Re: opendkim and sendmail starttls auth

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Thu, 7 Jun 2012 06:29:09 -0700 (PDT)

On Thu, 7 Jun 2012, Philippe TEMESI wrote:
> No It's not an open relay of course.
> Users authenticate with a local sasldb. This is the most basic authentication
> method with Sendmail... without ldap, etc.
>
> I wonder why OpenDKIM does not detect that.

The rules for "Should I sign this?" are laid out in the opendkim(8) man
page:

OPERATION
        A message will be verified unless it conforms to the signing criteria,
        which are: (1) the domain on the From: address or Sender: address (if
        present) must be listed by the -d command line switch or the Domain
        configuration file setting, and (2) (a) the client connecting to the
        MTA must have authenticated, or (b) the client connecting to the MTA
        must be listed in the file referenced by the InternalHosts
        configuration file setting (or be in the default list for that
        option), or (c) the client must be connected to a daemon port named by
        the MTAs configuration file setting, or (d) the MTA must have set one
        or more macros matching the criteria set by the MacroList
        configuration file setting.

        For (a) above, the test is whether or not the MTA macro "{auth_type}"
        is set and contains any non-empty value. This means the MTA must pass
        the value of that macro to the filter before or during the
        end-of-header (EOH) phase in order for its value to be tested. Check
        your MTA's configuration documentation for details.

You might try turning on the LogWhy feature and restarting opendkim, then
sending a message. The log will indicate whether or not the MTA passed
the required authentication data to the filter.

(Note that "From and Sender" is wrong in the man page; I'll have to fix
that.)

-MSK
Received on Thu Jun 07 2012 - 13:29:30 PST
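To make the signing rules quoted from opendkim(8) concrete, here is an added example that is not OpenDKIM's own code: a small Python simulation of the decision the filter makes for one message, given the macros the MTA actually exported to it by end-of-header. Configuration keys are named after the opendkim.conf options in the man page excerpt, but the values, the function names (`decide`, `author_domain`, `run_samples`) and the sample scenarios are constructed for illustration; as a simplification it looks only at the From: header, not Sender:.

```python
"""Simulate OpenDKIM's sign-or-verify decision for one message.

Added example, not OpenDKIM's own code. It models the opendkim(8) rules
quoted in the message: sign only if the author domain is in the Domain
list AND one of (a) {auth_type} non-empty, (b) client in InternalHosts,
(c) daemon port name in MTAs, (d) a MacroList macro matches. Config keys
are named after opendkim.conf options; values, function names and the
sample messages are constructed for illustration.
"""
from email.utils import parseaddr
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed configuration (option names follow opendkim.conf; values are made up).
CONFIG = {
    "Domain": {"example.com"},                        # -d / Domain
    "InternalHosts": ["127.0.0.0/8", "::1", "192.0.2.0/24"],
    "MTAs": {"MSA"},                                  # daemon port names to sign for
    "MacroList": {"{daemon_name}": {"MSA"}},          # macro name -> accepted values
}


def author_domain(headers: Dict[str, str]) -> Optional[str]:
    """Domain of the From: address (lower-cased); None if absent or unparseable.
    Simplification: Sender: is ignored here."""
    _, addr = parseaddr(headers.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rpartition("@")[2].lower()


def decide(macros: Dict[str, str], client_ip: Optional[str],
           headers: Dict[str, str], config=CONFIG) -> Tuple[str, str]:
    """Return ("sign", why) or ("verify", why), testing in the order opendkim(8) lists.
    `macros` holds whatever the MTA exported to the filter by end-of-header."""
    domain = author_domain(headers)
    if domain is None or domain not in config["Domain"]:
        return "verify", f"author domain {domain!r} is not in Domain"
    # (a) the MTA passed a non-empty {auth_type} macro
    if macros.get("{auth_type}"):
        return "sign", f"client authenticated ({{auth_type}}={macros['{auth_type}']})"
    # (b) client address listed in InternalHosts
    if client_ip is not None:
        addr = ip_address(client_ip)
        for net in config["InternalHosts"]:
            if addr in ip_network(net, strict=False):
                return "sign", f"client {client_ip} is in InternalHosts ({net})"
    # (c) connection arrived on a daemon port named in MTAs
    if macros.get("{daemon_name}") in config["MTAs"]:
        return "sign", f"daemon port {macros['{daemon_name}']} is in MTAs"
    # (d) a macro in MacroList carries an accepted value
    for name, accepted in config["MacroList"].items():
        if macros.get(name) in accepted:
            return "sign", f"macro {name}={macros[name]} matched MacroList"
    return "verify", "no signing criterion matched; was {auth_type} exported before EOH?"


# Constructed scenarios: same From: header, differing in what the MTA exported.
SAMPLES = {
    "sasl_auth_exported":     ({"{auth_type}": "LOGIN", "{daemon_name}": "MTA"}, "203.0.113.5"),
    "sasl_auth_not_exported": ({"{daemon_name}": "MTA"}, "203.0.113.5"),  # the symptom in the thread
    "internal_host":          ({"{daemon_name}": "MTA"}, "192.0.2.10"),
    "submission_port":        ({"{daemon_name}": "MSA"}, "203.0.113.5"),
}
HEADERS = {"From": "Alice <alice@example.com>"}


def run_samples() -> Dict[str, str]:
    """Decision ("sign"/"verify") for each constructed scenario, keyed by name."""
    return {name: decide(macros, ip, HEADERS)[0] for name, (macros, ip) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (macros, ip) in SAMPLES.items():
        action, why = decide(macros, ip, HEADERS)
        print(f"{name:24s} -> {action:6s} ({why})")
```

The second scenario is the situation described in the thread: the client really did SASL-authenticate, but because the MTA never handed `{auth_type}` to the filter, criterion (a) fails and the message is verified like any outside connection. With sendmail, the macros exported at MAIL FROM are selected by `confMILTER_MACROS_ENVFROM` in sendmail.mc (`Milter.macros.envfrom` in the generated sendmail.cf); check that `{auth_type}` is in that list, and use LogWhy to confirm which criterion the filter reports as failing.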
