Second domain no DKIM signing #237

JensSpanier opened this issue Sep 26, 2023 · 9 comments

Comments

@JensSpanier

Support guidelines

I've found a bug and checked that ...

  • ... the documentation does not mention anything about my problem
  • ... there are no open or closed issues that are related to my problem

Description

I've added another domain to ANONADDY_ALL_DOMAINS. So my config looks like this:

ANONADDY_DOMAIN=example.com
ANONADDY_ALL_DOMAINS=example.com,example2.com
RSPAMD_ENABLE=true
RSPAMD_NO_LOCAL_ADDRS=true

I also created DKIM keys for both domains. The folder data/dkim has the following files:

  • example.com.private
  • example.com.txt
  • example2.com.private
  • example2.com.txt

Signing mails with DKIM from example.com works just fine. But in mails from example2.com there is no DKIM header.

Expected behaviour

All domains should get a DKIM signature.

Actual behaviour

Only the first domain and custom domains get a DKIM signature.

Steps to reproduce

  1. Add two domains to ANONADDY_ALL_DOMAINS
  2. Create DKIM keys
  3. Send mail to the second domain in ANONADDY_ALL_DOMAINS

Docker info

Client: Docker Engine - Community
 Version:    24.0.6
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.11.2
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.21.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 4
  Running: 3
  Paused: 0
  Stopped: 1
 Images: 3
 Server Version: 24.0.6
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 8165feabfdfe38c65b599c4993d227328c231fca
 runc version: v1.1.8-0-g82f18fe
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 5.15.0-84-generic
 Operating System: Ubuntu 22.04.3 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 957.5MiB
 Name: ina.spnr.de
 ID: 0dd3d1d8-58d7-49a8-8704-2ead68269b64
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Docker Compose config

No response

Logs

/

Additional info

No response

@PaddyPat

Create a DKIM private key only for the master domain example.com, and add a TXT record default._domainkey to the DNS of example.com: dkim,… FJFKKFBFJFKFNFBFBFJFJFB==

For domains added via the AnonAddy web UI, go to DNS and create a CNAME redirecting default._domainkey (in the example2 domain's DNS) to default._domainkey.example.com.

@JensSpanier
Author

Thanks for your reply. But that's not what I was planning to do. I want to add example.com and example2.com globally so every user can use these domains. Adding example2.com via the web UI only allows one user to use this domain.

Like I said, DKIM signing for example.com and all domains added via the web UI by users works fine. But a second global domain doesn't get a DKIM signature.

@willbrowningme
Member

What is the contents of the Rspamd DKIM config file? Typically /etc/rspamd/local.d/dkim_signing.conf but may be different with Docker.

@willbrowningme
Member

I think 14-config-rspamd.sh may need updating to loop over all the domains in ANONADDY_ALL_DOMAINS and to add each of them to the signing table - https://github.com/anonaddy/docker/blob/master/rootfs/etc/cont-init.d/14-config-rspamd.sh#L22-L29

And also update DKIM_PRIVATE_KEY so that it copies all keys from data/dkim. Or just sign all additional domains with the same key to simplify things.
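The loop suggested above, written out as an added example (this is not the anonaddy/docker project's 14-config-rspamd.sh and not code from the thread). It takes a comma-separated ANONADDY_ALL_DOMAINS list and emits Rspamd signing_table and key_table entries for every domain, either one key per domain or, as the second option in the comment above, one shared key for all of them. The key directory, the "default" selector, the `<domain>.private` file naming and the DKIM_DIR / DKIM_SELECTOR / DKIM_SHARED_DOMAIN variable names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not the anonaddy/docker project's own 14-config-rspamd.sh:
# generate the Rspamd dkim_signing tables for every domain in a
# comma-separated ANONADDY_ALL_DOMAINS list, so a second global domain is
# signed too. Key directory, selector and the <domain>.private naming are
# assumptions for this illustration (they mirror the thread's data/dkim layout).

# gen_signing_table "example.com,example2.com"
# -> signing_table with a "*@dom" and a "*@*.dom" rule per domain
gen_signing_table() {
  list=$1
  printf 'signing_table = [\n'
  old_ifs=$IFS
  IFS=,
  for d in $list; do
    d=$(printf '%s' "$d" | tr -d '[:space:]')   # tolerate "a.com, b.com"
    [ -n "$d" ] || continue
    printf '  "*@%s %s",\n' "$d" "$d"
    printf '  "*@*.%s %s",\n' "$d" "$d"
  done
  IFS=$old_ifs
  printf '];\n'
}

# gen_key_table DOMAINS KEYDIR SELECTOR [SHARED_DOMAIN]
# Default: each domain signs with KEYDIR/<domain>.private.
# With SHARED_DOMAIN every domain signs with that one private key (the
# "sign all additional domains with the same key" option). The d= domain
# stays the sending domain, so each extra domain then needs a CNAME from
# <selector>._domainkey.<domain> to <selector>._domainkey.<SHARED_DOMAIN>
# so that verifiers can fetch the public key.
gen_key_table() {
  list=$1 keydir=$2 selector=$3 shared=$4
  printf 'key_table = [\n'
  old_ifs=$IFS
  IFS=,
  for d in $list; do
    d=$(printf '%s' "$d" | tr -d '[:space:]')
    [ -n "$d" ] || continue
    printf '  "%s %s:%s:%s/%s.private",\n' "$d" "$d" "$selector" "$keydir" "${shared:-$d}"
  done
  IFS=$old_ifs
  printf '];\n'
}

# render_dkim_conf DOMAINS KEYDIR SELECTOR [SHARED_DOMAIN] -> complete module config.
# sign_networks (addresses whose unauthenticated submissions may be signed)
# and allow_hdrfrom_mismatch are deliberately separate settings. The CIDRs
# are placeholders to extend with the server's own addresses.
render_dkim_conf() {
  gen_signing_table "$1"
  gen_key_table "$1" "$2" "$3" "$4"
  cat <<'EOF'
sign_networks = [
  "127.0.0.0/8",
  "[::1]/128",
];
use_domain = "envelope";
allow_hdrfrom_mismatch = true;
allow_username_mismatch = true;
use_esld = true;
sign_authenticated = false;
EOF
}

# Only runs when the environment provides the list, e.g.
#   ANONADDY_ALL_DOMAINS=example.com,example2.com sh gen-dkim-conf.sh > dkim_signing.conf
if [ -n "${ANONADDY_ALL_DOMAINS:-}" ]; then
  render_dkim_conf "$ANONADDY_ALL_DOMAINS" "${DKIM_DIR:-/data/dkim}" \
    "${DKIM_SELECTOR:-default}" "${DKIM_SHARED_DOMAIN:-}"
fi
```

Signing a second domain's mail with the first domain's key keeps DKIM verification working, but only if the public key is reachable under the sending domain's selector (the CNAME noted in the comments); otherwise the receiver cannot fetch it and the signature fails regardless of how the tables are written.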

@JensSpanier
Author

In my opinion signing everything with the same key would be fine.

@Waffleophagus

I have been fighting failing DKIM setup on a similar setup to you @JensSpanier for days now. Did you successfully get this solution setup and if so, would you be willing to elaborate on how you set things up in both your configuration (docker/podman/whatever) and DNS? I would wildly appreciate any help!

@JensSpanier
Author

I’m sorry @Waffleophagus, but I couldn't get it to work. I only kept one domain.

@Waffleophagus

Gotcha, thanks for letting me know. I think I finally got DKIM setup and working on one domain, so that'll have to do for now. Thank you for letting me know @JensSpanier!!

@cryptelli

cryptelli commented Jan 20, 2025

Hey @JensSpanier and @Waffleophagus,

I came across this issue while trying to self-host AnonAddy without Docker and was experiencing the same issue you were, except I couldn't sign for the primary domain either.

I started looking into the problem in greater detail and discovered that this line, allow_hdrfrom_mismatch_sign_networks = true; in /etc/rspamd/local.d/dkim_signing.conf, looked to be two separate keys (allow_hdrfrom_mismatch and sign_networks) when reading through the official documentation of rspamd.

In order to test my theory I split sign_networks onto a new line and added the IPs below in table format, and it worked! I now have my instance of AnonAddy DKIM signing three of my global domains (not custom).

In my testing only the external IPs were necessary, but I left the local ones just in case:

sign_networks = [
  "127.0.0.0/8",
  "[::1]/128",
  "anonaddy_server_ipv4",
  "anonaddy_server_ipv6",
];

My final file looks like the below:

signing_table = [
  "*@domain1 domain1",
  "*@*.domain1 domain1",
  "*@domain2 domain2",
  "*@*.domain2 domain2",
  "*@domain3 domain3",
  "*@*.domain3 domain3",
];

key_table = [
  "domain1 domain1:default:/var/lib/rspamd/dkim/domain1.default.key",
  "domain2 domain2:default:/var/lib/rspamd/dkim/domain2.default.key",
  "domain3 domain3:default:/var/lib/rspamd/dkim/domain3.default.key",
];

sign_networks = [
  "127.0.0.0/8",
  "[::1]/128",
  "anonaddy_server_ipv4",
  "anonaddy_server_ipv6",
];

use_domain = "envelope";
allow_hdrfrom_mismatch = true;
allow_username_mismatch = true;
use_esld = true;
sign_authenticated = false;

If you enable rspamd logging for the dkim_signing module, you should see something similar to the below if it's all working correctly.

/etc/rspamd/local.d/logging.inc

level = "error";
debug_modules = ["dkim_signing"];

Checking /etc/rspamd/local.d/dkim_signing.conf, you should see output similar to the below.

2025-01-20 07:03:12 #92348(main) <7y73xi>; cfg; rspamd_config_action_from_ucl: action rewrite subject has no threshold being set and it is not a no threshold action
2025-01-20 07:03:26 #92351(normal) <147B22>; dkim_signing; lua_dkim_tools.lua:195: mail is ineligible for signing
2025-01-20 07:03:27 #92351(normal) <5D4D12>; dkim_signing; lua_dkim_tools.lua:189: mail is from address in sign_networks
2025-01-20 07:03:27 #92351(normal) <5D4D12>; dkim_signing; lua_dkim_tools.lua:275: signing_table: found entry for [email protected]: domain.com
2025-01-20 07:03:27 #92351(normal) <5D4D12>; dkim_signing; lua_dkim_tools.lua:329: perform dkim signing for domain.com, selector=default, domain=domain.com, key file=/var/lib/rspamd/dkim/domain.com.default.key
2025-01-20 07:03:27 #92351(normal) <5D4D12>; dkim_signing; dkim_signing.lua:130: using key "/var/lib/rspamd/dkim/domain.com.default.key", use selector "default" for domain "domain.com"

Hopefully this helps you; if it does, I can look at raising a PR to have the self-hosted documentation updated. Keep me posted 😄.
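The fused-key problem in the comment above is easy to reintroduce by hand-editing the file, and rspamd gives no obvious error for it. As an added example (not from the thread and not part of AnonAddy or rspamd), here is a small shell lint for dkim_signing.conf that flags the fused `allow_hdrfrom_mismatch_sign_networks` key, a missing sign_networks list, signing_table key names with no key_table entry, and key_table paths that are not readable. It assumes the one-entry-per-line table layout shown in the final file above; the function name and messages are this example's own.

```shell
#!/bin/sh
# Added example, not from this thread or the anonaddy projects: a small lint
# for /etc/rspamd/local.d/dkim_signing.conf. It catches the fused option
# described above and cross-checks the two tables. It assumes the
# one-entry-per-line table layout used in the comment.

# check_dkim_conf FILE -> prints one FAIL line per finding, returns 1 if any
check_dkim_conf() {
  conf=$1
  rc=0

  # 1. allow_hdrfrom_mismatch and sign_networks run together into one name.
  #    UCL reads it as a single option that dkim_signing does not know, so
  #    neither setting takes effect.
  if grep -Eq '^[[:space:]]*allow_hdrfrom_mismatch_sign_networks' "$conf"; then
    echo "FAIL: allow_hdrfrom_mismatch_sign_networks is one fused key; use allow_hdrfrom_mismatch = true; and a separate sign_networks = [ ... ];"
    rc=1
  fi

  # 2. With sign_authenticated = false, mail submitted from the server's own
  #    IPs is only eligible when those IPs are listed in sign_networks.
  if ! grep -Eq '^[[:space:]]*sign_networks[[:space:]]*=' "$conf"; then
    echo "FAIL: no sign_networks list"
    rc=1
  fi

  # 3. Every key name referenced by signing_table ("*@dom name") needs a
  #    matching key_table entry ("name dom:selector:path").
  wanted=$(sed -n '/^signing_table/,/^];/p' "$conf" |
           sed -n 's/^[[:space:]]*"[^ ]* \([^"]*\)",*$/\1/p' | sort -u)
  for k in $wanted; do
    if ! sed -n '/^key_table/,/^];/p' "$conf" | grep -Eq "^[[:space:]]*\"$k "; then
      echo "FAIL: signing_table refers to key '$k' with no key_table entry"
      rc=1
    fi
  done

  # 4. Each key_table path must exist and be readable, otherwise the table
  #    entry is found but rspamd cannot load the key.
  paths=$(sed -n '/^key_table/,/^];/p' "$conf" |
          sed -n 's/^[[:space:]]*"[^ ]* [^:]*:[^:]*:\([^"]*\)",*$/\1/p')
  for p in $paths; do
    if [ ! -r "$p" ]; then
      echo "FAIL: key file $p missing or unreadable"
      rc=1
    fi
  done

  return $rc
}

# Usage: check_dkim_conf /etc/rspamd/local.d/dkim_signing.conf && echo OK
```

Run it as the rspamd user (or at least check the key files as that user), since check 4 tests readability for whoever runs the script, and a key that root can read but the `_rspamd` user cannot fails in exactly the same silent way.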
