Thanks for replying. Actually, you beat me to an update by about 5 mins.
Turns out I misspoke (mistyped?). When the remote server started working in
my testing, I didn't notice that the local server stopped signing mail.
The refile that you mentioned was actually causing the problem. If the
/etc/opendkim.conf file reads:
InternalHosts refile:/etc/mail/dkim/trusted-hosts
Then it appears to only accept the first entry in that file (perhaps if it were
a list of regexes it would be different, but I just tested the remote hostname
and the local loopback). Whichever one was listed first was seen as internal
and allowed to sign.
If I change it to simply:
InternalHosts /etc/mail/dkim/trusted-hosts
Then it works as expected - not caring about how many hosts or IPs are listed,
or in which order.
SJ
From: opendkim-users-bounce_at_lists.opendkim.org
[mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Murray S.
Kucherawy
Sent: Tuesday, October 05, 2010 10:07 PM
To: opendkim-users_at_lists.opendkim.org
Subject: RE: InternalHosts Issue
Interesting. It should be matching on that based on that input. I'll see
if I can simulate what you're seeing and thus figure out if it's a bug or
not.
One thing though: You don't need "refile" for a file that contains no
wildcards or regular expressions on which to match. Since everything in
there is a string, you can just change it to "file".
-MSK
From: opendkim-users-bounce_at_lists.opendkim.org
[mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Steve Jenkins
Sent: Tuesday, October 05, 2010 9:24 PM
To: opendkim-users_at_lists.opendkim.org
Subject: RE: InternalHosts Issue
Well, I think I answered my own issue. For some reason I don't understand,
the localhost IP (127.0.0.1/8) must appear LAST in the trusted-hosts list.
If it appears before any of the other trusted hosts, those other hosts
aren't considered "internal." Can someone confirm this is a feature and not
a bug? I couldn't find anything on Google that explains why this works this
way, but I'm glad I figured it out and mail from my trusted host is now
being signed. :)
SteveJ
From: opendkim-users-bounce_at_lists.opendkim.org
[mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Steve Jenkins
Sent: Tuesday, October 05, 2010 5:11 PM
To: opendkim-users_at_lists.opendkim.org
Subject: InternalHosts Issue
I've googled for the answer, and searched through the archives, but can't
seem to see what I'm doing wrong. It's GOTTA be something simple that I'm
overlooking. :)
I have two servers: Zork and Yar. Both are running Postfix and Zork is
running OpenDKIM (2.2.0 released on 10/3/10).
Zork sends signed mail no problem and says:
"Oct 5 16:32:58 zork opendkim[23594]: 0116C15F513: DKIM-Signature header
added"
Yar is set up to relay mail through Zork. I've added Yar's hostname (and IP
for good measure) to the InternalHosts file on Zork, but I still get this
error in Zork's maillog:
Oct 5 17:02:20 zork opendkim[437]: (unknown-jobid): yar.gamerid.com
[216.168.47.162] not internal
Oct 5 17:02:20 zork opendkim[437]: (unknown-jobid): not authenticated
Oct 5 17:02:20 zork opendkim[437]: 7DE9915F513: no signature data
Here's my /etc/opendkim.conf:
##
## opendkim.conf -- configuration file for OpenDKIM filter
##
## $Id: opendkim.conf.sample,v 1.5 2010/03/05 03:32:12 mmarkley Exp $
##
ADSPAction Continue
ADSPNoSuchDomain Yes
AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/mail/dkim/trusted-hosts
InternalHosts refile:/etc/mail/dkim/trusted-hosts
KeyTable refile:/etc/mail/dkim/keyTable
LogWhy Yes
On-Default accept
On-BadSignature accept
On-DNSError tempfail
On-InternalError accept
On-NoSignature accept
On-Security tempfail
PidFile /var/run/opendkim/dkim-milter.pid
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/mail/dkim/signingTable
Socket inet:20209_at_localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim-milt:opendkim-milt
X-Header Yes
Here's my /etc/mail/dkim/trusted-hosts file:
127.0.0.1
216.168.47.162
yar.gamerid.com
I've been pulling my hair out. I'm not sure what else OpenDKIM needs to
accept Yar as "internal." Can anyone shove me in the right direction?
Thanks in advance,
Steve
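The thread turns on how the entries in the InternalHosts file are matched: with a plain file: data set each line is a hostname, a ".domain" suffix, an IP address or a CIDR block, and any matching line makes the client "internal", whereas with refile: each line is treated as a pattern. The script below is an added illustration, not OpenDKIM's code or anything from this list; it models the documented file: forms in Python and, as a labelled assumption, the refile: convention of "*" as a wildcard with everything else literal and anchored. Running it against the constructed trusted-hosts list shows that yar.gamerid.com matches regardless of the order of the lines, and why a CIDR block or a bare ".domain" suffix does not match when the same list is read as patterns.

```python
import ipaddress
import re

# Constructed sample of an InternalHosts list in the plain "file:" form.
# The first three entries are the ones from the thread; the last two are
# added to show the ".domain" suffix and CIDR forms documented for the
# InternalHosts/PeerList data sets.
TRUSTED_HOSTS = """\
# comments and blank lines are ignored
127.0.0.1
216.168.47.162
yar.gamerid.com
.relay.example.net
10.0.0.0/8
"""


def parse_hosts(text):
    """Return the non-empty, non-comment entries of a trusted-hosts file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries


def _file_entry_matches(entry, ip, hostname):
    """Match one 'file:' entry against the connecting client's IP and hostname."""
    try:
        if "/" in entry:                       # CIDR block
            return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
        return ipaddress.ip_address(ip) == ipaddress.ip_address(entry)   # single address
    except ValueError:
        pass                                   # not an address: treat as a name
    if hostname is None:
        return False
    h = hostname.lower().rstrip(".")
    e = entry.lower().rstrip(".")
    if e.startswith("."):                      # ".domain" matches any host under it
        return h.endswith(e)
    return h == e                              # exact hostname


def is_internal(entries, ip, hostname=None):
    """True if ANY entry matches; the order of the file is irrelevant."""
    return any(_file_entry_matches(e, ip, hostname) for e in entries)


def matching_entries(entries, ip, hostname=None):
    """All entries that would make this client internal (useful when debugging 'not internal')."""
    return [e for e in entries if _file_entry_matches(e, ip, hostname)]


def refile_pattern(entry):
    """ASSUMED refile: conversion: '*' is a wildcard, everything else literal, anchored."""
    parts = [re.escape(p) for p in entry.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def is_internal_refile(entries, ip, hostname=None):
    """Same list read as patterns: each pattern is tried against the IP string and the hostname."""
    patterns = [refile_pattern(e) for e in entries]
    subjects = [ip] + ([hostname] if hostname else [])
    return any(p.match(s) for p in patterns for s in subjects)


if __name__ == "__main__":
    hosts = parse_hosts(TRUSTED_HOSTS)
    for order, lst in (("as listed", hosts), ("reversed", list(reversed(hosts)))):
        print(order, "->", is_internal(lst, "216.168.47.162", "yar.gamerid.com"),
              matching_entries(lst, "216.168.47.162", "yar.gamerid.com"))
    # A relay inside the CIDR block: internal with file:, not with the pattern reading.
    print("file:  ", is_internal(hosts, "10.1.2.3", "mx.relay.example.net"))
    print("refile:", is_internal_refile(hosts, "10.1.2.3", "mx.relay.example.net"))
```

The useful habit here is to run the connecting relay's IP and hostname through `matching_entries` whenever the log says "not internal": an empty list means no line of the file covers that client, whatever the data-set type; a non-empty list with a still-failing signer points at the data-set type or at the running configuration rather than the list contents.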
Received on Wed Oct 06 2010 - 05:18:22 PST