Re: Opendkim LDAP and signing table references unknown key

From: A. Schulze <sca_at_andreasschulze.de>
Date: Sun, 20 Dec 2015 00:02:20 +0100

Sistemisti Posta:

> ldap://ldap.example.com:489/ou=People,c=it?o?sub?(&(|(mail=$d)(mailalternateaddress=$d))(mailuserstatus=active)(|(objectclass=mailrecipient)(objectclass=mailgroup)))

$d references the sender's domain part. So your LDAP filter looks wrong.
I'm not aware of other usable macros.
@all: is there any documentation?


> KeyTable is a file which contains:
>
> keyID_it example.com:selector:/etc/opendkim/keys/selector.private
only one key?

> My goal is to force all users having LDAP entry with
> o: u
> to sign. All other user can send without sign.
That sounds like this filter:
(&(o=keyID_it)(|(mail=*@$d)(mailalternateaddress=*@$d)))

> opendkim[25959]: 3pMVKK6y5HzDc: signing table references unknown key ''
> postfix/cleanup[26327]: 3pMVKK6y5HzDc: milter-reject: END-OF-MESSAGE
> from example.com[xx.xx.xx.xx]: 4.7.1 Service unavailable - try again
> later; from=<me@example.com> to=<you@example.com> proto=ESMTP
> helo=<[xx.xx.xx.xx]>
That means the SigningTable lookup gives a result, but there is no
KeyTable entry.
You must construct an LDAP query that gives no result if the message should
not be signed.


You may use opendkim -Q to verify your LDAP filter:

# opendkim -Q
opendkim: enter data set description
         csl:entry1[,entry2[,...]]
         file:path
         refile:path
         db:path
         dsn:<backend>://[user[:pwd]@][port+]host/dbase[/key=val[?...]]
         ldapscheme://host[:port][/dn[?attrs[?scope[?filter[?exts]]]]]
         repute:server[:reporter]
> ldap://ldap.example.com:489/ou=People,c=it?o?sub?(&(o=keyID_it)(|(mail=*@$d)(mailalternateaddress=*@$d)))
opendkim: enter 'query/n' where 'n' is number of fields to request
> user@example.com/1 <- Query and give one value back
'keyID_it' <- the Lookup result

> I have already tried "On-SignatureError accept".
On-SignatureError is, like all other On-foo, not relevant for signing.
It matters only for validation.

Andreas
Received on Sat Dec 19 2015 - 23:02:36 PST
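To make the $d point concrete, here is an added model (not OpenDKIM's code and not from the thread) of how a $d-substituted LDAP SigningTable filter feeds the KeyTable check and produces the "unknown key ''" temporary reject. The directory entries are invented, the filters follow the two shapes in the thread with balanced parentheses, and the "first matching entry, first attribute value" rule is a simplifying assumption.

```python
import re
# Constructed stand-in for the LDAP directory (invented entries); as in the poster's setup, 'o' names the KeyTable key.
DIRECTORY = [
    {"mail": ["alice@example.com"], "o": ["keyID_it"], "mailuserstatus": ["active"]},
    {"mail": ["bob@example.com"], "mailuserstatus": ["active"]},   # same domain, no 'o'
    {"mail": ["dave@example.org"], "mailuserstatus": ["active"]},   # other domain, no 'o'
]
KEY_TABLE = {"keyID_it": ("example.com", "selector", "/etc/opendkim/keys/selector.private")}
# Poster's filter shape (every active user of $d) vs. Andreas's (only entries naming the key), parentheses balanced.
BROAD = "(&(mailuserstatus=active)(|(mail=*@$d)(mailalternateaddress=*@$d)))"
STRICT = "(&(o=keyID_it)(|(mail=*@$d)(mailalternateaddress=*@$d)))"

def expand_macros(template, sender):
    """$d is the only macro the thread documents: the sender's domain part."""
    return template.replace("$d", sender.rpartition("@")[2])

def parse_filter(s, i=0):
    """Parse the subset &, | and attr=pattern (with * wildcards); returns (node, end index)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # step over the closing ')'
    j = s.index(")", i)
    attr, _, pattern = s[i + 1:j].partition("=")
    return ("=", attr, pattern), j + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    rx = "^" + ".*".join(map(re.escape, node[2].split("*"))) + "$"   # LDAP '*' -> regex '.*'
    return any(re.match(rx, v, re.I) for v in entry.get(node[1], []))

def signing_table_lookup(template, attr, sender):
    """First `attr` value of the first match; '' if it matches without the attribute; None if no match."""
    node, _ = parse_filter(expand_macros(template, sender))
    for entry in DIRECTORY:
        if matches(node, entry):
            return (entry.get(attr) or [""])[0]
    return None

def signing_decision(template, attr, sender):
    """No hit: relay unsigned. Hit that is not a KeyTable key (incl. ''): tempfail, as in the poster's log."""
    key = signing_table_lookup(template, attr, sender)
    if key is None:
        return "unsigned"
    if key not in KEY_TABLE:
        return "tempfail: signing table references unknown key '%s'" % key
    return "sign with %s:%s" % KEY_TABLE[key][:2]
```

Because the filter only ever sees the domain, bob@example.com is signed with the strict filter as well: alice's entry matches for every sender in example.com, so per-user signing cannot be decided through $d alone.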