opendkim/postfix: no signature for emails submitted through port 25

From: <patrick.proniewski_at_free.fr>
Date: Sun, 17 Mar 2013 15:20:31 +0100

Hello,

I have a small problem with my postfix/opendkim setup:

- opendkim properly signs every email I send via my webmail frontend, crontab, or the mail command from the server.
- opendkim won't sign emails I send from my workstation to my server via an ssh tunnel (or if I use telnet port 25 to send an email from localhost)

-------------------------------------------------------
transcript for a webmail sending:

 rack postfix/pickup[51760]: 32E681CC025: uid=80 from=<patpro_at_mydomain.tld>
 rack postfix/cleanup[52839]: 32E681CC025: message-id=<eec030e8a722c0c18ea83a504d776005_at_mail.mydomain.tld>
+rack opendkim[50749]: 32E681CC025: DKIM-Signature header added (s=patpro, d=mydomain.tld)
 rack postfix/qmgr[29993]: 32E681CC025: from=<patpro_at_mydomain.tld>, size=994, nrcpt=1 (queue active)
 rack postfix/local[52842]: 32E681CC025: to=<patpro_at_mydomain.tld>, orig_to=<root_at_mydomain.tld>, relay=local, delay=0.21, delays=0.18/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -a "$EXTENSION")
 rack postfix/qmgr[29993]: 32E681CC025: removed

-------------------------------------------------------
transcript for a mail submitted via ssh tunnel (or telnet on localhost):

 rack postfix/smtpd[57044]: connect from localhost[127.0.0.1]
 rack milter-greylist: (unknown id): Sender IP 127.0.0.1 and address <patpro_at_mydomain.tld> are SPF-compliant, bypassing greylist
 rack postfix/smtpd[57044]: NOQUEUE: client=localhost[127.0.0.1]
 rack postfix/smtpd[57049]: connect from localhost[127.0.0.1]
 rack postfix/smtpd[57049]: 5E0BE1CC020: client=localhost[127.0.0.1], orig_client=localhost[127.0.0.1]
 rack postfix/cleanup[57050]: 5E0BE1CC020: message-id=<727D4403-CE21-4282-A3F3-0C056924C270_at_mydomain.tld>
 rack postfix/smtpd[57049]: disconnect from localhost[127.0.0.1]
 rack postfix/qmgr[29993]: 5E0BE1CC020: from=<patpro_at_mydomain.tld>, size=2220, nrcpt=1 (queue active)
 rack amavis[50721]: (50721-14) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1]:13772 [127.0.0.1] <patpro_at_mydomain.tld> -> <root_at_mydomain.tld>, Message-ID: <727D4403-CE21-4282-A3F3-0C056924C270_at_mydomain.tld>, mail_id: 0ha-G1TZRb7p, Hits: -3.4, size: 1712, queued_as: 5E0BE1CC020, 1762 ms
 rack postfix/smtpd[57044]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5E0BE1CC020; from=<patpro_at_mydomain.tld> to=<root_at_mydomain.tld> proto=ESMTP helo=<[127.0.0.1]>
 rack postfix/local[57051]: 5E0BE1CC020: to=<patpro_at_mydomain.tld>, orig_to=<root_at_mydomain.tld>, relay=local, delay=0.06, delays=0.04/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -a "$EXTENSION")
 rack postfix/qmgr[29993]: 5E0BE1CC020: removed

-------------------------------------------------------
opendkim.conf:

LogWhy yes
Syslog yes
SyslogSuccess yes
MilterDebug 3

Canonicalization relaxed/simple

ExternalIgnoreList refile:/usr/local/etc/opendkim/TrustedHosts
InternalHosts refile:/usr/local/etc/opendkim/TrustedHosts
KeyTable refile:/usr/local/etc/opendkim/KeyTable

SigningTable refile:/usr/local/etc/opendkim/SigningTable

Socket inet:8891@localhost

ReportAddress root
SendReports yes

AlwaysAddARHeader yes


-------------------------------------------------------
TrustedHosts:

127.0.0.1
localhost
<public_ip_#1>
<public_ip_#2>
<fqdn>
<domain.tld>
<sub.domain.tld>


-------------------------------------------------------
main.cf reads:

smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock inet:127.0.0.1:8891
non_smtpd_milters = inet:127.0.0.1:8891

I've tried without the milter-greylist filter, but got the same result.

-------------------------------------------------------
and I have a before-queue content filter (master.cf):

smtp inet n - n - 20 smtpd
   -o smtpd_proxy_filter=127.0.0.1:10024
   -o smtpd_client_connection_count_limit=10
   -o smtpd_proxy_ehlo=amavis-at-mydomain.tld
   -o disable_mime_output_conversion=yes

127.0.0.1:10025 inet n - n - - smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=
   -o mynetworks=127.0.0.0/8
   -o receive_override_options=no_unknown_recipient_checks
   -o smtpd_milters=
   -o non_smtpd_milters=


Obviously I'm missing something here. The processing of an email that I feed through the webmail (sitting on the same server as postfix), and the processing of an email I feed through my email client on my workstation via an ssh tunnel are very different.
On the workstation side, I'm using an on-demand tunnel, everything is piped into nc targeting localhost:25.

Basically, opendkim signs my emails when they trigger the non_smtpd_milters rule, but won't sign my emails when they trigger smtpd_milters.

Any idea? (And by the way, what is the expected behavior of MilterDebug? At "3" it looks like it won't log more than "0".)

Patrick
Received on Sun Mar 17 2013 - 14:20:46 PST
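
Added example (not part of the original post): a small log check that groups Postfix lines by queue ID, records whether each message entered through pickup or smtpd, and reports the queue IDs for which opendkim never logged "DKIM-Signature header added". The sample log is constructed, modelled on the two transcripts above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two transcripts in the post.
SAMPLE_LOG = """\
rack postfix/pickup[100]: AAAA0000001: uid=80 from=<user@example.org>
rack postfix/cleanup[101]: AAAA0000001: message-id=<one@mail.example.org>
rack opendkim[102]: AAAA0000001: DKIM-Signature header added (s=sel, d=example.org)
rack postfix/qmgr[103]: AAAA0000001: from=<user@example.org>, size=994, nrcpt=1 (queue active)
rack postfix/smtpd[104]: connect from localhost[127.0.0.1]
rack postfix/smtpd[104]: NOQUEUE: client=localhost[127.0.0.1]
rack postfix/smtpd[105]: BBBB0000002: client=localhost[127.0.0.1], orig_client=localhost[127.0.0.1]
rack postfix/cleanup[106]: BBBB0000002: message-id=<two@example.org>
rack postfix/qmgr[103]: BBBB0000002: from=<user@example.org>, size=2220, nrcpt=1 (queue active)
"""

# host, program[pid], hexadecimal queue ID, remainder of the line.
# A leading "+" (used in the post to highlight a line) is tolerated.
LINE = re.compile(
    r"^\s*\+?\S+ (?P<prog>[\w./-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)


def signing_report(log_text):
    """Return {queue_id: {"entry": "pickup" | "smtpd" | None, "signed": bool}}."""
    report = defaultdict(lambda: {"entry": None, "signed": False})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connect/disconnect, NOQUEUE and other daemons' lines
        prog, qid, rest = m.group("prog", "qid", "rest")
        if prog == "postfix/pickup":
            report[qid]["entry"] = "pickup"
        elif prog == "postfix/smtpd" and rest.startswith("client="):
            report[qid]["entry"] = "smtpd"
        elif prog == "opendkim" and "DKIM-Signature header added" in rest:
            report[qid]["signed"] = True
    return dict(report)


def unsigned_queue_ids(log_text):
    """Queue IDs that reached the queue without an opendkim signing line."""
    return sorted(q for q, r in signing_report(log_text).items() if not r["signed"])


if __name__ == "__main__":
    for qid, info in signing_report(SAMPLE_LOG).items():
        print(qid, info)
```
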
