rspamd - "setup config dkim" only generated DKIM for the main domain, but not the others #3326
Comments
It kinda looks very related to #3321, if I'm not mistaken?

I'm not sure if that's related. Just that after running And the output of the command only told me to set up DNS for that "domain1.com". Shouldn't it create DKIM keys for ALL domains on the server? Like it did for OpenDKIM. Thanks!
Ok - looks like I need to run it like this for each domain:
Fair enough. But probably it should be more explicit here :) https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/#dkim
Not really :)
No, this is expected (for now). You will need to run the script for each domain separately as of now, and then adjust

Thanks @georglauterbach. I've just run it for each of the domains. I get all the files in I wonder if the reason it wasn't updated is because it's not mounted, as per the logs in #3327

Haha, nice timing :D Yes, this could be improved. I'll provide a PR.

The default configuration only takes into account a single domain; the script is not capable of more. Please mount a custom configuration that uses all domains, as shown in our docs.
Thanks! I see the example here - https://docker-mailserver.github.io/docker-mailserver/latest/config/best-practices/dkim_dmarc_spf/#dkim But it shows a completely different syntax/structure:
This is what I have as default:
Can I just duplicate this into something like this?
(and couldn't this be easily automated by the Thanks very much!!!
Yes, this is DMS' default.
Looks good and should be working!
You are free to provide a PR :) I'm curious how you'd manage multiple domains that could have multiple selectors though. IMO, writing the file (with the help of our documentation) is easier :)
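The shape of a multi-domain rspamd `dkim_signing.conf` the maintainer points to above, written out here as an added example (it is not the thread's own file or the docker-mailserver project's code). The domain names, selector and key paths are placeholders, and the override file location follows the docker-mailserver convention for custom rspamd config, which is assumed:

```ucl
# Assumed location on the host: docker-data/dms/config/rspamd/override.d/dkim_signing.conf
# (mounted into the container under /tmp/docker-mailserver/rspamd/override.d/).
# Domain names, selector and key paths below are placeholders.
# Module reference: https://rspamd.com/doc/modules/dkim_signing.html

enabled = true;

# Sign mail submitted by authenticated users and by local hosts.
sign_authenticated = true;
sign_local = true;

# Choose the signing domain from the From: header rather than the envelope,
# and collapse subdomains onto the registered (eSLD) domain.
use_domain = "header";
use_esld = true;

# Keep the default: refuse to sign when the authenticated user's domain is
# not the domain being signed for. Setting allow_username_mismatch = true
# lets any account send signed mail as any domain listed below.
allow_username_mismatch = false;

# Look up the published selector record and refuse to sign (with a log
# entry) when it does not match the private key on disk.
check_pubkey = true;
allow_pubkey_mismatch = false;

# One entry per domain the server sends for; each can carry its own
# selector and key file.
domain {
  example.com {
    path = "/tmp/docker-mailserver/rspamd/dkim/keys/example.com/mail.private";
    selector = "mail";
  }
  second-domain.com {
    path = "/tmp/docker-mailserver/rspamd/dkim/keys/second-domain.com/mail.private";
    selector = "mail";
  }
}
```

Each `path` must point at a key the rspamd user inside the container can read, and each selector's public record must be published in DNS before the check above will allow signing.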
Ah ok - I understand. Thank you for all your help today. It's just that on the "user's side" (my side), every time there is a big upgrade with the mailserver, I always struggle to understand what's going on, and I also never heard of Your documentation is great, but for someone that just comes in after an upgrade, it's hard to know what I should focus on 😊👍🏼 (not a bad criticism - I think you are doing as much as you can!!)

#3329 should improve the docs - you are indeed right, our docs assume the users know that we do not take care of multiple domains. This will first be visible on the edge docs and later on v13.0.0. You may use the

Perfect - that looks great. Thanks!!!

That should start to slow down. Many of the bigger breaking changes have been addressed. There are still a few more disruptive ones expected, but those should be more clearly communicated in the changelog / release notes at the time.
@ghnp5 Did you get this to work? I cannot get emails from another domain signed :-/ My
It will only sign emails from example.com, not second-domain.com. I've made sure the config is in place for rspamd in the container. Any other ideas how to debug that? rspamd.log does not show any relevant warning...
Hey It seems to be working for me, yes, for the extra domains. Did you also run this, for each domain?
and do you confirm the file Note that, for me, the

I've run Mmh, strange.

Did you try restarting the mailserver by destroying the container and recreating it?

@some-user123 what does Docs about container restarts: https://docker-mailserver.github.io/docker-mailserver/latest/usage/#get-up-and-running
Yes, I re-created the container. Before that my
Permissions are identical to the first domain:

Seems good... (btw, looks like you missed the replacement of your domains in the first output)

I've added a third domain, that does not have a dash in its name and used selector I found it strange though, that there was no error/warning in the log even though I did not propagate the public key in DNS.

Can you switch the domains (the 2nd into 1st, and 1st into 2nd), and see if it works for that other domain? That should "prove" if it only works for the first or not.
I think, I found it.
Is that intentional?

Seems very reasonable to me. Why would you sign an email with DKIM for domain A when the sender actually is using domain B?

I guess the answer is two steps: If the mail server sends this mail, it should sign it. If it refuses to sign it (because the user isn't authorized to send it), it should not send it - because the user isn't authorized 😉. Why should the mail server send mails across domains? (As it currently does.) Users can also receive mails across domains. Mails to both firstname.lastname@example.com and firstname.lastname@second-domain.com end up in the same mailbox. Why should the user use a different account to send mails for the second address?

To me, that looks like a custom setup that doesn't seem to be usual. If the email is to be sent using "...@second-domain.com", it should authenticate as that user instead, I believe. Regardless, this seems to be something that wouldn't be fixable by the Docker Mail Server developers :)

Because, when it comes to DKIM, there is a difference between sending and receiving (in the end, DKIM is asymmetric!). We're talking about signing an email when sending it. This has nothing to do with receiving. Have you tried different settings for
Obviously, there is a difference between sending and receiving. But why should there be a difference between MTA and DKIM in sending? Either the mail is legit, then sign it and send it. Or it isn't, then refuse to send it. Phrased differently:

Because this is what we call spoofing. Have you set

Perfect 👌🏽

We don't, and there is a blocker issue / discussion as to why when it was last attempted to default that. Besides, the I haven't read the discussion in full, so I'm probably missing some context. I can understand @some-user123's expectation for a single user account that manages multiple domains, especially with the same local part of the address (eg: DMS creates accounts in Dovecot with the full address IIRC, but that's technically not required for login. An account could be agnostic to addresses it receives mail for and can send as. A more common scenario might be an alias Perhaps in that case, you have several domains, each with their own marketing alias address. If DMS isn't where the mailbox is for the recipients, then it sends mail out to recipients that may be at a different domain. I am not familiar enough with DKIM, but assume that requires signing (probably not the same as what was discussed above). What about a use-case where several services send mail for password resets and the like through DMS. DMS may likewise be configured to go through a relay host like SendGrid, where you have a single account with credentials. The same can be done with DMS, where your services authenticate on port 587/465 with a single SASL account, but use different sender addresses / domains. Even with
Hey
I enabled Rspamd, and then ran:
docker exec -it mailserver setup config dkim
However, unlike what happened with the old system (OpenDKIM), I only got the DKIM generated for the main domain, but not the other domains.
Am I doing it right, or do I need to provide an extra parameter for the domain I want to generate, or so?
Thanks!