XG doesn't add DKIM signatures to outbound e-mail

Hi there. I'm running Sophos XG 19.01, using it in MTA mode for e-mail. I am attempting to enable DKIM signatures on outbound e-mail without much luck. I've followed the details in the documentation (https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/GeneralSettings/EmailDKIMSignatureAdd/index.html and https://support.sophos.com/support/s/article/KB-000034335?language=en_US), but still can't get outbound e-mails with DKIM signatures.

Some additional details:

  • I've generated the RSA public and private keys using openssl on a Windows machine following the directions of the second link above
  • I've tried copying and pasting into Sophos the generated private key in the form originally generated (i.e. with the ------BEGIN PRIVATE KEY------ and ------END PRIVATE KEY------ headers and footers and all CRs), and then tried stripping out the headers and all CRs - no difference
  • I've used the string "dkim" as the selector in Sophos XG
  • I'm testing by sending e-mails from a server behind the firewall to a test e-mail address at https://www.appmaildev.com/
  • The e-mails received by appmaildev.com show x-sender: root@[servername].[domain name].com
  • Sophos XG is configured to use a smarthost for outbound e-mail (mailout.zoneedit.com)

I've checked and rechecked but can't quite figure out what the problem is. Any suggestions would be most appreciated.

  • OK so after a bit of digging around I figured it out. The short version is that the private key must be copied and pasted into Sophos exactly as it's generated - i.e. with the header and footer. Otherwise, Sophos won't recognize it at all. Nothing is shown in the logs accessible in the UI, but it will generate an error in /var/tslog/smtpd_panic.log that includes the following:

    DKIM: signing failed: PRIVKEY
    signing_init: privkey PEM-block import: error:0909006C:PEM routines:get_name:no start line

    While I did try this previously, there appears to be another reason why Sophos wasn't adding a DKIM signature: apparently, you need to specify the exact domain name, including subdomain/hostname, of the originating e-mail address when adding the DKIM signature in Sophos. So, for example, if you add a private key in Sophos and specify the domain name "domain.com" for that private key, and you then use Sophos to relay from a host whose e-mail address is "bonehead@hostname.domain.com" rather than "bonehead@domain.com", Sophos won't apply a DKIM signature, and won't show anything in the logs to indicate that it hasn't. However, if you add another entry in Sophos and specify the domain name as "hostname.domain.com", then it will work. I just used the same private key to avoid the need to create a separate DNS TXT record with a different public key, which seems to work.

    It would be nice to figure out a way to have Sophos apply a DKIM signature for all e-mails with a hostname/subdomain in the e-mail address to avoid the need to create separate entries. No idea if Sophos will accept wildcards in the domain specification (e.g. *.domain.com). Might give it a try later.

  • Quick follow-up - nope, Sophos won't permit a domain name with a wildcard. Oh well.

  • One further correction to the above: Each subdomain/host will require a separate DNS record for the public key. The public key itself I think can be the same for all of them, but you need to add an additional TXT record for each one, using [selector]._domainkey.[hostname/subdomain] in the DNS record.
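The two causes identified in the replies above (a private key pasted without its PEM header and footer, and a signing domain that must match the sender's domain exactly, subdomain included) can be checked before touching the firewall. The following Python script is an added example, not code from this thread or from Sophos; the PEM regex, the exact-match rule, the function names and the TXT-record naming helper are assumptions modelled on what the replies describe, and the sample key body is constructed, not a real key.

```python
import base64
import re

# Constructed sample key body (not a real key): the checks below inspect only the
# PEM armor and base64 framing and never parse or use key material.
SAMPLE_BODY = base64.b64encode(b"not-a-real-key" * 4).decode()
ARMORED_KEY = "-----BEGIN PRIVATE KEY-----\n" + SAMPLE_BODY + "\n-----END PRIVATE KEY-----\n"
STRIPPED_KEY = SAMPLE_BODY  # header and footer removed, as in the failed attempt

PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>(?:RSA )?PRIVATE KEY)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----$"
)


def check_pem_armor(key_text):
    """Return 'ok' for a complete PEM block, otherwise why the import would fail."""
    m = PEM_RE.match(key_text.strip())
    if not m:
        # Without the BEGIN line OpenSSL reports 'PEM routines:get_name:no start line'.
        return "no start line"
    try:
        base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError:
        return "bad base64 body"
    return "ok"


def sender_domain(sender):
    """Domain part of an address, normalised for comparison."""
    return sender.rsplit("@", 1)[-1].lower().rstrip(".")


def signing_domain_for(sender, configured_domains):
    """Exact-match lookup: a parent-domain entry does not cover its subdomains."""
    domain = sender_domain(sender)
    return domain if domain in configured_domains else None


def dkim_txt_record_name(selector, domain):
    """Name of the DNS TXT record that must publish the public key for this domain."""
    return selector + "._domainkey." + domain


def plan_dkim_entries(senders, selector, configured_domains):
    """For each sender: would it be signed, and which TXT record must exist."""
    return {
        s: {"signed": signing_domain_for(s, configured_domains) is not None,
            "txt_record": dkim_txt_record_name(selector, sender_domain(s))}
        for s in senders
    }
```

Run plan_dkim_entries over the addresses your hosts actually send from; every entry reported as unsigned needs its own signing-domain entry in Sophos and its own TXT record.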