[TUTORIAL] Authenticated SMTP, DKIM and DMARC

killmasta93

Really great guide. Would this apply for the outbound, even if Postfix (email server behind Proxmox) has its own DKIM and DMARC?
 

danielb

There's no point in doing the checks twice. The goal is to have Proxmox Mail Gateway handling all the verifications and filtering, and then pass the good email to a "dumb" SMTP server, which won't filter anything.
 

killmasta93

Very good point. By any chance, do you have a tutorial on configuring Postfix (email server) to use the smarthost (Proxmox) to send mail? I have tried but have not been able to configure it, as the Proxmox logs keep saying user not found.
 

danielb

You need to add something like this in main.cf

Code:
relayhost = [pmg.domain.tld]:26

Port 26 of your Proxmox Mail Gateway should be reachable
 

tom

Proxmox Staff Member
You need to add something like this in main.cf

Code:
relayhost = [pmg.domain.tld]:26

Port 26 of your Proxmox Mail Gateway should be reachable

See GUI.

Configuration/Mail Proxy/Relaying: Smarthost
 

DerDanilo

Hi there. Here's a how-to for adding authenticated SMTP (smtps and submission against AD, or LDAP), DKIM (both verifier for inbound and signer for outbound) and DMARC support to PMG

https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg

(This is a "translation" from what I do using ansible, so, I hope I haven't missed anything, please let me know)

Where can we access the Ansible playbooks you used? Way better than to do everything manually.

Thanks!
 

danielb

Where can we access the Ansible playbooks you used? Way better than to do everything manually.
It's too tightly integrated with tons of other things I set up (IMAP proxying, AD auth etc...) to be usable as is. That's why I don't share them publicly. I'll send you a PM with a link if you're interested.
 

DerDanilo

Hi there. Here's a how-to for adding authenticated SMTP (smtps and submission against AD, or LDAP), DKIM (both verifier for inbound and signer for outbound) and DMARC support to PMG

https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg

(This is a "translation" from what I do using ansible, so, I hope I haven't missed anything, please let me know)

@tom Can Proxmox please integrate DKIM? This is needed very much and actually a bummer on many occasions, so that I cannot recommend PMG to customers who absolutely require DKIM. Customization is not an option for everybody, especially when a consultant sets up the system and a firm doesn't have IT personnel who can take care of the system immediately if something goes wrong.

Thanks!
 

killmasta93

Well, the fix was removing the smarthost, and it started to work, in case anyone else gets the same issue.
 

killmasta93

@danielb
I was trying to configure this using your tutorial but encountered some issues and have a few questions; I was wondering if you could shed some light?


1) For "Enable authenticated ports", I'm guessing it's not necessary, even though I have a Postfix email server and all my users authenticate on 465 SSL, and then Postfix relays to Proxmox on port 25.

2) For this part:
Code:
cat <<_EOF > /etc/opendkim/signingtable
# Add one line per domain you want to sign when email are being sent.
# You can use different keys if needed
# Or just use a wildcard to sign everything with the same key
* default
_EOF
cat <<_EOF > /etc/opendkim/keytable
default domain.tld:default:/etc/opendkim/keys/default/default.private
_EOF
Would I change the * default to mydomain.com, without the asterisk?
And the second part would be like this:
Code:
default mydomain.com:default:/etc/opendkim/keys/default/default.private

3) Once I have the DKIM key, how can I find it to put it on the domain? I tried sending an email and it still shows DKIM fail. On my Postfix I would install
Code:
apt-get install opendkim opendkim-tools
then configure it, and at the end I would need to generate the keys
Code:
opendkim-genkey -t -s mail -d mydomain.com
Then I could cat mail.txt to get the keys to put on the domain.

Thank you
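
Added example (not part of any post in this thread, and not the tutorial's code): a DKIM verifier looks the public key up at `<selector>._domainkey.<domain>`, so the selector in the key table and the one passed to `opendkim-genkey -s` have to agree. The Python below derives that record name from a signing table and key table and compares it with a genkey TXT file; the sample data, the function names and the simplified wildcard matching are assumptions.

```python
import fnmatch
import re

# Constructed sample tables in the formats quoted in the post above.
SIGNINGTABLE = "# pattern keyname\n* default\n"
KEYTABLE = "default mydomain.com:default:/etc/opendkim/keys/default/default.private\n"
# Constructed stand-in for the mail.txt written by `opendkim-genkey -t -s mail`;
# the p= value is a placeholder, not a real key.
GENKEY_TXT = 'mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; t=y; " "p=PLACEHOLDER" )'


def rows(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def expected_record(sender, signingtable, keytable):
    """Return the DNS name a verifier will query for mail signed for `sender`."""
    keys = {}
    for name, spec in rows(keytable):
        domain, selector, _path = spec.split(":", 2)
        keys[name] = (domain, selector)
    for pattern, keyname in rows(signingtable):
        # Assumption: simplified wildcard matching against the full address.
        if fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            if keyname not in keys:
                raise KeyError(f"signing table names unknown key {keyname!r}")
            domain, selector = keys[keyname]
            if domain == "%":  # OpenDKIM: "%" stands for the sender's domain
                domain = sender.rsplit("@", 1)[1]
            return f"{selector}._domainkey.{domain}"
    return None  # nothing matched: the message would go out unsigned


def check_genkey(txt, record, domain):
    """List mismatches between a genkey TXT file and the signer's record name."""
    published = f"{txt.split()[0]}.{domain}"
    body = re.sub(r'["()\s]', "", txt.split("TXT", 1)[1])
    tags = dict(t.split("=", 1) for t in body.split(";") if "=" in t)
    problems = []
    if published != record:
        problems.append(f"DNS record is {published}, signer references {record}")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y is set: verifiers treat the domain as testing DKIM")
    return problems
```

With the constructed data, the tables point at `default._domainkey.mydomain.com` while the genkey file describes `mail._domainkey`, which is the kind of mismatch that shows up as a DKIM failure at the receiver.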
 

danielb

Because we need a DKIM verifier which adds the needed headers so that DMARC can act, and reject the mail if it's the sender's policy. The SpamAssassin DKIM verifier just adjusts the score (and usually, it just adds (or removes when valid) a tiny 0.1 or similar).
 

danielb

Thx for the missing .conf, I've fixed it. Can you elaborate on the permission issue? And for Background false, it's on purpose. The systemd units created are of type simple, so the daemon must not double fork to run in the background.
 

adam.sage

For the permission issues it's just that. In the logs I was seeing: warning: connect to Milter service unix:/var/run/opendkim/signer.sock: Permission denied and the same for the verifier. I'm assuming if I had just set the permissions on the files it would work, but I chose to just follow what was posted in the Stack Exchange article.

For the service file, I was getting errors in syslog about the service timing out. Changing to background mode keeps the timeouts from happening but from what you said may have consequences I did not consider. I'm anything but an expert with this stuff but I would think it would take longer to keep running the service over and over than keeping it open in the background.
 