Postfix with DKIM for a mail relay


Postfix with DKIM for a mail relay

Roberto Carna
Dear, my domain is "example.com".

My cooperative mail server is an Exchange which does not implement DKIM at all.

But also I have a Postfix mail relay for the "example.com" domain.

Is it possible to implement DKIM only in my Postfix server for all the outgoing @example.com mails ??? Or, by doing this, do I affect the outgoing mails from my Exchange server because it sends @example.com mails without DKIM mechanism ???

Thanks a lot !!!

Robert 

Re: Postfix with DKIM for a mail relay

Dominic Raferd
On Wed, 6 Nov 2019 at 16:12, Roberto Carna <[hidden email]> wrote:
> My cooperative mail server is an Exchange which does not implement DKIM at all.
> But also I have a Postfix mail relay for the "example.com" domain.
> Is it possible to implement DKIM only in my Postfix server for all the outgoing @example.com mails ??? Or, by doing this, do I affect the outgoing mails from my Exchange server because it sends @example.com mails without DKIM mechanism ???

It is possible, but in my opinion pointless. In fact DKIM without
DMARC is problematic at least, precisely because there are
organisations which send some emails conforming to one or other
standard (or both) and others emails which do not, and the recipient
cannot be confident that non-conformant emails should be rejected -
the very situation you have in mind.

In theory adding DKIM to some emails should not cause any problems.
Might some recipient MTAs see that your domain has a DKIM record in
DNS and then 'downgrade' (treat as spam) or block emails from such
domain that don't have DKIM? I am not sure how big this risk is, but I
can't see you gain anything by running it.

Are you sure your Exchange server can't implement DKIM?

Re: Postfix with DKIM for a mail relay

Roberto Carna
Dear Dominic, thanks for your interesting comments.

I administer the Postfix mail server, not the Exchange, so I can't do anything to implement DKIM in the second one.

In my Postfix mail server I just have SPF implemented for outgoing mails..... Maybe it's better to add DKIM + DMARC in place of only DKIM ???

Thanks a lot again.



On Wed, 6 Nov 2019 at 13:48, Dominic Raferd (<[hidden email]>) wrote:

Re: Postfix with DKIM for a mail relay

Dominic Raferd
On Wed, 6 Nov 2019 at 17:04, Roberto Carna <[hidden email]> wrote:

> On Wed, 6 Nov 2019 at 13:48, Dominic Raferd (<[hidden email]>) wrote:
>>
>> On Wed, 6 Nov 2019 at 16:12, Roberto Carna <[hidden email]> wrote:
>> > My cooperative mail server is an Exchange which does not implement DKIM at all.
>> > But also I have a Postfix mail relay for the "example.com" domain.
> > Is it possible to implement DKIM only in my Postfix server for all the outgoing @example.com mails ??? Or, by doing this, do I affect the outgoing mails from my Exchange server because it sends @example.com mails without DKIM mechanism ???
>>
>> It is possible, but in my opinion pointless. In fact DKIM without
>> DMARC is problematic at least, precisely because there are
>> organisations which send some emails conforming to one or other
>> standard (or both) and others emails which do not, and the recipient
>> cannot be confident that non-conformant emails should be rejected -
>> the very situation you have in mind.
>>
>> In theory adding DKIM to some emails should not cause any problems.
>> Might some recipient MTAs see that your domain has a DKIM record in
>> DNS and then 'downgrade' (treat as spam) or block emails from such
>> domain that don't have DKIM? I am not sure how big this risk is, but I
>> can't see you gain anything by running it.
>>
>> Are you sure your Exchange server can't implement DKIM?
>
> Dear Dominic, thanks for your interesting comments.
> I administer the Postfix mail server, not the Exchange, so I can't do anything to implement DKIM in the second one.
> In my Postfix mail server I just have SPF implemented for outgoing mails..... Maybe it's better to add DKIM + DMARC in place of only DKIM ???

In this case you can implement DMARC and eventually (when confident)
use p=reject, which I rate highly for stopping straightforward
impersonation of your domain. The only problem is that if a legitimate
email from your domain goes through a relay server before it reaches
its destination server, the destination server will find that the
email fails SPF checking, which results in DMARC fail. The solution is
to use DKIM as well (or instead) but of course this could not cover
emails originating from your Exchange server. To identify if this will
be a problem you could use DMARC with p=none and monitor the results
to see if any apparently-legitimate emails are being flagged as
failing DMARC.

The main problem with DMARC is that some mailing lists (not this one,
I believe) mess it up, so I would suggest not to use it with
p=quarantine or p=reject on any domain where users are likely to post
to mailing lists. One such is (or was) the opendmarc mailing list -
something of an own goal.
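The relay case Dominic describes, worked through as an added example (not code from the thread): a small evaluator for DMARC identifier alignment as defined in RFC 7489 section 3.1, which is what decides whether a message that has passed through a forwarder still passes DMARC. It uses a simplified organizational-domain rule (last two labels; a real verifier consults the Public Suffix List) and constructed authentication results; `forwarder.example` and `mail.example.com` are assumed names.

```python
"""DMARC identifier alignment, worked for the relay/forwarding case.

Added example, not from the thread. Models what a receiving MTA does once
it holds the SPF result and the DKIM verification results for a message.
"""
from dataclasses import dataclass
from typing import List, Tuple


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption for this example: real verifiers use the Public Suffix List
    so that e.g. 'example.co.uk' is not reduced to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """RFC 7489 alignment: 's' (strict) needs an exact match, 'r' (relaxed)
    needs the same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str                # domain of the RFC5322.From address
    spf_result: str                 # "pass", "fail", "softfail", "none", ...
    spf_domain: str                 # domain SPF was checked for (RFC5321.MailFrom)
    dkim: List[Tuple[str, str]]     # (result, d= domain) per DKIM-Signature


def dmarc_evaluate(r: AuthResults, adkim: str = "r", aspf: str = "r") -> dict:
    """DMARC passes if at least one authenticated identifier aligns with
    the From: domain. Either SPF or DKIM alone is enough."""
    spf_aligned = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, aspf)
    dkim_aligned = any(
        res == "pass" and aligned(r.header_from, d, adkim) for res, d in r.dkim
    )
    return {
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
    }


# Constructed scenarios for mail whose From: is @example.com.
SCENARIOS = {
    # Exchange -> own Postfix relay -> destination; relay IP is in the SPF
    # record, MAIL FROM stays @example.com, message is not DKIM-signed.
    "direct, spf only": AuthResults("example.com", "pass", "example.com", []),
    # Recipient forwards to another mailbox; the forwarder's IP is not in
    # example.com's SPF record, so SPF fails and nothing else authenticates.
    "forwarded, no srs": AuthResults("example.com", "fail", "example.com", []),
    # Forwarder rewrites MAIL FROM to its own domain (SRS): SPF passes, but
    # for forwarder.example, which does not align with the From: domain.
    "forwarded, srs, no dkim": AuthResults("example.com", "pass", "forwarder.example", []),
    # Same forwarder, but the message carries an intact d=example.com signature.
    "forwarded, srs, dkim": AuthResults("example.com", "pass", "forwarder.example",
                                        [("pass", "example.com")]),
    # Forwarder (or a list) altered a signed part: the signature no longer verifies.
    "forwarded, body changed": AuthResults("example.com", "pass", "forwarder.example",
                                           [("fail", "example.com")]),
    # Signed with a key under a subdomain: aligned only in relaxed mode.
    "subdomain signer": AuthResults("example.com", "fail", "forwarder.example",
                                    [("pass", "mail.example.com")]),
}


def run_scenarios(adkim: str = "r", aspf: str = "r") -> dict:
    """Map each scenario name to its DMARC result under the given modes."""
    return {name: dmarc_evaluate(r, adkim, aspf)["dmarc"] for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:26s} -> {verdict}")
```

The "forwarded, srs, no dkim" and "forwarded, no srs" rows are the class of legitimate mail that the p=none monitoring phase is meant to surface before moving to quarantine or reject: SPF alone cannot survive a hop through a host that is not yours, and only a DKIM signature made with d=example.com on the way out does. That signature can only be applied at a hop the Exchange mail actually traverses, which is why signing at the Postfix relay helps exactly as far as the Exchange server routes through it.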

Re: Postfix with DKIM for a mail relay

Benny Pedersen-2
In reply to this post by Roberto Carna
Roberto Carna wrote on 2019-11-06 17:11:

> Is it possible to implement DKIM only in my Postfix server for all the
> outgoing @example.com [1] mails ??? Or doing this I affect the
> outgoing mails from my Exchange server because it sends @example.com
> [1] mails without DKIM mechanism ???

is this really a postfix question ? :=)

if the Exchange server has Postfix as mail relay, and the From: header
domain is in OpenDKIM as a signing domain, and the Exchange server is
considered an internal IP in OpenDKIM, then OpenDKIM will sign the emails

join the opendkim mailing list for more help
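What Benny describes, written out as an added example (not configuration from the thread): OpenDKIM in signing-and-verifying mode behind Postfix, with the Exchange server listed as an internal host so that mail it relays through Postfix is signed rather than verified. The selector `default`, the key path, the port 8891 socket and the Exchange address 192.0.2.10 are assumptions.

```conf
# /etc/opendkim.conf
Syslog                  yes
UMask                   007
Mode                    sv
Canonicalization        relaxed/simple
OversignHeaders         From
KeyTable                /etc/opendkim/key.table
SigningTable            refile:/etc/opendkim/signing.table
InternalHosts           /etc/opendkim/trusted.hosts
Socket                  inet:8891@127.0.0.1

# /etc/opendkim/key.table
# <key name>  <domain>:<selector>:<private key file>
default._domainkey.example.com  example.com:default:/etc/opendkim/keys/example.com/default.private

# /etc/opendkim/signing.table  (refile: pattern on the From: address -> key name)
*@example.com   default._domainkey.example.com

# /etc/opendkim/trusted.hosts
# Mail from these hosts is signed, not verified. Without the Exchange
# server's address here (192.0.2.10 is assumed), its relayed mail is
# treated as external input and leaves the relay unsigned.
127.0.0.1
::1
192.0.2.10

# /etc/postfix/main.cf
smtpd_milters           = inet:127.0.0.1:8891
non_smtpd_milters       = $smtpd_milters
milter_default_action   = accept
milter_protocol         = 6
```

The key pair comes from `opendkim-genkey -b 2048 -d example.com -s default -D /etc/opendkim/keys/example.com`, which writes `default.private` and `default.txt` (the `default._domainkey.example.com` TXT record to publish); `opendkim-testkey -d example.com -s default -vvv` checks that the published record matches the private key. Two caveats: `Mode sv` signs only for hosts in `InternalHosts`, so this sign-at-the-relay setup covers Exchange mail only if Exchange actually routes outbound mail through the relay; and `milter_default_action = accept` means that if OpenDKIM is down, mail goes out unsigned rather than being deferred (`tempfail` is the alternative once you depend on the signature for DMARC).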

Re: Postfix with DKIM for a mail relay

Richard James Salts
In reply to this post by Dominic Raferd
On Thursday, 7 November 2019 4:23:20 AM AEDT Dominic Raferd wrote:
> ...
> The main problem with DMARC is that some mailing lists (not this one,
> I believe) mess it up, so I would suggest not to use it with
> p=quarantine or p=reject on any domain where users are likely to post
> to mailing lists. One such is (or was) the opendmarc mailing list -
> something of an own goal.

Although Wietse has taken steps to minimize the impact of the mailing list on
DKIM signatures it will depend on the headers that were signed in the original
message, and this is the best you can expect from a mailing list as most will
alter the subject or add a footer to the message body. Many other lists have
taken the decision to work around the damage of poorly considered DMARC
policies by rewriting the From header and putting the original author's
address in Reply-to (which isn't without its downsides given there were
existing practices about Reply-to and mailing lists). I would highly recommend
stopping at quarantine for DMARC policy if your domain is anything other than
a source of transactional emails (e.g. password resets, promotional offers,
etc). Once real humans have mailboxes on the domain and use the corresponding
email address in their outgoing mail you're going to have some collateral
damage from p=reject.



Re: Postfix with DKIM for a mail relay

Benny Pedersen-2
Richard James Salts wrote on 2019-11-07 02:03:
> email address in their outgoing mail you're going to have some
> collateral
> damage from p=reject.

sure dmarc breaks dkim :(

Re: Postfix with DKIM for a mail relay

Roberto Carna
In reply to this post by Richard James Salts
Thanks a lot to all of you.

Regards !!!

On Wed, 6 Nov 2019 at 22:05, Richard James Salts (<[hidden email]>) wrote:

Re: Postfix with DKIM for a mail relay

Wietse Venema
In reply to this post by Richard James Salts
Richard James Salts:

> On Thursday, 7 November 2019 4:23:20 AM AEDT Dominic Raferd wrote:
> > ...
> > The main problem with DMARC is that some mailing lists (not this one,
> > I believe) mess it up, so I would suggest not to use it with
> > p=quarantine or p=reject on any domain where users are likely to post
> > to mailing lists. One such is (or was) the opendmarc mailing list -
> > something of an own goal.
>
> Although Wietse has taken steps to minimize the impact of the
> mailing list on DKIM signatures it will depend on the headers that
> were signed in the original message,

In particular, the list server overrides the Sender: header
with the list's address ([hidden email]).
I'm not aware of other changes that may break DKIM signatures.

        Wietse

> and this is the best you can expect from a mailing list as most will
> alter the subject or add a footer to the message body. Many other lists have
> taken the decision to work around the damage of poorly considered DMARC
> policies by rewriting the From header and putting the original author's
> address in Reply-to (which isn't without its downsides given there were
> existing practices about Reply-to and mailing lists). I would highly recommend
> stopping at quarantine for DMARC policy if your domain is anything other than
> a source of transactional emails (e.g. password resets, promotional offers,
> etc). Once real humans have mailboxes on the domain and use the corresponding
> email address in their outgoing mail you're going to have some collateral
> damage from p=reject.
>
>
>

Re: Postfix with DKIM for a mail relay

Roberto Carna
Ok Wietse, I understand.

Thanks a lot!!!

On Thu, 7 Nov 2019 at 11:06, Wietse Venema (<[hidden email]>) wrote:

Re: Postfix with DKIM for a mail relay

Dominic Raferd
In reply to this post by Richard James Salts
On 07/11/2019 01:03, Richard James Salts wrote:

> On Thursday, 7 November 2019 4:23:20 AM AEDT Dominic Raferd wrote:
>> ...
>> The main problem with DMARC is that some mailing lists (not this one,
>> I believe) mess it up, so I would suggest not to use it with
>> p=quarantine or p=reject on any domain where users are likely to post
>> to mailing lists. One such is (or was) the opendmarc mailing list -
>> something of an own goal.
> Although Wietse has taken steps to minimize the impact of the mailing list on
> DKIM signatures it will depend on the headers that were signed in the original
> message, and this is the best you can expect from a mailing list as most will
> alter the subject or add a footer to the message body. Many other lists have
> taken the decision to work around the damage of poorly considered DMARC
> policies by rewriting the From header and putting the original author's
> address in Reply-to (which isn't without its downsides given there were
> existing practices about Reply-to and mailing lists). I would highly recommend
> stopping at quarantine for DMARC policy if your domain is anything other than
> a source of transactional emails (e.g. password resets, promotional offers,
> etc). Once real humans have mailboxes on the domain and use the corresponding
> email address in their outgoing mail you're going to have some collateral
> damage from p=reject.

I have to disagree with the last two sentences. In the real world almost
no-one uses mailing lists - we are a self-selected group. For smaller
domains (unless mailing list use is likely) I think the risks of DMARC
p=reject (once properly tested) are minimal and the advantages (in
reducing the risk of impersonation) significant. We have used it for
several years without adverse effects, and I know (from DMARC reporting)
that fake emails to third party servers are being blocked as a result.

It's perhaps worth mentioning that irrespective of DKIM/DMARC you can
apply aggressive policies on your own server towards emails coming in
from the wild but from your own domain(s). Test the 'From' header using
header_checks and/or milter and/or content_filter. This should include
testing the text part of the From header to stop this type of thing:

   From: [hidden email] <[hidden email]>
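The inbound check Dominic suggests, as an added example (not code from the thread): three patterns in the shape of a Postfix `pcre:` header_checks table for mail that arrives from the outside but claims to be from example.com, including the display-name trick where our address appears as the "name" in front of someone else's real address. They are exercised in Python on constructed From: headers; the patterns are written so that they are valid in both Python's `re` and the PCRE dialect Postfix uses. `example.com` is the thread's domain; the reject texts are assumptions.

```python
"""Inbound From: checks for our own domain, in the shape of a Postfix
pcre: header_checks table, exercised on constructed headers.

Added example, not from the thread. render_table() emits the same three
patterns as '/pattern/ REJECT text' lines for a pcre: table.
"""
import re
from typing import List, Optional, Tuple

OUR_DOMAIN = r"example\.com"
# Our domain or any subdomain of it, as the domain part of an address.
DOM = r"(?:[\w-]+\.)*" + OUR_DOMAIN

# (pattern, reject text), tried in order like lines of a header_checks table.
CHECKS: List[Tuple[str, str]] = [
    # Angle-addr form:     From: Anything <user@our.domain>
    (r"^From:.*<[^<>]*@" + DOM + r">", "Sender address forges example.com"),
    # Bare address form:   From: user@our.domain
    (r"^From:\s*[^<>\s]*@" + DOM + r"\s*$", "Sender address forges example.com"),
    # Display-name form:   From: "user@our.domain" <someone@elsewhere>
    # The lookahead keeps 'example.com.evil.example' from counting as ours.
    (r'^From:\s*"?[^"<]*@' + DOM + r'(?![\w.-])[^<]*<',
     "Display name impersonates example.com"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), text) for p, text in CHECKS]


def check_from(header: str) -> Optional[str]:
    """Return the reject text for a From: header line, or None to accept."""
    for pattern, text in COMPILED:
        if pattern.search(header):
            return text
    return None


def render_table() -> str:
    """Emit the checks as the body of a Postfix pcre: header_checks table."""
    return "\n".join(f"/{p}/ REJECT {text}" for p, text in CHECKS)


# Constructed headers, as the cleanup daemon would present them, with the
# verdict each one should get.
SAMPLES = {
    "From: Bob <bob@other.example>": None,
    "From: Alice <alice@example.com>": "Sender address forges example.com",
    "From: <alice@example.com>": "Sender address forges example.com",
    "From: alice@example.com": "Sender address forges example.com",
    "From: Alice <alice@sub.example.com>": "Sender address forges example.com",
    'From: "alice@example.com" <attacker@evil.example>':
        "Display name impersonates example.com",
    "From: Alice <alice@notexample.com>": None,
    "From: Alice <alice@example.com.evil.example>": None,
}


def run_samples() -> dict:
    """Classify every sample header."""
    return {h: check_from(h) for h in SAMPLES}


if __name__ == "__main__":
    print(render_table())
    for header, verdict in run_samples().items():
        print(f"{verdict or 'OK':40s} {header}")
```

header_checks is applied by the cleanup daemon to every message it sees, which on this relay includes the Exchange server's own outbound mail, so a table like this must be bound to the inbound SMTP entry point only: in master.cf give the port-25 smtpd entry `-o cleanup_service_name=cleanup_inbound` and define a `cleanup_inbound` service (a copy of the `cleanup` line) with `-o header_checks=pcre:/etc/postfix/inbound_from.pcre`. Mail from the Exchange host or from authenticated submission then keeps going through the default cleanup service without these checks. A DMARC milter does the address part of this more precisely, because it acts on the authenticated identity rather than on the header string, but it does nothing about the display-name case, which is why the third pattern is worth having either way.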



Re: Postfix with DKIM for a mail relay

Jaroslaw Rafa
On 7.11.2019 at 16:16:51 Dominic Raferd wrote:
>
> I have to disagree with the last two sentences. In the real world
> almost no-one uses mailing lists - we are a self-selected group.

People who are members of any kind of organization, like a bicycle club, a
charity organization, a political party, an urban activists' group etc.
massively use mailing lists for intra-organizational communication. Myself
I'm a member of about ten such lists. What you write just simply isn't true.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Postfix with DKIM for a mail relay

Ignacio Garcia
On 07/11/2019 at 17:23, Jaroslaw Rafa wrote:
> On 7.11.2019 at 16:16:51 Dominic Raferd wrote:
>> I have to disagree with the last two sentences. In the real world
>> almost no-one uses mailing lists - we are a self-selected group.
> People who are members of any kind of organization, like a bicycle club, a
> charity organization, a political party, an urban activists' group etc.
> massively use mailing lists for intra-organizational communication. Myself
> I'm a member of about ten such lists. What you write just simply isn't true.

Tech-savvy people still use mailing lists, and tech-savvy people in
charge of organizations such as the ones you mention still use mailing
lists. For the other 99.9% of the people in charge of such
organizations, they now use things like WhatsApp and Telegram, and to
a lesser degree, web bulletins. We still offer mailing-list services.
Frankly I don't know anybody outside the IT world subscribed to mailing lists.

--
Ignacio

Re: Postfix with DKIM for a mail relay

Jaroslaw Rafa
On 7.11.2019 at 18:09:23 Ignacio García wrote:
> I don't know anybody out of the IT world subscribed
> to mailing lists

Probably depends a lot on local conditions, because I know many. There are
very few IT people on non-IT related lists I'm subscribed to.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: Postfix with DKIM for a mail relay

Ralph Seichter-2
In reply to this post by Dominic Raferd
* Dominic Raferd:

> I have to disagree with the last two sentences. In the real world
> almost no-one uses mailing lists - we are a self-selected group.

I have to disagree with the last two sentences. Looking at the traffic
we process, our customers very much use mailing lists in the real world.
YMMV, but to dismiss the importance of mailing lists is unreasonable.

I found using different domains (or subdomains) a reasonable approach:

  [hidden email]: Primary address where mail integrity is important.
  [hidden email]: Secondary address for mailing lists etc.

In this scenario, mail from "example.com" would be DKIM signed, and a
DMARC policy of quarantine or even reject is possible. Mail originating
at "sub.example.com" however may or may not be DKIM-signed, and the
DMARC policy should either be completely absent or *not* of the type
quarantine/reject.

Obviously, an unrelated domain "whatever.com" can be used to substitute
"sub.example.com". Given the negligible cost of domains these days, it
is just a matter of personal taste.

-Ralph
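Ralph's split between a strictly protected primary domain and a relaxed subdomain, as an added example (not code from the thread): DMARC policy discovery as specified in RFC 7489 section 6.6.3, run against a constructed set of `_dmarc` TXT records instead of live DNS. It uses a simplified organizational-domain rule (last two labels; a real verifier consults the Public Suffix List); `lists.example.com` and the `rua` addresses are assumed. The point it makes visible is a caveat to "completely absent": a subdomain with no record of its own does not get "no policy", it inherits the parent's `sp=` or, failing that, the parent's `p=`.

```python
"""DMARC policy discovery for a From: domain, against constructed records.

Added example, not from the thread. The ZONE dicts stand in for the TXT
lookups a receiver does at _dmarc.<domain>; nothing touches the network.
"""
from typing import Dict, Optional, Tuple

# Constructed zone data: the primary domain at p=reject, a separately
# declared subdomain at p=none for mailing-list use.
ZONE: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com",
    "_dmarc.sub.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
}

# Same primary record, but with sp=none so that subdomains that publish
# nothing of their own are not covered by the reject policy.
ZONE_WITH_SP: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-rua@example.com",
}


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Assumption for
    this example; real verifiers consult the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; tag=value' into a dict; None unless it is a
    DMARC1 record with the mandatory p= tag."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def lookup(domain: str, zone: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Stand-in for the TXT query at _dmarc.<domain>."""
    txt = zone.get("_dmarc." + domain.lower())
    return parse_dmarc(txt) if txt else None


def policy_for(from_domain: str, zone: Dict[str, str]) -> Tuple[str, Optional[str], str]:
    """Return (policy, domain the record came from, tag the policy came from).

    RFC 7489 6.6.3: use the From: domain's own record if it has one;
    otherwise the organizational domain's record, taking sp= if present
    and p= if not. No record anywhere means no policy at all.
    """
    rec = lookup(from_domain, zone)
    if rec is not None:
        return rec["p"], from_domain.lower(), "p"
    org = org_domain(from_domain)
    if org == from_domain.lower():
        return "none", None, "no record"
    rec = lookup(org, zone)
    if rec is None:
        return "none", None, "no record"
    if "sp" in rec:
        return rec["sp"], org, "sp"
    return rec["p"], org, "p"


if __name__ == "__main__":
    for dom in ("example.com", "sub.example.com", "lists.example.com", "whatever.com"):
        print(f"{dom:20s} ZONE -> {policy_for(dom, ZONE)}   ZONE_WITH_SP -> {policy_for(dom, ZONE_WITH_SP)}")
```

With ZONE, `lists.example.com` has no record and therefore falls back to example.com's `p=reject`, which is the opposite of what a list-posting subdomain wants; either publish an explicit `p=none` under each such subdomain (as `sub.example.com` does here) or add `sp=none` to the parent record, as ZONE_WITH_SP does. An unrelated domain such as Ralph's "whatever.com" sidesteps the inheritance entirely, which is the one concrete advantage of that variant.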