Koozali.org: home of the SME Server

DKIM signing for delegate server

axessit
« on: December 12, 2023, 03:38:53 AM »
I use an SME server for local mail relay for a number of older devices, photocopiers, backup NAS, and also a specialist student management system. I have a delegate mail server set up that works fine, and we route mail through our ISP's special bulk mail server. Mail gets delivered fine, with SPF and DMARC being happy, but there is no DKIM signature.

If I remove the delegate server, then email gets the DKIM signature and is all happy at the receiver's end.

But I need to deliver mail via the delegate as the SME doesn't have the users for the domain (Mr Google does).

Is there a way of having it also sign the emails with DKIM before sending, as the ISP will just pass this on as I haven't provided them the keys (and don't want to if I can avoid it)?

Jean-Philippe Pialasse
« Reply #1 on: December 12, 2023, 05:01:51 AM »
Could it be your delegated server that is sweeping the DKIM field as it has no key?

axessit
« Reply #2 on: December 12, 2023, 09:20:24 AM »
I suspected that, however when I spoke with the ISP, they said they don't, and the evidence is proven when I remove the delegate and send an email normally from the server to my home email. The email still goes through the ISP relay, configured by the email sending, but the DKIM signature is added.

Using the Delegate, the header reports DKIM= none.

Our SPF includes the ISP as well as Gmail, and I have loaded the keys into Google domain, so Gmail signs OK. The trouble is I need to get DKIM signed by Feb or all our major email ISPs in New Zealand will reject any unsigned mail.

I'm thinking I'll have to get the ISP to sign them. I haven't had that detailed conversation yet, but was wondering if there was a simple trick to do it my end.

ReetP
« Reply #3 on: December 12, 2023, 12:21:45 PM »
FWIW I have used AuthSMTP for some while and they are pretty useful (I have no connection - they have just been pretty good for us).

They will not touch your SME server DKIM sigs, but you can set up their own if you prefer that route.

Worth a look.

Jean-Philippe Pialasse
« Reply #4 on: December 12, 2023, 01:34:00 PM »
DKIM signing is done at the qpsmtpd level.
There is no impact whether the server uses a delegated mail server or uses qmail, which is behind qpsmtpd, to deliver the message to its destination.
The only setting needed to sign is the presence of the keys in the signing folder.

However, by default emails sent using a PHP webapp and most daemons are directly sent to qmail or the delegated server without getting to qpsmtpd. That is probably what you are seeing when testing versus the issue observed.

axessit
« Reply #5 on: December 12, 2023, 10:13:20 PM »
OK, so back on the case again today. So does the mail flow from device -> (smtp) qpsmtpd -> qmail -> ISP?

Just looking through the qpsmtpd logs and it is signing the mail:
2023-12-13 09:59:19.399199500 2887 spooling message to disk
2023-12-13 09:59:19.518155500 2887 (data_post_headers) dkim: pass, we signed the message

But when I receive it, the signature header is stripped out.

Looks like email from different devices behaves differently. While investigating more by chance, I noted email from our copiers was rejected due to DMARC policy - unauthenticated mail, but an email from our Wireless controller was passed, so I'll investigate further on how these send.

Jean-Philippe Pialasse
« Reply #6 on: December 13, 2023, 02:09:44 AM »
If the domain used by the device does not match the one qpsmtpd is authorized to sign, then it is not.

Yes, it is a mission to see the different possibilities.
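
An added example, not part of any post in this thread: a Python check to run over the raw source of a test message received from each device, reporting whether a DKIM-Signature header survived delivery and whether its d= domain matches the From domain. The sample messages and the example.org / isp-relay.example domains are constructed, and the alignment test is a simplification that does no Public Suffix List lookup.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not real mail); all domains are placeholders.
SAMPLES = {
    "nas": "From: nas@example.org\nSubject: backup\n"
           "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
           " d=example.org; s=default; h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n\nok\n",
    "copier": "From: copier@example.org\nSubject: scan\n\nno signature header\n",
    "wifi": "From: wifi@example.org\nSubject: alert\n"
            "DKIM-Signature: v=1; a=rsa-sha256; d=isp-relay.example; s=k1;\n"
            " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n\nsigned by another domain\n",
}

def dkim_tags(value):
    """Parse a DKIM-Signature header value (RFC 6376 tag=value list) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_message(raw):
    """Return (status, from_domain, signing_domains) for one received message."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = [dkim_tags(v).get("d", "").lower()
               for v in msg.get_all("DKIM-Signature", [])]
    if not signers:
        return ("unsigned", from_domain, signers)
    # Simplified alignment: d= equals the From domain or is a parent of it.
    aligned = any(d and (from_domain == d or from_domain.endswith("." + d))
                  for d in signers)
    return ("aligned" if aligned else "misaligned", from_domain, signers)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```

This only inspects headers; it does not verify the signature cryptographically, so a "dkim=" result in the receiver's Authentication-Results header remains the authority on pass or fail.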