On 30 Oct 2016, at 12:43, Robert Fitzpatrick wrote:
> The opendkim mailing list seems not available any longer, so thought
> I'd try here. I'm trying to get a handle on how to setup DKIM properly
> on a gateway server, not even sure if what I'm trying to do is
> possible. This gateway serves as an MX with ClamAV+Amavisd+SA
> filtering as well as the smarthost for the subject domain.
> I can get opendkim to sign when coming from an entry in the
> TrustedHosts file, but it is not verifying unless a signature is
> present. Does dkim only verify when a signature is added or can I
> setup so the domain is verified with or without a signature?
Can you set up magic? or machine telepathy?
If there's no DKIM signature, what exactly do you think opendkim can use
to do a verification?
[snip... I'm sure it's significant, but I'm not familiar enough with
opendkim to see a problem...]
> And the contents of my TrustedHosts file:
> #127.0.0.1
> #localhost
> 208.38.145.0/26
> 216.139.202.0/27
> I commented out the localhost portions because it was signing twice,
> both after the initial Received header and then again after received
> by the filter. The latter two networks are internal network sources I
> do not want to verify, only sign.
The trick in preventing that is not to stop trusting localhost but
rather to make the after-filter smtpd instance not use opendkim. Share
your 'postconf -nf' and 'postconf -Mf' output for help on doing that.
It's probably just a matter of adding no_milters to the "-o
receive_override_options=" directive for the after-filter smtpd
definition in master.cf.
> I send a message hoping to be rejected and it is not, the resulting
> headers show nothing dkim related:
Right. It's not from a source you want opendkim to sign for and opendkim
has no signature it could try to verify. DKIM can only provide a
thumbs-up or a shrug, it has no useful repudiation result. Anything
looking at headers afterwards can see that there's no signature, which
by the definition of DKIM is logically equivalent to an invalid
signature. To convert the meaning of no signature into a derogatory
assertion, you would need to use something like ADSP or DMARC whereby a
domain owner can assert that unsigned or mis-signed mail claiming to be
from them should be deemed bogus.
HOWEVER, note this:
> Return-Path: <administra...@subjectdomain.com>
> [...]
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
> client-ip=96.254.71.164; helo=[192.168.1.110];
> envelope-from=administra...@subjectdomain.com;
> receiver=rob...@rfitz.com
> [...]
> From: MRI Tampa <administra...@subjectdomain.com>
This means SPF has authenticated the RFC5321.MailFrom (envelope
sender/Return-Path) which happens in this case to match the RFC5322.From
(From header) so no rational filtering system would consider it forged
or reject the mail on the basis that it lacks a DKIM signature.
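For reference, here is a TrustedHosts and master.cf layout that follows the advice above (keep localhost trusted, stop the milter on the after-filter listener). This is an added illustration, not configuration from the thread or from the opendkim/Postfix projects; the transport name smtp-amavis, ports 10024/10025 and the other listener overrides are assumptions.

```text
# opendkim TrustedHosts (assumed layout, not the original poster's file)
# localhost stays trusted so locally submitted mail is signed; the double
# signing is prevented in master.cf below, not by untrusting localhost.
127.0.0.1
localhost
208.38.145.0/26
216.139.202.0/27

# Postfix master.cf (assumed transport name and ports)
# Public MX listener: opendkim is attached via smtpd_milters in main.cf, so
# inbound mail is verified and mail from TrustedHosts is signed once here.
smtp      inet  n       -       n       -       -       smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024

# After-filter listener: amavisd reinjects scanned mail here. no_milters in
# receive_override_options keeps opendkim (and every other milter) from
# running a second time on the same message; an empty "-o smtpd_milters="
# on this listener would have the same effect.
127.0.0.1:10025 inet n  -       n       -       -       smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o mynetworks=127.0.0.0/8
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings,no_milters
```

After the change, a signed message should carry exactly one DKIM-Signature header, and 'postconf -Mf' should show the no_milters override only on the 10025 listener.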