RE: OpenDKIM problems with Postfix

From: Justin T. Stear <jtstear_at_maurerstutzinc.com>
Date: Tue, 30 Oct 2012 14:46:53 -0500

Murry,
The mail server is 10.0.1.2. We are using Exchange as our mail server
and only incoming goes through postfix. Is this my problem and if so
what alternatives do I have? I am on version 2.7.0.

JS



-----Original Message-----
From: Murray S. Kucherawy [mailto:msk_at_blackops.org]
Sent: Friday, October 26, 2012 4:29 PM
To: Justin T. Stear
Cc: opendkim-users_at_lists.opendkim.org
Subject: RE: OpenDKIM problems with Postfix

On Fri, 26 Oct 2012, Justin T. Stear wrote:
> Attached are the KeyTable, SigningTable, and TrustedHosts.
> [...]

Naturally, the general intent is that mail you originate is signed by
you. There are cases where you might want to sign someone else's mail, but
generally signing mail as it arrives is largely pointless. So signing
your gmail.com mail as it comes in might work if you manage to configure
your system that way, but I doubt that's what you want.

As the man page for opendkim(8) says, mail is signed using this
configuration only when two conditions are met:

a) It appears to have something in the header that tells you it's mail
you should be signing. Most commonly this is the From: domain, but you can
base it on other criteria if you want to.

b) It appears to have come from a source that is supposed to have its
mail signed by you. (This can be determined by IP address, macro value
checks, or by other means.)

(The other "style" is to use Lua scripts, but you're not doing that, so
I won't discuss it here.)

Your configuration has a Domain line, but also a KeyTable and
SigningTable. The Domain line should be commented out, as it will not
be used in the presence of the other two. The same goes for Selector.

The SigningTable contains the rules you will use to satisfy (a) in your
configuration. Your SigningTable looks fine to me, modulo the
anonymization you've done. The KeyTable also appears to be fine.

The missing link is the IP address(es) that are sending mail into
postfix which you believe should be signed, and opendkim's matching of them to
the TrustedHosts file. Neither your descriptions nor the log snippets
you've posted so far include that information, so I can't tell if there's
matching happening or not (presumably not). One thing that's clear from
your configuration is that you're using a "refile" for InternalHosts
where you're not actually doing any wildcarding. Although that should
work anyway, you might have better success using "file" instead of
"refile".

So, from what IP address is postfix receiving this traffic?

-MSK

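To make the two signing conditions from the quoted reply concrete, here is an added toy model (not OpenDKIM's own code) of how a SigningTable, KeyTable and InternalHosts/TrustedHosts list combine into a sign-or-verify decision. The table contents, the example.com selector and the 10.0.1.2 relay address are constructed for illustration, and the "file" lookup order is a simplified assumption rather than a transcript of opendkim's dataset code.

```python
# Toy model of OpenDKIM's signing decision (added example, not OpenDKIM code).
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample tables in the shape of the real files. Values are placeholders.
KEY_TABLE = {"mail": "example.com:mail:/etc/opendkim/keys/mail.private"}
SIGNING_TABLE = {"*@example.com": "mail"}      # refile-style wildcard key
TRUSTED_HOSTS = ["127.0.0.1", "::1"]           # note: no 10.0.1.2 entry here


def signing_table_lookup(from_addr, table, mode="refile"):
    """Condition (a): does the From: address select a KeyTable entry?
    'refile' keys are '*' wildcard patterns; 'file' keys are matched literally,
    first on the full address, then on the domain part (simplified assumption)."""
    if mode == "refile":
        for pattern, keyname in table.items():
            if fnmatchcase(from_addr.lower(), pattern.lower()):
                return keyname
        return None
    domain = from_addr.rsplit("@", 1)[-1].lower()
    return table.get(from_addr.lower()) or table.get(domain)


def is_internal(src_ip, hosts):
    """Condition (b): did the message arrive from an InternalHosts entry?
    Entries are IPs or CIDR blocks; hostname entries are ignored in this model."""
    ip = ipaddress.ip_address(src_ip)
    for entry in hosts:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            pass
    return False


def signing_decision(from_addr, src_ip, signing_table=SIGNING_TABLE,
                     key_table=KEY_TABLE, hosts=TRUSTED_HOSTS, mode="refile"):
    """Return ('sign', keytable_value) only when both conditions hold;
    otherwise the message just goes through verification."""
    if not is_internal(src_ip, hosts):
        return ("verify", None)        # relay not in TrustedHosts: never signed
    keyname = signing_table_lookup(from_addr, signing_table, mode)
    if keyname is None or keyname not in key_table:
        return ("verify", None)        # From: domain selects no key
    return ("sign", key_table[keyname])


if __name__ == "__main__":
    print(signing_decision("bob@example.com", "10.0.1.2"))                 # verify
    print(signing_decision("bob@example.com", "10.0.1.2", hosts=["10.0.1.2"]))
```

Running it shows that mail from the 10.0.1.2 relay is only verified until that address is listed in TrustedHosts, and that a wildcard key such as `*@example.com` matches nothing when the table is loaded as "file" rather than "refile".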
Received on Tue Oct 30 2012 - 19:47:08 PST