DKIM fail (bad signature) on duplicated setup

From: David Lindauer <david_at_wheresweed.com>
Date: Tue, 16 Jun 2015 09:15:41 -0400

We've had opendkim set up on our primary mail server with postfix, amavis
and a handful of other programs, running fine with no problems. This message
will come from that server and be properly DKIM signed. We tried to
copy this OpenDKIM setup to a new server, and it's signing, but the
signature is bad.

ALL of the config files are saved in /etc/opendkim + /etc/opendkim.conf,
and I have copied the whole folder (both are Ubuntu 14.04 servers) + set up
opendkim and opendkim-tools. All outgoing emails get signed and I
get a proper maillog / syslog entry with "opendkim[3980]: 3DF8717E5D32:
DKIM-Signature field added (s=default, d=wheresweed.com)". The certs
are the same on both machines (unchanged configs etc. after they were
copied).

But on the new server, even though everything gets signed, it has 100%
the same config files and opendkim -V reports identical results
(OpenDKIM filter v2.9.1), it will not correctly sign from the second
server no matter what. There are no syslog or maillog entries with
extra data, and manually compiling the latest version of opendkim did
not make any difference.

I am at a loss right now as to how to get it online. I even tried adding
a 'SignHeaders' declaration to see if forcing it would help (it did
not). The original mail server it was duplicated from has a much more
complex postfix setup; the new server is really basic and only has
the milter set up for DKIM processing and nothing else really.

Here is my opendkim.conf, because I expect that'll be the first thing I'm
asked for. The IP is only 1 off between the 2 servers and the IP range
still fits in TrustedHosts, so that's not it either.

AutoRestart yes
AutoRestartRate 10/1h
Syslog yes
Canonicalization simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
LogWhy Yes
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/opendkim/SigningTable
Socket inet:8891@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim:opendkim


Thanks for any insight you guys can give!
Received on Tue Jun 16 2015 - 13:15:49 PST
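A first diagnostic when a verifier reports a bad DKIM signature is to find out whether the body hash (the bh= tag) still matches the body that arrived, because with the Canonicalization simple setting shown above any change to the body after the milter signed it, even added trailing whitespace or a re-wrapped line by a later filter, invalidates the signature; if bh= still matches, the failure lies in the signed headers or in the key/DNS record instead. The following Python script is an added example, not from the original post or from OpenDKIM. It implements the body canonicalization rules of RFC 6376 section 3.4 (simple and relaxed), recomputes bh= from a DKIM-Signature value, and runs the check on a constructed message with simulated downstream changes; the domain example.com, the sample body, the placeholder b= value and the modifications are all assumptions made for the example.

```python
"""Recompute the DKIM body hash (bh=) to separate "body altered after signing"
from "key or header problem". Added example; RFC 6376 section 3.4 rules."""
import base64
import hashlib
import re


def to_crlf(data: bytes) -> bytes:
    """Normalize to the CRLF wire format DKIM hashes over (files on disk are
    usually LF-only, which would otherwise produce a spurious mismatch)."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF.
    An empty body canonicalizes to a single CRLF."""
    body = to_crlf(body)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: strip trailing WSP per line, collapse WSP runs to one
    SP, drop trailing empty lines. An empty body stays empty."""
    lines = to_crlf(body).split(b"\r\n")
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        return b""
    return b"\r\n".join(lines) + b"\r\n"


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}
HASH = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}


def body_hash(body: bytes, canon: str = "simple", alg: str = "rsa-sha256") -> str:
    """Base64 body hash exactly as it appears in the bh= tag."""
    digest = HASH[alg](CANON[canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a (possibly folded) DKIM-Signature value into tag=value pairs.
    Folding whitespace is removed; b= and bh= are whitespace-insensitive."""
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, _, value = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_sig: str, body: bytes) -> bool:
    """Recompute bh= with the c= and a= the signer declared and compare.
    c=relaxed alone means relaxed headers, simple body (RFC 6376 3.5)."""
    tags = parse_dkim_tags(dkim_sig)
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    return body_hash(body, body_canon, tags.get("a", "rsa-sha256")) == tags["bh"]


def fake_signature_header(body: bytes, canon: str = "simple/simple") -> str:
    """Constructed DKIM-Signature value with a real bh= and a placeholder b=;
    the RSA signature over the headers is outside the scope of this check."""
    body_canon = (canon.split("/") + ["simple"])[1]
    return ("v=1; a=rsa-sha256; c=%s; d=example.com; s=default;\r\n"
            "\th=from:to:subject:date; bh=%s;\r\n"
            "\tb=PLACEHOLDER" % (canon, body_hash(body, body_canon)))


def demo() -> dict:
    """Constructed body plus three downstream changes: whitespace-only edits a
    content filter might make, a real content change, and LF line endings
    as read back from disk. Returns check results per canonicalization."""
    original = b"Hello,\r\n\r\nThis is a test message.\r\n-- \r\nDavid\r\n"
    whitespace_only = (b"Hello,\r\n\r\nThis is a test  message. \r\n--\r\n"
                       b"David\r\n\r\n\r\n")
    content_changed = original.replace(b"test", b"TEST")
    results = {}
    for canon in ("simple/simple", "relaxed/relaxed"):
        sig = fake_signature_header(original, canon)
        results[canon] = {
            "original": check_body_hash(sig, original),
            "whitespace_only": check_body_hash(sig, whitespace_only),
            "content_changed": check_body_hash(sig, content_changed),
            "lf_on_disk": check_body_hash(sig, original.replace(b"\r\n", b"\n")),
        }
    return results


if __name__ == "__main__":
    for canon, outcome in demo().items():
        print(canon, outcome)
```

To use it on a real failure, save the message as delivered to the verifier, feed the DKIM-Signature value to check_body_hash together with the raw body (everything after the first empty line), and compare: a bh= mismatch means something between the milter and the recipient rewrote the body, which simple canonicalization does not tolerate; a match means the body is intact and the search moves to the signed headers and to whether the public key in the selector's DNS TXT record corresponds to the private key in the KeyTable.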

This archive was generated by hypermail 2.3.0 : Tue Jun 16 2015 - 13:18:01 PST