1

Topic: signing DKIM in the queue

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Deployed with iRedMail Easy or the downloadable installer? Download
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mariadb
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello Zhang,

For sending bulk emails, I use a PHP script (link to PHP class: https://www.phpclasses.org/package/9-PH … nformation ); this script pushes emails directly to the Postfix queue and it works great. I wanted to additionally secure my domains and set up a DMARC policy in DNS; now I get reports that my e-mails (sent by the script) do not pass the DKIM check.
How can I make DKIM appear in every email, not only in those sent via the normal route (via port 587)?

Best regards,
Pawel


2

Re: signing DKIM in the queue

If an email was sent by a client with SMTP authentication, it will be DKIM signed. So the question is: how does your PHP script send out email? Does it use the PHP "mail()" function or the "sendmail" command (both without SMTP auth)?

3

Re: signing DKIM in the queue

Mails are pushed into the queue via the command line.
It writes directly to the queue with the sendmail function and PHP "fputs" through a pipe.
As you can see, without any authorization.
This is probably the fastest way of shipping.

var $sendmail_path="/usr/lib/sendmail";
var $sendmail_arguments="";
Function SendMail($to, $subject, $body, $headers, $return_path)
    {
        $command=$this->sendmail_path." -t -i";
        switch($this->bulk_mail ? $this->bulk_mail_delivery_mode : $this->delivery_mode)
        {
            case SENDMAIL_DELIVERY_DEFAULT:
            case SENDMAIL_DELIVERY_INTERACTIVE:
            case SENDMAIL_DELIVERY_BACKGROUND:
            case SENDMAIL_DELIVERY_QUEUE:
            case SENDMAIL_DELIVERY_DEFERRED:
                break;
            default:
                return($this->OutputError("it was specified an unknown sendmail delivery mode"));
        }
        if($this->delivery_mode!=SENDMAIL_DELIVERY_DEFAULT)
            $command.=" -od".$this->delivery_mode;
        if(strlen($return_path))
            $command.=" -f '".preg_replace("/'/", "'\\''",$return_path)."'";
        if(strlen($this->sendmail_arguments))
            $command.=" ".$this->sendmail_arguments;
        if(!($pipe=@popen($command,"w")))
            return($this->OutputPHPError("it was not possible to open sendmail input pipe", $php_errormsg));
        if(strlen($headers))
            $headers.="\n";
        if(!@fputs($pipe,"To: ".$to."\nSubject: ".$subject."\n".$headers."\n")
        || !@fputs($pipe,$body)
        || !@fflush($pipe))
            return($this->OutputPHPError("it was not possible to write sendmail input pipe", $php_errormsg));
        pclose($pipe);
        return("");
    }

Best regards,
Pawel

4

Re: signing DKIM in the queue

Try this:

- Open the file /etc/postfix/master.cf and find the line below:

pickup ...

- Append one line RIGHT AFTER the 'pickup' line:

  -o content_filter=smtp-amavis:[127.0.0.1]:10026

It will send emails pushed by your PHP program (AND all emails generated in similar ways without SMTP auth) to the Amavisd program through port 10026. That port is configured with the (amavisd) policy 'ORIGINATING', so it will sign DKIM AND perform spam/virus scanning for emails.

If you want to avoid spam/virus scanning and keep only DKIM signing, check the policy 'MLMMJ' in the Amavisd config file (/etc/amavis/conf.d/50-user); it uses port 10027 and has DKIM signing enabled but spam/virus scanning disabled. Although you can use it directly, it's used by the mlmmj mailing list by default, so I suggest keeping them separated and creating a new policy by copying its settings but listening on another new network port.
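
One way to confirm the change described in the post above is in place, as an added example that is not part of the original thread: a small master.cf parser that reports the content_filter override on the pickup service, honouring continuation and comment lines. The sample file contents and the function names are constructed for illustration; only the filter value comes from the thread.

```python
# Added example: audit master.cf for the pickup content_filter override.
# SAMPLE_MASTER_CF is a constructed file, not the poster's configuration.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n  -  y  -   -  smtpd
pickup     unix  n  -  y  60  1  pickup
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
cleanup    unix  n  -  y  -   0  cleanup
submission inet  n  -  y  -   -  smtpd
  -o syslog_name=postfix/submission
#  -o content_filter=
"""

EXPECTED_FILTER = "smtp-amavis:[127.0.0.1]:10026"  # value given in the thread


def parse_master_cf(text):
    """Map (service, type) -> dict of '-o name=value' overrides."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace():
            if logical:  # leading whitespace continues the previous entry
                logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    services = {}
    for entry in logical:
        fields = entry.split()  # note: does not handle Postfix 3 "{ ... }" grouping
        if len(fields) < 8:
            continue  # not a complete service definition
        args, overrides = fields[8:], {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o" and "=" in setting:
                name, value = setting.split("=", 1)
                overrides[name] = value
        services[(fields[0], fields[1])] = overrides
    return services


def pickup_content_filter(text):
    """Return the content_filter set on the pickup service, or None."""
    return parse_master_cf(text).get(("pickup", "unix"), {}).get("content_filter")


if __name__ == "__main__":
    found = pickup_content_filter(SAMPLE_MASTER_CF)
    print("pickup content_filter:", found)
    print("locally injected mail reaches the signer:", found == EXPECTED_FILTER)
```

A result of None means mail injected through the sendmail command bypasses Amavisd and leaves unsigned, which is the condition the DMARC reports in the first post describe.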

5

Re: signing DKIM in the queue

Super, thank you :) - I will check how it works and let you know.

I do not have "MLMMJ" in the configuration file, but this is not a problem; I know where to change and what to check.

Best regards,
Pawel

6

Re: signing DKIM in the queue

Hello Zhang,

Everything works as it should. :)
Thank you for your support.

Best regards,
Pawel