No, it's not. Yes, using a relay server is common practice, but for relaying only. If you want it to do dkim signing too, you'll need to set up your domain as a mail domain in ispc and enable dkim. Or set up roundcube to use your local mail server as smtp, so dkim signing is done there (as with thunderbird mail) and relayed back.
You can configure rspamd to sign for whatever you want if you like. On an ISPConfig system you can overwrite the dkim_signing config to use additional map files for signing. We do this on our server with this configuration in overwrite.d/dkim_signing.conf:
Code:
path_map = [
    "/etc/rspamd/local.d/dkim_domains.map",
    "/etc/rspamd/maps.d/autodkim_domains.map"
];
selector_map = [
    "/etc/rspamd/local.d/dkim_selectors.map",
    "/etc/rspamd/maps.d/autodkim_selectors.map"
];
sign_networks = "/etc/rspamd/maps.d/kits_dkim_sign_networks.map";
The autodkim_* maps contain your custom configurations; the others are the files from ISPConfig itself, don't touch them. In sign_networks you add the IPs of the downstream servers that use the signing server as an outgoing relay. Be aware that you need to handle the keypair on the ISPConfig server and in the DNS yourself for this. More information can be found in the upstream documentation.
@pyte This is exactly what I wanted to hear. Thanks a lot. I am a bit confused about the necessary entries in the autodkim_* files. Are there any samples available somewhere on the net? I found this discussion helpful: https://github.com/orgs/docker-mailserver/discussions/4575#discussioncomment-14482755, but there may be a more suitable one available.
autodkim is an internal tool I wrote for the company I work at to handle automatic key generation, rotation and the corresponding DNS records for customers that use our Hosted Exchange product. These files contain the same information as the files from ISPConfig itself, e.g. dkim_domains.map and dkim_selectors.map. They define which dkim selector to use for a given domain and where the keyfile is located. So for the example.com domain that would be:
autodkim_selectors.map:
Code:
example.com s1
autodkim_domains.map:
Code:
example.com /var/lib/amavis/dkim/example.com.key
The rspamd configuration I provided in my earlier post shows how to configure rspamd to use multiple map files for dkim signing, so ISPConfig does not overwrite changes when you put them in dkim_domains.map/dkim_selectors.map. For each domain you add to these custom autodkim_* files you need to generate a key pair beforehand, which you place into /var/lib/amavis/dkim, and add the public key as a dkim record to the DNS zone of example.com. Sorry, I'm writing this on my phone, so it might be a bit messy. Hope that clears things up!
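A pre-flight check for the two custom map files described in the post above, added here as an example and not part of the thread or of ISPConfig or rspamd: it reads the `domain selector` and `domain keyfile` formats shown, flags domains that are missing from either map or whose key file is absent or accessible to other users, and returns the DNS name where each public key has to be published. The function names and the sample data are assumptions made for the example.

```python
import os
import tempfile


def read_map(path):
    """Parse a 'key value' map file, ignoring blank lines and # comments."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            parts = raw.split("#", 1)[0].split(None, 1)
            if len(parts) == 2:
                entries[parts[0].lower()] = parts[1].strip()
    return entries


def audit(selectors_map, domains_map):
    """Cross-check both maps; return (DNS record names, list of problems)."""
    selectors, keys = read_map(selectors_map), read_map(domains_map)
    dns_names, problems = {}, []
    for domain in sorted(set(selectors) | set(keys)):
        if domain not in selectors or domain not in keys:
            problems.append(f"{domain}: not present in both maps")
            continue
        if not os.path.isfile(keys[domain]):
            problems.append(f"{domain}: key file missing: {keys[domain]}")
            continue
        if os.stat(keys[domain]).st_mode & 0o007:
            problems.append(f"{domain}: private key accessible to 'other'")
        # The public key belongs in a TXT record at <selector>._domainkey.<domain>.
        dns_names[domain] = f"{selectors[domain]}._domainkey.{domain}"
    return dns_names, problems


def demo():
    """Constructed sample: example.com is complete, example.org has no key path."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "example.com.key")
        sel = os.path.join(tmp, "autodkim_selectors.map")
        dom = os.path.join(tmp, "autodkim_domains.map")
        for path, text in ((key, "placeholder, not a real key\n"),
                           (sel, "example.com s1\nexample.org s1\n"),
                           (dom, f"example.com {key}\n")):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        os.chmod(key, 0o640)
        return audit(sel, dom)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real server, call `audit()` with the paths of the autodkim_* files from the configuration above; the key file also has to stay readable by the account rspamd runs under.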
@pyte Don't worry about possibly messed-up text. You are answering at light speed *g* I will perform some tests and come back on this issue ASAP. Thanks again for all your time.
OK, for all running into the same issue: the file "/etc/rspamd/modules.d/dkim_signing.conf" helped to point me in the right direction. There are two options I changed:
allow_hdrfrom_mismatch = true;
sign_authenticated = true;
but I assume that "sign_authenticated" did the trick. Because the local mail server is authenticating itself via a mail user account, all mails were not signed by default:
# If false, messages from authenticated users are not selected for signing