Re: opendkim getting hardfail with Google

From: Chris C <mazzystr_at_gmail.com>
Date: Wed, 9 Mar 2011 15:53:41 -0500

I thought I had this working but again something is happening.

Do you guys have some time to assist?

Thanks,
/Chris C

On Wed, Mar 9, 2011 at 2:07 PM, Chris C <mazzystr_at_gmail.com> wrote:
> I went with option 3.
>
> I added this to /etc/opendkim.conf...
> ReplaceRules            /etc/mail/dkim/replace_rules
>
> and added this to /etc/mail/dkim/replace_rules...
> _at_mailgate1.akc.org      @akc.org
>
> and I get this from Google...
> Authentication-Results: mx.google.com; spf=pass (google.com: domain of
> crc_at_akc.org designates 74.203.101.147 as permitted sender)
> smtp.mail=crc_at_akc.org; dkim=pass header.i=_at_akc.org
>
> Thanks for your help Gents!
>
> /Chris C
>
>
>
> On Wed, Mar 9, 2011 at 1:53 PM, Murray S. Kucherawy <msk_at_cloudmark.com> wrote:
>>> -----Original Message-----
>>> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Chris C
>>> Sent: Wednesday, March 09, 2011 10:34 AM
>>> To: Murray S. Kucherawy
>>> Cc: opendkim-users_at_lists.opendkim.org
>>> Subject: Re: opendkim getting hardfail with Google
>>>
>>> [...]
>>
>> Your configuration file confirms my suspicion.  After OpenDKIM adds your signature, which covers the From: field, sendmail is changing the From: field which immediately invalidates the signature.
>>
>>> Any ideas?
>>
>> Any of these should give you what you want:
>>
>> 1) Arrange to inject mail into sendmail in a way that won't be modified.  In your case, generate mail as "crc_at_akc.org" instead of with the longer name, which turns masquerading into a no-op.  I use alpine to read my mail at home and doing this via its configuration solved the problem for me.
>>
>> 2) Do some layered sendmail trickery.  (See the end of the top-level README for details.)
>>
>> 3) Enable the "replace rules" feature (--enable-replace_rules at compile time) and then configure them so that OpenDKIM will anticipate the rewrite sendmail will do, meaning it will sign the mail as though the rewrite had already occurred, and thus it should pass.  See "ReplaceRules" in opendkim.conf(5) for details.
>>
>> 4) Use the Lua "setup" script's odkim.replace_header() function to do the same thing.
>>
>> -MSK
>>
>>
>>
>>
>
Received on Wed Mar 09 2011 - 20:53:54 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:16 PST