Ispconfig 3 as outgoing email server with dkim signature

Discussion in 'General' started by pongraczi, Sep 20, 2020.

  1. pongraczi

    pongraczi Member

    Hi,
    I created a mail gateway with ispconfig3 as shown on the upper half of the drawing below.
    • It can receive, filter and relay emails for a domain (example.tld) as expected.
    • Ispconfig 3 does not handle this domain, in other words, the domain example.tld is not added to email domains (as the manual said).
    • (Note: Ispconfig 3 can add dkim signatures for email domains which are added to email domains/aliases and handled by ispconfig.)
    My question: how can I turn the incoming email relay (ispconfig 3) into an outbound server, too, and add a dkim signature for that specific domain?
    In other words, could ispconfig sign outgoing emails with dkim for a specific domain which is not handled by ispconfig itself?

    ispconfig_email_relay.jpg

    In this specific case, ispconfig only should handle one email domain as relay and outbound email server (let's say example.tld), but in the future maybe more than one email domain should appear in relay and outbound, for example example2.tld and example3.tld, where example2.tld should be relayed and example3.tld should be handled fully in Ispconfig 3.

    So, I have no problems with adding dkim for email domains already handled by ispconfig using the WebUI of ispconfig, that works perfectly, thank you. Also, moving completely to Ispconfig 3 and abandoning the legacy email server is not an option.

    I just would use Ispconfig 3 server to sign emails with dkim for specific domain(s) without unnecessarily messing the system.
    Thanks, István
     
    ahrasis likes this.
  2. pongraczi

    pongraczi Member

  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    As the feature/configuration isn't currently supported in the ISPConfig ui, it will be necessary to "mess" with your setup. There are 2 pieces, allowing relaying from your legacy server for that domain, and configuring dkim signing for that domain's mail. Both amavis and rspamd perform dkim signing, if you have a preference for one over the other.
     
    ahrasis likes this.
  4. pongraczi

    pongraczi Member

    Thank you for the feedback.
    Yes, messing is acceptable, especially it will not break ispconfig configuration and vice versa.
    It seems rspamd could handle the dkim signature without interfering with ispconfig, so my choice is rspamd.
     
  5. Martin Eichner

    Martin Eichner New Member

    I will have to perform necromancy on this thread as I am now faced with having to enable dkim on our outbound email service, which is identical to the above setup.

    Has anything changed in the current version, making this possible without major config changes?
    If not, where would the changes have to be implemented to make it work, as I am not seeing an obvious solution above.

    Since the primary setup is a hosted exchange setup sending through the server, we cannot move the mailboxes, thus needing the dkim signing of relayed mails.
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I don't think anything has changed here, though I wouldn't consider it a "major" config change to set up signing of a custom domain.
    Add your exchange server ip(s) to postfix whitelist, generate a dkim key pair and publish the public key in your domain's dns, then add it to /etc/rspamd/local.d/dkim_signing.conf (eg. following the examples). The same change in dkim_signing.conf needs to be made in a dkim_signing.conf custom template so it survives ISPConfig updates (ie. copy server/conf/rspamd_dkim_signing.conf.master to server/conf-custom/ and copy your changes there). You might also need to add your exchange server's ip to /etc/rspamd/local.d/local_networks.inc (I'd be curious if you do or don't, I've never tried it without using authentication).
     
    Martin Eichner and ahrasis like this.
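
The key-pair, DNS and dkim_signing.conf steps from the post above, as an added example that is not part of the original thread or ISPConfig's own code. The selector name, the key directory and the use of rspamd's per-domain `domain { }` block are assumptions; the stanza still has to be copied into the conf-custom template as the post describes.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Selector and key directory are assumptions.

# Generate a 2048-bit RSA key; prints the private key path.
dkim_keygen() {  # args: DOMAIN SELECTOR KEYDIR
    key="$3/$1.$2.key"
    mkdir -p "$3" || return 1
    ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    # rspamd must be able to read this file: chown it to the user rspamd runs as.
    printf '%s\n' "$key"
}

# Print the zone-file TXT record for the public half of KEYFILE.
dkim_txt_record() {  # args: KEYFILE DOMAIN SELECTOR
    pub=$(openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A)
    [ -n "$pub" ] || return 1
    # A TXT character-string holds at most 255 bytes and a 2048-bit key is
    # longer, so split the value into quoted chunks that resolvers concatenate.
    chunks=$(printf '%s\n' "v=DKIM1; k=rsa; p=$pub" | fold -w 200 | sed 's/.*/"&"/' | tr '\n' ' ')
    printf '%s._domainkey.%s. IN TXT ( %s)\n' "$3" "$2" "$chunks"
}

# Print the per-domain block for /etc/rspamd/local.d/dkim_signing.conf.
dkim_rspamd_stanza() {  # args: KEYFILE DOMAIN SELECTOR
    printf 'domain {\n  %s {\n    path = "%s";\n    selector = "%s";\n  }\n}\n' "$2" "$1" "$3"
}

# Usage: sh dkim-relay.sh example.tld relay2020 /path/to/keydir
if [ "$#" -eq 3 ]; then
    keyfile=$(dkim_keygen "$1" "$2" "$3") || exit 1
    dkim_txt_record "$keyfile" "$1" "$2"
    dkim_rspamd_stanza "$keyfile" "$1" "$2"
fi
```

Publish the printed record and confirm it resolves (for example with `dig +short TXT relay2020._domainkey.example.tld`) before enabling signing, so receivers never see a signature they cannot verify.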
  7. Martin Eichner

    Martin Eichner New Member

    Cheers we'll have a look into it, I'll let you know if we got a solution, and if we add the local_networks.inc changes :)

    Thank you in advance :)
     
