1 (edited by hws 2019-02-02 19:16:28)

Topic: Mails not DKIM signed from authenticated clients

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Download
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

We use iRedMail with MariaDB, and suddenly mails are no longer DKIM signed when sent by SASL-authenticated clients through our mail server. Mails are signed when sent from the local webmail client (Roundcube). We use amavisd-new version 2.11.1 (the most recent version).

I already activated and checked with amavisd debug and those are the results when sent from non-local authenticated clients:

Feb  1 18:17:30 hello amavis[12477]: loaded policy bank "ORIGINATING"
Feb  1 18:17:31 hello amavis[12477]: (12477-01) dkim: not signing mail which is not originating from our site

This is the originating block at our amavis.conf:

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1,         # declare that mail was submitted by our smtp client
    allow_disclaimers => 1,   # enables disclaimer insertion if available
    enable_dkim_signing => 1,

    # notify administrator of locally originating spam
    spam_admin_maps  => ["root\@$mydomain"],
    # notify administrator of locally originating malware
    virus_admin_maps => ["root\@$mydomain"],
    bad_header_admin_maps => ["root\@$mydomain"],
    banned_admin_maps => ["root\@$mydomain"],
    warnbadhsender   => 0,
    warnbannedsender => 0,

    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option

    # Bypass checks
    #bypass_spam_checks_maps => [1],    # don't check spam
    #bypass_virus_checks_maps => [1],   # don't check virus
    #bypass_banned_checks_maps => [1],  # don't check banned file names and types
    #bypass_header_checks_maps => [1],  # don't check bad header
};

As said, when I send via Roundcubemail installed on the mail server it works without problems, using the same sender and recipient addresses:

Feb  1 19:19:00 hello amavis[9265]: loaded policy bank "ORIGINATING"
Feb  1 19:19:00 hello amavis[9265]: (09265-01) dkim: candidate originators: From:<xxx@xxx.com>
Feb  1 19:19:00 hello amavis[9265]: (09265-01) lookup [dkim_signature_options_bysender], 2 matches for "xxx@xxx.com", results: "xxx.com"=>{a=>"rsa-sha256",ttl=>"864000",d=>"xxx.com"}, "."=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"2592000"}
Feb  1 19:19:00 hello amavis[9265]: (09265-01) dkim: signature options for xxx@xxx.com(From): c=relaxed/simple; a=rsa-sha256; ttl=864000; d=xxx.com
Feb  1 19:19:00 hello amavis[9265]: (09265-01) dkim: signing (author), From: <xxx@xxx.com> (From:<xxx@xxx.com>), KEY.key_ind=>9, a=>rsa-sha256, c=>relaxed/simple, d=>xxx.com, s=>dkim, ttl=>864000, x=>1549912740

I am running out of ideas. Why is mail handled differently by amavisd when using the same policy bank? Is this (again) a bug in amavisd? What can I do to have my outgoing mails from clients DKIM signed?

Thanks for help!


2

Re: Mails not DKIM signed from authenticated clients

Further troubleshooting leads to this:

When I explicitly add the IP address of an external client to the @mynetworks variable in amavisd, the MYNETS policy is also used for this client, resulting in correctly DKIM-signed mails.

This is the MYNETS policy bank of amavisd.conf:

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
    originating => 1,  # is true in MYNETS by default, but let's make it explicit
    os_fingerprint_method => undef,  # don't query p0f for internal clients
    allow_disclaimers => 1, # enables disclaimer insertion if available
    enable_dkim_signing => 1,
};

If the MYNETS policy is used, the mails get signed correctly. If the ORIGINATING block is used, mails are not signed, with the message "dkim: not signing mail which is not originating from our site".

The settings of both blocks seem to be correct. I cannot add all possible client addresses to @mynetworks.

What can I do to get my client's mails signed?
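The two posts above compare amavisd debug output for the failing case (ORIGINATING bank loaded, "not signing") and the working cases (signed under ORIGINATING from webmail, signed under MYNETS once the client IP is in @mynetworks). The following script is an added example, not code from the thread, iRedMail or amavisd: it groups such debug lines into per-message records and flags the exact contradiction seen here, a bank that sets originating=>1 being loaded while amavisd still refuses to sign. The log lines are constructed, modelled on the ones quoted above; the regexes assume the standard syslog prefix and amavisd's debug wording.

```python
import re

# Constructed sample lines, modelled on the amavisd debug output quoted in this thread:
# one message that arrived via the ORIGINATING bank but was not signed, one signed
# under ORIGINATING (the webmail case), and one signed under MYNETS.
SAMPLE_LOG = """\
Feb  1 18:17:30 hello amavis[12477]: loaded policy bank "ORIGINATING"
Feb  1 18:17:31 hello amavis[12477]: (12477-01) dkim: not signing mail which is not originating from our site
Feb  1 19:19:00 hello amavis[9265]: loaded policy bank "ORIGINATING"
Feb  1 19:19:00 hello amavis[9265]: (09265-01) dkim: candidate originators: From:<xxx@xxx.com>
Feb  1 19:19:00 hello amavis[9265]: (09265-01) dkim: signing (author), From: <xxx@xxx.com> (From:<xxx@xxx.com>), KEY.key_ind=>9, a=>rsa-sha256, c=>relaxed/simple, d=>xxx.com, s=>dkim, ttl=>864000, x=>1549912740
Feb  1 19:25:10 hello amavis[9301]: loaded policy bank "MYNETS"
Feb  1 19:25:10 hello amavis[9301]: (09301-01) dkim: signing (author), From: <xxx@xxx.com> (From:<xxx@xxx.com>), KEY.key_ind=>9, a=>rsa-sha256, c=>relaxed/simple, d=>xxx.com, s=>dkim, ttl=>864000, x=>1549913110
"""

# syslog prefix: timestamp, host, "amavis[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ amavis\[(?P<pid>\d+)\]: (?P<msg>.*)$")
BANK_RE = re.compile(r'loaded policy bank "(?P<bank>[^"]+)"')
TASK_RE = re.compile(r"^\((?P<task>[\d-]+)\) (?P<rest>.*)$")
# "d=>" and "s=>" are the signing domain and selector; \b keeps "key_ind=>9" from matching
SIGN_RE = re.compile(r"dkim: signing \(\w+\), From: <(?P<sender>[^>]+)>.*\bd=>(?P<domain>[^,]+), s=>(?P<selector>[^,]+)")


def analyze(log_text):
    """Group amavisd debug lines into per-message records keyed by task id."""
    pending_banks = {}   # pid -> banks loaded since that child last started a task
    tasks = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        bank = BANK_RE.search(msg)
        if bank:
            # In the quoted logs the bank line carries no task id, so it is attributed
            # to the next task handled by the same amavisd child (pid). If a task id
            # is present and already known, attach it directly.
            t = TASK_RE.match(msg)
            if t and t.group("task") in tasks:
                tasks[t.group("task")]["banks"].append(bank.group("bank"))
            else:
                pending_banks.setdefault(pid, []).append(bank.group("bank"))
            continue
        t = TASK_RE.match(msg)
        if not t:
            continue
        task, rest = t.group("task"), t.group("rest")
        rec = tasks.get(task)
        if rec is None:
            rec = tasks[task] = {"pid": pid, "banks": pending_banks.pop(pid, []),
                                 "dkim": "unknown", "reason": None,
                                 "domain": None, "selector": None}
        if "dkim: not signing" in rest:
            rec["dkim"] = "not_signed"
            rec["reason"] = rest.split("dkim: ", 1)[1]
        s = SIGN_RE.search(rest)
        if s:
            rec["dkim"] = "signed"
            rec["domain"] = s.group("domain")
            rec["selector"] = s.group("selector")
    return tasks


def flag_anomalies(tasks):
    """Task ids where a bank that sets originating=>1 loaded but amavisd still refused to sign."""
    return sorted(t for t, r in tasks.items()
                  if r["dkim"] == "not_signed" and {"ORIGINATING", "MYNETS"} & set(r["banks"]))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for task, rec in results.items():
        detail = rec["reason"] or f"d={rec['domain']} s={rec['selector']}"
        print(task, rec["banks"], rec["dkim"], detail)
    print("anomalies:", flag_anomalies(results))
```

Run it over a full amavisd debug log (with both a failing and a working test message, as requested later in the thread) and the anomaly list gives the task ids to look at; the per-task "banks" list also makes visible whether more than one bank was loaded for a connection, which is the first thing to compare between the failing and working cases.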

3

Re: Mails not DKIM signed from authenticated clients

- Did you send email through port 587 with SMTP authentication?
- Does transport "submission" in /etc/postfix/master.cf have option "content_filter="?

4

Re: Mails not DKIM signed from authenticated clients

ZhangHuangbin wrote:

- Did you send email through port 587 with SMTP authentication?
- Does transport "submission" in /etc/postfix/master.cf have option "content_filter="?

Yes, only port 587 is allowed for clients.

Yes:

-o content_filter=smtp-amavis:[127.0.0.1]:10026
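The two checks asked for above (submission on port 587 with SMTP auth, and a content_filter on the submission transport) together with the $interface_policy line from the first post form one chain: master.cf submission -> content_filter port -> $interface_policy{port} -> policy bank with originating and enable_dkim_signing set. The script below is an added example, not code from iRedMail, Postfix or amavisd; it parses a constructed master.cf stanza and a constructed amavisd.conf fragment (both modelled on what is quoted in this thread) and walks that chain, reporting any link that is missing. It assumes master.cf's standard layout (service line followed by indented "-o key=value" lines) and that the amavisd.conf values contain no "#" inside quotes.

```python
import re

# Constructed sample, modelled on the iRedMail submission stanza quoted in this thread
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
smtp-amavis unix -      -       n       -       4       smtp
  -o smtp_data_done_timeout=1200
"""

# Constructed sample, modelled on the ORIGINATING block quoted in the first post
SAMPLE_AMAVISD_CONF = """\
$interface_policy{'10024'} = 'MYUSERS';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1,         # declare that mail was submitted by our smtp client
    allow_disclaimers => 1,
    enable_dkim_signing => 1,
};
"""

INTERFACE_RE = re.compile(r"\$interface_policy\{'(?P<port>\d+)'\}\s*=\s*'(?P<bank>[^']+)'")
BANK_START_RE = re.compile(r"\$policy_bank\{'(?P<bank>[^']+)'\}\s*=\s*\{")
OPTION_RE = re.compile(r"\s*(\w+)\s*=>\s*([^,]+),?")


def parse_master_cf(text):
    """Return {service: {"type", "command", "options": {key: value}}} for a master.cf."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # indented continuation line: "-o key=value" belongs to the current service
            if current is not None and raw.strip().startswith("-o "):
                key, _, value = raw.strip()[3:].partition("=")
                services[current]["options"][key] = value
            continue
        fields = raw.split()
        current = fields[0]
        services[current] = {"type": fields[1],
                             "command": fields[7] if len(fields) > 7 else None,
                             "options": {}}
    return services


def content_filter_port(services, service="submission"):
    """TCP port in the service's content_filter, e.g. smtp-amavis:[127.0.0.1]:10026 -> '10026'."""
    cf = services.get(service, {}).get("options", {}).get("content_filter")
    m = re.search(r":(\d+)$", cf) if cf else None
    return m.group(1) if m else None


def parse_amavisd_conf(text):
    """Extract $interface_policy{port} and the scalar options of each $policy_bank."""
    interface, banks, current = {}, {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # assumes no '#' inside quoted values
        m = INTERFACE_RE.search(line)
        if m:
            interface[m.group("port")] = m.group("bank")
            continue
        m = BANK_START_RE.search(line)
        if m:
            current = m.group("bank")
            banks[current] = {}
            continue
        if current is not None:
            if line.strip().startswith("};"):
                current = None
                continue
            m = OPTION_RE.match(line)
            if m:
                banks[current][m.group(1)] = m.group(2).strip()
    return interface, banks


def check_submission_signing(master_cf_text, amavisd_text):
    """Walk submission -> content_filter port -> interface policy -> bank; return findings."""
    port = content_filter_port(parse_master_cf(master_cf_text))
    if port is None:
        return ["submission has no content_filter: mail bypasses amavisd entirely"]
    interface, banks = parse_amavisd_conf(amavisd_text)
    bank = interface.get(port)
    if bank is None:
        return [f"no $interface_policy entry for port {port}"]
    findings = []
    for key in ("originating", "enable_dkim_signing"):
        if banks.get(bank, {}).get(key) != "1":
            findings.append(f"policy bank {bank}: {key} is not 1")
    return findings


if __name__ == "__main__":
    print(check_submission_signing(SAMPLE_MASTER_CF, SAMPLE_AMAVISD_CONF) or "chain is consistent")
```

An empty findings list only says the static chain is consistent, which is the situation in this thread; the remaining difference then has to come from what amavisd decides at runtime (for example which banks it actually loads for the connection), which is what the debug logs requested in the next post show.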

5

Re: Mails not DKIM signed from authenticated clients

Please turn on debug mode in Amavisd, send one testing email for both cases (failed DKIM + working DKIM), and copy the Postfix + Amavisd logs here. We need the logs for troubleshooting.