DKIM integrity after smtp-proxy
edited February 2020 in Firebox - Proxies
We filter incoming e-mail with a Firebox with a smtp-proxy rule. Then e-mail is forwarded to another mailserver/SMTP filter (we have different software in different installations).
All messages containing DKIM signature processed by smtp-proxy fail DKIM integrity check on our mailserver/mailfilter.
If we disable smtp-proxy and leave only a normal port 25 mapping, DKIM integrity check is preserved.
Is there some setting we can disable in smtp-proxy to preserve DKIM integrity?
For the record, what XTM version are you running?
Review the X-WatchGuard Headers section of the following:
If that doesn't resolve your issue, then you should open a support incident on this
M370 with Firebox 12.5.2.B609628
I will open a support ticket.
I'm facing the same problem. Were you able to solve it?
Ok, found the problem but no solution: some senders, i.e. @gmail.com, fully sign the e-mail body with DKIM (bh= field in DKIM-Signature header).
When an incoming message travels across WG SMTP Proxy, the WG SMTP Proxy does some modifications to the body, adding extra stuff. This extra stuff breaks the DKIM signature.
Solutions? A couple of ideas only: the SMTP Proxy should stop modifying the e-mail body. Or, if a body modification is really needed, DKIM and DMARC verification should be moved to the 1st SMTP filter on the chain, which in my case is the WG SMTP proxy itself. In both cases, these are solutions to be implemented by WatchGuard.
Has a bug report been lodged to fix this problem? We run our own mail server and it is a tough battle to keep up the requirements to stay off the blacklists without some SMTP-proxy bug adding to the problem. I note that this only impacts incoming mail - is that correct?
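To check whether a hop changed the signed body, the bh= value can be recomputed from the message as received and compared with the DKIM-Signature header. The following is an added example, not part of the thread or of any WatchGuard tooling; the function names, sample message and appended line are constructed for illustration, and only the body hash is checked (not the b= header signature).

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    # Assumption: bare LF is treated as CRLF so files saved on Unix still compare.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # Collapse runs of space/tab to one space, drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":   # ignore empty lines at end of body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def dkim_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # unfold header whitespace
    return tags

def body_hash(body: bytes, tags: dict) -> str:
    """Recompute the value the signer put in bh=."""
    c = tags.get("c", "simple/simple").split("/")
    data = canon_body(body, c[1] if len(c) > 1 else "simple")
    if "l" in tags:                      # optional signed body length
        data = data[: int(tags["l"])]
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()

def body_intact(body: bytes, sig_value: str) -> bool:
    tags = dkim_tags(sig_value)
    return body_hash(body, tags) == tags.get("bh")

# Constructed sample: the body as the sender signed it, and a signature header
# whose bh= is computed here the way a signer would (b= elided, not needed for bh).
SENT_BODY = b"Hello,\r\n\r\nQuarterly report attached.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
       " h=from:to:subject; bh=" + body_hash(SENT_BODY, {"c": "relaxed/relaxed"}) + "; b=...")
# Constructed stand-in for a hop that appends text to the body.
RELAYED_BODY = SENT_BODY + b"-- scanned by gateway --\r\n"

if __name__ == "__main__":
    print("as sent:", body_intact(SENT_BODY, SIG))
    print("after relay:", body_intact(RELAYED_BODY, SIG))
```

Running the same comparison on a copy of a message captured before the proxy and one captured after it shows which hop changed the body; a mismatch in bh fails DKIM regardless of the header signature.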
Adrian from Australia
There should be an option in your SMTP proxy to not add x-watchguard headers to the mail.
WatchGuard Customer Support
Thanks James. The headers have been removed pending more research into the issue.
Adrian from Australia
@james.carson Thank you! Disabling X-WatchGuard headers in SMTP-Proxy options seems to fix the DKIM signature corruption.