DKIM doesn't sign mails properly

jetmail

New Member
Aug 27, 2020
Out-of-the-box PMG generates a DKIM key, the public part looks good (checked by several services), but outgoing mails are not signed properly - DKIM-Result: fail (bad signature)

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=somedomain.tld;
h=cc:from:reply-to:subject:subject:to; s=mgw; bh=ln0DNkj3AbJCDV
RKLELuj2WhxuHA++rvY3c36umBl3U=; b=UF8kcSZdR9svfdPgDb1KpIUzBknSnh
UYIN5LAbeOJs3FQiDoJxbz+2F7iebdug2c24PBUKoGWsoOe71QEIWAFqnq43ClR9
2TKmPobWrk3LDT5kmy+XjAEBTT3kpmMRbNl7yEPiNqt77jwPn9819r3h4EcrXiY9
b8Lj505W8BZMtmgRHv+vGg0VuCZiDzLTZt7pZY0V3gTvCx2Ft5pGJw4ZtjzZNoKK
qknF0Zw4tjFd2cUpv2Lck0hslPSuRzvCuHNEsVlwQwoGzkDrAeF53VguxtVg3C7F
4C9IkFwXav4fMogCF7WT7kf88mSYY+Cs/n/uGlNYj7u54qYVX++J9v/w==
Signed-by: no-reply@somedomain.tld
Expected-Body-Hash: ln0DNkj3AbJCDVRKLELuj2WhxuHA++rvY3c36umBl3U=
Public-Key: v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33mgVy/85cOqM7Wl1vawEb2pbzSq4o4uVO8sR+ltQf/EkNR2y4ivm27+HEy8v1PgmBl+e3cFGLQYI91MPxRjAVW/ML6eSpASswKQNog4oyeIfNR+y+2LxLTwwpOIooZs74oyYl9fcs7X7xSonLD+84HJhNi1c9w1/iq9wTBbtKVy457NPD0B2Sr82FhaJMpoTD8KadePxiEsXppI5V4tKkiqoYaVH15A4fssMjy3iLhBvYIixvac3ipqysN/NTvJkByd2YphABJ3WUNN2fcrj3QBfx7WfTWjXdKI9FXemPDA2j2O4CIUsZCEFJz2+E13hC4Ay6ARvgwh8ifl57r8BwIDAQAB;

DKIM-Result: fail (bad signature)
 
How is PMG integrated in your network - maybe some device/mailserver changes the mail after PMG has signed it?

I just tested DKIM signing with PMG - it does work and the signature gets verified by other software (rspamd in this case)

I hope this helps!
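Stoiko's first question, whether something modifies the mail after PMG signs it, can be answered for the body without any key material: recompute the bh= body hash from the message as received and compare it with the bh= in the DKIM-Signature header. The following Python is an added example, not code from the thread or from PMG. It implements the simple and relaxed body canonicalizations of RFC 6376 and checks the bh= of the header from the first post against the thread's test body. The DKIM-Signature value and the body "Test mail" are taken from the thread; the LF-only line ending of the sample body is an assumption about how the sending script wrote it. A matching bh= only proves the body is intact; a signature can still fail on the headers or on the key, which this example does not verify, and the l= body-length tag is not handled.

```python
import base64
import hashlib
import re

# DKIM-Signature value as it appeared on the mail in the first post of this
# thread, folded exactly as the receiving server stored it.
SIGNATURE = """v=1; a=rsa-sha256; c=relaxed/relaxed; d=somedomain.tld;
     h=cc:from:reply-to:subject:subject:to; s=mgw; bh=ln0DNkj3AbJCDV
    RKLELuj2WhxuHA++rvY3c36umBl3U=; b=UF8kcSZdR9svfdPgDb1KpIUzBknSnh
    UYIN5LAbeOJs3FQiDoJxbz+2F7iebdug2c24PBUKoGWsoOe71QEIWAFqnq43ClR9
    2TKmPobWrk3LDT5kmy+XjAEBTT3kpmMRbNl7yEPiNqt77jwPn9819r3h4EcrXiY9
    b8Lj505W8BZMtmgRHv+vGg0VuCZiDzLTZt7pZY0V3gTvCx2Ft5pGJw4ZtjzZNoKK
    qknF0Zw4tjFd2cUpv2Lck0hslPSuRzvCuHNEsVlwQwoGzkDrAeF53VguxtVg3C7F
    4C9IkFwXav4fMogCF7WT7kf88mSYY+Cs/n/uGlNYj7u54qYVX++J9v/w=="""

# The thread's test body, written the way a script typically writes it
# (LF line endings, assumption).
RECEIVED_BODY = b"Test mail\n"


def parse_dkim_tags(header_value: str) -> dict:
    """Unfold a DKIM-Signature value and split it into tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", "", header_value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            # RFC 6376 allows FWS inside tag values; drop it so that the
            # folded bh= and b= values become single base64 strings.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    # DKIM works on CRLF-terminated lines; normalise bare LF first so a body
    # written by a script is hashed the way the signer saw it on the wire.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if method == "relaxed":
        # Drop trailing whitespace on each line, collapse WSP runs to one SP.
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization {method!r}")
    # Both methods ignore all empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body hashes as a single CRLF (simple) or as nothing (relaxed).
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str, algorithm: str = "rsa-sha256") -> str:
    """The bh= value a signer using the given canonicalization would produce."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, method)).digest()).decode()


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= from the body actually received and compare with the header.

    False means the body changed after signing (or the wrong body was used);
    True only says the body is intact, the b= signature is still unverified.
    """
    tags = parse_dkim_tags(dkim_signature)
    # c=relaxed alone means relaxed headers and simple body (RFC 6376 3.5).
    _, _, body_canon = tags.get("c", "simple/simple").partition("/")
    return body_hash(body, body_canon or "simple", tags.get("a", "rsa-sha256")) == tags["bh"]


if __name__ == "__main__":
    print("bh= in header :", parse_dkim_tags(SIGNATURE)["bh"])
    print("bh= recomputed:", body_hash(RECEIVED_BODY, "relaxed"))
    print("body intact   :", body_hash_matches(SIGNATURE, RECEIVED_BODY))
```

Run it against the body of the mail as it arrived at the receiving side: a mismatch here points at something between PMG and the recipient rewriting the body, a match moves the search to the signed headers and the published key.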
 
PMG is on the internet.
I just adjusted the relay domain and DKIM and use it as an SMTP server.
I wrote a little Python script as an SMTP client and tested outgoing mail with it.
Also I tested with telnet commands.
 
Without a complete signed mail (including headers and body, without obfuscation) this cannot be debugged.
You can try to save the mail you try to send (generate a rule for outbound mail with a bcc-action sending the mail to an address you have), and then compare that to the mail that arrives with the bad signature.

I assume that somedomain.tld is added to '/etc/pmg/dkim/domains', and that the DNS-records are correct:
Code:
dig txt mgw._domainkey.somedomain.tld
yields the same output as does the 'View DNS Record' button in the GUI

I hope this helps!
 
View DNS records:
Code:
mgw._domainkey    IN    TXT    ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33mgVy/85cOqM7Wl1vawEb2pbzSq4o4uVO8sR+ltQf/EkNR2y4ivm27+HEy8v1PgmBl+e3cFGLQYI91MPxRjAVW/ML6eSpASswKQNog4oyeIfNR+y+2LxLTwwpOIooZs74oyYl9fcs7X7xSonLD+84HJhNi1c9w1/iq9wTBbtKVy457NPD0B2Sr82FhaJMpoTD8KadePxiEsXp"
      "pI5V4tKkiqoYaVH15A4fssMjy3iLhBvYIixvac3ipqysN/NTvJkByd2YphABJ3WUNN2fcrj3QBfx7WfTWjXdKI9FXemPDA2j2O4CIUsZCEFJz2+E13hC4Ay6ARvgwh8ifl57r8BwIDAQAB" )  ; ----- DKIM key mgw

Dig:

Code:
;; ANSWER SECTION:
mgw._domainkey.somedomain.tld. 299 IN    TXT    "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33mgVy/85cOqM7Wl1vawEb2pbzSq4o4uVO8sR+ltQf/EkNR2y4ivm27+HEy8v1PgmBl+e3cFGLQYI91MPxRjAVW/ML6eSpASswKQNog4oyeIfNR+y+2LxLTwwpOIooZs74oyYl9fcs7X7xSonLD+84HJhNi1c9w1/iq9wTBbtKVy457NPD0B2Sr" "82FhaJMpoTD8KadePxiEsXppI5V4tKkiqoYaVH15A4fssMjy3iLhBvYIixvac3ipqysN/NTvJkByd2YphABJ3WUNN2fcrj3QBfx7WfTWjXdKI9FXemPDA2j2O4CIUsZCEFJz2+E13hC4Ay6ARvgwh8ifl57r8BwIDAQAB"

Domain is present in '/etc/pmg/dkim/domains'

This is the received original:

Code:
Return-Path: <no-reply@somedomain.tld>
Received: from mail.mymail.tld (LHLO mail.mymail.tld) (some_ip) by
 mail.mymail.tld with LMTP; Fri, 28 Aug 2020 11:22:01 +0300 (MSK)
Received: from localhost (localhost [127.0.0.1])
    by mail.mymail.tld (Postfix) with ESMTP id 943231FA2406;
    Fri, 28 Aug 2020 11:22:01 +0300 (MSK)
Authentication-Results: mail.mymail.tld (amavisd-new); dkim=neutral
    reason="invalid (public key: invalid data)" header.d=somedomain.tld
Received: from mail.mymail.tld ([127.0.0.1])
    by localhost (mail.mymail.tld [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id lxBmXoLvHHGN; Fri, 28 Aug 2020 11:22:01 +0300 (MSK)
Received: from mgw.maildomain.tld (mgw.maildomain.tld [some_ip])
    by mail.mymail.tld (Postfix) with ESMTPS id 5F7471FA0AA4
    for <mymail@mymail.tld>; Fri, 28 Aug 2020 11:22:01 +0300 (MSK)
Received: from mgw.maildomain.tld (localhost.localdomain [127.0.0.1])
    by mgw.maildomain.tld (Proxmox) with ESMTP id 6CD3F3411FC
    for <mymail@mymail.tld>; Fri, 28 Aug 2020 11:22:01 +0300 (MSK)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=somedomain.tld;
     h=cc:from:reply-to:subject:subject:to; s=mgw; bh=ln0DNkj3AbJCDV
    RKLELuj2WhxuHA++rvY3c36umBl3U=; b=UF8kcSZdR9svfdPgDb1KpIUzBknSnh
    UYIN5LAbeOJs3FQiDoJxbz+2F7iebdug2c24PBUKoGWsoOe71QEIWAFqnq43ClR9
    2TKmPobWrk3LDT5kmy+XjAEBTT3kpmMRbNl7yEPiNqt77jwPn9819r3h4EcrXiY9
    b8Lj505W8BZMtmgRHv+vGg0VuCZiDzLTZt7pZY0V3gTvCx2Ft5pGJw4ZtjzZNoKK
    qknF0Zw4tjFd2cUpv2Lck0hslPSuRzvCuHNEsVlwQwoGzkDrAeF53VguxtVg3C7F
    4C9IkFwXav4fMogCF7WT7kf88mSYY+Cs/n/uGlNYj7u54qYVX++J9v/w==
Received: from client.local (unknown [10.0.142.1])
    by mgw.maildomain.tld (Proxmox) with ESMTP id 4F68F340047
    for <mymail@mymail.tld>; Fri, 28 Aug 2020 11:22:01 +0300 (MSK)
Subject: Test mail
Message-Id: <20200828082201.6CD3F3411FC@mgw.maildomain.tld>
Date: Fri, 28 Aug 2020 11:22:01 +0300 (MSK)
From: no-reply@somedomain.tld

Test mail
 
reason="invalid (public key: invalid data)"

seems like the amavisd-new installation sees the public key as wrong - since the mail gets delivered via LMTP - do you maybe have access to the logs of the amavisd-new? (else ask the administrator of mail.mymail.tld for some more detailed logs)

does sending a mail to an outbound system (directly from PMG to the internet) work?
does DNS lookup of the DKIM key work from mail.mymail.tld?
 
Without knowing your domain or getting an unmodified (meaning all addresses are as they are in the original mail) sample mail with signature I cannot do too much here.

As said - check the logs of amavisd-new for why the verification fails
 
Without knowing your domain
I didn't publish the domain, because I thought that it doesn't matter.

jetmailer.net

I'm looking at the logs, but I can't find anything with errors.
 
ok - found it:
Code:
dig +short txt mgw._domainkey.jetmailer.net
"v=DKIM1; h=sha256; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33mgVy/85cOqM7Wl1vawEb2pbzSq4o4uVO8sR+ltQf/EkNR2y4ivm27+HEy8v1PgmBl+e3cFGLQYI91MPxRjAVW/ML6eSpASswKQNog4oyeIfNR+y+2LxLTwwpOIooZs74oyYl9fcs7X7xSonLD+84HJhNi1c9w1/iq9wTBbtKVy457NPD0B2Sr8" "2FhaJMpoTD8KadePxiEsXp\"\009  \"pI5V4tKkiqoYaVH15A4fssMjy3iLhBvYIixvac3ipqysN/NTvJkByd2YphABJ3WUNN2fcrj3QBfx7WfTWjXdKI9FXemPDA2j2O4CIUsZCEFJz2+E13hC4Ay6ARvgwh8ifl57r8BwIDAQAB"

the record contains a '\009' - which does not belong there - I guess this is the reason why verification fails -> set the txt record again and check that it is exactly like the one from the GUI
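The \009 Stoiko spotted is dig's presentation-format escape for a tab character, and the \" next to it is an escaped quote: the second string of the published record contains the literal quoting that separates the two strings of the GUI record, so those characters ended up inside the base64 of p=. A verifier concatenates the strings of a TXT record and ignores whitespace inside p= (RFC 6376 section 3.6.1), but the quote characters are not base64 and make the key undecodable, which matches the "public key: invalid data" result above. The following Python is an added example, not from the thread or from PMG: it reassembles a record from dig or zone-file output, lints the tags, checks that p= decodes to one complete DER SubjectPublicKeyInfo carrying the rsaEncryption algorithm identifier, and compares two presentations of the record. The key is the one from the thread's GUI record; the broken sample is reconstructed from the dig output in this post.

```python
import base64
import re

# Public key from the thread's GUI record, as its two zone-file strings.
KEY_A = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA33mgVy/85cOqM7Wl1vawEb2pbzSq4o4uVO8sR+ltQf/EkNR2y4ivm27+HEy8v1PgmBl+e3cFGLQYI91MPxRjAVW/ML6eSpASswKQNog4oyeIfNR+y+2LxLTwwpOIooZs74oyYl9fcs7X7xSonLD+84HJhNi1c9w1/iq9wTBbtKVy457NPD0B2Sr82FhaJMpoTD8KadePxiEsXp"
KEY_B = "pI5V4tKkiqoYaVH15A4fssMjy3iLhBvYIixvac3ipqysN/NTvJkByd2YphABJ3WUNN2fcrj3QBfx7WfTWjXdKI9FXemPDA2j2O4CIUsZCEFJz2+E13hC4Ay6ARvgwh8ifl57r8BwIDAQAB"
KEY = KEY_A + KEY_B

# AlgorithmIdentifier { rsaEncryption, NULL } as encoded in a SubjectPublicKeyInfo.
RSA_ALGORITHM_ID = bytes.fromhex("300d06092a864886f70d0101010500")
B64_CHARS = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

GUI_RECORD = ('mgw._domainkey    IN    TXT    ( "v=DKIM1; h=sha256; k=rsa; "\n'
              f'      "p={KEY_A}"\n'
              f'      "{KEY_B}" )  ; ----- DKIM key mgw')
# dig output of a correctly published record; the split point differs from
# the GUI's, which is fine because the strings are concatenated before use.
DIG_OK = ('mgw._domainkey.somedomain.tld. 299 IN TXT '
          f'"v=DKIM1; h=sha256; k=rsa; p={KEY[:228]}" "{KEY[228:]}"')
# Reconstructed from the broken dig output in the thread: between the two
# halves of the key sit an escaped quote, a tab (\009) and two spaces, i.e.
# exactly the quoting that separates the GUI record's two strings.
DIG_BAD = ('"v=DKIM1; h=sha256; k=rsa;p=' + KEY[:229] + '" "' + KEY[229:len(KEY_A)]
           + r'\"\009  \"' + KEY_B + '"')


def join_txt_strings(presentation: str) -> str:
    """Reassemble a TXT record from dig or zone-file presentation format.

    Each quoted character-string is unescaped (backslash-quote becomes a quote,
    backslash-DDD becomes chr(DDD)) and the pieces are concatenated without a
    separator, which is what a DKIM verifier does (RFC 6376 section 3.6.2.2).
    """
    pieces = []
    for chunk in re.findall(r'"((?:\\.|[^"\\])*)"', presentation):
        chunk = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1))), chunk)
        chunk = re.sub(r"\\(.)", r"\1", chunk)
        pieces.append(chunk)
    return "".join(pieces)


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record; values keep their whitespace."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value
    return tags


def der_sequence_header(blob: bytes):
    """Return (header_len, content_len) of the outer DER SEQUENCE, or None."""
    if len(blob) < 2 or blob[0] != 0x30:
        return None
    if blob[1] < 0x80:
        return 2, blob[1]
    n = blob[1] - 0x80
    if n not in (1, 2) or len(blob) < 2 + n:
        return None
    return 2 + n, int.from_bytes(blob[2:2 + n], "big")


def lint_dkim_record(presentation: str) -> list:
    """Human-readable problems with a published DKIM key record; [] means it looks sane."""
    problems = []
    record = join_txt_strings(presentation)
    if not record:
        return ["no quoted strings found in the presentation text"]
    tags = parse_tags(record)
    version = tags.get("v", "DKIM1").strip()
    if version != "DKIM1":
        problems.append(f"v= must be DKIM1, got {version!r}")
    if "p" not in tags:
        return problems + ["required p= tag is missing"]
    raw_p = tags["p"]
    # RFC 6376 3.6.1: whitespace inside p= is ignored by verifiers, but its
    # presence usually means the record was pasted in pieces.
    whitespace = re.findall(r"\s", raw_p)
    p = re.sub(r"\s+", "", raw_p)
    if whitespace:
        problems.append(f"whitespace inside p= (record pasted in pieces?): {whitespace!r}")
    stray = sorted(set(ch for ch in p if ch not in B64_CHARS))
    if stray:
        return problems + [f"non-base64 characters inside p=: {stray!r}"]
    if not p:
        return problems + ["p= is empty, which means the key is revoked"]
    try:
        blob = base64.b64decode(p, validate=True)
    except ValueError as exc:
        return problems + [f"p= does not decode as base64: {exc}"]
    header = der_sequence_header(blob)
    if header is None or sum(header) != len(blob):
        problems.append(f"decoded p= ({len(blob)} bytes) is not one complete DER SEQUENCE: "
                        "truncated or over-long copy of the key?")
    elif tags.get("k", "rsa").strip() == "rsa" and \
            blob[header[0]:header[0] + len(RSA_ALGORITHM_ID)] != RSA_ALGORITHM_ID:
        problems.append("k=rsa but the DER does not carry the rsaEncryption AlgorithmIdentifier")
    return problems


def same_key(record_a: str, record_b: str) -> bool:
    """True when two presentations publish the same p= (ignoring whitespace and string splits)."""
    def key_of(pres):
        return re.sub(r"\s+", "", parse_tags(join_txt_strings(pres)).get("p", ""))
    return key_of(record_a) != "" and key_of(record_a) == key_of(record_b)


if __name__ == "__main__":
    for label, rec in (("GUI", GUI_RECORD), ("dig ok", DIG_OK), ("dig bad", DIG_BAD)):
        print(f"{label:8s} problems={lint_dkim_record(rec)}")
    print("GUI and dig publish the same key:", same_key(GUI_RECORD, DIG_OK))
```

Paste the output of `dig +short txt <selector>._domainkey.<domain>` into lint_dkim_record and the record shown by the GUI into same_key: the first tells you whether the published key is usable at all, the second whether it is the key PMG signs with.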
 
So, this is the record from PMG:
Code:
gw._domainkey    IN    TXT    ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqC9X0rytiwqT+FITTtT8vc8hn4lpGwlUVfp3sx9y3hJkIE3AC07LHtg2fdvpEVhSmKSv3WEjQshwPTCV5NFKMsOBa+V7DjEKh230Rumjjc0U0+Yj3oH8xXd16mXV7mIOk1Bj2Amz2o2q12/pKyhFijRCyz0Pn9ftJMSXzrvTvepddghqLJOzzJjpVv+1MinDs1VRcmuxJ5/Mnw"
      "kqNbY81gKkW1bV45x4ZHQYCB/yEtLIUJAd0hzqQMBVb3R7SR8W5AF0ycirO7rE1p1CCTl6DGg1C6r0hSfVLLj4te5rdQMr91YaHpFQMcNf+YR5rqNPj4yNzWmFWXVrG1J2NgA64wIDAQAB" )  ; ----- DKIM key gw

I published this one:
Code:
v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqC9X0rytiwqT+FITTtT8vc8hn4lpGwlUVfp3sx9y3hJkIE3AC07LHtg2fdvpEVhSmKSv3WEjQshwPTCV5NFKMsOBa+V7DjEKh230Rumjjc0U0+Yj3oH8xXd16mXV7mIOk1Bj2Amz2o2q12/pKyhFijRCyz0Pn9ftJMSXzrvTvepddghqLJOzzJjpVv+1MinDs1VRcmuxJ5/MnwkqNbY81gKkW1bV45x4ZHQYCB/yEtLIUJAd0hzqQMBVb3R7SR8W5AF0ycirO7rE1p1CCTl6DGg1C6r0hSfVLLj4te5rdQMr91YaHpFQMcNf+YR5rqNPj4yNzWmFWXVrG1J2NgA64wIDAQAB

Where is my mistake?
Thank you
 
from what I can see the record looks ok now - anything new in the receiving logs?
 
There are no errors in the logs...
Here is sending to Gmail:

Code:
Delivered-To: mymail@gmail.com
Received: by 2002:a50:1e2:0:0:0:0:0 with SMTP id 89csp1174492ecf;
        Fri, 28 Aug 2020 05:08:42 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwGG++M49hDFNYIZqgJd+qq2aRkwFmEnPXSijQ29iodGE65He4xRGfS1wrOSACbeWyvtciP
X-Received: by 2002:adf:c981:: with SMTP id f1mr1276317wrh.14.1598616522802;
        Fri, 28 Aug 2020 05:08:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598616522; cv=none;
        d=google.com; s=arc-20160816;
        b=eEWMz1E7E/9wZaxUbfC8+tAkmu/TjiD31e8M4Ext5ld9wZa6dZKlCsMY7EYySEX1G9
         LR5d7sDutO8fp7CS3QczFPoreYBB1jXnVw7LRdP/Lm2xPsFZzEPLQTipzSgo7NqmUgVr
         6eoO1MJ0ES+hB4gk+BhoS8FD+dVGA8bC0V++AIWpgvmh497WT4elW/LdPH4ly05oNdY1
         bGrrP5s2+cToVjlJksIfk7wQes/6QqEkDY6G5kwgwPkzJGsvdxxQFpEm5msZyN1zJFua
         smWWfOptStPs31bh3e7QrUQIY9sazJpSU0xwACpheZFZPzixq/+C5Ft27zpkjKtQG9/F
         3qkQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=from:date:message-id:subject:dkim-signature;
        bh=ln0DNkj3AbJCDVRKLELuj2WhxuHA++rvY3c36umBl3U=;
        b=mxk0bXaKkS+vWFuxRLWbr4J7uOq6GsEBmy0FQNjzyw2CV+bjLjcDvEa1G7eAEpZLrS
         nQ7fKcwk8DHcwIDjOjCy4FD5UktF3yKo4USY01PEyu3enSFcBMgZ0UWUE9RGPJkoBj0s
         rv4rXPD5ccVznNP41chTNJt9fRR4geQbRyUHuCptiCZTGJG+Osq8qNoExJkGJSiSAs2W
         y1ZF78+J3SCOcTV7TxT4W5QrsGdNem0cpLIxGtVukdqLSZuYwjejzYYmR3bdUbwUyZeX
         btPKLL6boDzrwXKuu08nNHUvaFQ5emc59FgoyEyVhCJo3P1PAAsemtQVxUGBJHncWjX9
         m4Lw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@jetmailer.net header.s=gw header.b=aIQC2tEC;
       spf=pass (google.com: domain of dkimnew@jetmailer.net designates 51.255.235.150 as permitted sender) smtp.mailfrom=dkimnew@jetmailer.net;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=jetmailer.net
Return-Path: <dkimnew@jetmailer.net>
Received: from mgw.firmare.cc (mgw.firmare.cc. [51.255.235.150])
        by mx.google.com with ESMTPS id w3si864106wma.110.2020.08.28.05.08.42
        for <mymail@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 28 Aug 2020 05:08:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of dkimnew@jetmailer.net designates 51.255.235.150 as permitted sender) client-ip=51.255.235.150;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@jetmailer.net header.s=gw header.b=aIQC2tEC;
       spf=pass (google.com: domain of dkimnew@jetmailer.net designates 51.255.235.150 as permitted sender) smtp.mailfrom=dkimnew@jetmailer.net;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=jetmailer.net
Received: from mgw.firmare.cc (localhost.localdomain [127.0.0.1])
    by mgw.firmare.cc (Proxmox) with ESMTP id 8BAB4341203
    for <mymail@gmail.com>; Fri, 28 Aug 2020 15:08:42 +0300 (MSK)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jetmailer.net;
     h=cc:from:reply-to:subject:subject:to; s=gw; bh=ln0DNkj3AbJCDVR
    KLELuj2WhxuHA++rvY3c36umBl3U=; b=aIQC2tEC8T9uClSSfy6WeeP8zNGGSqF
    HWO6r2IhE73jErfl2UmQkkiI8HHrIEpqc+G5anUZ8Dibn6NhRr+gmqR5jCh9sFL+
    jhPVRs5WqN9Psb0pGSd/MKS8hiWmN62eIfo2jkuP6P8TCY/peQPfSYrCw1zsDHkz
    N2kiRPJH/OjqkGVG1xIlPHXnSTQMng+WLZOvLfv8WvHhWVi96uuD613Xytcx5dvH
    QoC5EJ9lyrLvGncDvmDWRjgJlUMhlhK8tRW3DwW99BwUHHMlonXUIVezW6OVt6wO
    XcXssBVQHJ9fQbK4XY+hi+WW+IRACjDz2NK/9W5QdLE1mFZ5h0DT7GQ==
Received: from adminka.local (unknown [10.0.142.1])
    by mgw.firmare.cc (Proxmox) with ESMTP id 6EA6F3411FC
    for <mymail@gmail.com>; Fri, 28 Aug 2020 15:08:42 +0300 (MSK)
Subject: Test mail
Message-Id: <20200828120842.8BAB4341203@mgw.firmare.cc>
Date: Fri, 28 Aug 2020 15:08:42 +0300 (MSK)
From: dkimnew@jetmailer.net

Test mail
 
could you try sending an e-mail with a regular mail-client + mail-server -> PMG -> gmail?

(just wondering if maybe the generation of the message-id or the lack of to: header might cause gmail to treat the signature as invalid)

also - could you send such a testmail to my address (s.ivanov _at_ proxmox.com)
 
could you try sending an e-mail with a regular mail-client + mail-server -> PMG -> gmail?
Unfortunately, no, because I didn't adjust my mail server.
So, I can send to your address.
 
unfortunately, no, because i didn't adjust my mail server
you could try to configure your mail client to send unauthenticated via port 26 of your PMG - alternatively if you have before-queue filtering enabled - try disabling it and sending an e-mail
 
Thank you
I sent the e-mail via a client and got that DKIM passed.

BUT:
I need to send emails via an application (Ruby/Python/PHP) and they can not be properly signed...
 
Anyway, it is a great step.
Stoiko, thank you very much.
I think I need to turn on SSL and authorization.
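The thread ends with mail from a regular client passing and mail from the script still failing. Stoiko's suspicion a few posts up was the script mail's missing To: header and the Message-Id that PMG's Postfix generated for it (the queue ID 6CD3F3411FC from the Received: line reappears in the Message-Id); the thread does not confirm that as the cause. The following Python is an added example, not from the thread or from PMG. It builds a message that carries From, To, Date and Message-ID itself, hands it to the gateway over smtplib with CRLF line endings, and reports which names from the h= list on the thread's signatures a verifier would treat as empty and which are oversigned (listed more often than present, so a copy added later breaks the signature). Addresses and the h= list are the thread's; port 26 is the unauthenticated PMG port Stoiko mentions; the gateway host in the commented-out call is a placeholder.

```python
import email.utils
import smtplib
import ssl
from email.message import EmailMessage
from email.policy import SMTP

# Header list PMG put into h= on the signatures shown in this thread.
H_TAG = "cc:from:reply-to:subject:subject:to"


def bare_message() -> EmailMessage:
    """A message like the thread's script-generated test mail: From and Subject only."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = "dkimnew@jetmailer.net"
    msg["Subject"] = "Test mail"
    msg.set_content("Test mail")
    return msg


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """A message that carries every header an MTA would otherwise add for it."""
    msg = EmailMessage(policy=SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # Date and Message-ID are generated by the client, so nothing downstream has
    # to add them; the Message-ID uses the sender's domain, not the gateway's.
    msg["Date"] = email.utils.formatdate(localtime=True)
    msg["Message-ID"] = email.utils.make_msgid(domain=sender.rpartition("@")[2])
    msg.set_content(body)
    return msg


def as_smtp_bytes(msg: EmailMessage) -> bytes:
    """Serialize with CRLF line endings (policy SMTP), the form the signer canonicalizes."""
    return msg.as_bytes()


def _signed_names(h_tag: str) -> list:
    return list(dict.fromkeys(n.strip().lower() for n in h_tag.split(":")))


def absent_signed_headers(msg: EmailMessage, h_tag: str) -> list:
    """Names in h= that the message does not carry at all (signed as empty)."""
    return [n for n in _signed_names(h_tag) if not msg.get_all(n)]


def oversigned_headers(msg: EmailMessage, h_tag: str) -> list:
    """Names listed in h= more often than they occur: the extra instance is signed
    as empty, so a copy of that header added later breaks the signature
    (RFC 6376 section 5.4.2)."""
    listed = [n.strip().lower() for n in h_tag.split(":")]
    return [n for n in _signed_names(h_tag)
            if 0 < len(msg.get_all(n) or []) < listed.count(n)]


def send_via_gateway(msg: EmailMessage, host: str, port: int = 26,
                     username=None, password=None) -> None:
    """Hand the message to the gateway; STARTTLS and AUTH are used when available."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        if username and password:
            smtp.login(username, password)
        # send_message serializes with the message's own (SMTP, CRLF) policy.
        smtp.send_message(msg)


if __name__ == "__main__":
    msg = build_message("dkimnew@jetmailer.net", "mymail@gmail.com", "Test mail", "Test mail")
    print(as_smtp_bytes(msg).decode())
    for label, m in (("bare", bare_message()), ("complete", msg)):
        print(label, "absent:", absent_signed_headers(m, H_TAG),
              "oversigned:", oversigned_headers(m, H_TAG))
    # send_via_gateway(msg, "mgw.example.tld")  # placeholder gateway host
```

Compare the bcc copy PMG keeps (Stoiko's rule suggestion above) with what the recipient received: every name in absent_signed_headers must still be absent on arrival, and every oversigned name must still occur exactly as often, or the signature cannot verify.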
 
