RE: how to setup opendkim for signing all outgoing mails

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Wed, 9 May 2012 13:38:19 +0000

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Matthias Weiss
> Sent: Wednesday, May 09, 2012 2:02 AM
> To: opendkim-users_at_lists.opendkim.org
> Subject: Re: how to setup opendkim for signing all outgoing mails
>
> > If the Sender field is always the same, then you can use that to make
> > the signing choice.
>
> It is. But we have a multisite webserver setup and I'm concerned that
> maybe configuration will be set wrong in the future and we lose the
> Sender field.
> If that happens we'll send unsigned mails and this will probably go unnoticed.
> So I'd like to have a solution that doesn't rely on the Sender field.

If you don't want to key it on a part of the message, then you have to sign everything that comes from particular IP addresses. This is obviously risky because anything that can be sent through your filter from those addresses gets signed regardless of what's in the Sender, From, or other fields.

> Currently I'm using only the "SenderHeaders" option in opendkim.conf
> and that is sufficient to have all mails signed.
>
> I tried your suggestion, this is what I did:
>
> /etc/opendkim/opendkim.conf:
> ...
> Domain mydomain.com
> SenderHeaders csl:Sender
> KeyTable refile:/etc/opendkim/key_table
> SigningTable refile:/etc/opendkim/signing_table
> ...
>
>
> /etc/opendkim/key_table:
> my_dk_specifier mydomain.com:mail:/etc/opendkim/mydomain.key
>
>
> /etc/opendkim/signing_table:
> postmaster_at_mydomain.com my_dk_specifier @mydomain.com
>
>
> I then send a mail with the postfix "sendmail" command specifying a
> bogus Sender address "test_at_doesnotexist.net". When I use this I'm
> getting the log entry:
>
> May 09 10:48:12 [opendkim] 12A3F180E0: no signing table match for
> 'test_at_doesnotexist.net'

Correct. Your signing_table needs an entry for that address, but it doesn't.

> When I comment out the SenderHeaders option opendkim uses the 'From' field and
> also signs no mail because it doesn't find a domain key for the domain of the
> 'From' mail address.
>
> Did I miss something?

Modify your signing_table to include an entry for 'test_at_doesnotexist.net' and try again.

If you want to unbind it from all header fields, use "*" instead of a user_at_host in the signing_table.

-MSK
Received on Wed May 09 2012 - 13:38:32 PST
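As an added illustration of the signing_table lookup discussed above (example code written for this page, not OpenDKIM's own implementation), the script below emulates how a refile-style SigningTable and a KeyTable decide which key signs a message. The key-table name my_dk_specifier, the domain mydomain.com, the sample messages and the tables are constructed; it assumes that "*" matches any run of characters, that comparison is case-insensitive, and that the first matching row wins. It reproduces the "no signing table match" outcome from the thread when the table is keyed on addresses, and shows what MSK warns about: with a bare "*" entry, a message whose From and Sender are both outside the signing domain is still signed with the mydomain.com key.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed tables in OpenDKIM's "refile:" style ("*" is a wildcard).
# The key-table name "my_dk_specifier" and mydomain.com are the thread's own
# placeholders; everything else here is assumed for the example.
KEY_TABLE = """
# name            domain:selector:private-key-file
my_dk_specifier   mydomain.com:mail:/etc/opendkim/mydomain.key
"""

# Keyed on addresses: only mail whose selected header is in mydomain.com signs.
SIGNING_TABLE_BY_ADDRESS = """
postmaster@mydomain.com  my_dk_specifier
*@mydomain.com           my_dk_specifier
"""

# The "*" variant from the reply: every message reaching the filter is signed.
SIGNING_TABLE_SIGN_ALL = """
*  my_dk_specifier
"""


def parse_table(text):
    """Split a two-column table into (key, value) pairs; '#' starts a comment."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows


def parse_key_table(text):
    """KeyTable values are domain:selector:keyfile; return {name: dict}."""
    keys = {}
    for name, spec in parse_table(text):
        domain, selector, keyfile = spec.split(":", 2)
        keys[name] = {"domain": domain, "selector": selector, "keyfile": keyfile}
    return keys


def wildcard_to_regex(pattern):
    """Turn a refile-style key ('*@mydomain.com', '*') into an anchored regex.

    Assumption: '*' matches any run of characters and the comparison is
    case-insensitive; every other character is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def selected_address(msg, sender_headers=("From",)):
    """Emulate SenderHeaders: the first listed header that is present supplies
    the address the signing table is keyed on (OpenDKIM's default is From)."""
    for header in sender_headers:
        if msg[header] is not None:
            return parseaddr(msg[header])[1]
    return None


def choose_signing_key(raw_message, signing_table_text, key_table_text,
                       sender_headers=("From",)):
    """Return the key-table entry that would sign the message, or None when
    there is no signing table match (the condition behind the thread's log line).
    Assumption: the first matching signing-table row wins."""
    msg = message_from_string(raw_message)
    address = selected_address(msg, sender_headers)
    if address is None:
        return None
    keys = parse_key_table(key_table_text)
    for pattern, keyname in parse_table(signing_table_text):
        if wildcard_to_regex(pattern).match(address):
            return keys[keyname]
    return None


# Constructed message mirroring the test in the thread: From outside the
# signing domain plus a bogus Sender, as a misconfigured web site might emit.
MSG_BOGUS_SENDER = """\
From: noreply@othersite.example
Sender: test@doesnotexist.net
To: someone@example.org
Subject: constructed sample

body
"""

MSG_POSTMASTER = """\
From: postmaster@mydomain.com
To: someone@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for label, table in (("by address", SIGNING_TABLE_BY_ADDRESS),
                         ("sign all", SIGNING_TABLE_SIGN_ALL)):
        key = choose_signing_key(MSG_BOGUS_SENDER, table, KEY_TABLE, ("Sender",))
        print(f"{label:10s} SenderHeaders=Sender ->",
              "d=" + key["domain"] if key else "no signing table match")
```

Running it prints "no signing table match" for the address-keyed table and "d=mydomain.com" for the "*" table on the same message. That second line is the trade-off in the reply: the "*" entry removes the dependence on the Sender field, but then anything that can reach the filter from the signing hosts carries your signature whatever its From or Sender says, so the set of hosts allowed to submit through the filter becomes the only control.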

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:40 PST