DKIM integrity after smtp-proxy

edited February 2020 in Firebox - Proxies

We filter incoming e-mail with a firebox with a smtp-proxy rule. Then e-mail is forwarded to another maliserver/SMTP filter (we have different software in different installations).
All messages containing DKIM signature processed by smtp-proxy fail DKIM integrity check on our mailserver/mailfilter.
If we disable smtp-proxy and leave only a normal port 25 mapping, DKIM integrity check is preserved.
Is there some setting we can disable in smtp-proxy to preserve DKIM integrity?

Comments

  • For the record, what XTM version are you running?

    Review the X-WatchGuard Headers section of the following:
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/smtp/proxy_smtp_headers_c.html

    If that doesn't resolve your issue, then you should open a support incident on this

  • M370 with Firebox 12.5.2.B609628
    I will open a support ticket.

  • hello giox069,
    i'm facing the same problem. Were you able to solve it?

  • Ok, found the problem but no solution: some senders, i.e. @gmail.com, fully signs the e-mail body with DKIM (bh= field in DKIM-Signature header).

    When an incoming message travels across WG SMTP Proxy, the WG SMTP Proxy does some modifications to the body, adding extra stuff. This extra stuff breaks the DKIM signature.

    Solutions? A couple of ideas only: the SMTP Proxy should stop modifying the e-mail body. Or, if a body modification is relly needed, DKIM and DMARC verification should be moved to the 1st SMTP filter on the chain, which in my case is the WG SMTP proxy itself. In both cases, these are solutions to be implemented by Watchguard.

  • edited June 2022

    Has a bug report been lodged to fix this problem? We run our own mail server and it is a tough battle to keep up the requirements to stay off the blacklists without some SMTP-proxy bug adding to the problem. I note that this only impacts incoming mail - it that correct?

    Adrian from Australia

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @giox069 @xxup
    There should be an option in your SMTP proxy to not add x-watchguard headers to the mail.

    See: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/proxies/smtp/proxy_smtp_headers_c.html

    -James Carson
    WatchGuard Customer Support

  • Thanks James. The headers have been removed pending more research into the issue.

    Adrian from Australia

  • @james.carson Thank you! Disabiling X-WatchGuard headers in SMTP-Proxy options seems to fix the DKIM signature corruption.

Sign In to comment.