Bounce + DKIM

Mar 21, 2019
Hi,
We are currently signing outgoing messages for specific domains with DKIM.
The problem is that none of the bounce messages are signed with DKIM.
It is flooding our DMARC reports with the PMG hostname as a subdomain.

Can we sign bounce messages with DKIM in any way?

Or is the only option to create a custom DMARC policy for the specific subdomain (the hostname of PMG)?

Stoiko Ivanov

Proxmox Staff Member
Can we sign bounce messages with DKIM in any way?
Not that I'm aware of - mail-processing (including DKIM signing) happens for mails arriving on ports 25 and 26 (or the ones you've configured for internal and external respectively).

The problem is that all bounce messages are not signed with DKIM.
It is flooding our DMARC reports with PMG hostname as subdomain.
Depending on the number of bounces generated by PMG - I would check why it is rejecting so many mails?

I hope this helps!

Alexey

Hi Stoiko,

It seems that we are having the same issue. Just recently we re-routed traffic through PMG and activated DKIM/DMARC.
Our setup:
[Exchange 2013] <-> [PMG 6.3-5] <-> [internet]
PMG is configured to "Sign all Outgoing Mail"

The issue - NDRs and Out-of-Office notifications from Exchange to the Internet are not signed with DKIM (so DMARC is failing and we are also getting extra reports).
In the logs the following error is recorded:
pmg-smtp-filter[4560]: Could not create DKIM-Signature - disabling Signing: no domain in sender e-mail

I can assume that the error is related to the "Return-Path" header, which is set to "<>" by our Exchange servers.

Stoiko Ivanov

Proxmox Staff Member
The issue - NDRs and Out-of-Office notifications from Exchange to Internet are not signed with DKIM (so DMARC is failing and we also getting extra reports).
Currently PMG DKIM-signs mails based on their envelope-from only - and this is empty for a bounce message (and needs to be, else you'll likely get mail loops)...

The problem is which domain should be used for signing the bounce-message - see https://serverfault.com/questions/8...mpliant-mdns-with-a-null-mailfrom-can-it-work for a quick discussion on the topic...

What do the reports about the failing NDRs say where the problem is?

Also consider setting an envelope-from for the out-of-office mails.

Alexey

Probably the issue from serverfault will follow if our NDRs are signed with DKIM.
In our case NDRs and OOFs have a "From" header with the email of postmaster or a user.

Reports are just about failed DMARC with the related email attached:
This is an email abuse report for an email message received from IP xxxxx on Fri, 01 Jan 2021 04:45:24 +0000.
The message below did not meet the sending domain's dmarc policy.
The message below could have been accepted or rejected depending on policy.
For more information about this format please see http://tools.ietf.org/html/rfc6591 .

Stoiko Ivanov

Proxmox Staff Member
Thanks for the report mail - sadly without the IP and domain it's impossible to see what the dmarc policy is ...

in any case - see https://bugzilla.proxmox.com/show_bug.cgi?id=2971 - we might at some point support adding a signature where the domain is taken from the header-from ... - however that would still not help with a strict alignment of SPF (which in case of an empty from would be taken from the HELO name) and DKIM (which would be from the from-header domain)

Alexey

It will help in our case.
I did a small test - modified /usr/share/perl5/PMG/RuleDB/Accept.pm in the following way:

Diff:
97c97
<
---
>     my $senderNew =  $msginfo->{sender};
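Review bot: `$senderNew` introduces camelCase into code whose surrounding identifiers are lower_case (`$msginfo`, `sign_all`); `$sender_new`, or `$sign_as` since it is only ever used for signing, would match the file. The declaration also replaces the blank line at 97 with no comment on why the envelope sender is copied instead of used directly; one line noting that bounces arrive with an empty `$msginfo->{sender}` would save the next reader a trip through this thread.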
103a104,106
>             if ($senderNew eq "") {
>                 $senderNew = "postmaster\@example.com";
>             }
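Review bot: The fallback address is a hard-coded literal, so every bounce is signed with d=example.com regardless of which hosted domain its From header names; DMARC then passes only for messages whose From domain aligns with example.com, and on a gateway relaying several domains the rest still fail. Take the domain from the RFC 5322 From header (the direction bugzilla 2971 discusses) or from a configured relay domain rather than a literal. Also, `$senderNew eq ""` assumes the sender is a defined string; `!defined($senderNew) || $senderNew eq ''` (or `!length($senderNew)`) avoids an "uninitialized value" warning when the sender is undef.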
106c109
<                   $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
---
>                   $dkim->{selector}, $senderNew, $dkim->{sign_all});
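Review bot: Only the DKIM call switches to `$senderNew`, so the null envelope sender is still what the message is delivered with and the loop-avoidance Stoiko mentioned is preserved; that scope is right, but worth a comment at the call site so nobody later "fixes" the remaining `$msginfo->{sender}` uses to match. Note too that with `sign_all` unset the substitute address is presumably what gets matched against the configured signing domains, so the fallback domain has to be in that list or the bounce still goes out unsigned.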

As a result the NDR got signed, and the DKIM and DMARC checks passed (at least when tested against Google).
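The alignment rules Stoiko describes (SPF falls back to the HELO name when MAIL FROM is empty, DKIM follows the d= domain) and the effect of the hard-coded fallback in Alexey's patch, as an added Python example. This is not code from the thread or from PMG: the gateway name pmg.example.com, the domains example.com and hosted.example, the addresses, and the three signing strategies are constructed for illustration, and the organizational-domain lookup is a simplification (last two labels, no Public Suffix List).

```python
"""
Added example, not code from this thread or from PMG: how DMARC evaluates a
bounce that carries an empty envelope sender (<>), and what the three ways of
picking the DKIM signing domain discussed in the thread do to the result.
All hosts, domains and addresses are constructed.
"""
from email.utils import parseaddr


def domain_of(address: str) -> str:
    """Domain part of an RFC 5322 address, lowercased; "" for <> or no address."""
    if address.strip() in ("", "<>"):
        return ""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def organizational_domain(domain: str) -> str:
    """Approximation of the DMARC organizational domain (RFC 7489 §3.2).
    Assumption: the registrable domain is the last two labels (no PSL lookup)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not identifier_domain or not from_domain:
        return False
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return organizational_domain(identifier_domain) == organizational_domain(from_domain)


def spf_checked_domain(mail_from: str, helo: str) -> str:
    """Domain SPF is evaluated for. With an empty MAIL FROM, RFC 7208 §2.4 checks
    postmaster@<HELO>, so DMARC sees the HELO name as the SPF identity."""
    return domain_of(mail_from) or helo.lower()


def dmarc_result(header_from, mail_from, helo, dkim_d, *,
                 spf_pass=True, dkim_pass=True, aspf="r", adkim="r"):
    """RFC 7489 §4.1: DMARC passes if either SPF or DKIM authenticated AND its
    identifier aligns with the RFC 5322 From domain. spf_pass/dkim_pass are the
    raw protocol results; dkim_d is the d= of the verified signature (None if unsigned)."""
    from_dom = domain_of(header_from)
    spf_ok = spf_pass and aligned(spf_checked_domain(mail_from, helo), from_dom, aspf)
    dkim_ok = dkim_pass and dkim_d is not None and aligned(dkim_d, from_dom, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


def signing_domain(mail_from, header_from, strategy, fixed_fallback=None):
    """Model (an assumption about the thread's proposals, not PMG's code) of
    three ways to pick the DKIM d= domain:
      'envelope'    envelope-sender domain only; None (no signature) for <>
      'fixed'       envelope domain, else the domain of a hard-coded address
      'header-from' envelope domain, else the RFC 5322 From domain
    """
    dom = domain_of(mail_from)
    if dom:
        return dom
    if strategy == "fixed" and fixed_fallback:
        return domain_of(fixed_fallback) or None
    if strategy == "header-from":
        return domain_of(header_from) or None
    return None


def bounce_scenarios():
    """Constructed NDRs relayed by a gateway whose HELO is pmg.example.com, with
    the <> envelope sender Exchange puts on NDRs and out-of-office replies.
    SPF is assumed to pass for the HELO name; a DKIM signature, when present, verifies."""
    helo, mail_from = "pmg.example.com", "<>"
    cases = [
        # name, header From, signing strategy, fixed fallback address, alignment mode
        ("unsigned, strict", "postmaster@example.com", "envelope", None, "s"),
        ("unsigned, relaxed", "postmaster@example.com", "envelope", None, "r"),
        ("fixed fallback, same domain, strict", "postmaster@example.com", "fixed", "postmaster@example.com", "s"),
        ("fixed fallback, other hosted domain, strict", "user@hosted.example", "fixed", "postmaster@example.com", "s"),
        ("header-from fallback, other hosted domain, strict", "user@hosted.example", "header-from", None, "s"),
    ]
    results = {}
    for name, header_from, strategy, fallback, mode in cases:
        d = signing_domain(mail_from, header_from, strategy, fallback)
        results[name] = dmarc_result(header_from, mail_from, helo, d, aspf=mode, adkim=mode)
    return results


if __name__ == "__main__":
    for name, r in bounce_scenarios().items():
        print(f"{name:52} spf_aligned={r['spf_aligned']!s:5} "
              f"dkim_aligned={r['dkim_aligned']!s:5} -> {r['dmarc']}")
```

Two things the table makes visible: with strict alignment an unsigned bounce can never pass, because the only SPF identity available is the gateway's HELO name, while under relaxed alignment a hostname that is a subdomain of the From domain (and publishes an SPF record) does align; and signing every bounce with one fixed domain, as the patch does, only helps for bounces whose From header is in that domain, whereas taking d= from the header From passes DKIM for any hosted domain even though SPF alignment still fails.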
