On 29 janv. 2015, at 09:28, Murray S. Kucherawy <msk_at_blackops.org> wrote:
> On Thu, 29 Jan 2015, Patrick Proniewski wrote:
>> Config file options apparently work for now. But as Andreas wrote, the option I'm relying on is disappearing. The fact my use case scenario was covered by the README and a config option made me think my requirements are pretty common.
>>
>> How does it work for this mailing list? I know from, subject and body are not altered so it won't break the subscriber DKIM signature, but the list server manages to add its own valid signature too. That's what I want to achieve in the end.
>
> The machine running this list simply signs everything passing through it.
>
> Why do you want to treat list traffic differently from regular stuff?
I don't. I want to sign everything going out, but with basic settings, OpenDKIM refuses to sign emails with a From that is not in my own domain. That's why I applied settings described in opendkim README in the first place (signature based on Sender header).
Content of my SigningTable is the following:
*@patpro.net patpro._domainkey.patpro.net
but it yields this kind of result for email sent by the list server:
... opendkim[50990]: 6DF13F81: no signing table match for 'a-subscriber_at_gmail.com'
... opendkim[50990]: 6DF13F81: s=20120113 d=gmail.com SSL error:04077068:rsa routines:RSA_verify:bad signature
... opendkim[50990]: 6DF13F81: bad signature data
Which is obviously right, according to my SigningTable. Am I supposed to sign "*" ?
("bad signature" is triggered by the list server tampering with subject and body, I'm aware of the issue, and it's going to be fixed)
--
opendkim.conf:

LogWhy yes
Syslog yes
SyslogSuccess yes
MilterDebug 4
Canonicalization relaxed/simple
ExternalIgnoreList refile:/usr/local/etc/opendkim/TrustedHosts
InternalHosts refile:/usr/local/etc/opendkim/TrustedHosts
KeyTable refile:/usr/local/etc/opendkim/KeyTable
SigningTable refile:/usr/local/etc/opendkim/SigningTable
Socket inet:8891@localhost
ReportAddress root
SendReports yes
AlwaysAddARHeader yes
SenderHeaders Sender,From

cat /usr/local/etc/opendkim/KeyTable
patpro._domainkey.patpro.net patpro.net:patpro:/var/db/opendkim/patpro.private

cat /usr/local/etc/opendkim/SigningTable
*@patpro.net patpro._domainkey.patpro.net
Received on Thu Jan 29 2015 - 08:46:13 PST
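
An added example, not part of the original post and not OpenDKIM's own code: a small Python model of how a "refile:" SigningTable selects a key for a sender address, run against the tables posted above, to show why the subscriber address produces "no signing table match". It assumes first-match-wins matching in which "*" stands for any run of characters; the catch-all line and the user@patpro.net address are constructed for illustration.

```python
import re

# Tables copied from the post (the archive's "_at_" restored to "@").
KEY_TABLE = "patpro._domainkey.patpro.net patpro.net:patpro:/var/db/opendkim/patpro.private"
SIGNING_TABLE = "*@patpro.net patpro._domainkey.patpro.net"
# Constructed variant: the same table plus a catch-all line, the "*" the post asks about.
SIGNING_TABLE_CATCHALL = SIGNING_TABLE + "\n* patpro._domainkey.patpro.net"


def parse_table(text):
    """Return [(key, value)] for each non-blank, non-comment line."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows


def glob_to_regex(pattern):
    """Model of a refile key: '*' matches any run of characters, the rest is
    literal. Case-insensitive matching is an assumption of this model."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body + r"\Z", re.IGNORECASE)


def select_key(sender, signing_table, key_table):
    """First SigningTable pattern matching the sender wins; None means unsigned."""
    keys = dict(parse_table(key_table))
    for pattern, key_name in parse_table(signing_table):
        if glob_to_regex(pattern).match(sender):
            domain, selector, key_path = keys[key_name].split(":", 2)
            return {"d": domain, "s": selector, "key": key_path}
    return None


if __name__ == "__main__":
    # user@patpro.net is constructed; the gmail.com address is the one in the log.
    for sender in ("user@patpro.net", "a-subscriber@gmail.com"):
        for label, table in (("posted", SIGNING_TABLE), ("catch-all", SIGNING_TABLE_CATCHALL)):
            print(f"{label:9} {sender:24} -> {select_key(sender, table, KEY_TABLE)}")
```

With the catch-all line the subscriber's message is signed with d=patpro.net, a signature whose domain differs from the From domain.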