I’m facing the following issue and I don’t know how to solve it.
Suppose a user starts a restore job. When this job is done, an email is sent to the user’s email address. This message is sent from the email address [email protected]. If the recipient’s email server is using rspamd, SpamAssassin, etc., then this email is rejected (with the error 550 High scoring spam message has been dropped), because it does not follow email best practices (like SPF, DKIM, etc.).
I suppose this is also true for password recovery emails, or other email messages that are sent by Hestia, but I haven’t tested those.
What I would like to accomplish is to be able to configure the Hestia server to use an external SMTP host (which is 100% compliant with email best practices) to send those emails. But I have no idea if this is possible or how to accomplish this.
Apart from using an external SMTP host, as I described above, is there any other way to configure Hestia so that the emails sent from the Control Panel are compatible with DKIM and SPF?
I’m not sure that this will work, because I see this in the email headers for the sent message:
X-Mailer: Php/libMailv1.3
which makes me think that even if I set up a mail domain for server.example.com and configured a mailbox named hestia, the sent emails will still not get signed with DKIM. I may be wrong though…
Complete headers below for a message as it is being sent now by Hestia:
Return-path: <[email protected]>
Received: from root by server.example.com with local (Exim 4.93)
(envelope-from <[email protected]>)
id 1lDOCM-008Cwi-Gc
for [email protected]; Sat, 20 Feb 2021 11:05:10 +0200
To: <[email protected] >
Subject: =?utf-8?B?c29feW91X2FyZV9zbWFydCDihpIgcmVzdG9yZSBoYXMgYmVlbiBjb21wbGV0ZWQ==?=
From: Hestia Control Panel <[email protected]>
X-Priority: 3 (Normal)
CC:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Mailer: Php/libMailv1.3
Message-Id: <[email protected]>
Date: Sat, 20 Feb 2021 11:05:10 +0200
My first try was with ssmtp, which is quite easy to configure. But that completely uninstalled exim4. So I removed it, installed exim4 again and made sure it works OK.
Nice find @eris. So I set up exim like this, allowing emails from some senders to go through the remote SMTP host. Working great as we speak.
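The exim configuration referred to in the post above is not shown in the thread, so here is an added example (not the poster's config and not Hestia's own exim template) of the routing described: a manualroute router that sends only mail from the panel's sender address to an authenticated, TLS-protected smarthost, leaving all other mail on the server's normal path. The relay host smtp.relay.example.net, the RELAY_USER/RELAY_PASSWORD placeholders, the `+local_domains` list name and the sender address hestia@server.example.com are assumptions.

```conf
# Added example, not from the thread or from Hestia's template.
# Assumed placeholders: smtp.relay.example.net, RELAY_USER, RELAY_PASSWORD,
# the sender hestia@server.example.com and the +local_domains list name.

# --- routers section: must come BEFORE the dnslookup router ---
hestia_smarthost:
  driver = manualroute
  # never hijack deliveries to domains hosted on this server
  domains = ! +local_domains
  # only the panel's notification sender takes this path;
  # all other senders fall through to the usual routers
  senders = hestia@server.example.com
  # every remote domain goes to the relay host
  route_list = * smtp.relay.example.net
  transport = remote_smtp_relay

# --- transports section ---
remote_smtp_relay:
  driver = smtp
  port = 587
  # refuse to deliver to the relay without STARTTLS and without
  # authenticating, so credentials never cross the wire in clear
  hosts_require_tls = *
  hosts_require_auth = *

# --- authenticators section (client side) ---
relay_login:
  driver = plaintext
  public_name = LOGIN
  # LOGIN sends username and password as two separate challenges
  client_send = : RELAY_USER : RELAY_PASSWORD
```

Note that the envelope sender stays hestia@server.example.com, so the SPF record for server.example.com must authorize the relay's outbound addresses, and DKIM alignment holds only if the relay signs with the d= domain matching the From header (otherwise the relay's own signing domain is unaligned for DMARC).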
Now I’m facing a different issue while trying to set up DKIM for the subdomain server.example.com. The zone for example.com is hosted on a different Hestia server (than the one I’m trying to send email from). I have an A record for server.example.com in that zone. When I try to add the TXT record for the DKIM for the subdomain (which is selector._domainkey.server.example.com) I get the error:
Error: invalid record format :: selector._domainkey.server.
Moving forward with this, I see that the From email of the Hestia notifications is hard-coded and cannot be configured in the panel. So I see only one possible solution to send out fully authenticated emails: create both a mail domain and a DNS domain for server.example.com and also create a mail user (mailbox) [email protected]
These need to be created on server.example.com. Here is the DNS zone for server.example.com:
$TTL 3600
@ IN SOA server.example.com. root.server.example.com. (
2021022111
7200
3600
1209600
180 )
@ 3600 IN NS server.example.com.
@ 3600 IN A 185.185.185.185
mail 3600 IN A 185.185.185.185
webmail 3600 IN A 185.185.185.185
@ 3600 IN MX 0 server.example.com.
@ 3600 IN TXT "v=spf1 a mx ip4:185.185.185.185 -all"
_dmarc 3600 IN TXT "v=DMARC1; p=quarantine; pct=100"
_domainkey 3600 IN TXT "t=y; o=~;"
mail._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=[very-long-string]"
But we also need to create a DNS entry on the authoritative name server for example.com. This will be the NS record for server.example.com like this:
server 3600 IN NS server.example.com.
Yes! It’s working.
Emails sent from Hestia (like restore complete notification) are fully authenticated with SPF and DKIM. Yay!
But…
I believe this setup is not optimal because we need to maintain different DNS zones and a mailbox, and it can be quite confusing for people not “fluent” with how the Domain Name System works. I think it would be easier to be able to configure the Hestia From address for system messages, and then add some config lines in exim to route messages to the correct SMTP host.
Why bother you ask?
I took the time to analyze this, because with every passing day email gets more and more complicated and pretty soon messages with no authentication will be dropped by default. When this happens, Hestia end users (and maybe admins) will get no email notifications from Hestia (unless they configure whitelists).