Disable DMARC policy for outbound scanning

Richpasty

New Member
Aug 9, 2022
I'm just setting up PMG as a scanning server for my small hosting company, and just in the testing phase now.

I've set up one domain as it would be for other clients.

Overview of setup:

For the purposes of making things clearer, I'll use these IP addresses and hostnames:
Code:
domain: test.co.uk
mx = pmg.example.net

external: 10.10.10.10, nat to 192.168.0.25 = pmg.example.net
internal: 192.168.0.102 = nginx
internal: 192.168.0.3 = dovecot

Incoming mail comes into PMG and is routed to the Dovecot server at 192.168.0.3 (virtual domain config in the MySQL database).

Clients access the Dovecot server via an NGINX proxy (192.168.0.102), which does the authentication against the MySQL database; IMAP is routed to the Dovecot server, and SMTP is routed to PMG (using the internal 192.168.0.25 address) on port 26.

Webmail (Roundcube) connects via nginx to Dovecot, and outbound via nginx to PMG.

Initial tests, everything was great.

I then locked the domain down using SPF, DKIM, and DMARC, as the client domains would be.

Code:
test.co.uk            TXT "v=spf1 ip4:10.10.10.10 -all"
_dmarc.test.co.uk    TXT "v=DMARC1 p=reject; rua=mailto:dmarc@example.net; ruf=mailto:dmarc@example.net; pct=100; aspf=s; fo=1;"

Now, when I try to send an email from webmail via PMG, I get an immediate reject with this message:

Code:
Proxmox Notification:

Sender:   rich@test.co.uk
Receiver: rich@external.co.uk
Targets:  rich@external.co.uk

Subject: Test9


Matching Rule: Block outgoing Spam

Rule: Block outgoing Spam
  Receiver: rich@external.co.uk
  Action: block message
  Action: notify __ADMIN__
  Action: notify __SENDER__



Spam detection results:  3
ALL_TRUSTED                -1 Passed through trusted hosts only via SMTP
AWL                    -0.055 Adjusted score from AWL reputation of From: address
BAYES_50                  0.8 Bayes spam probability is 40 to 60%
KAM_DMARC_REJECT            3 DKIM has Failed or SPF has failed on the message and the domain has a DMARC reject policy
KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
KAM_NUMSUBJECT            0.5 Subject ends in numbers excluding current years

When DMARC policy is set to reject, then sending mail is impossible.

I don't think PMG should be checking SPF, DMARC or DKIM for outbound mail (mails which are received on port 26).

I guess I could work around it with split DNS, but that'll be a faff.


I assume as PMG uses 2 different ports for pmg-smtp-filter, there are different checks and actions, depending on which port mail is sent to? How are these configured?
 

poetry

Active Member
May 28, 2020
Can you post the full mail log from the Tracking Center or Administration - Syslog for the blocked message? You should get more detailed information there about why it's failing.

Have you setup DKIM via
Configuration - Mail Proxy - DKIM

Enable DKIM Signing
Selector (select one and publish on dns)
Sign all Outgoing Mail or add only domains you want to DKIM sign

If you want to be DMARC compliant, then you need to make sure all your messages pass the SPF and DKIM checks, unless you specify adkim=r; aspf=r; in your DMARC record; then it will pass even if SPF or DKIM is failing... https://dmarcly.com/tools/dmarc-checker

adkim
Specifies the 'Alignment Mode' for DKIM signatures; this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode, authenticated DKIM signing domains (d=) that share an Organizational Domain with an email's From domain will also pass the DMARC check. In Strict mode an exact match is required.
aspf
Specifies the 'Alignment Mode' for SPF; this can be either 'r' (Relaxed) or 's' (Strict). In Relaxed mode, authenticated SPF domains that share an Organizational Domain with an email's From domain will also pass the DMARC check. In Strict mode an exact match is required.

This might be a stupid and not recommended workaround, but what about adding the host you are using to send email to the whitelist?
You can test adding the whitelist at
Mail Filter - Who Objects - Whitelist - Add IP Address
Configuration - Mail Proxy - Whitelist - Add IP Address - Sender

Restart the Postfix service (Administration - Services - Postfix - Restart) after adding these exceptions and test.

You will still need to figure out the DKIM and SPF passes to deliver email properly to other mail servers from different providers. You can use https://mxtoolbox.com/deliverability (unlimited tests) or https://www.mail-tester.com/ (limited number of tests per day) to check if everything is working properly and you are passing the SPF and DKIM checks. This https://mxtoolbox.com/diagnostic.aspx is also useful for an additional check.
 
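To make the alignment rules in this reply concrete, here is an added Python example (not PMG code and not from anyone in the thread) that evaluates DMARC for the thread's test.co.uk setup. The SPF record, the aspf/adkim tags, the internal proxy address 192.168.0.102 and the public egress 10.10.10.10 come from the thread; the tiny public-suffix list is a constructed stand-in for the real Public Suffix List. It shows that the hop from 192.168.0.102, before DKIM signing, fails both checks under a p=reject policy (the condition the KAM_DMARC_REJECT description names), while the same mail seen by a remote receiver from 10.10.10.10 with an aligned DKIM signature passes.

```python
import ipaddress

SPF_RECORD = "v=spf1 ip4:10.10.10.10 -all"            # the thread's record for test.co.uk
DMARC_STRICT = "v=DMARC1; p=reject; aspf=s; adkim=s"  # strict alignment, the poster's target setup
PUBLIC_SUFFIXES = ("co.uk", "net")  # constructed stand-in for the real Public Suffix List

def parse_tags(record):
    """Parse 'k=v; k=v' DMARC tags into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_check(record, client_ip):
    """Evaluate only ip4:/all mechanisms, which is all the thread's record uses."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):
            return "fail" if term.startswith("-") else "softfail"
    return "neutral"

def org_domain(domain):
    """Organizational domain: one label above the longest matching public suffix."""
    labels = domain.lower().split(".")
    for n in range(1, len(labels)):
        if ".".join(labels[n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[n - 1:])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) accepts the same org domain."""
    return auth_domain.lower() == from_domain.lower() if mode == "s" else org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(from_domain, mail_from_domain, client_ip, dkim_domain, dmarc_record, spf_record=SPF_RECORD):
    """Return (result, policy, detail); dkim_domain is the d= of a verified signature, None if unsigned."""
    tags = parse_tags(dmarc_record)
    spf_ok = spf_check(spf_record, client_ip) == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    return result, tags.get("p", "none"), {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok}

if __name__ == "__main__":
    # Hop 1: mail reaches PMG from the nginx proxy, before DKIM signing: both checks fail, policy is reject.
    print(dmarc_evaluate("test.co.uk", "test.co.uk", "192.168.0.102", None, DMARC_STRICT))
    # Hop 2: the same mail as a remote receiver sees it, from 10.10.10.10 and DKIM-signed: pass.
    print(dmarc_evaluate("test.co.uk", "test.co.uk", "10.10.10.10", "test.co.uk", DMARC_STRICT))
```

Swapping adkim=s for adkim=r in the record lets a signature with d=mail.test.co.uk align with a From of test.co.uk, which is the relaxed behaviour described above.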

Richpasty

New Member
Aug 9, 2022
Can you post the full mail log from the Tracking Center or Administration - Syslog for the blocked message? You should get more detailed information there about why it's failing.

Code:
Nov 25 17:04:10 pmg postfix/smtpd[42777]: connect from unknown[192.168.0.102]
Nov 25 17:04:10 pmg postfix/smtpd[42777]: 92F40202C2: client=unknown[192.168.0.102]
Nov 25 17:04:10 pmg postfix/cleanup[42780]: 92F40202C2: message-id=<0adf5e99450c409328e96b472d7bd1f1@test.co.uk>
Nov 25 17:04:10 pmg postfix/qmgr[41626]: 92F40202C2: from=<rich@test.co.uk>, size=417, nrcpt=1 (queue active)
Nov 25 17:04:10 pmg postfix/smtpd[42777]: disconnect from unknown[192.168.0.102] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Nov 25 17:04:10 pmg pmg-smtp-filter[40651]: 210216380F58AB08C4: new mail message-id=<0adf5e99450c409328e96b472d7bd1f1@test.co.uk>#012
Nov 25 17:04:11 pmg pmg-smtp-filter[40651]: 210216380F58AB08C4: SA score=3/5 time=0.313 bayes=0.48 autolearn=no autolearn_force=no hits=ALL_TRUSTED(-1),AWL(-0.250),BAYES_50(0.8),KAM_DMARC_REJECT(3),KAM_DMARC_STATUS(0.01),KAM_NUMSUBJECT(0.5),TVD_SPACE_RATIO(0.001)
Nov 25 17:04:11 pmg pmg-smtp-filter[40651]: 210216380F58AB08C4: notify <rich@external.co.uk> (rule: Block outgoing Spam, 1224321073)
Nov 25 17:04:11 pmg pmg-smtp-filter[40651]: 210216380F58AB08C4: notify <rich@test.co.uk> (rule: Block outgoing Spam, 1EBFF21075)
Nov 25 17:04:11 pmg pmg-smtp-filter[40651]: 210216380F58AB08C4: block mail to <rich@external.co.uk> (rule: Block outgoing Spam)
Nov 25 17:04:11 pmg pmg-smtp-filter[40651]: 210216380F58AB08C4: processing time: 0.45 seconds (0.313, 0.018, 0)
Nov 25 17:04:11 pmg postfix/lmtp[42781]: 92F40202C2: to=<rich@external.co.uk>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.58, delays=0.07/0.01/0.05/0.45, dsn=2.7.0, status=sent (250 2.7.0 BLOCKED (210216380F58AB08C4))
Nov 25 17:04:11 pmg postfix/qmgr[41626]: 92F40202C2: removed

Have you setup DKIM via
Configuration - Mail Proxy - DKIM

Enable DKIM Signing
Selector (select one and publish on dns)
Sign all Outgoing Mail or add only domains you want to DKIM sign

Yes, that's all setup.

But emails received internally on port 26 are to be relayed outbound, so will not pass SPF or be DKIM signed, so will fail DMARC.

DKIM signing is part of PMG's actions, SPF will match the external address once it leaves PMG.

If you want to be DMARC compliant then you need to make sure all your messages pass SPF and DKIM check unless you specify in your DMARC record adkim=r; aspf=r; then it will pass even if SPF or DKIM is failing... https://dmarcly.com/tools/dmarc-checker

adkim

aspf

Yeah, eventually everything should be strict, and DMARC policy will be reject.

This might be a stupid and not recommended workaround but what about adding your host you are using to send email to whitelist?
You can test adding the whitelist to
Mail Filter - Who Objects - Whitelist - Add IP Address
Configuration - Mail Proxy - Whitelist - Add IP Address - Sender

But won't that bypass the spam filter for outbound mail if I add that IP to the whitelist?
 

Richpasty

New Member
Aug 9, 2022
Just checked, and Whitelist only applies to incoming mail, not outgoing mail.


I've disabled outbound spam filter for now.
 
