Proxmox Mail Gateway DKIM Configuration

Hugo Almeida

Jul 15, 2019
Good afternoon,

You want instructions for setting up DKIM functionality on the Proxmox Mail Gateway.

Please, if anyone can guide me.

Thanks in advance for your attention.

Sincerely,

Hugo Almeida
 
Good Morning,

I need help deploying DKIM on Proxmox Mail Gateway.

We are trying to copy the DNS TXT record, but get a syntax error. Please, any help would help me a lot.
 
Which exact error do you get? (a text description or screenshot) Otherwise it's a bit hard to provide help.

The TXT-record as shown by PMG is in the same format as the ones generated by opendkim-genkey - maybe your DNS-provider can help you with those?

Last but not least you could try pasting the complete key, by removing the spaces and " characters between the individual chunks - e.g.
Code:
selector._domainkey    IN    TXT    "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA41ZFc6I9/T5TggcPkewql/FOl+iboU1P5Rveo3D4ACDZ1pfSfnlCRwpL09EXnVcaWIXeR8ERLqPBvE6n1CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

I hope this helps
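
The join suggested above, as an added example that is not part of the original thread and is not PMG or opendkim code: it concatenates the quoted chunks of a chunked TXT record into the single value to paste, then checks that the result still parses as a DKIM key record. The sample record and its key material are constructed placeholders, and the function names are hypothetical.

```python
import base64
import re

# Constructed placeholder: 294 arbitrary bytes (the size of a 2048-bit RSA
# public key in DER form), base64-encoded. It is not a usable key.
PLACEHOLDER_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()

# Constructed record in the chunked zone-file layout opendkim-genkey writes.
CHUNKED_RECORD = (
    'selector._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'\t  "p={PLACEHOLDER_KEY[:200]}"\n'
    f'\t  "{PLACEHOLDER_KEY[200:]}" )  ; ----- DKIM key selector\n'
)

def join_txt_chunks(record):
    """Concatenate the quoted chunks of a TXT record into one value."""
    chunks = re.findall(r'"([^"]*)"', record)
    if not chunks:
        raise ValueError("no quoted TXT chunks found")
    return "".join(chunks)

def parse_tags(value):
    """Split 'v=DKIM1; k=rsa; p=...' into a {tag: value} dictionary."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def check_dkim_record(value):
    """Return a list of problems found in a joined DKIM key record."""
    tags = parse_tags(value)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag missing or not DKIM1")
    key = tags.get("p", "")
    try:
        if not base64.b64decode(key, validate=True):
            problems.append("p= tag missing or empty")
    except ValueError:
        problems.append("p= is not valid base64 (leftover quote or cut-off paste?)")
    return problems

if __name__ == "__main__":
    joined = join_txt_chunks(CHUNKED_RECORD)
    print(joined)
    print(check_dkim_record(joined) or "record looks well-formed")
```

A single DNS character-string is limited to 255 bytes, so whether the joined value is accepted as one string depends on the DNS provider's interface.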
 
Good Morning,

I made all the configurations as instructed and performed an email test; parsing the header shows an error (dkim = fail (no signature key)).

Attached is the print of the error.

Thanks in advance for your attention.

Sincerely,

Hugo Almeida
 

the whole Authentication result header indicates that the mail-server providing it has a DNS Problem?

Without the selector and sender domain (the DKIM-Signature header) it is hard to verify where the problem actually is

I hope this helps!
 
Then all emails sent when parsing the header check for this error.

Following is our configuration on the PMG console and the directory structure on the PMG server.

No right TXT DNS entered as the application teaches us.

Sincerely,

Hugo Almeida
 

A few things:
* don't enable 'Sign all Outgoing Mail' - if you have a domain for which you want to sign mails (al.mt.gov.br)

The selector almt.private on PMG is a valid RSA key (otherwise you would not be able to view the TXT record)

checking here - it seems that you have not entered the TXT record in the Zone al.mt.gov.br:
Code:
$ dig txt almt._domainkey.al.mt.gov.br

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> txt almt._domainkey.al.mt.gov.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58971
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;almt._domainkey.al.mt.gov.br.    IN    TXT

;; AUTHORITY SECTION:
al.mt.gov.br.        1718    IN    SOA    serv05.al.mt.gov.br. root.al.mt.gov.br. 2015083000 43200 900 1814400 7200

;; Query time: 0 msec
;; SERVER: 192.168.2.15#53(192.168.2.15)
;; WHEN: Wed Dec 18 17:02:24 CET 2019
;; MSG SIZE  rcvd: 105

You need to add a text record for each domain you want to sign - in the domain's DNS records!

Please provide a DKIM-Signature header as created by PMG if you need further help in debugging
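
The check described in this answer, as an added example that is not part of the original thread: it reads the `s=` and `d=` tags of a message's DKIM-Signature header to build the name to pass to `dig txt`, and interprets the status lines of the dig output. The message is constructed (its `bh=` and `b=` values and the sender address are placeholders), and the function names are hypothetical.

```python
import re
from email import message_from_string

# Constructed message: d= and s= match the thread's domain and selector;
# bh= and b= are placeholders, not real hash or signature values.
RAW_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=al.mt.gov.br;\n"
    "\ts=almt; h=from:to:subject; bh=PLACEHOLDER;\n"
    "\tb=PLACEHOLDER\n"
    "From: sender@al.mt.gov.br\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# The two status lines from the dig output posted in the thread.
DIG_OUTPUT = (
    ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58971\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n"
)

def dkim_key_names(raw_message):
    """Return the DNS name of the public key for each DKIM-Signature header."""
    names = []
    for header in message_from_string(raw_message).get_all("DKIM-Signature", []):
        tags = {}
        for part in str(header).split(";"):
            name, sep, val = part.partition("=")
            if sep:
                # Header folding leaves whitespace inside values; drop it.
                tags[name.strip()] = "".join(val.split())
        if "s" in tags and "d" in tags:
            names.append(f"{tags['s']}._domainkey.{tags['d']}")
    return names

def key_published(dig_output):
    """True only if dig reported NOERROR with at least one answer record."""
    match = re.search(r"status: (\w+).*?ANSWER: (\d+)", dig_output, re.S)
    if not match:
        raise ValueError("not dig output")
    return match.group(1) == "NOERROR" and int(match.group(2)) > 0

if __name__ == "__main__":
    for name in dkim_key_names(RAW_MESSAGE):
        print(name, "published" if key_published(DIG_OUTPUT) else "NOT published")
```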
 
Hi @Stoiko Ivanov ,
I have more than one domain name. How should I go about signing them all?
 
if possible please open a new thread instead of answering one which is 10 months old

else - add all your domains to 'Sign Domains' in GUI->Configuration->Mail Proxy->DKIM
 
I did not open a new topic to prevent forum pollution. I will pay attention from now on, thank you. Overall I created a selector. I added the DNS record and it works successfully. My next job will be to enter this DNS record for all domains.



 
