[SOLVED] rspamd not signing Email Alias with DKIM

Discussion in 'General' started by egaldoch, Mar 29, 2021.

  1. egaldoch

    egaldoch New Member

    Hello,

    I am struggling with the problem that rspamd is not signing alias mails. I have a main mailbox called mail@domain.tld and for this account an alias mail named post@aliasdomain.tld (Allow target to send mail using this alias as origin - enabled).
    DKIM signing is working fine for the main mail itself. If I write a mail with my email client from post@seconddomain.tld, but with the same mailbox account, the mail gets sent but not signed with DKIM.
    If I create a separate mailbox on seconddomain.tld, DKIM signing is working properly.

    The correct private and public keys are created for the domains themselves.
    Code:
    [/var/lib/amavis/dkim]
    └──╼ # ls -la
    total 64
    drwxr-x--- 2 _rspamd _rspamd 4096 Mar 29 13:45 .
    drwxr-x--- 3 _rspamd _rspamd 4096 May 27  2020 ..
    -rw-r--r-- 1 root    root    1702 Mar 29 13:16 mail@domain.tld.private
    -rw-r--r-- 1 root    root     451 Mar 29 13:16 mail@domain.tld.public
    -rw-r--r-- 1 root    root    1706 Mar 29 13:16 post@seconddomain.tld.private
    -rw-r--r-- 1 root    root     451 Mar 29 13:16 post@seconddomain.tld.public
    Code:
    cat dkim_domains.map
    domain.tld /var/lib/amavis/dkim/domain.tld.private
    seconddomain.tld /var/lib/amavis/dkim/seconddomain.tld.private
    Code:
    cat dkim_selectors.map
    domain.tld default
    seconddomain.tld default
    On my rspamd dashboard the error "no actions in settings: ispc_mail_forwarding_14" is shown.
    Does someone have an idea why my alias mails are not signed?
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Have you enabled dkim in "mail domains" for the domain "aliasdomain.tld"?
     
  3. egaldoch

    egaldoch New Member

    Yes I have enabled dkim on both domains. I also tried to disable and then reenable it again.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    What you describe is the default rspamd behavior:
    • If envelope from address is not empty, the effective second level domain must match the MIME header From
    • If authenticated user is present, this should be suffixed with @domain where domain is what’s seen in the envelope/header From address
    Try setting `allow_hdrfrom_mismatch = true;` and `allow_username_mismatch = true;` in /etc/rspamd/local.d/dkim_signing.conf (and you'll have to use a conf-custom template to make that change survive ISPConfig updates).

    @Croydon: I would propose we set these two automatically if reject_sender_login_mismatch is true. (Without rslm enabled I'd leave them false to avoid one customer sending spoofed mail that is also dkim signed.)
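
The two default checks and the two options named in the answer above, as an added example that is not part of the original thread and is not rspamd's own code. It is a simplified Python model: the map content is constructed in the domain-to-key format shown in the first post, the eSLD is approximated by the last two labels, and taking the signing domain from the header From is an assumption.

```python
# Simplified model (not rspamd source) of the two default dkim_signing checks
# quoted above and of the options that relax them.

# Constructed sample in the "domain key_path" map format from the first post.
DKIM_DOMAINS_MAP = """\
domain.tld /var/lib/amavis/dkim/domain.tld.private
seconddomain.tld /var/lib/amavis/dkim/seconddomain.tld.private
"""

def parse_map(text):
    """Return {domain: key_path} from 'domain path' lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            domain, path = line.split(None, 1)
            entries[domain.lower()] = path
    return entries

def esld(address):
    """Naive eSLD: last two labels of the domain part (assumption: no public suffix list)."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])

def signing_decision(auth_user, env_from, hdr_from, key_map,
                     allow_hdrfrom_mismatch=False, allow_username_mismatch=False):
    """Return (key_path or None, reason) for one outgoing message."""
    sign_domain = esld(hdr_from)  # assumption: signing domain follows header From
    # Check 1: a non-empty envelope From must match the header From domain.
    if env_from and esld(env_from) != sign_domain and not allow_hdrfrom_mismatch:
        return None, "envelope/header From domain mismatch"
    # Check 2: the authenticated user must belong to the signing domain.
    if auth_user and esld(auth_user) != sign_domain and not allow_username_mismatch:
        return None, "authenticated user domain mismatch"
    key = key_map.get(sign_domain)
    if key is None:
        return None, "no key for " + sign_domain
    return key, "signed for " + sign_domain

KEYS = parse_map(DKIM_DOMAINS_MAP)

if __name__ == "__main__":
    # The alias case from the thread: login mail@domain.tld, sender post@seconddomain.tld.
    alias = ("mail@domain.tld", "post@seconddomain.tld", "post@seconddomain.tld")
    print(signing_decision(*alias, KEYS))
    print(signing_decision(*alias, KEYS, allow_username_mismatch=True))
```

With both options enabled the model signs for any mapped domain regardless of who authenticated, which is the spoofing concern the answer ties to reject_sender_login_mismatch.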
     
  5. egaldoch

    egaldoch New Member

    Thank you Jesse, that solved the issue for me!
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  7. egaldoch

    egaldoch New Member

    Unfortunately the issue reappeared after I updated to ISPConfig 3.2.5, although I still have the config changes in place.
    Any ideas?
    Thanks in advance!


    Fixed the issue by checking this option, which I had activated before but which somehow got disabled:
    System-->Server Config-->Mail--> Reject sender and login mismatch
     
    Last edited: Jun 13, 2021
