Re: opendkim getting hardfail with Google

From: Chris C <mazzystr_at_gmail.com>
Date: Wed, 9 Mar 2011 13:34:17 -0500

Hm, we had that working also. That was the first thing we got working
then built up from there. This is our main email router that has
exchange, strongmail, majordomo lists on other servers sitting behind
this box. We have to masq or business functions would break.

Here is my configuration (minus comments)...

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MASQUERADE_AS(`akc.org')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(`localhost')dnl
MASQUERADE_DOMAIN(`localhost.localdomain')dnl
MASQUERADE_DOMAIN(`mailgate1.akc.org')dnl
INPUT_MAIL_FILTER(`opendkim', `S=inet:8891@127.0.0.1')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl


Any ideas?

Thanks,
/Chris Callegari


On Wed, Mar 9, 2011 at 1:23 PM, Murray S. Kucherawy <msk_at_blackops.org> wrote:
> On Wed, 9 Mar 2011, Chris C wrote:
>>
>> When things were working I would see...
>> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
>> crc_at_akc.org designates 74.203.101.142 as permitted sender)
>> smtp.mail=crc_at_akc.org; domainkeys=pass header.From=crc_at_akc.org
>>
>> Note the header.From header.
>
> Note also that that's domainkeys, not dkim.
>
>> I'm not sure at what point this changed or what directive changed it.
>
> Could be a change on Google's side, that now they prefer DKIM over DK.
>
> Your private test to me also failed.  The "z=" tag tells why:
>
> DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
>        t=1299693952; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
>        h=Date:From:Message-Id:To:Subject:Yes;
>        z=Date:=20Wed,=209=20Mar=202011=2013:05:52=20-0500|From:=20Chris=20
>         Callegari=20<crc_at_mailgate1.akc.org>|Message-Id:=20<201103091805.p2
>         9I5qWL010100_at_mailgate1.akc.org>|To:=20msk_at_blackops.org|Subject:=20
>         TEST;
>        b=Uc4oZ0xTH2n018W+fzwnMni7jh4Ioppr7cHJeXoa576pJbYv0mYOuAFK9CKzv8T+w
>         Hv5elYMv5CpcsnKr95UpQlcViw2dEAj93UEu0HuN+azlB3K9AftLM7fVJN2r3B3fpU
>         sVsngNPtL09xRASS7dhtsdu+DdIhQWueER3J/QRw=
>
> The encoded From: field contains "<crc_at_mailgate1.akc.org>", but the From: I
> got was:
>
> From: Chris Callegari <crc_at_akc.org>
>
> So your sendmail MTA is configured to masquerade, which alters your mail
> post-signature, which breaks the signatures.  See the last section of
> opendkim's README for an explanation.
>
> -MSK
>
Received on Wed Mar 09 2011 - 18:34:29 PST
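
The check done by eye with the "z=" tag in the quoted reply, as an added example that is not part of the original thread or of opendkim: it decodes the header copies stored in "z=" (dkim-quoted-printable, RFC 6376) and reports any header whose received value differs from what was signed. The function names are illustrative assumptions; the sample data is the signature and From: line quoted in the thread.

```python
import re

# From the thread, b= left out; the archive shows "@" as "_at_".
SIGNATURE = """v=1; a=rsa-sha1; c=relaxed/simple; d=akc.org; s=mail;
       t=1299693952; bh=vxHXq7bMZ9+UHGuKBsbQKsDHmmk=;
       h=Date:From:Message-Id:To:Subject:Yes;
       z=Date:=20Wed,=209=20Mar=202011=2013:05:52=20-0500|From:=20Chris=20
        Callegari=20<crc_at_mailgate1.akc.org>|Message-Id:=20<201103091805.p2
        9I5qWL010100_at_mailgate1.akc.org>|To:=20msk_at_blackops.org|Subject:=20
        TEST;"""
# Received headers: the thread shows only From:, so only it is compared.
RECEIVED = {"from": "Chris Callegari <crc_at_akc.org>"}


def z_tag(sig):
    """Return the raw z= tag value from a DKIM-Signature header value."""
    for part in sig.split(";"):
        name, _, value = part.partition("=")
        if name.strip() == "z":
            return value
    return ""


def decode_dkim_qp(text):
    """Decode dkim-quoted-printable: drop folding whitespace, expand =XX."""
    text = re.sub(r"\s+", "", text)
    return re.sub(r"=([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def signed_copies(sig):
    """Map lowercased header name to its value at signing time (from z=)."""
    copies = {}
    for item in z_tag(sig).split("|"):
        name, _, value = item.partition(":")
        if name.strip():
            copies[name.strip().lower()] = decode_dkim_qp(value).strip()
    return copies


def changed_after_signing(sig, received):
    """Return (header, signed, received) for headers altered after signing."""
    signed = signed_copies(sig)
    return [(h, signed[h], v) for h, v in received.items()
            if h in signed and signed[h].split() != v.split()]


if __name__ == "__main__":
    for header, before, after in changed_after_signing(SIGNATURE, RECEIVED):
        print(f"{header}: signed as {before!r}, received as {after!r}")
```

The "z=" tag is optional diagnostic data, so this only works when the signer includes it.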
