[TUTORIAL] Authenticated SMTP, DKIM and DMARC

Discussion in 'Mail Gateway: Installation and configuration' started by danielb, Oct 17, 2018.

  1. danielb

    danielb Member

    Hi there. Here's a how-to for adding authenticated SMTP (smtps and submission against AD, or LDAP), DKIM (both verifier for inbound and signer for outbound) and DMARC support to PMG:

    https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg

    (This is a "translation" from what I do using ansible, so, I hope I haven't missed anything, please let me know)
     
  2. killmasta93

    killmasta93 Member

    Really great guide. Would this apply for the outbound, even if postfix (email server behind proxmox) has its own DKIM and DMARC?
     
  3. danielb

    danielb Member

    There's no point in doing the checks twice. The goal is to have Proxmox Mail Gateway handling all the verifications and filtering, and then pass the good email to a "dumb" SMTP server, which won't filter anything.
     
  4. killmasta93

    killmasta93 Member

    Very good point. By any chance, do you have a tutorial on configuring postfix (email server) to use the smarthost (proxmox) to send mails? I have tried but have not been able to configure it, as the proxmox logs keep saying user not found.
     
  5. danielb

    danielb Member

    You need to add something like this in main.cf

    Code:
    relayhost = [pmg.domain.tld]:26

    Port 26 of your Proxmox Mail Gateway should be reachable
     
  6. tom

    tom Proxmox Staff Member
    Staff Member

    See GUI.

    Configuration/Mail Proxy/Relaying: Smarthost
     
  7. danielb

    danielb Member

    In this case, @killmasta93 wants to use PMG as a smarthost from another postfix (at least that's how I understand it), so, PMG's GUI cannot help here ;-)
     
  8. DerDanilo

    DerDanilo Member
    Proxmox Subscriber

    Where can we access the Ansible playbooks you used? Way better than to do everything manually.

    Thanks!
     
  9. danielb

    danielb Member

    It's too tightly integrated with tons of other things I set up (IMAP proxying, AD auth etc...) to be usable as is. That's why I don't share them publicly. I'll send you a PM with a link if you're interested.
     
  10. DerDanilo

    DerDanilo Member
    Proxmox Subscriber

    @tom Can Proxmox please integrate DKIM? This is needed very much and actually a bummer on many occasions, so that I cannot recommend PMG to customers who absolutely require DKIM. Customization is not an option for everybody, especially when a consultant sets up the system and a firm doesn't have IT personnel who can take care of the system immediately if something goes wrong.

    Thanks!
     
  11. killmasta93

    killmasta93 Member

  12. killmasta93

    killmasta93 Member

    Well, the fix was removing the smart host, and it started to work, if anyone else gets the same issue.
     
  13. killmasta93

    killmasta93 Member

    @danielb
    I was trying to configure using your tutorial but encountered some issues and have a few questions, which I was wondering if you could shed some light on?

    1) For "Enable authenticated ports", I'm guessing it's not necessary, even though I have a postfix email server and all my users authenticate with 465 SSL, then postfix relays to proxmox on port 25

    2) For this part

    Code:
    cat <<_EOF > /etc/opendkim/signingtable
    # Add one line per domain you want to sign when email are being sent.
    # You can use different keys if needed
    # Or just use a wildcard to sign everything with the same key
    * default
    _EOF
    cat <<_EOF > /etc/opendkim/keytable
    default domain.tld:default:/etc/opendkim/keys/default/default.private
    _EOF

    the * default I would change to mydomain.com without the asterisk?
    And the second part would be like this

    Code:
    default mydomain.com:default:/etc/opendkim/keys/default/default.private

    3) Once I have the DKIM key, how can I find it to put it on the domain? I tried sending the email; it still stays dkim fail. On my postfix I would install

    Code:
    apt-get install opendkim opendkim-tools

    then configure it, and at the end I would need to generate the keys

    Code:
    opendkim-genkey -t -s mail -d mydomain.com

    then I could cat mail.txt to get the keys to put it on the domain

    Thank you
     
    #13 killmasta93, Dec 24, 2018
    Last edited: Dec 24, 2018
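
Added example (not part of the post above or of danielb's tutorial): a Python check that the selector in a KeyTable line matches the record that `opendkim-genkey` wrote to `<selector>.txt`, and that derives the DNS name where the TXT record has to be published. The inputs are constructed from the values quoted in the post; the `p=` value is a placeholder and the function names are hypothetical.

```python
import re

# Constructed sample inputs; the p= value is a placeholder, not a real key.
KEYTABLE_LINE = "default mydomain.com:default:/etc/opendkim/keys/default/default.private"
GENKEY_TXT = '''mail._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; t=y; "
\t  "p=PLACEHOLDERBASE64PART1"
\t  "PLACEHOLDERBASE64PART2" )  ; ----- DKIM key mail for mydomain.com
'''

def parse_keytable(line):
    """KeyTable entry: <key name> <domain>:<selector>:<private key path>."""
    keyname, value = line.split(None, 1)
    domain, selector, path = value.strip().split(":", 2)
    return {"keyname": keyname, "domain": domain, "selector": selector, "path": path}

def parse_genkey_txt(text):
    """Parse the <selector>.txt zone snippet written by opendkim-genkey."""
    m = re.match(r"\s*(\S+)\._domainkey\s+IN\s+TXT\s+\((.*?)\)", text, re.S)
    if not m:
        raise ValueError("not an opendkim-genkey TXT record")
    # Long keys are split into several quoted strings; DNS concatenates them.
    value = "".join(re.findall(r'"([^"]*)"', m.group(2)))
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    return {"selector": m.group(1), "value": value, "tags": tags}

def check(keytable_line, genkey_txt):
    """Compare what the signer will announce with what the record would publish."""
    kt, rec = parse_keytable(keytable_line), parse_genkey_txt(genkey_txt)
    problems = []
    if kt["selector"] != rec["selector"]:
        problems.append(f"signer uses selector {kt['selector']!r}, "
                        f"record was generated for {rec['selector']!r}")
    if "y" in rec["tags"].get("t", "").split(":"):
        problems.append("t=y: record is flagged as testing mode")
    if not rec["tags"].get("p"):
        problems.append("empty p= tag: no usable public key")
    # Verifiers query <selector>._domainkey.<domain> using the signer's selector.
    return {"dns_name": f"{kt['selector']}._domainkey.{kt['domain']}",
            "txt_value": rec["value"], "problems": problems}

if __name__ == "__main__":
    result = check(KEYTABLE_LINE, GENKEY_TXT)
    print("publish TXT at:", result["dns_name"])
    print("value:", result["txt_value"])
    for p in result["problems"]:
        print("warning:", p)
```

The `txt_value` it returns is the single string to paste into a DNS provider's TXT field, with the zone-file quoting and line splitting removed.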
  14. William Edwards

    Proxmox Subscriber

    Can you share your Ansible tasks? I want to automate exactly this in Ansible while you have translated it to commands :)
     
  15. ChFin

    ChFin Member
    Proxmox Subscriber

    @danielb Why did you implement a DKIM verifier? Isn't verification already done by the spamassassin DKIM plugin?
     
  16. danielb

    danielb Member

    Because we need a DKIM verifier which adds the needed headers so that DMARC can act, and reject the mail if it's the sender's policy. The spamassassin DKIM verifier just adjusts the score (and usually, it just adds (or removes when valid) a tiny 0.1 or similar).
     
  17. adam.sage

    adam.sage Member

  18. danielb

    danielb Member

    Thx for the missing .conf, I've fixed it. Can you elaborate on the permission issue? And for Background false, it's on purpose. The systemd units created are of type simple, so the daemon must not double fork to run in the background.
     
  19. adam.sage

    adam.sage Member

    For the permission issues it's just that. In the logs I was seeing: warning: connect to Milter service unix:/var/run/opendkim/signer.sock: Permission denied and same for verifier. I'm assuming if I would have just set the permissions on the files it would work, but I chose to just follow what was posted in the stack exchange article.

    For the service file, I was getting errors in syslog about the service timing out. Changing to background mode keeps the timeouts from happening but from what you said may have consequences I did not consider. I'm anything but an expert with this stuff but I would think it would take longer to keep running the service over and over than keeping it open in the background.
     
    #19 adam.sage, Feb 15, 2019
    Last edited: Feb 15, 2019