Ability to sign with DKIM domain aliases too

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.

Would you like hMailServer to DKIM sign alias domains?

Yes: 6 (86%)
No: 1 (14%)

Total votes: 7

amokkaths
New user
Posts: 15
Joined: 2012-04-19 22:20

Ability to sign with DKIM domain aliases too

Post by amokkaths » 2015-12-18 17:55

Self-explanatory.
Additional settings and ability to specify DKIM settings for domain-alias too.


mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Ability to sign with DKIM domain aliases too

Post by mattg » 2017-11-17 23:46

Feel free to nominate a question that users can vote on, and some suggested answers.

https://www.hmailserver.com/feature_voting_extended
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RBoy
Normal user
Posts: 31
Joined: 2018-12-04 04:28

Re: Ability to sign with DKIM domain aliases too

Post by RBoy » 2018-12-04 04:42

I vote for this feature also. Been bumping my head to understand why it wasn't signing emails with an alias domain.

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Ability to sign with DKIM domain aliases too

Post by mattg » 2018-12-04 06:44

To me for this to work, would require two separate signatures, one for the Domain, and another for the Domain Alias...

I can't see that this would be easily achieved

RBoy
Normal user
Posts: 31
Joined: 2018-12-04 04:28

Re: Ability to sign with DKIM domain aliases too

Post by RBoy » 2018-12-05 16:36

mattg wrote:
2018-12-04 06:44
To me for this to work, would require two separate signatures, one for the Domain, and another for the Domain Alias...

I can't see that this would be easily achieved
I don't think you need a separate signature. When Google mail does DKIM signing on behalf of other domains it uses its own key.

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Ability to sign with DKIM domain aliases too

Post by mattg » 2018-12-05 22:58

I've just checked a few mail messages

Outlook hosted domains have DKIM in the format
example.outlook.com or example.microsoft.com

gMail hosted domains have two DKIM signatures
DKIM-Signature = example.yyyymmmdd.gappssmtp.com
AND
X-Google-DKIM-Signature which is their own signing

It seems to me that they customise the DKIM signature for each sender.
Always relaxed though.

RBoy
Normal user
Posts: 31
Joined: 2018-12-04 04:28

Re: Ability to sign with DKIM domain aliases too

Post by RBoy » 2018-12-06 19:45

Feel free to correct me if I'm wrong, but with a relaxed implementation it should be acceptable to use the same DKIM signature for different domains, from what I've understood about it, and with the appropriate DMARC setup it should still work; it may not be "aligned" but it'll be accepted. Is that correct?

mattg
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Ability to sign with DKIM domain aliases too

Post by mattg » 2018-12-06 23:15

I honestly don't know enough about it

If what you say is true, then what does DKIM signing actually achieve?

RvdH
Senior user
Posts: 3231
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Ability to sign with DKIM domain aliases too

Post by RvdH » 2021-07-16 21:39

mattg wrote:
2018-12-04 06:44
To me for this to work, would require two separate signatures, one for the Domain, and another for the Domain Alias...

I can't see that this would be easily achieved
That doesn't seem to be the case
https://github.com/hmailserver/hmailserver/pull/383
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

mikedibella
Senior user
Posts: 837
Joined: 2016-12-08 02:21

Re: Ability to sign with DKIM domain aliases too

Post by mikedibella » 2021-07-16 22:00

I see two ways for this to work, and possibly a UI construct to select between the two:

1. Domain Aliases are signed using the Domain private key and with the domain d= tag in the header coded with the Domain identity, not the Alias identity. The Domain configuration Selector is used. No additional DNS entry for the Alias public key needed.

2. Domain Aliases are signed using the Domain private key and with the domain d= tag in the header coded with the Alias identity, not the Domain identity. An additional DNS entry for the Alias public key needed in the Alias namespace, using the same Selector as the Domain configuration.

In both cases the same key pair is used, the difference is where the public key is retrieved from.

UI additions are a Radio button set:

* Do not sign Aliases
* Sign Aliases using Domain identity
* Sign Aliases using Alias identity
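
The two signing options described in the post above, worked through as an added example (not part of the thread and not hMailServer code): for each option it derives the DNS name a verifier queries for the public key and whether the signature's d= aligns with the alias From domain under DMARC relaxed and strict adkim. The domains, the selector "hm" and the two-label organizational-domain rule are assumptions made for illustration.

```python
# Added example: constructed domains and selector, not hMailServer code.

def key_record(selector: str, d: str) -> str:
    """DNS name (TXT) a verifier queries for the signature's public key."""
    return f"{selector}._domainkey.{d}".lower()

def org_domain(domain: str) -> str:
    """ASSUMPTION: organizational domain = last two labels.
    Real DMARC evaluators derive it from the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_aligned(from_domain: str, d: str, adkim: str = "r") -> bool:
    """DMARC DKIM alignment between the From header domain and the d= tag.
    SPF alignment, the other route to a DMARC pass, is not modelled here."""
    f, d = from_domain.lower(), d.lower()
    if adkim == "s":                        # strict: exact match required
        return f == d
    return org_domain(f) == org_domain(d)   # relaxed: same organizational domain

def plan(primary: str, alias: str, selector: str, mode: str) -> dict:
    """mode 'domain' = option 1 (d=primary); mode 'alias' = option 2 (d=alias).
    The message is assumed to carry a From address in the alias domain."""
    if mode not in ("domain", "alias"):
        raise ValueError(mode)
    d = primary if mode == "domain" else alias
    return {
        "d": d,
        "key_record": key_record(selector, d),
        "aligned_relaxed": dkim_aligned(alias, d, "r"),
        "aligned_strict": dkim_aligned(alias, d, "s"),
    }

if __name__ == "__main__":
    # Constructed cases: an unrelated alias and an alias that is a subdomain.
    for alias in ("example.net", "mail.example.com"):
        for mode in ("domain", "alias"):
            print(alias, mode, plan("example.com", alias, "hm", mode))
```

With option 1 the signature can still verify cryptographically, but it only counts as DKIM-aligned for DMARC when the alias shares the primary's organizational domain and the policy is relaxed.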

User avatar
RvdH
Senior user
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Ability to sign with DKIM domain aliases too

Post by RvdH » 2021-07-17 11:16

Strange things are happening in conjunction with a DMARC header that should not allow (adkim=s) the -d=domain parameter in DKIM header to be different from the message.From address domain
https://github.com/hmailserver/hmailser ... -881756321
