
Re: Gmail bounce unauthenticated @debian.org addresses



On Fri, 4 Mar 2022 at 23:34, Ansgar <ansgar@43-1.org> wrote:
> On Fri, 2022-03-04 at 13:27 +0100, Stephan Lachnit wrote:
> > On Fri, Mar 4, 2022 at 12:47 PM Baptiste Beauplat <lyknode@cilg.org>
> > wrote:
> > > As a reminder debian.org addresses do support DKIM. After
> > > configuration on your mail server, you can publish your DKIM public
> > > key
> > > to db.debian.org [1][2].
> >
> > Can you point to some quick guide on how to do this for gmail? The
> > support page seems kinda confusing to me.
>
> This usually requires you running your own mail server (for outgoing
> mail).
>
> I don't think mail providers like GMail allow you to set up DKIM for
> individual IP addresses.

This is basically how I do it. My setup is I have G-Suite or whatever its name is this week and a separate outbound server. I'm not sure what the "to do this for gmail" means here, so there are three parts to this:
* What Gmail does with DKIM
* How I send emails from @debian.org using mutt etc
* How I send emails from @debian.org using Gmail

First, Gmail likes DKIM signed mails; some of these bounces are caused by DKIM problems. DKIM is basically a signature to say the sender's server is allowed to send those emails. You have to set it up (sign) on the outbound servers and check it on the inbound servers.

For any of my servers/laptops I send outbound email to my own outbound server. This server signs emails using opendkim with the dropbear.xyz key or the debian key depending on the from address. It's no good sending email from joe@cow.com with a key good for joe@sheep.net.

Last of all, to send emails within Gmail using csmall@debian.org as my from address, you go into Settings->Accounts->Send mail as. The outbound mailserver is my server (that signs my debian emails). Of course my outbound server requires a username and password to send emails so that is recorded in the settings too (and is unique for each sending system/server).

The result is this goodness I can see with an email from my laptop into Gsuite using my debian email address:
Authentication-Results: mx.google.com;
       dkim=pass header.i=@debian.org header.s=debian1.csmall.user header.b=uVHcNrjO;

header.i is identity, e.g. what domain are you trying to prove you can use. header.s is selector, which is what method/key am I using to prove this. header.b is the hash/signature.

I'm a network engineer, not a mail server admin so this might not be 100%, but it does give me the happy mailserver headers I want.

 - Craig
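
The check described in the message above, as an added example that is not part of the original post: it reads the Authentication-Results header of a received message and reports whether a passing DKIM signature was made for the same domain as the From address. The function names, the From and Subject lines of the sample, and the exact-match (strict) comparison are assumptions; the Authentication-Results value is the one quoted in the post.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; only the Authentication-Results value comes from the post.
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@debian.org header.s=debian1.csmall.user header.b=uVHcNrjO;
From: Example Sender <sender@debian.org>
Subject: constructed test message

body
"""

def dkim_results(raw):
    """Return one dict per dkim= entry found in any Authentication-Results header."""
    msg = message_from_string(raw)
    out = []
    for value in msg.get_all("Authentication-Results", []):
        # Entries are ';'-separated; the first one is the verifying server's id.
        for part in value.split(";")[1:]:
            m = re.match(r"\s*dkim=(\w+)", part)
            if not m:
                continue
            # header.i / header.d / header.s / header.b become keys i, d, s, b.
            props = dict(re.findall(r"header\.(\w)=(\S+)", part))
            out.append({"result": m.group(1).lower(), **props})
    return out

def signing_domain(entry):
    """Domain from header.d if present, else the part of header.i after '@'."""
    ident = entry.get("d") or entry.get("i", "")
    return ident.rsplit("@", 1)[-1].lower().rstrip(".")

def aligned_dkim_pass(raw):
    """True if a DKIM signature passed AND its domain equals the From domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    return bool(from_domain) and any(
        e["result"] == "pass" and signing_domain(e) == from_domain
        for e in dkim_results(raw)
    )

if __name__ == "__main__":
    print(dkim_results(SAMPLE))
    print("aligned DKIM pass:", aligned_dkim_pass(SAMPLE))
```
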

