Re: Only signing when listed in TrustedHosts AND authenticated

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Wed, 7 Oct 2015 00:02:10 -0700 (PDT)

On Mon, 20 Jul 2015, Aaron Paetznick wrote:
> Ok after further testing, I don't think this is going to work. OpenDKIM
> is always signing if authenticated for some reason, and I can't get it
> to stop. This happens whether it matches any or all macros, or none.

There's other signing logic that comes into play, not just macros. The
documentation (opendkim(8) under OPERATION) lays it out. In essence, both
of the following must be true for a signature to be applied (independent
of anything done with Lua):

1) The From domain has to be one for which you are signing, or there has
to be a SigningTable entry matching the From domain;

2) One or more of the following:
a) the client connecting to the MTA must have authenticated;
b) the client connecting to the MTA must be listed in the file referenced
by the InternalHosts configuration file setting (or be in the default list
for that option);
c) the client must be connected to a daemon port named by the MTAs
configuration file setting;
d) the MTA must have set one or more macros matching the criteria set by
the MacroList configuration file setting.

So even if your MacroList setting is garbage, you might have one of the
other conditions "true" in (2), and signing would result (assuming (1) is
also satisfied). If you turn on "LogWhy", it'll tell you which one.

-MSK
Received on Wed Oct 07 2015 - 07:02:40 PST
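
The decision described in the message above, modelled as an added example that is not part of the original post and is not OpenDKIM's own code. The dictionary keys, the exact-match SigningTable lookup, the 127.0.0.1 InternalHosts default and the MacroList value-matching rule are simplifying assumptions.

```python
# Simplified model of conditions (1) and (2) above; not OpenDKIM source code.
import ipaddress

def macro_matches(macro_list, macros):
    """macro_list maps a macro name to a set of accepted values,
    or to None when any value is accepted (assumed MacroList semantics)."""
    for name, allowed in macro_list.items():
        if name in macros and (allowed is None or macros[name] in allowed):
            return True
    return False

def signing_reasons(msg, cfg):
    """Return every condition from (2) that holds; [] means no signature."""
    # Condition (1): From domain is signed for, or matches the SigningTable
    # (real SigningTable matching supports patterns; exact match assumed here).
    dom = msg["from_domain"].lower()
    if dom not in cfg["domains"] and dom not in cfg["signing_table"]:
        return []
    reasons = []
    if msg.get("authenticated"):                                  # (2a)
        reasons.append("authenticated")
    ip = ipaddress.ip_address(msg["client_ip"])
    if any(ip in ipaddress.ip_network(n) for n in cfg["internal_hosts"]):
        reasons.append("internal host")                           # (2b)
    if msg.get("daemon_port") in cfg["mtas"]:                     # (2c)
        reasons.append("MTA name")
    if macro_matches(cfg["macro_list"], msg.get("macros", {})):   # (2d)
        reasons.append("macro")
    return reasons

# Constructed sample configuration and messages (hypothetical values).
CFG = {
    "domains": {"example.com"},
    "signing_table": set(),
    "internal_hosts": ["127.0.0.1/32"],   # assumed default list
    "mtas": set(),
    "macro_list": {"{daemon_name}": {"ORIGINATING"}},
}
# Authenticated remote client whose macro value does NOT match MacroList.
AUTH_REMOTE = {"from_domain": "example.com", "client_ip": "203.0.113.7",
               "authenticated": True, "macros": {"{daemon_name}": "MTA"}}
# Same client without authentication.
UNAUTH_REMOTE = dict(AUTH_REMOTE, authenticated=False)
# Authenticated client sending from a domain that is not signed for.
AUTH_OTHER_DOMAIN = dict(AUTH_REMOTE, from_domain="example.net")

if __name__ == "__main__":
    for m in (AUTH_REMOTE, UNAUTH_REMOTE, AUTH_OTHER_DOMAIN):
        print(m["from_domain"], m["authenticated"], signing_reasons(m, CFG))
```

Because the conditions in (2) are alternatives, the authenticated message is signed even though its macro does not match, which is the behaviour reported in the quoted message.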
