Opendkim LDAP and signing table references unknown key

From: Sistemisti Posta <sistemisti-posta_at_csi.it>
Date: Fri, 18 Dec 2015 15:14:12 +0100

Hello opendkim users,

  I'm new to this world. I would like to ask your help to configure this good
software. I tried to configure opendkim as follows:

SigningTable
ldap://ldap.example.com:489/ou=People,c=it?o?sub?(&(|(mail=$d)(mailalternateaddress=$d))(mailuserstatus=active)(|(objectclass=mailrecipient)(objectclass=mailgroup)))

KeyTable is a file which contains:

keyID_it example.com:selector:/etc/opendkim/keys/selector.private


LDAP entries of signing users are like this:

        dn: ...
        mail: me_at_example.com
        o: keyID_it
        ...

My goal is to force all users having an LDAP entry with
        o: keyID_it
to sign. All other users can send without signing.


With this configuration, if a user (from) matches o=keyID_it then
opendkim signs the mail and all works as expected. I'm happy.

But if a user doesn't match (for example, the 'o' attribute doesn't exist in its
LDAP entry) I see:

opendkim[25959]: 3pMVKK6y5HzDc: signing table references unknown key ''
postfix/cleanup[26327]: 3pMVKK6y5HzDc: milter-reject: END-OF-MESSAGE
from example.com[xx.xx.xx.xx]: 4.7.1 Service unavailable - try again
later; from=<me_at_example.com> to=<you_at_example.com> proto=ESMTP
helo=<[xx.xx.xx.xx]>

So my question is: how can I configure the KeyTable to force only
existing references to sign? With my current configuration, if a signing
selector doesn't exist, opendkim forces a milter-reject.

I have already tried "On-SignatureError accept".

Thank you very much
Best Regards
Marco
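As an added illustration (not code from the post or from OpenDKIM), a small pre-flight check that parses the KeyTable file format shown above and emulates the LDAP SigningTable lookup against constructed directory entries, so an empty key reference like the one in the log can be spotted before a message is rejected. The directory contents, the lookup emulation and the address values are assumptions made up for the example.

```python
"""Pre-flight check for an OpenDKIM KeyTable / SigningTable pairing.
All data below is constructed for illustration; it is not OpenDKIM's own code."""

# Constructed KeyTable contents in OpenDKIM's "keyname domain:selector:path" file format.
KEYTABLE_TEXT = """
# keyname  signing-domain:selector:private-key-path
keyID_it example.com:selector:/etc/opendkim/keys/selector.private
"""

# Constructed stand-in for the LDAP directory: mail address -> attributes.
# The second entry has no 'o' attribute, mirroring the failing case in the post.
LDAP_ENTRIES = {
    "me@example.com":    {"o": ["keyID_it"], "mailuserstatus": ["active"]},
    "other@example.com": {"mailuserstatus": ["active"]},
}


def parse_keytable(text):
    """Return {keyname: (domain, selector, path)} from KeyTable file text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, spec = line.split(None, 1)
        domain, selector, path = spec.split(":", 2)
        table[name] = (domain, selector, path)
    return table


def signing_table_lookup(sender, entries=LDAP_ENTRIES):
    """Emulate the LDAP SigningTable query: the 'o' attribute of the sender's
    entry, or '' when the entry exists but has no such attribute (the empty
    key name the log line reported). No entry at all means no signing."""
    entry = entries.get(sender)
    if entry is None:
        return None
    values = entry.get("o", [])
    return values[0] if values else ""


def check_sender(sender, keytable, entries=LDAP_ENTRIES):
    """Classify the outcome for a sender: 'sign', 'no-signing', or an
    'unknown-key:<name>' mismatch between SigningTable result and KeyTable."""
    key = signing_table_lookup(sender, entries)
    if key is None:
        return "no-signing"
    if key not in keytable:
        return f"unknown-key:{key!r}"   # corresponds to "references unknown key ''"
    return "sign"
```

Running check_sender over every address the directory can return for the SigningTable filter lists the senders that would currently hit the unknown-key path.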
Received on Fri Dec 18 2015 - 14:14:24 PST

This archive was generated by hypermail 2.3.0 : Fri Dec 18 2015 - 14:18:01 PST