PMG DKIM Config

soapee01

Active Member
Sep 7, 2016
31
2
28
67
I'm just leaving this here so it may help other people. I've been screwing with this for several hours to get it working.

Originally here is what I did to get the keys

  1. enable DKIM
  2. create selector (pmg2021)
  3. tick the box to sign outgoing mail.
  4. View the DNS
  5. change DNS records
  6. add a domain to sign.
DKIM would never come up as valid, no matter what I did. MXTOOLBOX tests (and others) would show that it was a valid DKIM record.

Google would return something like this:
Code:
ARC-Authentication-Results: i=1; mx.google.com;
      dkim=fail header.i=@example.com header.s=pmg2021 header.b=PRuLiID1;

The fix was to re-generate the keys. I cannot find the public key on the system anywhere, but you can tell that the private key gets re-written by looking at /etc/pmg/dkim/pmg2021.private

I'd like to use something like below to verify that the keys are right if anyone can point in the correct direction (verify the fingerprint)
Code:
ssh-keygen -l -f /etc/pmg/dkim/pmg2021.private
ssh-keygen -l -f /etc/pmg/PUBLIC_KEY_WHERE-EVER-YOU-ARE

Basically:
  1. edit selector
  2. leave it as PMG2021 with key size 2048
  3. tick the overwrite existing file box
  4. click the view DNS Record button

Also Note: Both values are required for the DKIM record. I'm not used to seeing it this way, and that caused problems as well.

The text record ends up looking something like:
Selector
Code:
pmg2021._domainkey
Value
Code:
"v=DKIM1; h=sha256; k=rsa; "p=first_long_key_from_pmg" "second_shorter_key_from_pmg"

Validate with mxtoolbox dkim checker

Test Google again
Code:
ARC-Authentication-Results: i=1; mx.google.com;
      dkim=pass header.i=@example.com header.s=pmg2021 header.b=YxEWmdGn;
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
6,850
1,038
164
The fix was to re-generate the keys. I cannot find the public key on the system anywhere
The public key can be computed from the private key and is thus not stored on disk

In any case thanks for sharing your findings! :)
 

dthompson

Active Member
Nov 23, 2011
139
10
38
Canada
www.digitaltransitions.ca
The public key can be computed from the private key and is thus not stored on disk
Can you please share how to do this? I'm trying to do that myself and cannot figure it out.

I've tried things similar to this, but none of them seem to be working:
ssh-keygen -y -f mail.private > mail.public


UPDATE: I solved my own issue for anyone looking to do this. Nice little web GUI here:
https://8gwifi.org/pempublic.jsp
 
Last edited:

dthompson

Active Member
Nov 23, 2011
139
10
38
Canada
www.digitaltransitions.ca
I used this one and its working for me.
https://www-sysadminsdecuba-com.tra...uto&_x_tr_tl=en&_x_tr_hl=en-US&_x_tr_pto=wapp

If i send email from inside the pmg command prompt the mail is signed with DKIM. But if i send it through mail client ( Outlook - we have Exchange 2016 on premises) the DKIM fails.
Are you signing all your domains with the DNS Record?
Is your exchange using the PMG as a smart host or sending directly? If sending directly, then you need to extract your key above and install it on the exchange server to sign all outgoing emails.

I have it setup as Mail Client --> Send to mail server --> Mail server relays to PMG smart host --> PMG signs DKIM and sends.

In my case, why I asked the question on how to extract the DKIM is I have a customer that has PMG for their front end, but they have another server outside thats part of all their DKIM / DMARC / SPF records, but it is used as bulk mailer and doesn't relay off of the smart host.

They were getting flagged as spam by the missing DKIM record so I needed to add it directly.
 

treloskilo

Member
Aug 12, 2021
57
4
8
46
Mail Client --> Send to mail server --> Mail server relays to PMG smart host --> PMG signs DKIM and sends.

PMG on Exchange is Smarthost

This is what i get from google

Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@domain.com header.s=hg header.b=y3nGPgv4;
spf=pass (google.com: domain of user@domain.com designates x.x.x.x as permitted sender) smtp.mailfrom=user@domain.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=domain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=hg; t=1648821881; bh=zKlHdGOOcf...=; h=From:To:Subject; Date;
b=y3nGPgv4rz.....
 
Last edited:

dthompson

Active Member
Nov 23, 2011
139
10
38
Canada
www.digitaltransitions.ca
Are you signing the DKIM in the outgoing messages in PMG?

Is your exchange server adding its own and sending and over riding your PMG Record?

I know your said PMG is signing it, but is exchange injecting its own?
 

treloskilo

Member
Aug 12, 2021
57
4
8
46
Exchange server is not having DKIM. In fact in local dns (DOMAIN CONTROLLER) i have put the same TXT for DKIM record as it is in our pubic DNS provider.
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
6,850
1,038
164
dkim=neutral (body hash did not verify)
* what's the output of `pmgversion -v` ?
* do you by any chance have a Exclaimer rule configured with a very long text/line?
 

treloskilo

Member
Aug 12, 2021
57
4
8
46
Hello
I have found it out. What is causing the DKIM to fail is the antivirus check from Watchguard firewall. I had enabled an outgoing rule to scan the messages. Since i disabled it DKIM works fine.
 
  • Like
Reactions: Stoiko Ivanov

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get your own in 60 seconds.

Buy now!