RE: [dkim-ops] no signature data on the log

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Fri, 12 Mar 2010 15:14:30 -0800

If you have it signing by IP address, you don’t need to set the MTA name parameter.

If you are seeing the DKIM-Signature: header field in Yahoo’s mail client, then your mail is getting to them signed. I don’t know offhand how Yahoo! indicates the verification result; you might look for an Authentication-Results: header field which is the most common way of showing the results.

From: Murat ALTIPARMAK [mailto:murataltiparmak_at_gmail.com]
Sent: Friday, March 12, 2010 3:00 PM
To: Murray S. Kucherawy
Cc: opendkim-users_at_lists.opendkim.org
Subject: Re: [dkim-ops] no signature data on the log

Hi Murray;

Ok, I really thank you for your help, you shed a light on this issue for me. I added my mail generating system's IP to the "InternalHosts" section in the /etc/opendkim.conf file and the result in the log file is as below:

Mar 13 00:32:46 mail01 opendkim[25237]: OpenDKIM Filter v2.0.0 starting (args: -x /etc/opendkim.conf)
Mar 13 00:33:18 mail01 opendkim[25237]: o2CMXIRV025247 no MTA name match
Mar 13 00:34:50 mail01 opendkim[25237]: o2CMYo58025254 no MTA name match
Mar 13 00:41:48 mail01 opendkim[25237]: o2CMflTB025289 no MTA name match

I sent a new mail now and it successfully reached Gmail as signed; however, in Yahoo, despite the fact that I am seeing the DKIM header in the mail, there is no indication (key symbol or tooltip) that it has been signed. Could it be a specific issue with Yahoo?

By the way, for the "MTA dataset" section of my /etc/opendkim.conf file the line is the following:

MTA MSA

Should I change the "MSA" with the localhost or the FQDN of my Sendmail box?

Any help? Thanks again.


On Sat, Mar 13, 2010 at 12:16 AM, Murray S. Kucherawy <msk_at_cloudmark.com> wrote:
This was caught by the list software as you're still not subscribed to the list. Please visit http://lists.opendkim.org to subscribe.

> -----Original Message-----
> From: Listria [mailto:listria_at_lists.opendkim.org]
> Sent: Friday, March 12, 2010 2:09 PM
> To: opendkim-users-moderators_at_lists.opendkim.org
> Subject: opendkim-users: murataltiparmak_at_gmail.com post needs approval
>
> [...]
>
> Hi Murray,
>
> I really appreciate your reply and help. Ok, I changed the LogWhy value
> to "yes" and sent one mail through Sendmail MTA and got the following
> logs:
>
> Mar 12 23:53:55 mail01 opendkim[18687]: OpenDKIM Filter: mi_stop=1
> Mar 12 23:53:55 mail01 opendkim[18687]: OpenDKIM Filter v2.0.0 terminating with status 0, errno = 0
> Mar 12 23:56:06 mail01 opendkim[25079]: OpenDKIM Filter v2.0.0 starting (args: -x /etc/opendkim.conf)
> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 no MTA name match
> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 [10.255.0.2] [10.255.0.2] not internal
> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 not authenticated
> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096: no signature data
>
> 10.255.0.2 is the IP address where my e-mail client resides.
>
> Could you please explain the logs in detail?
>
> Thanks again for your time.
You should read the section of the opendkim(8) man page called OPERATION. It explains how the filter decides whether or not it should sign a message. There are two requirements: (a) the mail must be "From:" a domain for which you should be signing, and (b) the SMTP client sending the mail must be classified as internal, so you don't end up signing mail that actually comes from unauthorized sources even if the domain name is right.

So looking at these log entries, you probably did get a domain name match on the mail, satisfying (a) above; however:

> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 no MTA name match
You didn't have any configuration information that indicates what MTA names should be considered as internal sources;

> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 [10.255.0.2] [10.255.0.2] not internal
The internal host table does not contain 10.255.0.2, your SMTP client;

> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 not authenticated
...and SMTP AUTH was not done by the SMTP client sending the mail. So condition (b) above has not been met, so it will not sign your mail.

> Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096: no signature data
So it tried to verify the mail instead, and this log entry indicates it was not signed.

Try adding 10.255.0.2 (or perhaps that whole subnet) to your internal hosts table and try sending again. Check the opendkim.conf(5) man page for the InternalHosts setting description.

-MSK

Received on Fri Mar 12 2010 - 23:14:41 PST
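
The log reading walked through in the reply above, as an added example that is not part of the original thread or of OpenDKIM itself: a Python script that groups LogWhy lines by job ID and reports when the MTA name, internal host and SMTP AUTH checks all failed. The sample log is constructed from the lines quoted in the thread; treating the second bracketed value as the client IP is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample built from the LogWhy lines quoted in this thread.
SAMPLE_LOG = """\
Mar 12 23:56:06 mail01 opendkim[25079]: OpenDKIM Filter v2.0.0 starting (args: -x /etc/opendkim.conf)
Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 no MTA name match
Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 [10.255.0.2] [10.255.0.2] not internal
Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096 not authenticated
Mar 12 23:59:31 mail01 opendkim[25079]: o2CLxTPg025096: no signature data
Mar 13 00:33:18 mail01 opendkim[25237]: o2CMXIRV025247 no MTA name match
"""

# The job ID may be followed by a colon, as on the "no signature data" line.
LINE_RE = re.compile(r"opendkim\[\d+\]: (?P<job>\w+):? (?P<msg>.+)$")
# Assumption: the second bracketed value is the client IP address.
NOT_INTERNAL_RE = re.compile(r"^\S+ \[(?P<ip>[^\]]+)\] not internal$")
SOURCE_CHECKS = {"no MTA name match", "not internal", "not authenticated"}
KNOWN = SOURCE_CHECKS | {"no signature data"}

def explain(log_text):
    """Group LogWhy reasons by job ID; startup and other lines are ignored."""
    jobs = defaultdict(lambda: {"reasons": set(), "client_ip": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg, ni = m["msg"], NOT_INTERNAL_RE.match(m["msg"])
        if ni:
            msg = "not internal"
            jobs[m["job"]]["client_ip"] = ni["ip"]
        if msg in KNOWN:
            jobs[m["job"]]["reasons"].add(msg)
    return dict(jobs)

def verdict(info):
    """Map the collected reasons onto condition (b) from the reply above."""
    if SOURCE_CHECKS <= info["reasons"]:
        # MTA name, internal host table and SMTP AUTH all failed.
        return f"not signed: client {info['client_ip']} not classified as internal"
    return "source checks not all failed: " + ", ".join(sorted(info["reasons"]))

if __name__ == "__main__":
    for job, info in explain(SAMPLE_LOG).items():
        print(job, "->", verdict(info))
```
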
