8

I have postfix, dovecot, opendkim and postsrsd installed. I am trying to forward mail from alias@example.com to myemail@gmail.com, and have them signed with DKIM.

I use postsrsd in order for the SPF record to pass for the forwarded emails.

However, when I send an email from my icloud account to alias@example.com, the message is delivered to my gmail inbox, but it is not being signed by DKIM.

Here is the output of my log:

postfix/smtpd:      connect from st11p01im-asmtp001.me.com[17.172.204.151]
postfix/smtpd:      BC23640B53: client=st11p01im-asmtp001.me.com[17.172.204.151]
postsrsd:           srs_forward: <myicloudemail@icloud.com> rewritten as <SRS0=zgyz=HT=icloud.com=myicloudemail@hostname.myemailserver.com>
postfix/cleanup:    BC23640B53: message-id=<6fd8e885-4be1-4a37-983f-3d6f18f3b73a@me.com>
opendkim:           BC23640B53: st11p01im-asmtp001.me.com [17.172.204.151] not internal
opendkim:           BC23640B53: not authenticated
opendkim:           BC23640B53: no signature data

I have looked at http://seasonofcode.com/posts/setting-up-dkim-and-srs-in-postfix.html and all my configuration files appear to be correct.

From what I have seen online, the "not internal, not authenticated" message means that the domain is not present in /etc/opendkim/TrustedHosts, but the domain being listed in the logs (st11p01im-asmtp001.me.com) is not my domain. I believe me.com belongs to Apple.

Is DKIM signing with an alias address using SRS not possible?

Update:
Having disabled postsrsd in /etc/postfix/main.cf, the problem still persists. Therefore, the issue is not with postsrsd, but with opendkim not signing mail for alias addresses.

I think this is because opendkim looks at the original hostname that sent the mail, which in my case is st11p01im-asmtp001.me.com, and therefore does not sign it because this address is not listed in /etc/opendkim/TrustedHosts.

Is there any way to get opendkim to work with alias addresses?

user2370460

  • You shouldn't sign an email received from an outsider. – masegaloeh Jul 13 '15 at 04:13
  • @masegaloeh Could you please explain why? Sometimes the forwarded mail ends up in the spam folder of the final recipient. I am trying to avoid this. I would have assumed that signing the mail with DKIM would help towards this. – user2370460 Jul 13 '15 at 08:35
  • From a technical perspective, you need to rewrite the `From:` header instead of the envelope sender (as DKIM has no interest in envelope parts). Yes, you can do the rewriting with postsrsd. Unfortunately, by default the rewriting occurs **after** signing, so it's useless. – masegaloeh Jul 13 '15 at 11:08
  • Another argument is that the server responsible for signing an email is the one who sent it. If you forward an email that already has a DKIM signature, then you don't need to re-sign it. – masegaloeh Jul 13 '15 at 11:13

2 Answers

5

For your concept, here is the ideal workflow:

  1. External email is received by Postfix.
  2. OpenDKIM verifies the DKIM signature, if one exists.
  3. Postfix rewrites the From: header so the mail comes from a domain that you control, for example example.com.
  4. OpenDKIM re-signs the rewritten email (and removes the original DKIM signature if one exists).
  5. Postfix delivers it to the alias address.

Unfortunately, Postfix and OpenDKIM don't support DKIM signing right before sending to the final destination. OpenDKIM only supports the milter interface, which only operates when Postfix receives email. Yes, you can have a workaround like a Postfix multi-instance setup, where the first instance does the rewriting and the second one does the signing, but I think it's not worth it in your case.

masegaloeh

  • I solved this problem by using the [postfix advanced filter](http://www.postfix.org/FILTER_README.html#advanced_filter) and adding the opendkim milter on the final phase. – jchook Sep 25 '18 at 22:27
  • Do you have an example of this @jchook? Would be super helpful. – bhundven Jun 16 '20 at 23:22
  • @bhundven example [master.cf](https://pastebin.com/CHSEWKTv) – jchook Jun 17 '20 at 23:34
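
As an added example (written for this edit, not taken from the answer or from jchook's pastebin), this is the shape of the master.cf layout that comment refers to: port 25 hands mail to a filter that rewrites From: to your own domain, and the re-injection listener runs the OpenDKIM milter again, this time with 127.0.0.1 as the client, which is in TrustedHosts, so the message is signed. It assumes OpenDKIM listens on inet:127.0.0.1:8891 in its default Mode sv, that main.cf already names that socket in smtpd_milters, and that the From:-rewriting filter itself (hypothetical, not shown) listens on 127.0.0.1:10025 and sends the result back to 127.0.0.1:10026.

```conf
# /etc/postfix/master.cf fragment (added example; service name "scan",
# ports 10025/10026 and the 8891 milter socket are assumptions)

# 1. Inbound from the Internet. OpenDKIM (inherited from main.cf) sees
#    the external client as "not internal", so in Mode sv it only
#    verifies and never signs here.
smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=scan:[127.0.0.1]:10025

# 2. Hand the message to the filter over SMTP. The filter (not shown)
#    must rewrite From: to a domain OpenDKIM has a key for and then
#    deliver to 127.0.0.1:10026. XFORWARD is deliberately not enabled
#    on this path, so the re-injected message is seen as local.
scan      unix  -       -       n       -       10      smtp
    -o disable_mime_output_conversion=yes
    -o smtp_generic_maps=

# 3. Re-injection listener. Note that "no_milters" is NOT included in
#    receive_override_options: this is the pass where the milter runs a
#    second time, now from 127.0.0.1 (listed in TrustedHosts), and signs.
127.0.0.1:10026 inet  n       -       n       -       10      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_relay_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_milters=inet:127.0.0.1:8891
    -o milter_macro_daemon_name=ORIGINATING
```

OpenDKIM signs only when the (rewritten) From: domain is one it holds a key for (Domain or SigningTable), so without the rewrite in step 2 the re-injected message still passes through unsigned.
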

1


I had the same problem and finally solved it by adding my source mail server's (the other mail-sending server's) IP to the list of internal hosts in the /etc/opendkim.conf file:

InternalHosts           refile:/etc/opendkim/TrustedHosts
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

and here is my /etc/opendkim/TrustedHosts file contents:

# this was localhost, defined previously from tutorials I followed:
127.0.0.1
::1
# here is my workaround, adding the source mail server whose IP was not internal:
11.22.33.44
my:other:server:ipv6::1

Mojtaba Rezaeian

  • What do you mean by your "source mail server"? If you use Postfix as a forwarding server (to accept mail on your own domain and forward it to Gmail), the source mail server is almost always different: it is the mail servers of the people who send you mail. Or do you have another use case? – Lutz Feb 04 '22 at 16:36
  • @Lutz Sorry for my late response. I have multiple servers with different IPs which may send my domain's emails. I wanted to be able to sign all these emails using opendkim, sent from every server I have, not only the one server/IP which has opendkim installed on it. From my point of view, the source mail server is the server/IP on which I am actually creating and sending email. – Mojtaba Rezaeian Apr 26 '22 at 17:49