Problems after upgrade to 8629

Question asked by Miguel Enrique - 9/12/2023 at 11:44 AM

Answered

Hello.

I recently switched to the latest version of SmarterMail 8629 (Aug 17, 2023) from version 14. The update worked without problems and has been working fine for a couple of weeks until yesterday when several customers called me to report that their email was returned because it was not being signed (DKIM).

Remote server returned '550 5.7.509 Access denied, sending domain XXXXXX.COM does not pass DMARC verification and has a DMARC policy of reject.'

I checked the logs and for no apparent reason some domains stopped signing mail (DKIM). The delivery log showed in all shipments from those domains:

[2023.09.11] 20:11:15.180 [70680825] Exception getting DKIM signature System.NullReferenceException: Object reference not set to an instance of an object.

[2023.09.11] at SmarterMail.Common.MailSigning.DKIM.DKIM.Sign(MimeMessage mime, db_domain_settings_readonly domainSettings, DkimSignatureField sigField, MessageSigningArgs signingArgs, List`1& logLines) at MailService.RelayServer.RemoteDeliverySession.GetDkimS signature()

The configuration in Smartermail was correct. The DNS records had not been changed. Even from the server with nslookup I could see the correct selector key and mxtoolbox was not reporting any problems. Turning DKIM on and off did not solve the problem.

The only entry I found on this problem was:

https://portal.smartertools.com/community/a94772/8125-exception-getting-dkim-signature.aspx

But in my case, the configuration was correct.

Restarting the server did not fix the problems. Finally I decided to change the keys by regenerating in SmarterMail, update DNS, and the signing started working without problems.

Without changing anything on the server, without changing anything in DNS, without rebooting, it's very strange.

Has anyone had these problems?

Greetings.

Miguel Enrique.

6 Replies

Reply to Thread

Kyle Kerst Replied

9/12/2023 at 11:55 AM

Employee Post

Hello Miguel, glad to hear you were able to get upgraded largely without issues. We did have some known DKIM issues in the past where the private/public key or selector data could become blank, but this was resolved several updates ago and also doesn't appear to be exactly what is happening in your case. As such, I suspect there might be some issue with the underlying data, or a file locking issue on the disk preventing us reading that data. If you have active maintenance and support I can get a ticket started for us and we can take a look together if you'd like! Otherwise, I recommend starting with a check via Process Monitor from Microsoft/Sysinternals. You can configure it with filters like these to find anything touching our JSON configuration files aside from us or other expected cases:

IF PATH CONTAINS C:\SMARTERMAIL\DOMAINS\ THEN INCLUDE

IF PROCESS NAME IS MAILSERVICE.EXE THEN EXCLUDE

IF PROCESS NAME IS W3WP.EXE THEN EXCLUDE

IF PROCESS NAME IS EXPLORER.EXE THEN EXCLUDE

You may need to filter out additional items depending on the environment but these should be a good start. If you do see any executables returned here (and see locks noted in particular) do a google search for that exe to find out what it is first, then find out if its using Volume Shadowcopy Service in Windows to access that file. If it isn't; it may be locking the file and preventing us from reading it when we try to sign a message.

If nothing turns up there though, there may be some issue with the underlying data and we'd need to take a look to get to the bottom of that. On that front; do you have a backup of the pre-upgrade data available by chance? This would be a good starting point for us to step through the upgrade process and see how the DKIM data behaves. If not, I recommend making a quick backup of the affected domain's Archived Data folders (found at their root directory) which should contain before/after backups of that JSON file we can review as well. Good luck and have a good one Miguel!

Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com

Miguel Enrique Replied

9/12/2023 at 12:53 PM

Hello Kyle.

I think I have been using SmarterMail since version 2, because the first invoice in "my profile" is the update to version 3.x from 2006 and the previous invoices do not appear. I pay annually for renewals.

I have not been able to update before because I also use Declude and I have been waiting for all the problems to be solved.

I must recognize the great work the team has done with the update. The only problem I have had is that clients have to change the webmail language (it has been set to English) and the imap folders names. But that is another story that is explained in the help.

The problem with DKIM is solved and today I have not located any domains with problems. I won't create a ticket for something that works.

Thank you very much for the ideas to detect a file locking problem.

Greetings.

Miguel Enrique.

Mon Mariola, S.L.

Kyle Kerst Replied

9/12/2023 at 3:29 PM

Employee Post Marked As Answer

Thanks for your reply Miguel, that is great to hear, always happy to see a longtime fan! I checked out your profile in our customer management system and you do have an active M&S plan with those annual renewals - so if you ever need anything at all please don't hesitate to submit tickets with us on these. As always happy to help with quick questions and pointers too :-) Have a good one Miguel!

Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com

J. LaDow Replied

9/17/2023 at 12:33 PM

We have just experienced this issue across multiple domains where they have just stopped signing mails with the same error:

Exception getting DKIM signature System.NullReferenceException: Object reference not set to an instance of an object.

We're gathering data and running tests as noted above. Logs show it is affecting minimum two domains out of 90.

Running rev. 8629

Will update with more details as we uncover.

MailEnable survivor / convert --

J. LaDow Replied

9/17/2023 at 2:07 PM

So we have two domains for sure with issues.

One we finally got it to accept the new keys in DNS and re-enable, but now we're getting the exception regarding BCC should not be in the list of included fields.

We attempted to reset the fields settings and this is from the settings.json file for said domain:

Now, that domain is complaining again that it cannot find the keys to sign messages (and they are present in the settings.json - just not in the screenshot). So this is a loop between not finding the keys or reading the wrong fields to sign.

This issue presents on two domains. We completely disabled DKIM on the other one and started over with all the settings - including new DNS records -- now watching and waiting with the logs.

I think we're going to proceed to opening a ticket at this point.

MailEnable survivor / convert --

Miguel Enrique Replied

9/18/2023 at 5:08 AM

Hello J. LaDow.

I also keep getting errors “Exception getting DKIM signature System.ArgumentException: The list of headers to sign SHOULD NOT include the 'Bcc' header.” They always occur when the recipient is a gmail.com account. The senders are from different domains, but usually the same accounts. So far today, out of about 5,000 remote shipments, I have only had two shipments with the same sender and recipient with the error “The list of headers to sign SHOULD NOT include the 'Bcc' header.”. The Gmail server is different in the two shipments. However, other sends from the same sender to other Gmail accounts have worked correctly. It's strange.

I have seen that a new Smartermail update has been released with:

Build 8657 (Sep 14, 2023)

• Fixed: When trying to update the DKIM selector, public key, key size or max message sign, the API returns success but doesn't change the values.

If the Administration website uses the API to store information about the signed DKIM this may explain your problems, but not mine.

Greetings.

Miguel Enrique.

Mon Mariola, S.L.

Back to Community Threads

Please leave this box unchecked

6 Replies

Reply to Thread

Tags

Related Knowledge Base Articles