Autoreply from exchange not signed DKIM by proxmox outbound gateway

[poetry]

We send test email from gmail.com to one of the exchange mailboxes that has autoresponder set. Autoresponder emails should be signed by DKIM but they are not.

We get back autoresponder email that is not signed by DKIM. If we try to send email from our domain to gmail our email is DKIM signed fine by our proxmox outbound gateway.

Our domain records from signing are properly configured on dns records and on proxmox server but it looks like the auto responder messages are send from localhost.localdomain[127.0.0.1] domain and are not not signed by DKIM.





Header from proxmox outbound server:

Aug 11 14:48:18 SMTP1OUT postfix/smtpd[32740]: connect from unknown[192.168.1.10]
Aug 11 14:48:18 SMTP1OUT postfix/smtpd[32740]: Anonymous TLS connection established from unknown[192.168.1.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Aug 11 14:48:18 SMTP1OUT postfix/smtpd[32740]: 079A6181E7B: client=unknown[192.168.1.10]
Aug 11 14:48:18 SMTP1OUT postfix/cleanup[32742]: 079A6181E7B: message-id=<14216954b9514c2698a6b7ec3952721a@EX2019.test.domain>
Aug 11 14:48:18 SMTP1OUT postfix/qmgr[32532]: 079A6181E7B: from=<>, size=5458, nrcpt=1 (queue active)
Aug 11 14:48:18 SMTP1OUT postfix/smtpd[32740]: disconnect from unknown[192.168.1.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 11 14:48:18 SMTP1OUT pmg-smtp-filter[32228]: 181E846113C712097E0: new mail message-id=<14216954b9514c2698a6b7ec3952721a@EX2019.test.domain>#012
Aug 11 14:48:18 SMTP1OUT postfix/smtpd[32758]: connect from localhost.localdomain[127.0.0.1]
Aug 11 14:48:18 SMTP1OUT postfix/smtpd[32758]: 0C785181EF0: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.1.10]
Aug 11 14:48:18 SMTP1OUT postfix/cleanup[32581]: 0C785181EF0: message-id=<14216954b9514c2698a6b7ec3952721a@EX2019.test.domain>
Aug 11 14:48:18 SMTP1OUT postfix/qmgr[32532]: 0C785181EF0: from=<>, size=4405, nrcpt=1 (queue active)
Aug 11 14:48:18 SMTP1OUT postfix/smtpd[32758]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 11 14:48:18 SMTP1OUT pmg-smtp-filter[32228]: 181E846113C712097E0: accept mail to <testsender@gmail.com> (0C785181EF0) (rule: default-accept)
Aug 11 14:48:18 SMTP1OUT pmg-smtp-filter[32228]: 181E846113C712097E0: processing time: 0.066 seconds (0, 0, 0)
Aug 11 14:48:18 SMTP1OUT postfix/lmtp[32582]: 079A6181E7B: to=<testsender@gmail.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.08, delays=0.01/0/0/0.07, dsn=2.5.0, status=sent (250 2.5.0 OK (181E846113C712097E0))
Aug 11 14:48:18 SMTP1OUT postfix/qmgr[32532]: 079A6181E7B: removed
Aug 11 14:48:18 SMTP1OUT postfix/smtp[32765]: 0C785181EF0: to=<testsender@gmail.com>, relay=gmail-smtp-in.l.google.com[142.251.5.26]:25, delay=0.55, delays=0.06/0/0.2/0.29, dsn=2.0.0, status=sent (250 2.0.0 OK 1628686098 19si5642369wmk.157 - gsmtp)
Aug 11 14:48:18 SMTP1OUT postfix/qmgr[32532]: 0C785181EF0: removed

Header from gmail:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of postmaster@outboundserver.example.com designates 1.2.3.4 as permitted sender) smtp.helo=outboundserver.example.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <>
Received: from outboundserver.example.com (outboundserver.example.com. [1.2.3.4])
        by mx.google.com with ESMTPS id 19si5642369wmk.157.2021.08.11.05.48.18
        for <testsender@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 11 Aug 2021 05:48:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@outboundserver.example.com designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of postmaster@outboundserver.example.com designates 1.2.3.4 as permitted sender) smtp.helo=outboundserver.example.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
Received: from SMTP1OUT.example.com (localhost.localdomain [127.0.0.1]) by outboundserver.example.com (Mail) with ESMTP id 0C785181EF0 for <testsender@gmail.com>; Wed, 11 Aug 2021 14:48:18 +0200 (CEST)
From: "Test Receiver" <testreceiver@example.com>
To: "testsender@gmail.com" <testsender@gmail.com>

 

[Stoiko Ivanov]

14:48:18 SMTP1OUT postfix/qmgr[32532]: 0C785181EF0: from=<>, size=4405, nrcpt=1 (queue active)

The issue is that Exchange sends the Autoresponder with an empty envelop address (which is sensible) - and since PMG signs mails based on the envelop address the mail is not signed - see https://bugzilla.proxmox.com/show_bug.cgi?id=2971 for a bit more details (and if you like subscribe to that issue then you'll get notified once there is some progess on it)

I hope this explains it!

 

[poetry]

@Stoiko Ivanov Thank you very much. This makes sense.

I did notice this problem a while ago when testing autoreponse when you send an email to address that does not exist and then you get response back about User unknown.

I was thinking that there was something wrong with our configuration but I am glad that is not the case.

I hope an option just in the configuration to change the behavior for the whole proxmox server is implemented soon. Customers are pushing on us why is this not working and we have no solution.

I have set the DMARC policy to relaxed for both DKIM and SPF signing but DMARC is still failing. Strange. I guess we can try to modify the behavior of exchange but that seems excessive...

The case about response when user is unknown from other mail system that we use.

From proxmox:

Aug 12 15:47:04 SMTP1OUT postfix/smtpd[804]: connect from unknown[192.168.1.10]
Aug 12 15:47:04 SMTP1OUT postfix/smtpd[804]: Anonymous TLS connection established from unknown[192.168.1.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Aug 12 15:47:04 SMTP1OUT postfix/smtpd[804]: DB5BA181F2D: client=unknown[192.168.1.10]
Aug 12 15:47:04 SMTP1OUT postfix/cleanup[782]: DB5BA181F2D: message-id=<MDAEMON0312202108121547.AA4704184@subdomain.example.com>
Aug 12 15:47:04 SMTP1OUT postfix/smtpd[804]: disconnect from unknown[192.168.1.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 12 15:47:04 SMTP1OUT postfix/qmgr[32532]: DB5BA181F2D: from=<>, size=6091, nrcpt=1 (queue active)
Aug 12 15:47:04 SMTP1OUT pmg-smtp-filter[783]: 181F5D61152658DCC1D: new mail message-id=<MDAEMON0312202108121547.AA4704184@subdomain.example.com>#012
Aug 12 15:47:04 SMTP1OUT postfix/smtpd[694]: connect from localhost.localdomain[127.0.0.1]
Aug 12 15:47:04 SMTP1OUT postfix/smtpd[694]: DF384181F6E: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.1.10]
Aug 12 15:47:04 SMTP1OUT postfix/cleanup[800]: DF384181F6E: message-id=<MDAEMON0312202108121547.AA4704184@subdomain.example.com>
Aug 12 15:47:04 SMTP1OUT postfix/qmgr[32532]: DF384181F6E: from=<>, size=5738, nrcpt=1 (queue active)
Aug 12 15:47:04 SMTP1OUT postfix/smtpd[694]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Aug 12 15:47:04 SMTP1OUT pmg-smtp-filter[783]: 181F5D61152658DCC1D: accept mail to <receiver@gmail.com> (DF384181F6E) (rule: default-accept)
Aug 12 15:47:04 SMTP1OUT pmg-smtp-filter[783]: 181F5D61152658DCC1D: processing time: 0.059 seconds (0, 0, 0)
Aug 12 15:47:04 SMTP1OUT postfix/lmtp[794]: DB5BA181F2D: to=<receiver@gmail.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.07, delays=0/0/0/0.06, dsn=2.5.0, status=sent (250 2.5.0 OK (181F5D61152658DCC1D))
Aug 12 15:47:04 SMTP1OUT postfix/qmgr[32532]: DB5BA181F2D: removed
Aug 12 15:47:05 SMTP1OUT postfix/smtp[772]: DF384181F6E: to=<receiver@gmail.com>, relay=gmail-smtp-in.l.google.com[142.251.5.26]:25, delay=0.71, delays=0.05/0/0.27/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1628776025 h11si2679997wrb.240 - gsmtp)
Aug 12 15:47:05 SMTP1OUT postfix/qmgr[32532]: DF384181F6E: removed

From Gmail header

Delivered-To: receiver@gmail.com
Received: by 2002:a50:7f07:0:0:0:0:0 with SMTP id z7csp651474ect;
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of postmaster@subdomain.example.com designates 1.2.3.4 as permitted sender) smtp.helo=subdomain.example.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
Return-Path: <>
Received: from subdomain.example.com (subdomain.example.com. [1.2.3.4])
        by mx.google.com with ESMTPS id h11si2679997wrb.240.2021.08.12.06.47.05
        for <receiver@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 12 Aug 2021 06:47:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of postmaster@subdomain.example.com designates 1.2.3.4 as permitted sender) client-ip=1.2.3.4;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of postmaster@subdomain.example.com designates 1.2.3.4 as permitted sender) smtp.helo=subdomain.example.com;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example.com
Received: from SMTP1OUT.example.com (localhost.localdomain [127.0.0.1]) by subdomain.example.com (Mail) with ESMTP id DF384181F6E for <receiver@gmail.com>; Thu, 12 Aug 2021 15:47:04 +0200 (CEST)
Date: Thu, 12 Aug 2021 15:47:04 +0200
Reply-To: noreply@server.example.com
From: "MDaemon at server.example.com" <noreply@server.example.com>
Subject: Warning: test.receiver123@example.net - User unknown
To: receiver@gmail.com
X-MDaemon-Deliver-To: receiver@gmail.com
Message-ID: <MDAEMON0312202108121547.AA4704184@server.example.com>
Mime-Version: 1.0
X-Actual-From: noreply@server.example.com
X-Return-Path: <>
Content-Type: multipart/mixed; boundary="0812-1547-04-PART-BREAK"
X-MDCFSigsAdded: server.example.com

 

[PVerberne]

Hi,

It's been a while since the last post. Can someone tell me the current status regarding this issue? Not much to see on: https://bugzilla.proxmox.com/show_bug.cgi?id=2971 either.

Best regards.