SMIME problem with PM6

spaxxilein

Oct 8, 2019
Some of the encrypted SMIME mails will show certificate error after decrypting in Outlook. If I deactivate Proxmox and send mails directly to the Exchange Server there is no more problem. It seems that PM is tampering with the mails. Does somebody know how to deactivate inspecting decrypted mails?

Thanks in advance!
 
hm - virus scanning happens quite unconditionally, but you should be able to prevent encrypted mails from being run through SpamAssassin, by creating a rule with high priority (above all rules which do match on spam-score) and simply accepting those mails. You need to find a deterministic way of identifying S/MIME encrypted mails (probably a specific present header field or content-type of the mail).

I hope this helps!
 
Unfortunately I have no clue how to define an object that only contains encrypted SMIME mails. If somebody has an idea I would be very thankful.

Thanks in advance.
 
If you could post an anonymized S/MIME email as .eml - that would help quite a lot.
additionally the logs for such a mail might be helpful.
 
Code:
Oct 8 14:09:30 pmg postfix/smtpd[1398]: connect from XXXXX]
Oct 8 14:09:30 pmg postfix/smtpd[1398]: Anonymous TLS connection established from XXXXXX: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 8 14:09:31 pmg postfix/smtpd[1398]: 0D75641DB1: client=XXXX]
Oct 8 14:09:31 pmg postfix/cleanup[1402]: 0D75641DB1: message-id=<4a440bb7ad36470792daf44e7f8d8af0@199EXL14.XXXXX>
Oct 8 14:09:31 pmg postfix/smtpd[1398]: disconnect from XXXXXX] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 8 14:09:31 pmg postfix/qmgr[768]: 0D75641DB1: from=<Kevin.XXXX.de>, size=46314, nrcpt=1 (queue active)
Oct 8 14:09:32 pmg pmg-smtp-filter[995]: 218335D9C7C7BBA56F: new mail message-id=<4a440bb7ad36470792daf44e7f8d8af0@199EXL14.XXXXXX>#012
Oct 8 14:09:35 pmg pmg-smtp-filter[995]: 218335D9C7C7BBA56F: SA score=0/5 time=3.330 bayes=undefined autolearn=ham autolearn_force=no hits=DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),JMQ_SPF_NEUTRAL(0.5),RCVD_IN_DNSWL_MED(-2.3),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URIBL_BLOCKED(0.001)
Oct 8 14:09:35 pmg postfix/smtpd[1428]: connect from localhost.localdomain[127.0.0.1]
Oct 8 14:09:35 pmg postfix/smtpd[1428]: D696041DB6: client=localhost.localdomain[127.0.0.1], orig_client=XXXXX]
Oct 8 14:09:35 pmg postfix/cleanup[1403]: D696041DB6: message-id=<4a440bb7ad36470792daf44e7f8d8af0@199EXL14.XXXXXX>
Oct 8 14:09:35 pmg postfix/qmgr[768]: D696041DB6: from=<Kevin.XXXXXX.de>, size=47470, nrcpt=1 (queue active)
Oct 8 14:09:35 pmg pmg-smtp-filter[995]: 218335D9C7C7BBA56F: accept mail to <XXXXXXX.de> (D696041DB6) (rule: default-accept)
Oct 8 14:09:35 pmg postfix/smtpd[1428]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Oct 8 14:09:36 pmg pmg-smtp-filter[995]: 218335D9C7C7BBA56F: processing time: 4.127 seconds (3.33, 0.218, 0)
Oct 8 14:09:36 pmg postfix/lmtp[1404]: 0D75641DB1: to=<XXXXX.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.1, delays=0.16/0.39/0.2/4.3, dsn=2.5.0, status=sent (250 2.5.0 OK (218335D9C7C7BBA56F))
Oct 8 14:09:36 pmg postfix/qmgr[768]: 0D75641DB1: removed
Oct 8 14:09:36 pmg postfix/smtp[1431]: D696041DB6: to=<XXXXX.de>, relay=192.168.0.18[192.168.0.18]:25, delay=0.4, delays=0.07/0.21/0.01/0.11, dsn=2.6.0, status=sent (250 2.6.0 <4a440bb7ad36470792daf44e7f8d8af0@199EXL14.XXXX> [InternalId=39608188403721, Hostname=XXXXX.local] 48836 bytes in 0.093, 511,497 KB/sec Queued mail for delivery)
Oct 8 14:09:36 pmg postfix/qmgr[768]: D696041DB6: removed

I cannot send you the .eml data, but please find the PMG log attached.
 
hmm - could you maybe post an anonymized test-mail (send one to yourself with no relevant information and anonymize the readable parts )?

in any case the concrete error-message you get from exchange/outlook would also be helpful...

you could also save the mail somewhere on the way before it passes through PMG and the one after and compare both - maybe you will see where the problem is introduced...
 
Outlook says it cannot verify if the mail has been tampered with. When I route mails directly to the Exchange server without going through the Proxmox, there is no error with the certificate. I cannot send signed mail to myself because it will be routed internally on the Exchange and therefore not pass through Proxmox. Please see attached screenshot.
 

hm - save the email after it went through pmg in full and the same e-mail without passing it through pmg and compare both (I'd use vimdiff)

any information what is wrong when you click on the 'Signaturschaltfläche' ?
 
I don't know how to save the mail before going to PMG.... If I click on "Signaturschaltfläche" it says: The digital signature is invalid or not trustable. Please click on Details to get more information. If I click details it says: "The content of the message has maybe been changed. Signed by XXX with RSA/SHA256 at 15:50:39 08.10.2019"

EDIT: I think this must be a bug in Proxmox... I have added the sender to my whitelist, which according to the Help documents and the "User Whitelist"-page "With this feature, you can manually bypass spam checking for certain domains or E-mail addresses. ". But according to the logfile the mail is still being processed by the SMTP Filter plugin of PMG.

Code:
Oct 8 16:32:17 pmg pmg-smtp-filter[7338]: 2001A5D9C9DEDAE978: SA score=0/5 time=3.596 bayes=undefined autolearn=ham autolearn_force=no hits=AWL(-1.025),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_BLOCKED(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),URIBL_BLOCKED(0.001)
 
I don't know how to save the mail before going to PMG.... If I click on "Signaturschaltfläche" it says: The digital signature is invalid or not trustable. Please click on Details to get more information. If I click details it says: "The content of the message has maybe been changed. Signed by XXX with RSA/SHA256 at 15:50:39 08.10.2019"

* send it once through pmg, and a second time directly to the exchange
* get the full mails (as eml)
* diff both mails

EDIT: I think this must be a bug in Proxmox... I have added the sender to my whitelist, which according to the Help documents and the "User Whitelist"-page "With this feature, you can manually bypass spam checking for certain domains or E-mail addresses. ". But according to the logfile the mail is still being processed by the SMTP Filter plugin of PMG.
hmm - I guess our documentation could profit from a bit more clarification...
PMG has 3 levels of whitelists:
* the mail-proxy-whitelist (GUI->Configuration->Mail Proxy->Whitelist):
adding items there bypasses:
** greylisting
** the spf-check in the mailproxy (not the checks working with SPF inside SpamAssassin)
** various early checks in postfix/postscreen
* the Whitelist, a Who-Object, which can be used in the rule-system (GUI->Mail Filter) - here you can add the domain/ip/..., but you need to create a dedicated rule with high priority (higher than any rule which has a what-object with Spam) and an action of Accept.
* the User-Whitelist - where individual users/mailboxes can whitelist mail-senders, to prevent the mails from entering the quarantine (this happens by giving whitelisted mails a very low SpamAssassin score) - but this happens after the mail has passed through SpamAssassin (and might have been modified on the way)

I hope this helps!
 
Hello Stoiko,

yes this helps, but why does the WHO object rule not work? "Content-Type: application/pkcs7-mime" is my What object, Whitelist is my from object and Action-object is just Accept. Still the mail goes through SMTP-Filter pmg Plugin.

If I send the same mail twice once through PMG and once direct, direct has certificate issues, direct no issues at all. So it is clear that the error comes from PMG.

Any ideas what i am doing wrong with the mail filter?

Thanks for your help mate.
 
I just tried this here - and as far as the spam-header is concerned - if you add sender or recipient to a whitelist with a higher priority than any of the rules that add/modify the header the mail passes through mostly unchanged (since it gets processed and decomposed there is no guarantee that the output will be byte-by-byte identical to the input).

In any case in my testsetup a mail passing through PMG (with a whitelist) even retains a valid DKIM-Signature

In order to know where the problem is we need to understand where the difference between the mail that goes directly into your exchange and the one that passes through PMG is - otherwise this is rather hopeless guesswork. - You can save both e-mails as .eml or start by examining their full headers...

I hope this helps!
 
Hello Stoiko,

I still have the same issue. I examined two mails from this domain: one passed without issues, the other has signature issues.

What i have from the email header is, that one mail (which works fine) has:

Code:
Received-SPF: pass (XXXX.de: XXX.XXX.XXX.XX is authorized to use 'XXXX.XXXXX@XXXXX.de' in 'mfrom' identity (mechanism 'mx:XXXXX' matched)) receiver=XXXXX.de; identity=mailfrom; envelope-from="XXXX.XXXXX@XXXX.de"; helo=mgate02.XXXXXX.com; client-ip=XXX.XXX.XXX.XX

The other mail, which has the signature issues, does not have that SPF pass. Could that be the issue? If yes, do you have any idea what's the reason?

Regards,
spaxxilein
 
hmm - quick question:
* do both mails have a DKIM-Signature header - and if so - what's written in the 'h=...' part of the signature
(if in doubt paste the whole header and remove the domain-names)
 
Hello Stoiko,

yes both have DKIM-Signature, h=From:To:Date; for both messages.

If the message is encrypted the mail comes through without any issues, just signed is a problem.

PMG Mail Header:

Code:
Received: from XXXXX.np.local (192.168.0.18) by XXXXX.np.local
(192.168.0.18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3 via Mailbox
Transport; Tue, 8 Oct 2019 14:09:36 +0200
Received: from XXXX.np.local (192.168.0.18) by XXXXX.np.local
(192.168.0.18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Tue, 8 Oct 2019
14:09:36 +0200
Received: from PMG.DOMAIN.de (192.168.0.3) by XXXX.np.local
(192.168.0.18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3 via Frontend
Transport; Tue, 8 Oct 2019 14:09:36 +0200
Received: from PMG.DOMAIN.de (localhost.localdomain [127.0.0.1])
    by PMG.DOMAIN.de (Proxmox) with ESMTP id D696041DB6
    for <MYMAIL@MYDOMAIN.de>; Tue,  8 Oct 2019 14:09:35 +0200 (CEST)
Received: from mgate02.SENDER-DOMAIN.COM (mgate02.SENDER-DOMAIN.COM [XXX.XXX.XXX.XXX])
    by PMG.DOMAIN.de (Proxmox) with ESMTPS id 0D75641DB1
    for <MYMAIL@MYDOMAIN.de>; Tue,  8 Oct 2019 14:09:31 +0200 (CEST)
Received: from mgate02.SENDER-DOMAIN.COM (magte03.SENDER-DOMAIN.COM [127.0.0.1])
    by IMSVA (Postfix) with ESMTP id 79DB4EA072
    for <MYMAIL@MYDOMAIN.de>; Tue,  8 Oct 2019 14:09:24 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=SENDER-DOMAIN.DE; s=mail;
    t=1570536564; bh=vCPQANmAt/kd6G+9XBKCl5gZIYYNcon4lrsd0uLHwcU=;
    h=From:To:Date;
    b=Ig44jGa/s6ozswVDgyjbHZl6XkpucFQ+5xpNgkJKgY+1T1om9ksKtnkd/zf5oEl2f
     Em+dBaXI8BwPHBvhhAmablznW7cJC8DcD3D5IR0263Er02HuCrnhs6Kl5xE8TzwJ/e
     amm/RAl8PPY6vkr2ui9oVtstAu56g2Q18qotK8fA=
Received: from mgate02.SENDER-DOMAIN.COM (magte03.SENDER-DOMAIN.COM [127.0.0.1])
    by IMSVA (Postfix) with ESMTP id 5A75DEA05A
    for <MYMAIL@MYDOMAIN.de>; Tue,  8 Oct 2019 14:09:24 +0200 (CEST)
Received: from 999z2cmgl03.SENDER-DOMAIN.COM (unknown [XXX.XXX.XXX.XXX])
    by mgate02.SENDER-DOMAIN.COM (Postfix) with ESMTPS
    for <MYMAIL@MYDOMAIN.de>; Tue,  8 Oct 2019 14:09:24 +0200 (CEST)
Received: from 999z2cmgl03.SENDER-DOMAIN.COM (localhost [127.0.0.1])
    by 999z2cmgl03.SENDER-DOMAIN.COM (Postfix) with ESMTP id 3D46C1A0D5D
    for <MYMAIL@MYDOMAIN.de>; Tue,  8 Oct 2019 14:09:24 +0200 (CEST)
From: <SENDER@SENDER-DOMAIN:DE>
To: <MYMAIL@MYDOMAIN.de>
CC: <COLLEAGUE@MYDOMAIN.de>
Subject: Signiert Test
Thread-Topic: Signiert Test
Thread-Index: AdV90Qr2HuCGEs/BR/G8wj5nveutqA==
Date: Tue, 8 Oct 2019 12:09:22 +0000
Message-ID: <4a440bb7ad36470792daf44e7f8d8af0@199EXL14.XXXXX-199.loc>
Accept-Language: de-DE, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.111.168.86]
x-tm-snts-smtp: 54C6024A3430B238B845EAAEE415A60C1A448E1C6D208F24885EEE78E428F5302000:8
x-exclaimer-md-config: 0f43791b-a292-456b-913b-99c4fe190328
x-exclaimer-md-bifurcation-instance: 0
x-exclaimer-md-search-key: VTKSiuuWfU2A0+ALlUjBKw==
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
    micalg=sha-256; boundary="----DDA397B59AC46D61424C8DBE86B3C5E7"
X-TM-AS-GCONF: 00
X-SPAM-LEVEL: Spam detection results:  0
    DKIM_SIGNED               0.1 Message has a DKIM or DK signature, not necessarily valid
    DKIM_VALID               -0.1 Message has at least one valid DKIM or DK signature
    DKIM_VALID_AU            -0.1 Message has a valid DKIM or DK signature from author's domain
    DKIM_VALID_EF            -0.1 Message has a valid DKIM or DK signature from envelope-from domain
    HTML_MESSAGE            0.001 HTML included in message
    JMQ_SPF_NEUTRAL           0.5 SPF set to ?all
    RCVD_IN_DNSWL_MED        -2.3 Sender listed at https://www.dnswl.org/, medium trust
    SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
    SPF_PASS               -0.001 SPF: sender matches SPF record
    URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [XXXXXX,SENDER-DOMAIN.DE]
Return-Path: SENDER@SENDER-DOMAIN:DE
X-MS-Exchange-Organization-Network-Message-Id: 95c57d6d-7eee-4d47-d437-08d74be86300
X-AS2-DEV-Spam: No  (0)
X-EndpointSecurity-SpamStamp: Build: [Engines: 2.15.9.1278, Dats: 653615, Stamp: 3], Multi:
[Enabled, t: (0.000012,0.018988)], BW: [Disabled], RBL DNSBL: [Disabled],
APM: [Enabled, Score: 500, t: (0.010788), Flags: BA7B0291; NN_DE_FREE_BGU;
NN_LEGIT_EXEC_H_MORE_THAN_5_PARTS_NEW], SGN: [Enabled, t:
(0.010426,0.000202)], URL: [Enabled, t: (0.000270)], RTDA: [Enabled, t:
(0.040295), Hit: No, Details: v2.7.59; Id: 15.1i6hafq.1dmlkclaa.9117l],
total: 0(775)
X-EndpointSecurity-0xde81-EV: v:6.6.13.183, d:inc, a:n, w:t, t:103, sv:1570523301,
ts:1570536576
X-MS-Exchange-Organization-AuthSource: XXXXX.np.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.3720076
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1531.010

Direct to Exchange Header:

Code:
Received: from XXXX.np.local (192.168.0.18) by XXXXX.np.local
(192.168.0.18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3 via Mailbox
Transport; Tue, 8 Oct 2019 11:13:57 +0200
Received: from XXXXX.np.local (192.168.0.18) by XXXXXX.np.local
(192.168.0.18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3; Tue, 8 Oct 2019
11:13:57 +0200
Received: from mgate02.SENDER-DOMAIN.com (XXX.XXX.XXX.XXX) by XXXXX.np.local
(192.168.0.18) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1531.3 via Frontend
Transport; Tue, 8 Oct 2019 11:13:57 +0200
Received: from mgate02.SENDER-DOMAIN.com (mgate04.SENDER-DOMAIN.com [127.0.0.1])
    by IMSVA (Postfix) with ESMTP id D1C8712404D
    for <ME@MYDOMAIN.DE>; Tue,  8 Oct 2019 11:13:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=SENDER-DOMAIN.de; s=mail;
    t=1570526036; bh=QkgfEfPVmiDmweE1HkeDnu9pTNFJfmBRbf9dr2+BJMg=;
    h=From:To:Date;
    b=L1K/kOv7BVsJjy2/XUTss2xXWqbY4Ix5g4Z4huzHId6VbpmMEydprfOEo9Fwwwl72
     yNeCAVp7goJOkpbCBAKU3Dp85dn8Y56dLM7SRuAw1Aceef64gy2J1dXTsku6A2od1I
     +N41XDXcd3j/2yNuNNUVAvLSa1D5BbhJutHUyLoA=
Received: from mgate02.SENDER-DOMAIN.com (mgate04.SENDER-DOMAIN.com [127.0.0.1])
    by IMSVA (Postfix) with ESMTP id B265112404B
    for <ME@MYDOMAIN.DE>; Tue,  8 Oct 2019 11:13:56 +0200 (CEST)
Received: from 999z2cmgl03.SENDER-DOMAIN.com (unknown [XXX.XXX.XXX.XXX])
    by mgate02.SENDER-DOMAIN.com (Postfix) with ESMTPS
    for <ME@MYDOMAIN.DE>; Tue,  8 Oct 2019 11:13:56 +0200 (CEST)
Received: from 999z2cmgl03.SENDER-DOMAIN.com (localhost [127.0.0.1])
    by 999z2cmgl03.SENDER-DOMAIN.com (Postfix) with ESMTP id 9422C1A0D5F
    for <ME@MYDOMAIN.DE>; Tue,  8 Oct 2019 11:13:56 +0200 (CEST)
From: <SENDER@SENDER-DOMAIN.de>
To: <ME@MYDOMAIN.DE>
CC: <s.ehle@northpoint.de>
Subject: Test - signiert2
Thread-Topic: Test - signiert2
Thread-Index: AdV9uLCWB0lnM3moT0ScBB5rNKXngA==
Date: Tue, 8 Oct 2019 09:13:49 +0000
Message-ID: <67dcf219f888481bb86c94e6c930be3e@199EXL14.XXXX-199.loc>
Accept-Language: de-DE, en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.111.168.86]
x-tm-snts-smtp: ABA6C0B1025FF456F4B1FD3B6061C8206AF366E953C3E857D6FE559C5FD8CDFF2000:8
x-exclaimer-md-config: 0f43791b-a292-456b-913b-99c4fe190328
x-exclaimer-md-bifurcation-instance: 0
x-exclaimer-md-search-key: xqL6uKh4SUm5/TTgRCKIsw==
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
    micalg=sha-256; boundary="----D9B72CA2AA8C625D01F79B4AAF3128EA"
X-TM-AS-GCONF: 00
Return-Path: SENDER@SENDER-DOMAIN.de
X-MS-Exchange-Organization-Network-Message-Id: 0546e372-824e-4e4e-e5b9-08d74bcfd952
X-AS2-DEV-Spam: No  (0)
X-EndpointSecurity-SpamStamp: Build: [Engines: 2.15.9.1278, Dats: 653536, Stamp: 3], Multi:
[Enabled, t: (0.000014,0.019096)], BW: [Disabled], RBL DNSBL: [Disabled],
APM: [Enabled, Score: 500, t: (0.010205), Flags: BA7B0291; NN_DE_FREE_BGU;
NN_LEGIT_EXEC_H_MORE_THAN_5_PARTS_NEW], SGN: [Enabled, t:
(0.011401,0.000190)], URL: [Enabled, t: (0.000370)], RTDA: [Enabled, t:
(0.099867), Hit: No, Details: v2.7.59; Id: 15.1i6tt4c.1dmlab1h6.8qstp],
total: 0(775)
X-EndpointSecurity-0xde81-EV: v:6.6.13.183, d:inc, a:n, w:t, t:194, sv:1570512973,
ts:1570526037
X-MS-Exchange-Organization-AuthSource: XXXXX.np.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.4830633
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1531.010


Regards,

spaxxilein
 
hmm - that could be the reason:
see:
Code:
From: <SENDER@SENDER-DOMAIN.de>
vs.
Code:
From: <SENDER@SENDER-DOMAIN.DE>

if there is indeed a difference in the case (upper case vs. lower case) then the signature would become invalid (because the sender-domain uses simple/simple as canonicalization (see point 3.4 in https://tools.ietf.org/html/rfc6376))

If that's the reason there is sadly little you can do (apart from either asking the sender-domain to change to the more robust 'relaxed/relaxed' canonicalization, or to remove the DKIM-Signature header (which also is not nice, and will break if any of the receiving domains uses DMARC))

I hope this helps!
 
Hello Stoiko,

sorry this was a TYPO. The upper/lower case is actually identical between both From: parts of the mail.
 
Hmm - I also tested sending a mail with simple/simple through PMG - it was still correct on the other side (and the PMG spam header also got added) ...

comparing both headers also does not indicate that there is anything else which changed ...

You could try to compare the bodies as well (if anything was added in between)

I guess the problem is not related to DKIM (I just saw in the headers that S/MIME also uses sha256)
 
Hi, I have the same problem here. I sent you both mails, once going through my PMG, my Plesk and going to my Hosted Exchange finally. Second going directly to my Hosted Exchange. First is showing invalid signature (message has been tampered), second shows valid signature. I sent you both raw message files. Using any kind of rules doesn't help, I believe your rule system is just deciding on how to deal with the result of SpamAssassin but does not bypass SpamAssassin? So message is anyhow rewritten.
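
The comparison suggested in the thread (save one copy that passed through PMG and one that did not, then diff them), narrowed to the bytes an S/MIME `multipart/signed` signature actually covers. This is an added example, not code from the posters or from Proxmox; the sample mails, the `build_mail` helper and the re-encoding change are constructed for illustration, and real input would be the two saved .eml files read as bytes.

```python
import email
import hashlib
import re
from email import policy


def signed_part(raw: bytes) -> bytes:
    """Exact bytes of the first part of a multipart/signed mail (RFC 1847):
    this is the region the S/MIME signature is computed over."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("not a multipart/signed message")
    delim = b"--" + msg.get_boundary().encode("ascii")
    # Work on the raw body only; outer headers are not covered by S/MIME.
    body = raw[re.search(rb"\r?\n\r?\n", raw).end():]
    begin = body.index(b"\n", body.index(delim)) + 1  # line after 1st delimiter
    end = body.index(b"\n" + delim, begin)            # line break before 2nd
    part = body[begin:end]
    return part[:-1] if part.endswith(b"\r") else part


def compare(direct: bytes, relayed: bytes) -> dict:
    """Compare the signed regions of two saved copies of a mail."""
    a, b = signed_part(direct), signed_part(relayed)
    out = {"identical": a == b, "first_diff": None, "only_line_endings": False,
           "sha256": (hashlib.sha256(a).hexdigest(), hashlib.sha256(b).hexdigest())}
    if a != b:
        n = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                 min(len(a), len(b)))
        out["first_diff"] = n
        out["context"] = (a[max(0, n - 20):n + 20], b[max(0, n - 20):n + 20])
        out["only_line_endings"] = (a.replace(b"\r\n", b"\n")
                                    == b.replace(b"\r\n", b"\n"))
    return out


# --- Constructed sample data (not taken from the thread) ---
SIGNED = (b"Content-Type: text/plain; charset=utf-8\r\n"
          b"Content-Transfer-Encoding: 7bit\r\n\r\n"
          b"Signiert Test\r\n")


def build_mail(extra_headers: bytes, part: bytes) -> bytes:
    return (extra_headers +
            b"From: <sender@example.org>\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
            b'\tmicalg=sha-256; boundary="----B1"\r\n\r\n'
            b"------B1\r\n" + part + b"\r\n------B1\r\n"
            b"Content-Type: application/pkcs7-signature\r\n\r\nAAAA\r\n------B1--\r\n")


DIRECT = build_mail(b"", SIGNED)
# Gateway added a header outside the signed region: signature input unchanged.
RELAYED_HEADER_ONLY = build_mail(b"X-SPAM-LEVEL: Spam detection results:  0\r\n", SIGNED)
# Hypothetical rewrite inside the signed region: signature input changed.
RELAYED_REENCODED = build_mail(b"", SIGNED.replace(b"7bit", b"quoted-printable"))

if __name__ == "__main__":
    for name, copy in [("header only", RELAYED_HEADER_ONLY),
                       ("re-encoded", RELAYED_REENCODED)]:
        print(name, compare(DIRECT, copy))
```

If `identical` is true for two copies of the same message, the gateway did not touch the signed region and the cause lies elsewhere; otherwise `first_diff` and `context` show where the bytes diverge.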
 