Your question
I have a local application (Mailman3) which sends out emails through a listener. How can these mails be signed with DKIM?
The key issue here is that Stalwart’s default DKIM signing policy only signs messages from authenticated users. Since Mailman3 submits mail via SMTP (likely without authenticating as a user), the default expression is_local_domain(sender_domain) && !is_empty(authenticated_as) evaluates to false and the message is not signed.
You have two options:
Option 1 (Recommended): Configure Mailman3 to authenticate over SMTP.
Set up Mailman3 to submit via a local SMTP relay with an actual SMTP username/password. That way authenticated_as is populated, the default expression matches, and DKIM signing happens automatically.
Option 2: Modify the dkimSignDomain expression to cover unauthenticated local senders.
In the WebUI under Settings > MTA > Inbound > Sender Authentication, change the dkimSignDomain expression to also sign messages that come from a local domain even without authentication. For example:
{
  "dkimSignDomain": {
    "match": [{"if": "is_local_domain(sender_domain)", "then": "sender_domain"}],
    "else": "false"
  }
}
Be careful with this approach: removing the !is_empty(authenticated_as) guard means any unauthenticated sender claiming a local domain (e.g. from the internet, if your inbound policy permits it) would also get signed. Make sure your inbound rules prevent abuse before relaxing this.
Make sure you have a DkimSignature object already defined for your domain (in Management > Domains > DKIM Signatures) with an active key, and the corresponding DNS TXT record published.
Reference docs: DKIM Signing
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
I have now tried to authenticate from Mailman and got that working, but Stalwart does not allow the account to send with arbitrary addresses.
How can I allow the account to send with any address?
The setting you need is mustMatchSender, found in the AUTH Stage configuration.
By default it is set to true, meaning the authenticated account must match the MAIL FROM address. Since Mailman3 sends as various list addresses (e.g. [email protected]) but authenticates as a single service account, this check fails.
To disable the restriction for your Mailman3 account specifically, go to Settings > MTA > Session > AUTH Stage in the WebUI and change mustMatchSender to false (or to a conditional expression that only relaxes it for the Mailman3 account):
{
  "mustMatchSender": {
    "match": [{"if": "authenticated_as == '[email protected]'", "then": "false"}],
    "else": "true"
  }
}
This keeps the sender-matching protection for all other users while allowing the Mailman3 account to send from any address.
Reference docs: MtaStageAuth - mustMatchSender
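The decision logic from both bot answers, as an added example that is not part of this thread or of Stalwart's own code: it re-implements the dkimSignDomain and mustMatchSender expressions in plain Python and runs the default and relaxed variants over a few constructed SMTP sessions, including the unauthenticated sender claiming a local domain that the first answer warns about, and parses the DKIM-Signature header of a constructed outgoing message to derive the DNS name the public key must be published under. The domains, the mailman@example.org service account, the selector name and the signature values are assumptions, not values from the thread.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed placeholders; the thread's real domain and account are not visible.
LOCAL_DOMAINS = {"example.org", "lists.example.org"}
MAILMAN_ACCOUNT = "mailman@example.org"   # assumed Mailman3 service account


@dataclass(frozen=True)
class Session:
    """The parts of an SMTP submission the two expressions look at."""
    name: str
    mail_from: str          # envelope sender (MAIL FROM)
    authenticated_as: str   # "" when the client did not AUTH


def sender_domain(mail_from: str) -> str:
    return mail_from.rsplit("@", 1)[-1].lower()


def is_local_domain(domain: str) -> bool:
    return domain.lower() in LOCAL_DOMAINS


# dkimSignDomain variants: return the signing domain, or None for "false".
def dkim_default(s: Session) -> Optional[str]:
    """Default: is_local_domain(sender_domain) && !is_empty(authenticated_as)."""
    d = sender_domain(s.mail_from)
    return d if is_local_domain(d) and s.authenticated_as else None


def dkim_relaxed(s: Session) -> Optional[str]:
    """Option 2: the authentication guard removed."""
    d = sender_domain(s.mail_from)
    return d if is_local_domain(d) else None


# mustMatchSender variants: return whether MAIL FROM must equal the account.
def must_match_default(s: Session) -> bool:
    return True


def must_match_conditional(s: Session) -> bool:
    """Relaxed only for the Mailman3 account, still enforced for everyone else."""
    return s.authenticated_as.lower() != MAILMAN_ACCOUNT


def evaluate(s: Session,
             dkim_policy: Callable[[Session], Optional[str]],
             must_match: Callable[[Session], bool]) -> dict:
    """Outcome of one submission: accepted at MAIL FROM, and signed with which domain.
    mustMatchSender only applies to authenticated sessions; what an unauthenticated
    client may relay is decided by other rules that are not modelled here."""
    accepted = (not s.authenticated_as
                or not must_match(s)
                or s.mail_from.lower() == s.authenticated_as.lower())
    return {"accepted": accepted, "signed_domain": dkim_policy(s) if accepted else None}


SESSIONS = {
    # Mailman3 before SMTP AUTH was configured (the original problem).
    "mailman_unauth": Session("mailman_unauth", "announce@lists.example.org", ""),
    # Mailman3 after configuring AUTH: one account, many list addresses.
    "mailman_auth": Session("mailman_auth", "announce@lists.example.org", MAILMAN_ACCOUNT),
    # Unauthenticated client from the internet claiming a local domain.
    "internet_spoof": Session("internet_spoof", "ceo@lists.example.org", ""),
    # An ordinary authenticated user trying to send as someone else.
    "user_spoof": Session("user_spoof", "ceo@example.org", "alice@example.org"),
}


def dkim_signature_record(raw_headers: str) -> Optional[dict]:
    """Extract d= and s= from a DKIM-Signature header and return the DNS owner
    name whose TXT record must carry the matching public key."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)   # undo RFC 5322 folding
    for line in unfolded.splitlines():
        if not line.lower().startswith("dkim-signature:"):
            continue
        tags = {}
        for part in line.split(":", 1)[1].split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                tags[k.strip().lower()] = v.strip()
        if "d" in tags and "s" in tags:
            d = tags["d"].lower()
            return {"d": d, "s": tags["s"], "dns_name": f"{tags['s']}._domainkey.{d}"}
    return None


# Constructed headers of a message as it might leave the server; bh= and b= are dummies.
SAMPLE_HEADERS = (
    "From: Announce <announce@lists.example.org>\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org;\r\n"
    "\ts=stalwart; h=from:to:subject:date; bh=ZHVtbXk=; b=ZHVtbXk=\r\n"
    "Subject: test\r\n"
)

if __name__ == "__main__":
    for dkim_policy in (dkim_default, dkim_relaxed):
        for must_match in (must_match_default, must_match_conditional):
            print(f"\n{dkim_policy.__name__} + {must_match.__name__}")
            for s in SESSIONS.values():
                print(f"  {s.name:15} {evaluate(s, dkim_policy, must_match)}")
    print("\nkey must be published at:", dkim_signature_record(SAMPLE_HEADERS)["dns_name"])
```

The matrix makes the trade-off of the two answers visible: with the default dkimSignDomain plus the conditional mustMatchSender, the authenticated Mailman3 session is accepted and signed while the internet spoof is not signed and the ordinary user's spoof is still rejected; with the relaxed dkimSignDomain, the internet spoof is signed as well. After deploying either variant, run dkim_signature_record over a message that actually left the server and confirm the returned dns_name is the TXT record you published.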