RE: Internal and External Hosts

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Tue, 6 Dec 2011 11:28:32 -0800

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Nikolaos Milas
> Sent: Tuesday, December 06, 2011 11:05 AM
> To: opendkim-users_at_lists.opendkim.org
> Subject: Internal and External Hosts
>
> Hello,
>
> We are planning the deployment of DKIM signatures using OpenDKIM on
> Centos 5.7. On the same box we have one Outgoing (SMTP) mail server
> (Postfix) which serves internal clients (on the LAN) and external
> (outside of the organizational LAN) SASL-authenticated clients. We want
> to sign mail messages by clients when they send mail using addresses of
> the form: *_at_example.com, *_at_department1.example.com,
> *_at_department2.example.com, ...
>
> I would like to ask: In order to sign correctly outgoing mail for all
> our clients, is it sufficient to declare 127.0.0.1 as InternalHosts? In
> other words, the opendkim.conf "InternalHosts" setting applies to mail
> clients (local or SASL-authenticated), or in fact only 127.0.0.1 is an
> "InternalHost" since only 127.0.0.1 is actually sending mail?
>
> In essence, what exactly is really matched by OpenDKIM against
> InternalHosts entries (i.e. what is happening behind the scene)?
>
> So, if:
>
> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
> InternalHosts refile:/etc/opendkim/TrustedHosts
>
> then /etc/opendkim/TrustedHosts should be:
>
> 127.0.0.1
> department1.example.com
> department2.example.com
> ...
> example.com
>
> or just:
>
> 127.0.0.1
>
> ??

You probably don’t want both sets to be the same. InternalHosts identifies sources of mail (by host/domain or IP/netblock) whose mail should be signed; ExternalIgnoreList identifies sources of mail that will claim to be you, but for which you shouldn't sign. The latter basically just silences a warning to tell you mail from some outside source is trying to send mail as you, when you might already be aware of that and don't want opendkim whining about it in the logs.

So if the mail you're going to sign is only coming from localhost -- that is, the SMTP connection to the mail server attached to opendkim will always come from localhost -- then you only need the single entry (and, in fact, that's the default, so you don't need to specify InternalHosts at all). If it might come from other IP addresses or hosts besides localhost, you should list them all (including localhost, as you've done).

Hope that clears it up...

-MSK
Received on Tue Dec 06 2011 - 19:28:40 PST
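The distinction Murray draws above (InternalHosts decides who gets signed, ExternalIgnoreList only silences the "someone outside is sending as you" warning) is easier to see with a small model of the matching. The following is an added illustration, not code from the thread or from OpenDKIM itself: it treats each list entry as either an IP/CIDR netblock compared against the connecting client's address, or a hostname compared against the client's hostname, and it assumes (my convention here, not necessarily OpenDKIM's exact parsing rules) that an entry starting with "." matches any subdomain while a bare hostname matches exactly. The list contents are constructed sample values.

```python
import ipaddress

# Constructed sample lists in TrustedHosts style (not the poster's files).
INTERNAL_HOSTS = [
    "127.0.0.1",                        # the default: mail handed to the MTA on localhost
    "10.0.0.0/8",                       # the LAN, as an IP netblock
    "mail.department1.example.com",     # one specific host
    ".department2.example.com",         # assumed convention: any host under this domain
]
EXTERNAL_IGNORE = [
    "203.0.113.0/24",                   # e.g. a known outside relay that legitimately sends as us
]
OUR_DOMAINS = {"example.com", "department1.example.com", "department2.example.com"}


def parse_entry(entry):
    """Classify one list line as a netblock or a hostname; comments/blanks are skipped."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    try:
        # A bare address such as 127.0.0.1 becomes a /32 (or /128) network.
        return ("net", ipaddress.ip_network(entry, strict=False))
    except ValueError:
        return ("host", entry.lower().rstrip("."))


def matches(client_ip, client_hostname, entries):
    """True if the connecting client's IP or hostname is covered by any entry."""
    ip = ipaddress.ip_address(client_ip)
    host = (client_hostname or "").lower().rstrip(".")
    for raw in entries:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        kind, value = parsed
        if kind == "net":
            # Mixed IPv4/IPv6 comparisons simply evaluate False here.
            if ip in value:
                return True
        elif value.startswith("."):
            if host.endswith(value):
                return True
        elif host == value:
            return True
    return False


def classify(client_ip, client_hostname, from_domain,
             internal=INTERNAL_HOSTS, external_ignore=EXTERNAL_IGNORE,
             our_domains=OUR_DOMAINS):
    """Model of the behaviour described in the reply.

    "sign"  : the source is internal, so the message is signed.
    "warn"  : an outside source claims one of our domains and is not excused.
    "ignore": either the source is outside but listed in ExternalIgnoreList
              (warning suppressed), or it is not claiming to be us at all.
    """
    if matches(client_ip, client_hostname, internal):
        return "sign"
    if from_domain.lower() in our_domains:
        if matches(client_ip, client_hostname, external_ignore):
            return "ignore"
        return "warn"
    return "ignore"


if __name__ == "__main__":
    # Postfix handing a locally submitted message to the milter over 127.0.0.1.
    print(classify("127.0.0.1", None, "example.com"))                        # sign
    # A LAN workstation talking to the MTA directly.
    print(classify("10.20.30.40", "pc42.lan", "department1.example.com"))    # sign
    # A roaming SASL-authenticated laptop: authentication is not what is
    # matched, the connecting source is, so this is not signed.
    print(classify("198.51.100.7", "dsl-7.isp.example.net", "example.com"))  # warn
    # The excused outside relay: not signed, but no log noise either.
    print(classify("203.0.113.9", "relay.partner.example.net", "example.com"))  # ignore
```

The third case is the one the original question turns on: whether a SASL-authenticated client's mail is signed depends on which address the SMTP connection reaching the milter comes from, which is why a localhost-only InternalHosts is sufficient exactly when every signed message is injected via localhost.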