Mails not DKIM-signed when sent through Mailcow's unauthenticated relay #6289

Simon1511 · 2025-02-02T15:50:32Z

Contribution guidelines

I've read the contribution guidelines and wholeheartedly agree

I've found a bug and checked that ...

... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
... I have understood that answers are voluntary and community-driven, and not commercial support.
... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

I set up Mailcow and enabled DKIM. Outgoing mails sent via SOGo or authenticated SMTPS will be successfully DKIM-signed (tested with dmarctester and MXToolbox). After enabling unauthenticated relaying as described in the docs and trying to send mail via it they will be sent as normal, but they wont be DKIM-signed (again, verified via dmarctester/MXToolbox).  I was using MailU before with the same setup (unauthenticated relay) and mails were signed correctly through the unauthenticated relay. Outgoing mail is always sent via a smarthost. The smarthost is not the issue as MailU could send DKIM-signed messages through it just fine.

Logs:

Postfix logs: (Not sure whats responsible exactly for DKIM signing)

postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/postscreen[376]: CONNECT from [192.168.178.39]:60689 to [172.22.1.253]:25
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/postscreen[376]: ALLOWLISTED [192.168.178.39]:60689
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/smtpd[379]: connect from unknown[192.168.178.39]
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/smtpd[379]: 603C92008D8: client=unknown[192.168.178.39]
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/cleanup[380]: 603C92008D8: message-id=<>
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/qmgr[343]: 603C92008D8: from=<[email protected]>, size=356, nrcpt=1 (queue active)
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/smtpd[379]: disconnect from unknown[192.168.178.39] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/smtp[381]: Trusted TLS connection established to 192.168.178.230[192.168.178.230]:26: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/smtp[381]: 603C92008D8: to=<[email protected]>, relay=192.168.178.230[192.168.178.230]:26, delay=0.66, delays=0.27/0.06/0.26/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D975FA1D1)
postfix-mailcow-1  | Feb  2 16:07:16 2cd046d5fadc postfix/qmgr[343]: 603C92008D8: removed
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/postscreen[405]: CONNECT from [192.168.178.39]:61033 to [172.22.1.253]:25
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/postscreen[405]: ALLOWLISTED [192.168.178.39]:61033
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/smtpd[408]: connect from unknown[192.168.178.39]
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/smtpd[408]: 34A242008D8: client=unknown[192.168.178.39]
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/cleanup[409]: 34A242008D8: message-id=<>
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/qmgr[343]: 34A242008D8: from=<[email protected]>, size=370, nrcpt=1 (queue active)
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/smtpd[408]: disconnect from unknown[192.168.178.39] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/smtp[410]: Trusted TLS connection established to 192.168.178.230[192.168.178.230]:26: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/smtp[410]: 34A242008D8: to=<[email protected]>, relay=192.168.178.230[192.168.178.230]:26, delay=0.48, delays=0.17/0.06/0.18/0.08, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 95F0CA233)
postfix-mailcow-1  | Feb  2 16:17:51 2cd046d5fadc postfix/qmgr[343]: 34A242008D8: removed
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/postscreen[423]: CONNECT from [192.168.178.39]:61158 to [172.22.1.253]:25
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/postscreen[423]: ALLOWLISTED [192.168.178.39]:61158
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/smtpd[426]: connect from unknown[192.168.178.39]
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/smtpd[426]: 5C4092008D8: client=unknown[192.168.178.39]
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/cleanup[427]: 5C4092008D8: message-id=<>
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/qmgr[343]: 5C4092008D8: from=<[email protected]>, size=370, nrcpt=1 (queue active)
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/smtpd[426]: disconnect from unknown[192.168.178.39] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/smtp[429]: Trusted TLS connection established to 192.168.178.230[192.168.178.230]:26: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/smtp[429]: 5C4092008D8: to=<[email protected]>, relay=192.168.178.230[192.168.178.230]:26, delay=0.46, delays=0.16/0.05/0.18/0.07, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as BB346A2E6)
postfix-mailcow-1  | Feb  2 16:22:36 2cd046d5fadc postfix/qmgr[343]: 5C4092008D8: removed

Steps to reproduce:

1. Enable unauthenticated relaying as described in the Docs
2. Send an email via unauthenticated SMTP port 25 (for example using Powershell's Send-MailMessage) to an external recipient (I tested with Gmail and DMarcTester/MXToolbox)
3. Check DKIM results from MXtoolBox/Dmarctester -> Result: Message not signed, no DKIM signature was provided

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Debian 12

Server/VM specifications:

8GB RAM, 300GB NVMe, 4c/4t

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

27.5.1

docker-compose version or docker compose version:

v2.32.4

mailcow version:

2025-01

Reverse proxy:

none

Logs of git diff:

No changes except for TLS-certificate and unauthenticated relay:

local_addrs = [127.0.0.0/8, ::ffff:127.0.0.0/104, ::1/128, fe80::/10, 172.22.1.0/24, fd4d:6169:6c63:6f77::/64, 192.168.178.0/24, 10.0.0.0/16];

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.168.178.0/24 10.0.0.0/16

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
16210   12M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
16722   12M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
16722   12M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
 5589 5933K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    4   208 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 4778 1225K ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      br-529043ecdb16  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      br-529043ecdb16  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-529043ecdb16 !br-529043ecdb16  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-529043ecdb16 br-529043ecdb16  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  *      br-f48a34e53f22  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     0    --  *      br-f48a34e53f22  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-f48a34e53f22 !br-f48a34e53f22  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-f48a34e53f22 br-f48a34e53f22  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-6b0015a15481 br-6b0015a15481  0.0.0.0/0            0.0.0.0/0
 3736  583K ACCEPT     0    --  *      br-aa2478d296d0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  167  9840 DOCKER     0    --  *      br-aa2478d296d0  0.0.0.0/0            0.0.0.0/0
 4411 1316K ACCEPT     0    --  br-aa2478d296d0 !br-aa2478d296d0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            0.0.0.0/0
 8252 1142K ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   92  5520 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
 6957   12M ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (5 references)
 pkts bytes target     prot opt in     out     source               destination
   92  5520 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9001
   40  2252 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:25
    0     0 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:80
    0     0 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:110
    0     0 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:143
   69  4140 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:443
    0     0 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:465
    0     0 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:587
   58  3448 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:993
    0     0 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:995
    0     0 ACCEPT     6    --  !br-aa2478d296d0 br-aa2478d296d0  0.0.0.0/0            192.168.203.4        tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:3306
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    3   156 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    1    52 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:4444
    0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:8083

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4778 1225K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-529043ecdb16 !br-529043ecdb16  0.0.0.0/0            0.0.0.0/0

    0     0 DOCKER-ISOLATION-STAGE-2  0    --  br-f48a34e53f22 !br-f48a34e53f22  0.0.0.0/0            0.0.0.0/0

    0     0 DROP       0    --  *      br-6b0015a15481 !172.18.0.0/16        0.0.0.0/0
    0     0 DROP       0    --  br-6b0015a15481 *       0.0.0.0/0           !172.18.0.0/16
 4411 1316K DOCKER-ISOLATION-STAGE-2  0    --  br-aa2478d296d0 !br-aa2478d296d0  0.0.0.0/0            0.0.0.0/0

 6957   12M DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
82193  303M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      br-529043ecdb16  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      br-f48a34e53f22  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      br-aa2478d296d0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
37645   32M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
16793 1651K f2b-bad-auth  6    --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 1:1024
82193  303M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Chain f2b-bad-auth (1 references)
 pkts bytes target     prot opt in     out     source               destination
16793 1651K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Logs of ip6tables -L -vn:

No IPv6 configured currently.

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
22027 1252K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   19  1176 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1836  135K MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0
    0     0 MASQUERADE  0    --  *      !br-529043ecdb16  172.20.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  0    --  *      !br-f48a34e53f22  172.19.0.0/16        0.0.0.0/0
  621 47736 MASQUERADE  0    --  *      !br-aa2478d296d0  192.168.203.0/24     0.0.0.0/0
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  6    --  *      *       172.17.0.2           172.17.0.2           tcp dpt:9001
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:80
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:443
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       192.168.203.4        192.168.203.4        tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  6    --  *      *       172.22.1.5           172.22.1.5           tcp dpt:3306
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  6    --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  6    --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587
    0     0 MASQUERADE  6    --  *      *       172.22.1.10          172.22.1.10          tcp dpt:4444
    0     0 MASQUERADE  6    --  *      *       172.22.1.10          172.22.1.10          tcp dpt:8083

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
   54  3240 RETURN     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  br-529043ecdb16 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  br-f48a34e53f22 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0
   94  5640 DNAT       6    --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9001 to:172.17.0.2:9001
   41  2312 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:192.168.203.4:25
    0     0 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:192.168.203.4:80
    0     0 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:192.168.203.4:110
    0     0 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:192.168.203.4:143
   69  4140 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4443 to:192.168.203.4:443
    9   540 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:192.168.203.4:465
    0     0 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:192.168.203.4:587
   59  3508 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:192.168.203.4:993
    0     0 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:192.168.203.4:995
    0     0 DNAT       6    --  !br-aa2478d296d0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:192.168.203.4:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.5:3306
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1105 to:172.22.1.250:110
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1435 to:172.22.1.250:143
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9935 to:172.22.1.250:993
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9955 to:172.22.1.250:995
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:41905 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    3   156 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:255 to:172.22.1.253:25
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4655 to:172.22.1.253:465
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5875 to:172.22.1.253:587
    1    52 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4444 to:172.22.1.10:4444
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8083 to:172.22.1.10:8083

Logs of ip6tables -L -vn -t nat:

No IPv6 configured currently.

DNS check:

104.18.32.7
172.64.155.249

The text was updated successfully, but these errors were encountered:

Simon1511 · 2025-02-02T17:10:08Z

Ok, so, after randomly playing around with all kinds of settings I finally figured this out.

I had already added my networks (192.168.178.0/24 and 10.0.0.0/16) to Mailcow's "Forwarding hosts", and had them set to "Disable Spam Filter". Apparently, rspamd (which is responsible for spam filtering), does something(?) with DKIM and having the spam filter disabled for those specific networks would result in my mails bypassing rspamd and not being DKIM signed. I have no idea why this breaks DKIM but perhaps someone with some more knowledge on that topic could step in and help here.

I'm not sure if this is actually a bug now or "intended behaviour". In the latter case it should probably be stated in the docs that hosts/networks might be needed to be added to forwarding hosts, and that it can break DKIM.

FreddleSpl0it · 2025-02-03T11:29:38Z

Rspamd only dkim signs authenticated emails https://rspamd.com/doc/modules/dkim_signing.html#principles-of-operation
dkim settings are defined here

mailcow-dockerized/data/conf/rspamd/local.d/dkim_signing.conf

Lines 32 to 35 in 244d4b8

    
           # forwards are arc signed, rejects are dkim signed 
        
           sign_networks = "/etc/rspamd/custom/dovecot_trusted.map"; 
        
           use_domain_sign_networks = "header"; 
        
           sign_headers = "from:sender:reply-to:subject:date:message-id:to:cc:mime-version:content-type:content-transfer-encoding:content-language:resent-to:resent-cc:resent-from:resent-sender:resent-message-id:in-reply-to:references:list-id:list-help:list-owner:list-unsubscribe:list-subscribe:list-post:list-unsubscribe-post:disposition-notification-to:disposition-notification-options:original-recipient:openpgp:autocrypt";

Simon1511 added the bug label Feb 2, 2025

FreddleSpl0it closed this as completed Feb 3, 2025

FreddleSpl0it added not-a-bug and removed bug labels Feb 3, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mails not DKIM-signed when sent through Mailcow's unauthenticated relay #6289

Mails not DKIM-signed when sent through Mailcow's unauthenticated relay #6289

Simon1511 commented Feb 2, 2025

Simon1511 commented Feb 2, 2025

FreddleSpl0it commented Feb 3, 2025

Mails not DKIM-signed when sent through Mailcow's unauthenticated relay #6289

Mails not DKIM-signed when sent through Mailcow's unauthenticated relay #6289

Comments

Simon1511 commented Feb 2, 2025

Contribution guidelines

I've found a bug and checked that ...

Description

Logs:

Steps to reproduce:

Which branch are you using?

Which architecture are you using?

Operating System:

Server/VM specifications:

Is Apparmor, SELinux or similar active?

Virtualization technology:

Docker version:

docker-compose version or docker compose version:

mailcow version:

Reverse proxy:

Logs of git diff:

Logs of iptables -L -vn:

Logs of ip6tables -L -vn:

Logs of iptables -L -vn -t nat:

Logs of ip6tables -L -vn -t nat:

DNS check:

Simon1511 commented Feb 2, 2025

FreddleSpl0it commented Feb 3, 2025