DKIM not signing domain alias senders

hendea2
New user
Posts: 3
Joined: 2014-01-24 02:40

DKIM not signing domain alias senders

Post by hendea2 » 2014-01-24 02:42

I have multiple domains which share the same pool of users. I have DKIM records in DNS for all of the domains and have DKIM configured on the domain in hMailServer, however when I send e-mail from any of the domains listed in the domain aliases, the messages are not signed. Is there any way to fix this?

mattg
Moderator
Posts: 20796
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DKIM not signing domain alias senders

Post by mattg » 2014-01-24 03:11

I don't believe that it is possible to set DKIM on a domain alias
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

hendea2
New user
Posts: 3
Joined: 2014-01-24 02:40

Re: DKIM not signing domain alias senders

Post by hendea2 » 2014-01-24 03:12

Hmm, after I noticed that it went open source again, I took a dive in and see that the code that handles signing with DKIM only looks to see if the domain of the sender matches the Domain name rather than any of the attached Aliases (specifically in DKIMSigner.cpp:36). We probably should have it look through the Aliases when trying to identify the domain that corresponds to the sender's address, however I'm not sure if this needs to be implemented as a new check or not (or if the existing GetDomain should be updated).

hendea2
New user
Posts: 3
Joined: 2014-01-24 02:40

Re: DKIM not signing domain alias senders

Post by hendea2 » 2014-01-24 03:44

After even a bit more checking, it looks like it may be harder than I first thought. It appears that the Map that contains the domains in the cache doesn't expose the Domains outside of the generic Cache type which means there isn't a good clean way to get at the underlying data without exposing the Cache's collection and it looks like it may have critical section concerns that make revealing it dangerous.

Anyone know if there is another way to get at a listing of the domains? I wouldn't mind writing the code to adjust this if it's a useful feature, but my C++ is a bit rusty and I'm not familiar enough with where else the Domains might be available.

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: DKIM not signing domain alias senders

Post by Bill48105 » 2014-01-24 05:06

Yeah it's been open for like 3 years now :)

There are various functions available I'd have to look. Did you look in utilities.cpp?

The fun part is settings for it but suspect the easiest way without modifying the admin is require the primary domain to have dkim setup then aliases use the exact same settings except key file but have aliases based on that like maindomain.dom-aliasdomain.dom.key or such. Otherwise it'll require a lot of changes in the GUI admin & with aliases being on a different tab than dkim making it more of a hassle.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***

Bill48105
Developer
Posts: 6192
Joined: 2010-04-24 23:16
Location: Michigan, USA

Re: DKIM not signing domain alias senders

Post by Bill48105 » 2014-01-24 05:14

SMTPConnection.cpp:594

Code:

      // Apply domain name aliases to this domain name.
      shared_ptr<DomainAliases> pDA = ObjectCache::Instance()->GetDomainAliases();
      const String sAccountAddress = pDA->ApplyAliasesOnAddress(sFromAddress);

DomainAliases.cpp:43

Code:

   String 
   DomainAliases::ApplyAliasesOnAddress(const String &sAddress)
   {
      const String sDomainName = StringParser::ExtractDomain(sAddress);
      const String sMailbox = StringParser::ExtractAddress(sAddress);

      // Iterate over the domains to find a match.
      vector<shared_ptr<DomainAlias> >::iterator iterAccount = vecObjects.begin();
      
      boost_foreach(shared_ptr<DomainAlias> pFA, vecObjects)
      {
         if (pFA->GetAlias().CompareNoCase(sDomainName) == 0)
         {
            // We found the domain ID
            __int64 iDomainID = pFA->GetDomainID();
         
            shared_ptr<const Domain> pDomain = CacheContainer::Instance()->GetDomain(iDomainID);
            
            if (!pDomain)
               return sAddress;

            String sRetVal = sMailbox + "@" + pDomain->GetName();
         
            return sRetVal; 
         }
      }

      return sAddress;
   }

So it finds the domain & box parts then loops thru the domain aliases looking for a match to rewrite the address. Not too helpful as-is for DKIM but shows how it's done.
hMailServer build LIVE on my servers: 5.4-B2014050402
#hmailserver on FreeNode IRC https://webchat.freenode.net/?channels=#hmailserver
*** ABSENT FROM hMail! Those in IRC know how to find me if urgent. ***
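
The alias-aware lookup this thread asks for, sketched as an added example (it is not hMailServer code and was not written by any poster). All type and function names are hypothetical, and it assumes an alias reuses the selector and key of the domain it points to, with the public key published under each alias domain as well.

```cpp
// Added illustration, not hMailServer source; every name here is hypothetical.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <string>

struct DkimSettings { std::string selector, keyFile; };   // stored per primary domain

struct SigningDecision {
    bool sign;
    std::string d, selector, keyFile, dnsName;   // dnsName: TXT record holding the public key
};

// primaries: primary domain -> DKIM settings; aliases: alias -> primary (keys lower-case).
SigningDecision ResolveSigning(const std::string& from,
                               const std::map<std::string, DkimSettings>& primaries,
                               const std::map<std::string, std::string>& aliases)
{
    const SigningDecision skip = {false, "", "", "", ""};
    const std::string::size_type at = from.rfind('@');
    if (at == std::string::npos || at + 1 == from.size()) return skip;
    std::string domain = from.substr(at + 1);
    std::transform(domain.begin(), domain.end(), domain.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });

    // Exact match on the primary domain first (the only lookup the thread reports).
    std::map<std::string, DkimSettings>::const_iterator cfg = primaries.find(domain);
    if (cfg == primaries.end()) {
        // Fallback: an alias borrows the selector and key of the domain it points to.
        const std::map<std::string, std::string>::const_iterator a = aliases.find(domain);
        if (a == aliases.end()) return skip;               // not a local domain
        cfg = primaries.find(a->second);
        if (cfg == primaries.end()) return skip;           // primary has no DKIM configured
    }
    // d= stays the sender's own domain so the signature aligns with the From header;
    // verifiers then fetch <selector>._domainkey.<d>, which the alias zone must publish.
    const SigningDecision out = {true, domain, cfg->second.selector, cfg->second.keyFile,
                                 cfg->second.selector + "._domainkey." + domain};
    return out;
}

int main() {
    // Constructed sample mirroring the domain/alias layout described in the thread.
    std::map<std::string, DkimSettings> primaries;
    primaries["subdomain.mydomain.com"] = {"dkim", "subdomain.mydomain.com.key"};
    std::map<std::string, std::string> aliases;
    aliases["mydomain.com"] = "subdomain.mydomain.com";
    const SigningDecision r = ResolveSigning("user@MyDomain.com", primaries, aliases);
    std::cout << (r.sign ? "sign d=" + r.d + " s=" + r.selector + " key at " + r.dnsName
                         : std::string("skip")) << "\n";
    return 0;
}
```
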

crice
New user
Posts: 6
Joined: 2013-02-26 22:41

Re: DKIM not signing domain alias senders

Post by crice » 2017-11-17 22:24

I bet there hasn't been much traction on this but I just ran into this as I was setting up DKIM. Due to fun tech debt my main domain for mail is a sub domain. I'm in the process of trying to merge it with the base domain and to do that I made the base domain an alias of the sub domain.

So it looks like

subdomain.mydomain.com
-> ALIAS mydomain.com


Now I'm in the process of making mydomain.com the main mail address and everything works and is backwards compatible except for the DKIM signature.

Right now I get this

FROM: user@subdomain.mydomain.com -> All checks pass
FROM: user@mydomain.com -> DKIM not present but all other checks pass

Anything I can do to get this to work?

mattg
Moderator
Posts: 20796
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DKIM not signing domain alias senders

Post by mattg » 2017-11-17 23:42

Can you rename your domain name to
mydomain.com
-> ALIAS subdomain.mydomain.com

And change DKIM to match mydomain.com

This will then mean that subdomain.mydomain.com won't sign with DKIM, but in my view your senders should be sending from mydomain.com anyway

The ONLY way to get DKIM for a subdomain is to treat it as a separate domain in hMailServer. You can't store a DKIM signature against an alias

RBoy
New user
Posts: 26
Joined: 2018-12-04 04:28

Re: DKIM not signing domain alias senders

Post by RBoy » 2018-12-04 04:38

I too would like to vote for this feature. It's quite challenging that I have two domains being hosted by a single hMailServer instance but only one is getting a DKIM signature.

I'm guessing the question is:

Would you like hMailServer to DKIM sign alias domains?

[poll]
- Yes
- No
[/poll]

EDIT: Hmm, this poll tag doesn't seem to be right

mattg
Moderator
Posts: 20796
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DKIM not signing domain alias senders

Post by mattg » 2018-12-04 06:39

Yep, this is not the feature request section


I saw you posted in the Feature request section also, so I added your poll to the original post in that thread.
http://www.hmailserver.com/forum/viewto ... 46#p181446

RBoy
New user
Posts: 26
Joined: 2018-12-04 04:28

Re: DKIM not signing domain alias senders

Post by RBoy » 2018-12-05 02:29

Thank you. Is this a challenging feature to implement?

mattg
Moderator
Posts: 20796
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DKIM not signing domain alias senders

Post by mattg » 2018-12-05 04:22

I'm not a developer, but I'd imagine so

Each Domain Alias would require the DKIM implementation, and each of the settings and files that go with that, so I'd say yes...

Virinum
Normal user
Posts: 70
Joined: 2018-11-23 14:42
Location: Germany

Re: DKIM not signing domain alias senders

Post by Virinum » 2018-12-05 07:41

I'm not a developer either. But I think a checkbox with "Use DKIM-settings from primary domain" in the domain-alias section would be great. If checked, the settings from the primary domain would be used. The only thing the user would have to do is to provide the public DKIM-key-record in all alias-domains.

mattg
Moderator
Posts: 20796
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: DKIM not signing domain alias senders

Post by mattg » 2018-12-05 15:39

But isn't DKIM domain dependent, won't you need a separate certificate for each domain name?

Virinum
Normal user
Posts: 70
Joined: 2018-11-23 14:42
Location: Germany

Re: DKIM not signing domain alias senders

Post by Virinum » 2018-12-05 16:06

As far as I know you can reuse certificates. The only thing that has to be the same is the selector.

e.g.
  • dkim._domainkey.domain1.com: v=DKIM1; k=rsa; p=123
  • dkim._domainkey.domain2.com: v=DKIM1; k=rsa; p=123

RBoy
New user
Posts: 26
Joined: 2018-12-04 04:28

Re: DKIM not signing domain alias senders

Post by RBoy » 2018-12-05 16:33

mattg wrote (2018-12-05 15:39):
> But isn't DKIM domain dependent, won't you need a separate certificate for each domain name?

I believe it is allowed to have it sign multiple domains with a single key. There are two types of DKIM alignments, relaxed and strict. So yes it would be okay to use the same key for all domains in a relaxed implementation.

https://help.returnpath.com/hc/en-us/ar ... for-DMARC-
https://mxtoolbox.com/problem/dkim/dkim ... -alignment
https://www.dmarcanalyzer.com/what-is-alignment/
