Thanks to anybody following.
Over the last 4 days I took time for some tests and investigations. All tests are based on proxmox 7.4.-17. Proxmox is running on a HP Proliant ML30, enough CPU and RAM for any test.
First try was to build a VM based on Debian 12, minimal net-install as a server. HD 60 GB, RAM 8 GB, rest default hardware, network bridged. No firewall on the Proxmox enabled. In front of the network is an OPNsense; the Debian VM got a static IP with ARP mapping. Neither the OPNsense nor Proxmox is configured as an MTA. No reverse proxy is running on the OPNsense. The mailserver is not intended to be accessible from the WAN, only via VPN or LAN. I created the records in the DNS. On the OPNsense itself unbound is running as DNS. All DNS traffic in the LAN is routed through the OPNsense. As prerequisites, I opened port 80 (ACME challenge) for the VM in the OPNsense and also created a rule for all needed ports in the LAN for the VM.
I followed the install instructions, mailcow came up and was running. The ACME challenge didn’t work; I assume a reverse proxy would be needed. The workaround was to disable the Let's Encrypt part in mailcow, get the cert via OPNsense and copy and rename the certs to the path given in the docs for mailcow.
I configured a domain, a few mailboxes and an alias, copied the DKIM key to the DNS, and made a backup with the helper script. I started to send a few emails from SOGo to kabelbw.de and mailbox.org, and vice versa. That seemed to work with no errors. The test emails had no signature or system-wide footer. Emails were ALWAYS sent as PLAIN TEXT, NO HTML email.
I created an account in Thunderbird, now with signature and German umlauts äüöß, … Did the same in SOGo. This leads to: dkim=fail (2048-bit key) reason=“fail (message has been altered)”
I deleted the signatures and resent a simple test email. DKIM still fails. I double checked with https://dkimvalidator.com/. I restored from the backup and DKIM with a simple test email was o.k.
I created a signature in SOGo and a system-wide footer. DKIM went false.
I started over with a second VM based on the Rocky Linux DVD. Configuration in Proxmox mainly the same, except the CPU. I tried to restore the mailcow backup I made from the Debian VM to save some time. That did not work. Emails stayed encrypted. I did a full restore. Nevertheless I started over to configure mailcow in Rocky Linux; at this point I cut it down. Same behaviour and results as in the Debian VM.
As I already wrote, I installed mailcow-dockerized also on my laptop, with Arch Linux as the base OS. In my home network there’s a consumer Asus router/firewall. For the test I configured a port forwarding for the ACME challenge in the router. I took another domain name, configured the DNS, and so far mailcow is working with no errors.
I’ve another email server in a network. Also running on Proxmox in a VM, bridged network. This server (Nethserver 7) is not containerized. Also an OPNsense as FW in front. Email has been working flawlessly for years. No DKIM errors. This server even completes the ACME challenge every 90 days. Same with a Koozali (formerly Mitel e-smith) server. No errors at all.
Therefore my questions:
- is mailcow intended for production use in a company network (LAN, centralized/redirected DNS, Active Directory), NOT intended to be accessible from WAN?
- anybody with a similar setup as I described (signature/domain-wide footer with German UMLAUTS, plain text) where DKIM passes?
- where could I possibly have made a mistake?
I’d like to separate my email servers from the file servers, therefore I’m looking for a suitable solution for production use.
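Added example, not part of the original post or of mailcow: a small Python model of the DKIM body hash (RFC 6376, "relaxed" body canonicalization) showing which changes to a plain-text body with umlauts a verifier tolerates after signing and which ones produce "message has been altered". The message body and footer are constructed sample data; no mailcow component is modelled.

```python
"""Which post-signing body changes break a DKIM bh= (RFC 6376, relaxed canon)."""
import base64
import hashlib
import quopri
import re

def relaxed_body_canon(body: bytes) -> bytes:
    """'relaxed' body canonicalization: strip trailing WSP on each line,
    collapse runs of WSP to one space, drop trailing empty lines, end every
    remaining line with CRLF (an empty body canonicalizes to b"")."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The bh= value a signer puts into DKIM-Signature for rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body_canon(body)).digest()).decode()

def verifies(signed_body: bytes, delivered_body: bytes) -> bool:
    """A verifier recomputes bh= over the body it received and compares it
    with the bh= computed at signing time."""
    return body_hash(signed_body) == body_hash(delivered_body)

# Constructed sample: an 8-bit plain-text body with German umlauts, as signed.
SIGNED = "Hallo,\r\n\r\nschöne Grüße\r\nJürgen\r\n".encode("utf-8")
# Constructed sample footer, as a system-wide disclaimer might add it.
FOOTER = "-- \r\nMusterfirma GmbH, Straße 1\r\n".encode("utf-8")

def after_whitespace_change() -> bool:
    # Trailing spaces and extra blank lines are absorbed by relaxed
    # canonicalization, so the body hash still matches.
    return verifies(SIGNED, SIGNED.replace(b"\r\n", b"  \r\n") + b"\r\n\r\n")

def after_footer_appended() -> bool:
    # A footer stamped onto the body AFTER signing adds new canonical lines:
    # bh= no longer matches and the verifier reports the message as altered.
    return verifies(SIGNED, SIGNED + b"\r\n" + FOOTER)

def after_qp_reencoding() -> bool:
    # A hop that downgrades 8-bit text to quoted-printable rewrites the bytes
    # (ö becomes =C3=B6) although the rendered text is identical: bh= mismatch.
    return verifies(SIGNED, quopri.encodestring(SIGNED))
```

The check this suggests on the sending side is whether the signature or footer is attached before or after the DKIM signing step, and whether any hop re-encodes the 8-bit umlaut body; on the receiving side the verifier performs exactly the comparison in `verifies`.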