Table des matières

Add DKIM and DMARC support to Proxmox Mail Gateway

Proxmox Mail Gateway is a great email filtering solution, but it lacks DKIM and DMARC support. This how-to explains how to add them. And also how to configure ports 465 and 587 for authenticated clients.

Enable authenticated ports

This is needed if you want your external clients to be able to relay emails through PMG. Ports 465 and 587 will be equivalent to the 26 one, but with encryption (either STARTTLS or SSL in Wrapper mode). I'll use AD to auth my user, but it could be another LDAP server

apt install sasl2-bin libsasl2-modules-ldap
usermod -a -G sasl postfix
cat <<_EOF > /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
OPTIONS="-c -m /var/run/saslauthd"
_EOF
cat <<_EOF > /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
_EOF
cat << _EOF > /etc/saslauthd.conf
ldap_servers: ldap://dc1.domain.tld ldap://dc2.domain.tld
ldap_start_tls: yes
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca-certificates.crt
ldap_search_base: DC=domain,DC=tld
ldap_filter: (&(|(memberOf=CN=Mail,OU=Groups,DC=domain,DC=tld)(sAMAccountName=smtp))(objectClass=user)(|(userPrincipalName=%u@domain.tld)(sAMAccountName=%u)))
ldap_bind_dn: CN=Proxmox Mail Gateway,OU=Apps,DC=doman,DC=tld
ldap_password: SuperSecretPassw0rd
_EOF
You need to adjust the addresses of your servers, the search base, the filter, the bind dn and its password of course
systemctl enable saslauthd
systemctl restart saslauthd
Note that auth is not enabled yet, postfix must be configured for this, we'll do it later, when enabling dkim and dmarc

Configure DKIM

We'll use the opendkim project for this. And we'll use two separated instances

apt install opendkim opendkim-tools
mkdir /etc/opendkim
cat <<_EOF > /etc/opendkim/verifier.conf
Syslog yes
LogResults yes
LogWhy yes
SyslogSuccess yes
UMask 007
Mode v
AllowSHA1Only yes
AlwaysAddARHeader yes
Socket local:/var/run/opendkim/verifier.sock
PidFile /var/run/opendkim/verifier.pid
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
Background no
Nameservers 10.99.2.1
_EOF
Replace 10.99.2.1 with the DNS server you want to use, or remove the line to let opendkim resolv itself. You should use a local, recursive, caching resolver
cat <<_EOF > /etc/opendkim/signer.conf
Syslog yes
LogResults yes
LogWhy yes
SyslogSuccess yes
UMask 007
KeyTable /etc/opendkim/keytable
SigningTable /etc/opendkim/signingtable
Mode s
InternalHosts 0.0.0.0/0
Socket local:/var/run/opendkim/signer.sock
PidFile /var/run/opendkim/signer.pid
TrustAnchorFile /usr/share/dns/root.key
UserID opendkim
Background no
Nameservers 10.99.2.1
_EOF
cat <<_EOF > /etc/opendkim/signingtable
# Add one line per domain you want to sign when email are being sent.
# You can use different keys if needed
# Or just use a wildcard to sign everything with the same key
* default
_EOF
cat <<_EOF > /etc/opendkim/keytable
default %:default:/etc/opendkim/keys/default/default.private
_EOF
mkdir -p /etc/opendkim/keys/default
chown opendkim /etc/opendkim/{keys,keys/default}
chmod 700 /etc/opendkim/{keys,keys/default}
opendkim-genkey -D /etc/opendkim/keys/default/ -s default }}
Replace 10.99.2.1 with the DNS server you want to use, or remove the line to let opendkim resolv itself. You should use a local, recursive, caching resolver
In this example, every outbound emails will be signed, and the same key will be used for all of them. You can configure different key though.
cat <<_EOF > /etc/systemd/system/opendkim-signer.service
[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter - signer
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target
 
[Service]
Type=simple
UMask=0007
ExecStart=/usr/sbin/opendkim -x /etc/opendkim/signer.conf
User=opendkim
Group=opendkim
MemoryLimit=50M
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
 
[Install]
WantedBy=multi-user.target
_EOF
cat <<_EOF > /etc/systemd/system/opendkim-verifier.service
[Unit]
Description=OpenDKIM DomainKeys Identified Mail (DKIM) Milter - verifier
Documentation=man:opendkim(8) man:opendkim.conf(5) man:opendkim-genkey(8) man:opendkim-genzone(8) man:opendkim-testadsp(8) man:opendkim-testkey http://www.opendkim.org/docs.html
After=network.target nss-lookup.target
 
[Service]
Type=simple
UMask=0007
ExecStart=/usr/sbin/opendkim -x /etc/opendkim/verifier.conf
User=opendkim
Group=opendkim
MemoryLimit=50M
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
Restart=on-failure
ExecReload=/bin/kill -USR1 $MAINPID
 
[Install]
WantedBy=multi-user.target
_EOF
systemctl daemon-reload
systemctl stop opendkim
systemctl disable opendkim
systemctl enable opendkim-signer
systemctl start opendkim-signer
systemctl enable opendkim-verifier
systemctl start opendkim-verifier

Configure DMARC

DMARC is a policy framework sitting on top of SPF and DKIM. This time, we only need one instance to filter incoming emails

apt install opendmarc
cat <<_EOF > /etc/opendmarc.conf
Background false
IgnoreAuthenticatedClients true
IgnoreHosts /etc/pmg/mynetworks
PidFile /var/run/opendmarc/opendmarc.pid
PublicSuffixList /usr/share/publicsuffix/
Syslog true
RejectFailures true
UMask 007
Socket local:/var/run/opendmarc/opendmarc.sock
HistoryFile /var/run/opendmarc/history.dat
_EOF
systemctl enable opendmarc
systemctl start opendmarc
Storing and sending DMARC report can be done, but you need a mysql server. I'll leave it out of scope for this how-to, though, reporting is an important piece of DMARC

Configure postfix to use all this

Now, we just have to copy master.cf template and adjust it to make use of the new features

mkdir /etc/pmg/templates
cp -a /var/lib/pmg/templates/master.cf.in /etc/pmg/templates/

Edit /etc/pmg/templates/master.cf.in and apply this patch

   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
+  -o smtpd_milters=unix:/var/run/opendkim/signer.sock
 
 [% pmg.mail.ext_port %]       inet  n -       -       -       1 postscreen
 
@@ -91,6 +23,25 @@
   -o receive_override_options=no_address_mappings
   -o smtpd_discard_ehlo_keywords=silent-discard,dsn
   -o mynetworks=127.0.0.0/8,[% postfix.int_ip %]
+  -o smtpd_milters=unix:/var/run/opendkim/verifier.sock,unix:/var/run/opendmarc/opendmarc.sock
+
+submission       inet  n -       -       -       100      smtpd
+  -o content_filter=scan:127.0.0.1:10023
+  -o smtpd_enforce_tls=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain
+  -o smtpd_sender_restrictions=
+  -o smtpd_helo_restrictions=
+  -o smtpd_milters=unix:/var/run/opendkim/signer.sock
+
+smtps        inet  n -       -       -       100      smtpd
+  -o content_filter=scan:127.0.0.1:10023
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
+  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain
+  -o smtpd_sender_restrictions=
+  -o smtpd_helo_restrictions=
+  -o smtpd_milters=unix:/var/run/opendkim/signer.sock
 
 127.0.0.1:10025 inet  n       -       n       -       -      smtpd
   -o content_filter=
You can see we just add smtpd_milters for inbound and outbound. And we add two new listeners on 465 (smtps) and 587 (submission), with settings equivalent to the listener on port 26