DKIM_sign tries to sign using the envelope from #2774
Comments
This might work for a server serving only one domain. Per the DMARC specification, the DKIM signature should align with the From header. Therefore, the dkim_sign plugin will prefer to sign the message with the domain in the From header if present, and that's exactly what happened:
When the From header is missing, we attempt to extract the domain name from the envelope from.
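The selection order described in this comment, and what it means for a forwarded message, as an added example (not Haraka's dkim_sign code). The function names, the optional `ownDomain` fallback and the sender.example addresses are assumptions; alignment is checked in strict mode only.

```javascript
// Added illustration; not Haraka's dkim_sign source. Function names are hypothetical.

// Domain of the last addr-spec in a header value or envelope address, lowercased.
function addrDomain(value) {
  if (!value) return null;
  const m = /[^\s<>@]+@([A-Za-z0-9.-]+)>?\s*$/.exec(value.trim());
  return m ? m[1].toLowerCase() : null;
}

// Selection order described above: From header first, envelope sender
// (MAIL FROM) only when the header is missing.
function pickSigningDomain(fromHeader, mailFrom) {
  return addrDomain(fromHeader) || addrDomain(mailFrom);
}

// keys: Map of domain -> selector for private keys this server holds.
// ownDomain (optional): sign as this domain when no key matches the selection.
function planSignature(fromHeader, mailFrom, keys, ownDomain) {
  const wanted = pickSigningDomain(fromHeader, mailFrom);
  if (!wanted) return { sign: false, reason: 'no sender domain' };
  let domain = wanted;
  if (!keys.has(domain)) {
    if (!ownDomain || !keys.has(ownDomain)) {
      return { sign: false, domain: wanted, reason: 'no private key for ' + wanted };
    }
    domain = ownDomain; // valid DKIM signature, but d= differs from the From domain
  }
  return {
    sign: true,
    domain,
    selector: keys.get(domain),
    // Strict DMARC alignment: d= must equal the From header domain.
    aligned: domain === addrDomain(fromHeader),
  };
}

// Constructed sample data; domain and selector mirror the dkim_sign.ini in this issue.
const keys = new Map([['mydomain.com', 'mars2020']]);
const local = planSignature('Me <me@mydomain.com>', 'me@mydomain.com', keys);
const forwarded = planSignature('Alice <alice@sender.example>', 'alice@sender.example', keys);
const forwardedOwn = planSignature('Alice <alice@sender.example>', 'alice@sender.example', keys, 'mydomain.com');
const noHeader = planSignature(null, '<bounce@mydomain.com>', keys);
console.log({ local, forwarded, forwardedOwn, noHeader });
```

The forwarded case is the one this issue reports: the From domain is selected, but the forwarder holds no key for it. Signing as the forwarder's own domain produces a verifiable signature that is not aligned with the From header.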
Yes, that's what I've understood. But when forwarding emails, there is no way to have a domain name signature (since it's from the source we don't master). From what I've seen in some email:
You can have multiple layers of DKIM signature, one for each hop. In the standard, I'm reading:

From what I've found, it seems SRS is required in order to rewrite the envelope without breaking the initial message. Does Haraka support SRS?
Ok, I've hacked something that works a bit like this:
It seems to work better now for forwarding, as it's following the RFC I've read (see above). Would you like me to send a PR for the DKIM change?
system info
$ grep -v "^#" /var/lib/haraka/config/plugins
syslog
dnsbl
helo.checks
tls
rcpt_to.alias_forward2
data.headers
dkim_sign
queue/discard
limit
$ cat dkim_sign.ini
[main]
disabled = false
selector = mars2020
domain = mydomain.com
headers_to_sign = To, From, Subject, Content-Type, Message-ID, Date
dkim.private.key = /var/lib/haraka/config/dkim/mydomain.com/private
Expected behavior
When using the dkim_sign plugin with an alias/forward plugin, the dkim_sign should use the current server's domain and not the envelope's from (or if missing the From header).
Observed behavior
In bold, see the dkim_sign error
Extract of logs:
Steps to reproduce
Enable a forwarding plugin like alias_forward or alias_forword and set up DKIM.