
Server Messages not signed?

Posted: 2019-07-04 17:26
by Freeze
Hi there,

Is it possible that server messages (e.g. "Message undeliverable") are not DKIM signed?
Can I somehow activate DKIM signing for server messages?

Thank you very much in advance!

Re: Server Messages not signed?

Posted: 2019-07-05 01:17
by mattg
Mine aren't signed either, but I only send to local accounts. Perhaps it's different if sent to a remote account.

trying to think of a way that I can test that...

Re: Server Messages not signed?

Posted: 2019-07-05 02:01
by palinka
What domain would <> empty sender use for DKIM?

Re: Server Messages not signed?

Posted: 2019-07-05 02:22
by mattg
Whilst the SMTP envelope is empty, my daemon messages have a From header of 'mailer-daemon@FQDN', where FQDN is the local server name as set in SMTP settings.

I only allow local senders to send mail from my server, so all of my Mailer-Daemon messages are to local recipients

Re: Server Messages not signed?

Posted: 2019-07-05 12:25
by palinka
mattg wrote:
2019-07-05 02:22
Whilst the SMTP envelope is empty, my daemon messages have a From header of 'mailer-daemon@FQDN', where FQDN is the local server name as set in SMTP settings.

I only allow local senders to send mail from my server, so all of my Mailer-Daemon messages are to local recipients
It's been a while since I've seen one. And me too, local senders only, so I wouldn't even know or care about DKIM.

How would you even test this proposition? If the sender and recipient are external, you'd need access to the sender server, I think, to see whether a mailer-daemon message was or was not received and why.

Re: Server Messages not signed?

Posted: 2019-07-05 13:38
by RvdH
Local account -> Forward to external account -> Rejected by DMARC -> Return message -> Local account -> Forward to external account....and there things screw up with(out) DKIM :mrgreen:

Re: Server Messages not signed?

Posted: 2019-07-06 03:26
by mattg
not an issue for me

Code:

RewriteEnvelopeFromWhenForwarding=1
; When performing forwarding, hMailServer now keeps the original From address rather than changing to that of the forwarding account.
; This change was made to reduce risk of message delivery failures.
; To force the previous behavior, set RewriteEnvelopeFromWhenForwarding=1

Re: Server Messages not signed?

Posted: 2019-07-08 22:40
by Freeze
Thanks for the answers so far!

I have several addresses which are set to forward the incoming mails to other mail servers.
When my server is forwarding the email, the recipient server sometimes blocks it due to spam issues or something else.
In this case, my server sends an error message to the original sender. And it seems these messages are not signed, because I get DKIM errors via DMARC from Yahoo.
May "RewriteEnvelopeFromWhenForwarding=1" help in this case?

Re: Server Messages not signed?

Posted: 2019-07-09 01:22
by mattg
#19 here
viewtopic.php?f=10&t=30193&start=180#p213193

This is a private build

Re: Server Messages not signed?

Posted: 2019-07-09 01:29
by Freeze
mattg wrote:
2019-07-09 01:22
#19 here
viewtopic.php?f=10&t=30193&start=180#p213193

This is a private build
Perfect! Thank you for this hint. Will give it a try.

Re: Server Messages not signed?

Posted: 2019-07-09 10:26
by RvdH
mattg wrote:
2019-07-09 01:22
#19 here
viewtopic.php?f=10&t=30193&start=180#p213193

This is a private build
I don't see what a Reply "account" rule has to do with server messages not being DKIM signed :?:

Re: Server Messages not signed?

Posted: 2019-07-09 16:26
by mattg
Does the mail daemon 'reply to sender on bounce' not use the same function? I didn't check, but assumed that it would...

Again, I don't have an issue as all of my Daemon messages are to local accounts, as only local accounts can send from my server

Re: Server Messages not signed?

Posted: 2019-07-11 17:58
by Freeze
Freeze wrote:
2019-07-09 01:29
mattg wrote:
2019-07-09 01:22
#19 here
viewtopic.php?f=10&t=30193&start=180#p213193

This is a private build
Perfect! Thank you for this hint. Will give it a try.
Doesn't help :-(
Server messages still seem to be unsigned.

Re: Server Messages not signed?

Posted: 2019-08-19 05:17
by Freeze
mattg wrote:
2019-07-06 03:26
not an issue for me

Code:

RewriteEnvelopeFromWhenForwarding=1
; When performing forwarding, hMailServer now keeps the original From address rather than changing to that of the forwarding account.
; This change was made to reduce risk of message delivery failures.
; To force the previous behavior, set RewriteEnvelopeFromWhenForwarding=1
Tried this setting, but there is no difference between having this option enabled or disabled.
In both cases the "From"-field in the mail header isn't altered when the server is forwarding a message from external to external (hMailServer version 5.6.8-B2451).

Re: Server Messages not signed?

Posted: 2019-08-24 10:32
by RvdH
You can try to rewrite the mailer-daemon@ address to an existing account whose domain has DKIM enabled.

Taken from: https://www.hmailserver.com/forum/viewtopic.php?t=30139

Make a global rule

criteria:
From / contains / mailer-daemon
X-hMailServer-LoopCount / equals / 1

action:
Set header Value / From / postmaster@domain.com

Server messages should be signed after that... (when sent to external)

[EDIT]
But now that I think of it, what if you just add the mailer-daemon@ domain and address and enable DKIM for that?

Re: Server Messages not signed?

Posted: 2019-08-28 00:09
by Freeze
Thank you for the answer. I set up the mailer-daemon@ account and gave it a try.
But this would mean that hMailServer looks up the "From" address in the user accounts and, if there is one, the mail gets signed?
Sounds a little bit strange, but we will see :-)

Re: Server Messages not signed?

Posted: 2019-08-28 18:18
by Freeze
Freeze wrote:
2019-08-28 00:09
Thank you for the answer. I set up the mailer-daemon@ account and gave it a try.
But this would mean that hMailServer looks up the "From" address in the user accounts and, if there is one, the mail gets signed?
Sounds a little bit strange, but we will see :-)
Doesn't work either.
The message is not signed.

Re: Server Messages not signed?

Posted: 2019-08-28 18:32
by RvdH
Freeze wrote:
2019-08-28 18:18
Doesn't work either.
The message is not signed.
Not sure what you are trying to do and how you tested this... but the above method is tested and working when sent to an external address (either by forward rule or account forward).
If a server message is delivered to a local address, the message is never signed... DKIM signing is only done from local to external addresses... and not just in this example, always!

Re: Server Messages not signed?

Posted: 2019-08-28 18:43
by Freeze
RvdH wrote:
2019-08-28 18:32
Freeze wrote:
2019-08-28 18:18
Doesn't work either.
The message is not signed.
Not sure what you are trying to do and how you tested this... but the above method is tested and working when sent to an external address (either by forward rule or account forward).
If a server message is delivered to a local address, the message is never signed... DKIM signing is only done from local to external addresses... and not just in this example, always!
What I did to test it is the following:
I created a forward address from test@mytld.com to thisaccountdoesntexist@foreigntld.com.
Then I sent a mail from myaccount@differenthoster.com to test@mytld.com and the server-message I received from mailer-daemon@mytld.com was not signed.

Here the message that was sent to myaccount@differenthoster.com:

Code:

X-Apparently-To: myaccount@differenthoster.com; Wed, 28 Aug 2019 16:38:56 +0000
Return-Path: <>
Authentication-Results: mta4463.mail.ne1.differenthoster.com; 
 dkim=neutral (no sig) header.i=@mytld.com;
 spf=pass smtp.mailfrom=@mytld.com;
 dmarc=pass(p=quarantine sp=NULL dis=none) header.from=mytld.com;
Received-SPF: pass (domain of mytld.com designates 178.77.66.12 as permitted sender)
X-YMailISG: Kfrzv94WLDsvFl9nkVXdJsclm6xxfFZBnLn7yKLKeOY0Bbd7
 iwavOdkZUA1giQct390my7o8gCfWRRbow2fyxn7WRtzSc1rOi9t6wbxfIq.3
 7ZuynZ25SpyUTzKfvxUr4IcUm4GJnZScRbRb8dImnGXFASfwGiJQMu5D002_
 FaXc9spiytMHHGhvAhaaYdTbcu1EDkqwhuyHgwCWp1aI3Dr2VkDYlUeV5zSZ
 dLrTerdWjKVPtIFztL444_GNmBuiXFJLt9zI_vLf1jZ1cGdgbiXcTb9GzAb8
 auoZCtmqmsNMLODJ1Vo7GmQ46k0aCrIUmjAzZwvPFrq_oIFxgDXWlj0pFJ8B
 7SMsdI_rS5QOwjl_GJDzK6OMh.LHmqMVrTkPMxjgIQvpcJ.UoXXIxZssCRHF
 aQlON_r9_7qRWEjHGFA6DUw7Z3kMJmUwnGhXUCB5G83Q1XCjNIzi9VN1gyna
 0xHlqOVt71pmeVcXkeFM2Vpv_bxcc9Rf7FGDvdxS8O9hNdvVmhNapfzfAiaq
 zvNPynNh4OHaQvZBV84_iD6HyAC7Oudk5kemu3_t9ukaAIIHcFwkzKqOisVJ
 R6jMK4X0QGwP6wqcAvUtXM1VEMtYkZoR1.s8HRURVjZCFkN1wekoKFzHaTWH
 hTuHMJlZoH_bKa2GPzovCKPgqzHzMzyLdiupT2uY.bCh7O3jG9tvZKuoHops
 JXnqn0tWkV4wSNLMD1QDLvgJJdHNRzQGMc.sUMwuUMqXY4TO9BHdzkmky3o_
 Z0JLg6hIGwHiDswo0mNTi6FME9dYswI5pp9Pt_SEkQpYXojc7fW5pebZ0XpH
 TULGRV2SaCi6HTvVyzEh1sCHiLUUNNLu3TpWoSxt2ezs8wbUGz9dX4OU1mOb
 FcPa.ZX6p7.Z2tcmh5MgSF1ACjXciLtle7O0C6o-
X-Originating-IP: [178.77.66.12]
Received: from 10.217.131.17  (EHLO mytld.com) (178.77.66.12)
  by mta4463.mail.ne1.differenthoster.com with SMTPS; Wed, 28 Aug 2019 16:38:54 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path: <>
Message-ID: <61E4833B-BD2E-467A-87F4-5E85ED2FC467@mytld.com>
Date: Wed, 28 Aug 2019 18:37:52 +0200
From: mailer-daemon@mytld.com
To: myaccount@differenthoster.com
Subject: Message undeliverable: Test
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1
Content-Length: 411

Your message did not reach some or all of the intended recipients.

   Sent: Wed, 28 Aug 2019 18:37:47 +0200
   Subject: Test

The following recipient(s) could not be reached:

thisaccountdoesntexist@foreigntld.com
   Error Type: SMTP
   Remote server (212.227.15.9) issued an error.
   hMailServer sent: RCPT TO:<thisaccountdoesntexist@foreigntld.com>
   Remote server replied: 550 Requested action not taken: mailbox unavailable



hMailServer

Re: Server Messages not signed?

Posted: 2019-08-28 22:31
by Freeze
This behavior is equal for both of your suggestions:
1) create rule to rewrite the From field to an existing account
2) create a mailer-daemon@mytld.com account

Re: Server Messages not signed?

Posted: 2019-08-29 00:05
by RvdH
1) RewriteEnvelopeFromWhenForwarding=1 enabled?
2) I think for this the Return-Path header needs to be filled (try option 1 again, only use the original mailer-daemon@mytld.com as 'From' address... I think this fills the Return-Path header)

I get these results from an NDR report forwarded to a Gmail account

Code:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.domain.nl header.s=mail header.b=T7tmBOJh;
       spf=pass (google.com: domain of mailer-daemon@mail.domain.nl designates xx.xx.xx.xxx as permitted sender) smtp.mailfrom=mailer-daemon@mail.domain.nl;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mail.domain.nl

Re: Server Messages not signed?

Posted: 2019-08-29 00:15
by Freeze
RvdH wrote:
2019-08-29 00:05
1) RewriteEnvelopeFromWhenForwarding=1 enabled?
2) I think for this the Return-Path header needs to be filled (try option 1 again, only use the original mailer-daemon@mytld.com as 'From' address... I think this fills the Return-Path header)

I get these results from an NDR report forwarded to a Gmail account

Code:

Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.domain.nl header.s=mail header.b=T7tmBOJh;
       spf=pass (google.com: domain of mailer-daemon@mail.domain.nl designates xx.xx.xx.xxx as permitted sender) smtp.mailfrom=mailer-daemon@mail.domain.nl;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mail.domain.nl
Yes, I tried both, RewriteEnvelopeFromWhenForwarding=1 and =0.
But excuse me, I didn't get you.
What do you mean with "use the original mailer-daemon@mytld.com as 'From' address"?

Attached you can find my current rule.
In addition I created an account mailer-daemon@freeze.ws and of course, DKIM signing is enabled for the domain freeze.ws and is also working for normal mails.

But don't forget, I'm using version 5.6.8-B2451.

Re: Server Messages not signed?

Posted: 2019-08-29 13:45
by RvdH
Ah... I think I know why it works for me, sometimes...

When the NDR's EnvelopeFrom and From address use the same domain, it works.
But when you use a second domain, different from the EnvelopeFrom, it will not work.

I have proposed a change in the code to martin; this at least gives you the ability to get NDR messages DKIM signed (if all required conditions are fulfilled):
https://github.com/hmailserver/hmailserver/pull/301

There, the NDR message's EnvelopeFrom is set to the mailer-daemon@... address when forwarded to external. This adds the mailer-daemon@... address as the Return-Path header, which is (seems to be) required to have a message DKIM signed.
The RewriteEnvelopeFromWhenForwarding setting is ignored for NDR messages.


AFAIK this will never be put in the 5.6.8 branch... but you could try my custom 5.6.8-B2467.22 build with this functionality built in, but you have to upgrade to hMailServer-5.6.8-B2467 first.
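Added example (not part of this thread, and not hMailServer code): a small Python diagnosis of the Authentication-Results headers posted above. It parses the header the receiving MTA added (Yahoo and Gmail formats both appear in the thread), reports the dkim/spf/dmarc outcome, and checks the two preconditions RvdH describes for hMailServer to sign an NDR at all: a non-empty envelope sender (Return-Path) and a From domain that matches the envelope domain. The three sample messages are constructed: two are abbreviated from the headers quoted in the thread (the Return-Path on the Gmail one is assumed, since the thread only shows the Authentication-Results line), the third (other.example) is invented to show the domain-mismatch case.

```python
"""Diagnose whether a bounce (NDR) arrived DKIM-signed, from the headers the
receiving MTA added. Added example for this thread, not hMailServer code."""
import email
import re
from email.utils import parseaddr


def _unfold(value):
    """Collapse RFC 5322 header folding so the regexes see a single line."""
    return re.sub(r"\s+", " ", str(value)).strip()


def parse_authentication_results(value):
    """Parse an Authentication-Results header (RFC 8601) into a dict.

    Returns the authserv-id plus method=result pairs (dkim, spf, dmarc, ...)
    and the smtp.mailfrom / header.i properties when present.
    """
    parts = [p.strip() for p in _unfold(value).split(";") if p.strip()]
    result = {"authserv": parts[0] if parts else ""}
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)  # e.g. "dkim=neutral", "dmarc=pass(...)"
        if m:
            result[m.group(1)] = m.group(2)
        mf = re.search(r"smtp\.mailfrom=([^\s;]+)", part)
        if mf:
            result["smtp.mailfrom"] = mf.group(1)
        hi = re.search(r"header\.i=([^\s;]+)", part)
        if hi:
            result["header.i"] = hi.group(1)
    return result


def diagnose_ndr(raw_message):
    """Report the DKIM/SPF/DMARC outcome for one NDR plus the two conditions the
    thread identifies for hMailServer to sign it: a non-empty envelope sender
    and a From domain equal to the envelope domain."""
    msg = email.message_from_string(raw_message)
    ar = parse_authentication_results(msg.get("Authentication-Results", ""))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Envelope sender: Return-Path if present, otherwise what the receiver saw in MAIL FROM
    # (Yahoo records an empty sender as "smtp.mailfrom=@domain").
    envelope = parseaddr(msg.get("Return-Path", ""))[1] or ar.get("smtp.mailfrom", "")
    envelope_domain = envelope.rpartition("@")[2].lower()

    findings = []
    if not envelope or envelope.startswith("@"):
        findings.append("empty envelope sender (Return-Path <>): per the thread, "
                        "hMailServer only signs when an envelope sender is present")
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"From domain {from_domain} differs from envelope domain "
                        f"{envelope_domain}: signing is reported to fail in that case")
    return {
        "dkim": ar.get("dkim", "none"),
        "spf": ar.get("spf", "none"),
        "dmarc": ar.get("dmarc", "none"),
        "header_i": ar.get("header.i", ""),
        "signed": ar.get("dkim") == "pass",
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "findings": findings,
    }


# Constructed sample 1: abbreviated from Freeze's unsigned NDR as received by Yahoo.
UNSIGNED_NDR = "\n".join([
    "Return-Path: <>",
    "Authentication-Results: mta4196.mail.gq1.yahoo.com;",
    " dkim=neutral (no sig) header.i=@freeze.ws;",
    " spf=pass smtp.mailfrom=@freeze.ws;",
    " dmarc=pass(p=quarantine sp=NULL dis=none) header.from=freeze.ws;",
    "From: mailer-daemon@freeze.ws",
    "Subject: Message undeliverable: Test",
    "X-hMailServer-LoopCount: 1",
    "",
    "Your message did not reach some or all of the intended recipients.",
])

# Constructed sample 2: abbreviated from RvdH's signed NDR as received by Gmail;
# the Return-Path line is assumed (the thread says the patched build sets it).
SIGNED_NDR = "\n".join([
    "Return-Path: <mailer-daemon@mail.domain.nl>",
    "Authentication-Results: mx.google.com;",
    "       dkim=pass header.i=@mail.domain.nl header.s=mail header.b=T7tmBOJh;",
    "       spf=pass (google.com: domain of mailer-daemon@mail.domain.nl designates"
    " xx.xx.xx.xxx as permitted sender) smtp.mailfrom=mailer-daemon@mail.domain.nl;",
    "       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=mail.domain.nl",
    "From: mailer-daemon@mail.domain.nl",
    "",
    "Your message did not reach some or all of the intended recipients.",
])

# Constructed sample 3 (invented domains): envelope and From on different domains.
MISMATCH_NDR = "\n".join([
    "Return-Path: <mailer-daemon@mail.domain.nl>",
    "Authentication-Results: mx.example;",
    " dkim=none; spf=pass smtp.mailfrom=mailer-daemon@mail.domain.nl;",
    " dmarc=fail header.from=other.example",
    "From: mailer-daemon@other.example",
    "",
    "Your message did not reach some or all of the intended recipients.",
])

if __name__ == "__main__":
    for name, raw in [("unsigned", UNSIGNED_NDR), ("signed", SIGNED_NDR), ("mismatch", MISMATCH_NDR)]:
        print(name, diagnose_ndr(raw))
```

Run it as-is to see the three diagnoses; to check your own bounces, paste the full header block a receiving mailbox shows ("view original"/"view raw") into `diagnose_ndr`. A `dkim=neutral (no sig)` line with `Return-Path: <>` is exactly the unsigned case this thread is about; a `dkim=pass` with a filled Return-Path on the same domain as the From header is the working case RvdH reports.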

Re: Server Messages not signed?

Posted: 2019-08-29 23:57
by Freeze
RvdH wrote:
2019-08-29 13:45
Ah... I think I know why it works for me, sometimes...

When the NDR's EnvelopeFrom and From address use the same domain, it works.
But when you use a second domain, different from the EnvelopeFrom, it will not work.

I have proposed a change in the code to martin; this at least gives you the ability to get NDR messages DKIM signed (if all required conditions are fulfilled):
https://github.com/hmailserver/hmailserver/pull/301

There, the NDR message's EnvelopeFrom is set to the mailer-daemon@... address when forwarded to external. This adds the mailer-daemon@... address as the Return-Path header, which is (seems to be) required to have a message DKIM signed.
The RewriteEnvelopeFromWhenForwarding setting is ignored for NDR messages.


AFAIK this will never be put in the 5.6.8 branch... but you could try my custom 5.6.8-B2467.22 build with this functionality built in, but you have to upgrade to hMailServer-5.6.8-B2467 first.
Thank you very much for your efforts!

But unfortunately I don't get it working...

See attached screenshots.
I installed version 5.6.8-B2467.22, I set the default domain to freeze.ws, I have a mailer-daemon@freeze.ws account and I have a rule that rewrites the From-Header.

But the NDR is still unsigned :-(

Code:

X-Apparently-To: bhpclan@ymail.com; Thu, 29 Aug 2019 21:45:01 +0000
Return-Path: <>
Authentication-Results: mta4196.mail.gq1.yahoo.com; 
 dkim=neutral (no sig) header.i=@freeze.ws;
 spf=pass smtp.mailfrom=@freeze.ws;
 dmarc=pass(p=quarantine sp=NULL dis=none) header.from=freeze.ws;
Received-SPF: pass (domain of freeze.ws designates 178.77.66.12 as permitted sender)
X-YMailISG: 8mjBpjQWLDup5f_N0QyXpMpjX.70AIBcEO.Fc.9E8xjrUcsu
 qxpTiIribNdFIHTm0rZ7.5DKZXFh4OBKwv40lSBjmtoOAjLXQVhunfpIUP7x
 zFChZdV_ZRgJo3DxLOVZzPZug2R0vURWmATaxZSzcPKV9dWzUT6su2ax94gq
 .Tm0GJt8r9DkiIfYN2JDQ6VYqX7uASlyLGUAeU6B1jh6oOTW_smLZ8egLeUk
 itHV.8wmeRXiZZL6dU9ArYqocgdrlbT8sDyLjetKTHnr_RVIFLPes1tgiPW2
 BKAq5X_0zTdPg.f_nW4tKeuFgS.SL_H7z02aLucZZTL0dZAwt87I_1KKRrrj
 7b94suQ3tV8T7ZSvLzlVU4ByQjgpkRkUL7.QI4_CE3.YU95_InW5LE3rqytL
 0NMxfzb6PbXu8cxTzSXGgezCsgMwo00vs5pO_weRYC9idxzCsmP3rm.Aoeps
 C5KI0MhDg8bLlG33yORV0qqDMrWuSEWp7.wTg5XSGh7S4R25SQFkAa9S6NCY
 yWxMptqlA8T24JP98D_LEhf5ku.hZg6fAUHOYtDJ.L.RrtyPOX1CZtpVKZO9
 w3lXim6fDZmvbt.UzKczPHGr.erNQ7FyA1GbmGNWYlw5eNE33jMvnUnJAlQg
 W_UcG102eKGFoQMS8ctCVWlLLljoqq6o4NvOn3hcdUyhmop.hOJ6lcrEuGqb
 guy0xQYMZyyUfeYtqaosYCDfC5YzYD9xnCnRj43VgmxK048fpPMDGNvB5mIo
 tMi2nyL8hRBn78qzy4d44mRycI_sArfnVRYMb_9wybjwoIBjmTEIJbX8EoTj
 LNz.DUjIGOo_LYxKpRilDUYuU6UwRwXadWcim.0CwowshFvoVs9PaAl.QYwk
 GUC3OTShofY5RQN9aClYT4ji1XHfSUHFxKZO6D3UUw--
X-Originating-IP: [178.77.66.12]
Received: from 10.214.154.149  (EHLO freeze.ws) (178.77.66.12)
  by mta4196.mail.gq1.yahoo.com with SMTPS; Thu, 29 Aug 2019 21:45:00 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path: <>
Message-ID: <4726DC49-A781-4A02-B229-FFBE7B1F706E@freeze.ws>
Date: Thu, 29 Aug 2019 23:43:57 +0200
From: mailer-daemon@freeze.ws
To: bhpclan@ymail.com
Subject: Message undeliverable: Test
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1
Content-Length: 411

Your message did not reach some or all of the intended recipients.

   Sent: Thu, 29 Aug 2019 23:43:48 +0200
   Subject: Test

The following recipient(s) could not be reached:

dsgwemdiwufn@gmx.de
   Error Type: SMTP
   Remote server (212.227.17.5) issued an error.
   hMailServer sent: RCPT TO:<dsgwemdiwufn@gmx.de>
   Remote server replied: 550 Requested action not taken: mailbox unavailable



hMailServer

Re: Server Messages not signed?

Posted: 2019-08-30 08:22
by RvdH
Ditch the rule and set the local host name (freeze.ws) under SMTP settings; as explained in the GitHub pull request, this sets the mailer-daemon@ address used by the mail server.

freeze.png

By using the rule you set the From address before it reaches the code change in *.22; the change I made expects it to be empty (yellow marked line), which an NDR always is.

Re: Server Messages not signed?

Posted: 2019-08-31 02:44
by Freeze
I removed the rule, but the result stays the same :-(
But, I've received two NDRs though I just sent one mail.
Do I still need the mailer-daemon@freeze.ws user account?

Code:

X-Apparently-To: bhpclan@ymail.com; Sat, 31 Aug 2019 00:41:16 +0000
Return-Path: <>
Authentication-Results: mta4411.mail.ne1.yahoo.com; 
 dkim=neutral (no sig) header.i=@freeze.ws;
 spf=pass smtp.mailfrom=@freeze.ws;
 dmarc=pass(p=quarantine sp=NULL dis=none) header.from=freeze.ws;
Received-SPF: pass (domain of freeze.ws designates 178.77.66.12 as permitted sender)
X-YMailISG: aJHJ7LsWLDuTkabbBaWIphceJMRGJ0mhWmjp2xWK1p4ZxtmY
 YZf_LEn5zHiUeqcC.lb6WLweCes0kglgNtlcnJReXCOZzfDjl0N5UoSakgv7
 soYXDPH_AFFQdGbygqGkE5cSMRkf55FZhVGH2OMc0b8inW0P63dlRG9dYGta
 xBEZSnLXYCFiA6B7tNtu24GFXEAFKQkhwXbes22x4iYlQAHXS0ZHyPjvKFqm
 5ik_rBh5_MfLm2NMlx3XZ690TglfH3OFWTO5mo6CSCJ9hUczJQkx7Epr9SRv
 L9ZNiWscMkoePllozHZlITgd4RNieYimUseB1DdsudkFij4dCicDgsdDgAoZ
 HDNmI0ICoGOXGvLoDc2WzdBGtAXRdzmYzsggc25iqxw2YEHhS8Z0_xfZ4RfB
 kTkKBEfVCTTPRRqLRHOb4Fl37HobYEWKXLT7HVNwFL16URLnisj5bDqvG2Ra
 KsuknQj4lovgxTAYLSXM2zoZMpLQS.KkdI6Qs279HlF4oAkKTd8WvB.FRHsC
 FUfu_H3PIZfapgMC7XvI4w4pPLCAx_2KGtmn8ixs0cqEohoTD7KVclKmRiF3
 x7m.pT_ChIcqP9F6_SyVPyZwG7HQ40c7iCJ7rlSKfUAm_K1S9E6Dmtl66iN0
 6W4uqtOaZt1aH3_yWNnDmi.4CDhWutXA9dIe6AYp3yHsofbe9iBNMYLfSnpZ
 RT1AFSHUMZEDbi7TKXHD7r25ZdeJn2n3mbpr8.qfN6YMaQVGGz7ySUgxF7jz
 9pFCaXs98WhmmuxMKOL8NaDCQP0WIIAIksjs3KXYXQW8D1aijUHQx3ycNhi_
 9tH2_TALt2zO9QEB8cDJ1Hk640MKa7Kk6hAUhCCuKtpQGox3ZAn5MepGgy2i
 AMSKXEe5By7TV9PmnflBjHdaPQbv_epMKTBbViRjnUa6P0tyZpeTlg--
X-Originating-IP: [178.77.66.12]
Received: from 10.217.151.201  (EHLO freeze.ws) (178.77.66.12)
  by mta4411.mail.ne1.yahoo.com with SMTPS; Sat, 31 Aug 2019 00:41:15 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path: <>
Message-ID: <DC9541B5-513D-40FA-B7D8-815D0A00FACA@freeze.ws>
Date: Sat, 31 Aug 2019 02:40:13 +0200
From: mailer-daemon@freeze.ws
To: bhpclan@ymail.com
Subject: Message undeliverable: Test
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1
Content-Length: 411

Your message did not reach some or all of the intended recipients.

   Sent: Sat, 31 Aug 2019 02:38:06 +0200
   Subject: Test

The following recipient(s) could not be reached:

dsgwemdiwufn@gmx.de
   Error Type: SMTP
   Remote server (212.227.15.9) issued an error.
   hMailServer sent: RCPT TO:<dsgwemdiwufn@gmx.de>
   Remote server replied: 550 Requested action not taken: mailbox unavailable



hMailServer

Code:

X-Apparently-To: bhpclan@ymail.com; Sat, 31 Aug 2019 00:41:18 +0000
Return-Path: <>
Authentication-Results: mta4420.mail.ne1.yahoo.com; 
 dkim=neutral (no sig) header.i=@freeze.ws;
 spf=pass smtp.mailfrom=@freeze.ws;
 dmarc=pass(p=quarantine sp=NULL dis=none) header.from=freeze.ws;
Received-SPF: pass (domain of freeze.ws designates 178.77.66.12 as permitted sender)
X-YMailISG: EjsaADIWLDsfsifPAC1OCCdQy.3XjjoO0JyVtq8AcuxQXpo.
 sLhrSRYiePYhFht04GRhKK7rwLXHtMNhWo4.LLA9..UR7IrqG0bEPREfaGps
 RKiH_ggManURMWBUBUBX7jgASuMgibXge3YXLKhh1sssU33I32MC2ljo_f9H
 GGBfz6eA69Ra_02SbKyXYnFojeyk7YWmpJTUmDrWZwsTlIGaRYRUeDbVh83v
 Cwl_LC7lWjgS0CaYwwYL9MACThWuQ_kxtZqYvMWFUT7yGlyse.blU4OXZQk4
 YYqGZCMFcEjWVBcpRh3cldXX4JHIP8.vTfs0x0qC6mg4zPffnv3AELPtT6GX
 9pBYTgTcsectiS_E4vL8WWORXGjD33v0TXCak8i9Wc1YVX0nJRNqjhAHlKTp
 3DlfdMAzCGn_cNIxfWWawk3jvEpHhEtOUrx14XbK18JDv094uQSHMC1A3MZT
 wk5epOxxNKjZOZww1eoillhvDbvk57gmWTVuAVUc.TnYF_UwJt63gmKd62ze
 yeEXWDO8Qh8Zcqnk4fzVR3_THOY0HIEb_DEFVUubX4iS2O4Qer7sn7vUSr5h
 aYEvbtA9AhFom5_SJBK.ZIe6i20Z635wWXWI9NVJr4_p..ZEzPSI0Qu1hSkb
 mHjh3JcehOWs5sQ3nieRzptS2mwZ6sovQ78xNzuvOxIbLfif9QoZXXIubf8m
 dRzRKj6Qp.054a0xg1OwgQv8YurJ.VphDWaZfGdikQ65N70Ee5AO6QMfmnQ9
 1TAWRlxr0p3j0gosMCZzyarNzPSUD5m1KusGucUF3x4PbdhSAibOxZUYQtBB
 WRnPw3WMgrjwdQ5bhQsvnEanhc606Ff4VbZcbejOACbW0_YinpziJhK1P.XX
 2ZnijtV281VjRe1XCZ14u3seQt6Sn37S5fmTciDxw1hTsb2ueX1fuXE-
X-Originating-IP: [178.77.66.12]
Received: from 10.217.150.12  (EHLO freeze.ws) (178.77.66.12)
  by mta4420.mail.ne1.yahoo.com with SMTPS; Sat, 31 Aug 2019 00:41:17 +0000
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path: <>
Message-ID: <977ED8F3-C218-405C-BD98-39830573E475@freeze.ws>
Date: Sat, 31 Aug 2019 02:40:13 +0200
From: mailer-daemon@freeze.ws
To: bhpclan@ymail.com
Subject: Message undeliverable: Test
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1
Content-Length: 411

Your message did not reach some or all of the intended recipients.

   Sent: Sat, 31 Aug 2019 02:38:04 +0200
   Subject: Test

The following recipient(s) could not be reached:

dsgwemdiwufn@gmx.de
   Error Type: SMTP
   Remote server (212.227.15.9) issued an error.
   hMailServer sent: RCPT TO:<dsgwemdiwufn@gmx.de>
   Remote server replied: 550 Requested action not taken: mailbox unavailable



hMailServer

Re: Server Messages not signed?

Posted: 2019-08-31 08:06
by RvdH
I only see two external domains in the NDR... what's up with that?

Code:

bhpclan@ymail.com
dsgwemdiwufn@gmx.de

Code:

From: mailer-daemon@freeze.ws
To: bhpclan@ymail.com
In the last "To:" address above I would at least expect a local domain and not a Yahoo account. I really don't know what you are doing; is that a route?

Run this and post the results:
https://www.hmailserver.com/forum/viewt ... 20&t=30914 and include RULES when prompted.

Re: Server Messages not signed?

Posted: 2019-08-31 23:49
by Freeze
What I'm doing is:
- set up a forward address on my mail server from test@freeze.ws to dsgwemdiwufn@gmx.de
- send an email from bhpclan@ymail.com to test@freeze.ws
- my server tries to forward the mail to dsgwemdiwufn@gmx.de, but since this account doesn't exist, my server receives an error from gmx.de
- thus my server sends an error message back to bhpclan@ymail.com, and this message isn't signed

Here the data:

Code:

2019-08-31   Hmailserver: 5.6.8-B2467.22

DOMAINS

   "Domain1.com" - bhxxxxxx.de                    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain1.com\dkim.Domain1.com.private.pem
                                                Selector:    dkim

   "Domain2.com" - doxxxxxxxxxxxxxx.de            Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain2.com\dkim.Domain2.com.private.pem
                                                Selector:    dkim

   "Domain3.com" - frxxxx.ws                      Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain3.com\dkim.Domain3.com.private.pem
                                                Selector:    dkim

   "Domain4.com" - juxxxxxxxxxx.de                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain4.com\dkim.Domain4.com.private.pem
                                                Selector:    dkim

   "Domain5.com" - r-xxxxx.de                     Enabled: False

   "Domain6.com" - rwxx.de                        Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0
                                                                   Greylisting:     False

   "Domain7.com" - sgxxxxxxxxxxxxxx.de            Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain7.com\dkim.Domain7.com.private.pem
                                                Selector:    dkim

   "Domain8.com" - wixxxxxxxxx.net                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: c:\program files (x86)\hmailserver\data\Domain8.com\dkim.Domain8.com.private.pem
                                                Selector:    dkim
-----------------------------------------------------------------------------------------------

GLOBAL RULES
  1, Delete Spam                  Criteria:  Use AND
     Custom: X-hMailServer-Spam        Equals          YES
                                  -----Actions-----
             Delete
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:   True                              Antivirus:  False
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    - False
     External To External - False


IP: ::1 - ::1     Priority: 15     Name: My Computer IPv6

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:   True                              Antivirus:  False
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    - False
     External To External - False


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:  False
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False


IP: :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff     Priority: 10     Name: Internet IPv6

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:  False
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      5
                              Minutes Before Reset:           30  (0,50 hours, 0,02 days)
                              Minutes to Autoban:             60  (1,00 hours, 0,04 days)

There is a total of 13 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 60   Plain Text:        False  Bind:
                     Host: Domain3.com         Empty sender:       True  Batch recipients:   100
Max Msg Size:     0  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr:  True
                                               Max number commands: 100  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "\"
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2
  Add X-HmailServer-Subject:  True    Verify DKIM:       False
              Subject Text: "[SPAM]"
  Spam delete threshold: 8         Maximum message size: 1024

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
            b.barracudacentral.org      Score: 2     Result: 127.0.0.2
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
           bl.spameatingmonkey.net      Score: 2     Result: 127.0.0.2-3
                   cbl.abuseat.org      Score: 2     Result: 127.0.0.2

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   Domain3.com
       Certificate: C:\Program Files (x86)\hMailServer\Domain3.com.crt
       Private key: C:\Program Files (x86)\hMailServer\Domain3.com.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             TLS 1.0 :  False
             TLS 1.1 :  False
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256
RC4-SHA                         - HIGH                            - !aNULL
!eNULL                          - !EXPORT                         - !DES
!3DES                           - !MD5                            - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None
               0.0.0.0         / 110   / POP3   -   None
               0.0.0.0         / 143   / IMAP   -   None
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: Domain3.com
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: Domain3.com
               0.0.0.0         / 995   / POP3   -   SSL/TLS             Cert: Domain3.com
               ::              / 25    / SMTP   -   None
               ::              / 110   / POP3   -   None
               ::              / 143   / IMAP   -   None
               ::              / 465   / SMTP   -   SSL/TLS             Cert: Domain3.com
               ::              / 993   / IMAP   -   SSL/TLS             Cert: Domain3.com
               ::              / 995   / POP3   -   SSL/TLS             Cert: Domain3.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-08-31.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-08-31.log
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -      .
                        DEBUG       -      .
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory C:\hMailServer-Backup\current is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=
PasswordEncryption=1
Port=              0
Server=
Internal=          1

[Settings]
RewriteEnvelopeFromWhenForwarding=0
-----------------------------------------------------------------------------------------------

Error 438. Out-dated version. Some fields or objects missing.

Generated by HMSSettingsDiagnostics v1.96, Hmailserver Forum.

Re: Server Messages not signed?

Posted: 2019-09-01 01:14
by RvdH
What? Why should the NDR be sent back to the yahoo account?
That doesn't make any sense at all, as the mail from yahoo -> freeze was successfully delivered...anything after that isn't of any concern to the yahoo account.
It could, with SRS ...but this isn't supported by hmailserver (yet...or ever?)

So you are probably best off setting RewriteEnvelopeFromWhenForwarding=1, that way the message never finds its way back to the yahoo account, and the yahoo account doesn't need to know you are a bad admin who screwed up configuring accounts/forwards :mrgreen:

Not sure if the mails in your scenario are DKIM signed properly, this is solely server to server communication so I doubt it will be DKIM signed.

Please run your test the other way around: set a forward to yahoo on test@freeze and send a mail from test@freeze -> gmx

Re: Server Messages not signed?

Posted: 2019-09-01 02:08
by Freeze
I just use this setup to generate a server error message. Of course in normal operation I don't have forward accounts which forward to non-existing addresses.
But what happens is that somebody sends a mail to one of my forwarding accounts and then the mail server to which the mail is forwarded declines the reception. Maybe because the sender address is blocked, or because there is no valid MX entry for the sender's host, or anything else.
And RewriteEnvelopeFromWhenForwarding=1 doesn't seem to help in this case. I still get DMARC reports that state the DKIM signing is missing for mails coming from freeze.ws. And these mails are server error messages. And that's exactly what I see with the setup I described above: the error messages are not signed.

Re: Server Messages not signed?

Posted: 2019-09-01 09:21
by RvdH
I still believe the way you test this is all wrong; NDRs are sent/should be sent to local accounts only.
And only NDRs received by a local account and forwarded to external are DKIM signed, as explained in the GitHub pull request.
RvdH wrote:
2019-09-01 01:14
please run your test the other way around, set a forward to yahoo on test@freeze and send a mail from test@freeze -> gmx
Same result?

Normal messages of freeze.ws, e.g. non-NDR, are DKIM signed properly?

This is my logic:
Local account -> non-existent external account -> NDR to local -> forward to external

Your logic is like this:
External account -> Local account -> forward to external -> NDR to local -> NDR to external

And therefore I suggest you use the RewriteEnvelopeFromWhenForwarding setting; this will omit the last NDR to external.

Re: Server Messages not signed?

Posted: 2019-09-01 23:43
by Freeze
Normal messages from freeze.ws are signed properly, yes.

But I don't get your suggestion "set a forward to yahoo on test@freeze and send a mail from test@freeze -> gmx".
test@freeze.ws is not an account, it's just a forward address.
And even if it were an account, what do you expect in this case? The forward to yahoo won't play any role if I send a message from test@freeze.ws to gmx.

So my logic is: External #1 account -> forward to external #2 -> unsigned NDR to external #1
And in my opinion, the external #1 should get an NDR if there was a problem in sending the message? And this NDR should be signed, shouldn't it?

I can try the RewriteEnvelopeFromWhenForwarding=1 one more time, but it didn't help in the past. I still got DMARC reports stating there are unsigned mails from freeze.ws.
And by going through the logs, I saw it's because of NDRs sent back to external because the server to which the mail should have been forwarded rejected it.

Re: Server Messages not signed?

Posted: 2019-09-02 00:23
by RvdH
No, yahoo never sent a mail to gmx, so the NDR to yahoo makes no sense...

If you do not understand that, we're done talking...back to school for you!
Without SRS (linked to above) we never, ever will be able to do what you want, request.....simple as that!!!

Re: Server Messages not signed?

Posted: 2019-09-02 00:46
by Freeze
Okay, maybe you're right, but maybe we don't understand each other yet :D
I don't expect yahoo to send a message to gmx.

What happens is:
My server connects to yahoo and says: Hey, I have a message from blabla@blocked.com for you!
Then yahoo answers: Oh boy, I don't accept this message, I don't trust blocked.com!
Then my server sends the NDR to blabla@blocked.com, that the delivery didn't work - that's a fact, it sends this message.
And this message isn't signed for whatever reasons.

So where is my fallacy?

Re: Server Messages not signed?

Posted: 2019-09-05 04:56
by Freeze
Here is an example:

Code: Select all

Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path:
Message-ID:
Date: Wed, 4 Sep 2019 22:31:59 +0200
From: mailer-daemon@freeze.ws
To: zxknnzxe@chainarchi.com
Subject: Message undeliverable: Michael Kors HandBags on Sale - Up to 80% off Online
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1

Your message did not reach some or all of the intended recipients.

Sent: Thu, 5 Sep 2019 04:31:39 +0800
Subject: Michael Kors HandBags on Sale - Up to 80% off Online

The following recipient(s) could not be reached:

ggraf@lhg.de
Error Type: SMTP
Remote server (195.190.135.25) issued an error.
hMailServer sent: .
Remote server replied: 550 REJECT spam id=3Dexpurgator-69e11b/1567629119-00006D59-2826B648/3/6412542229



hMailServer 
zxknnzxe@chainarchi.com sent a mail to graf@sg-schwarzenfeld.de.
graf@sg-schwarzenfeld.de is a forward address on my server which is forwarded to ggraf@lhg.de
But lhg.de rejected the mail because it classified it as spam.
Thus my server sends the NDR above to zxknnzxe@chainarchi.com and this NDR is not DKIM signed.
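To see why a DMARC report flags such a bounce, the following added example (not code from this thread or from hMailServer) evaluates DMARC identifier alignment (RFC 7489) for a constructed header block modelled on the NDR above: the empty Return-Path makes SPF fall back to the HELO name, and without a DKIM-Signature whose d= aligns with the From: domain nothing passes. Assumed and labelled in the code: the HELO names, the dkim_verified flag standing in for real signature verification, and a two-label approximation of the organizational domain.

```python
from email import message_from_string
import re

def org_domain(domain: str) -> str:
    """DMARC organizational domain, approximated as the last two labels
    (assumption; a real evaluator consults the Public Suffix List)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(a: str, b: str, strict: bool) -> bool:
    """Strict alignment is an exact match; relaxed compares organizational domains."""
    a, b = a.lower(), b.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_alignment(raw_msg: str, envelope_from: str, helo_domain: str,
                    dkim_verified: bool = True, strict: bool = False) -> dict:
    """Report which DMARC identifier aligns with the RFC5322.From domain.
    envelope_from == "" models the null reverse-path of a bounce; RFC 7489 then
    uses the HELO identity for SPF. dkim_verified stands in for real signature
    verification (assumption: only the d= tag is inspected here)."""
    msg = message_from_string(raw_msg)
    from_domain = msg["From"].rsplit("@", 1)[-1].strip("<> ")
    dkim_domains = [d for sig in msg.get_all("DKIM-Signature", [])
                    for d in re.findall(r"\bd=([^;\s]+)", sig)]
    dkim_ok = dkim_verified and any(aligned(d, from_domain, strict) for d in dkim_domains)
    spf_identity = envelope_from.rsplit("@", 1)[-1] if envelope_from else helo_domain
    spf_ok = aligned(spf_identity, from_domain, strict)
    return {"from_domain": from_domain, "dkim_aligned": dkim_ok,
            "spf_identity": spf_identity, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}

# Constructed header block modelled on the NDR quoted above (body omitted).
NDR = """Return-Path: <>
From: mailer-daemon@freeze.ws
To: recipient@example.invalid
Subject: Message undeliverable

"""
# The same bounce with a (constructed) signature from the From: domain.
SIGNED = "DKIM-Signature: v=1; a=rsa-sha256; d=freeze.ws; s=sel; h=from:to; bh=x; b=y\n" + NDR

if __name__ == "__main__":
    # Unsigned bounce, HELO name outside freeze.ws: neither identifier aligns
    print(dmarc_alignment(NDR, "", "mail.other-host.example"))
    # Same bounce sent from a host named under freeze.ws: SPF aligns (relaxed)
    print(dmarc_alignment(NDR, "", "mx.freeze.ws"))
    # Signed bounce: DKIM aligns regardless of the HELO name
    print(dmarc_alignment(SIGNED, "", "mail.other-host.example"))
```

The middle case shows the one lever the server has without DKIM on bounces: an SPF-covered HELO name under the same organizational domain as the mailer-daemon From: address.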

Re: Server Messages not signed?

Posted: 2019-09-06 17:38
by Freeze
Perhaps, for further clarification: when I'm talking about "forward address" I mean "Alias", so there is no real user account on my server for these addresses.

Re: Server Messages not signed?

Posted: 2019-09-20 21:49
by RvdH
No, you are out of luck then; mail forwarded to external email addresses through aliases and distribution lists is never DKIM signed.