DKIM with SRS

William Edwards

William Edwards

Well-Known Member
Proxmox Subscriber
May 20, 2017
174
18
58
Netherlands
cyberfusion.io
It has caught my attention that rewritten addresses with SRS are not signed with DKIM, because PMG looks at the domain after @ instead of the rewritten domain:

Code: 
not DKIM signing mail from SRS0=duAC=HO=cyberfusion.nl=wedwards@prorelay.nl

So in this case, email from cyberfusion.nl is signed with DKIM, but as the address is rewritten to originate from prorelay.nl, which is not configured to use DKIM, no DKIM signing takes place...

I'm no email expert, but shouldn't the rewritten domain be extracted from the rewritten address before evaluating if DKIM signing should take place?
 
Couldn't find anything definitive on the recommendations for SRS+DKIM - but to me the behavior of PMG seems all-right:
* the SRS rewrite happened at some downstream system of PMG (sending mails for prorelay.nl)
* PMG relays mail for this system (and not the original one - which sends mails for cyberfusion.nl) - and signs them as coming from this system

You can also just add prorelay.nl to the list of domains which should be DKIM signed (and add the TXT record for to that domain).

Else - we are planning to add support for signing based on the domain in the From header (as opposed to the envelop from) - see https://bugzilla.proxmox.com/show_bug.cgi?id=2971
maybe this would help in your case as well (no promises when this will get implemented though)

I hope this helps!
 
Stoiko Ivanov said:
Couldn't find anything definitive on the recommendations for SRS+DKIM - but to me the behavior of PMG seems all-right:
* the SRS rewrite happened at some downstream system of PMG (sending mails for prorelay.nl)
* PMG relays mail for this system (and not the original one - which sends mails for cyberfusion.nl) - and signs them as coming from this system

You can also just add prorelay.nl to the list of domains which should be DKIM signed (and add the TXT record for to that domain).

Else - we are planning to add support for signing based on the domain in the From header (as opposed to the envelop from) - see https://bugzilla.proxmox.com/show_bug.cgi?id=2971
maybe this would help in your case as well (no promises when this will get implemented though)

I hope this helps!
Click to expand...

I could not find any clear information on SRS and DKIM either. The change proposed in that bug report would indeed 'fix' this! I will add this thread to the Bugzilla bug.
 
You must log in or register to reply here.
Top Bottom