DKIM for Quarantine Notifications

Jun 6, 2020
Hi folks,

Is there any way to sign the Quarantine Notification emails with DKIM?
I haven't found any solution, but it's important because if the email has been forwarded, it gets rejected by DMARC.

 
Do you have the logs of the sent quarantine report? (maybe also from the destination system, which rejected it)?

It's odd, because the spam reports get sent out with an empty sender (and I would assume that this should not cause a DMARC failure)?
 
Hi Stoiko,

I just saw it on the DMARC Analyser, because it was forwarded. ("forwarded: looks forwarded, downgrade to quarantine with phishing warning")

The journey of email looks like this:
PMG (Quarantine Notification) > Internal mail system (without SRS support) >> gmail.com.

But if I can have a DKIM signature, gmail.com would accept it.

postfix/smtpd[21639]: connect from localhost[127.0.0.1]
postfix/smtpd[21639]: D7C22202BC: client=localhost[127.0.0.1]
postfix/cleanup[21880]: D7C22202BC: message-id=<20200819163259.D7C22202BC@pmg.domain.tld>
postfix/qmgr[18206]: D7C22202BC: from=<>, size=37832, nrcpt=1 (queue active)
postfix/smtpd[21639]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 commands=4
postfix/smtp[21640]: D7C22202BC: to=<original@doamin.tld>, relay=xx.xx.xx.xx[xx.xx.xx.xx]:25, delay=0.41, delays=0.02/0/0.29/0.11, dsn=2.0.0, status=sent (250 21111781 message accepted for delivery)
postfix/qmgr[18206]: D7C22202BC: removed

Now I tested and got this on Gmail.com:

And at gmail.com I am getting this alert:
Why is this message in spam?
It seems to be an auto-reply to a message that pretended to be sent from your email address.
 
The report gets sent with an empty sender - so it is not possible to choose a domain for signing the message (and it is sent with an empty sender to prevent mail loops) - I'm not sure whether sending bounce messages (mails with empty senders) signed would help at all (or in which context this makes sense).

You could try to set up a DKIM signing software on your internal mail system - so that the mail gets a signature - but I'm not sure that it would help with getting the mail accepted by gmail.
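
An added example, not part of any post in this thread and not PMG code: a minimal sketch of DMARC identifier alignment (RFC 7489) for a message with a null envelope sender, evaluated when delivered directly, after an unmodified forward, and after a forward carrying a signature that still verifies. All domains and authentication results are constructed sample values, and the organizational-domain lookup is a simplifying assumption.

```python
# Added example: DMARC identifier alignment for null-sender mail.
# Domains and SPF/DKIM results below are constructed, not taken from the thread.
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Assumption: organizational domain = last two labels.
    A real evaluator must consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(a: str, b: str, strict: bool = False) -> bool:
    """Strict alignment needs identical domains, relaxed the same org domain."""
    if strict:
        return a.lower() == b.lower()
    return org_domain(a) == org_domain(b)


@dataclass
class Message:
    header_from: str               # domain of the From: header address
    mail_from: str                 # envelope sender domain, "" for from=<>
    helo: str                      # HELO/EHLO name of the host that delivered it
    spf_pass: bool                 # SPF result the receiver computed
    dkim_d: Optional[str] = None   # d= of a DKIM signature that verified, if any


def spf_identity(msg: Message) -> str:
    # RFC 7208 section 2.4: with a null reverse-path the checked identity
    # becomes postmaster@<HELO domain>, so the HELO domain is what must align.
    return msg.mail_from or msg.helo


def dmarc_pass(msg: Message, strict: bool = False) -> bool:
    """DMARC passes when SPF or DKIM passes AND aligns with the From: domain."""
    spf_ok = msg.spf_pass and aligned(spf_identity(msg), msg.header_from, strict)
    dkim_ok = msg.dkim_d is not None and aligned(msg.dkim_d, msg.header_from, strict)
    return spf_ok or dkim_ok


# Constructed scenarios for a report with From: ...@example.com and from=<>.
DIRECT = Message("example.com", "", "pmg.example.com", spf_pass=True)
FORWARDED = Message("example.com", "", "mx.forwarder.example.net", spf_pass=True)
FORWARDED_SIGNED = Message("example.com", "", "mx.forwarder.example.net",
                           spf_pass=True, dkim_d="example.com")

if __name__ == "__main__":
    for name in ("DIRECT", "FORWARDED", "FORWARDED_SIGNED"):
        print(name, "DMARC pass" if dmarc_pass(globals()[name]) else "DMARC fail")
```

The forwarded case fails even though SPF passes, because the identity SPF authenticated is the forwarder's HELO domain, which does not align with the From: domain.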
 
Signing on the internal system is impossible, because this is a simple redirect.

"The report gets sent with an empty sender" Yeah, this is the problem for me. Is there any hack to add a sender just for this type of email?
 
"Is there any hack to add a sender just for this type of email?"
This is quite deep in the source of PMG - you could try to adapt the postfix config of the smtpd on port 10025 to add a sender for mails originating locally - though I haven't tried something like that yet - see the postfix documentation:
http://www.postfix.org/ADDRESS_REWRITING_README.html
and the reference documentation for getting this into the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
 
Hi Stoiko,

I did try, but it didn't work. Meanwhile, at this stage I have run out of ideas, but this issue can be common if the Quarantine Email Notification has been forwarded.
Any suggestion? :)
 
Don't send the mail on unmodified, but actively resend it from your downstream server for mails with empty senders.

Sorry - those things are the problematic cases of SMTP (and spam prevention) quite often (think mailing lists).
 
I am in the same hole.

I would like to know how to sign all Proxmox Mail Gateway root notifications with DKIM. I have tried to add it in the DKIM, but there is no DKIM signing for local message notifications and I am having problems: the clients do not receive the messages because DMARC is on a reject policy.

When I need to do a notification on a rule, the message goes out from the PMG without DKIM signing. It only signs domains that are being sent through it, but not those that are being sent by it.

Any solution?
 
I am installing a Proxmox Mail Gateway in a closed environment and I will test installing DKIM on the Postfix of Proxmox and do testing experiments.

I will comment on the outcome.
 