5JN7hb359MQYUnbbAZ085Df/LS2YNbNAoSnOz85q7MNN9C0ILUPcMQJgDcCL5mmM52urSHR8aE0VmLwIDAQAB;
Validating Signature

result = fail
Details: OpenSSL error: data too large for key size`

DKIM found

`Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/relaxed
d= Domain: myDomain.com
s= Selector: prod-apse1-postal-01-rSXIxz
q= Protocol:
bh= g9xFG9UVos3KtIL9BnUAfJ1j7gyJ0BkFm1KvahQUknY=
h= Signed Headers: date:from:to:message-id:subject:mime-version:content-type:content-transfer-encoding
b= Data: TodweM0CE9x3CJcotuvds0Nttnwpnfd+7Aer7mLwkujCGHRJdo012nOLuWola+0UYKiZV44f
aHs0Imi6uwFmhGeBSU6ACa2SLbFHh0Rub9aMCR6wsfFNJe0aoY9bqvU7CXy+uLSoUzhw0m+L
daEC9TP4/WWC8NLC9+wj1Y3vF58=
Public Key DNS Lookup

Building DNS Query for prod-apse1-postal-01-rSXIxz._domainkey.myDomain.com
Retrieved this publickey from DNS: v=DKIM1; t=s; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDLr1yjRX+XlhW9SYxSCWXmKP2CX5fngy8i3GbhVq7Sya48dkQUrO8sfz+/TrrbcExb0R6eEvX/zyeyQ4Q+Y+amNlUxzSy5JN7hb359MQYUnbbAZ085Df/LS2YNbNAoSnOz85q7MNN9C0ILUPcMQJgDcCL5mmM52urSHR8aE0VmLwIDAQAB;
Validating Signature

result = pass
Details: `

[willpower232]

However, if I create an internal route53 record and set use_local_ns_for_domain_verification to true, everything works, but feel that I should not have to do this step to send the proper key.

The whole reason that use_local_ns_for_domain_verification exists is because of situations like this where the default DNS lookup isn't working and it needs to look elsewhere so turning this setting on appears to be vital for your installation of Postal.

As you saw, #2101 says that if Postal cannot find the related DKIM it can only use the fallback one. The one if falls back to isn't double checked and Postal can only hope it exists.

[codysprojects]

My confusion was that I was unaware that if the DNS records check did not pass it would use a different key. I could find that it would use the "default domain name and default DKIM selector", but not the key. My default domain and mail server domain were also the same, which may have added to my confusion. Now that I know, I can make it work. Thanks for the help.