Score:1

Added dkimproxy to OpenSMTPD ... mail loop when sending to my own domain


I have a nicely working OpenSMTPD configuration and I added dkimproxy to it.

Everything is working nicely and mail-tester, etc., all report that I have proper DKIM signing and my email score is 10/10, etc.

The problem is ...

If I attempt to send an email from [email protected] to [email protected] the mail server gets into a loop and the mail never gets sent. I see this in maillog:

Nov 15 08:34:13 mail dkimproxy.out[38686]: DKIM signing - signed; message-id=<[email protected]>, signer=<[email protected]>, from=<[email protected]>
Nov 15 08:34:13 mail smtpd[33463]: 4dea90938ef29e98 smtp message msgid=0b62ff80 size=104666 nrcpt=1 proto=ESMTP
Nov 15 08:34:13 mail smtpd[33463]: 4dea90938ef29e98 smtp envelope evpid=0b62ff80eb408785 from=<> to=<[email protected]>
Nov 15 08:34:13 mail smtpd[33463]: 4dea9092f4274d88 mta delivery evpid=6fe8c750a74f16ac from=<> to=<[email protected]> rcpt=<-> source="200.100.240.135" relay="200.100.240.135 (mail.mydomain.com)" delay=1s result="Ok" stat="250 2.0.0 0b62ff80 Message accepted for delivery"

... and it loops like that maybe 50 times over and over - eventually it gives up with this error:

Nov 15 08:34:18 mail smtpd[33463]: warn: loop detected
Nov 15 08:34:18 mail smtpd[33463]: 4dea9097226c93aa smtp failed-command command="DATA" result="500 5.4.6 Routing loop detected: Loop detected"
Nov 15 08:34:18 mail smtpd[33463]: 4dea90969c6cf495 mta delivery evpid=49514d020281ac48 from=<> to=<[email protected]> rcpt=<-> source="200.100.240.135" relay="200.100.240.135 (mail.mydomain.com)" delay=1s result="PermFail" stat="500 5.4.6 Routing loop detected: Loop detected"

I have no idea what the issue is. This only happens when I send email to myself or to another user with this domain that is hosted on this mail server.

# cat dkimproxy_in.conf

# specify what address/port DKIMproxy should listen on
listen    200.100.240.135:10025

# specify what address/port DKIMproxy forwards mail to
relay     200.100.240.135:10026


# cat dkimproxy_out.conf

# specify what address/port DKIMproxy should listen on
listen    200.100.240.135:10027

# specify what address/port DKIMproxy forwards mail to
relay     200.100.240.135:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    mydomain.com

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile   /root/dkim.private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector  selector1

# control how many processes DKIMproxy uses
#  - more information on these options (and others) can be found by
#    running `perldoc Net::Server::PreFork'.
#min_servers 5
#min_spare_servers 2

... and that's everything ... thank you.

EDIT - here is the opensmtpd.conf:

table aliases file:/usr/local/etc/mail/aliases

filter check_dyndns phase connect match rdns regex \
    { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections"

filter check_rdns phase connect match !rdns \
    disconnect "550 no rDNS"

filter check_fcrdns phase connect match !fcrdns \
    disconnect "550 no FCrDNS"

listen on 200.100.240.135 filter { check_dyndns, check_rdns, check_fcrdns }

listen on 200.100.240.135 port 10028 tag DKIM

listen on 200.100.240.135 port submission

action "local_mail" mbox alias <aliases>
action "relay_dkim" relay host smtp://200.100.240.135:10027
action "outbound" relay helo mail.mydomain.com
match from any mail-from "[email protected]" action "local_mail"

match tag DKIM for any action "outbound"
match for any action "relay_dkim"

match from any for domain "mydomain.com" action "local_mail"
match for local action "local_mail"

match from any auth for any action "outbound"
match for any action "outbound"
Paul:
What OS are you using? Can you please post `smtpd.conf`?
user227963:
OS is FreeBSD. I can post the smtpd.conf but, again, everything works great - perfect score from mail-tester, DKIM signing is great ... everything works fine and I could email my own domain before adding dkimproxy ... it is only AFTER adding dkimproxy that I get a mail loop with my own domain ....
user227963:
OK, added the smtpd.conf ...
Paul:
If these are all on the same server, it is unusual to not use `lo0` or `127.0.0.1`. Is there any particular reason you are using DKIMproxy? That package doesn't appear to have been updated in ten years or so, plus it may be easier to find configuration examples for the tools used by OpenSMTPD maintainers, such as `rspamd` which is in FreeBSD ports, best I can tell, and is in `smtpd.conf(5)`. Evaluate closer on the `match` order since `smtpd` "match rules are evaluated sequentially, with the first match winning."
user227963:
I have to use dkimproxy because there is a weird freebsd binary compat issue with rspamd (and senderscore). So I am using dkimproxy which, again, WORKS GREAT ... it's just this weird loop sending to my own domain from my own domain ...
Paul:
Is there a reason you are using an external interface IP address instead of the loopback?
Score:1

This answer is written assuming no reason to use external interface for internal processes. The question does not include the pf.conf configuration which may have settings that conflict with normal mail processing when using an interface other than loopback and should have set skip on lo or equivalent configured.

smtpd.conf:

# Verify this is the correct location of aliases, which normally is
# located in /etc/mail/aliases. If you have changed aliases
# from default, be sure to run newaliases.
table aliases file:/usr/local/etc/mail/aliases

filter check_dyndns phase connect match rdns regex \
    { '.*\.dyn\..*', '.*\.dsl\..*' } \
    disconnect "550 no residential connections"

filter check_rdns phase connect match !rdns \
    disconnect "550 no rDNS"

filter check_fcrdns phase connect match !fcrdns \
    disconnect "550 no FCrDNS"

listen on 127.0.0.1 port 10028 tag DKIM
listen on 200.100.240.135 filter \
    { check_dyndns, check_rdns, check_fcrdns }
listen on 200.100.240.135 port submission

action "local_mail" mbox alias <aliases>
action "relay_dkim" relay host smtp+notls://127.0.0.1:10027
action "outbound" relay helo mail.mydomain.com

match tag DKIM for any action "outbound"
match mail-from "[email protected]" action "local_mail"
match from any for domain "mydomain.com" action "local_mail"
match from any auth for any action "outbound"
match for local action "local_mail"
match for any action "relay_dkim"

# I interpret this to be redundant:
# match for any action "outbound"

# This original configuration line seems nonsensical because
# "mail-from" is also "from any", so removed "from any"
# match from any mail-from "[email protected]" action "local_mail"

Even though dkimproxy_in.conf is configured, there is currently no authentication of DKIM headers in received messages as this is not configured in the original smtpd.conf, so I did not add it.

dkimproxy_in.conf:

# specify what address/port DKIMproxy should listen on
listen    127.0.0.1:10025

# specify what address/port DKIMproxy forwards mail to
relay     127.0.0.1:10026

dkimproxy_out.conf:

# specify what address/port DKIMproxy should listen on
listen    127.0.0.1:10027

# specify what address/port DKIMproxy forwards mail to
relay     127.0.0.1:10028

# specify what domains DKIMproxy can sign for (comma-separated, no spaces)
domain    mydomain.com

# specify what signatures to add
signature dkim(c=relaxed)
signature domainkeys(c=nofws)

# specify location of the private key
keyfile   /root/dkim.private.key

# specify the selector (i.e. the name of the key record put in DNS)
selector  selector1

# control how many processes DKIMproxy uses
#  - more information on these options (and others) can be found by
#    running `perldoc Net::Server::PreFork'.
#min_servers 5
#min_spare_servers 2
Paul:
It is probable this still requires some tweaking. Please test and comment.
user227963:
Thank you very much - this did indeed solve the mail loop.