Topic: Mails not DKIM signed from authenticated clients
==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9
- Deployed with iRedMail Easy or the downloadable installer? Download
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): NGX
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi,
We use iRedMail with MariaDB, and suddenly mails are no longer DKIM signed when sent by SASL-authenticated clients through our mail server. Mails are signed when sent from the local webmail client (Roundcube). We use amavisd-new version 2.11.1 (the most recent version).
I already enabled amavisd debug logging and checked; these are the results when mail is sent from non-local authenticated clients:
Feb 1 18:17:30 hello amavis[12477]: loaded policy bank "ORIGINATING"
Feb 1 18:17:31 hello amavis[12477]: (12477-01) dkim: not signing mail which is not originating from our site
This is the ORIGINATING block in our amavis.conf:
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1, # declare that mail was submitted by our smtp client
    allow_disclaimers => 1, # enables disclaimer insertion if available
    enable_dkim_signing => 1,
    # notify administrator of locally originating malware
    spam_admin_maps => ["root\@$mydomain"],
    # notify administrator of locally originating malware
    virus_admin_maps => ["root\@$mydomain"],
    spam_admin_maps => ["root\@$mydomain"],
    bad_header_admin_maps => ["root\@$mydomain"],
    banned_admin_maps => ["root\@$mydomain"],
    warnbadhsender => 0,
    warnbannedsender => 0,
    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    terminate_dsn_on_notify_success => 0, # don't remove NOTIFY=SUCCESS option
    # Bypass checks
    #bypass_spam_checks_maps => [1], # don't check spam
    #bypass_virus_checks_maps => [1], # don't check virus
    #bypass_banned_checks_maps => [1], # don't check banned file names and types
    #bypass_header_checks_maps => [1], # don't check bad header
};
As said, when I send via Roundcube webmail installed on the mail server it works without problems, using the same sender and recipient addresses:
Feb 1 19:19:00 hello amavis[9265]: loaded policy bank "ORIGINATING"
Feb 1 19:19:00 hello amavis[9265]: (09265-01) dkim: candidate originators: From:<xxx@xxx.com>
Feb 1 19:19:00 hello amavis[9265]: (09265-01) lookup [dkim_signature_options_bysender], 2 matches for "xxx@xxx.com", results: "xxx.com"=>{a=>"rsa-sha256",ttl=>"864000",d=>"xxx.com"}, "."=>{c=>"relaxed/simple",a=>"rsa-sha256",ttl=>"2592000"}
Feb 1 19:19:00 hello amavis[9265]: (09265-01) dkim: signature options for xxx@xxx.com(From): c=relaxed/simple; a=rsa-sha256; ttl=864000; d=xxx.com
Feb 1 19:19:00 hello amavis[9265]: (09265-01) dkim: signing (author), From: <xxx@xxx.com> (From:<xxx@xxx.com>), KEY.key_ind=>9, a=>rsa-sha256, c=>relaxed/simple, d=>xxx.com, s=>dkim, ttl=>864000, x=>1549912740
I am running out of ideas. Why is mail handled differently by amavisd when using the same policy bank? Is this -again- a bug in amavisd? What can I do to have my outgoing mails from clients DKIM signed?
Thanks for your help!
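A check for the contradiction visible in the two log excerpts above, added here as an example (it is not part of the original post and is not iRedMail or amavisd code): it pairs each amavisd child's "loaded policy bank" line with the DKIM decision that follows and lists the sessions that loaded ORIGINATING but were still left unsigned. The function names and the sample log are constructed; the line formats are assumed to match the debug lines quoted in the post.

```python
import re

# Constructed sample, modelled on the amavisd debug lines quoted in the post.
SAMPLE_LOG = '''\
Feb 1 18:17:30 hello amavis[12477]: loaded policy bank "ORIGINATING"
Feb 1 18:17:31 hello amavis[12477]: (12477-01) dkim: not signing mail which is not originating from our site
Feb 1 19:19:00 hello amavis[9265]: loaded policy bank "ORIGINATING"
Feb 1 19:19:00 hello amavis[9265]: (09265-01) dkim: signing (author), From: <xxx@xxx.com> (From:<xxx@xxx.com>), d=>xxx.com, s=>dkim
'''

# amavis[PID]: optional "(session) " prefix, then the message text
LINE = re.compile(r'amavis\[(?P<pid>\d+)\]: (?:\((?P<sid>[\d-]+)\) )?(?P<msg>.*)')
BANK = re.compile(r'loaded policy bank "([^"]+)"')
DECISIONS = ('dkim: not signing', 'dkim: signing')

def audit_dkim(log_text):
    """Return one record per session for which amavisd logged a DKIM decision."""
    banks, decided = {}, set()   # pid -> banks loaded; pids that already decided
    records = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, sid, msg = m.group('pid', 'sid', 'msg')
        bank = BANK.match(msg)
        if bank:
            if pid in decided:   # assumption: a bank load after a decision is a new connection
                banks[pid] = set()
                decided.discard(pid)
            banks.setdefault(pid, set()).add(bank.group(1))
        elif sid and msg.startswith(DECISIONS):
            records.append({'session': sid,
                            'signed': msg.startswith('dkim: signing'),
                            'banks': sorted(banks.get(pid, ())),
                            'detail': msg[len('dkim: '):]})
            decided.add(pid)
    return records

def mismatches(records):
    """Sessions that loaded ORIGINATING yet were not DKIM signed."""
    return [r['session'] for r in records
            if not r['signed'] and 'ORIGINATING' in r['banks']]

if __name__ == '__main__':
    for rec in audit_dkim(SAMPLE_LOG):
        print(rec['session'], 'signed' if rec['signed'] else 'UNSIGNED', rec['banks'])
    print('ORIGINATING but unsigned:', mismatches(audit_dkim(SAMPLE_LOG)))
```

Run against the real mail log with debug logging enabled, a non-empty mismatch list confirms that the policy bank is being selected while the originating flag is not taking effect for those sessions.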