Hello!

I have an Ubuntu 18.04 server running Postfix 3.3 that relays through a
local OpenSMTPD mail relay on OpenBSD 7.0. Messages sent from system
messages and directly from the mail command are signed by dkimsign as
expected.

Messages sent from letsencrypt run through cron.weekly are not being
signed by dkimsign with the expected domain. Log entries for correctly
signed and incorrectly signed messages are identical on both client and
relay server.

Here are the key portions of the headers in the received inbox for the
cron.weekly job:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021;
    bh=rNFy7e0QC/J
    YFcHTI8wUywlRSY3eJ4LLLsOZrSC0XBc=; h=date:subject:to:from;
    d=example.com; b=KqmB7rxJfpLcF6Nif/4bQRAbcQDDhVmFh+8KDeCqc9ujlr8ogK7...
Received: from relayclient.example.com (<unknown> [172.16.13.2])
    by smtp.example.com (OpenSMTPD) with ESMTPS id 44fa8358
    (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO)
    for <u...@example.net>;
    Sun, 14 Nov 2021 06:47:03 -0800 (PST)
Received: by relayclient.example.com (Postfix)
    id 881F75F401; Sun, 14 Nov 2021 06:47:03 -0800 (PST)
Delivered-To: r...@relayclient.example.com
Received: by relayclient.example.com (Postfix, from userid 0)
    id 81D885F402; Sun, 14 Nov 2021 06:47:03 -0800 (PST)
From: r...@relayclient.example.com (Cron Daemon)
To: r...@relayclient.example.com
Subject: Cron <root@relayclient> test -x /usr/sbin/anacron || ( cd / &&
    run-parts --report /etc/cron.weekly )
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env:
    <PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Message-Id: <20211114144703.81d885f...@relayclient.example.com>
Date: Sun, 14 Nov 2021 06:47:03 -0800 (PST)

Note in the above headers that d=example.com, but the expected value is
d=relayclient.example.com.

Here are the key portions of the headers in the received inbox from the
same client but for some other system message:

DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021;
    bh=r8XLAjeCvrx
    jCndiJeywanw7UmGo9LRF4gIb07HheJc=; h=date:to:from:subject;
    d=relayclient.example.com;
    b=QfD3av5+JxEZyCgzeZ7GcnhIf3/sMmeCNDtEvz/4/hGZf...
Received: from relayclient.example.com (<unknown> [172.16.13.2])
    by relayclient.example.com (OpenSMTPD) with ESMTPS id b3c796f1
    (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO)
    for <u...@example.net>;
    Sat, 20 Nov 2021 06:40:29 -0800 (PST)
Received: by relayclient.example.com (Postfix)
    id AFFC95E476; Sat, 20 Nov 2021 06:40:29 -0800 (PST)
Delivered-To: r...@relayclient.example.com
Received: by relayclient.example.com (Postfix, from userid 0)
    id A961A5F42E; Sat, 20 Nov 2021 06:40:29 -0800 (PST)
Subject: unattended-upgrades result for relayclient.example.com: True
From: r...@relayclient.example.com
To: r...@relayclient.example.com
Auto-Submitted: auto-generated
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <20211120144029.a961a5f...@relayclient.example.com>
Date: Sat, 20 Nov 2021 06:40:29 -0800 (PST)

Note in the above headers that d=relayclient.example.com, as expected.

Here is smtpd.conf:

pki int_net cert "/etc/ssl/176.16.13.1.crt"
pki int_net key "/etc/ssl/private/smtp.example.com.key"
table aliases file:/etc/mail/aliases
filter "dkimsign_loc_rsa" proc-exec "filter-dkimsign \
-d smtp.example.com -s 10172021 \
-k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign
filter "dkimsign_int_rsa" proc-exec "filter-dkimsign \
-d example.com \
-d smtp.example.com \
-d relayclient.example.com
-s 10172021 -k /etc/mail/dkim/10172021.rsa.key" user _dkimsign group _dkimsign
listen on socket
listen on lo0 filter "dkimsign_loc_rsa"
listen on vio1 tls pki int_net filter "dkimsign_int_rsa"
action "local_mail" mbox alias <aliases>
action "local_redirect" relay host smtp+notls://127.0.0.1:25
action "outbound" relay
match from socket action "local_redirect"
match for local action "local_mail"
match from any for any action "outbound"

The vio1 interface is on the private network and access is controlled
through PF.

Thank you!
Paul
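
A small diagnostic for comparing the two header sets above, added here as an example and not part of the original post: it parses the DKIM-Signature tag list (RFC 6376) and reports how the d= tag relates to the From: domain. The sample messages are constructed from the header shapes shown above; the local part "user" and the bh=/b= values are placeholders, and the function names are hypothetical.

```python
import email
from email.utils import parseaddr

# Constructed samples modelled on the two header sets in the post; the local
# part "user" and the bh=/b= values are placeholders, not real signatures.
CRON_SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021;\n"
    "\tbh=PLACEHOLDER=; h=date:subject:to:from;\n"
    "\td=example.com; b=PLACEHOLDER\n"
    "From: user@relayclient.example.com (Cron Daemon)\n"
    "Subject: Cron test\n\nbody\n"
)
SYSTEM_SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=10172021;\n"
    "\tbh=PLACEHOLDER=; h=date:to:from:subject;\n"
    "\td=relayclient.example.com;\n"
    "\tb=PLACEHOLDER\n"
    "From: user@relayclient.example.com\n"
    "Subject: unattended-upgrades result\n\nbody\n"
)

def dkim_tags(value):
    """Parse an RFC 6376 tag=value list; folding whitespace is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            # Split on the first "=" only: base64 values may end in "=".
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags

def check_signing_domain(raw_message):
    """Return (from_domain, d_tag, relation) for the first DKIM-Signature."""
    msg = email.message_from_string(raw_message)
    # parseaddr copes with the trailing "(Cron Daemon)" comment form.
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return from_domain, None, "unsigned"
    d = dkim_tags(sig).get("d", "").lower()
    if d == from_domain:
        return from_domain, d, "exact"
    if from_domain.endswith("." + d):
        return from_domain, d, "parent"   # signed with a parent domain
    return from_domain, d, "unrelated"

if __name__ == "__main__":
    for name, raw in (("cron", CRON_SAMPLE), ("system", SYSTEM_SAMPLE)):
        print(name, check_signing_domain(raw))
```

Feeding it raw messages saved from the receiving inbox shows at a glance which senders end up signed with the parent domain rather than the host's own.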