RE: OpenDKIM problems with Postfix

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Fri, 26 Oct 2012 14:28:35 -0700 (PDT)

On Fri, 26 Oct 2012, Justin T. Stear wrote:
> Attached are the KeyTable, SigningTable, and TrustedHosts.
> [...]

Naturally, the general intent is that mail you originate is signed by you.
There are cases where you might want to sign someone else's mail, but
generally signing mail as it arrives is largely pointless. So signing
your gmail.com mail as it comes in might work if you manage to configure
your system that way, but I doubt that's what you want.

As the man page for opendkim(8) says, mail is signed using this
configuration only when two conditions are met:

a) It appears to have something in the header that tells you it's mail you
should be signing. Most commonly this is the From: domain, but you can
base it on other criteria if you want to.

b) It appears to have come from a source that is supposed to have its mail
signed by you. (This can be determined by IP address, macro value checks,
or by other means.)

(The other "style" is to use Lua scripts, but you're not doing that, so I
won't discuss it here.)

Your configuration has a Domain line, but also a KeyTable and
SigningTable. The Domain line should be commented out, as it will not be
used in the presence of the other two. The same goes for Selector.

The SigningTable contains the rules you will use to satisfy (a) in your
configuration. Your SigningTable looks fine to me, modulo the
anonymization you've done. The KeyTable also appears to be fine.

The missing link is the IP address(es) that are sending mail into postfix
which you believe should be signed, and opendkim's matching of them to the
TrustedHosts file. Neither your descriptions nor the log snippets you've
posted so far include that information, so I can't tell if there's
matching happening or not (presumably not). One thing that's clear from
your configuration is that you're using a "refile" for InternalHosts
where you're not actually doing any wildcarding. Although that should
work anyway, you might have better success using "file" instead of
"refile".

So, from what IP address is postfix receiving this traffic?

-MSK
Received on Fri Oct 26 2012 - 21:28:52 PST
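
Added example, not part of the original message and not OpenDKIM's own code: a simplified Python model of conditions (a) and (b) above, useful for checking which of the two a given message fails. It assumes glob-style SigningTable patterns with first match winning and a TrustedHosts file holding only IP addresses and CIDR blocks; the table contents, addresses and function names are constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed sample data (not the poster's files).
SIGNING_TABLE = """\
# pattern            key name
*@example.com        default._domainkey.example.com
"""
TRUSTED_HOSTS = """\
127.0.0.1
192.0.2.0/24
"""

def _entries(text):
    """Yield non-empty lines with '#' comments stripped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def signing_key_for(from_addr, table=SIGNING_TABLE):
    """Condition (a): first SigningTable pattern matching the From: address."""
    for line in _entries(table):
        pattern, key_name = line.split(None, 1)
        if fnmatch.fnmatchcase(from_addr.lower(), pattern.lower()):
            return key_name.strip()
    return None

def is_internal(client_ip, hosts=TRUSTED_HOSTS):
    """Condition (b): client IP falls inside a TrustedHosts address or CIDR."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in _entries(hosts))

def would_sign(from_addr, client_ip):
    """Return (decision, reason); both conditions must hold for signing."""
    key = signing_key_for(from_addr)
    if key is None:
        return False, "no SigningTable match for From: address"
    if not is_internal(client_ip):
        return False, "client IP not in TrustedHosts"
    return True, "sign with " + key

if __name__ == "__main__":
    for addr, ip in [("alice@example.com", "192.0.2.15"),
                     ("alice@example.com", "203.0.113.9"),
                     ("bob@gmail.com", "127.0.0.1")]:
        print(addr, ip, would_sign(addr, ip))
```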
