Disabling SPF and DKIM checking for all mail servers connecting to internal SMTP port

dkurel

Aug 7, 2016
Is it possible to totally disable SPF and DKIM checking for all mail servers connecting to the internal SMTP port? My PMG is set up as a gateway for the whole network, and the internal port is accessible only from a very limited number of internal addresses. PMG is the only way in and out for E-mails for the whole network. However, I do not have direct admin access to some of the E-mail servers within the network, so I can't implement DKIM signing. I also don't want to fully disable DKIM checking on mails coming from external ports. Also, for very specific reasons - we have only one set of DNS servers, so all domains are DKIM enabled and with SPF record by default. Thanks in advance.
 
The SPF-checking on smtp-proxy level (GUI->Configuration->Mail Proxy->Options->Use SPF) is not active for mails received on the internal port.

As for the checks done by SpamAssassin - these are not customizable on a per direction/port basis (however SpamAssassin does not give too many points to SPF and DKIM failures in its default configuration - and AFAIK it does not assign any negative score to mails having no DKIM signature).

so I can't implement DKIM signing.
You can let PMG do the DKIM signing?

Also, for very specific reasons - we have only one set of DNS servers, so all domains are DKIM enabled and with SPF record by default.
Maybe you could configure the DNS servers to provide a different view to the internal systems.
Else you could configure a DNS server on PMG itself - see e.g.:
https://pmg.proxmox.com/wiki/index....edicated_DNS_Resolver_on_Proxmox_Mail_Gateway

I hope this helps!
 
I have already let PMG do the signing and that works like a charm. However, I need PMG to be the ONLY thing that does the DKIM signing. Internal mail servers shouldn't do that.

I was hoping for a simple solution here, as the whole goal was to simplify things, not to make them more complicated. So, unfortunately, in my case, this answer doesn't help too much.
By your answer I would guess that it isn't possible, then?

Thanks again.
 
By your answer I would guess that it isn't possible, then?
You could disable spamchecking on outgoing mail (just make sure no rule with direction out (or in and out) has a Spam What Object) - but that's probably not what you want...

Else this is not possible.
 