DKIM signing with wrong keys

procop

New Member
Mar 16, 2021
PMG 6.4-3
Have 2 domains:
domain01.com
domain02.com
both in /etc/pmg/domains and /etc/pmg/dkim/domains
Created a DKIM selector and added it to DNS accordingly for both domains.
The problem is that PMG signs messages from both domains with the same DKIM key:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain01.com;
h=cc:content-transfer-encoding:content-type:content-type:date


What I expect: when I send a message from domain02.com, the message should be signed with domain02.com.

Any idea?
 
Installing opendkim solves the problem with the wrong domain signature, but I want to solve this with the standard setup.
 
The DKIM signing code uses the envelope from (SMTP-dialogue MAIL FROM) domain for signing (if configured).
Could you share the logs of such a mail and the complete headers of it (anonymize what you have to, but try to keep it consistent)?
 
Thanks for the reply, I understand the source of the problem.
Is there a way to change this behavior?
The MAIL FROM is not easy to change - we use Exchange Mail Server as the source.
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/smtpd[11348]: connect from mbxsrv01.domain.com[172.16.1.10]
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/smtpd[11348]: Anonymous TLS connection established from mbxsrv01.domain.com[172.16.1.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/smtpd[11348]: A55A0A011D1: client=mbxsrv01.domain.com[172.16.1.10]
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/cleanup[11351]: A55A0A011D1: message-id=<eedd9ba5-a131-aa2a-f2e1-f39bcccd6f7f@domain02.com>
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/qmgr[2948]: A55A0A011D1: from=<user.name@domain01.com>, size=1129, nrcpt=1 (queue active)
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/smtpd[11348]: disconnect from mbxsrv01.domain.com[172.16.1.10] ehlo=2 starttls=1 mail=1 rcpt=1 bdat=1 quit=1 commands=7
Apr 21 14:39:54 sgqvlp-mailgw01 pmg-smtp-filter[6878]: A013F4607FC8BAB7E57: new mail message-id=<eedd9ba5-a131-aa2a-f2e1-f39bcccd6f7f@domain02.com>#012
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/smtpd[11358]: connect from localhost.localdomain[127.0.0.1]
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/smtpd[11358]: E3DA4A013F6: client=localhost.localdomain[127.0.0.1], orig_client=mbxsrv01.domain.com[172.16.1.10]
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/cleanup[11351]: E3DA4A013F6: message-id=<eedd9ba5-a131-aa2a-f2e1-f39bcccd6f7f@domain02.com>
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/qmgr[2948]: E3DA4A013F6: from=<user.name@domain01.com>, size=1439, nrcpt=1 (queue active)
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/smtpd[11358]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Apr 21 14:39:54 sgqvlp-mailgw01 pmg-smtp-filter[6878]: A013F4607FC8BAB7E57: accept mail to <mailxxx@mail.ru> (E3DA4A013F6) (rule: default-accept)
Apr 21 14:39:54 sgqvlp-mailgw01 pmg-smtp-filter[6878]: A013F4607FC8BAB7E57: processing time: 0.191 seconds (0, 0.042, 0)
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/lmtp[11352]: A55A0A011D1: to=<mailxxx@mail.ru>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.3, delays=0.03/0.06/0.01/0.2, dsn=2.5.0, status=sent (250 2.5.0 OK (A013F4607FC8BAB7E57))
Apr 21 14:39:54 sgqvlp-mailgw01 postfix/qmgr[2948]: A55A0A011D1: removed
Apr 21 14:39:58 sgqvlp-mailgw01 postfix/smtp[11359]: Trusted TLS connection established to mxs.mail.ru[94.100.180.31]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 21 14:40:00 sgqvlp-mailgw01 postfix/smtp[11359]: E3DA4A013F6: to=<mailxxx@mail.ru>, relay=mxs.mail.ru[94.100.180.31]:25, delay=5.9, delays=0.01/0.06/3.5/2.3, dsn=5.7.1, status=bounced (host mxs.mail.ru[94.100.180.31] said: 550 5.7.1 This message was not accepted due to domain (domain02.com) owner DMARC policy (RFC 7489) https://help.mail.ru/mail-help/postmaster/dmarc (in reply to end of DATA command))
Apr 21 14:40:00 sgqvlp-mailgw01 postfix/qmgr[2948]: E3DA4A013F6: removed
~

The message headers:
Return-Path: <user.name@domain01.com>
Received: from sgqvlp-mailgw01.domain01.com (localhost.localdomain [127.0.0.1])
        by mailgw01.domain.com (Proxmox) with ESMTP id E3DA4A013F6
        for <mailxxx@mail.ru>; Wed, 21 Apr 2021 14:39:54 +0800 (+08)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain01.com;
         h=cc:content-transfer-encoding:content-type:content-type:date
        :from:from:message-id:mime-version:reply-to:subject:subject:to
        :to; s=2021041; bh==; b=
        y87ojBBb+UkhYPqBlKUU5aZ/Y/CTLW8NoIqQ5hyC16ImgxJSl+4169/YE39iqfQv
        OCSqvfKRdyW5qr7nDCIaJQ==
Message-ID: <eedd9ba5-a131-aa2a-f2e1-f39bcccd6f7f@domain02.com>
Date: Wed, 21 Apr 2021 14:39:53 +0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101
Thunderbird/88.0
Content-Language: en-US
To: weblab home-edu <mailxxx@mail.ru>
From: Vlad 002 <user.name@domain02.com>
Subject: sss
Organization: Domain02
Content-Type: text/plain; charset="UTF-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [172.....]
X-ClientProxiedBy: mbxsrv01.domain.com (172.16.1.10) To mbxsrv01.domain.com
(172.16.1.10)
MIME-Version: 1.0
 
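The posted headers show the envelope sender and the DKIM `d=` tag on domain01.com while the From header is on domain02.com, which is the mismatch behind the 550 DMARC bounce in the log. The following check is an added example, not part of the original thread or of PMG's code: the sample message is constructed from the posted headers, and the function names (`domain_of`, `dkim_tags`, `aligned`, `check`) are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers posted above (signature data replaced).
SAMPLE = """\
Return-Path: <user.name@domain01.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain01.com;
\th=from:subject:date; s=2021041; bh=placeholder; b=placeholder
From: Vlad 002 <user.name@domain02.com>
Subject: sss

body
"""

def domain_of(value):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def aligned(signing, author, strict=False):
    """DMARC identifier alignment; relaxed mode is approximated by a parent/child
    test instead of a Public Suffix List lookup (assumption of this example)."""
    if not signing or not author:
        return False
    same_tree = author.endswith("." + signing) or signing.endswith("." + author)
    return signing == author or (not strict and same_tree)

def check(raw):
    """Report which domains a receiver would compare for DMARC."""
    msg = message_from_string(raw)
    author = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    d_values = [dkim_tags(v).get("d", "").lower()
                for v in msg.get_all("DKIM-Signature", [])]
    return {"header_from": author, "envelope_from": envelope, "dkim_d": d_values,
            "dkim_aligned": any(aligned(d, author) for d in d_values),
            "envelope_aligned": aligned(envelope, author)}

if __name__ == "__main__":
    print(check(SAMPLE))
```

The check only compares domains; it does not verify the signature or evaluate SPF, so an aligned result still needs a passing DKIM or SPF check at the receiver.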