Cloudron Forum

DKIM when external relay is configured

    caspear wrote (#1):

    When an external SMTP relay is configured, Cloudron still signs all outgoing mail with DKIM, but the UI hides the DNS entry it wants.

    Without the matching entry some mail servers then reject the mail because of the DKIM failure.

    Please either:

    • Do not sign the mail when using external relay to send mail
    • Expose the expected DKIM DNS entry to the end user so that they can configure it

    The half-way house does not work.

    As a workaround I disabled external relay to reveal the DNS entry, created the DNS entry, and then added the SMTP relay back again.

      james (Staff) wrote (#2):

      Hello @caspear

      Thanks for reporting this.
      I could reproduce the behaviour:
      [image]

        james (Staff) wrote (#3):

        Hello @caspear
        I have looked a little more into this.
        When using a mail relay, DKIM and everything that is marked as skipped should be handled by the upstream relay server.

        You have stated:

        @caspear said:

        Cloudron still signs all outgoing mail with DKIM

        How did you validate this?

          caspear wrote (#4):

          Send an email through the Cloudron and look at the mail headers in the mail you end up with.

          It will include a DKIM signature from Cloudron, which fails to validate if the DNS entry is missing.

          DMARC reports will also list it as an issue, if you have that configured.

            caspear wrote (#5):

            Without the DNS entry, mail from Cloudron ends up with:

            ARC-Authentication-Results: i=1; mx.google.com;
                   dkim=pass header.i=@smtpcorp.com header.s=a1-4 header.b=38VpoA5C;
                   dkim=pass header.i=@permamed.org header.s=s1004192 header.b=IvzZvAEF;
                   dkim=permerror (no key for signature) header.i=@permamed.org header.s=cloudron-0d9262 header.b=cSc2yqyX;
                   spf=pass (google.com: domain of bounce.3wqhqixyft3pua6=46muc2596w7f=34l98tc3oj4uzw@em1004192.permamed.org designates 158.120.86.203 as permitted sender) 
            

            Once I add the entry, I get:

            ARC-Authentication-Results: i=1; mx.google.com;
                   dkim=pass header.i=@smtpcorp.com header.s=a1-4 header.b=hge5ICDL;
                   dkim=pass header.i=@permamed.org header.s=s1004192 header.b=HnqT1ibh;
                   dkim=pass header.i=@permamed.org header.s=cloudron-0d9262 header.b="bpPl/+t5";
                   spf=pass (google.com: domain of bounce.w5qkkdyfnaxsxb7=ojoiat7bxbcy=pc4cfvy7huru7n@em1004192.permamed.org designates 158.120.86.203 as permitted sender) 
            
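The header check described in posts #4 and #5 can be scripted. The following is an added example, not part of the thread and not Cloudron code: it parses the `dkim=` clauses of an `ARC-Authentication-Results` value and lists the DNS name of every signature that did not verify. The function names are hypothetical, and it assumes the domain in `header.i` equals the signature's `d=` domain.

```python
import re

# Header values copied from post #5 above (spf clause omitted).
BEFORE = """i=1; mx.google.com;
       dkim=pass header.i=@smtpcorp.com header.s=a1-4 header.b=38VpoA5C;
       dkim=pass header.i=@permamed.org header.s=s1004192 header.b=IvzZvAEF;
       dkim=permerror (no key for signature) header.i=@permamed.org header.s=cloudron-0d9262 header.b=cSc2yqyX;"""
AFTER = """i=1; mx.google.com;
       dkim=pass header.i=@smtpcorp.com header.s=a1-4 header.b=hge5ICDL;
       dkim=pass header.i=@permamed.org header.s=s1004192 header.b=HnqT1ibh;
       dkim=pass header.i=@permamed.org header.s=cloudron-0d9262 header.b="bpPl/+t5";"""

# dkim=<result> [ (comment) ] <properties>
CLAUSE = re.compile(r"dkim=(\w+)\s*(?:\(([^)]*)\))?(.*)", re.S)
# header.<tag>=<value>, where the value may be quoted
PROP = re.compile(r'header\.([a-z])=(?:"([^"]*)"|([^\s;]+))')

def dkim_results(value):
    """Return one dict per dkim= clause of an (ARC-)Authentication-Results value."""
    results = []
    for clause in value.split(";"):
        m = CLAUSE.match(clause.strip())
        if not m:
            continue  # instance number, authserv-id, spf=..., etc.
        props = {k: q or v for k, q, v in PROP.findall(m.group(3))}
        # Assumption: the part of header.i after "@" is the d= domain,
        # which is where the verifier looks up the public key.
        domain = props.get("i", "").rpartition("@")[2]
        selector = props.get("s", "")
        results.append({
            "result": m.group(1),
            "reason": m.group(2) or "",
            "domain": domain,
            "selector": selector,
            "dns_name": f"{selector}._domainkey.{domain}",
        })
    return results

def unverified(value):
    """DNS names of the signatures that did not verify."""
    return [r["dns_name"] for r in dkim_results(value) if r["result"] != "pass"]

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, unverified(hdr) or "all DKIM signatures pass")
```

Each name it reports is the TXT record the receiving server tried to fetch, so it identifies which signer's key is missing from DNS when a message carries several signatures.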
