DKIM not working

danny.peeters

New Member
Jun 26, 2023
Hi,
I have configured a proxmox gateway to replace our current email gateway.
The gateway is on our IDMZ, a zone on the firewall.
I have configured dkim signing for several domains but this is not working.
I send a mail via an internal application to my G-mail address or my email in O365 and always get a dkim failure.
I have also configured other domains with the same problem.
The public key is in /etc/pmg/dkim and /etc/pmg/dkim/domains has cipal.be 1.
I am sure the DKIM config in DNS is correct, because when I send the same mail via our current email gateways in the same setup it is OK:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@cipal.be header.s=antispam header.b=XH3w42MP;
spf=pass (google.com: domain of dp@cipal.be designates 193.190.120.88 as permitted sender) smtp.mailfrom=dp@cipal.be

My pmg.conf:
section: admin
dkim_selector antispam
dkim_sign 1
dkim_sign_all_mail 0
email danny.peeters@cipalschaubroeck.be

section: mail
ext_port 26
int_port 25
tls 1
tlslog 1

Headers in my Google mailbox:
ARC-Authentication-Results: i=1; mx.google.com;
dkim=fail header.i=@cipal.be header.s=antispam header.b="RlW/3tos";
spf=pass (google.com: domain of dp@cipal.be designates 193.190.120.72 as permitted sender) smtp.mailfrom=dp@cipal.be
Return-Path: <dp@cipal.be>
Received: from gefwml06.cipalschaubroeck.be (mail.cipal.be. [193.190.120.72])
by mx.google.com with ESMTPS id x21-20020aa7dad5000000b0051d8b5effd4si1819882eds.560.2023.06.26.00.41.10
for <dann.peeters@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 26 Jun 2023 00:41:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of dp@cipal.be designates 193.190.120.72 as permitted sender) client-ip=193.190.120.72;
Authentication-Results: mx.google.com;
dkim=fail header.i=@cipal.be header.s=antispam header.b="RlW/3tos";
spf=pass (google.com: domain of dp@cipal.be designates 193.190.120.72 as permitted sender) smtp.mailfrom=dp@cipal.be
Received: from gefwml06.cipalschaubroeck.be (localhost.localdomain [127.0.0.1]) by gefwml06.cipalschaubroeck.be (Proxmox) with ESMTP id 4292C2524B for <dann.peeters@gmail.com>; Mon, 26 Jun 2023 09:41:10 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cipal.be; h=cc :from:reply-to:subject:subject:to; s=antispam; bh=k951FapS4C0lD+ KMmv5rbvj5fjQvtdUZCVx/jWVP6Os=; b=RlW/3tosTfWcdAQGxIDFn/FOyVbz4K CCiSXMGkbw5y+QGjLc+8cGSc+r9YP8TXAF3Q2FrLy/6nMsTnaeiCZ7/adzXGghvw u0Di8KpbSrVqd0CqNQTR2xQ/AVh9sAPfgvvnvPTFFcatPHOzQ6HY1rip1+SmiNZD r8572rmb6+rGxHvg9pdYhuvTD6lPKN1yx617BQs21QDH76qSOlCY9AjDFkWJwkFY apty8BGfJ4AJ+e5xlVOmOeEQTabzmUs1gVCO9gQEaohoU6zHIzWjvb5Y0T/KYn/I j2gOHO3Kau+wdjTc+G64g2SHSxubisWz45yCVrSBBqX6iomGKcp+7qdw==
Received: from GEMGTnsh.adin.cipal.be (GEMGTnsh.adin.cipal.be [192.168.1.1]) by gefwml06.cipalschaubroeck.be (Proxmox) with SMTP id 26A8425226 for <dann.peeters@gmail.com>; Mon, 26 Jun 2023 09:41:10 +0200 (CEST)
Subject: TEST
Message-Id: <20230626074110.4292C2524B@gefwml06.cipalschaubroeck.be>
Date: Mon, 26 Jun 2023 09:41:10 +0200 (CEST)
From: dp@cipal.be
 
Looking at the DKIM record there seems to be a small issue with the key. I marked it with "^^^" in the line below. You will probably need to scroll right a bit as it is in the middle of the key.
Code:
$ dig txt antispam._domainkey.cipal.be +short
"v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw/oRPEYsi5+1T4+1htn+PbdbKLGv06w2jyEPOpB6v7NwAOYvrupC+DQfUh4ka0oQyeiIqd1jNBRRSEeFcASUL70x+1bP3CHLvxaXubq6OLOTIJp9Ss9HTGKmdwLBtC4vbGgFhlIyMeb6nGAexAPDVga9/77/9yGDN" "626k1cbJte9scyBDWA0XwHuw//8chYb50eAvGNoWbbmj+upZSWi8CLKgb7A5xA2sS8EwR+aJf9EolOMBHUT/hRLDqvRX9xP1qxU11SW0CtQ1QFDl39ZxQmqp3uZhyfak4P/pzLtdfW/YGnLNqEg54UokfXKcEe2+lL/ulFXZO2lGOgk31a4FwIDAQAB"
                                                                                                                                                                                                                                          ^^^
 
This should be no problem.
Some DNS service providers require you to split long TXT resource records into 255 characters parts.
This 255 character restriction is usually encountered with DKIM records, as those are often longer than 255 characters.
If I use a DKIM validator for this domain, it gives: Record is valid.
"With this tool you can inspect and validate a DKIM DNS record. We'll test the record against all requirements from the DKIM standards RFC6376 and RFC8463."
And it also works with our previous email gateways.
 
Good point.
So do I understand it correctly, that sending email via the PMG to a DKIM validator gives you the green light that the email validates?

Does it only happen with Gmail? Does it happen all the time?
 
Could you try the following - it should help in seeing that the selector private key indeed corresponds to the public key:
`openssl rsa -pubout -in /etc/pmg/dkim/antispam.private`
either post the output here (it is a public key after all) - or compare it with the result from the DNS TXT record (from the dig command @aaron posted above).
 
Here is the result of the requested command:
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw/oRPEYsi5+1T4+1htn+
PbdbKLGv06w2jyEPOpB6v7NwAOYvrupC+DQfUh4ka0oQyeiIqd1jNBRRSEeFcASU
L70x+1bP3CHLvxaXubq6OLOTIJp9Ss9HTGKmdwLBtC4vbGgFhlIyMeb6nGAexAPD
Vga9/77/9yGDN626k1cbJte9scyBDWA0XwHuw//8chYb50eAvGNoWbbmj+upZSWi
8CLKgb7A5xA2sS8EwR+aJf9EolOMBHUT/hRLDqvRX9xP1qxU11SW0CtQ1QFDl39Z
xQmqp3uZhyfak4P/pzLtdfW/YGnLNqEg54UokfXKcEe2+lL/ulFXZO2lGOgk31a4
FwIDAQAB
-----END PUBLIC KEY-----

If I send a mail to my Google account or to my O365 account I always get a DKIM failure.
Our O365 accounts are filtered by Sophos Central Email and the mail is quarantined because of the DKIM failure.
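The comparison requested above (the `openssl rsa -pubout` output against the `dig` TXT record) can be done mechanically. The script below is an added example and is not code from this thread or from Proxmox Mail Gateway. It takes the two quoted TXT strings exactly as `dig` printed them in this thread and the PEM posted above, joins the strings the way RFC 6376 section 3.6.2.2 requires (a long record is split into several 255-byte character-strings that the reader concatenates with nothing in between), parses the DKIM tags, and compares the DER-encoded public key from DNS with the one derived from the private key. It uses only the standard library and does no DNS lookup itself.

```python
"""Compare a DKIM DNS record's public key with a locally derived public key.

Added example, not code from this thread or from Proxmox Mail Gateway.
The TXT strings and the PEM block are the ones posted in the thread.
"""
import base64
import re

# The two character-strings dig printed for antispam._domainkey.cipal.be.
TXT_STRINGS = [
    "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw/oRPEYsi5+1T4+1htn+PbdbKLGv06w2jyEPOpB6v7NwAOYvrupC+DQfUh4ka0oQyeiIqd1jNBRRSEeFcASUL70x+1bP3CHLvxaXubq6OLOTIJp9Ss9HTGKmdwLBtC4vbGgFhlIyMeb6nGAexAPDVga9/77/9yGDN",
    "626k1cbJte9scyBDWA0XwHuw//8chYb50eAvGNoWbbmj+upZSWi8CLKgb7A5xA2sS8EwR+aJf9EolOMBHUT/hRLDqvRX9xP1qxU11SW0CtQ1QFDl39ZxQmqp3uZhyfak4P/pzLtdfW/YGnLNqEg54UokfXKcEe2+lL/ulFXZO2lGOgk31a4FwIDAQAB",
]

# Output of `openssl rsa -pubout -in /etc/pmg/dkim/antispam.private` as posted.
LOCAL_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw/oRPEYsi5+1T4+1htn+
PbdbKLGv06w2jyEPOpB6v7NwAOYvrupC+DQfUh4ka0oQyeiIqd1jNBRRSEeFcASU
L70x+1bP3CHLvxaXubq6OLOTIJp9Ss9HTGKmdwLBtC4vbGgFhlIyMeb6nGAexAPD
Vga9/77/9yGDN626k1cbJte9scyBDWA0XwHuw//8chYb50eAvGNoWbbmj+upZSWi
8CLKgb7A5xA2sS8EwR+aJf9EolOMBHUT/hRLDqvRX9xP1qxU11SW0CtQ1QFDl39Z
xQmqp3uZhyfak4P/pzLtdfW/YGnLNqEg54UokfXKcEe2+lL/ulFXZO2lGOgk31a4
FwIDAQAB
-----END PUBLIC KEY-----"""


def join_txt_strings(strings):
    """RFC 6376 3.6.2.2: the character-strings of one TXT RR are concatenated
    with no intervening whitespace before the record is interpreted."""
    return "".join(strings)


def parse_dkim_record(record):
    """Split a 'tag=value; tag=value' record into a dict (RFC 6376 3.2).
    Whitespace inside a value (allowed by the RFC) is removed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def der_from_pem(pem):
    """Strip the PEM armour and return the DER bytes of the public key."""
    body = "".join(ln for ln in pem.splitlines() if not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def der_from_dkim_record(record):
    """Validate the tags a verifier cares about and return the key bytes."""
    tags = parse_dkim_record(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type: " + tags["k"])
    if not tags.get("p"):
        raise ValueError("empty p= tag: the key has been revoked")
    return base64.b64decode(tags["p"], validate=True)


def keys_match(txt_strings, local_pem):
    """True when the DNS key and the local key are byte-identical DER."""
    dns_der = der_from_dkim_record(join_txt_strings(txt_strings))
    local_der = der_from_pem(local_pem)
    # Both must be a DER SEQUENCE (SubjectPublicKeyInfo), first byte 0x30.
    if dns_der[:1] != b"\x30" or local_der[:1] != b"\x30":
        raise ValueError("key is not a DER SubjectPublicKeyInfo")
    return dns_der == local_der


if __name__ == "__main__":
    print("match" if keys_match(TXT_STRINGS, LOCAL_PUBLIC_KEY_PEM) else "MISMATCH")
```

To check a live zone, replace `TXT_STRINGS` with the quoted strings from `dig txt <selector>._domainkey.<domain> +short`; a split at an odd place inside the base64 (as at the `^^^` marker above) is harmless as long as the pieces are concatenated before decoding, which is what this does.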
 
Thanks - the public key seems to match the one from the DNS-record - so if PMG does the dkim signing with the antispam selector it should work:
a) do you have any messages in the log?

b) the test-mail you sent me is missing a To header? - I think I remember a case where this led to weird dkim failures. - please send the test-mail with a normal mail-client which adds all the required headers - maybe this is the issue here

I hope this helps!
 
We don't use email clients to send mail via these gateways. This is done via programs running in our datacenter.
I have used a sendmail client for previous tests. Now I have tested it with a PowerShell script and this seems to work.
But I cannot test every program again.
 
You can send me a test-mail (like the one before) through your other gateway where the signing works - maybe I can spot the difference

However the set of headers PMG signs for DKIM was chosen as a sensible default set - and currently we're not planning on changing it (as it works for almost all situations)

I hope this explains it.
 
yes - as expected the other appliance just does not include the To header in the signature if it's not present:
Code:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cipal.be; h=subject:message-id:date:from; s=antispam;......
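What the two h= lists in this thread bind can be made visible with a small verifier-side model. The script below is an added example; it is not code from this thread, from PMG or from the other appliance. It implements the header selection and relaxed header canonicalization rules of RFC 6376 (sections 3.4.2, 3.7 and 5.4): for each name in h= the last not-yet-used instance of that header is taken, and a listed name with no remaining instance contributes nothing to the hash, which is how the doubled "subject:subject" in PMG's default list pins the number of Subject fields. The message is constructed to resemble the posted test mail (no To header); the wish list for the other appliance is an assumption inferred from the posted `h=subject:message-id:date:from`.

```python
"""Model which header fields a DKIM h= list binds (RFC 6376 3.4.2, 3.7, 5.4).

Added example; not code from this thread, from PMG or from the other
appliance. Message contents are constructed for illustration.
"""
import re

# PMG's default signed-header list, as seen in the DKIM-Signature posted above.
PMG_SIGNED_HEADERS = "cc:from:reply-to:subject:subject:to"

# Assumed wish list for the other appliance: the posted h= plus "to", which
# it evidently drops when the message has no To header.
OTHER_APPLIANCE_WISH_LIST = "subject:message-id:date:from:to"

# Constructed message resembling the posted test mail: no To header.
MESSAGE_WITHOUT_TO = [
    ("Subject", "TEST"),
    ("Message-Id", "<constructed-id@example.invalid>"),
    ("Date", "Mon, 26 Jun 2023 09:41:10 +0200 (CEST)"),
    ("From", "dp@cipal.be"),
]

# The same message with a second Subject field appended after signing.
MESSAGE_WITH_EXTRA_SUBJECT = MESSAGE_WITHOUT_TO + [("Subject", "added later")]


def relaxed_header(name, value):
    """Relaxed canonicalization: lowercase the name, unfold, squeeze runs of
    whitespace to one space, strip, then emit 'name:value' + CRLF."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_signed_headers(headers, h_tag):
    """Walk the h= list; for each name take the last not-yet-used instance
    of that header, scanning from the bottom of the message. Returns a list
    of (name, value); value is None when the name was listed but no instance
    remained, which the verifier hashes as the empty string."""
    remaining = list(headers)
    chosen = []
    for name in h_tag.split(":"):
        for idx in range(len(remaining) - 1, -1, -1):
            if remaining[idx][0].lower() == name.lower():
                chosen.append(remaining.pop(idx))
                break
        else:
            chosen.append((name, None))
    return chosen


def canonical_header_block(headers, h_tag):
    """The text that enters the DKIM header hash for this h= list (the
    DKIM-Signature field itself is excluded here for brevity)."""
    if "from" not in [n.lower() for n in h_tag.split(":")]:
        raise ValueError("RFC 6376 requires the From field in h=")
    return "".join(
        relaxed_header(name, value)
        for name, value in select_signed_headers(headers, h_tag)
        if value is not None
    )


def h_tag_from_present_headers(headers, wanted):
    """Build an h= list from a wish list, keeping only names that occur in
    the message (the behaviour observed for the other appliance)."""
    present = {name.lower() for name, _ in headers}
    return ":".join(n for n in wanted.split(":") if n.lower() in present)


if __name__ == "__main__":
    print(repr(canonical_header_block(MESSAGE_WITHOUT_TO, PMG_SIGNED_HEADERS)))
    print(h_tag_from_present_headers(MESSAGE_WITHOUT_TO, OTHER_APPLIANCE_WISH_LIST))
```

With PMG's list and no To header the hash input is just `from:` and `subject:`; the absent cc, reply-to, second subject and to slots contribute nothing, so a compliant verifier computes the same hash the signer did. The second constructed message shows why the extra "subject" slot is there: an additional Subject field fills it and changes the canonical block, so the signature no longer verifies.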
 
