DKIM Signing NDR Emails

adam.sage

Member
Feb 8, 2019
32
0
11
35
I have outgoing email DKIM signing set up using this tutorial https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg However, our NDR messages are not getting signed and I am lost as to why. Due to that, our NDR messages are either completely blocked or sent to spam by most email servers because the DMARC check is failing. SPF passes but does not align because the reply-to is blank. I'm assuming I'm missing something in /etc/pmg/templates/master.cf.in but I do not know what.
 
Haven't dealt with dkim/dmarc myself and cannot say too much about the tutorial - but as far as I see it handles this via milter.

Check out the milter_readme of postfix (http://www.postfix.org/MILTER_README.html - look for 'Signing internally-generated bounce messages')
Hope this helps!
 
I added internal_mail_filter_classes = bounce to the bottom of /etc/postfix/main.cf but it did not make a difference. I also tried editing the bounce line in /etc/pmg/templates/master.cf.in to
bounce unix - - - - 0 bounce
-o smtpd_milters=unix:/var/run/opendkim/signer.sock
But that also had no effect. Any other ideas or did I do something wrong?
 
After learning a bit more about the templates what I had above probably wouldn't have worked anyway. I added the internal_mail_filter_classes = bounce line to /etc/pmg/templates/main.cf.in but still am not getting the messages signed.
 
hm - could you provide a (anonymized) sample of the mail.log for:
* a mail which gets signed successfully
* a bounce which does not get signed
 
Signed:
Feb 15 09:48:24 mg1 postfix/smtpd[1451]: connect from unknown[x.x.x.x]
Feb 15 09:48:24 mg1 postfix/smtpd[1451]: Anonymous TLS connection established from unknown[x.x.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Feb 15 09:48:24 mg1 postfix/smtpd[1451]: 58997220A38: client=unknown[x.x.x.x]
Feb 15 09:48:24 mg1 postfix/cleanup[1453]: 58997220A38: info: header From: Adam Sage <internalemail@internaldomain.com> from unknown[x.x.x.x]; from=<internalemail@internaldomain.com> to=<externalemail@externaldomain.com> proto=ESMTP helo=<internal.exchange.server.com>
Feb 15 09:48:24 mg1 postfix/cleanup[1453]: 58997220A38: info: header To: Adam <externalemail@externaldomain.com> from unknown[x.x.x.x]; from=<internalemail@internaldomain.com> to=<externalemail@externaldomain.com> proto=ESMTP helo=<internal.exchange.server.com>
Feb 15 09:48:24 mg1 postfix/cleanup[1453]: 58997220A38: info: header Subject: DKIM test from unknown[x.x.x.x]; from=<internalemail@internaldomain.com> to=<externalemail@externaldomain.com> proto=ESMTP helo=<internal.exchange.server.com>
Feb 15 09:48:24 mg1 postfix/cleanup[1453]: 58997220A38: message-id=<9ef7d5c529b74763ad681725cebd3769@internal.exchange.server.com>
Feb 15 09:48:24 mg1 postfix/qmgr[1086]: 58997220A38: from=<internalemail@internaldomain.com>, size=41977, nrcpt=1 (queue active)
Feb 15 09:48:24 mg1 postfix/smtpd[1451]: disconnect from unknown[x.x.x.x] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 15 09:48:24 mg1 pmg-smtp-filter[1333]: 2217EF5C66D13871667: new mail message-id=<9ef7d5c529b74763ad681725cebd3769@internal.exchange.server.com>
Feb 15 09:48:24 mg1 postfix/smtpd[1460]: connect from localhost.localdomain[127.0.0.1]
Feb 15 09:48:24 mg1 postfix/smtpd[1460]: D167E2217F0: client=localhost.localdomain[127.0.0.1], orig_client=unknown[x.x.x.x]
Feb 15 09:48:24 mg1 postfix/cleanup[1453]: D167E2217F0: message-id=<9ef7d5c529b74763ad681725cebd3769@internal.exchange.server.com>
Feb 15 09:48:24 mg1 postfix/qmgr[1086]: D167E2217F0: from=<internalemail@internaldomain.com>, size=42718, nrcpt=1 (queue active)
Feb 15 09:48:24 mg1 postfix/smtpd[1460]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Feb 15 09:48:24 mg1 pmg-smtp-filter[1333]: 2217EF5C66D13871667: accept mail to <externalemail@externaldomain.com> (D167E2217F0)
Feb 15 09:48:24 mg1 pmg-smtp-filter[1333]: 2217EF5C66D13871667: processing time: 0.439 seconds (0, 0.18)
Feb 15 09:48:24 mg1 postfix/lmtp[1455]: 58997220A38: to=<externalemail@externaldomain.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.67, delays=0.1/0.02/0.04/0.51, dsn=2.5.0, status=sent (250 2.5.0 OK (2217EF5C66D13871667))
Feb 15 09:48:24 mg1 postfix/qmgr[1086]: 58997220A38: removed
Feb 15 09:48:25 mg1 postfix/smtp[1461]: D167E2217F0: to=<externalemail@externaldomain.com>, relay=gmail-smtp-in.l.google.com[173.194.205.26]:25, delay=0.88, delays=0.05/0.02/0.41/0.39, dsn=2.0.0, status=sent (250 2.0.0 OK 1550242105 s44si3692625qvs.36 - gsmtp)
Feb 15 09:48:25 mg1 postfix/qmgr[1086]: D167E2217F0: removed

Not Signed:
Feb 15 09:50:04 mg1 postfix/cleanup[1467]: C802B2217EF: info: header From: MAILER-DAEMON (Mail Delivery System) from local; from=<> to=<externalemail@externaldomain.com>
Feb 15 09:50:04 mg1 postfix/cleanup[1467]: C802B2217EF: info: header Subject: Undelivered Mail Returned to Sender from local; from=<> to=<externalemail@externaldomain.com>
Feb 15 09:50:04 mg1 postfix/cleanup[1467]: C802B2217EF: info: header To: externalemail@externaldomain.com from local; from=<> to=<externalemail@externaldomain.com>
Feb 15 09:50:04 mg1 postfix/cleanup[1467]: C802B2217EF: message-id=<20190215145004.C802B2217EF@pmg.gateway.com>
Feb 15 09:50:04 mg1 postfix/qmgr[1086]: C802B2217EF: from=<>, size=6462, nrcpt=1 (queue active)
Feb 15 09:50:05 mg1 postfix/smtp[1461]: C802B2217EF: to=<externalemail@externaldomain.com>, relay=gmail-smtp-in.l.google.com[173.194.205.26]:25, delay=0.5, delays=0.08/0/0.18/0.24, dsn=2.0.0, status=sent (250 2.0.0 OK DMARC:Quarantine 1550242205 x53si1407028qvh.161 - gsmtp)
Feb 15 09:50:05 mg1 postfix/qmgr[1086]: C802B2217EF: removed
 
Last edited:
Thats odd my NDR are getting signed what does not get signed is when proxmox rejects and email
 
same question new pmg 6.1 with where dkim signing are integrated. i enabled sign-all-outgoing-mails, bot rejected/notified emails by filters dose not signed with dkim?
 
but i guess thats normal the rejected emails not getting signed not sure if its real important or maybe in the future they will add it
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!