Bingo! I added dpiems.entrust.com to the InternalHosts file, and I am
now the proud owner of a DKIM-Signature header.

So, if I am understanding correctly, only messages being relayed from
hosts in the InternalHosts file will be signed (and also messages from
authenticated connections).

What does the ExternalIgnoreList setting do? The error I was receiving
("external host attempted...") led me to this setting, but presumably it
was not the one I was looking for, because when I added
dpiems.entrust.com to the ExternalIgnoreList file, the error went away
but I was not getting a signature either.

Thanks

Dave I 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Murray S. Kucherawy
Sent: Wednesday, October 17, 2007 4:51 PM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] Dkim-filter not signing

On Wed, 17 Oct 2007, Dave Isaacs wrote:
> In /var/log/maillog, the only dkim-filter related message that appears
> is "external host dpiems.entrust.com attempted to send as
> dpiems.entrust.com" (dpiems.entrust.com is the localhost), so this
> syslog message doesn't make sense. I thought dkim-filter would
> automatically accept and sign messages from localhost.

I'm not familiar with postfix, so I can only speak to dkim-filter's
operation.

The man page for dkim-filter(8) describes the conditions under which
signing occurs:

OPERATION
        A message will be verified unless it conforms to the signing
        criteria, which are: (1) the domain on the From: address or
        Sender: address (if present) must be listed by the -d command
        line switch or the Domain configuration file setting, and (2)
        the client connecting to the MTA must (a) have authenticated,
        or (b) be listed in the file referenced by the -i command line
        switch (or be in the default list for that option), or (c) be
        connected to a daemon port named by the -m command line switch.

Sounds like you're matching (1) based on the log message.  You'll have
to verify whether or not one of the criteria under (2) has been met.

The default for "-i" is a list containing only 127.0.0.1.  My only guess
is that the TCP connection to the signing instance of Postfix is not
coming from there.  For example, your previous mail talked about a
message passing through the filter more than once as it goes through
other content filters, so perhaps one of those is hiding "127.0.0.1" by
coming from some other interface or host.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
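
Added example, not part of the original messages and not dkim-filter's own code: a small Python model of the sign-or-verify decision quoted from dkim-filter(8) above, showing why a local relay that does not connect from 127.0.0.1 gets verified rather than signed until it is listed in InternalHosts. The function names, the client address 192.0.2.10 and the entry matching (IP, CIDR or exact hostname) are assumptions made for illustration.

```python
import ipaddress

DEFAULT_INTERNAL = ["127.0.0.1"]  # default for -i, as stated in the reply


def host_listed(client_ip, client_name, entries):
    """True if the client matches an entry (assumed forms: IP, CIDR, hostname)."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # not an address, so compare it as a hostname
            if client_name and entry.lower() == client_name.lower():
                return True
    return False


def decide(author_domain, client_ip, client_name=None, *, domains,
           internal_hosts=None, authenticated=False,
           daemon_port=None, signing_ports=()):
    """Return ("sign" or "verify", reasons) for the man page's two criteria.

    author_domain is the domain taken from the From: or Sender: address.
    """
    internal = DEFAULT_INTERNAL if internal_hosts is None else internal_hosts
    domain_ok = author_domain.lower() in {d.lower() for d in domains}
    client_checks = {
        "(2a) authenticated": authenticated,
        "(2b) listed in internal hosts": host_listed(client_ip, client_name, internal),
        "(2c) on a signing daemon port": daemon_port in signing_ports,
    }
    reasons = [f"(1) domain listed: {domain_ok}"]
    reasons += [f"{name}: {ok}" for name, ok in client_checks.items()]
    action = "sign" if domain_ok and any(client_checks.values()) else "verify"
    return action, reasons


if __name__ == "__main__":
    # Constructed scenario: the relay connects from a non-loopback address.
    host = "dpiems.entrust.com"
    for hosts in (None, ["127.0.0.1", host]):
        action, why = decide(host, "192.0.2.10", host,
                             domains=[host], internal_hosts=hosts)
        print(hosts, "->", action)
        for line in why:
            print("   ", line)
```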
