Home / server / Questions / 830979
In Process
Isabell Cowan
Asked: 2017-02-07 17:03:45 +0800 CST

OpenDKIM milter not signing relayed mail

  • 772

I'm using OpenDKIM to sign mail on my Postfix server. It works as intended when sending with SMTPS from it's origin domain (let's say example.com). However, mail set out from SMTP clients on the LAN are not being signed. Said clients do not have from the same origin domain (for example client1.lan), but are translated with smtp_generic_maps to the same origin (specifically [email protected]). Ideally, I want to sign that outgoing mail.

In /etc/postfix/main.cf I have:

smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

In /etc/opendkim.conf I have:

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts

In /etc/opendkim/TrustedHosts I have:

::1
127.0.0.1
localhost
ip6-localhost
ip6-loopback
mail
10.0.0.0/24
*.lan
email postfix opendkim

3 Answers

  1. In Postfix make sure /etc/postfix/main.conf contains:

    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

    This will ensure that mail coming from authenticated users will be signed by OpenDKIM. As per documentation:

    A message will be verified unless it conforms to the signing criteria, which are: (1) the domain on the From: address (if present) must be listed by the -d command line switch or the Domain configuration file setting, and (2) (a) the client connecting to the MTA must have authenticated, or (b) the client connecting to the MTA must be listed in the file referenced by the InternalHosts configuration file setting (or be in the default list for that option), or (c) the client must be connected to a daemon port named by the MTAs configuration file setting, or (d) the MTA must have set one or more macros matching the criteria set by the MacroList configuration file setting.

    For (a) above, the test is whether or not the MTA macro "{auth_type}" is set and contains any non-empty value. This means the MTA must pass the value of that macro to the filter before or during the end-of-header (EOH) phase in order for its value to be tested.

    • 1

  2. If they are to be relayed and signed to other domains (based on the From: header), then you'll have to map these other domains with the SigningTable configuration at opendkim, you may even assign different keys and selectors by matching them at the KeyTable — both point to different mapping files.

    I had a similar problem, but I could debug it by looking at the mail headers — there you'll find the exact hostname and IP address the relayed server is using, for example:

    Received: from client1.lan (client1.localdomain [10.0.0.2]) by example.com 
          (Postfix) with ESMTPS id 71B8D10C1A68 for <[email protected]>;
          Sun, 12 Feb 2017 13:19:33 +0000 (UTC)

    Then you can check if the relayed server is using the internal network, which hostname it's using and to what domain it intends to send e-mail from.

    • 0

  3. Had the same issue: mail being sent from remote host didn't get signed.

    The solution was simple: just to add the IP of a remote sender to /etc/opendkim/TrustedHosts

    • 0