encoding from different mail clients using mailcow as mail server

Every DNS (port 53) request from the VM with mailcow (the whole LAN) is redirected to the OPNsense unbound. BTW unbound-mailcow shows healthy status. And port 53 is open.

For email the only open port is 25. All other ports (as in the docs described) are only allowed in the LAN. The mailserver is meant for internal access. No public access at all.

May I ask if you have mailcow-dockerized running in a VM? If so, qemu, virtualbox, proxmox, …? What host OS?

For the prerequisites, what could be wrong? I mean, on my laptop at home I did the same as in the VM. Except that at home the host in archlinux and not a VM based on debian 12.

Well, I can try with another host OS for the VM. Have you got a special recommendation?

Thanks to anybody following.

The last 4 days I took time for some tests and investigations. All tests are based on proxmox 7.4.-17. Proxmox is running on a HP Proliant ML30, enough cpu and ram for any test.

First try was to build a VM based on debian 12, minimal net-install as a server. HD 60 GB, RAM 8 GB, rest default hardware, network bridged. No firewall on the proxmox enabled. In front of the network is an OPNsense, the debian VM got a static IP with ARP mapping. The OPNsense nor proxmox is configured as MTA. No reverse proxy is running on the OPNsense. The mailserver is not intended to be accessable from the WAN, only via VPN or LAN. I created the records in the DNS. On the OPNsense itself is running unbound as DNS. All DNS traffic in the LAN is routed through the OPNsense. As pre-requisites on the OPNsense, I opened the port 80 (acme challenge) for the VM in the OPNsense, and created also a rule for all needed ports in the LAN for the VM.

I followed the install instructions, mailcow came up and was running. The acme challenge didn’t work, I assume a reverse proxy would be needed. The workaround was to disable the letsencrypt part in mailcow, get the cert via OPNsense and copy and rename the certs to the given path from the docs to the mailcow.

I configured a domain a few mailboxes, an alias, copied the dkim key to the DNS, and made a backup the the helper script. I started to send a few emails from sogo to kabelbw.de and mailbox.org, and vice versa. That seemed to work with no errors. The test emails had no signature or system wide footer. Emails ALWAYS sent as PLAIN TEXT, NO html email.

I created an account in thunderbird, now with signature and german umlaute äüöß, … Did the same in sogo. This leads to: dkim=fail (2048-bit key) reason=“fail (message has been altered)”

I deleted the signatures and resent a simple test email. Still dkim fails. I double checked with DKIM, SPF, and Spam Assassin Validator - dkimvalidator.com

dkimvalidator.com

DKIM, SPF, and Spam Assassin Validator - dkimvalidator.com

I created a signature in sogo and a system wide footer. DKIM went false.

I started over with a second VM based on Rocky linux DVD. Configuration in proxmox mainly the same, except the CPU. I tried to restore the mailcow backup I made from the debian VM to save some time. That did not work. Emails stayed encrypted. I did a full restore. Nevertheless I started over to configure mailcow in Rocky linux, at this point I cut it down. Same behaviour and results as in the debian VM.

As I already wrote, I installed mailcow-dockerized also on my laptop, based OS archlinux. In my home-network there’s a consumer asus router/firewall. For the test I configured a port forwarding for the acme challenge in the router. I took another domain name, configured the DNS, so far mailcow is working with no errors.

I’ve another email-server in a network. Also running on proxmox in a VM, bridged network. This server (Nethserver 7) is not containerized. Also an OPNsense as FW in front. Email is working for years flawlessly. No dkim errors. This server even completes the acme challenge every 90 days. Same with an koozali (formerly mitel e-smith) server. No errors at all.

Therefore my questions:

• is mailcow intended for production use in a company network (LAN, centralized/redirected DNS, ActiveDirectory), NOT intended to be accessable from WAN?
• anybody with a similar setup as from me described (signature/domain wide footer with german UMLAUTE, plain text) where dkim passes?
• where could I possibly have made a mistake?

I’d like to seperate my email-servers from the file servers, therefore I’m looking for a suitable solution for production use.

Is an already proper installed and running opendkim service a prerequisite before installing mailcow-dockerized?

More or less a guess. What else can I do as to copy’n paste the dkim key from mailcow to my DNS? I think there is no mistake. I’d like to know, what causes the dkim failure in DKIM, SPF, and Spam Assassin Validator - dkimvalidator.com

dkimvalidator.com

DKIM, SPF, and Spam Assassin Validator - dkimvalidator.com

Validating Signature

result = fail
Details: bad RSA signature

To the question of running filters on the OPNsense. No, not for outgoing email, afaik.

Getting closer. Your guess might lead in the right direction. Thank you for pointing to the records.

I did a dkim check in another tool. mxtoolbox does indeed show a different record as dkimvalidator.com. And here we go - mail-tester.com and mxtoolbox are identical. And correct.

So, for the DKIM it’s a dkimvalidator and cache/update problem. Thank you so far.

Now I will try to find the error with the umlaute problem. I’ll keep investigating.

Well, I’d like to check this. What’s the best approach to access the DB?

BTW here’s the email to the vodafone account:

"
test
–=20
Mit freundlichen Gr=C3=BC=C3=9Fen,

Mit freundlichen Gr=C3=BC=C3=9Fen,

=C3=B6=C3=A4=C3=BC=C3=9F

"

Umlaute in signature and domain footer… as already seen. Of course with a failed dkim key after a restore. To verify the suspicion I’ll wipe/delete the mailcow install on my laptop and start over with a new, clean install. No restores, no imports, nothing. Means from scratch. Will report.

esackbauer Now I am thinking that the Umlaute conversion is the reason why the DKIM fails. Something is changing the character encoding in transit and changing the “checksum”.

Let me start over with a fresh clean install. I’ll create a domain (same I use for tests), a user, will copy the new dkim key to DNS, nothing more. I’ll do a “vanilla” backup. First email will be with no umlaute. Second email will have umlaute. Third email will have signature and Umlaute. Forth one will have the signature and a system wide footer with umlaute.

I’ll report.

I did the tests. Here are the results:

1. Sending an email from SOGO in HTML format, no matter what language, with signature and footer, with german umlaute, works correct. The dkim test pass:
   mx5.vodafonemail.de/4SVGtc1n9xz9rxk;
   dkim=pass (2048-bit key; unprotected) header.d=y.de header.i=@y.de header.a=rsa-sha256 header.s=dkim header.b=An7pjvp1;
   dkim-atps=neutral

2. Sending an email from SOGO in plain text format, no matter what language, with signature and footer, with german umlaute, will not work. The dkim test fails.
   mx5.vodafonemail.de/4SVH2f6TNFz6vhw;
   dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=y.de header.i=@y.de header.a=rsa-sha256 header.s=dkim header.b=QWmUDGNz;
   dkim-atps=neutral

Reverting in SOGO back to html text will pass the dkim test (again).

3. Sending an email form email-client thunderbird in HTML format, no matter what language, with signature and footer, with german umlaute, will not work. dkim test fails. The layout of the email looks like:
   "
   umlaute: =C3=B6=C3=A4=C3=BC=C3=9F

–=20
Mit freundlichen Gr=C3=BC=C3=9Fen,

4. Sending emails from thunderbird will always fail the dkim test. No matter if plain text or html.

To resume:

• sending emails from SOGO in html containing german umlaute, works. DKIM will pass.
• sending emails from SOGO in plain text containing german umlaute leads to DKIM fails.
• sending emails from email-client thunderbird will always fail the dkim test. And the german umlaute are in a wrong format.

As we need thunderbird out of several reasons, at this moment with the results above, I cannot migrate my email servers to mailcow. We send, and will this probably do also in future, emails only in plain text format. And we need dkim, dmarc and spf - valid.

Besides the question of restoring a backup to different box with another underlying OS and the decryption of the emails, while doing a restore of all items including the keys. But this point for the moment is less important, it could be solved in another way.

How to proceed?

Can’t tell. Sending emails composed in sogo with plain text and umlaute to i.e. domain hosted at allinkl brings up the same result:

Authentication-Results: q.kasserver.com;
dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=x.de header.i=@x.de header.a=rsa-sha256 header.s=dkim header.b=JevnIlCW;
dkim-atps=neutral

I’m sending from a socalled pool IP: IP-x.x.x.x-um38.pools.vodafone-ip.de. Means not a static IP. But if this causes the failure, then the failure should also be while sending in HTML. As I pointed out, DKIM passes with email sent from the same (dynamic) IP(4).

IMVHO I don’t think so.