Hi folks,
So I privately have an old domain and a new domain; however, for various reasons that don't really matter for the issue, I still use the old domain, and that will stay that way for the foreseeable future. However, it's clear I will switch to the new TLD some day in the future.
Just recently I ditched my old Kopano and set up grommunio from the official release.
So I set out to fix all the stuff like MX, SPF, DKIM, DMARC, BIMI etc.
All that works fine so far with my new TLD. What I did was set up my user with the new TLD and make a script to add my TLD to the DKIM, and in the end I got all that to work.
In case someone wants that script:
#!/bin/bash
# dkim_add.sh
# Adds a new DKIM domain to grommunio-antispam
set -euo pipefail
if [ "$#" -ne 1 ]; then
    echo "Usage: $0 <domain>"
    exit 1
fi
DOMAIN="$1"
PRIVATE_KEY="/var/lib/grommunio-antispam/dkim/${DOMAIN}.dkim.key"
PUBLIC_KEY="/root/dkim/${DOMAIN}.dkim.pub"
CONFIG_FILE="/etc/grommunio-antispam/local.d/dkim_signing.conf"
# Generate the key pair; rspamadm writes the private key to -k and prints the DNS TXT record to stdout
mkdir -p /var/lib/grommunio-antispam/dkim
mkdir -p "$(dirname "$PUBLIC_KEY")"
rspamadm dkim_keygen -s 'dkim' -b 2048 -d "$DOMAIN" -k "$PRIVATE_KEY" > "$PUBLIC_KEY"
# Set permissions so only the antispam service account can read the private key
chown groas:grommunio "$PRIVATE_KEY"
chmod 440 "$PRIVATE_KEY"
# Append the DKIM signing configuration for this domain (skipped if the domain is already mentioned)
if ! grep -q "$DOMAIN" "$CONFIG_FILE"; then
    cat <<EOF >> "$CONFIG_FILE"
domain {
    "$DOMAIN" {
        selector = "dkim";
        path = "$PRIVATE_KEY";
    }
}
EOF
fi
# Syntax test
CONFIG_OUTPUT=$(rspamadm configtest 2>&1)
if echo "$CONFIG_OUTPUT" | grep -q "syntax OK"; then
    echo "Config test successful: syntax OK"
else
    echo "Config test failed:"
    echo "$CONFIG_OUTPUT"
    echo "Check config file:"
    echo "$CONFIG_FILE"
    exit 1
fi
# Restart the service
systemctl restart grommunio-antispam
# Print the public key record for DNS
echo "=== Public Key for DNS ==="
cat "$PUBLIC_KEY"
echo "=========================="
# Monitor logs
echo "=== Monitoring grommunio-antispam for DKIM ==="
journalctl -u grommunio-antispam -f | grep -E "frank.jetzt|strahlwerk-24.de|$DOMAIN"
Now, since I still want to send as user@oldTLD, can't be that difficult, right? So I moved on and:
created the same user with the old TLD as a shared mailbox, made it redirect all incoming email to user@newTLD, got my user@newTLD added to the user@oldTLD with "send as" and "additional mailstore owner" privileges, but not with the "representative" privilege, as I've read somewhere that this could or does actually cause trouble.
So: now I can send as user@oldTLD just fine, but it won't get signed with DKIM.
I also still can send as user@newTLD and DKIM works just as expected.
I've set up a testuser@oldTLD (not a shared mailbox, a normal one, just for a test) and emails from that box do get signed just fine too, so I know the setup worked, no issues.
But with the cross-domain auth (authentication as user@newTLD, send as "From: user@oldTLD"), no matter what I try, I can't get it to sign the emails.
Get me right, it's not some false signature or whatever, it just doesn't add the DKIM signature at all, while at the same time I do positively know from tests that the signature for that oldTLD does work just fine in itself.
Since I'm for sure not the only one with multiple domains and domain swap procedures and such: what the heck am I missing?
Here is my DKIM conf:
localhost:~ # cat /etc/grommunio-antispam/local.d/dkim_signing.conf
use_domain = "header";
# sign_authenticated = true;
use_esld = true;
sign_local = true;
# cross domain send as:
# use domain from header for signing
use_domain = header;
# allow mismatch between authenticated user domain and header from domain
allow_hdrfrom_mismatch = true;
# sign mail from authenticated users
sign_authenticated = true;
# end cross domain send as section
sign_networks = [
"127.0.0.0/24",
"10.0.0.0/8",
"172.16.0.0/12",
"192.168.0.0/16",
"::1"
];
domain {
"mydomain.com" {
selector = "dkim";
path = "/var/lib/grommunio-antispam/dkim/mydomain.com.dkim.key";
}
}
Any and all help will be highly appreciated. In my quest to get that fixed, I've even tried Google AI and ChatGPT, but they just bring up stuff I've checked and tried over and over.
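When a signature is silently not added, the first things to rule out are the configuration itself and the key file. The linter below is an added example, not code from the post or from grommunio/rspamd: it parses the small subset of UCL that dkim_signing.conf uses (top-level `key = value;` lines, arrays, and `domain { ... }` sections), reports top-level keys that appear more than once (UCL folds repeated keys into an implicit array, so a key meant as a single setting is worth checking, and the quoted config does set `use_domain` twice), counts how many separate `domain { }` sections exist (the post's script appends one per domain), checks that each configured private key path exists, and shows which domain block a given From: domain would resolve to. The sample config and domain names are constructed placeholders; the parent-domain walk in `signing_domain_for` is a simplification of rspamd's `use_esld` handling, which uses the public suffix list.

```python
import os
import re
from collections import Counter

# Constructed sample (placeholder domain names): the layout of the
# dkim_signing.conf quoted in the post, including its repeated use_domain key.
SAMPLE_CONF = '''use_domain = "header";
# sign_authenticated = true;
use_esld = true;
sign_local = true;
# cross domain send as:
use_domain = header;
allow_hdrfrom_mismatch = true;
sign_authenticated = true;
sign_networks = [
  "127.0.0.0/24",
  "10.0.0.0/8",
  "::1"
];
domain {
  "mydomain.com" {
    selector = "dkim";
    path = "/var/lib/grommunio-antispam/dkim/mydomain.com.dkim.key";
  }
}
'''


def strip_comment_lines(text):
    """Drop whole-line '#' comments (the only comment form used in the sample)."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def extract_domain_blocks(text):
    """Return the bodies of every top-level 'domain { ... }' section and the
    remaining text with those sections cut out. Braces are matched by hand so
    that repeated 'domain' sections are each seen separately."""
    bodies, rest, pos = [], [], 0
    for m in re.finditer(r"^\s*domain\s*\{", text, re.M):
        if m.start() < pos:  # inside a section already consumed
            continue
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        bodies.append(text[m.end():i - 1])
        rest.append(text[pos:m.start()])
        pos = i
    rest.append(text[pos:])
    return bodies, "".join(rest)


def parse_conf(text):
    """Parse the UCL subset used by dkim_signing.conf into
    (scalars, domains, domain_section_count). scalars keeps every occurrence
    of a key, in order, so repeated keys stay visible."""
    text = strip_comment_lines(text)
    bodies, rest = extract_domain_blocks(text)
    domains = {}
    for body in bodies:
        for name, inner in re.findall(r'"?([A-Za-z0-9.\-]+)"?\s*\{([^}]*)\}', body):
            domains[name.lower()] = {
                k: v.strip().strip('"')
                for k, v in re.findall(r"(\w+)\s*=\s*([^;]+);", inner)
            }
    scalars = [
        (k, v.strip().strip('"'))
        for k, v in re.findall(r"(\w+)\s*=\s*(\[.*?\]|[^;]+?)\s*;", rest, re.S)
    ]
    return scalars, domains, len(bodies)


def duplicate_keys(scalars):
    """Top-level keys given more than once (UCL turns these into an implicit array)."""
    counts = Counter(k for k, _ in scalars)
    return sorted(k for k, n in counts.items() if n > 1)


def settings(scalars):
    """Map each top-level key to the list of all values it was given."""
    out = {}
    for k, v in scalars:
        out.setdefault(k, []).append(v)
    return out


def signing_domain_for(header_from_domain, domains):
    """Which configured domain block a From: domain would resolve to.
    Walks from the full name up to its two-label parent; this is a simplification
    of rspamd's use_esld handling, which consults the public suffix list."""
    labels = header_from_domain.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def lint(text, header_from_domains):
    """Full report for one config text and a list of From: domains to check."""
    scalars, domains, n_sections = parse_conf(text)
    return {
        "duplicates": duplicate_keys(scalars),
        "settings": settings(scalars),
        "domain_sections": n_sections,
        "domains": domains,
        "missing_key_files": [d for d, cfg in domains.items()
                              if "path" in cfg and not os.path.isfile(cfg["path"])],
        "matches": {d: signing_domain_for(d, domains) for d in header_from_domains},
    }


if __name__ == "__main__":
    # Usage: python dkim_conf_lint.py /etc/grommunio-antispam/local.d/dkim_signing.conf olddomain.example
    import sys
    if len(sys.argv) > 1 and os.path.isfile(sys.argv[1]):
        text, froms = open(sys.argv[1]).read(), sys.argv[2:] or ["mydomain.com"]
    else:
        text, froms = SAMPLE_CONF, ["mydomain.com", "olddomain.example"]
    for key, value in lint(text, froms).items():
        print(f"{key}: {value}")
```

Run it as root (or as the antispam service account) so the key-file check reflects what the service can actually open; a `missing_key_files` entry or a From: domain in `matches` that resolves to `None` means no signature will be produced for that sender regardless of the `allow_hdrfrom_mismatch` and `sign_authenticated` settings.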