Open UzricRash opened 2 years ago
Further investigation shows that DKIM signing does work when using a TLD as an allowed sender (e.g. `domain.com`), but does not work when using a FQDN (e.g. `mail.domain.com`).
The culprit seems to be in the generation of the KeyTable and SigningTable files during the execution of `/scripts/common-run.sh`.
Thank you for this report. I will have a look at it.
Can you share the whole set of parameters you used to start the image?
Of course.
For privacy reasons I changed my domain to mydomain.com, but otherwise it's the same as I use.
The content of `/home/docker/postfix/opendkim` is the key files with the filenames `mail.mydomain.com.private` and `mail.mydomain.com.txt`, as your example key generation script used.

```sh
docker run \
  -e "ALLOWED_SENDER_DOMAINS=mail.mydomain.com" -e "HOSTNAME=mail.mydomain.com" -e "MASQUERADED_DOMAINS=mydomain.com" \
  -v /home/docker/postfix/opendkim:/etc/opendkim/keys \
  -d -p 127.0.0.1:7320:587 --restart=always --name postfix boky/postfix
```

With the above configuration DKIM fails. My limited knowledge of opendkim suggests that `mail._domainkeys.mail.mydomain.com`, as `/scripts/common-run.sh` generates, is not a valid entry for KeyTable or SigningTable, as it should be `mail._domainkeys.mydomain.com`.
Indeed, with the following configuration DKIM works as intended:
```sh
docker run \
  -e "ALLOWED_SENDER_DOMAINS=mydomain.com" -e "HOSTNAME=mydomain.com" -e "MASQUERADED_DOMAINS=mydomain.com" \
  -v /home/docker/postfix/opendkim:/etc/opendkim/keys \
  -d -p 127.0.0.1:7320:587 --restart=always --name postfix boky/postfix
```

Notice the only change for DKIM to work was to remove `mail.` from `mail.mydomain.com` and to change the key filenames the same way.
I have the same problem, but also, for some reason, when `mail.` is removed from `mail.mastodon.example`, I started to get these errors:

```
2023-03-07T12:36:53.212074+03:00 INFO postfix/error[68060]: AD91C824: to=<notifications@mastodon.example>, relay=none, delay=1201, delays=1200/0.03/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.mastodon.example:25: Connection refused)
2023-03-07T12:36:53.212827+03:00 INFO postfix/error[68060]: AE36493: to=<notifications@mastodon.example>, relay=none, delay=170699, delays=170699/0.03/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.mastodon.example:25: Connection refused)
2023-03-07T12:36:53.213422+03:00 INFO postfix/error[68060]: 6945AB3: to=<notifications@mastodon.example>, relay=none, delay=164144, delays=164144/0.03/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.mastodon.example:25: Connection refused)
2023-03-07T12:36:53.214130+03:00 INFO postfix/error[68060]: 5C64C4E: to=<notifications@mastodon.example>, relay=none, delay=202161, delays=202161/0.04/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.mastodon.example:25: Connection refused)
```
At first I thought it was my own incompetence not unlike this fellow: https://github.com/bokysan/docker-postfix/issues/109
But even when using the autogenerated keys function of the image, DKIM validators still report that the message is not DKIM signed.
When using `docker start -a postfix` to see the STDOUT, it looks like the key files are found by the script. There must be a single step missing for opendkim to actually sign with them. Also, not sure if relevant or not, but it seems that the KeyTable, SigningTable, and TrustedHosts files are missing from `/etc/opendkim/`. All this using `boky/postfix:latest`, that is, the Alpine version. Not tested using the Ubuntu one.
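The two comments above turn on the same detail: what `/scripts/common-run.sh` should write into OpenDKIM's KeyTable and SigningTable for a sender domain that is a FQDN (`mail.mydomain.com`) rather than an apex (`mydomain.com`), and what happens when those tables are not written at all. The script below is an added example written for this thread; it is not the boky/postfix project's `common-run.sh` and does not reproduce its behaviour. It assumes (these are not from the thread) a selector named `mail`, private keys stored as `<domain>.private` in `$KEYDIR`, and tables written to an output directory you choose. What it does show, for either kind of domain, is the OpenDKIM table semantics: a KeyTable line is `<keyname> <domain>:<selector>:<keyfile>`, a SigningTable (`refile:`) line is `*@<domain> <keyname>`, and a verifier resolves `<selector>._domainkey.<domain>` in DNS, so for a FQDN sender the TXT record has to exist under `mail._domainkey.mail.mydomain.com`, whatever the key file is called. A domain whose private key is missing is skipped with a warning instead of silently producing a table that signs nothing.

```sh
#!/bin/sh
# Added example for the thread above: generate OpenDKIM KeyTable, SigningTable
# and TrustedHosts for a space-separated list of sender domains, apex or FQDN.
# Not the boky/postfix project's own script. Assumptions: selector "mail",
# private keys named <domain>.private under $KEYDIR (both are hypothetical
# defaults, override them via the environment).

SELECTOR="${SELECTOR:-mail}"
KEYDIR="${KEYDIR:-/etc/opendkim/keys}"

# KeyTable line: <keyname> <domain>:<selector>:<private-key-path>
# The key name is free-form; we use the DNS name a verifier will query,
# <selector>._domainkey.<domain>, so the required TXT record is visible at a
# glance (for mail.mydomain.com that is mail._domainkey.mail.mydomain.com).
keytable_line() {
    domain="$1"
    printf '%s._domainkey.%s %s:%s:%s/%s.private\n' \
        "$SELECTOR" "$domain" "$domain" "$SELECTOR" "$KEYDIR" "$domain"
}

# SigningTable (refile) line: every From: address at <domain> uses <keyname>.
signingtable_line() {
    domain="$1"
    printf '*@%s %s._domainkey.%s\n' "$domain" "$SELECTOR" "$domain"
}

# Write all three tables for the domains in $1 into directory $2.
# A domain without a readable private key is reported and left out: an
# entry pointing at a missing key file would make OpenDKIM sign nothing
# for that domain without any obvious error in the tables themselves.
write_tables() {
    domains="$1"
    outdir="$2"
    mkdir -p "$outdir"
    : > "$outdir/KeyTable"
    : > "$outdir/SigningTable"
    printf '127.0.0.1\n::1\nlocalhost\n' > "$outdir/TrustedHosts"
    for d in $domains; do
        if [ ! -r "$KEYDIR/$d.private" ]; then
            echo "WARN: no key $KEYDIR/$d.private for $d, it will not be signed" >&2
            continue
        fi
        keytable_line "$d" >> "$outdir/KeyTable"
        signingtable_line "$d" >> "$outdir/SigningTable"
        echo "$d" >> "$outdir/TrustedHosts"
    done
}

# Stand-alone demo in a subshell with a constructed, empty key file (no real
# key material): one FQDN with a key present, one apex domain without one.
demo() (
    tmp=$(mktemp -d)
    KEYDIR="$tmp/keys"
    mkdir -p "$KEYDIR"
    : > "$KEYDIR/mail.mydomain.com.private"
    write_tables "mail.mydomain.com mydomain.com" "$tmp/opendkim"
    echo "--- KeyTable";     cat "$tmp/opendkim/KeyTable"
    echo "--- SigningTable"; cat "$tmp/opendkim/SigningTable"
    echo "--- TrustedHosts"; cat "$tmp/opendkim/TrustedHosts"
    rm -rf "$tmp"
)

demo
```

Point `opendkim.conf` at the generated files with `KeyTable refile:<outdir>/KeyTable`, `SigningTable refile:<outdir>/SigningTable` and `InternalHosts <outdir>/TrustedHosts`, and check the DNS side with `opendkim-testkey -d mail.mydomain.com -s mail -vvv` before trusting a signature to verify anywhere else.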