Signing after verifying "unverifiable" messages

From: Дилян Палаузов <>
Date: Wed, 11 Apr 2012 03:48:08 +0200


I observed a situation, which I find strange. OpenDKIM 2.5.2 signs all
emails properly, except the one I submit (over SMTP-Submit). In those
emails, the bh= value was always the same and did not depend on the
content of the message. However, when I turned off the verification in
setup.lua and left only signing, the bh= value started getting right.

Here is my setup.lua script

local mtaname = odkim.get_mtasymbol(ctx, "{daemon_name}")
if mtaname == "sm-80" then
         odkim.sign(ctx, "aegee", "")
elseif mtaname == "sm-localhost" then
-- odkim.verify(ctx)
         odkim.sign(ctx, "aegee", "")
elseif mtaname == "sm-karlsruhe" then
         odkim.sign(ctx, "lists", "")
elseif mtaname == "sm-lists" then
elseif mtaname == "MSA-ssl" then
-- odkim.verify(ctx)
         odkim.sign(ctx, "aegee", "")
elseif mtaname == "MSA-tls" then
-- odkim.verify(ctx)
         odkim.sign(ctx, "aegee", "")
elseif mtaname == "sm-mail" then
         odkim.sign(ctx, "aegee", "")
         odkim.sign(ctx, "aegee", "")
return nil

The point is, that the emails for MSA-tls/MSA-ssl/sm-localhost are not
signed, so the verification is not supposed to do something useful
(except the cases, where the user signs emails before submitting them,
otherwise it adds correctly Authentication-Results:; dkim=none
(no signature) ). But putting those comments there / disabling the
verification really starts generating different bh= for those emails.
Otherwise only emails, that can be verifies, are signed. Any ideas?

Със здраве


AddAllSignatureResults yes
AlwaysAddARHeader yes
AuthservIDWithJobID yes
Canonicalization relaxed/relaxed
#Domain ",,"
DisableADSP yes
EnableCoreDumps yes
InternalHosts file:/etc/mail/dkim/internal-hosts
KeepAuthResults yes
KeyTable file:/etc/mail/dkim/keys.dataset
LogWhy yes
MaximumSignaturesToVerify 5
MilterDebug 10
PidFile /var/run/
#SignatureAlgorithm rsa-sha1
#SingleAuthResult yes
SenderHeaders Sender
#SenderMacro {daemon_name}
SendReports yes
SetupPolicyScript /etc/mail/dkim/setup.lua
Socket local:/var/run/opendkim.sock
SubDomains yes
Syslog yes
SyslogSuccess yes
TemporaryDirectory /dev/shm
WeakSyntaxChecks yes
X-Header yes

opendkim -V
opendkim: OpenDKIM Filter v2.5.2
         Compiled with GnuTLS 3.0.18
         SMFI_VERSION 0x1000001
         libmilter version 1.0.1
         Supported signing algorithms:
         Supported canonicalization algorithms:
         Active code options:
         libopendkim 2.5.2: diffheaders xtags query_cache
Received on Wed Apr 11 2012 - 01:48:25 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:39 PST