Solved Mail generated from sieve filters are not DKIM signed

kristian

When adding a sieve filter for out-of-office, the automatic email is sent without being DKIM signed. Example:

Sieve filter:
Code:
require ["date","relational","vacation"];
# rule:[Out of Office]
if allof (currentdate :zone "+0200" :value "ge" "iso8601" "2021-07-01T16:30:00+02:00", currentdate :zone "+0200" :value "le" "iso8601" "2021-07-17T23:59:00+02:00")
{
    vacation :days 5 :subject "Feriemelding" text:
<Body of mail here>
.
;
}

When an email is delivered to this account, the normal stuff is logged by exim:

Code:
2021-06-30 09:58:29 1lyV77-0005O6-Og <= <redacted>@gmail.com H=<redacted> [<redacted>] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=5813 DKIM=gmail.com id=CA+1mp2ZsndiaeMFoPMuJd36UHUkFnJEPS+YhtmbLG1Sqcxmy4Q@mail.gmail.com T="test fra gmail" from <<redacted>@gmail.com> for <redacted>@<redacted>
2021-06-30 09:58:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lyV77-0005O6-Og
2021-06-30 09:58:29 cwd=/run/dovecot 6 args: /usr/sbin/sendmail -i -f <> -- <redacted>@gmail.com
2021-06-30 09:58:29 1lyV77-0005OE-SY <= <> U=<redacted> P=local S=943 id=dovecot-sieve-1625039909-869326-0@<redacted> T="Feriemelding" from <> for <redacted>@gmail.com
2021-06-30 09:58:29 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1lyV77-0005OE-SY
2021-06-30 09:58:29 1lyV77-0005O6-Og => <redacted> <<redacted>@<redacted>> F=<<redacted>@gmail.com> R=virtual_user T=dovecot_lmtp_udp S=6038 C="250 2.0.0 <<redacted>@<redacted>> CIx5MyUk3GCRTwAAYMfYVg Saved"
2021-06-30 09:58:29 1lyV77-0005O6-Og Completed

And the dovecot lmtp log shows no issues either:

Code:
Jun 30 09:58:29 lmtp(20369): Info: Connect from local
Jun 30 09:58:29 lmtp(<redacted>@<redacted>)<20369><CIx5MyUk3GCRTwAAYMfYVg>: Info: sieve: msgid=<CA+1mp2ZsndiaeMFoPMuJd36UHUkFnJEPS+YhtmbLG1Sqcxmy4Q@mail.gmail.com>: vacation action: sent vacation response to <<redacted>@gmail.com>
Jun 30 09:58:29 lmtp(<redacted>@<redacted>)<20369><CIx5MyUk3GCRTwAAYMfYVg>: Info: sieve: msgid=<CA+1mp2ZsndiaeMFoPMuJd36UHUkFnJEPS+YhtmbLG1Sqcxmy4Q@mail.gmail.com>: stored mail into mailbox 'INBOX'
Jun 30 09:58:29 lmtp(20369): Info: Disconnect from local: Client has quit the connection (state=READY)

But the exim log shows an error when trying to deliver the vacation response:

Code:
2021-06-30 09:58:30 1lyV77-0005OE-SY ** <redacted>@gmail.com F=<> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [74.125.131.27] X=TLS1.2:ECDHE-ECDSA-CHACHA20-POLY1305:256 CV=yes: SMTP error from remote mail server after end of data: 550-5.7.26 Unauthenticated email from <redacted> is not accepted due to\n550-5.7.26 domain's DMARC policy. Please contact the administrator of\n550-5.7.26 <redacted> domain if this was a legitimate mail. Please visit\n550-5.7.26  https://support.google.com/mail/answer/2451690 to learn about the\n550 5.7.26 DMARC initiative. 15si4275330lfz.385 - gsmtp
2021-06-30 09:58:30 1lyV77-0005OE-SY Frozen (message created with -f <>)

And sure enough, the DMARC policy for this domain is strict, v=DMARC1; p=reject; adkim=s; aspf=s;, so the error is legitimate. Now the question is, how can I get dovecot to deliver the vacation response in a way that also gets it DKIM signed?

I tried setting submission_host = localhost:25 in the dovecot config, but this seems to be blocked in Exim by Spamblocker/Blockcracking:

Code:
2021-06-30 11:53:37 H=localhost (<redacted>) [127.0.0.1] F=<> rejected RCPT <<redacted>@gmail.com>: We didn't send the message

Any ideas on how to resolve this?
 
Turns out this was easier than I expected. On https://wiki2.dovecot.org/Pigeonhole/Sieve/Extensions/Vacation there's a setting that does what I need:
sieve_vacation_send_from_recipient = no

This setting determines whether vacation messages are sent with the SMTP MAIL FROM envelope address set to the recipient address of the Sieve script owner. Normally this is set to <>, which is the default as recommended in the specification. This is meant to prevent mail loops. However, there are situations for which a valid sender address is required and this setting can be used to accommodate for those.
Setting this to yes means that Exim knows who the sender is, and can apply the proper DKIM signing. It does have some drawbacks as mentioned in the quote above, about possible mail loops. Until I see that happening, I am considering a working DKIM signing more important.

In order to make this setting stick, the setting must be put into a custom config for 90-sieve.conf:

Code:
# mkdir -p /usr/local/directadmin/custombuild/custom/dovecot/conf.d/
# cp /usr/local/directadmin/custombuild/configure/dovecot/conf.d/90-sieve.conf /usr/local/directadmin/custombuild/custom/dovecot/conf.d/
# vim /usr/local/directadmin/custombuild/custom/dovecot/conf.d/90-sieve.conf

Add the following lines at the end inside the plugin { } section:

Code:
   # Always send vacation messages with the SMTP MAIL FROM envelope address set
   # to the recipient. This is needed for the vacation response to be DKIM
   # signed by Exim. See
   # <https://wiki2.dovecot.org/Pigeonhole/Sieve/Extensions/Vacation> for more
   # information.
   sieve_vacation_send_from_recipient = yes

Then rewrite the dovecot configuration:

Code:
# /usr/local/directadmin/custombuild/build dovecot_conf
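
An added example, not part of the original posts: a small Exim mainlog correlator that finds locally injected null-sender messages (the `<= <> ... P=local` pattern shown above) that a remote server refused with a 5.7.26 DMARC reply, and records whether Exim froze them. The sample log is constructed from the lines quoted in the thread; `example.org`, `example.net` and the second message id are placeholders.

```python
import re

# Constructed sample modelled on the Exim mainlog lines quoted in the thread.
# example.org/example.net and the second message id are placeholders.
SAMPLE_LOG = r'''
2021-06-30 09:58:29 1lyV77-0005O6-Og <= sender@example.net H=mx.example.net [192.0.2.10] P=esmtps S=5813 T="test" for owner@example.org
2021-06-30 09:58:29 1lyV77-0005OE-SY <= <> U=owner P=local S=943 id=dovecot-sieve-1@example.org T="Feriemelding" from <> for sender@example.net
2021-06-30 09:58:30 1lyV77-0005OE-SY ** sender@example.net F=<> R=lookuphost T=remote_smtp: SMTP error from remote mail server after end of data: 550-5.7.26 Unauthenticated email from example.org is not accepted due to\n550-5.7.26 domain's DMARC policy.
2021-06-30 09:58:30 1lyV77-0005OE-SY Frozen (message created with -f <>)
2021-06-30 10:02:11 1lyVAh-0005Pq-2c <= <> U=owner P=local S=951 T="Feriemelding" from <> for other@example.com
2021-06-30 10:02:12 1lyVAh-0005Pq-2c => other@example.com F=<> R=lookuphost T=remote_smtp C="250 2.0.0 OK"
'''

PREFIX = r"^\S+ \S+ (?P<id>[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+) "
ARRIVAL = re.compile(PREFIX + r"<= (?P<sender>\S+) .*?\bP=(?P<proto>\S+)")
SUBJECT = re.compile(r' T="(?P<subject>[^"]*)"')
# "**" marks a permanent delivery failure; 5.7.26 plus "DMARC" is the reply shown in the thread.
FAILURE = re.compile(PREFIX + r"\*\* (?P<rcpt>\S+) .*\b5\.7\.26\b.*DMARC")
FROZEN = re.compile(PREFIX + r"Frozen\b")


def find_dmarc_rejected_autoreplies(log_text):
    """Return {message id: details} for local null-sender mail refused under DMARC."""
    local_null = {}   # id -> subject, for messages injected locally with MAIL FROM <>
    findings = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if m:
            if m["sender"] == "<>" and m["proto"] == "local":
                s = SUBJECT.search(line)
                local_null[m["id"]] = s["subject"] if s else ""
            continue
        m = FAILURE.match(line)
        if m and m["id"] in local_null:
            findings[m["id"]] = {"rcpt": m["rcpt"], "subject": local_null[m["id"]], "frozen": False}
            continue
        m = FROZEN.match(line)
        if m and m["id"] in findings:
            findings[m["id"]]["frozen"] = True
    return findings


if __name__ == "__main__":
    for msg_id, info in find_dmarc_rejected_autoreplies(SAMPLE_LOG).items():
        print(msg_id, info)
```

Run against the real Exim main log after the configuration change, an empty result means no null-sender auto-replies were refused for DMARC in that log.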
 
Thanks mate, you're a life saver. I have checked all forum posts looking for this. Had exactly the same issue and your instructions have solved my problem. Tested and received out of office reply to gmail account; before, they were being rejected with the following error message.

SMTP error from remote mail server after end of data: 550-5.7.26 Unauthenticated email from domin.com is not accepted due to\n550-5.7.26 domain's DMARC policy
Post should be moved to howto section

Thanks again, have a good day.
 