1

We have modified the Return-Path: and Reply-To: sections of our email by doing the following:

/etc/postfix/main.cf

```
smtp_generic_maps = hash:/etc/postfix/generic
```

/etc/postfix/generic

```
bounce@mainserver.com       bounce@relay.com
admin@mainserver.com       admin@relay.com
```

Before adding this we get:

```
Return-Path: <bounce@mainserver.com>
Authentication-Results: mta1087.mail.ir2.yahoo.com 
 header.i=@relay.com header.s=mail dkim=pass (ok);
 spfDomain=mainserver.com spfResult=none;
 dmarc=pass(p=none sp=quarantine dis=none) header.from=relay.com
Received-SPF: none (domain of mainserver.com does not designate permitted sender hosts)
```

After:

```
Return-Path: <bounce@relay.com>
Authentication-Results: mta1129.mail.ir2.yahoo.com 
 header.i=@relay.com header.s=mail dkim=permerror (bad sig);
 spfDomain=relay.com spfResult=pass;
 dmarc=pass(p=none sp=quarantine dis=none) header.from=relay.com
Received-SPF: pass (domain of relay.com designates xx.xx.xx.xx as permitted sender)
```

This change is causing our DKIM to get permerror (bad sig). Is there a fix for this or another approach?

Toodarday

3 Answers

2

Assuming you are using OpenDKIM, have you ensured that:

1 - correct DKIM keys are published under the "relay.com" DNS records

2 - these are listed in /etc/opendkim/key_table

3 - that the "relay.com" sender addresses are in /etc/opendkim/signing_table

If so, I guess the addresses are being rewritten after DKIM signing, which breaks DKIM.

Checking the DKIM signature of the sent mail may give further clues.

Another option:

/etc/postfix/main.cf

```
# canonical(5) mapping, applied by cleanup(8), in place of smtp_generic_maps
canonical_maps = hash:/etc/postfix/canonical
```

/etc/postfix/canonical

```
bounce@mainserver.com       bounce@relay.com
admin@mainserver.com       admin@relay.com
```
Toodarday
Allan Wallace
  • Yes it's OpenDKIM and yes it's working fine if you look under the "before adding this we get" section in my post you can see it works. mainserver.com does not have any DKIM it's connecting to relay.com SMTP to send the mail. – Toodarday Jun 22 '19 at 20:33
  • I guess the addresses are being re-written after dkim signing then. "With the smtp_generic_maps parameter you can specify generic(5) lookup tables that replace local mail addresses by valid Internet addresses when mail leaves the machine via SMTP. " Source: https://de.postfix.org/httpmirror/ADDRESS_REWRITING_README.html#generic – Allan Wallace Jun 22 '19 at 20:35
  • I think this is the solution: http://www.postfix.org/canonical.5.html (instead of Generic) – Allan Wallace Jun 22 '19 at 20:50
  • Yes this fixed it. – Toodarday Jun 22 '19 at 21:12
  • 1
    replacing `smtp_generic_maps = hash:/path/file` with `canonical_maps = hash:/path/file` and restarting postfix fixed the problem, many thanks!!! – lucaferrario Aug 18 '20 at 15:07
  • The correct `/etc/postfix/main.cf` configuration will be `canonical_maps =hash:/etc/postfix/canonical`. – Hasanuzzaman Sattar Apr 23 '22 at 06:48
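
Why an address rewrite that runs after signing ends in `bad sig`, as an added example (not code from this thread, Postfix or OpenDKIM): it applies RFC 6376 relaxed header canonicalization to a constructed message and hashes the headers named in `h=`, before and after a generic-style rewrite. The header set, the `h=` list and all function names are assumptions; the real signature input also covers the DKIM-Signature header itself and the body hash, which are left out here.

```python
import hashlib
import re

# Constructed sample headers as the signing milter would see them (assumption).
SIGNED_AT_MILTER = [
    ("From", "Admin <admin@relay.com>"),
    ("Reply-To", "admin@mainserver.com"),
    ("Subject", "Weekly   report"),
    ("Date", "Sat, 22 Jun 2019 20:00:00 +0000"),
]
H_TAG = "from:reply-to:subject:date"  # assumed h= list of the signature
GENERIC = {"admin@mainserver.com": "admin@relay.com",
           "bounce@mainserver.com": "bounce@relay.com"}

def relaxed(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def select_signed(headers, h_tag):
    """Pick one instance per h= entry, bottom-up (RFC 6376 section 5.4.2)."""
    pool, picked = list(headers), []
    for want in (n.strip().lower() for n in h_tag.split(":")):
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == want:
                picked.append(pool.pop(i))
                break
    return picked

def header_digest(headers, h_tag):
    """SHA-256 over the canonicalized signed headers (simplified signature input)."""
    data = "".join(relaxed(n, v) for n, v in select_signed(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()

def rewrite(headers, table):
    """Model of an address rewrite applied to header values after signing."""
    out = []
    for name, value in headers:
        for old, new in table.items():
            value = value.replace(old, new)
        out.append((name, value))
    return out

def broken_by_rewrite(headers, table, h_tag):
    """Names of signed headers whose canonical form the rewrite changes."""
    before = select_signed(headers, h_tag)
    after = select_signed(rewrite(headers, table), h_tag)
    return [a[0] for b, a in zip(before, after) if relaxed(*b) != relaxed(*a)]

if __name__ == "__main__":
    print(broken_by_rewrite(SIGNED_AT_MILTER, GENERIC, H_TAG))
```

Any header that shows up in the result is both covered by `h=` and touched by the map, so the receiver hashes different bytes than the signer did.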
0

None of the solutions mentioned works, because OpenDKIM signs the email before the address change, either with `canonical_maps = hash:/etc/postfix/canonical` or `smtp_generic_maps = hash:/etc/postfix/canonical`.

Unfortunately, only two solutions work:

VanVan
0

And in this post: DKIM not signing with alias addresses - not internal, not authenticated

JChook posts:

"I solved this problem by using the postfix advanced filter and adding the opendkim milter on the final phase."

Allan Wallace