[Rspamd-Users] Solved: dkim_signing: final DKIM domain cuts off subsubdomain

Dauser Martin Johannes mdauser at cs.plus.ac.at
Wed Apr 12 14:31:27 UTC 2023


On Tue, 2023-04-11 at 17:56 +0100, Vsevolod Stakhov wrote:
> On 11/04/2023 16:15, Dauser Martin Johannes wrote:
> > Hi!
> > 
> > I don't get DKIM signing because module dkim_signing thinks it needs to cut off the subsubdomain:
> > 
> > Apr 11 16:34:11 brieftaube rspamd[458053]: <42172b>; dkim_signing; lua_dkim_tools.lua:183: user is authenticated
> > Apr 11 16:34:11 brieftaube rspamd[458053]: <42172b>; dkim_signing; lua_dkim_tools.lua:405: use domain(envelope) for signature: cs.sbg.ac.at
> > Apr 11 16:34:11 brieftaube rspamd[458053]: <42172b>; dkim_signing; lua_dkim_tools.lua:425: final DKIM domain: sbg.ac.at
> > 
> > After that it tries to find a fitting key file, which doesn't exist as this is the domain of another mail server.
> > 
> > Any idea why this happens?
> > Best regards
> > Dauser Martin
> > 
> > ##################
> > dkim_signing.conf
> > ##################
> > enabled = true
> > try_fallback = true;
> > path = "/var/lib/rspamd/dkim/$domain.$selector.key";
> > selector_map = "/etc/rspamd/local.d/dkim_selectors.map";
> >   # content of dkim_selectors.map:
> >   # <domain>      <selector>
> >   # cs.sbg.ac.at  dkim20230202
> > path_map = "/etc/rspamd/local.d/dkim_paths.map";
> >   # content of dkim_path.map:
> >   # <domain>      <path>
> >   # cs.sbg.ac.at  /var/lib/rspamd/dkim/cs.sbg.ac.at.$selector.key
> > 
> > 
> > sign_networks [
> >      "141.201.2.0/24",
> > ]
> > sign_local = true;
> > sign_authenticated = true;
> > 
> > use_domain = "envelope";
> > use_domain_sign_networks = "envelope";
> > use_domain_sign_local = "envelope";
> > 
> > allow_username_mismatch = true;
> > allow_hdrfrom_mismatch = true;
> > 
> > 
> > 
> > sign_headers = (o)from:(x)sender:(o)reply-to:(x)date:(x)message-
> > id:(o)to:(o)cc:(x)mime-version:(x)content-type:(x)content-transfer-
> > encoding:resent-to:resent-cc:resent-from:resent-sender:resent-message-
> > id:(x)in->
> 
> You can add `use_esld = false` to your configuration to avoid such 
> behaviour (see [1] for details). However, I don't remember if that will 
> be ok from the perspective of DMARC.
> 
> [1]: https://rspamd.com/doc/modules/dkim_signing.html
> 
Many thanks for your help!
`use_esld = false` did the trick. DMARC is totally fine using
subdomains. You only need matching DNS entries (DKIM, SPF, DMARC) on
subdomain level.

Thank you again,
Dauser Martin
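
The following is an added example, not part of the original posts and not rspamd's own code: a simplified Python model of the domain reduction seen in the log, showing why the map entries for cs.sbg.ac.at are missed when the eSLD is used, and how DMARC alignment treats the subdomain signature. The two-entry suffix set and all function names are assumptions made for illustration; the map contents are taken from the comments in the posted configuration.

```python
# Constructed stand-in for the Public Suffix List (no wildcard/exception rules).
PUBLIC_SUFFIXES = {"at", "ac.at"}

# Map contents copied from the comments in the posted dkim_signing.conf.
SELECTOR_MAP = {"cs.sbg.ac.at": "dkim20230202"}
PATH_MAP = {"cs.sbg.ac.at": "/var/lib/rspamd/dkim/cs.sbg.ac.at.$selector.key"}


def esld(domain, suffixes=PUBLIC_SUFFIXES):
    """Effective second-level domain: longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning from the left, the first hit is the longest matching suffix.
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD


def final_dkim_domain(envelope_domain, use_esld):
    """Domain used for d= and for the map lookups (hypothetical helper)."""
    return esld(envelope_domain) if use_esld else envelope_domain.lower()


def resolve_key(envelope_domain, use_esld):
    """Return (d= domain, selector, key path); None entries mean no map match."""
    d = final_dkim_domain(envelope_domain, use_esld)
    selector, path = SELECTOR_MAP.get(d), PATH_MAP.get(d)
    if selector is None or path is None:
        return d, None, None
    return d, selector, path.replace("$selector", selector)


def dmarc_dkim_aligned(from_domain, d_domain, strict=False):
    """DMARC DKIM alignment: exact match (adkim=s) or same organizational
    domain (adkim=r, the default)."""
    if strict:
        return from_domain.lower() == d_domain.lower()
    return esld(from_domain) == esld(d_domain)


if __name__ == "__main__":
    for flag in (True, False):
        print("use_esld =", flag, "->", resolve_key("cs.sbg.ac.at", flag))
    print("strict alignment with d=cs.sbg.ac.at:",
          dmarc_dkim_aligned("cs.sbg.ac.at", "cs.sbg.ac.at", strict=True))
```

With the reduction enabled the lookup is made for sbg.ac.at, which has no entry in either map; with it disabled the signature carries d=cs.sbg.ac.at, which aligns with a From: address in cs.sbg.ac.at under both strict and relaxed DMARC alignment.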



