[ SOLVED ] -ISPConfig + DKIM ok, but messages from "email alias" are not DKIM signed.

Hi all reader,

**********************************
OBSERVATION :
**********************************

- ISPConfig version : ISPConfig Version: 3.2.11p2
- PHP default version for debian 12 which is 8.2 version
- ISPConfig as follow with NGinx
https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/

- roundcube config as follow: ( howTo 1)
https://www.howtoforge.com/install-ispconfig-3-roundcube-plugins-on-debian-10/

As consequence the content of " nano /etc/roundcube/config.inc.php " is the following :

$config['plugins'] = [
...
'enigma', <---- Not install by default but this part works fine and is NOT related to my observations linked to DKIM. ( each account alias can have is own keys PUB and PRI )
'jqueryui', <----- activate thank to ( howTo 1)
'ispconfig3_account', <----- activate thank to ( howTo 1)
'ispconfig3_pass', <----- activate thank to ( howTo 1)
'ispconfig3_spam', <----- activate thank to ( howTo 1)
'ispconfig3_fetchmail', <----- activate thank to ( howTo 1)
'ispconfig3_filter', <----- activate thank to ( howTo 1)
'ispconfig3_wblist' <----- activate thank to ( howTo 1)
];

- installation is done on SERVER01 with email features ( postfix + docevot )
- on SERVER01 domains domain1.COM AND domain2.NET are activated WITH DKIM
- SPF, DKIM, DMARC are correctely configured on the DNS servers. ( NO PROBLEM on that part ; I AM SURE of it. )

- on SERVER01 are activated :
-a- [email protected] ( a user with storage features on SERVER01 )
-b- [email protected] ( a user ALIAS for [email protected] )


- on roundcube " [email protected] " account the [email protected] is declarated as one identity available.

- accounts " [email protected] " AND " [email protected] "

- Participant to this analysis potential questions and answers :
* Does SERVER01 transmit perfectely sign messages via thunderbird ? ( if [email protected] and [email protected] are 2 independents accounts of course. )
--> RESPONSE : YES

* Does SERVER01 transmit perfectely sign messages via roundcube for user [email protected] ?
--> RESPONSE : YES

* Does SERVER01 transmit perfectely sign messages via roundcube for alias user [email protected] ?
--> RESPONSE : NO and it the observation i try to solve ....

**********************************
IMPLICATIONS :
**********************************

My research track : ...

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
TRACK -1- :
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

- Not activate DKIM for "domain2.NET" on SERVER01
- install SERVER02 with DKIM activated for "domain2.NET"
- relay outgoing message from SERVER01 "domain2.NET" through SERVER02 ( SERVER02 will sign the outgoing messages - but i still wonder on which SMTP header SERVER02 will decide to sign or NOT the outgoing messages since on SERVER01 the authentication
process is done for" [email protected] " and NOT for " [email protected] ".)

Why i am wonder this concerning the outgoing message ?
RESPONSE :
--> Because if alias user " [email protected] " send an email via roundcube via the authenticated " [email protected] " web access ; the header of the outgoing message contains the following informations :

" Received: from webmail.domain.org (localhost [IPv6:::1]) (Authenticated sender: [email protected] ) by webmail.domain.org (Postfix) with ESMTPA id 0E470C0EA61 for <[email protected]>; Sun, 12 May 2024 00:55:51 +0200 (CEST) "

If the DKIM process is based on the " Authenticated sender " value then the signature will NOT be done since the FROM ( sender ) value is differente of the " Authenticated sender " value.

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
TRACK -2- :
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

As conclusion, questions are :
-1- Could you explain the process and which value(s) are taken into concideration during the DKIM sign process ?

Does if make sense to add into the process " if sender is an alias then take into concideration the domain alias sender AND NOT only the authentication sender domaine to sign. "


-2- Do you know if a main.cf and/or master.cf file modifications ( OR SOMETHING ELSE ) could allow the local roundcube to have messages sign also for " email ALIAS " declarated into the roundcube interface ?

I wonder if file " mail.cf " modification :
FROM : " smtpd_sasl_authenticated_header = yes "
TO : " smtpd_sasl_authenticated_header = no "
can help or not.

Since i do not know if it has " bad " implications on ispconfig working i ask before carry on my track ...


i wonder if " email routing " and / or " domain relay " ( via a local smtp relay maybe ) " relay recepient " could include a " solution " to allow DKIM to sign the message based on the FROM sender AND authenticate user instead of "only" on the " authenticate user ".

Regards,

Elvé.

 

I admit I did not understand much of the long discussion, but the part about

I like to comment on.
User can write anything to the FROM part, like for example biden @ whitehouse . gov, so signing that would be a forgery. Authenticated user at least has to know password or even be multifactor authenticated, so signing that is OK.

 

Thank you for your ... " remarks" which unfortunately put the light on the fact that as you mention you like comment but unfortunately NOT put the light on the fact that several sentence of the detailled situation mention i quote : " i wonder if " email routing " and / or " domain relay " ( via a local smtp relay maybe ) " relay recepient " could include a " solution " to allow DKIM to sign the message based on the FROM sender AND authenticate user instead of "only" on the " authenticate user ". "

If the writter has use the word "AND" to qualify the user it means that in this case the user is AT THE SAME time " authenticated " (which seam to be YOUR personnal need which i am agree of course) AND the same user is also the bearer of a second identity which is fixed to is first authenticated identity.
I gave you a sample case i feel you are lack of evidence of this trivial situation:
Let says that Mister George Smith call Miss Jane Johnson by phone.
If the fisrt sentence ( step 1 ) of Mister George Smith to Miss Jane Johnson is : " Hello this Smith ",
it does NOT imply ( to Miss Jane Johnson which has authenticate Mister George Smith ) that if during their conversation if Mister George Smith says to Miss Jane Johnson : " Would you like to have a drink with George ? " , that George stole the identy of Mister Smith ! Beleive or not Miss Jane Johnson has perfectely understand that "Smith" AND "George" is a SINGLE authenticate person.

As conclusion, before comment i invite you to read all details cause there are people ( lik me) who give much details to let people like "Till" Catch AND understand those details to produre each time a productive reply.
On other hand there are people who produre very few details into their requests which i am sure you will not only "like" but "LOVE" to comment for i hope the best resultut.
In the case i have exposed your comment has just " no place " cause you miss maybe the MOST important part of the message which is not hidden but that you may not have read before comment. This " detail " is to be able to understand what the word " AND " means ...
Hope it helps for your futur comment production.
Regards
Elve

 

Hi Till , Thank you
i will have a look that way and inform the community if it helps.
Regards

Elve

 

Dear All,

Thank to Till observation i have followed the "rspam track" : Here are the results :

Source of the value explaination :
https://rspamd.com/doc/modules/dkim_signing.html#principles-of-operation

Source of an other situation nearby the one i have exposed above than i have discovered thank to Till since i was not looking for at the right place even if my observations were right AND also observed by other poeple : ( the following thread help me also )
https://forum.howtoforge.com/threads/solved-rspamd-not-signing-email-alias-with-dkim.86690/


What i have done :

-A- : Edit this file :
nano /etc/rspamd/local.d/dkim_signing.conf

-B- : Add at the top of the file :
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
solution -1- :
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
use_domain = "envelope"; ( i invite who to read the rspam.com doc since several options are available here. )
allow_username_mismatch = true;

-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
solution -2-
The one available from here :
https://forum.howtoforge.com/threads/solved-rspamd-not-signing-email-alias-with-dkim.86690/
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
allow_username_mismatch = true;
allow_hdrfrom_mismatch = true;

BOTH are working at least for me.

-C- : retart rspamd :
systemctl restart rspamd

-D- To test if your system correctly sign your messages you can use :
https://www.mail-tester.com/


For those who wonder WHY a such need, here it is a day to day explanation :
Let says Mike Pickles share is working time between is activity of "Dentist" though is Company AAAA.com and with is activity of "pet sitter" though is Company BBBB.NET.

Mike P. has got :

1- TWO emails address : " [email protected] " AND " [email protected]"
2- Mike in his day to day, since he use his brain for constructive and productive operations does NOT plan to logon and logoff each time he needs to use his identity as dentist or as pet sitter just to have outgoing message corretely DKIM signed.
3- As consequence Mike as configured his roundcube GUI to log with [email protected] credential but also with the possibility to use the email ALIAS "[email protected]" via the same connection.

Special remarks for those comment BEFORE readind "details and needs" :
This trivial sample is to illutrate the needs of TWO differents activities. If you have a reading blocking with "dentist" or "pet sitter", you can replace those two "imaginary profession" by " hairdresser astronaut " or anything else. The same logic can be applied to help any reader to understand the goal with sample images more linked to his/her own sensibility.

Conclusion : Thank you to Till and Jesse Norell. The first for the "rspam track" and the second to havee solve this 2 years before this thread and have helped me to directly find the correct place to apply the configuration modifications file.

Hope it helps

Regards,
Elve