Regression in DKIM signing when using multiple domains in one mailbox

Discussion in 'Developers' Forum' started by basmevissen, Mar 3, 2024.

  1. basmevissen

    basmevissen Member

    Hi all,

    I've been using ISPConfig for a long time. I always had a single mailbox bas@domain_a.nl and used it to send mail originating from bas@domain_a.nl and bas@domain_b.nl. A long time ago I added DMARC, SPF and DKIM signing support.
    That worked flawlessly until I recently upgraded my Ubuntu 12.04 LTS ESM to Ubuntu 20.04 LTS (24.04 came too late for me :) due to some other issues. The upgrade went reasonably smoothly and I could also update to the latest version of ISPConfig to resolve the issue that triggered the host upgrade. But I now discovered a regression with DKIM signing:

    When sending mail from bas@domain_a.nl from mailbox bas@domain_a.nl, everything is fine. However, when I send mail from bas@domain_b.nl from the bas@domain_a.nl mailbox, it does not get DKIM signed anymore (I checked with old mail that it did before!).

    I checked domain_a.nl and domain_b.nl and the mailhost's DNS records (external to ISPConfig) and the DKIM settings in all domains (I redid them to be sure). Nothing had changed and everything is OK (also checked with mxtools and other sites).

    So I added a mailbox bas@domain_b.nl and sent a mail as bas@domain_b.nl from it. That went fine. So all DNS, ISPConfig and mailhost DKIM settings are still fine. I conclude from these findings that the behaviour of the mailhost (or ISPConfig configuration) has changed. I could not find any error in the logs that gave a clue. Sending mail as bas@domain_a.nl from bas@domain_b.nl also does not get DKIM signed.

    All DMARC/SPF stuff passes in all cases. It is only that messages are no longer DKIM signed when sending from a different identity than the login domain of the mailbox. I use the installed Roundcube webmail and Thunderbird. Same results.

    Any idea? How are the mail accounts connected to the sending domains? Can I debug this further?

    Best Regards,
    Bas.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You do not say how you have set up sending as another domain.
    Is it an e-mail alias? If yes, have you set "Allow target to send mail using this alias as origin"?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you use Amavis or Rspamd and did you use the same application before?
     
  4. basmevissen

    basmevissen Member

    Thanks for your reply. Let me try to answer the questions.

    The "B" domain is set up as just another e-mail domain, not an alias. There was no mailbox for it (now there is one, to test).
    There is a catchall *@domain_b to bas@domain_b and a forward bas@domain_b to bas@domain_a.

    In the catchall, "Allow destination to send from email addresses in this domain" is not enabled. Also not for *@domain_a to bas@domain_a.
    However, I can send mails as test@domain_a from mailbox bas@domain_a that are DKIM signed. So that does not seem to be needed to fully utilize the xxxx@domain_x "mail address space" (I use it to make unique mail addresses per destination).

    In the forward, "Allow target to send mail using this address as origin (if target is internal)" is enabled.

    I switched from Amavis to Rspamd after the upgrade. Can you please explain what is the role of that in signing outgoing mail?

    Regards, Bas.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Amavis or Rspamd is the software that does the DKIM signing of the emails. So switching from Amavis to Rspamd is likely the reason for the different behavior.
     
  6. basmevissen

    basmevissen Member

    Ok, didn't know that, thanks.
    But that appears not to work then, as in the forward I have enabled that bas@domain_a might send for bas@domain_b.
    I did enable "Allow destination to send from email addresses in this domain" for both domains to be sure (although sending as test@domain_x from bas@domain_x always works and performs DKIM signing, which it shouldn't IMHO) in the meantime and that did not make a difference. So maybe that points to a different problem if I understand that option well.
     
  7. erik9u2

    erik9u2 New Member

    I can also confirm this issue on a clean installation of ISPConfig on Debian 12.

    Setting up an "Email Catchall" with option "Allow destination to send from email addresses in this domain" ticked, then creating a new identity in Roundcube and sending email as that identity WILL NOT sign the email. However, creating a separate mailbox and sending from it WILL sign the email.
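
To check saved messages for the symptom reported in this thread, the script below (an added example, not part of any post and not ISPConfig, Amavis or Rspamd code) reports whether a message carries a DKIM-Signature whose d= tag equals the From domain. The sample messages, the selector and the function names are constructed for illustration, and alignment is tested as an exact domain match only.

```python
import re
import sys
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); tag values are placeholders.
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain_a.nl;\r\n"
    "\ts=default; h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED=\r\n"
    "From: Bas <bas@domain_a.nl>\r\nTo: x@example.org\r\nSubject: t\r\n\r\nbody\r\n"
)
UNSIGNED = "From: Bas <bas@domain_b.nl>\r\nTo: x@example.org\r\nSubject: t\r\n\r\nbody\r\n"


def from_domain(msg):
    """Domain of the RFC 5322 From header, lowercased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def dkim_domains(msg):
    """d= tag of every DKIM-Signature header on the message."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", str(value))  # undo header folding
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def signing_status(raw):
    """Return 'aligned', 'misaligned' or 'unsigned' for one raw message."""
    msg = message_from_string(raw)
    sender, signed = from_domain(msg), dkim_domains(msg)
    if not signed:
        return "unsigned"
    # Exact match only; DMARC relaxed alignment would also accept subdomains.
    return "aligned" if sender in signed else "misaligned"


if __name__ == "__main__":
    # Pass saved .eml files as arguments; without arguments the samples run.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, signing_status(fh.read()))
    if len(sys.argv) == 1:
        print("signed sample:", signing_status(SIGNED))
        print("unsigned sample:", signing_status(UNSIGNED))
```

This only inspects headers; it does not verify the signature against the public key in DNS.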
     
