RE: DKIM - InternalHosts

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Wed, 26 Jan 2011 09:55:50 -0800

Ah, I think I see what's going on.

There are, of course, two domain names that have to match for a signature to be added. One comes from the From: field and one comes from the Domain list (or database, depending on your configuration). We do convert the former to lowercase, but we're not converting the latter. So you might say:

Domain NiceExample.com

And you might even have:

From: user_at_NiceExample.com

...but the latter is converted to lowercase while the former is not, so they don't match. I guess it never occurred that someone would put capitalized letters in the configuration file which is why we haven't seen it before.

This will be fixed in 2.3.0.Beta5. Thanks for the report!

-MSK

From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of John Espiro
Sent: Wednesday, January 26, 2011 1:46 AM
To: opendkim-users_at_lists.opendkim.org
Subject: Re: DKIM - InternalHosts

OK, after following the guide from Steve, and your post earlier, I have this working now, with the exception that it seems to be case-sensitive. Is that as-designed? Is there a workaround? What do you think?

Steve

On 1/26/2011 1:12 AM, Murray S. Kucherawy wrote:
Is there an upper/lowercase mismatch between what's in your config file and what's in From:?

From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of John Espiro
Sent: Tuesday, January 25, 2011 4:02 PM
To: opendkim-users_at_lists.opendkim.org
Subject: Re: DKIM - InternalHosts

Hi Murray -
Thanks for your reply.

The Domain line looks like:
Domain domainA.com,domainB.com

There's no space after the comma (I had read a while ago that there were problems with a space). So I wonder what else it could be...

Re: the MTA issue, I'll take a look at my sendmail config - that should be an easy fix.

John

On 1/26/2011 12:09 AM, Murray S. Kucherawy wrote:
Is there a space around the comma in the Domain line? I can't tell from the way this MUA formats your mail. If there is, try without it.

The issue is that "DomainB.com" doesn't appear to be in the domain list. It sees that in your From: but not in the list of domains to sign. Prior to v2.3.0, spaces weren't discarded in the Domain value which can unfortunately lead to mismatches.

"no MTA name match" means the MTA connecting to the filter didn't announce its name as "MSA", matching what you have configured.

The message would be signed if either of those were true.

From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of John Espiro
Sent: Tuesday, January 25, 2011 2:54 PM
To: opendkim-users_at_lists.opendkim.org
Subject: DKIM - InternalHosts

Hi there -

Sorry for the length of this message, however I wanted to fit as much data in to describe the issue I am having...

I had been using DKIM-milter and switched to OpenDKIM just recently. I have 2 domains: domainA.com and domainB.com.

My server handles email for both, and I use mail.domainA.com as my outgoing server for both. (mail.domainA.com is a pointer for domainA.com).

From Thunderbird, via my home connection (sending with the outgoing smtp as mail.domainA.com) from domainB.com as the "from", I see the following:
Jan 25 22:39:59 opendkim[21561]: p0PMdtQh021667: no MTA name match
Jan 25 22:39:59 opendkim[21561]: p0PMdtQh021667: no signing domain match for `DomainB.com'
Jan 25 22:39:59 opendkim[21561]: p0PMdtQh021667: no signing subdomain match for `DomainB.com'
Jan 25 22:39:59 opendkim[21561]: p0PMdtQh021667: no signature data
Sending via my webmail, I see OpenDKIM working perfectly.

From Thunderbird, via my home connection (sending with the outgoing smtp as mail.domainA.com) from domainA.com as the "from", I see OpenDKIM working perfectly. Although it does say "no MTA name match".

1.) What do I need to configure so that sending with domainB.com works?
2.) What does "no MTA name match" mean and how can I fix it?

cat /etc/opendkim.conf:
Syslog yes
UMask 002
Canonicalization relaxed/simple
KeyFile /var/db/dkim/mail.key.pem
MTA MSA
Selector mail
Socket inet:8891@localhost
SignatureAlgorithm rsa-sha256
Syslog Yes
Userid opendkim
X-Header Yes
Mode sv
InternalHosts /etc/dkim-internal-hosts
LogWhy True
cat /etc/dkim-internal-hosts:
ip address of domainA.com
ip address of domainB.com
127.0.0.1/8

John
Received on Wed Jan 26 2011 - 17:56:25 PST
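
The two mismatches discussed in this thread (a space after the comma in the Domain value, and mixed case in a configured domain while the From: domain is lowercased) can be reproduced with a small matcher. This is an added example, not OpenDKIM source code; the names domain_in_list and eq and the sample values are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare n bytes; fold case on both sides only when fold != 0. */
static int eq(const char *a, const char *b, size_t n, int fold)
{
    for (size_t i = 0; i < n; i++) {
        int x = (unsigned char)a[i], y = (unsigned char)b[i];
        if (fold) { x = tolower(x); y = tolower(y); }
        if (x != y) return 0;
    }
    return 1;
}

/* Returns 1 if from_domain matches an entry of a comma-separated Domain value.
 * normalize == 0: entries are used exactly as typed (behaviour in the thread).
 * normalize == 1: entries are trimmed and compared without regard to case. */
int domain_in_list(const char *list, const char *from_domain, int normalize)
{
    char from[256];
    size_t n = strlen(from_domain);
    if (n == 0 || n >= sizeof from) return 0;
    for (size_t i = 0; i <= n; i++)   /* the From: side is always lowercased */
        from[i] = (char)tolower((unsigned char)from_domain[i]);
    for (const char *p = list; *p; ) {
        const char *end = strchr(p, ',');
        if (!end) end = p + strlen(p);
        const char *s = p, *e = end;
        if (normalize) {              /* drop spaces around the comma */
            while (s < e && isspace((unsigned char)*s)) s++;
            while (e > s && isspace((unsigned char)e[-1])) e--;
        }
        if ((size_t)(e - s) == n && eq(s, from, n, normalize)) return 1;
        p = *end ? end + 1 : end;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples modelled on the thread's Domain lines. */
    const char *lists[] = { "NiceExample.com", "domainA.com, domainB.com" };
    const char *froms[] = { "NiceExample.com", "DomainB.com" };
    for (int i = 0; i < 2; i++)
        printf("%-26s From: %-16s as-typed=%d normalized=%d\n", lists[i], froms[i],
               domain_in_list(lists[i], froms[i], 0), domain_in_list(lists[i], froms[i], 1));
    return 0;
}
```

With entries compared as typed, only an all-lowercase list without spaces matches, which is why a message from a configured domain can go out unsigned with "no signing domain match" in the log.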
