If you need to send e-mail for a domain through a server that is not that domain's default MX, with all header information correctly rewritten, this guide is for you.
Real-world scenario:
- there is an MX server for the domain dupa.com that you use for normal delivery for users from dupa.com,
- there is also a phpList service on the very same server that you want to use for mass mailing, but you want your emails to look as if they were sent from the domains kurka.pl and wodna.org, with all the SPF and DKIM things magically written in the headers,
- you are able to edit DNS records and change the configuration of Postfix and rspamd.
The quick solution looks like this:
Postfix
The two email addresses to be used in the phpList configuration are:
zdzichu@kurka.pl
stefan@wodna.org
Add local email accounts to your Postfix. I will not cover it here because there are many methods to do it. For this solution I will choose:
kurka@dupa.com (will be used for zdzichu@kurka.pl)
wodka@dupa.com (will be used for stefan@wodna.org)
Check that you really can authenticate and send emails with these accounts, so you do not have to mess with it when something does not work later.
In the Postfix configuration (/etc/postfix/main.cf), allow your server to be a relay for both kurka.pl and wodna.org:
relay_domains = kurka.pl, wodna.org
Then add the following line, which instructs Postfix how to map particular local addresses to addresses from both external domains:
smtp_generic_maps = hash:/etc/postfix/rewrite_phplist
The content of /etc/postfix/rewrite_phplist is:
kurka@dupa.com zdzichu@kurka.pl
wodka@dupa.com stefan@wodna.org
Do you see how they map together? OK, now make a hash table from this file:
cd /etc/postfix
postmap rewrite_phplist
Run ls to check that the rewrite_phplist.db file was created.
If so, reload Postfix:
systemctl reload postfix
SPF
Add the IP address of dupa.com to the SPF record in the DNS zone for kurka.pl; it should be something like:
"v=spf1 a mx ip4:yyy.yyy.yyy.yyy ip4:xxx.xxx.xxx.xxx ~all"
where yyy.yyy.yyy.yyy is the IP of kurka.pl, and xxx.xxx.xxx.xxx is the IP of dupa.com.
Then do the same for wodna.org:
"v=spf1 a mx ip4:zzz.zzz.zzz.zzz ip4:xxx.xxx.xxx.xxx ~all"
where zzz.zzz.zzz.zzz is the IP of wodna.org, and xxx.xxx.xxx.xxx is the IP of… guess what? Of course, also dupa.com.
RSPAMD
Now we need DKIM keys for both external domains. I presume that you already have DKIM records in your DNS zone. I will not cover it here; look for it on the Internet or ask your local guru.
Copy both DKIM private keys to the dupa.com server, into the /var/lib/rspamd/dkim/ folder. The key for dupa.com should already be there as dupa.key.
Let's say the key file for kurka.pl is named kurka.key and the key file for wodna.org is named wodna.key.
Now edit the file /etc/rspamd/local.d/dkim_signing.conf and put the following directives in it:
### Enable DKIM signing for alias sender addresses
allow_username_mismatch = true;
# If true, envelope/header domain mismatch is ignored;
# this allows signing emails from external domains
allow_hdrfrom_mismatch = true;
# Also sign local emails
sign_local = true;
# Map each domain to its key
domain {
    # DUPA.COM (we still want to sign the original emails)
    dupa.com {
        # Private key path
        path = "/var/lib/rspamd/dkim/dupa.key";
        selector = "dupa2022";
    }
    # KURKA.PL
    kurka.pl {
        # Private key path
        path = "/var/lib/rspamd/dkim/kurka.key";
        selector = "kurka2022";
    }
    # WODNA.ORG
    wodna.org {
        # Private key path
        path = "/var/lib/rspamd/dkim/wodna.key";
        selector = "wodna2022";
    }
}
Save it and copy the file /etc/rspamd/local.d/dkim_signing.conf to /etc/rspamd/local.d/arc.conf:
cd /etc/rspamd/local.d/
cp dkim_signing.conf arc.conf
Now, restart rspamd:
systemctl restart rspamd
Now, it should work.
You can check it with the following tool: https://www.mail-tester.com/
In case something is wrong, you can check the rspamd log for DKIM errors. Add the following lines to /etc/rspamd/local.d/logging.inc:
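Before sending a test message, the three pieces configured above (the generic map, the SPF records and the rspamd key blocks) can be cross-checked offline. The Python code below is an added example, not part of the original guide; the function names, sample inputs and IP addresses are constructed, and only ip4: terms of an SPF record are evaluated.

```python
import ipaddress
import re
# Constructed inputs modelled on this guide; wodna.org is left incomplete on purpose.
GENERIC_MAP = """\
kurka@dupa.com zdzichu@kurka.pl
wodka@dupa.com stefan@wodna.org
"""
DKIM_CONF = """\
domain {
  dupa.com { path = "/var/lib/rspamd/dkim/dupa.key"; selector = "dupa2022"; }
  kurka.pl { path = "/var/lib/rspamd/dkim/kurka.key"; selector = "kurka2022"; }
}
"""
# 192.0.2.10 stands in for xxx.xxx.xxx.xxx (dupa.com); all addresses are made up.
SPF = {
    "kurka.pl": "v=spf1 a mx ip4:198.51.100.7 ip4:192.0.2.10 ~all",
    "wodna.org": "v=spf1 a mx ip4:203.0.113.5 ~all",
}

def rewritten_domains(generic_map):
    """Domains on the right-hand side of the smtp_generic_maps table."""
    domains = set()
    for line in generic_map.splitlines():
        fields = line.split()
        if len(fields) == 2 and not fields[0].startswith("#"):
            domains.add(fields[1].rsplit("@", 1)[-1].lower())
    return sorted(domains)

def dkim_domains(conf):
    """Names of blocks that directly contain a key path setting."""
    pattern = r"([\w.-]+)\s*\{\s*(?:#[^\n]*\s*)*path\s*="
    return {name.lower() for name in re.findall(pattern, conf)}

def spf_allows_ip4(record, ip):
    """True if an ip4: term covers ip (a, mx and include need DNS, so they are skipped)."""
    addr = ipaddress.ip_address(ip)
    nets = [t.split(":", 1)[1] for t in record.split()[1:]
            if t.lower().lstrip("+").startswith("ip4:")]
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def preflight(generic_map, dkim_conf, spf_records, server_ip):
    """List what is still missing for each domain the generic map rewrites to."""
    signed, problems = dkim_domains(dkim_conf), []
    for d in rewritten_domains(generic_map):
        if d not in signed:
            problems.append(f"{d}: no DKIM key block")
        if not spf_allows_ip4(spf_records.get(d, "v=spf1"), server_ip):
            problems.append(f"{d}: SPF has no ip4 for {server_ip}")
    return problems
```

With the sample data, preflight(GENERIC_MAP, DKIM_CONF, SPF, "192.0.2.10") reports both gaps for wodna.org and nothing for kurka.pl.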
type = "file";
filename = "/var/log/rspamd/rspamd.log";
level = "error";
debug_modules = ["dkim_signing"];
Then watch what happens in the log file:
tail -f /var/log/rspamd/rspamd.log
Remember to comment out the last line when you finish debugging.
Thanks for listening, don’t comment (no comments), you can share it wherever you want.