Implementing on a sendmail mail hub

From: Loudermilk, Stephen <Stephen.Loudermilk_at_finra.org>
Date: Thu, 15 Oct 2015 14:57:20 +0000

We recently installed opendkim milter for sendmail on our mail hub. This is the very first experience we have had with it. We are learning about all the features of DKIM. The first objective is for us to simply sign all outgoing messages from one of our domains. But our environment is such that multiple application servers (Windows) submit the mail to our mail hub, which then relays the messages out to remote recipients.

We are confident the milter is installed and configured correctly. We’ve validated with dkimvalidator.com. We have a domain key in our public DNS. Everything checks out fine as long as I send a message from the sendmail relay. But when we relay messages from other internal hosts (such as our application servers), the key is not inserted on the message with the expected header. This is what we observe in syslog:

Milter insert (1): header: Authentication-Results: relay.finra.org;
 dkim=permerror (bad message/signature format)

relay.finra.org is the name of the sendmail relay.

If messages are submitted directly on the sendmail host, it seems to be fine and this is what we see logged:

Oct 15 10:46:21 sendmail[4135]: t9FEkL2A004135: milter=opendkim, action=header, continue
Oct 15 10:46:21 sendmail[4135]: t9FEkL2A004135: milter=opendkim, action=eoh, continue
Oct 15 10:46:21 sendmail[4135]: t9FEkL2A004135: milter=opendkim, action=body, continue
Oct 15 10:46:21 sendmail[4135]: t9FEkL2A004135: Milter insert (1): header: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n\td=domain.com; s=ourselector; t=1444920381;\n\tbh=cSAyCJ9bvgBnxKQGW0S45Uk6zPQuGiGTWJbIEt8eYPM=;\n\th=Date:From:To:Subject;\n\tb=vuJhf0g0mR1Aijrc0hF444LebWi1kt1zJxYOlkJAp03RKRKc7AIQGH7XXWDYWSt1M\n\t EUfWwkaA/Q3GeolFZMqO82MSbHaHVUVG0EqzPwaXaQdejhoIxMmeRQAxra1cW01bEF\n\t gFkKCZfUneRcrZZMWYIPc8JDJTqCfi6wd092PqfI=
Oct 15 10:46:21 sendmail[4135]: t9FEkL2A004135: Milter accept: message

We’ve tried listing the originating servers in the opendkim “TrustedHosts” file. No change. Any help is greatly appreciated.

Steve Loudermilk
Technology Delivery Lead
Delivery Services Team
301-325-2525 (m)
Financial Industry Regulatory Authority

Confidentiality Notice: This email, including attachments, may include non-public, proprietary, confidential or legally privileged information. If you are not an intended recipient or an authorized agent of an intended recipient, you are hereby notified that any dissemination, distribution or copying of the information contained in or transmitted with this e-mail is unauthorized and strictly prohibited. If you have received this email in error, please notify the sender by replying to this message and permanently delete this e-mail, its attachments, and any copies of it immediately. You should not retain, copy or use this e-mail or any attachment for any purpose, nor disclose all or any part of the contents to any other person. Thank you.
Received on Thu Oct 15 2015 - 14:57:31 PST
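Added example (editor's note, not part of the post above or of OpenDKIM itself). The two log outcomes in the post differ in which header the milter inserts: a DKIM-Signature means OpenDKIM decided to sign, an Authentication-Results means it decided to verify. OpenDKIM signs only for clients that match its InternalHosts setting (default 127.0.0.1) when Mode includes "s"; everything else is treated as inbound mail and verified. A file named TrustedHosts has no effect on its own; it only matters if opendkim.conf points InternalHosts (and usually ExternalIgnoreList) at it. The script below models that decision for a given client address against a constructed InternalHosts file, classifies "Milter insert" syslog lines by sendmail queue ID so you can see which path each message took, and checks a DKIM-Signature value for the tags RFC 6376 requires. The 10.20.0.0/16 subnet, the second queue ID and the log lines are constructed; the signature value is the one the post shows with the syslog "\n\t" escapes turned back into folding whitespace. Real OpenDKIM matches hostnames via the client's reverse DNS name; this model simply compares the string.

```python
"""Triage helper for OpenDKIM sign-vs-verify decisions on a sendmail hub.

Added example, not part of the original post or of OpenDKIM. Simplified
model (assumption): the milter signs when the connecting client matches an
InternalHosts entry (IP, CIDR block or hostname) and verifies otherwise.
"""
import ipaddress
import re

# Constructed InternalHosts-style file. The 10.20.0.0/16 app-server range is
# an assumed value, not taken from the post.
INTERNAL_HOSTS = """\
# hosts whose mail is signed rather than verified
127.0.0.1
::1
10.20.0.0/16
relay.finra.org
"""

# Tags RFC 6376 section 3.5 marks as required in a DKIM-Signature.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")

# Constructed log lines modelled on the post: the first message was submitted
# on the relay itself (signed), the second (assumed queue ID t9FEp2Xq004210)
# was relayed from an application server (verified, permerror).
SAMPLE_LOG = [
    "Oct 15 10:46:21 sendmail[4135]: t9FEkL2A004135: milter=opendkim, action=eoh, continue",
    "Oct 15 10:46:21 sendmail[4135]: t9FEkL2A004135: Milter insert (1): header: "
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=domain.com; s=ourselector",
    "Oct 15 10:51:02 sendmail[4210]: t9FEp2Xq004210: Milter insert (1): header: "
    "Authentication-Results: relay.finra.org; dkim=permerror (bad message/signature format)",
]

# The signature the post shows being inserted, unfolded from syslog escapes.
SIGNED_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple;\r\n\td=domain.com; s=ourselector; t=1444920381;\r\n\t"
    "bh=cSAyCJ9bvgBnxKQGW0S45Uk6zPQuGiGTWJbIEt8eYPM=;\r\n\th=Date:From:To:Subject;\r\n\t"
    "b=vuJhf0g0mR1Aijrc0hF444LebWi1kt1zJxYOlkJAp03RKRKc7AIQGH7XXWDYWSt1M\r\n\t "
    "EUfWwkaA/Q3GeolFZMqO82MSbHaHVUVG0EqzPwaXaQdejhoIxMmeRQAxra1cW01bEF\r\n\t "
    "gFkKCZfUneRcrZZMWYIPc8JDJTqCfi6wd092PqfI="
)


def parse_internal_hosts(text):
    """Return (networks, hostnames) from an InternalHosts-style file."""
    nets, names = [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            names.add(entry.lower())  # not an address: treat as a hostname
    return nets, names


def is_internal(client, text=INTERNAL_HOSTS):
    """True if a client (IP literal or hostname) matches the InternalHosts list."""
    nets, names = parse_internal_hosts(text)
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return client.lower() in names
    return any(addr in net for net in nets)  # v4/v6 mismatch yields False


def milter_mode(client, text=INTERNAL_HOSTS):
    """'sign' for internal clients, 'verify' for everything else."""
    return "sign" if is_internal(client, text) else "verify"


LOG_RE = re.compile(r"(?P<qid>\w+): Milter insert \(\d+\): header: (?P<hdr>[\w-]+):")


def classify_log(lines):
    """Map sendmail queue ID -> 'signed' / 'verified' from 'Milter insert' lines."""
    result = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        hdr = m.group("hdr").lower()
        if hdr == "dkim-signature":
            result[m.group("qid")] = "signed"
        elif hdr == "authentication-results":
            result.setdefault(m.group("qid"), "verified")
    return result


def parse_dkim_signature(header):
    """Split a (possibly folded) DKIM-Signature value into a tag dict."""
    tags = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)  # FWS may appear inside values
    return tags


def check_signature_format(header):
    """Return a list of format problems; an empty list means the tag list is well formed."""
    tags = parse_dkim_signature(header)
    problems = ["missing %s=" % t for t in REQUIRED_TAGS if t not in tags]
    if tags.get("v") not in (None, "1"):
        problems.append("v= must be 1")
    if "h" in tags and "from" not in [h.lower() for h in tags["h"].split(":")]:
        problems.append("h= must include From")
    return problems


if __name__ == "__main__":
    for client in ("127.0.0.1", "10.20.30.40", "203.0.113.5", "relay.finra.org"):
        print(client, "->", milter_mode(client))
    print(classify_log(SAMPLE_LOG))
    print("signature problems:", check_signature_format(SIGNED_HEADER))
```

Run it over your own maillog by replacing SAMPLE_LOG with the file's lines: any queue ID that comes back "verified" belonged to a client that did not match InternalHosts, which is the first thing to confirm (with the actual opendkim.conf InternalHosts path and Mode) before looking at the message format itself.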

This archive was generated by hypermail 2.3.0 : Thu Oct 15 2015 - 15:09:02 PST