1 (edited by tms 2021-05-17 22:36:43)

Topic: Mails notifications sent by amavisd-new are not DKIM signed

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.4.0
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Debian Buster
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I am trying to add some notifications in amavisd-new about mails with banned files:

$final_banned_destiny = D_BOUNCE;
$warnbannedrecip  = 1;

I noticed that with the default settings from iRedMail (global DKIM signature disabled, enabled in the "originating" policy banks), there is no DKIM signature on these mails. And because of my DMARC policy, these mails are bounced by the remote server.

If I enable global DKIM signature, the signature is added and mails are not bounced anymore.

The question is: why is the global DKIM signature disabled by default? Is there a risk in enabling it? According to this message, by default only local mails are signed by amavisd-new.

Regards,
Valentin


2

What's the policy bank and DKIM settings in your amavisd config file?

$policy_bank{'MYNETS'} = { ... }
$policy_bank{'ORIGINATING'} = { ... }
@dkim_signature_options_bysender_maps = (...)

3

Hi ZhangHuangbin,

My settings:

@mynetworks = qw( 127.0.0.0/8 [::1] 127.0.0.1 );

$policy_bank{'MYNETS'} = {   # mail originating from @mynetworks
    originating => 1,  # is true in MYNETS by default, but let's make it explicit
    os_fingerprint_method => undef,  # don't query p0f for internal clients
    allow_disclaimers => 1, # enables disclaimer insertion if available
    enable_dkim_signing => 1,
};

$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
    originating => 1,         # declare that mail was submitted by our smtp client
    allow_disclaimers => 1,   # enables disclaimer insertion if available
    enable_dkim_signing => 1,

    # force MTA conversion to 7-bit (e.g. before DKIM signing)
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};

@dkim_signature_options_bysender_maps = ({
    # catch-all (one dkim key for all domains)
    '.' => {d => 'xxxxxxxxx.yyy',
            a => 'rsa-sha256',
            c => 'relaxed/simple',
            ttl => 30*24*3600 },
});

NB: If a local sender sends a banned file to an external recipient, the external recipient will receive a DKIM-signed notification.

4

Amavisd settings seem fine. I'm afraid that we need to turn on debug mode for troubleshooting.
FYI: https://docs.iredmail.org/debug.amavisd.html
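To compare the two cases reported in this thread (a notification without a DKIM signature and one with it), here is an added example that is not part of the original posts and is not iRedMail or amavisd-new code. It checks only the DKIM side of DMARC: whether a raw message carries a DKIM-Signature whose d= domain aligns with the From: domain. It does not verify the signature cryptographically or evaluate SPF; the function names, the sample messages and the example.org / example.net domains are assumptions made for the illustration.

```python
import email
import re
from email.utils import parseaddr

def tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def org_domain(domain):
    # Simplification (assumption): the last two labels. Production DMARC
    # code derives the organizational domain from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_alignment(raw, strict=False):
    """Return (From: domain, list of d= domains, aligned?) for a raw message."""
    msg = email.message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = [tag_list(h).get("d", "").lower()
               for h in msg.get_all("DKIM-Signature", [])]
    if strict:
        match = lambda s: s == from_dom
    else:
        match = lambda s: org_domain(s) == org_domain(from_dom)
    aligned = bool(from_dom) and any(s != "" and match(s) for s in signers)
    return from_dom, signers, aligned

# Constructed samples; example.org / example.net are placeholder domains.
UNSIGNED_NOTIFICATION = (
    "From: Content-filter <postmaster@example.org>\n"
    "To: recipient@example.net\n"
    "Subject: constructed banned-file notification\n"
    "\n"
    "body\n"
)
SIGNED_NOTIFICATION = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org;\n"
    "\ts=dkim; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    + UNSIGNED_NOTIFICATION
)

if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED_NOTIFICATION),
                      ("signed", SIGNED_NOTIFICATION)):
        print(name, dkim_alignment(raw))
```

Passing strict=True models a DMARC record with adkim=s, where a signature from a subdomain of the From: domain no longer counts as aligned.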