DKIM with SRS

It has caught my attention that rewritten addresses with SRS are not signed with DKIM, because PMG looks at the domain after @ instead of the rewritten domain:

Code:
not DKIM signing mail from SRS0=duAC=HO=cyberfusion.nl=wedwards@prorelay.nl

So in this case, email from cyberfusion.nl is signed with DKIM, but as the address is rewritten to originate from prorelay.nl, which is not configured to use DKIM, no DKIM signing takes place...

I'm no email expert, but shouldn't the rewritten domain be extracted from the rewritten address before evaluating if DKIM signing should take place?
 
Couldn't find anything definitive on the recommendations for SRS+DKIM - but to me the behavior of PMG seems all right:
* the SRS rewrite happened at some downstream system of PMG (sending mails for prorelay.nl)
* PMG relays mail for this system (and not the original one - which sends mails for cyberfusion.nl) - and signs them as coming from this system

You can also just add prorelay.nl to the list of domains which should be DKIM signed (and add the TXT record for that domain).

Else - we are planning to add support for signing based on the domain in the From header (as opposed to the envelope from) - see https://bugzilla.proxmox.com/show_bug.cgi?id=2971
maybe this would help in your case as well (no promises when this will get implemented though)

I hope this helps!
 
I could not find any clear information on SRS and DKIM either. The change proposed in that bug report would indeed 'fix' this! I will add this thread to the Bugzilla bug.
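
The three choices discussed in this thread (envelope-from domain, the original domain embedded in an SRS0 address, and the From header domain), as an added example that is not part of the original posts and is not PMG's code. The function names, the candidate order and the display name in the sample From header are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# SRS0 local part: SRS0=<hash>=<timestamp>=<original domain>=<original local part>
# ("=" right after SRS0 is the usual separator; "+" and "-" are also accepted here).
SRS0_RE = re.compile(r"^SRS0[=+-]([^=]+)=([^=]+)=([^=]+)=(.+)$", re.IGNORECASE)


def domain_of(address):
    """Lower-cased domain of an address or header value, or None."""
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    return domain.lower() if sep and local and domain else None


def srs0_original_domain(envelope_from):
    """Original sender domain embedded in an SRS0 address, else None."""
    _, addr = parseaddr(envelope_from)
    local, sep, _ = addr.rpartition("@")
    m = SRS0_RE.match(local) if sep else None
    return m.group(3).lower() if m else None


def signing_domain(envelope_from, header_from, sign_domains):
    """Return (domain, reason) for the first candidate on the signing list.

    The SRS hash is NOT verified: the secret belongs to the system that did
    the rewrite. The embedded domain is therefore only a lookup key and is
    never used unless it is already on the configured signing list.
    """
    candidates = [
        ("envelope-from", domain_of(envelope_from)),             # behaviour described above
        ("srs-original", srs0_original_domain(envelope_from)),   # the question's suggestion
        ("header-from", domain_of(header_from)),                 # the Bugzilla proposal
    ]
    for reason, dom in candidates:
        if dom and dom in sign_domains:
            return dom, reason
    return None, "no-match"


if __name__ == "__main__":
    env = "SRS0=duAC=HO=cyberfusion.nl=wedwards@prorelay.nl"  # address from the log line
    hdr = "W Edwards <wedwards@cyberfusion.nl>"                # constructed From header
    print(signing_domain(env, hdr, {"cyberfusion.nl"}))
```

With only cyberfusion.nl on the signing list, the envelope-from check alone finds nothing to sign, which matches the log line in the first post.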
 
