[TUTORIAL] Authenticated SMTP, DKIM and DMARC

Really great guide. Would this apply to outbound too, even if Postfix (the email server behind Proxmox) has its own DKIM and DMARC?
 
There's no point in doing the checks twice. The goal is to have Proxmox Mail Gateway handling all the verifications and filtering, and then pass the good email to a "dumb" SMTP server, which won't filter anything.
 
Very good point. By any chance, do you have a tutorial on configuring Postfix (the email server) to use the smarthost (Proxmox) to send mail? I have tried but have not been able to configure it, as the Proxmox logs keep saying user not found.
 
You need to add something like this in main.cf

Code:
relayhost = [pmg.domain.tld]:26

Port 26 of your Proxmox Mail Gateway should be reachable.

See GUI.

Configuration/Mail Proxy/Relaying: Smarthost
 
Hi there. Here's a how-to for adding authenticated SMTP (smtps and submission against AD, or LDAP), DKIM (both verifier for inbound and signer for outbound) and DMARC support to PMG

https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg

(This is a "translation" from what I do using ansible, so, I hope I haven't missed anything, please let me know)

Where can we access the Ansible playbooks you used? Way better than to do everything manually.

Thanks!
 
Hi there. Here's a how-to for adding authenticated SMTP (smtps and submission against AD, or LDAP), DKIM (both verifier for inbound and signer for outbound) and DMARC support to PMG

https://wiki.fws.fr/tuto/linux_divers/dkim_dmarc_onpmg

(This is a "translation" from what I do using ansible, so, I hope I haven't missed anything, please let me know)

@tom Can Proxmox please integrate DKIM? This is needed very much and is actually a bummer on many occasions, so that I cannot recommend PMG to customers who absolutely require DKIM. Customization is not an option for everybody, especially when a consultant sets up the system and a firm doesn't have IT personnel who can take care of the system immediately if something goes wrong.

Thanks!
 
Well, the fix was removing the smarthost and it started to work, in case anyone else gets the same issue.
 
@danielb
I was trying to configure using your tutorial but encountered some issues and have a few questions; I was wondering if you could shed some light?


1) For "Enable authenticated ports" I'm guessing it's not necessary, even though I have a Postfix email server and all my users authenticate with 465 SSL, then Postfix relays to Proxmox on port 25.

2) For this part
Code:
cat <<_EOF > /etc/opendkim/signingtable
# Add one line per domain you want to sign when email are being sent.
# You can use different keys if needed
# Or just use a wildcard to sign everything with the same key
* default
_EOF
cat <<_EOF > /etc/opendkim/keytable
default domain.tld:default:/etc/opendkim/keys/default/default.private
_EOF
The "* default" line I would change to mydomain.com without the asterisk?
And for the second part it would be like this
Code:
default mydomain.com:default:/etc/opendkim/keys/default/default.private

3) Once I have the DKIM key, how can I find it to put it on the domain? I tried sending an email and it still says DKIM fail. On my Postfix I would install
Code:
apt-get install opendkim opendkim-tools
then configure it, and at the end I would need to generate the keys
Code:
opendkim-genkey -t -s mail -d mydomain.com
then I could cat mail.txt to get the key to put it on the domain.

Thank you
 
@danielb Why did you implement a DKIM verifier? Isn't verification already done by the SpamAssassin DKIM plugin?
 
Because we need a DKIM verifier which adds the needed headers so that DMARC can act and reject the mail if that's the sender's policy. The SpamAssassin DKIM verifier just adjusts the score (and usually it just adds, or removes when valid, a tiny 0.1 or similar).
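As an added illustration of the point above (example code written for this post, not part of the thread, the wiki tutorial or PMG): a small DMARC evaluator that reads the Authentication-Results headers a verifier milter adds and checks whether a passing DKIM or SPF result is aligned with the From: domain. The hostnames, domains, headers and DMARC record are constructed, and the organizational-domain logic is simplified (no Public Suffix List lookup).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC record for the sender domain (what a DNS lookup would return).
DMARC_RECORDS = {"example.org": "v=DMARC1; p=reject; adkim=s; aspf=r"}

# Constructed inbound message, as it looks after a DKIM verifier milter has run.
SAMPLE_MSG = """Authentication-Results: pmg.example.net; dkim=pass header.d=example.org
Authentication-Results: pmg.example.net; spf=fail smtp.mailfrom=bulk.example.org
From: Alice <alice@example.org>
Subject: test

hello
"""

def org_domain(domain):
    # Simplified organizational domain: keep the last two labels (assumption, no PSL).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain).
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_auth_results(msg):
    # Collect (method, result, domain) from every Authentication-Results header.
    pattern = r"\b(dkim|spf)=(\w+)\b.*?\b(?:header\.d|smtp\.mailfrom)=([\w.-]+)"
    found = []
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(pattern, hdr)
        if m:
            found.append(m.groups())
    return found

def dmarc_evaluate(raw, records=DMARC_RECORDS):
    # Returns ("pass", None) if any aligned method passed, else ("fail", policy).
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if not record:
        return ("none", None)  # no DMARC record published: nothing to enforce
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    for method, result, domain in parse_auth_results(msg):
        mode = tags.get("adkim" if method == "dkim" else "aspf", "r")
        if result == "pass" and aligned(domain, from_domain, mode):
            return ("pass", None)
    return ("fail", tags.get("p", "none"))
```

Without the dkim=pass header from a verifier, the same message falls through to the p=reject policy, which is why a score-only check in SpamAssassin is not enough for DMARC enforcement.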
 
Thanks for the missing .conf, I've fixed it. Can you elaborate on the permission issue? And for Background false, it's on purpose. The systemd units created are of type simple, so the daemon must not double fork to run in the background.
 
For the permission issues, it's just that. In the logs I was seeing: warning: connect to Milter service unix:/var/run/opendkim/signer.sock: Permission denied, and the same for the verifier. I'm assuming if I had just set the permissions on the files it would work, but I chose to just follow what was posted in the Stack Exchange article.

For the service file, I was getting errors in syslog about the service timing out. Changing to background mode keeps the timeouts from happening, but from what you said it may have consequences I did not consider. I'm anything but an expert with this stuff, but I would think it would take longer to keep running the service over and over than to keep it open in the background.
 