encoding from different mail clients using mailcow as mail server

@esackbauer

Could you tell me where exactly are the dkim keys in mailcow stored? Files or database? And I’d like to know how to get there.

More testing with emails to a vodafone account:

mx5.vodafonemail.de/4SV90B37Vyz9ryY;
dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=x.de header.i=@x.de header.a=rsa-sha256 header.s=dkim header.b=cVJitv3G;
dkim-atps=neutral

I did a diff -s file1 <– dkim from mailcow file2 <– dkim copied to DNS. They are identical.

Could it be, that if restoring a mailcow backup, the keys are messed up? I’d like to check the keys (public and private) before restore and after restore.

Well, I’d like to check this. What’s the best approach to access the DB?

BTW here’s the email to the vodafone account:

"
test
–=20
Mit freundlichen Gr=C3=BC=C3=9Fen,

Mit freundlichen Gr=C3=BC=C3=9Fen,

=C3=B6=C3=A4=C3=BC=C3=9F

"

Umlaute in signature and domain footer… as already seen. Of course with a failed dkim key after a restore. To verify the suspicion I’ll wipe/delete the mailcow install on my laptop and start over with a new, clean install. No restores, no imports, nothing. Means from scratch. Will report.

esackbauer Now I am thinking that the Umlaute conversion is the reason why the DKIM fails. Something is changing the character encoding in transit and changing the “checksum”.

Let me start over with a fresh clean install. I’ll create a domain (same I use for tests), a user, will copy the new dkim key to DNS, nothing more. I’ll do a “vanilla” backup. First email will be with no umlaute. Second email will have umlaute. Third email will have signature and Umlaute. Forth one will have the signature and a system wide footer with umlaute.

I’ll report.

I did the tests. Here are the results:

1. Sending an email from SOGO in HTML format, no matter what language, with signature and footer, with german umlaute, works correct. The dkim test pass:
   mx5.vodafonemail.de/4SVGtc1n9xz9rxk;
   dkim=pass (2048-bit key; unprotected) header.d=y.de header.i=@y.de header.a=rsa-sha256 header.s=dkim header.b=An7pjvp1;
   dkim-atps=neutral

2. Sending an email from SOGO in plain text format, no matter what language, with signature and footer, with german umlaute, will not work. The dkim test fails.
   mx5.vodafonemail.de/4SVH2f6TNFz6vhw;
   dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=y.de header.i=@y.de header.a=rsa-sha256 header.s=dkim header.b=QWmUDGNz;
   dkim-atps=neutral

Reverting in SOGO back to html text will pass the dkim test (again).

3. Sending an email form email-client thunderbird in HTML format, no matter what language, with signature and footer, with german umlaute, will not work. dkim test fails. The layout of the email looks like:
   "
   umlaute: =C3=B6=C3=A4=C3=BC=C3=9F

–=20
Mit freundlichen Gr=C3=BC=C3=9Fen,

4. Sending emails from thunderbird will always fail the dkim test. No matter if plain text or html.

To resume:

• sending emails from SOGO in html containing german umlaute, works. DKIM will pass.
• sending emails from SOGO in plain text containing german umlaute leads to DKIM fails.
• sending emails from email-client thunderbird will always fail the dkim test. And the german umlaute are in a wrong format.

As we need thunderbird out of several reasons, at this moment with the results above, I cannot migrate my email servers to mailcow. We send, and will this probably do also in future, emails only in plain text format. And we need dkim, dmarc and spf - valid.

Besides the question of restoring a backup to different box with another underlying OS and the decryption of the emails, while doing a restore of all items including the keys. But this point for the moment is less important, it could be solved in another way.

How to proceed?

Can’t tell. Sending emails composed in sogo with plain text and umlaute to i.e. domain hosted at allinkl brings up the same result:

Authentication-Results: q.kasserver.com;
dkim=fail reason=“signature verification failed” (2048-bit key; unprotected) header.d=x.de header.i=@x.de header.a=rsa-sha256 header.s=dkim header.b=JevnIlCW;
dkim-atps=neutral

I’m sending from a socalled pool IP: IP-x.x.x.x-um38.pools.vodafone-ip.de. Means not a static IP. But if this causes the failure, then the failure should also be while sending in HTML. As I pointed out, DKIM passes with email sent from the same (dynamic) IP(4).

IMVHO I don’t think so.

@DocFraggle

If you like, you could tell me one of your email adresses (is in this forum a pm function?). I’ll send you an email. Let’s see how this works.

O.k. thank’s for sharing your thoughts.

I’ll check/disable in case anything on my asus home router, and will test again. I’ll be back.

I disabled diversion and skynet, the router DNS is unbound.

DKIM passes, encoding/format is faulty:

Date: Fri, 17 Nov 2023 14:32:31 +0100
To: djrEXr4DjZ2CAP@dkimvalidator.com
MIME-Version: 1.0
Message-ID: <41-65576b80-d-677bcc00@203232121>
Subject: =?utf-8?q?T=C3=84SCHT?=
User-Agent: SOGoMail 5.9.0
X-Last-TLS-Session-Version: None

——==-OpenGroupware_org_NGMime-65-1700227951.204159-2——
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

sogo html text, signatur and footer mit umlaute
=C3=A4=C3=B6=C3=BC=C3=9F

–=C2=A0
signature plain text =C3=B6=C3=A4=C3=BC=C3=9F

plain footer
=C3=B6=C3=A4=C3=BC=C3=9F

——==-OpenGroupware_org_NGMime-65-1700227951.204159-2——
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>sogo html text, signatur and footer mit umlaute<br />=C3=A4=C3=B6=C3=BC=
=C3=9F<br /><br />–&nbsp;<br />signature plain text =C3=B6=C3=A4=C3=BC=C3=9F</=
html>

html footer
=C3=B6=C3=A4=C3=BC=C3=9F

——==-OpenGroupware_org_NGMime-65-1700227951.204159-2——–

What is this ——==-OpenGroupware_org_NGMime-65-1700227951.204159-2——– about?

From the postfix log, sent with TB, no matter same result with SOGo:

B0AD2427BCA: replace: header Received: from cdc97c45df2b (mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network [172.22.1.248])??(Authenticated sender: x.y@z.de)??by mail.z.de (Postcow) with ESMTP from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]; from=x.y@z.de to=check-auth@verifier.port25.com proto=ESMTP helo=<cdc97c45df2b>: Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPA id B0AD2427BCA??for check-auth@verifier.port25.com; Sat, 18 Nov 2023 01:54:47 +0100 (CET)

The header, the body and the DKIM key is corrupted. No idea what replace: header received means…

DNS-Check in mailcow says everything is fine.

Mailcow is running on top of archlinux. Laptop is WLAN connected. Static IP is 192.168.XX.YYY. Gateway is the router (for test every possible interference disabled), tried DMZ, portforwarding, etc. There’s no reverse proxy running on the laptop. No firewall, no filters on the laptop. Something must be wrong on the way from the container via docker to the router.

As I already mentioned, I’m running a few other mailservers NOT DOCKERIZED, nearly the same configuration (postfix, dovecot, fail2ban, rspamd, sogo (same ver.).

I have to give up. At this very moment I cannot use mailcow in production environment. I’m sorry.

esackbauer That is true. It is working for receiving mails, but no chance to send mails via a dynamic IP.
Pay for a relay service then (they can read your mails…), or get a business cable product with static IP and the possibility to have a reverse DNS entry, or pay for a decent hoster.

In business we have only static IP’s. Not for private. Question is, could a dynamic IP have an impact on DKIM? Hmm…?

Anyone out there running mailcow on top of any linux OS with a dynamic IP?

Maybe I didn’t make it clear enough: in business we do only use static IP’s and email-servers without relay, smarthost, … All business domains have 10/10 at mail-tester. No issues at all, no matter where or what I test against.

Not so for private. As I said, the vodafone IP is so-called pool-IP, not static.

I don’t have a customized FritzBox. It’s an original. Therefore I can’t help. You should ask Vodafone.

Vodafone is my provider. At home I don’t have a static IP. Therefore I use an unbranded (no customized firmware) fritzbox.

Read this: Fritz!Box | Cable (6490, 6590, 6591, 6660) Bridge-Mode freischalten - ubiquiti - Deutsches Fan Forum

ubiquiti - Deutsches Fan Forum

Fritz!Box | Cable (6490, 6590, 6591, 6660) Bridge-Mode freischalten - ubiquiti - Deutsches Fan Forum

And this: Fritz!Box JSTool

mengelke.de

Fritz!Box JSTool

Checksum mit JavaScript berechnen, Konfig-Datei entschl

This adds the option “bridged mode” to an unbranded fritzbox.

In business we use Vodafone only with static IP’s. This allows to run their customized fritzbox firmware in bridged mode.

If all pre-requisites are fulfilled (read mailcow docs) the mailserver works flawless.

@sOliver

Even with this hack you’ll have an IP from their pool. It’s not a dedicated static IP which only belongs to you. You’ll definitely have problems sending emails. Check the blacklists… A mailserver without a static dedicated IP is not recommended.