I can confirm that after adding the FROM header in the setup as described, system mails and reports get DKIM signed. The only drawback is that the date field is not signed and, for example, the DKIM check in Thunderbird still produces a warning. I can't tell If other mail providers like google or yahoo complain about that.
PMG DKIM Signing....
- Thread starter proxnoci
- Start date
Thanks for keeping this thread updated!
Thanks for the feedback! (not a Thunderbird user myself - so could not tell that this might be an issue).
From a quick test it seems that Date-headers should be part of the signature - so I assume the issue here is that they are not present when the mails is handed to postfix (see `cleanup(8)` - it adds certain headers if missing). - If that's the issue we should add a Date header to those mails.
Could you please share:
* which of the system-generated mails caused this warning (admin-report, spam-report, notification?)
* maybe the headers of such a mail
this would make reproducing this quite a bit easier
Thanks!
Thanks for the feedback! (not a Thunderbird user myself - so could not tell that this might be an issue).
From a quick test it seems that Date-headers should be part of the signature - so I assume the issue here is that they are not present when the mails is handed to postfix (see `cleanup(8)` - it adds certain headers if missing). - If that's the issue we should add a Date header to those mails.
Could you please share:
* which of the system-generated mails caused this warning (admin-report, spam-report, notification?)
* maybe the headers of such a mail
this would make reproducing this quite a bit easier
Thanks!
I tested the admin report and the spam-report, which both lack the date field signature.
This one with the missing date header field from admin-report:
Example with correct signed date header from outgoing mail:
Do you need any other headers?
This one with the missing date header field from admin-report:
Code:
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.xxx; h=cc
:content-transfer-encoding:content-type:content-type:from:from
:mime-version:reply-to:subject:subject:to;Example with correct signed date header from outgoing mail:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.xxx; h=cc
:content-transfer-encoding:content-type:content-type:date:from
:from:message-id:mime-version:reply-to:subject:subject:to:to;Do you need any other headers?
I couldn't find a DKIM signature in the daily admin reports "Proxmox Status Report" e-mails.
What's also strange is that they have an empty envelope from:
Return-Path: <>
But that's likely a different issue.
In e-mails released from the quarantine I see that a DKIM signature is added, but seems to be partially copied from the e-mails original signature.
This is the first signature from the (spam) e-mail:
and this one gets added by mailguard:
What's also strange is that they have an empty envelope from:
Return-Path: <>
But that's likely a different issue.
In e-mails released from the quarantine I see that a DKIM signature is added, but seems to be partially copied from the e-mails original signature.
This is the first signature from the (spam) e-mail:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=axo.ddnsgeek.com; s=cloudron;
h=from:reply-to:subject:date:message-id:to:mime-version;
bh=Oz7bwSZKtr0oDCraU899mkHz/jqLK1WQ4rEY0rhnZto=;
b=Mj5e2xlO603Bejz8Mm3aiOqQG1znduTYwai9ztWMPYw217CGELAlbVOCN2fsGHWCB9RjGt7bR9
YOu/tqwR0sKP6lJo+ydy9kf8SGIvJHDvX1B1gfvOY5kRjBGlT2oB88qQadeAoJdB4vRMUi7ii5K2
LyBEL0VLlQHsoha1qGicM=
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
axo.ddnsgeek.com; h=cc:content-transfer-encoding:content-type
:content-type:date:from:from:list-unsubscribe:message-id
:mime-version:reply-to:reply-to:subject:subject:to:to; s=
guardian; bh=Oz7bwSZKtr0oDCraU899mkHz/jqLK1WQ4rEY0rhnZto=; b=ND3
NLRQdEGnYqz0B0jdxpn1jnPc5niU19XeGQsrDoUlzrjvKuVHkDf+SNGZgIW+XpZT
Uz6Yv40teEp6zr7HO+E9DQSQ3PDErUfmRPs+gv52ImErBRTAyceiRc6hQJfPzGWe
A/tuWmtg1BQlDXNn7M9G/XWpdPhmTl5cyLl6Ks61HzX14JZA9rnsgT9o6l2PFowF
XwLQaSMcP8TuMnEJQrqm/iEUo6MQehQymmcZrzNgcwdT/GBB+Gun/TQ5BolOwr9o
KViFayWYPtBOctfzXWiGvYMp19HxDB4j+p508LCXLuazvw7vsLMULiyWTiZAPjhC
LaleecbOpeSkkzLEcQw==
[CODE]
The selector is correct, but the domain seems to be taken from the original sender?see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_mailproxy_dkim
you need to configure a admin-mail-from with a domain, that would be signed by your PMG (either listed in dkimdomains, or if that's not present listed as relay domain).
yes this is also intended (it should be fully copied not partially) - as the mail in quarantine keeps its From header - the dkim signature remains in place.
I hope this helps!
I didn't and still don't see any information on such an option in the linked DKIM section, but with the exact name I now found one in the Options section: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_options
It lists an admin-mail-from option.
We previously only had "email" set, now I also added "admin-mail-from" ('From:' for Admin Mail) in the UI.
However, after executing
sudo /usr/bin/pmgreport --timespan yesterday --auto
or just sudo /usr/bin/pmgreport, the e-mail won't contain an envelope-from.
In the journal pmgreport now doesn't log anymore the "DKIM signing: no domain found in the headers from ''" line as it did previously.
Maybe the DKIM signing only works when called as systemd timer?
the envelope-sender remains emtpy (in order to not generate bounces for those system-mails)
do the mails now contain a DKIM signature? - if not please check that the e-mail address you entered in the system options would get signed by PMG.
in the DKIM section there is a link to the system-option section (and around the link there is the explanation
Okay, if the empty envelope is expected, then I can confirm that the pmgreport e-mails are now DKIM-signed. The DKIM-verifier confirms the validity, with the warnings that ToKaDe already mentioned ("Sign date: No time included in the signature" and "Expiration date: No time included in the signature").
I sent a patch to add the date-header to the generated mails inside our stack - so that they can be covered by the DKIM signature:
https://lore.proxmox.com/pmg-devel/20250310180612.21877-1-s.ivanov@proxmox.com/T/#t
once this or an improved version is applied the warnings should vanish.