Re: opendkim and sendmail starttls auth

From: Philippe TEMESI <philippe.temesi_at_gmail.com>
Date: Thu, 07 Jun 2012 23:24:12 +0200

Thank you. {auth_type} was the key.

Finally I've got the solution.

My sendmail configuration was wrong.

The 'confMILTER_MACROS_ENVFROM' parameter was set to '{auth_authen}' only.
So no '{auth_type}' was passed to OpenDKIM.

After adding that everything works fine now.

I don't know if it's correct but now it's set like this:
define(`confMILTER_MACROS_ENVFROM', `i,*{auth_type}*, {auth_authen},
{auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')

Anyway all of this has forced me to look further in sendmail's
configuration... That's probably a good thing.

Kind regards,

Philippe

On 7/06/2012 15:29, Murray S. Kucherawy wrote:
> On Thu, 7 Jun 2012, Philippe TEMESI wrote:
>> No, it's not an open relay of course.
>> Users authenticate with a local sasldb. This is the most basic
>> authentication method with Sendmail... without ldap, etc.
>>
>> I wonder why OpenDKIM does not detect that.
>
> The rules for "Should I sign this?" are laid out in the opendkim(8)
> man page:
>
> OPERATION
> A message will be verified unless it conforms to the signing criteria,
> which are: (1) the domain on the From: address or Sender: address (if
> present) must be listed by the -d command line switch or the Domain
> configuration file setting, and (2) (a) the client connecting to the
> MTA must have authenticated, or (b) the client connecting to the MTA
> must be listed in the file referenced by the InternalHosts
> configuration file setting (or be in the default list for that
> option), or (c) the client must be connected to a daemon port named by
> the MTAs configuration file setting, or (d) the MTA must have set one
> or more macros matching the criteria set by the MacroList
> configuration file setting.
>
> For (a) above, the test is whether or not the MTA macro "{auth_type}"
> is set and contains any non-empty value. This means the MTA must pass
> the value of that macro to the filter before or during the
> end-of-header (EOH) phase in order for its value to be tested. Check
> your MTA's configuration documentation for details.
>
> You might try turning on the LogWhy feature and restarting opendkim,
> then sending a message. The log will indicate whether or not the MTA
> passed the required authentication data to the filter.
>
> (Note that "From and Sender" is wrong in the man page; I'll have to
> fix that.)
>
> -MSK
Received on Thu Jun 07 2012 - 21:24:33 PST
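
Added example, not part of the original messages or of OpenDKIM/sendmail: a small Python check that reads a sendmail .mc file and reports whether {auth_type} is in a milter macro list sent no later than end-of-header, which is the condition (2)(a) test quoted above. The function names, the sample .mc snippets and the list of stage suffixes are assumptions made for this illustration.

```python
import re

# Stages that run after SMTP AUTH and no later than end-of-header.
# Assumption: these confMILTER_MACROS_* suffixes exist in your sendmail version.
STAGES_BEFORE_EOH = ("ENVFROM", "ENVRCPT", "DATA", "EOH")

# define(`confMILTER_MACROS_<STAGE>', `<macro list>'), possibly wrapped
# over several lines as in the message above.
DEFINE_RE = re.compile(
    r"define\(\s*`confMILTER_MACROS_(\w+)'\s*,\s*`([^']*)'\s*\)")


def milter_macros(mc_text):
    """Return {stage: [macro, ...]} for every active confMILTER_MACROS_* define."""
    # Drop m4 "dnl" comments so commented-out defines are ignored.
    active = "\n".join(re.sub(r"\bdnl\b.*", "", ln)
                       for ln in mc_text.splitlines())
    stages = {}
    for stage, body in DEFINE_RE.findall(active):
        # A later define overrides an earlier one, as in m4.
        stages[stage] = [m.strip() for m in body.split(",") if m.strip()]
    return stages


def audit(mc_text):
    """Return 'passed', 'missing' or 'default' for the {auth_type} macro."""
    stages = milter_macros(mc_text)
    if any("{auth_type}" in stages.get(s, []) for s in STAGES_BEFORE_EOH):
        return "passed"    # the filter can see that the client authenticated
    if "ENVFROM" not in stages:
        return "default"   # not overridden: sendmail's built-in list applies
    return "missing"       # overridden without {auth_type}: AUTH users unsigned


# Constructed samples: the broken setting described above and the corrected one.
BROKEN_MC = "define(`confMILTER_MACROS_ENVFROM', `{auth_authen}')dnl\n"
FIXED_MC = (
    "define(`confMILTER_MACROS_ENVFROM', `i, {auth_type}, {auth_authen},\n"
    "{auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}')dnl\n"
)

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_MC), ("fixed", FIXED_MC)):
        print(name, "->", audit(text))
```

A "missing" result corresponds to the situation in this thread: authenticated submissions are verified instead of signed, and the LogWhy output suggested above shows the reason.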
