DKIM for relayed domain (rspamd)

Posted on Thu 23 June 2022 in Linux, Tips4Unices

If you need to send e-mail for a domain through a server other than that domain's default MX, with all the header information correctly rewritten, this guide is for you.

Real world scenario:

  • there is an MX server for the domain dupa.com that you use for normal delivery for users of dupa.com,
  • there is also a phpList service on the very same server that you want to use for mass mailing, but you want your e-mails to look as if they were sent from the domains kurka.pl and wodna.org, with all the SPF and DKIM things magically written in the headers,
  • you are able to edit DNS records and change the configuration of Postfix and rspamd.

The quick solution is as follows:

Postfix

The two e-mail addresses you need to use in the phpList configuration are:

zdzichu@kurka.pl
stefan@wodna.org

Add local e-mail accounts to your Postfix; I will not cover it here because there are many methods to do it. For this solution I will choose:

kurka@dupa.com (will be used for zdzichu@kurka.pl)
wodka@dupa.com (will be used for stefan@wodna.org)

Check that you really can authenticate and send e-mail with them now, so you do not have to untangle it when something fails later.

In the Postfix configuration (/etc/postfix/main.cf) allow your server to be a relay for both kurka.pl and wodna.org:

relay_domains = kurka.pl, wodna.org

Then add the following line, which instructs Postfix how to map particular local addresses to addresses in both external domains:

smtp_generic_maps = hash:/etc/postfix/rewrite_phplist

The content of /etc/postfix/rewrite_phplist is:

kurka@dupa.com zdzichu@kurka.pl
wodka@dupa.com stefan@wodna.org

Do you see how they map together? OK, now build the hash table from this file:

cd /etc/postfix
postmap rewrite_phplist

Run ls to check that the rewrite_phplist.db file was created.

If so, reload Postfix:

systemctl reload postfix
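As an added example (not part of the original guide), here is a small Python preflight that models what smtp_generic_maps does to a sender address and checks that the map file and relay_domains agree before you reload Postfix. The main.cf and map contents are the ones from the steps above, embedded as constructed strings; the lookup order (full address first, then @domain) follows the generic(5) manual, and the function names are mine.

```python
"""Offline preflight for the Postfix part of the relay setup (added example).

Models the sender rewriting done by smtp_generic_maps and checks that every
rewrite target belongs to a domain listed in relay_domains, as the guide
requires. Inputs are constructed copies of the files from the guide.
"""
import re

# Constructed stand-ins for /etc/postfix/main.cf and /etc/postfix/rewrite_phplist.
MAIN_CF = """
myhostname = mail.dupa.com
relay_domains = kurka.pl, wodna.org
smtp_generic_maps = hash:/etc/postfix/rewrite_phplist
"""

REWRITE_PHPLIST = """
# local account        address the outside world should see
kurka@dupa.com zdzichu@kurka.pl
wodka@dupa.com stefan@wodna.org
"""


def parse_main_cf(text):
    """Return {parameter: value} for simple 'name = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_list(value):
    """Postfix lists may be separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def parse_generic_map(text):
    """Return {lookup_key: replacement} from a generic(5)-style table."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\s+", line, maxsplit=1)
        if len(fields) == 2:
            table[fields[0].lower()] = fields[1].strip()
    return table


def rewrite_address(address, table):
    """Apply the generic(5) lookup order: user@domain first, then @domain."""
    local, _, domain = address.lower().partition("@")
    for key in (f"{local}@{domain}", f"@{domain}"):
        if key in table:
            return table[key]
    return address  # no match: Postfix leaves the address untouched


def validate(main_cf_text, map_text):
    """Return a list of problems; an empty list means the setup is consistent."""
    params = parse_main_cf(main_cf_text)
    relay_domains = set(parse_list(params.get("relay_domains", "")))
    table = parse_generic_map(map_text)
    problems = []
    if "smtp_generic_maps" not in params:
        problems.append("smtp_generic_maps is not set, so nothing is rewritten")
    for key, replacement in table.items():
        if "@" not in replacement:
            problems.append(f"{key}: replacement {replacement!r} is not an address")
            continue
        target_domain = replacement.rpartition("@")[2]
        if target_domain not in relay_domains:
            problems.append(
                f"{key} -> {replacement}: {target_domain} is not in relay_domains"
            )
    return problems


if __name__ == "__main__":
    table = parse_generic_map(REWRITE_PHPLIST)
    for sender in ("kurka@dupa.com", "wodka@dupa.com", "root@dupa.com"):
        print(f"{sender} -> {rewrite_address(sender, table)}")
    print("problems:", validate(MAIN_CF, REWRITE_PHPLIST) or "none")
```

The same check against the real files is a matter of reading /etc/postfix/main.cf and the map file from disk instead of the embedded strings; a non-empty problem list is the cue to fix the map before running postmap.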

SPF

Add the IP address of dupa.com to the SPF record in your DNS zone for kurka.pl; it should look something like:

"v=spf1 a mx ip4:yyy.yyy.yyy.yyy ip4:xxx.xxx.xxx.xxx  ~all"

where yyy.yyy.yyy.yyy is the IP of kurka.pl and xxx.xxx.xxx.xxx that of dupa.com.

Then the same for wodna.org:

"v=spf1 a mx ip4:zzz.zzz.zzz.zzz ip4:xxx.xxx.xxx.xxx ~all"

where zzz.zzz.zzz.zzz is the IP of wodna.org, and xxx.xxx.xxx.xxx is... guess what? Of course, dupa.com again.
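To confirm the published records actually list the relay, here is an added Python check (mine, not from the guide) that parses an SPF record and tells you whether a given IP is covered by an ip4/ip6 mechanism, with what qualifier, and how many DNS-lookup terms the record spends against the limit of 10 in RFC 7208. It works offline, so a, mx and include are counted but not resolved; the records and addresses below are constructed stand-ins for the xxx/yyy/zzz values above, taken from the documentation IP ranges.

```python
"""Offline SPF sanity check for the relay IP (added example).

Only ip4/ip6 mechanisms are evaluated; a, mx, include, exists, ptr and
redirect need DNS and are merely counted. Records and IPs are constructed.
"""
import ipaddress

DNS_LOOKUP_TERMS = {"a", "mx", "include", "exists", "redirect", "ptr"}

# Constructed values standing in for xxx (dupa.com), yyy (kurka.pl), zzz (wodna.org).
DUPA_IP = "203.0.113.10"
KURKA_SPF = "v=spf1 a mx ip4:198.51.100.5 ip4:203.0.113.10 ~all"
WODNA_SPF = "v=spf1 a mx ip4:198.51.100.77 ~all"   # relay IP forgotten


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, sep, arg = term.partition(":")
        if not sep:
            name, sep, arg = term.partition("=")   # modifiers use '='
        terms.append((qualifier, name.lower(), arg))
    return terms


def ip_listed(record, ip):
    """True when ip matches an ip4/ip6 mechanism whose qualifier is pass (+)."""
    addr = ipaddress.ip_address(ip)
    for qualifier, name, arg in parse_spf(record):
        if name not in ("ip4", "ip6"):
            continue
        try:
            network = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            continue                        # malformed mechanism, skip it
        if addr in network:                 # first match wins, as in SPF
            return qualifier == "+"
    return False


def dns_lookup_count(record):
    """Number of terms that consume the RFC 7208 limit of 10 DNS lookups."""
    return sum(1 for _, name, _ in parse_spf(record) if name in DNS_LOOKUP_TERMS)


def check_relay(record, relay_ip):
    """Summarise whether the record allows the relay and how it ends."""
    terms = parse_spf(record)
    qualifier, name, _ = terms[-1] if terms else ("+", "", "")
    return {
        "relay_listed": ip_listed(record, relay_ip),
        "dns_lookups": dns_lookup_count(record),
        "default": f"{qualifier}{name}" if name == "all" else "(no all term)",
    }


if __name__ == "__main__":
    for domain, record in (("kurka.pl", KURKA_SPF), ("wodna.org", WODNA_SPF)):
        print(domain, check_relay(record, DUPA_IP))
```

In practice you would feed it the TXT record fetched with dig (for example `dig +short TXT kurka.pl`) and the relay's public address; a result of relay_listed False means mail relayed through dupa.com will fail SPF for that domain regardless of what DKIM does.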

RSPAMD

Now we need DKIM keys for both external domains. I presume that you already have DKIM records in your DNS zones; I will not cover that here, look for it on the Internet or ask your local guru.

Copy both DKIM private keys to the dupa.com server, into the /var/lib/rspamd/dkim/ folder. The key for dupa.com should already be there as dupa.key.

Let's say the key file for kurka.pl is named kurka.key and the key file for wodna.org is named wodna.key.

Now edit the file /etc/rspamd/local.d/dkim_signing.conf and put the following directives in it:

# Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;

# If true, an envelope/header domain mismatch is ignored;
# this allows signing of e-mail from the external domains
allow_hdrfrom_mismatch = true;

# Also sign e-mail from local senders
sign_local = true;

# This maps domains to their corresponding keys
domain {
    # DUPA.COM (we want to sign the original e-mails too)
    dupa.com {
        # Private key path
        path = "/var/lib/rspamd/dkim/dupa.key";
        selector = "dupa2022";
    }
    # KURKA.PL
    kurka.pl {
        # Private key path
        path = "/var/lib/rspamd/dkim/kurka.key";
        selector = "kurka2022";
    }
    # WODNA.ORG
    wodna.org {
        # Private key path
        path = "/var/lib/rspamd/dkim/wodna.key";
        selector = "wodna2022";
    }
}
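Before restarting rspamd it is worth deriving, from this file, what else must be in place: one TXT record per domain at selector._domainkey.domain holding the public half of each key, and a private key file that exists and is not world-readable. The Python below is an added example of mine, not part of the guide or of rspamd; it parses the domain {} block in exactly the shape used above (the config is embedded as a constructed string) and checks key files in a directory you pass in, so the demo uses a temporary directory with constructed empty key files instead of /var/lib/rspamd/dkim. Note that allow_hdrfrom_mismatch and allow_username_mismatch are what make the relay work, and they also mean rspamd will sign for all three domains for any sender this server accepts, so the submission authentication you verified in the Postfix step is what protects the keys.

```python
"""What the dkim_signing.conf domain block implies (added example).

Lists the DNS names that must carry the public keys and checks that the
private key files exist and are not world-readable. The config string is
copied from the guide; the demo key files are constructed in a temp dir.
"""
import os
import re
import stat
import tempfile

DKIM_SIGNING_CONF = """
allow_username_mismatch = true;
allow_hdrfrom_mismatch = true;
sign_local = true;
domain {
    # DUPA.COM
    dupa.com  { path = "/var/lib/rspamd/dkim/dupa.key";  selector = "dupa2022"; }
    kurka.pl  { path = "/var/lib/rspamd/dkim/kurka.key"; selector = "kurka2022"; }
    wodna.org { path = "/var/lib/rspamd/dkim/wodna.key"; selector = "wodna2022"; }
}
"""

DOMAIN_BLOCK = re.compile(r'([\w.-]+)\s*\{([^{}]*)\}')   # one per-domain block
SETTING = re.compile(r'(\w+)\s*=\s*"?([^";]+)"?\s*;')    # key = "value";


def strip_comments(text):
    """Drop '#' comments so words inside them cannot confuse the parser."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_domains(conf):
    """Return {domain: {"path": ..., "selector": ...}} from the domain {} block."""
    text = strip_comments(conf)
    outer = re.search(r"\bdomain\s*\{", text)
    if not outer:
        return {}
    inner = text[outer.end():]
    return {name: dict(SETTING.findall(body)) for name, body in DOMAIN_BLOCK.findall(inner)}


def top_level_flags(conf):
    """Settings that appear before the domain {} block, e.g. the mismatch switches."""
    text = strip_comments(conf)
    outer = re.search(r"\bdomain\s*\{", text)
    head = text[: outer.start()] if outer else text
    return {key: value.strip() for key, value in SETTING.findall(head)}


def dns_names(domains):
    """TXT record names that must hold the matching public keys."""
    return [f"{d['selector']}._domainkey.{name}" for name, d in domains.items()]


def key_file_problems(domains, key_dir):
    """Check each configured key exists in key_dir and is not world-readable."""
    problems = []
    for name, d in domains.items():
        path = os.path.join(key_dir, os.path.basename(d["path"]))
        if not os.path.isfile(path):
            problems.append(f"{name}: missing key file {path}")
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IROTH:
            problems.append(f"{name}: {path} is world-readable (mode {mode:o})")
    return problems


def demo_key_check():
    """Run the file check against constructed keys: one good, one loose, one missing."""
    domains = parse_domains(DKIM_SIGNING_CONF)
    with tempfile.TemporaryDirectory() as tmp:
        for filename, mode in (("dupa.key", 0o600), ("kurka.key", 0o644)):
            path = os.path.join(tmp, filename)
            open(path, "w").close()
            os.chmod(path, mode)
        return key_file_problems(domains, tmp)   # wodna.key is never created


if __name__ == "__main__":
    domains = parse_domains(DKIM_SIGNING_CONF)
    print("flags:", top_level_flags(DKIM_SIGNING_CONF))
    print("publish public keys at:", *dns_names(domains), sep="\n  ")
    print("demo problems:", *demo_key_check(), sep="\n  ")
```

Against the live host you would call key_file_problems(parse_domains(open("/etc/rspamd/local.d/dkim_signing.conf").read()), "/var/lib/rspamd/dkim") and then query each name from dns_names() with dig TXT to confirm the selector is published.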

Save it and copy the file /etc/rspamd/local.d/dkim_signing.conf to /etc/rspamd/local.d/arc.conf (the arc module uses the same configuration format):

cd /etc/rspamd/local.d/
cp dkim_signing.conf arc.conf

Now, restart rspamd:

systemctl restart rspamd

Now it should work.

You can check it with the following tool: https://www.mail-tester.com/

In case something is wrong, you can check the rspamd log for DKIM errors; add the following lines to /etc/rspamd/local.d/logging.inc:

type = "file";
filename = "/var/log/rspamd/rspamd.log";
level = "error";
debug_modules = ["dkim_signing"];

Then watch what happens in the log file:

tail -f /var/log/rspamd/rspamd.log

Remember to comment out the last line (debug_modules) when you have finished debugging.

Thanks for listening, don't comment (no comments), you can share it wherever you want.