[SOLVED] rspamd not signing Email Alias with DKIM

Discussion in 'General' started by egaldoch, Mar 29, 2021.

  1. egaldoch

    egaldoch New Member


    I am struggling with the the problem that rspamd is not signing alias mails, I have a main mailbox called [email protected],tld and for this account an alias mail named [email protected],tld (Allow target to send mail using this alias as origin - enabled),
    DKIM signing is working fine for the main mail itself, If I write a mail with my email client from [email protected],tld, but with the same mailbox account, the mail gets sent but not signed with DKIM,
    If I create a separate mailbox on seconddomain,tld, DKIM signing is working properly,

    The correct private and public keys are created for the domains itself,
    └──╼ # ls -la
    total 64
    drwxr-x--- 2 _rspamd _rspamd 4096 Mar 29 13:45 .
    drwxr-x--- 3 _rspamd _rspamd 4096 May 27  2020 ..
    -rw-r--r-- 1 root    root    1702 Mar 29 13:16 [email protected],tld,private
    -rw-r--r-- 1 root    root     451 Mar 29 13:16 [email protected],tld,public
    -rw-r--r-- 1 root    root    1706 Mar 29 13:16 [email protected],tld,private
    -rw-r--r-- 1 root    root     451 Mar 29 13:16 [email protected],tld,public
    cat dkim_domains,map
    domain,tld /var/lib/amavis/dkim/domain,tld,private
    seconddomain,tld /var/lib/amavis/dkim/seconddomain,tld,private
    cat dkim_selectors,map
    domain,tld default
    seconddomain,tld default
    On my rspamd dashboard the error "no actions in settings: ispc_mail_forwarding_14" is shown,
    Does someone have an idea why my alias mails are not signed?
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Have you enabled dkim in "mail domains" for the domain "aliasdomain.tld"?
  3. egaldoch

    egaldoch New Member

    Yes I have enabled dkim on both domains. I also tried to disable and then reenable it again.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What you describe is the default rspamd behavior:
    • If envelope from address is not empty, the effective second level domain must match the MIME header From
    • If authenticated user is present, this should be suffixed with @domain where domain is what’s seen in the envelope/header From address
    Try setting `allow_hdrfrom_mismatch = true;` and `allow_username_mismatch = true;' in /etc/rspamd/local.d/dkim_signing.conf (and you'll have to use a conf-custom template to make that change survive ISPConfig updates).

    @Croydon: I would propose we set these two automatically if reject_sender_login_mismatch is true. (Without rslm enabled I'd leave them false to avoid one customer sending spoofed mail that is also dkim signed.)
  5. egaldoch

    egaldoch New Member

    Thank you Jesse, that solved the issue for me!
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  7. egaldoch

    egaldoch New Member

    Unfortunately the issue reappeared after I updated to ISPConfig 3.2.5, although I still have the config changes in place.
    Any ideas?
    Thanks in advance!

    Fixed the issue by checking, which I have activated before but got somehow disabled:
    System-->Server Config-->Mail--> Reject sender and login mismatch
    Last edited: Jun 13, 2021

Share This Page