I'm running dkim-milter on postfix, and I'm having a lot of trouble 
getting it to sign everything I am wanting it to sign. I'm looking for 
help here to determine what I might be missing in my configuration.

The server I am trying to get this to work on is primarily an outgoing MX 
server (called mx2). It doesn't take "submissions" on the submission 
port, nor does it perform SASL authentication locally. It does however 
take deliveries from machines that do SASL authentication, or from 
internal list server hosts that relay their mail to this MX server to 
then deliver to the world.

Because this server acts as an outgoing relay for a mailing list server, 
I am wanting all the messages that come from those internal machines to 
get signed on the way out. Messages are getting signed, but not the ones 
that I would have expected:

Scenario 1: Messages that I submit via SASL authentication to our 
incoming mail server that then get sent on to our list server, which then 
explodes those out to the list subscribers by relaying the outgoing mail 
to this MX server with dkim running on it -- these messages are not 
signed. Header example below.

Scenario 2: Messages that I am sending from gmail to the list have the 
gmail dkim/domainkey signatures added, but not mine (even though they get 
sent to the list server, which then explodes them and relays that 
outgoing delivery through the mail server with dkim running on it). 
Header example below.

How can I figure out why these aren't getting signed? My postfix version 
is 2.4.5, my dkim-milter version is 2.3.2. I'm running dkim-filter with 
the following arguments:

/usr/bin/dkim-filter -x /etc/dkim-filter.conf -u dkim-filter -P /var/run/dkim-filter/dkim-filter.pid -p /var/run/dkim-filter/dkim-filter.sock -l -i /etc/dkim-sign -c relaxed/simple -S rsa-sha1 -d *.riseup.net -s mx2

/etc/dkim-filter.conf has:
Syslog                  yes
SyslogSuccess           yes
Domain                  *.riseup.net
KeyFile                 /etc/certs/mx2.key.pem
Selector                mx2
Mode                    s
SubDomains              yes
Statistics              /var/run/dkim-filter/dkim-stats

/etc/dkim-sign has:
127.0.0.1
204.13.168.0/24 (my class C)
10.0.1.0/16 (my internal network)
10.8.0.0/16 (my VPN)
.riseup.net (my domain)
parrot.riseup.net (list server)
lists.riseup.net (CNAME for the list server)
localhost

Postfix is set up to have the following in main.cf:

smtpd_milters = unix:/var/run/clamav/clamav-milter.ctl,unix:/var/run/dkim-filter/dkim-filter.sock

I don't believe my messages are coming in via 'submission'.  Host 'mx2'
accepts mail from host 'listserver' which is configured with the
relayhost = mx2 parameter. When host 'mx2' receives the messages from
'listserver' it sends them out, but unsigned by dkim-milter. 

I was hoping I could coax dkim-milter into telling me why it wasn't 
signing mails; this would be really useful to me to see what decisions 
dkim-milter is making. For example if dkim-milter were to log:

Not signing 32DB7B3294, ENVELOPE_FROM does not match FROM: 
"ENVELOPE_FROM" == "riseup.net" && "FROM != "gmail.com";
Not signing 54JD3J3943, originating IP not in internal hosts file: 
"ENVELOPE_FROM" == "riseup.net" && "FROM == "riseup.net" && "IP == 
4.2.2.2"

I couldn't find any logging information, besides when a signature is 
added:

Nov  9 08:32:46 mx2 dkim-filter[29260]: 32DB7A1102 "DKIM-Signature" header added

The following are the headers from two messages, the first is scenario 
number 1 above, and the second is scenario number 2.

Originated via SASL authenticated submission:

Return-Path: [EMAIL PROTECTED]
X-OfflineIMAP-x1405105391-4c6f63616c-494e424f58: 1194628438-0356639385401-
v5.99.4
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on 
spamd2.riseup.net
X-Spam-Level:
X-Spam-Status: No, score=-100.0 required=5.0 tests=USER_IN_WHITELIST
        shortcircuit=ham autolearn=disabled version=3.2.3
Delivered-To: [EMAIL PROTECTED]
Received: from mx2.riseup.net (unknown [10.8.0.9])
        by cormorant.riseup.net (Postfix) with ESMTP id F37B31CCF53;
        Fri,  9 Nov 2007 09:13:32 -0800 (PST)
Received: from parrot.riseup.net (unknown [10.0.1.31])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "parrot.riseup.net", Issuer "CA Cert Signing 
Authority" (verified OK))
        by mx2.riseup.net (Postfix) with ESMTP id 1DF779FC3A;
        Fri,  9 Nov 2007 09:11:49 -0800 (PST)
Received: by parrot.riseup.net (Postfix, from userid 1014)
        id A540D1823800; Fri,  9 Nov 2007 09:11:49 -0800 (PST)
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from mx1.riseup.net (mx1.riseup.net [204.13.164.18])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "mx1.riseup.net", Issuer "CA Cert Signing 
Authority" (verified OK))
        by parrot.riseup.net (Postfix) with ESMTP id 84ECD182C334
        for <[EMAIL PROTECTED]>; Fri,  9 Nov 2007 09:11:39 -0800 (PST)
Received: from tern.riseup.net (unknown [10.0.1.12])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "tern.riseup.net", Issuer "CA Cert Signing 
Authority" (verified OK))
        by mx1.riseup.net (Postfix) with ESMTP id 57CA257012D
        for <[EMAIL PROTECTED]>; Fri,  9 Nov 2007 09:11:39 -0800 (PST)
Received: from [127.0.0.1] (localhost [127.0.0.1]) (Authenticated sender: 
[EMAIL PROTECTED]) with ESMTP id
        9040914C127
Received: by lillypad (Postfix, from userid 1000)
        id 40D6C2CC5E5; Fri,  9 Nov 2007 12:11:33 -0500 (EST)
Date: Fri, 9 Nov 2007 12:11:33 -0500
From: Micah Anderson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.16 (2007-06-11)
X-Virus-Scanned: ClamAV 0.91.2/4724/Thu Nov  8 22:48:44 2007 on 
parrot.riseup.net
X-Virus-Status: Clean
Subject: [test] test again
Reply-To: [EMAIL PROTECTED]
X-Loop: [EMAIL PROTECTED]
X-Sequence: 183
Errors-to: [EMAIL PROTECTED]
Precedence: list
X-no-archive: yes
List-Id: <test.lists.riseup.net>
List-Archive: <https://lists.riseup.net/www/arc/test>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Owner: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>
List-Unsubscribe: <mailto:[EMAIL PROTECTED] 
20test>


This one originated from gmail to the list:

Return-Path: [EMAIL PROTECTED]
X-OfflineIMAP-1849546225-4c6f63616c-494e424f58: 1194631319-0115947217501-
v5.99.4
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on 
spamd2.riseup.net
X-Spam-Level:
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 shortcircuit=no
        autolearn=unavailable version=3.2.3
Delivered-To: [EMAIL PROTECTED]
Received: from mx2.riseup.net (unknown [10.8.0.9])
        by cormorant.riseup.net (Postfix) with ESMTP id CD867802096;
        Fri,  9 Nov 2007 09:33:56 -0800 (PST)
Received: from parrot.riseup.net (unknown [10.0.1.31])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client CN "parrot.riseup.net", Issuer "CA Cert Signing 
Authority" (verified OK))
        by mx2.riseup.net (Postfix) with ESMTP id 2141DA1296;
        Fri,  9 Nov 2007 09:26:51 -0800 (PST)
Received: by parrot.riseup.net (Postfix, from userid 1014)
        id A7DEE17FB1AA; Fri,  9 Nov 2007 09:26:51 -0800 (PST)
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from nz-out-0506.google.com (nz-out-0506.google.com 
[64.233.162.225])
        by parrot.riseup.net (Postfix) with ESMTP id 66D4D182CF99
        for <[EMAIL PROTECTED]>; Fri,  9 Nov 2007 09:21:08 -0800 (PST)
Received: by nz-out-0506.google.com with SMTP id q3so488613nzb
        for <[EMAIL PROTECTED]>; Fri, 09 Nov 2007 09:21:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=beta;
        h=domainkey-signature:received:received:message-
id:date:from:to:subject:mime-version:content-type:content-transfe
        r-encoding:content-disposition;
        bh=dgW91STXjh/mrasRotdNeRpdUNX053GWLg5aAro1egQ=;
        b=JuaztTmjmZUUPQ0Ud/2/q2avxRFnD/IknzxTQz/C3+dvwvfrK2
+ELS7SKFt9pSfUMHGqO4RelJr1vejxeyXBo1jDOijdGsL3zP/G0tMJjgc5l3L
        nbpfAjopzfwp6hWjG4B7uSQe16mhcUTHINKyym/wwXVXRoBKP+ZfBHcbd3QA=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=beta;
        h=received:message-id:date:from:to:subject:mime-version:content-
type:content-transfer-encoding:content-dispositio
        n;
        b=jVRIhna4BdLblrXMrcz4Q4zLNWzvQX/N0MFj4hIc+q/
C1Qxdr0TsoiB3HalvtWvwpV+ZFK/P0/8kzjKITbYx/XhVFpaW0zUZYzYpmZvG7IfOWb7
        LcoZ1Iv+d9TnkEEFkLw6s0XnJ9fFmh40IMXeSO85BcDFi0fLP9NEGndNXUyE=
Received: by 10.142.245.10 with SMTP id s10mr17592wfh.1194628867030;
        Fri, 09 Nov 2007 09:21:07 -0800 (PST)
Received: by 10.142.49.17 with HTTP; Fri, 9 Nov 2007 09:21:06 -0800 (PST)
Message-ID: <[EMAIL PROTECTED]>
Date: Fri, 9 Nov 2007 12:21:06 -0500
From: micah milano <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Virus-Scanned: ClamAV 0.91.2/4724/Thu Nov  8 22:48:44 2007 on 
parrot.riseup.net
X-Virus-Status: Clean
Subject: [test] test from gmail
Reply-To: [EMAIL PROTECTED]
X-Loop: [EMAIL PROTECTED]
X-Sequence: 185
Errors-to: [EMAIL PROTECTED]
Precedence: list
X-no-archive: yes
List-Id: <test.lists.riseup.net>
List-Archive: <https://lists.riseup.net/www/arc/test>
List-Help: <mailto:[EMAIL PROTECTED]>
List-Owner: <mailto:[EMAIL PROTECTED]>
List-Post: <mailto:[EMAIL PROTECTED]>
List-Subscribe: <mailto:[EMAIL PROTECTED]>
List-Unsubscribe: <mailto:[EMAIL PROTECTED]
20test>
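
The two checks named in the wished-for log lines above (From domain against the signing Domain, connecting client against the -i peer list), run over the configuration and Received: data posted here. This is an added example, not part of the original post and not dkim-milter's code; the matching rules (shell-style wildcard for Domain, address/CIDR and name-suffix matching for the peer list), the function names, and the From domains (redacted on the page) are assumptions.

```python
import ipaddress
from fnmatch import fnmatch

# /etc/dkim-sign as posted; text after the first field is treated as annotation.
PEER_LIST = """127.0.0.1
204.13.168.0/24 (my class C)
10.0.1.0/16 (my internal network)
10.8.0.0/16 (my VPN)
.riseup.net (my domain)
parrot.riseup.net (list server)
lists.riseup.net (CNAME for the list server)
localhost"""

def parse_peers(text):
    """Split a peer list into IP networks, host/domain names and warnings."""
    nets, names, warnings = [], [], []
    for fields in (line.split() for line in text.splitlines() if line.strip()):
        entry = fields[0]
        if len(fields) > 1:
            warnings.append(f"{entry}: extra text after entry")
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            names.append(entry.lower())  # not an address: host or .domain
            continue
        if "/" in entry and str(net) != entry:
            warnings.append(f"{entry}: host bits set, read as {net}")
        nets.append(net)
    return nets, names, warnings

def client_is_internal(ip, hostname, nets, names):
    """True if the connecting client matches by address or by name/suffix."""
    addr, host = ipaddress.ip_address(ip), hostname.lower()
    return any(addr in n for n in nets) or any(
        host == n or (n.startswith(".") and host.endswith(n)) for n in names)

def explain(queue_id, from_domain, ip, hostname, patterns, nets, names):
    """Hypothetical decision line; the matching rules are assumptions."""
    if not any(fnmatch(from_domain.lower(), p.lower()) for p in patterns):
        return f"Not signing {queue_id}: From domain {from_domain} not in {patterns}"
    if not client_is_internal(ip, hostname, nets, names):
        return f"Not signing {queue_id}: client {hostname} [{ip}] not in peer list"
    return f"Signing {queue_id}"

if __name__ == "__main__":
    nets, names, warnings = parse_peers(PEER_LIST)
    print(*warnings, sep="\n")
    for dom in ("gmail.com", "riseup.net", "lists.riseup.net"):  # constructed domains
        print(explain("2141DA1296", dom, "10.0.1.31", "unknown", ["*.riseup.net"], nets, names))
```

Under these assumptions the relay client 10.0.1.31 from the posted Received: header is covered by the peer list, so the From-domain comparison is the check to examine first.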

