The opendkim mailing lists seem not to be available any longer, so I thought I'd try here. I'm trying to get a handle on how to set up DKIM properly on a gateway server, and I'm not even sure if what I'm trying to do is possible. This gateway serves as an MX with ClamAV+Amavisd+SA filtering as well as the smarthost for the subject domain.

I can get opendkim to sign when mail comes from an entry in the TrustedHosts file, but it is not verifying unless a signature is present. Does DKIM only verify when a signature is added, or can I set it up so the domain is verified with or without a signature? It would be ideal to get the 'Authentication-Results' header to use in SA scoring and reject as needed. I do have an SA rule now that gives a high kill score when a message hits SPF_FAIL without hitting DKIM_VALID as well. But it seems SPF is not enough these days.

From what I understand from the opendkim man page, the 'Mode' default is 'sv', to sign and verify. I didn't think 'On-BadSignature' should be used since there is no signature. Here is my opendkim.conf:

LogWhy                  yes
Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/simple
KeyTable                /usr/local/etc/opendkim/KeyTable
SigningTable            /usr/local/etc/opendkim/SigningTable
ExternalIgnoreList      /usr/local/etc/opendkim/TrustedHosts
InternalHosts           /usr/local/etc/opendkim/TrustedHosts
Socket                  inet:8891@localhost
ReportAddress           postmas...@webtent.net
SendReports             yes

And the contents of my TrustedHosts file:

#127.0.0.1
#localhost
208.38.145.0/26
216.139.202.0/27

I commented out the localhost portions because it was signing twice, both after the initial Received header and then again after it was received by the filter. The latter two networks are internal network sources I do not want to verify, only sign.

I send a message hoping for it to be rejected and it is not; the resulting headers show nothing DKIM related:

Return-Path: <administra...@subjectdomain.com>
Received: from mx2.webtent.net (mx2.webtent.net [216.139.202.4])
        by www1.webtent.net (8.13.8/8.13.8) with ESMTP id u9UFtNwo025106
        for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:23 -0400
Received: from localhost (localhost [127.0.0.1])
        by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with ESMTP id 5991AD7E50
        for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:23 -0400 (EDT)
Received: from mx2.webtent.net ([127.0.0.1])
 by localhost (mx2.webtent.net [127.0.0.1]) (maiad, port 10024) with ESMTP
 id 08148-06 for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=96.254.71.164; helo=[192.168.1.110]; envelope-from=administra...@subjectdomain.com; receiver=rob...@rfitz.com
Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])
        by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with ESMTP id A11D7D7E46
        for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
Message-ID: <581617e9.5080...@subjectdomain.com>
Date: Sun, 30 Oct 2016 11:55:21 -0400
From: MRI Tampa <administra...@subjectdomain.com>
User-Agent: Postbox 4.0.8 (Windows/20151105)
MIME-Version: 1.0
To: Rob Fitzpatrick <rob...@rfitz.com>
Subject: Test DKIM with no auth
References: <58161558.2090...@subjectdomain.com> <58161684.7010...@subjectdomain.com>
In-Reply-To: <58161684.7010...@subjectdomain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: WebTent Mailguard 1.0.3
X-Spam-Status: No, hits=-1.901 tagged_above=-999 required=5
 tests=BAYES_00=-1.9, SPF_PASS=-0.001

And the log entries show:

root@mx2:/usr/local/etc # grep A11D7D7E46 /var/log/maillog
Oct 30 11:55:21 mx2 postfix/smtpd[8876]: A11D7D7E46: client=media.rfitz.com[96.254.71.164]
Oct 30 11:55:21 mx2 postfix/cleanup[8818]: A11D7D7E46: message-id=<581617e9.5080...@subjectdomain.com>
Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: media.rfitz.com [96.254.71.164] not internal
Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: not authenticated
Oct 30 11:55:21 mx2 postfix/qmgr[8810]: A11D7D7E46: from=<administra...@subjectdomain.com>, size=954, nrcpt=1 (queue active)
Oct 30 11:55:23 mx2 postfix/smtp[8901]: A11D7D7E46: to=<rob...@rfitz.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.5/0/0.01/1.7, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=08148-06, from MTA: 250 2.0.0 Ok: queued as 5991AD7E50)
Oct 30 11:55:23 mx2 postfix/qmgr[8810]: A11D7D7E46: removed

--
Robert
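As an added illustration (editor's own code, not from the post, opendkim or SpamAssassin), here is a Python walk-through of how a policy layer reads headers like the ones quoted above: with no DKIM-Signature present a verifier can only report dkim=none, so acceptance rests on SPF, and the post's SPF_FAIL-without-DKIM_VALID rule cannot fire on an SPF_PASS message. It also goes beyond the post by checking From-domain alignment, the way DMARC does; the sample headers, addresses and IPs are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the post (addresses and
# IPs are placeholders): SPF passes, but the message carries no DKIM-Signature.
SAMPLE_HEADERS = """\
Return-Path: <sender@subjectdomain.example>
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
 client-ip=192.0.2.10; helo=[192.168.1.110];
 envelope-from=sender@subjectdomain.example; receiver=rcpt@gateway.example
From: Sender Name <sender@subjectdomain.example>
To: Recipient <rcpt@gateway.example>
Subject: Test DKIM with no auth

"""

def org_domain(addr):
    """Lower-cased domain part of an address such as 'a@b.example'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def authentication_summary(raw_headers):
    """Collect the SPF and DKIM results a policy layer (SA, DMARC) would act on."""
    msg = message_from_string(raw_headers)
    from_domain = org_domain(msg.get("From", ""))
    # SPF: result keyword plus the envelope-from it was evaluated for.
    spf = (msg.get("Received-SPF") or "").replace("\n", " ")
    spf_result = spf.split(None, 1)[0].lower() if spf else "none"
    m = re.search(r"envelope-from=([^;\s]+)", spf)
    spf_aligned = bool(m) and org_domain(m.group(1)) == from_domain
    # DKIM: with no DKIM-Signature header there is nothing to verify, so a
    # verifier reports dkim=none rather than pass or fail.
    sigs = msg.get_all("DKIM-Signature") or []
    sig_domains = [d.lower() for s in sigs for d in re.findall(r"\bd=([^;\s]+)", s)]
    # A verifier's verdict is delivered via Authentication-Results (e.g. dkim=pass).
    ar = " ".join(msg.get_all("Authentication-Results") or [])
    ar_m = re.search(r"\bdkim=(\w+)", ar)
    dkim_result = ar_m.group(1).lower() if ar_m else ("none" if not sigs else "unknown")
    dkim_aligned = dkim_result == "pass" and from_domain in sig_domains
    return {"from_domain": from_domain, "spf": spf_result, "spf_aligned": spf_aligned,
            "dkim": dkim_result, "dkim_aligned": dkim_aligned}

def dmarc_style_pass(summary):
    """DMARC-style acceptance: some mechanism passes for a domain aligned with From."""
    return (summary["spf"] == "pass" and summary["spf_aligned"]) or summary["dkim_aligned"]

def sa_kill_rule_fires(summary):
    """The post's SpamAssassin meta rule: SPF_FAIL without DKIM_VALID."""
    return summary["spf"] == "fail" and summary["dkim"] != "pass"
```

Run against SAMPLE_HEADERS the summary reports dkim=none with SPF passing and aligned, so the message is accepted on SPF alone and the kill rule stays silent.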
