Re: Allowing mail from multiple domains

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Tue, 22 Apr 2014 10:01:15 -0700 (PDT)

On Mon, 21 Apr 2014, Phil Stracchino wrote:
> It's supposed to be, yes, both internally and externally. The TXT
> record is set in both the internal and external view of the domain. I
> could tell there was a DNS issue, what's not clear to me is *why* there
> is a DNS issue. Everything looks correct to me at the DNS level. Do
> you have any advice for troubleshooting this specific problem? How
> would you go about troubleshooting a failure of opendkim to retrieve the
> key?

Other than basic things like doing "dig" on various nameservers to figure
out why data aren't synchronized (did you increase the serial number, for
instance?), I don't have any specific advice.

opendkim relies on resolver libraries to go get the data, and one of them
is telling opendkim that the key isn't there. There's likely nothing in
opendkim to debug. Assuming the details in your opendkim.conf are
current, I can't resolve it even from the command line here:

% host -t txt dkim._domainkey.caerllewys.net
Host dkim._domainkey.caerllewys.net not found: 3(NXDOMAIN)

>> ExternalIgnoreList, set correctly, should remove the warning you're
>> getting. How did you set it?
>
> As follows, in /etc/opendkim/opendkim.conf:
>
> ExternalIgnoreList babcom.com

But the host that connected is babylon5.babcom.com. As specified, only a
direct string match will be considered a hit. Check the man page for
complete documentation; what you probably want is ".babcom.com" instead,
which adds the whole subdomain to the set for matching.

> (adding epsilon3.caerllewys.net to Domain was an experiment, I don't
> know whether it's doing anything for me. It doesn't appear to be helping.)

"Domain" is ignored in the presence of "KeyTable" and "SigningTable".

-MSK
Received on Tue Apr 22 2014 - 17:01:37 PST
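
The ExternalIgnoreList point in the message above (a bare "babcom.com" entry is a direct string match, while ".babcom.com" covers hosts under the domain), as an added example that is not part of the original message and is not opendkim's own code. It is a simplified model of hostname entries only: IP, CIDR and negated entries are left out, case-insensitive comparison is an assumption, and the function names are hypothetical.

```python
# Simplified model of the hostname matching described in the message above.
# Assumption: entries and hostnames compare case-insensitively.

def _norm(name):
    return name.strip().lower().rstrip(".")


def matching_entry(entries, host):
    """Return the list entry that covers `host`, or None."""
    host = _norm(host)
    for entry in (e.strip().lower() for e in entries):
        if not entry:
            continue
        if entry.startswith("."):
            # Leading dot: covers any host underneath that domain.
            if host.endswith(entry):
                return entry
        elif host == entry:
            # No leading dot: direct string match only.
            return entry
    return None


def audit(entries, hosts):
    """Map each uncovered host to a suggested fix ('' if none is obvious)."""
    cleaned = [e.strip().lower() for e in entries]
    bare = {e for e in cleaned if e and not e.startswith(".")}
    findings = {}
    for host in hosts:
        if matching_entry(entries, host) is not None:
            continue
        labels = _norm(host).split(".")
        # Look for a listed parent domain that lacks the leading dot.
        parents = [".".join(labels[i:]) for i in range(1, len(labels))]
        hit = next((p for p in parents if p in bare), None)
        findings[host] = f"change '{hit}' to '.{hit}'" if hit else ""
    return findings


if __name__ == "__main__":
    # Values from the thread: the configured entry and the connecting host.
    print(audit(["babcom.com"], ["babylon5.babcom.com"]))
    print(audit([".babcom.com"], ["babylon5.babcom.com"]))
```

Run against the hostnames that appear in the "external host ... tried to send mail as ..." log warnings to see which ones the current list does not cover.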
