PMG - adding a second domain

Mark-A

I have been running PMG for some time and it is working.
I have 2 domain names, a .com and a .net.
Until now all I had PMG doing was the .com.

I have now added my .net domain for the purpose of outgoing email only.
I added DNS entries just like the ones that are working for the .com.
When testing, GOOGLE rejects the email because DKIM failed.
returned from GOOGLE ===> Authentication results: 550-5.7.26 DKIM = did not pass

After double, then triple checking everything, I cloned the PMG and only changed IP addresses and removed the .com domain, and changed the IP address in DNS. I did NOT change DKIM, it's the same both in DNS and PMG.

The first email sent from a .net VM worked flawlessly. Others followed with no reject from GOOGLE.

So I now have PMG running twice, and all is working.

I am assuming that I should be able to do this with just one PMG.

Looking for ideas as to what I did wrong.
 
Please share the exact logs for these mails from the PMG.
Also the relevant config sections and your DKIM domains in the PMG config.
 
DKIM from DNS. Note I removed the double quotes, and I took the text data that gets chopped off and copy/pasted it separately. Also the entire error message is pasted in.

"v=DKIM1; h=sha256; k=rsa; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvWg5vHVNkJzTMUybbtJl9FNAYIVw7KvzZxzTtNj7SjFcUDQFoMRo+Bfz9BS6Hn0Z4zaD9R1abCgiITrAiMZNsrBuubxCBxV6km4Mh5kMpEE22XaWiaqcP7KczJ6EzRP+Wq2BXDSi36ybaDQRjrf5TKAtTuVVAIiwYuSq9UUaQIRk8n9rXqnERyE" "uPXmZ2s5zIZngq0r0ssZzSlH/qgpwpj4h+j0Jc3Zkzrafml5Rk6hbB3WYNJlM4t6TxDj4qZEMXbRkWDJV1ycCEQLwPUgLVxYyh7TJ3dnpvf/LDBJYa/IGqJWGlzagVtnjF+mWT59X2NeGEcTXp/oULWzZpflrMLaekJfqAf3WASRkfi9MXIDTCnv0/b9DIuGEWnpU/2L0h/GhpIlSKcfm/BEaEoGRKdImqg56Kaib9PEC/g6TaxtOmg4Et2QQsU" "vmm8yRjra0eHgOeIQ+1r1KYKpGTOxa1zvec0jD6hX7dhu7l06mZcZRI87AvlzwAagQIybc/tRrc1XjiIRUs4bTXDrbFz7QzS"


dkim from pmg:

 
Error message did not get into last reply, so here it is:

2024-01-05T04:30:54.802231+00:00 gateway postfix/smtpd[7939]: connect from unknown[2001:470:1d:223::1:3]
2024-01-05T04:30:54.810140+00:00 gateway postfix/smtpd[7939]: C5C46807DE: client=unknown[2001:470:1d:223::1:3]
2024-01-05T04:30:54.810521+00:00 gateway postfix/cleanup[7942]: C5C46807DE: message-id=<2WRtAmEixTNiBeNoclwiT48NTWFdeImlIVESHlJrQ@newfoundserver.net>
2024-01-05T04:30:54.812898+00:00 gateway postfix/smtpd[7939]: disconnect from unknown[2001:470:1d:223::1:3] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2024-01-05T04:30:54.813088+00:00 gateway postfix/qmgr[3938]: C5C46807DE: from=<www-data@webpage.newfoundserver.net>, size=1247, nrcpt=1 (queue active)
2024-01-05T04:30:54.886710+00:00 gateway pmg-smtp-filter[7810]: 8188E659785FED7E5C: new mail message-id=<2WRtAmEixTNiBeNoclwiT48NTWFdeImlIVESHlJrQ@newfoundserver.net>#012
2024-01-05T04:30:54.920018+00:00 gateway postfix/smtpd[7947]: connect from localhost.localdomain[127.0.0.1]
2024-01-05T04:30:54.921075+00:00 gateway postfix/smtpd[7947]: E0DA18191D: client=localhost.localdomain[127.0.0.1], orig_client=unknown[2001:470:1d:223::1:3]
2024-01-05T04:30:54.963878+00:00 gateway postfix/cleanup[7942]: E0DA18191D: message-id=<2WRtAmEixTNiBeNoclwiT48NTWFdeImlIVESHlJrQ@newfoundserver.net>
2024-01-05T04:30:54.966862+00:00 gateway postfix/qmgr[3938]: E0DA18191D: from=<www-data@webpage.newfoundserver.net>, size=2439, nrcpt=1 (queue active)
2024-01-05T04:30:54.966904+00:00 gateway postfix/smtpd[7947]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-01-05T04:30:54.967005+00:00 gateway pmg-smtp-filter[7810]: 8188E659785FED7E5C: accept mail to <markarnaldo1@gmail.com> (E0DA18191D) (rule: default-accept)
2024-01-05T04:30:54.968848+00:00 gateway pmg-smtp-filter[7810]: 8188E659785FED7E5C: processing time: 0.082 seconds (0, 0.017, 0)
2024-01-05T04:30:54.969139+00:00 gateway postfix/lmtp[7943]: C5C46807DE: to=<markarnaldo1@gmail.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.16, delays=0.01/0.03/0.04/0.09, dsn=2.5.0, status=sent (250 2.5.0 OK (8188E659785FED7E5C))
2024-01-05T04:30:54.969207+00:00 gateway postfix/qmgr[3938]: C5C46807DE: removed
2024-01-05T04:31:26.110081+00:00 gateway postfix/smtp[7948]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:4023:1413::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1)
2024-01-05T04:31:26.694112+00:00 gateway postfix/smtp[7948]: E0DA18191D: to=<markarnaldo1@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4023:1413::1b]:25, delay=32, delays=0.05/0.03/31/0.39, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:4023:1413::1b] said: 550-5.7.26 This mail has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [webpage.newfoundserver.net] with ip: [2001:470:1d:223::ffff] = 550-5.7.26 did not pass 550-5.7.26 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication p13-20020a0cf54d000000b0067fe06ad843si988994qvm.518 - gsmtp (in reply to end of DATA command))
2024-01-05T04:31:26.697403+00:00 gateway postfix/qmgr[3938]: E0DA18191D: removed
 
seems the txt-record is not set correctly - see e.g.: https://easydmarc.com/tools/dkim-lookup?domain=newfoundserver.com&selector=zippy


It's probably best to ask your provider how to enter it correctly but - after looking through the pasted text and the screenshot from PMG (please post this as plain-text in code blocks next time as visually scanning base64 encoded 4096 public keys is really painful) - this part:
1r1KYKpGTOxa1zvec0jD6hX7dhu7l06mZcZRI87AvlzwAagQIybc/tRrc1XjiIRUs4bTXDrbFz7QzS
seems wrong in your DNS-record...
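
The kind of copy/paste damage discussed above can be checked offline. The following is an added example, not part of the original thread and not PMG code: it joins the quoted TXT strings, decodes `p=`, and compares the length declared in the DER header with the bytes actually present. The function names and the sample record (a filler blob, not a real key) are constructed for illustration.

```python
import base64
import re

def parse_dkim_txt(rdata):
    """Join the quoted TXT character-strings, then split into tag=value pairs."""
    chunks = re.findall(r'"([^"]*)"', rdata)
    joined = "".join(chunks) if chunks else rdata
    tags = {}
    for part in joined.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def check_dkim_key(rdata):
    """Compare the DER length declared inside p= with the bytes actually present."""
    p = parse_dkim_txt(rdata).get("p", "")
    if not p:
        return {"complete": False, "problem": "p= tag missing or empty"}
    if len(p) % 4:
        return {"complete": False, "problem": "base64 length not a multiple of 4"}
    try:
        der = base64.b64decode(p, validate=True)
    except ValueError:
        return {"complete": False, "problem": "p= is not valid base64"}
    if len(der) < 2 or der[0] != 0x30:
        return {"complete": False, "problem": "p= does not start with a DER SEQUENCE"}
    if der[1] < 0x80:                       # short-form length
        header, body = 2, der[1]
    else:                                   # long-form: next n bytes hold the length
        n = der[1] & 0x7F
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    missing = header + body - len(der)
    problem = None if missing == 0 else ("truncated" if missing > 0 else "trailing data")
    return {"complete": missing == 0, "expected": header + body,
            "actual": len(der), "missing": missing, "problem": problem}

def constructed_record(drop_chars=0):
    """Constructed sample: DER header announcing 550 bytes plus filler, NOT a real key."""
    fake_der = bytes([0x30, 0x82, 0x02, 0x22]) + bytes(546)
    b64 = base64.b64encode(fake_der).decode()
    record = "v=DKIM1; h=sha256; k=rsa; p=" + b64[:len(b64) - drop_chars]
    # Split into <=255-character strings, the way long TXT records are published.
    return " ".join(f'"{record[i:i + 255]}"' for i in range(0, len(record), 255))

if __name__ == "__main__":
    print(check_dkim_key(constructed_record()))
    print(check_dkim_key(constructed_record(drop_chars=100)))
```

Feeding it the TXT value exactly as the resolver returns it shows whether the published key is complete before any mail is sent.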
 
Please verify, I think I may have found a bug?!

2048 works.

Look at these differences, this is what PMG generates for 2048.
The spot to look at is the very end,
" ) ; ----- DKIM key zippy
This appears for 1024 and 2048.

Now compare that to a 4096.

I have tried to stretch the window, but all I get is more black, not more data.
The end is missing. I also tried 8192 and it looks the same.
 
Good morning, got a DMARC report back from Gmail and it looks like the DKIM is now working. Here is the extract:

<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>

So that proves the 2048 works.

It would be nice if PMG would process DMARC reports to help with diagnosing problems.
 
OK, now back to the original problem: adding a second domain gets failures at Google.
.com works
.net fails

I have done an SPF and DKIM check and both pass.

It appears that both SPF and DKIM fail. This is the failure from the PMG log:
2024-01-11T20:05:21.561132+00:00 gateway postfix/smtpd[55512]: connect from unknown[2001:470:1d:223::1:3]
2024-01-11T20:05:21.569251+00:00 gateway postfix/smtpd[55512]: 8AF3E819EC: client=unknown[2001:470:1d:223::1:3]
2024-01-11T20:05:21.569658+00:00 gateway postfix/cleanup[55515]: 8AF3E819EC: message-id=<Z2VYQfSMjg0PIHaTEbcPA7zEi1Q77VdjCbxgGWAt8@newfoundserver.net>
2024-01-11T20:05:21.571590+00:00 gateway postfix/smtpd[55512]: disconnect from unknown[2001:470:1d:223::1:3] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2024-01-11T20:05:21.571821+00:00 gateway postfix/qmgr[55066]: 8AF3E819EC: from=<www-data@webpage.newfoundserver.net>, size=1248, nrcpt=1 (queue active)
2024-01-11T20:05:21.647037+00:00 gateway pmg-smtp-filter[50082]: 819EF65A04A019D4F3: new mail message-id=<Z2VYQfSMjg0PIHaTEbcPA7zEi1Q77VdjCbxgGWAt8@newfoundserver.net>#012
2024-01-11T20:05:21.675780+00:00 gateway postfix/smtpd[55520]: connect from localhost.localdomain[127.0.0.1]
2024-01-11T20:05:21.676860+00:00 gateway postfix/smtpd[55520]: A53B1819F0: client=localhost.localdomain[127.0.0.1], orig_client=unknown[2001:470:1d:223::1:3]
2024-01-11T20:05:21.720009+00:00 gateway postfix/cleanup[55515]: A53B1819F0: message-id=<Z2VYQfSMjg0PIHaTEbcPA7zEi1Q77VdjCbxgGWAt8@newfoundserver.net>
2024-01-11T20:05:21.723061+00:00 gateway postfix/smtpd[55520]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-01-11T20:05:21.723140+00:00 gateway postfix/qmgr[55066]: A53B1819F0: from=<www-data@webpage.newfoundserver.net>, size=2085, nrcpt=1 (queue active)
2024-01-11T20:05:21.723196+00:00 gateway pmg-smtp-filter[50082]: 819EF65A04A019D4F3: accept mail to <markarnaldo1@gmail.com> (A53B1819F0) (rule: default-accept)
2024-01-11T20:05:21.725157+00:00 gateway pmg-smtp-filter[50082]: 819EF65A04A019D4F3: processing time: 0.078 seconds (0, 0.016, 0)
2024-01-11T20:05:21.725445+00:00 gateway postfix/lmtp[55516]: 8AF3E819EC: to=<markarnaldo1@gmail.com>, relay=127.0.0.1[127.0.0.1]:10023, delay=0.16, delays=0.01/0.03/0.04/0.08, dsn=2.5.0, status=sent (250 2.5.0 OK (819EF65A04A019D4F3))
2024-01-11T20:05:21.725506+00:00 gateway postfix/qmgr[55066]: 8AF3E819EC: removed
2024-01-11T20:05:52.916681+00:00 gateway postfix/smtp[55521]: Trusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:4023:1009::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1)
2024-01-11T20:05:53.539705+00:00 gateway postfix/smtp[55521]: A53B1819F0: to=<markarnaldo1@gmail.com>, relay=gmail-smtp-in.l.google.com[2607:f8b0:4023:1009::1b]:25, delay=32, delays=0.05/0.03/31/0.41, dsn=5.7.26, status=bounced (host gmail-smtp-in.l.google.com[2607:f8b0:4023:1009::1b] said: 550-5.7.26 This mail has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [webpage.newfoundserver.net] with ip: [2001:470:1d:223::ffff] = 550-5.7.26 did not pass 550-5.7.26 550-5.7.26 For instructions on setting up authentication, go to 550 5.7.26 https://support.google.com/mail/answer/81126#authentication lv27-20020a056871439b00b00205f07b3172si632106oab.240 - gsmtp (in reply to end of DATA command))
2024-01-11T20:05:53.542987+00:00 gateway postfix/qmgr[55066]: A53B1819F0: removed


Here are screenshots of the configuration from PMG:

This is what is defined in the DNS, only 1 entry allowed for the reverse.

Hit max attachments - continued in second posting.
 
Continued from previous posting.....

.com text data
"v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi0vQoYFOGnZ+EBo7d4jsD6TRTgtq7UNGt4AgxojepHbTTz58H5Zhpyb9Ra78byC5Gb/zA6OP8U2u0w7y1LpcwlZIrYl3lxkz2rhIFh4eHmCwxG7M5+KeO0RexKz1Yf7IIM2blUBIoD9+2AfpyOlfwXtPyyg7mzr7kPXudwn2jVf43V0ANRnNB3FyAciNN4CnBHePUEF2vNoqTS" "AXedmHEixNdh3v6gHLBNuJhJOlk/3Y7wBmbIWrk5GhM+QSWt2Pn7kwyJtuv79D0l08JWJLW9w+4TX5iP9nEDISky5H3teQXy82TEKZP+faTA3nDyYGHjL1IflyaA76chiNe0ckPQIDAQAB"

.net text data
"v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi0vQoYFOGnZ+EBo7d4jsD6TRTgtq7UNGt4AgxojepHbTTz58H5Zhpyb9Ra78byC5Gb/zA6OP8U2u0w7y1LpcwlZIrYl3lxkz2rhIFh4eHmCwxG7M5+KeO0RexKz1Yf7IIM2blUBIoD9+2AfpyOlfwXtPyyg7mzr7kPXudwn2jVf43V0ANRnNB3FyAciNN4CnBHePUEF2vNoqTS" "AXedmHEixNdh3v6gHLBNuJhJOlk/3Y7wBmbIWrk5GhM+QSWt2Pn7kwyJtuv79D0l08JWJLW9w+4TX5iP9nEDISky5H3teQXy82TEKZP+faTA3nDyYGHjL1IflyaA76chiNe0ckPQIDAQAB"


.com text data
"v=DMARC1; p=none; pct=100; rua=mailto:re+eda9pw65q0g@dmarc.postmarkapp.com,mailto:dmarc@newfoundserver.com; sp=none; aspf=r;"

.net text data
"v=DMARC1; p=none; pct=100; rua=mailto:re+oywua330s4a@dmarc.postmarkapp.com,mailto:dmarc@newfoundserver.net; sp=none; aspf=r;"
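
The bounce lines in the logs above carry the exact identity and address Gmail evaluated. The following is an added example, not part of the original thread: it pulls those fields out of Postfix log lines so they can be compared with the envelope sender and the published records. The regular expressions, function name and sample lines (documentation domains and addresses) are constructed for illustration.

```python
import re

FROM = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
BOUNCE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>.*?"
                    r"dsn=5\.7\.26, status=bounced \((?P<reply>.*)\)$")
MARKER = re.compile(r"550[- ]5\.7\.26")          # SMTP multi-line reply prefix
DKIM = re.compile(r"DKIM = (?P<result>did not pass|pass)")
SPF = re.compile(r"SPF \[(?P<domain>[^\]]+)\] with ip: \[(?P<ip>[^\]]+)\] = "
                 r"(?P<result>did not pass|pass)")

def auth_failures(lines):
    """Return one record per 5.7.26 bounce with the identities the receiver checked."""
    senders, found = {}, []
    for line in lines:
        m = FROM.search(line)
        if m:
            senders[m["qid"]] = m["sender"]      # envelope sender per queue id
            continue
        m = BOUNCE.search(line)
        if not m:
            continue
        # Postfix flattens the multi-line reply; drop the repeated status markers.
        reply = " ".join(MARKER.sub(" ", m["reply"]).split())
        dkim, spf = DKIM.search(reply), SPF.search(reply)
        found.append({
            "qid": m["qid"],
            "rcpt": m["rcpt"],
            "envelope_from": senders.get(m["qid"]),
            "dkim": dkim["result"] if dkim else None,
            "spf_domain": spf["domain"] if spf else None,
            "spf_ip": spf["ip"] if spf else None,
            "spf": spf["result"] if spf else None,
        })
    return found

# Constructed sample lines in the same shape as the log excerpt above.
SAMPLE = [
    "2024-01-01T00:00:00+00:00 gw postfix/qmgr[100]: ABC123DEF0: "
    "from=<www-data@web.example.net>, size=2085, nrcpt=1 (queue active)",
    "2024-01-01T00:00:31+00:00 gw postfix/smtp[101]: ABC123DEF0: to=<user@example.org>, "
    "relay=mx.example.org[2001:db8::25]:25, delay=32, dsn=5.7.26, status=bounced "
    "(host mx.example.org[2001:db8::25] said: 550-5.7.26 This mail has been blocked. "
    "550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 "
    "SPF [web.example.net] with ip: [2001:db8::ffff] = 550-5.7.26 did not pass "
    "550-5.7.26 (in reply to end of DATA command))",
]

if __name__ == "__main__":
    for record in auth_failures(SAMPLE):
        print(record)
```

The `spf_domain` and `spf_ip` values are the name and address whose SPF record and reverse DNS need to be looked up.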