[SOLVED] PMG 6.2 DKIM signing fail

ddangel0

Aug 21, 2020
Hello, I'm testing PMG 6.2 and I activated DKIM for my domains. I created a selector: pmg; the GUI then generated the private key in /etc/pmg/dkim/pmg.private, and then I added the record in DNS:

pmg._domainkey IN TXT "v=DKIM1; h=sha256; k=rsa; "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCTZGJvrVIH7gcl6Lgr55xATxTcsWNvMQXIdpHzuI8tDpIQfDVOuCwZyJe1nZaL9t68rzqp4FIQiM0vCgL6gTQVXPDXETxYb4Bt5VLY9pbMIq0TE85vPJ8uS+8i1sIcj1m7dQkdPv3dqi7hqsLYdwws1w71XI4HvYQYqLmILFGLwIDAQAB"

dig txt pmg._domainkey.rosario.gov.ar
looks fine.
I tested it with https://www.mailhardener.com/tools/dkim-validator
and it's OK.

When I send emails to Gmail and everywhere:

Header in Gmail:

dkim=fail header.i=@rosario.gov.ar header.s=pmg header.b=sWf9HTnX;


On the other hand, I execute:

openssl rsa -in /etc/pmg/dkim/pmg.private -pubout -outform der 2>/dev/null | openssl base64 -A

and the result is the exact key in the DNS TXT.

Something is surely escaping me, what could it be?
 
Could you post the DKIM header of a mail signed by PMG (just send it to an external address)?
 
The signature seems strange - the signed headers are:
Code:
h=cc:from:reply-to:subject:to;
However, PMG does sign a few headers once more than they appear (oversigns them): from, to, cc, reply-to, subject (i.e. all of those headers should be present 2x in the header field of the DKIM signature, if they exist in the mail).

Is the signing happening on PMG with PMG's DKIM configuration (GUI->Configuration->Mail Proxy->DKIM)?


One potential further cause of the signature being treated as invalid is that the key is 1024 bits - and Gmail could consider this too short.
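
The header check described in the reply above, as an added example that is not part of the original post and is not PMG's code: it counts how often each of the five headers occurs in the mail and in the `h=` tag of the DKIM-Signature, so a signature made without the oversigning described above stands out. The sample messages, addresses and the `CONSTRUCTED` values are made up for the example.

```python
import re
from collections import Counter
from email import message_from_string

# Headers the thread says PMG lists once more than they occur (oversigning).
OVERSIGNED = ("from", "to", "cc", "reply-to", "subject")

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def oversign_report(raw_message):
    """Return (selector, {header: (in_mail, in_h_tag, oversigned)})."""
    msg = message_from_string(raw_message)
    tags = dkim_tags(msg["DKIM-Signature"])
    listed = Counter(h.lower() for h in tags["h"].split(":") if h)
    report = {}
    for name in OVERSIGNED:
        in_mail = len(msg.get_all(name, []))
        if in_mail or listed[name]:
            report[name] = (in_mail, listed[name], listed[name] > in_mail)
    return tags.get("s"), report

# Constructed sample: each header listed once, like the h= quoted in the thread.
SINGLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    "\ts=pmg; h=cc:from:reply-to:subject:to;\n"
    "\tbh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: a@example.org\nTo: b@example.net\nCc: c@example.net\n"
    "Reply-To: a@example.org\nSubject: test\n\nbody\n"
)
# Constructed sample: headers that exist are listed twice (oversigned).
DOUBLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    "\ts=pmg; h=from:from:to:to:subject:subject;\n"
    "\tbh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: a@example.org\nTo: b@example.net\nSubject: test\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("single", SINGLE), ("double", DOUBLE)):
        print(label, oversign_report(raw))
```

A report in which every header is listed only as often as it occurs points to a signer other than the one described in the reply, for example another DKIM milter in the mail path.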
 
I have used the DKIM settings in the GUI.
On the other hand, on another server with postfix and opendkim using the same selector and private key (1024 bit), you can sign the emails well.
I'm going to try using a 2048 key; so far I haven't.
 
Then this sounds odd - if the mail actually does have a From, To, CC header...

Please send a mail through your PMG - to some other address apart from Gmail - to see if the header arrives intact there.
 
I have tried to create a new selector in Proxmox with 2048 bits, then added to the DNS the public key that the GUI shows, checked with a DNS query and that is fine, but when I activate the signing of emails in Proxmox, the signature keeps failing DKIM, in Hotmail, Gmail and Yahoo (others I have not tried).

So I conclude that it does not work, at least with this version 6.2-5.
On the other hand, I made it work by deactivating the DKIM signing in PMG and activating it with opendkim and milters, using this guide:

https://www.sysadminsdecuba.com/2018/07/configurando-dkim-sobre-proxmox-mail-gateway/amp/

I have used the same selector that I had previously created with PMG and it works without problem.
 
DKIM signing works here (I just tested it in a test setup and the signature verifies for rspamd).

Try sending an e-mail to an external address (not Gmail, Yahoo, Hotmail, but something smaller) and paste the mail here - then we can check if the signature verifies.
 
Mysteriously, after having deactivated the signatures with DKIM, and activated it again, I did a last test and the signature succeeded.
The funny thing about all this is that I did this process around at least 5 times.
This last time it worked alone, and I don't understand why.

 
That sounds odd - here it worked directly.
Do you have a clustered environment?
Check the system's journal for any messages related to a restart/reload of pmg-smtp-filter around the time when you made the change.

In any case - glad it worked now!
 
Yes, it is a cluster! But I don't find any issue.
When I make a modification in the master through the guide, I always check for hysterical, if the change was applied in the node, and that has never failed, also in the logs I have not found any indication of any synchronization problem.
In syslog, nothing

root@smtpsrv3:~# pmgcm status
NAME(CID)--------------IPADDRESS----ROLE-STATE---------UPTIME---LOAD----MEM---DISK
smtpsrv4(2) 192.168.1.154 node A 5 days 04:10 0.05 46% 12%
smtpsrv3(1) 192.168.1.153 master A 4 days 01:13 0.00 22% 10%

Where else do you think I could look for some indication where the problem was?
Thank you very much for the support
 
