Re: Internal and External Hosts

From: SM <sm_at_resistor.net>
Date: Tue, 06 Dec 2011 11:33:39 -0800

Hi Nikolaos,
At 11:04 06-12-2011, Nikolaos Milas wrote:
>We are planning the deployment of DKIM signatures using OpenDKIM on
>Centos 5.7. On the same box we have one Outgoing (SMTP) mail server
>(Postfix) which serves internal clients (on the LAN) and external
>(outside of the organizational LAN) SASL-authenticated clients. We
>want to sign mail messages by clients when they send mail using
>addresses of the form: *@example.com, *@department1.example.com,
>*@department2.example.com, ...
>
>I would like to ask: In order to sign correctly outgoing mail for
>all our clients, is it sufficient to declare 127.0.0.1 as
>InternalHosts? In other words, the opendkim.conf "InternalHosts"
>setting applies to mail clients (local or SASL-authenticated), or in
>fact only 127.0.0.1 is an "InternalHost" since only 127.0.0.1 is
>actually sending mail?
>
>In essence, what exactly is really matched by OpenDKIM against
>InternalHosts entries (i.e. what is happening behind the scene)?

InternalHosts identifies a set of internal hosts whose mail should be
signed rather than verified. Entries in this data set follow the same
form as those of the PeerList option below. If not specified, the
default of "127.0.0.1" is applied. Naturally, providing a value here
overrides the default, so if mail from 127.0.0.1 should be signed,
the list provided here should include that address explicitly.

InternalHost is a way to tell OpenDKIM to work in Sign mode instead
of verify mode.

>So, if:
>
> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts

You do not need the above.

>then /etc/opendkim/TrustedHosts should be:
>
> 127.0.0.1

Put in that IP address only.

Regards,
-sm
Received on Tue Dec 06 2011 - 19:33:50 PST
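
Added example, not part of the original message and not OpenDKIM source code: a simplified Python model of the InternalHosts match described above, showing that a configured list replaces the default of 127.0.0.1 instead of extending it. Assumptions: the address tested is the client address the MTA hands to the filter, only IP and CIDR entries are modelled, the function names and the 192.168.1.0/24 LAN are constructed for illustration, and any other condition OpenDKIM applies before signing is outside this model.

```python
"""Simplified model of the InternalHosts sign/verify split (illustrative only)."""
import ipaddress

# Default from the option description quoted in the reply above.
DEFAULT_INTERNAL_HOSTS = ["127.0.0.1"]


def parse_hosts_file(text):
    """Return the non-empty lines of a TrustedHosts-style file, one entry per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def load_internal_hosts(configured=None):
    """A configured list overrides the default; the two are never merged."""
    if configured is None:
        return list(DEFAULT_INTERNAL_HOSTS)
    return list(configured)


def is_internal(peer_ip, entries):
    """True if peer_ip equals an IP entry or falls inside a CIDR entry."""
    addr = ipaddress.ip_address(peer_ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostname and domain entries are not modelled here
        if addr.version == net.version and addr in net:
            return True
    return False


def mode_for(peer_ip, configured=None):
    """'sign' for a peer matched by InternalHosts, otherwise 'verify'."""
    entries = load_internal_hosts(configured)
    return "sign" if is_internal(peer_ip, entries) else "verify"


if __name__ == "__main__":
    # Constructed sample files: a LAN-only list, and one that also names localhost.
    lan_only = parse_hosts_file("192.168.1.0/24\n")
    lan_and_local = parse_hosts_file("127.0.0.1\n192.168.1.0/24\n")
    for label, hosts in (("default", None), ("LAN only", lan_only),
                         ("LAN + localhost", lan_and_local)):
        for peer in ("127.0.0.1", "192.168.1.20", "203.0.113.9"):
            print(f"{label:16} {peer:14} -> {mode_for(peer, hosts)}")
```

With the LAN-only list, a connection from 127.0.0.1 falls into the verify path, which is the override behaviour the option description warns about.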
