DKIM and Exchange Servers

Discussion in 'General' started by pyte, Feb 20, 2023.

  1. pyte

    pyte Well-Known Member HowtoForge Supporter

    Hi,
    I have a few Exchange servers that receive mails from my ISPConfig systems by transport. These Exchange servers use ISPConfig as a mail relay to send mail. As the domains I transport for are not known by ISPConfig as mail domains, I can't simply activate DKIM for them.

    Is there a clever solution for this, or do i have to manually maintain a list of the domains and tinker with rspamd to make this work?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Try adding the domains under Spamfilter > user/domain in ISPConfig in the same way a rule for a mail domain gets added (it's with @domain.tld, if I remember correctly). At least for amavis this worked, and for Rspamd it might work as well.
     
  3. pyte

    pyte Well-Known Member HowtoForge Supporter

    I am a bit confused. How should this help the case of signing messages with DKIM?

    I thought it might be an idea to add the DKIM form from "Add E-Mail Domain" to "Add E-Mail Relay Domain", generate a key and DNS record, and add the config to /etc/rspamd/local.d/dkim_domains.map
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, you're right. It works for the other parts of the spam filter, but as the DKIM key is bound to the mail domain, this cannot help there. You will have to set this up manually in Rspamd then.
     
  5. pyte

    pyte Well-Known Member HowtoForge Supporter

    Any thoughts about adding the create DKIM function, as it is implemented in "New Mail domain", to the "Add new relay domain"?
    I'm willing to make it work and create a MR if it is a sensible idea.

    //EDIT: just realized this will be loads of work, but I'll try it at least :)
     
    ahrasis likes this.
  6. remkoh

    remkoh Active Member

    Why not sign emails directly on the exchange server, before relaying?
    I've been using Exchange DKIM Signer for some time now on several Exchange servers which also relay to another host before emails are sent over the internet.
    https://github.com/Pro/dkim-exchange
    It works perfectly. I've never had any problems and mail-tester.com returns 10/10.
    Since one of the last updates you don't even have to reinstall it after installing a CU anymore.
     
  7. pyte

    pyte Well-Known Member HowtoForge Supporter

    I am aware of dkim-exchange, but wanted to keep the parts together and not separate them. We're talking 6-7 Exchange servers with hundreds of domains and thousands of users.
     
    remkoh likes this.
  8. muekno

    muekno Active Member HowtoForge Supporter

    @pyte having the same problem. ISPConfig does DKIM excellently for local mail domains, and since the last update it is easy to install. But if it works as a mail relay, which it does excellently too, you're out of DKIM signing. I found a way it might work but have no server to test it, so I will not try it as it might break my running production system with customer mail on it.
    I sent my solution to Till and am waiting for a comment on whether the way may work. If it does, it's not too much work to implement.
    I cannot do DKIM on the mail source as it does not support DKIM, and at least DKIM is part of DNS too, so the DKIM records (public key) have to be on the DNS server and the private key on the corresponding mail system.
     
  9. pyte

    pyte Well-Known Member HowtoForge Supporter

    Is it a solution implemented in ISPConfig?

    I've made it possible with a script. I check every transport domain; if the NS has the zone for that domain, I generate the keys and put them in the correct folder, edit the rspamd config and create the DNS record.
     
    ahrasis likes this.
  10. muekno

    muekno Active Member HowtoForge Supporter

    @pyte exactly, that's the way I thought:
    generate the keys and store both keys under /var/lib/amavis/dkim/domain.public respective .private
    and add an entry in /etc/rspamd/local.d/dkim_selectors.map "domain default"
    generate the DKIM record manually, and DMARC is only DNS relevant
    just did test it, as I wrote it would not harm my production system
    a script may be fine if you have more domains, for me there are 3 at this time
    Did you test it in production?
    The other thing I am not sure about: ISPConfig stores everything in its database, so manually adding things will not be reproduced in the database. So what about updates etc., will the changes be permanent? The DKIM and DMARC records are DNS based and will be in the database; the clue will be the private key and the domain information stored under the amavis and rspamd directories.

    On the other side it is very popular to have a postfix on the public IP address the MX points to, relaying mails from and to the inner Exchange or whatever other mail system. So DKIM and DMARC should be done on that server, while there is normally no public access to the inner network with private IPv4 addresses, neither mail server nor DNS.
     
    Last edited: Mar 4, 2023
    ahrasis likes this.
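    The procedure pyte's script follows (post 9) and the manual steps muekno lists above (key pair per relay domain, private key next to a .public file, a "domain selector" line in /etc/rspamd/local.d/dkim_selectors.map, a DKIM TXT record built from the public key) fit in a short POSIX shell script. The one below is an added example written for this thread, not code from ISPConfig, rspamd or either poster; it assumes openssl is installed, that rspamd's dkim_signing path template points at the key directory you pass (the thread uses /var/lib/amavis/dkim), and it only prints the DNS record for you to create instead of calling the ISPConfig API as pyte's script does.

```shell
#!/bin/sh
# dkim_relay_domain.sh - constructed example for signing relay/transport
# domains with rspamd. Usage: dkim_relay_domain.sh DOMAIN [SELECTOR] [KEYDIR] [MAPFILE]
set -eu

# Generate a 2048-bit RSA key pair for DOMAIN unless one already exists.
# Private key -> KEYDIR/DOMAIN.private (mode 0600), public key -> KEYDIR/DOMAIN.public
dkim_gen_keys() {
  domain="$1"; keydir="$2"
  mkdir -p "$keydir"
  if [ ! -f "$keydir/$domain.private" ]; then
    # subshell so the restrictive umask does not leak into the rest of the script
    (umask 077; openssl genrsa -out "$keydir/$domain.private" 2048 2>/dev/null)
    openssl rsa -in "$keydir/$domain.private" -pubout \
      -out "$keydir/$domain.public" 2>/dev/null
  fi
}

# Build the raw DKIM TXT value from a PEM public key: strip the PEM armour
# and line breaks, leaving the base64 SubjectPublicKeyInfo as the p= tag.
dkim_txt_record() {
  b64=$(grep -v '^-----' "$1" | tr -d '\n')
  printf 'v=DKIM1; k=rsa; p=%s' "$b64"
}

# Same value split into quoted 255-character strings, which is how a zone
# file needs it because a single TXT character-string is limited to 255 bytes.
dkim_txt_record_quoted() {
  dkim_txt_record "$1" | fold -w 255 | sed 's/.*/"&"/' | tr '\n' ' ' | sed 's/ $//'
}

# Append "domain selector" to dkim_selectors.map if the domain is not listed yet
# (exact match on the first field, so foo.example does not shadow afoo.example).
dkim_add_selector() {
  domain="$1"; selector="$2"; mapfile="$3"
  touch "$mapfile"
  if ! awk -v d="$domain" '$1 == d { found = 1 } END { exit !found }' "$mapfile"; then
    printf '%s %s\n' "$domain" "$selector" >> "$mapfile"
  fi
}

# Whole procedure for one relay domain; prints the DNS record to create.
dkim_setup_relay_domain() {
  domain="$1"
  selector="${2:-default}"
  keydir="${3:-/var/lib/amavis/dkim}"
  mapfile="${4:-/etc/rspamd/local.d/dkim_selectors.map}"
  dkim_gen_keys "$domain" "$keydir"
  dkim_add_selector "$domain" "$selector" "$mapfile"
  printf '%s._domainkey.%s. IN TXT %s\n' "$selector" "$domain" \
    "$(dkim_txt_record_quoted "$keydir/$domain.public")"
}

# Run for the domain given on the command line; do nothing when sourced without arguments.
if [ "$#" -ge 1 ]; then
  dkim_setup_relay_domain "$@"
fi
```

After running it for a domain, reload rspamd so it re-reads the selector map, and publish the printed TXT record before enabling signing for that domain; muekno's point about the database still applies, since only the DNS side is recorded by ISPConfig and the key files live outside it.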
  11. pyte

    pyte Well-Known Member HowtoForge Supporter

    Kinda. I don't see an issue here, as the script uses the ISPConfig API to create the DNS record, so it is stored in the database. ISPConfig will not overwrite the key files while updating, and I don't think it's gonna regenerate the rspamd config files for DKIM with an update.
     