Hi, we've set up ISPConfig as an SMTP relay server running on a Hetzner root server. A while ago, we were working on our e-Mail "reputation" and configured SPF, DKIM and DMARC via the ISPConfig UI. I am a bit confused on how to set up DKIM and DMARC for the relayed e-Mails. Checking the correct setup using e.g. mail-tester.com or similar, these checks are always reporting a wrong setup when checking relayed e-Mails. Using the same checks when sending e-Mails via Roundcube from the root server, everything works as expected and no misbehavior is indicated.
I think this depends on the setup. In rspamd you have a few options for which mails should be DKIM signed. These options are as follows:

Code:
# If false, messages from authenticated users are not selected for signing
sign_authenticated = true;
# If false, messages from local networks are not selected for signing
sign_local = true;
# Map file of IP addresses/subnets to consider for signing
sign_networks = "/some/file"; # or url

I don't know the default settings for ISPConfig off the top of my head. If you are using the relay without authentication (e.g. IP in mynetworks), then you need to add a map for "sign_networks" as well and the IP of the sending server to sign those mails with DKIM.
Hmm, DKIM setup is part of ISPConfig and I am not really sure if rspamd has to be involved. The IP address of the sending server is dynamically assigned, so there's no static mapping possible.
Rspamd is the software that signs your emails with Dkim. If it's not installed or configured, you will not have DKIM-signed emails.
Rspamd is installed and working. The e-Mails are DKIM-signed, but as mentioned before, mails from the external sending server, which are relayed, are not signed the right way. If I send mails from the ISPConfig host via e.g. Roundcube, everything is fine.
Now, I tried to apply these settings, but I am not really sure what the right file is. This one I changed to true, in local.d/arc.conf:

Code:
sign_authenticated = false;

As per my understanding, the local e-Mail signing works fine. Checked with the new option against https://unspam.email, no luck.
Best is to check email source in your email client to see if they are signed instead of using any kind of external service. Do you use smtp authentication for the connection that you use to relay emails?
Yes, I am using SMTP auth for relaying. From my personal POV, it must have something to do with the "from" address, which is changed to the domain of the sending server when relaying, but I have no idea how to fix this (if it's the problem).
If the from address does not match, then the emails are not signed. You can try to set these options in Rspamd to enforce signing:

Code:
allow_envfrom_empty = true;
allow_hdrfrom_mismatch = true;

But not sure if other servers will accept the emails as signed then. But you can try it.
Hmm, gave it a try, but now, DKIM is not provided anymore in mails sent. Strange behavior. Any ideas?
You can enable debug output for the dkim signing module to debug issues. It can be configured in logging.inc.
Hmmm, from the logs (snippet):

Code:
arc; lua_dkim_tools.lua:454: user domain mismatch

Adding

Code:
allow_username_mismatch = true;

to local.d/dkim_signing.conf seems to do the trick. D'accord?
Ok, applied all options provided above ... no luck. After some more, time consuming, investigation... I've attached a few files including the log snippets of rspamd and the corresponding e-Mail headers, which may help to figure out what's going wrong. One mail has been sent via Roundcube directly from the mailserver: Related files relay_mail*. The other one from my local machine through the mailserver, where it has been authenticated with a separate e-Mail user: Related files relay_mail*. From my POV, it must have to do with the SMTP auth account, but I cannot figure out what to do. Hopefully all of the personal information has been removed in the attached files.
There shouldn't be any difference between roundcube and local machine sending. Though your headers are far from complete, so there's no way of telling why direct mail is dkim signed and relay mail is not. The only step mentioned in the headers is the last step where Google receives the mail from your relay server. Every other step before that is absent.
Ok, just for clarification: "local machine" is a local mail server which is used to send mails through the relay server. The headers have been extracted from the incoming mails of the Gmail account. Why "Though your headers are far from complete"? I copied all the stuff from the Thunderbird headers to these files. Indeed there is a difference: in the rspamd logs, you'll find "user domain mismatch" for the relaying version, which is not in the direct mail. Searching for DKIM in the logs should give some hints.
And I assume Roundcube uses that same local mail server? Check headers directly at Gmail. There should be way more "received:" steps, from the point of origin till when Google receives it. Your local mail server alone should already have reported multiple "received:" steps in the headers. And then there are the steps where your local mail server received it and your relay server received it too. All are missing now, except where Google receives it.
No, no, sorry for the missing clarification: Roundcube is running on the relay server in the internet. One more try to clarify:

Direct-mail: Roundcube (Internet root server) -> gmail

Relay-mail: Local LAN Windows PC (Thunderbird) -> Local LAN mail server (linux postfix as well) -> INTERNET: Relay Server -> gmail
Now it makes some more sense. You expect the relay server to do dkim signing on a non-local mail domain for direct-mail. That won't fly. Dkim signing of relay-mail is done by your local mail server, so that's ok.
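As suggested earlier in the thread, the reliable check is the message source itself rather than an external tester. The script below is an added example (not from the thread or from ISPConfig/rspamd): it parses a raw message, reports whether a DKIM-Signature header is present and whether its d= domain aligns with the From: domain, which is what a receiver's DMARC check looks at. The three sample messages are constructed to mirror the cases discussed: a direct mail signed by the relay server's own domain, a relayed mail that was never signed, and a relayed mail signed with a non-matching d= (what forcing allow_hdrfrom_mismatch would produce). Domain names are placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (placeholder domains, not real mail).
DIRECT_MAIL = b"""From: user@relay.example.com
To: someone@gmail.com
Subject: direct mail via Roundcube
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.com; s=default; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

hello
"""

RELAY_MAIL_UNSIGNED = b"""From: user@lan.example.org
To: someone@gmail.com
Subject: relayed mail, no signature

hello
"""

RELAY_MAIL_MISMATCH = b"""From: user@lan.example.org
To: someone@gmail.com
Subject: relayed mail signed by the relay's domain
DKIM-Signature: v=1; a=rsa-sha256; d=relay.example.com; s=default; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

hello
"""


def dkim_status(raw: bytes) -> dict:
    """Report DKIM presence and DMARC-style (relaxed) alignment of d= with From:."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    signing_domains = []
    for sig in msg.get_all("DKIM-Signature") or []:
        # DKIM-Signature is a list of tag=value pairs separated by ';'.
        tags = {}
        for part in str(sig).split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if "d" in tags:
            signing_domains.append(tags["d"].lower())
    # Relaxed alignment: d= equals the From: domain or is a parent of it.
    aligned = any(from_domain == d or from_domain.endswith("." + d)
                  for d in signing_domains)
    return {"from_domain": from_domain, "signing_domains": signing_domains,
            "signed": bool(signing_domains), "aligned": aligned}


if __name__ == "__main__":
    for name, raw in [("direct", DIRECT_MAIL), ("relay-unsigned", RELAY_MAIL_UNSIGNED),
                      ("relay-mismatch", RELAY_MAIL_MISMATCH)]:
        print(name, dkim_status(raw))
```

To use it on real mail, save the message source from your client as an .eml file and pass its bytes to dkim_status(); a signed-but-unaligned result means the signature exists but will not satisfy DMARC for the From: domain.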