Hi Todd,
At 12:06 20-05-10, Todd Lyons wrote:
>I am setting up opendkim 2.0.4 on a CentOS 5 box that is the mail
>server for our local LUG mailing list (mailman), with the goal of
>getting outbound mailing list email to be signed with our dkim key.
>Here is the status at present:
>
>1. Verification works flawlessly.
>2. Signing of locally generated emails from a shell account works flawlessly.
>3. Emails run through mailman do not get signed.
Thanks for the feedback. The openlist-dev mailing list (not using
mailman) is DKIM signed. We have only encountered one verification
issue which is unrelated to OpenDKIM.
>#3 seems obvious at first because the from address could be any of the
>few hundred participants of the list. I'm having trouble wrapping my
Yes.
>head around what I need to do to make it sign all outbound list email.
> This is what I see in the logs when I send an email myself to the
>list:
>
>May 20 08:20:23 penguin opendkim[4008]: o4KFJava004024 no signing
>domain match for `ivenue.com'
>May 20 08:20:23 penguin opendkim[4008]: o4KFJava004024 no signing
>subdomain match for `ivenue.com'
>May 20 08:20:23 penguin opendkim[4008]: o4KFJava004024: no signature data
>
>My gut reaction is that the only thing I can do to make this work
>right is to export all of the subscribers into a text file and
>generate a KeyTable from it. The KeyTable configuration appears to be
Yes, but it would be an administrative headache to do it that way.
>a little more complex than it was on dkim-milter. I have a multi
The KeyTable was changed to support SQL and LDAP.
>domain dkim signing process working on a server running dkim-milter,
>but on this server I cannot get opendkim to start if I uncomment the
>KeyTable line. It blurts out:
>
># /etc/init.d/opendkim restart
>Stopping OpenDKIM Milter: opendkim [ OK ]
>Starting OpenDKIM Milter: opendkim: /usr/local/etc/opendkim.conf: at
>least one selector and key required for signing mode
>opendkim [FAILED]
You did not specify the selector. The KeyTable format for a text file is:

  example.org example.org:selector:/path/to/private_key

Define a SigningTable as follows in your opendkim.conf file:

  SigningTable refile:/path/signingtable

In that file:

  *@example.org example.org

Or, to sign all mail:

  * example.org

The first entry will match the address in the "From:" header.

You can use the ResignTo feature to sign mail sent by the mailing
list. Add the following to your opendkim.conf file:

  ResignMailTo /path/resignmail

In that file, add:

  list-name@example.org

You can use a comma-separated list for the different mailing list addresses.
>What obvious thing(s) am I missing? What does opendkim need different
>in this configuration for it to sign emails submitted to a mailman
>mailing list? And what does opendkim need different in this
>configuration for it to start when I tell it to use KeyTable? I
>suspect I need to somehow incorporate the SigningTable function, but
>the description of that does not make sense to me yet.
Is the documentation for SigningTable confusing?
>P.S. This does happen to be mailman 2.1.9, the version that strips all
>dkim signatures from emails submitted to the list. I don't care about
>that part, I just want the mail server to sign outbound
You should be able to configure mailman not to strip the DKIM
signature, i.e. if you want that.
Regards,
-sm
Received on Thu May 20 2010 - 19:57:10 PST
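
An added example, not part of the original message and not OpenDKIM code: a small Python check for the text-file KeyTable and SigningTable layouts described in the reply, showing why a "*@example.org" rule leaves a list post carrying a subscriber's From: address unsigned while "*" signs it. The sample tables, the function names, the '#' comment handling and the first-match rule are assumptions of this sketch.

```python
import re

# Constructed sample tables in the text-file layout quoted in the reply.
KEYTABLE = """\
example.org example.org:selector:/path/to/private_key
broken.example broken.example:/path/to/private_key
"""
SIGNINGTABLE = """\
*@example.org example.org
*@lists.example nosuchkey
"""

def _rows(text):
    """Yield (line_number, fields), skipping blank and '#' comment lines."""
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            yield n, line.split()

def parse_keytable(text):
    """Return ({keyname: (domain, selector, keypath)}, [problems])."""
    keys, problems = {}, []
    for n, fields in _rows(text):
        value = fields[1].split(":") if len(fields) == 2 else []
        if len(value) == 3 and all(value):
            keys[fields[0]] = tuple(value)
        else:  # e.g. the selector was left out of the entry
            problems.append(f"KeyTable line {n}: want 'name domain:selector:keypath'")
    return keys, problems

def parse_signingtable(text, keys):
    """Return ([(compiled pattern, keyname)], [problems])."""
    rules, problems = [], []
    for n, fields in _rows(text):
        if len(fields) != 2:
            problems.append(f"SigningTable line {n}: want 'pattern keyname'")
        elif fields[1] not in keys:
            problems.append(f"SigningTable line {n}: key '{fields[1]}' not in KeyTable")
        else:
            # Only '*' is treated as a wildcard; everything else is literal.
            rx = ".*".join(re.escape(p) for p in fields[0].split("*"))
            rules.append((re.compile(rx, re.IGNORECASE), fields[1]))
    return rules, problems

def signing_key_for(from_addr, rules):
    """First matching rule wins (assumption of this sketch); None = unsigned."""
    for rx, keyname in rules:
        if rx.fullmatch(from_addr):
            return keyname
    return None
```
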