DKIM signing for bounces

linushstge

Active Member
Dec 5, 2019
77
10
28
In the current PMG 8.0.7 version postfix internal mails (bounce & notify) will not be DKIM signed - even if the source domain is part of the signing domains.
If the bounce sender domain have a strict DKIM / DMARC alignment, some providers are rejecting these important mails.

e.G. Incoming mail can't be delivered in maximal_queue_lifetime:

Code:
pmg14 postfix/smtp[3048]: 93E50140417: 
to=<original-sender@gmail.com>, 
relay=gmail-smtp-in.l.google.com[2a00:1450:400c:c0b::1b]:25, 
delay=0.91, 
delays=0/0/0.24/0.67, dsn=5.7.26, 
status=bounced (host gmail-smtp-in.l.google.com[2a00:1450:400c:c0b::1b] said: 

550-5.7.26 Unauthenticated email from bounce-domain.com is not accepted due to 550-5.7.26 domain's DMARC policy. 
Please contact the administrator of 550-5.7.26 bounce-domain.com if this was a legitimate mail. 
Please visit 550-5.7.26 https://support.google.com/mail/answer/2451690 to learn about the 550 5.7.26 DMARC initiative.
 gsmtp (in reply to end of DATA command))

pmg14 postfix/qmgr[1894]: 93E50140417: removed

In the official postfix documentation, there is a internal_mail_filter_classes setting.
Source: https://www.postfix.org/postconf.5.html#internal_mail_filter_classes

Is there a simple way to implement the local pmg content filter for dkim signing for bounce and notify mails?
 
  • Like
Reactions: sws-it
Sadly this is currently not possible with the dkim-implementation of PMG (it's quite high on our TODO list - but no promises)
If you need this - you can always use another dkim implementation (opendkim-milter for example)
 
This is known issue allready for years, and i mean many years, still no fix @Stoiko Ivanov , that is very disapointing :/ , it seems like it is time to ditch proxmox.
There is a workaround that worked some time ago, see attachment.
Sometimes you have to play with escape/ing characters if it does not work.
And offcourse you will have to recreate config after updates.
Insert selected lines in /usr/share/perl5/PMG/RuleDB/Accept.pm
 

Attachments

  • PrxMxWorkaround.JPG
    PrxMxWorkaround.JPG
    35 KB · Views: 37
Last edited:
I have the same issue now, and the more companies moving to dkim/spf forced checks, bounces wont work.
microsoft does now for example, soon gmail+yahoo will also.

I see the only workaround, as disabling bounces, which isn't a solution at all.

Alternatively, disregard all DMARC mails incoming, just to find out the 'fail's are for bounced messages.
 
Last edited:
  • Like
Reactions: sws-it
The more I think about it, it actually makes sense disabling bounces.
As they are generated by postmaster / locally, they won't get signed.
And to be fair, most regular users getting a postmaster notification error, do not read and even less understands the errors there anyways. So it feels there's no point in sending the bounces. (With exception of the few percentages of people (like us) who would read and understand the errors).
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!