DKIM not signing with alias addresses - not internal, not authenticated


Solution 1

For your concept, here is the ideal workflow:

  1. External email is received by postfix.
  2. OpenDKIM verifies the DKIM signature, if one exists.
  3. Postfix rewrites the From: header so it comes from a domain that you control, for example example.com.
  4. OpenDKIM re-signs the rewritten email with DKIM (and removes the original DKIM signature, if one exists).
  5. Postfix delivers it to the alias address.

Unfortunately, postfix and OpenDKIM don't support DKIM signing right before sending to the final destination. OpenDKIM only supports the milter interface, which only operates when postfix receives email. Yes, you can use a workaround like postfix multi-instance, so the first instance does the rewriting and the second one does the signing, but I think it's not worth it in your case.

Solution 2

I had the same problem and finally solved it by adding the IP of my source mail server (the other mail-sending server) to the list of internal hosts in the /etc/opendkim.conf file:

InternalHosts           refile:/etc/opendkim/TrustedHosts
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts

and here is my /etc/opendkim/TrustedHosts file contents:

# this was localhost, defined previously from tutorials I followed:
127.0.0.1
::1
# here is my workaround: adding the source mail server whose IP was not internal:
11.22.33.44
my:other:server:ipv6::1
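To make the "not internal" verdict in the question's log concrete, here is an added example (not code from either answer or from OpenDKIM) that models how a peer is matched against an InternalHosts file and applies that model to the log lines posted above. The TrustedHosts contents and the log lines are copied from this page; the matching rules (exact IP, CIDR block, bare hostname, leading-dot domain suffix) are a simplified reading of OpenDKIM's InternalHosts semantics and an assumption of this example, not OpenDKIM's own code. The "my:other:server:ipv6::1" placeholder line is left out because it is not a literal address.

```python
import ipaddress
import re

# Constructed copy of the TrustedHosts file from Solution 2 (placeholder IPv6 line omitted).
TRUSTED_HOSTS = """\
# this was localhost defined previously from tutorials i followed:
127.0.0.1
::1
# here is my workaround adding source mail server which its ip was not internal:
11.22.33.44
"""

# Constructed copy of the postfix/opendkim log lines posted in the question.
SAMPLE_LOG = """\
postfix/smtpd:      connect from st11p01im-asmtp001.me.com[17.172.204.151]
postfix/smtpd:      BC23640B53: client=st11p01im-asmtp001.me.com[17.172.204.151]
opendkim:           BC23640B53: st11p01im-asmtp001.me.com [17.172.204.151] not internal
opendkim:           BC23640B53: not authenticated
opendkim:           BC23640B53: no signature data
"""

NOT_INTERNAL_RE = re.compile(
    r"opendkim:\s+(?P<qid>[0-9A-F]+): (?P<host>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\] not internal")
NO_SIG_RE = re.compile(r"opendkim:\s+(?P<qid>[0-9A-F]+): no signature data")


def parse_trusted_hosts(text):
    """Parse an InternalHosts-style file into (kind, value) entries.

    kind is "net" for an IP address or CIDR block, "domain" for a leading-dot
    suffix such as ".example.com", and "host" for a bare hostname.
    Comments (#) and blank lines are ignored. Simplified model (assumption).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            entries.append(("net", ipaddress.ip_network(line, strict=False)))
        except ValueError:
            kind = "domain" if line.startswith(".") else "host"
            entries.append((kind, line.lower()))
    return entries


def is_internal(hostname, ip, entries):
    """True if the connecting peer matches any InternalHosts entry."""
    addr = ipaddress.ip_address(ip)
    host = hostname.lower()
    for kind, value in entries:
        if kind == "net" and addr in value:      # 'in' is False across IPv4/IPv6
            return True
        if kind == "host" and host == value:
            return True
        if kind == "domain" and host.endswith(value):
            return True
    return False


def unsigned_messages(log_text):
    """Map queue id -> (peer host, peer ip) for messages OpenDKIM left unsigned.

    A message counts when it was logged 'not internal' and then produced
    'no signature data', i.e. it was only verified, never signed.
    """
    peers, no_sig = {}, set()
    for line in log_text.splitlines():
        m = NOT_INTERNAL_RE.search(line)
        if m:
            peers[m["qid"]] = (m["host"], m["ip"])
        m = NO_SIG_RE.search(line)
        if m:
            no_sig.add(m["qid"])
    return {qid: peers[qid] for qid in no_sig if qid in peers}


def explain(log_text, trusted_text):
    """For each unsigned message, report whether the peer would now count as internal."""
    entries = parse_trusted_hosts(trusted_text)
    return {qid: is_internal(host, ip, entries)
            for qid, (host, ip) in unsigned_messages(log_text).items()}


if __name__ == "__main__":
    for qid, internal in explain(SAMPLE_LOG, TRUSTED_HOSTS).items():
        verdict = "peer is internal, would be signed" if internal else "peer not internal, verify-only"
        print(f"{qid}: {verdict}")
```

Running it shows that 17.172.204.151 matches nothing in the file, so the message stays verify-only, while a connection from 11.22.33.44 would be treated as internal and signed. Since the same file is also used as ExternalIgnoreList in Solution 2, every host listed there is fully trusted and skips verification, so this fix only fits servers you operate yourself; for the forwarding case in the question the peer is Apple's server, which, as Lutz's comment points out, is not yours to list.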
Author: user2370460

Updated on September 18, 2022

Comments

  • user2370460 almost 2 years

    I have postfix, dovecot, opendkim and postsrsd installed. I am trying to forward mail from [email protected] to [email protected], and have them signed with DKIM.

    I use postsrsd in order for the SPF record to pass for the forwarded emails.

    However, when I send an email from my icloud account to [email protected], the message is delivered to my gmail inbox, but it is not being signed by DKIM.

    Here is an output of my log:

    postfix/smtpd:      connect from st11p01im-asmtp001.me.com[17.172.204.151]
    postfix/smtpd:      BC23640B53: client=st11p01im-asmtp001.me.com[17.172.204.151]
    postsrsd:           srs_forward: <[email protected]> rewritten as <[email protected]>
    postfix/cleanup:    BC23640B53: message-id=<[email protected]>
    opendkim:           BC23640B53: st11p01im-asmtp001.me.com [17.172.204.151] not internal
    opendkim:           BC23640B53: not authenticated
    opendkim:           BC23640B53: no signature data
    

    I have looked at http://seasonofcode.com/posts/setting-up-dkim-and-srs-in-postfix.html and all my configuration files appear to be correct.

    From what I have seen online, the "not internal, not authenticated" message means that the domain is not present in /etc/opendkim/TrustedHosts, but the domain being listed in the logs (st11p01im-asmtp001.me.com) is not my domain. I believe me.com belongs to Apple.

    Is DKIM signing with an alias address using SRS not possible?

    Update:
    Having disabled postsrsd in /etc/postfix/main.cf, the problem still persists. Therefore, the issue is not with postsrsd, but with opendkim not signing mail for alias addresses.

    I think this is because opendkim looks at the original hostname that sent the mail, which in my case is st11p01im-asmtp001.me.com, and therefore does not sign it because this address is not listed in /etc/opendkim/TrustedHosts.

    Is there any way to get opendkim to work with alias addresses?

  • jchook almost 6 years
    I solved this problem by using the postfix advanced filter and adding the opendkim milter on the final phase.
  • bhundven about 4 years
    Do you have an example of this @jchook? Would be super helpful.
  • jchook about 4 years
    @bhundven example master.cf
  • bhundven about 4 years
    @jchook Thank you!
  • Lutz over 2 years
    What do you mean by your "source mail server"? If you use postfix as a forwarding server (to accept mails on your own domain and forward them to gmail), the source mail server is almost always different: it is the mail servers of the people who send you mail. Or do you have another use case?
  • Admin about 2 years
    @Lutz Sorry for my late response. I have multiple servers with different IPs which may send my domain's emails. I wanted to be able to sign all these emails using opendkim, sent from every server I have, not only the one server/IP which has opendkim installed on it. From my point of view, the source mail server is the server/IP from which I actually create and send email.