PMG breaks DKIM on outgoing multipart mails

[fratre]

Hi

I just debugged why a mail from me got into the spamfolder of an receiver. In the header I found that the DKIM signature was broken (mail was modified).
Test setup which sends invalid DKIM:

Thunderbird -> Mailserver (creates the DKIM signature) -> Proxmox Mail Gateway -> My Test Mailserver

Test setup which sends valid DKIM:

Thunderbird -> Mailserver (creates the DKIM signature) -> My Test Mailserver

I sent the same mail 2 times to my test server. One time with PMG as outgoing mailserver and one time I sent mails out directly.
Result was that the mail going out directly has an valid DKIM signature. The mail sent out over PMG has an invalid DKIM signature.

It looks like PMG adds an empty line between the parts of the mime multipart mail.
If I remove the empty line manually with an text editor the DKIM signature is valid again.

I attached 3 example eml files which shows the problem.
correct_dkim.txt -> This mail was sent without the PMG
wrong_dkim.txt -> This mail was sent with PMG as outgoing server and has a broken DKIM signature
wrong_dkim_manually_repaired.txt -> This is the same mail where I manually removed the extra empty line (so the DKIM signature is valid again)
(Can't attach *.eml files so i changed the file extension to txt)

For testing the DKIM signature I used Thunderbird with the "DKIM Verifier" extension and "ImportExportTools NG" for importing the *.eml files.
As far as I have tested it it only happens with mime multipart mails (html in body + attachment)


Has someone an idea why this empty line is added to the mail by PMG?
Is there maybe somewhere config option for that?
Currently it looks more like a bug for me.

 

[dcsapak]

i guess this can happen when we deconstruct and reconstruct the mail while it's flowing through the rule-system. we could maybe save the original e-mail and send that out at the end, but that obviously cannot work
if we modify the mail (subject/header/etc.)

would you mind opening a bug on https://bugzilla.proxmox.com (or look if someone else has already opened a bug for that)
alternatively you could let pmg generate the dkim signature instead (if possible ofc)

 

[fratre]

I created a bug entry on the bugtracker:
https://bugzilla.proxmox.com/show_bug.cgi?id=4675

 

[rawtsg]

Are there any updates? We have exactly the same issue with incoming mail from Gmail.

 

[ikrsdo]

I wanted to reply to this old topic. Because I realized that I had the same problem. But while doing research on the problem, I realized this;

If I send the email with the Thunderbird application, DKIM is broken and I see it as a failure in the "Authentication-Results" header.
Mail flow is; Thunderbird -> My Mail Server -> PMG -> Recipient Mail Server

spf=pass (sender IP is x.x.x.x) smtp.mailfrom=myemaildomain.com; dkim=fail (signature did not verify) header.d=myemaildomain.com;dmarc=pass action=none header.from=myemaildomain.com;compauth=pass reason=100

But if I send it with a different application (For example, Outlook or iPhone Mail application or Webmail) with the same SMTP settings and the same configuration, the DKIM failure problem does not occur.
Mail flow is; Outlook Desktop/Mobile Apple Mail/Webmail etc. -> My Mail Server -> PMG -> Recipient Mail Server

spf=pass (sender IP is x.x.x.x) smtp.mailfrom=myemaildomain.com; dkim=pass (signature was verified) header.d=myemaildomain.com;dmarc=pass action=none header.from=myemaildomain.com;compauth=pass reason=100

 

[ikrsdo]

New finding;

If I send an email with Thunderbird using the "Only Plain Text" format, there is no problem with the DKIM signature.

spf=pass (sender IP is x.x.x.x) smtp.mailfrom=myemaildomain.com; dkim=pass (signature was verified) header.d=myemaildomain.com;dmarc=pass action=none header.from=myemaildomain.com;compauth=pass reason=100