Hi, we've set up ISPConfig as an SMTP relay server running on a Hetzner root server. A while ago, we were working on our e-mail "reputation" and configured SPF, DKIM and DMARC via the ISPConfig UI. I am a bit confused about how to set up DKIM and DMARC for the relayed e-mails. When checking the setup using e.g. mail-tester.com or similar, these checks always report a wrong setup for relayed e-mails. Using the same checks when sending e-mails via Roundcube from the root server, everything works as expected and no misbehavior is indicated.
I think this depends on the setup. In rspamd you have a few options for which mails should be DKIM signed. These options are as follows:
Code:
# If false, messages from authenticated users are not selected for signing
sign_authenticated = true;
# If false, messages from local networks are not selected for signing
sign_local = true;
# Map file of IP addresses/subnets to consider for signing
sign_networks = "/some/file"; # or url
I don't know the default settings for ISPConfig off the top of my head. If you are using the relay without authentication (e.g. IP in mynetworks) then you need to add a map for "sign_networks" as well and add the IP of the sending server to sign those mails with DKIM.
Hmm, DKIM setup is part of ISPConfig and I am not really sure if rspamd has to be involved. The IP address of the sending server is dynamically assigned, so there's no static mapping possible.
Rspamd is the software that signs your emails with DKIM. If it's not installed or configured, you will not have DKIM-signed emails.
Rspamd is installed and working. The e-mails are DKIM-signed, but as mentioned before, mails from the external sending server, which are relayed, are not signed the right way. If I send mails from the ISPConfig host via e.g. Roundcube, everything is fine.
Now I tried to apply these settings, but I am not really sure what the right file is. This one I changed to true: local.d/arc.conf:sign_authenticated = false; As per my understanding, the local e-mail signing works fine. Checked with the new option against https://unspam.email, no luck.
Best is to check email source in your email client to see if they are signed instead of using any kind of external service. Do you use smtp authentication for the connection that you use to relay emails?
Yes, I am using SMTP auth for relaying. From my personal POV, it must have something to do with the "from" address, which is changed to the domain of the sending server when relaying, but I have no idea how to fix this (if it's the problem).
If the from address does not match, then the emails are not signed. You can try to set these options in Rspamd to enforce signing: allow_envfrom_empty = true; allow_hdrfrom_mismatch = true; But I am not sure if other servers will accept the emails as signed then. But you can try it.
Hmm, gave it a try, but now, DKIM is not provided anymore in mails sent. Strange behavior. Any ideas?
You can enable debug output for the DKIM signing module to debug issues. It can be configured in logging.inc.
Hmmm, from the logs (snippet):
arc; lua_dkim_tools.lua:454: user domain mismatch
Adding allow_username_mismatch = true; to local.d/dkim_signing.conf seems to do the trick. Agreed?
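An added example, not part of any post above: a small Python check that follows the advice to read the message source directly. It lists each DKIM-Signature in a raw message and compares its d= domain with the From: domain, which is the mismatch discussed in this thread. The sample message and all domains are constructed, and alignment is approximated with a subdomain test instead of a Public Suffix List lookup.

```python
import email
from email.utils import parseaddr

# Constructed sample: a relayed message signed for the relay's domain while
# the visible From: belongs to another domain (all names are placeholders).
SAMPLE = """\
Return-Path: <app@sender.example.net>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=relay.example.org;
 s=default; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: App <app@sender.example.net>
To: someone@example.com
Subject: test

body
"""

def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or ''."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def aligned(sign_domain, from_domain):
    """Approximate relaxed alignment: equal, or one is a subdomain of the other."""
    a, b = sign_domain.lower(), from_domain.lower()
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_message(raw):
    """Report each DKIM signature in a raw message and whether d= aligns with From:."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        t = dkim_tags(value)
        sigs.append({"d": t.get("d", ""), "s": t.get("s", ""),
                     "aligned": aligned(t.get("d", ""), from_dom)})
    return {"from_domain": from_dom, "signed": bool(sigs), "signatures": sigs}

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

A message can carry a signature and still fail DMARC when no signature's d= aligns with the From: domain, so the "aligned" field is the one to watch after enabling the mismatch options.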