PMG DKIM Signing....

I can confirm that after adding the FROM header in the setup as described, system mails and reports get DKIM signed. The only drawback is that the date field is not signed and, for example, the DKIM check in Thunderbird still produces a warning. I can't tell if other mail providers like Google or Yahoo complain about that.
 
Thanks for keeping this thread updated!

The only drawback is that the date field is not signed and, for example, the DKIM check in Thunderbird still produces a warning. I

Thanks for the feedback! (not a Thunderbird user myself - so could not tell that this might be an issue).
From a quick test it seems that Date-headers should be part of the signature - so I assume the issue here is that they are not present when the mail is handed to postfix (see `cleanup(8)` - it adds certain headers if missing). If that's the issue we should add a Date header to those mails.
Could you please share:
* which of the system-generated mails caused this warning (admin-report, spam-report, notification?)
* maybe the headers of such a mail
this would make reproducing this quite a bit easier

Thanks!
 
I tested the admin report and the spam-report, which both lack the date field signature.

This one with the missing date header field from admin-report:
Code:
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.xxx; h=cc
    :content-transfer-encoding:content-type:content-type:from:from
    :mime-version:reply-to:subject:subject:to;

Example with correct signed date header from outgoing mail:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.xxx; h=cc
    :content-transfer-encoding:content-type:content-type:date:from
    :from:message-id:mime-version:reply-to:subject:subject:to:to;

Do you need any other headers?
 
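Added example, not part of any post in this thread and not Proxmox code: a Python check that lists headers present in a message but absent from the `h=` tag of each DKIM-Signature, run over constructed messages that reuse the two `h=` lists quoted above. The function names, the `EXPECTED` set and every header value other than the two `h=` lists are assumptions.

```python
import re
from email import message_from_string

# Headers checked for coverage (assumption: a subset of those RFC 6376 section 5.4.1 suggests signing).
EXPECTED = ("from", "date", "subject", "to", "message-id")

def parse_dkim_tags(value):
    """Split a (possibly folded) DKIM-Signature value into a tag -> value dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def signed_headers(value):
    """Lower-cased header names listed in the h= tag, duplicates preserved."""
    return [h.lower() for h in parse_dkim_tags(value).get("h", "").split(":") if h]

def coverage_gaps(raw_message):
    """Per signature: (d= domain, expected headers present in the mail but not in h=)."""
    msg = message_from_string(raw_message)
    present = {name.lower() for name in msg.keys()}
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        signed = set(signed_headers(sig))
        missing = [h for h in EXPECTED if h in present and h not in signed]
        report.append((parse_dkim_tags(sig).get("d"), missing))
    return report

# Constructed sample headers; only the two h= lists below are copied from the thread.
REST = ("Date: Mon, 01 Jan 2024 00:00:00 +0000\n"
        "Message-ID: <constructed-1@xxx.xxx>\n"
        "From: admin@xxx.xxx\nTo: postmaster@xxx.xxx\n"
        "Subject: constructed sample\n\nbody\n")
ADMIN_REPORT = (
    "Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.xxx; h=cc\n"
    "    :content-transfer-encoding:content-type:content-type:from:from\n"
    "    :mime-version:reply-to:subject:subject:to;\n" + REST)
OUTGOING = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx.xxx; h=cc\n"
    "    :content-transfer-encoding:content-type:content-type:date:from\n"
    "    :from:message-id:mime-version:reply-to:subject:subject:to:to;\n" + REST)

if __name__ == "__main__":
    for name, raw in (("admin report", ADMIN_REPORT), ("outgoing", OUTGOING)):
        print(name, coverage_gaps(raw))
```

To check a delivered mail, pass its raw source to `coverage_gaps`; a header that shows up as present but unsigned was either left out of `h=` by the signer or added after signing.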
I couldn't find a DKIM signature in the daily admin reports "Proxmox Status Report" e-mails.

What's also strange is that they have an empty envelope from:
Return-Path: <>
But that's likely a different issue.

In e-mails released from the quarantine I see that a DKIM signature is added, but it seems to be partially copied from the e-mail's original signature.

This is the first signature from the (spam) e-mail:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
	d=axo.ddnsgeek.com; s=cloudron;
	h=from:reply-to:subject:date:message-id:to:mime-version;
	bh=Oz7bwSZKtr0oDCraU899mkHz/jqLK1WQ4rEY0rhnZto=;
	b=Mj5e2xlO603Bejz8Mm3aiOqQG1znduTYwai9ztWMPYw217CGELAlbVOCN2fsGHWCB9RjGt7bR9
	YOu/tqwR0sKP6lJo+ydy9kf8SGIvJHDvX1B1gfvOY5kRjBGlT2oB88qQadeAoJdB4vRMUi7ii5K2
	LyBEL0VLlQHsoha1qGicM=
and this one gets added by mailguard:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	axo.ddnsgeek.com; h=cc:content-transfer-encoding:content-type
	:content-type:date:from:from:list-unsubscribe:message-id
	:mime-version:reply-to:reply-to:subject:subject:to:to; s=
	guardian; bh=Oz7bwSZKtr0oDCraU899mkHz/jqLK1WQ4rEY0rhnZto=; b=ND3
	NLRQdEGnYqz0B0jdxpn1jnPc5niU19XeGQsrDoUlzrjvKuVHkDf+SNGZgIW+XpZT
	Uz6Yv40teEp6zr7HO+E9DQSQ3PDErUfmRPs+gv52ImErBRTAyceiRc6hQJfPzGWe
	A/tuWmtg1BQlDXNn7M9G/XWpdPhmTl5cyLl6Ks61HzX14JZA9rnsgT9o6l2PFowF
	XwLQaSMcP8TuMnEJQrqm/iEUo6MQehQymmcZrzNgcwdT/GBB+Gun/TQ5BolOwr9o
	KViFayWYPtBOctfzXWiGvYMp19HxDB4j+p508LCXLuazvw7vsLMULiyWTiZAPjhC
	LaleecbOpeSkkzLEcQw==

The selector is correct, but the domain seems to be taken from the original sender?
 
couldn't find a DKIM signature in the daily admin reports "Proxmox Status Report" e-mails.

What's also strange is that they have an empty envelope from:
Return-Path: <>
see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_mailproxy_dkim
you need to configure an admin-mail-from with a domain, that would be signed by your PMG (either listed in dkimdomains, or if that's not present listed as relay domain).

In e-mails released from the quarantine I see that a DKIM signature is added, but it seems to be partially copied from the e-mail's original signature.
yes this is also intended (it should be fully copied not partially) - as the mail in quarantine keeps its From header - the dkim signature remains in place.

I hope this helps!
 
see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_mailproxy_dkim
you need to configure an admin-mail-from with a domain, that would be signed by your PMG (either listed in dkimdomains, or if that's not present listed as relay domain).

I didn't and still don't see any information on such an option in the linked DKIM section, but with the exact name I now found one in the Options section: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_options
It lists an admin-mail-from option.
We previously only had "email" set, now I also added "admin-mail-from" ('From:' for Admin Mail) in the UI.

However, after executing
sudo /usr/bin/pmgreport --timespan yesterday --auto
or just sudo /usr/bin/pmgreport, the e-mail won't contain an envelope-from.

In the journal pmgreport now doesn't log anymore the "DKIM signing: no domain found in the headers from ''" line as it did previously.

Maybe the DKIM signing only works when called as systemd timer?
 
sudo /usr/bin/pmgreport --timespan yesterday --auto
or just sudo /usr/bin/pmgreport, the e-mail won't contain an envelope-from.
the envelope-sender remains empty (in order to not generate bounces for those system-mails)

do the mails now contain a DKIM signature? - if not please check that the e-mail address you entered in the system options would get signed by PMG.

I didn't and still don't see any information on such an option in the linked DKIM section, but with the exact name I now found one in the Options section: https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_options
It lists an admin-mail-from option.
in the DKIM section there is a link to the system-option section (and around the link there is the explanation :)
 
the envelope-sender remains empty (in order to not generate bounces for those system-mails)

do the mails now contain a DKIM signature? - if not please check that the e-mail address you entered in the system options would get signed by PMG.

Okay, if the empty envelope is expected, then I can confirm that the pmgreport e-mails are now DKIM-signed. The DKIM-verifier confirms the validity, with the warnings that ToKaDe already mentioned ("Sign date: No time included in the signature" and "Expiration date: No time included in the signature").
 