so we have PMG configured to sign all emails with DKIM, and have set up an SPF record and a DMARC record for our outgoing domain.
everything works nicely, except... spamreports generated by proxmox.
at least, spamreports directed at users that have set up a forward to an external domain.
afaict, the problem is as follows:
prequel
- our domain is `example.com`
- our PMG has the fqdn `mailgate.example.com`, which resolves to `203.0.113.178`; reverse lookup of the IP address yields `ip178.example.net` (for $reasons); because some mailservers refuse our mails if the `HELO` does not match the reverse lookup of the IP, the PMG postfix is configured with `smtp_helo_name = ip178.example.net`
- user "jane" (with a local email address `jane@example.com`) has left our company a while ago, and her account has been redacted. as a courtesy, we are forwarding all her emails to her new address `jane@example.org` by means of `/etc/aliases` on our main mailserver (the server behind the PMG)
- since the mail address has been around for some time, it receives a bit of spam.
the story
- PMG generates spamreport for the `jane@example.com` with an empty Return-path/envelope sender (`<>`), and a `From: Proxmox Mail Gateway <postmaster@mailgate.example.com>`
- the spamreport is sent to our internal mailserver `mail.example.com`
- our mailserver looks up the alias and forwards the mail to `jane@example.org` via our outgoing mailserver (the PMG)
- PMG attempts to add a DKIM-signature for the forwarded mail but fails (presumably because the sender domain is empty)
- PMG sends the email
Code:
```
Feb 02 07:05:29 mailgate pmg-smtp-filter[214493]: 211C1679F0B29A65F4: new mail message-id=<20250202060528.880E821C93@mailgate.example.com>
Feb 02 07:05:29 mailgate pmg-smtp-filter[214493]: 211C1679F0B29A65F4: Could not create DKIM-Signature - disabling Signing: no domain in sender e-mail
Feb 02 07:05:29 mailgate pmg-smtp-filter[214493]: 211C1679F0B29A65F4: accept mail to <jane@example.org.com> (D81F9212CF) (rule: default-accept)
Feb 02 07:05:29 mailgate pmg-smtp-filter[214493]: 211C1679F0B29A65F4: processing time: 0.248 seconds (0, 0.169, 0)
Feb 02 07:05:29 mailgate postfix/smtpd[216347]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (211C1679F0B29A65F4); from=<> to=<jane@example.org> proto=ESMTP helo=<mail.example.com>
```
- the next day I get a DMARC report from the example.org mailserver, claiming that all things went wrong.
here's an excerpt from the report:

XML:
```
<record>
  <row>
    <source_ip>203.0.113.178</source_ip>
    <count>1</count>
    <policy_evaluated>
      <disposition>none</disposition>
      <dkim>fail</dkim>
      <spf>fail</spf>
    </policy_evaluated>
  </row>
  <identifiers>
    <envelope_to>example.org</envelope_to>
    <envelope_from><></envelope_from>
    <header_from>mailgate.example.com</header_from>
  </identifiers>
  <auth_results>
    <spf>
      <domain>ip178.example.net</domain>
      <scope>helo</scope>
      <result>none</result>
    </spf>
  </auth_results>
</record>
```
afaict, the problem is really that the sender address is empty, and therefore
- the mail cannot be DKIM signed
- the receiver (presumably `example.org`) uses the helo name to fill in some default domains for both SPF and DKIM, which is plain wrong
so: how can i generate spamreports that pass DKIM/SPF validation even when forwarded to an external domain?
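
An added example, not part of the original post: a small diagnostic that reads a DMARC aggregate record like the one quoted above and lists why neither SPF nor DKIM produced an aligned pass against the `From:` domain. The sample record is constructed from the post's values, and `org_domain`, `aligned` and `explain_record` are hypothetical helper names; the two-label organizational-domain rule is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the record quoted in the post; the null
# envelope sender is an empty element here so that the XML is well-formed.
SAMPLE_RECORD = """
<record>
  <identifiers>
    <envelope_from></envelope_from>
    <header_from>mailgate.example.com</header_from>
  </identifiers>
  <auth_results>
    <spf><domain>ip178.example.net</domain><scope>helo</scope><result>none</result></spf>
  </auth_results>
</record>
"""

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # A real evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from):
    # Relaxed alignment: the organizational domains must match.
    return org_domain(auth_domain) == org_domain(header_from)

def explain_record(xml_text):
    rec = ET.fromstring(xml_text.strip())
    header_from = rec.findtext("identifiers/header_from", "")
    null_sender = not (rec.findtext("identifiers/envelope_from") or "").strip()
    passed, reasons = False, []
    for kind in ("spf", "dkim"):
        entries = rec.findall(f"auth_results/{kind}")
        if not entries:
            reasons.append(f"{kind}: no result reported")
        for e in entries:
            dom, res = e.findtext("domain", ""), e.findtext("result", "")
            scope = e.findtext("scope", "")
            # DMARC needs a pass from a domain aligned with the From: header.
            ok = res == "pass" and aligned(dom, header_from)
            passed = passed or ok
            if not ok:
                reasons.append(f"{kind}: {dom} scope={scope or '-'} result={res} "
                               f"aligned={aligned(dom, header_from)}")
    return {"header_from": header_from, "null_sender": null_sender,
            "dmarc_pass": passed, "reasons": reasons}

if __name__ == "__main__":
    for key, value in explain_record(SAMPLE_RECORD).items():
        print(key, "=", value)
```
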