I am wrestling with the issues arising from Yahoo.com, and now AOL.com, enforcing DKIM for their addresses. Specifically, we run a small number of mailing lists using Mailman which have a large number of subscribers from both these domains. As Mailman is configured to forward mail without altering the FROM: header, this trips the DKIM reject.
We have installed and configured OpenDKIM on our smtp relay, generated the private keys, configured the KeyTable and SigningTable files and published the necessary _domainkey.domain DNS records.

Our desired solution is to have mail forwarded by Mailman resigned using the Sender, where present, instead of the From header. As Mailman does set the Sender properly, according to reports from [email protected] we altered the configuration of opendkim.conf to this:

    SenderHeaders           Sender,From

DKIM is configured in main.cf thus:

    # set up opendkim - also see: /etc/opendkim.conf and /etc/opendkim/TrustedHosts
    # make sure opendkim service is running
    smtpd_milters = inet:127.0.0.1:8891
    non_smtpd_milters = $smtpd_milters
    milter_default_action = accept
    milter_protocol = 2

Mailman is interfaced to Postfix using this entry in master.cf:

    # Local delivery of mailing list traffic
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=mailman:mailman
      argv=/usr/lib/mailman/postfix/postfix-to-mailman.py ${nexthop} ${user}

The problem that we have is that mail being forwarded from Mailman is not being signed at all. And I suspect that it relates to the fact that the Mailman MLM and the Postfix MTA reside on the same server.
When I look at a test message sent through the MLM to the auth-results address I see this:

    [email protected]
    Received: from localhost (localhost [127.0.0.1])
        by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id 36876609A5
        for <[email protected]>; Mon, 5 May 2014 12:30:20 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at harte-lyne.ca
    Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
        by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id JUcMvst-FkzK for <[email protected]>;
        Mon, 5 May 2014 12:30:19 -0400 (EDT)
    Received: from inet08.hamilton.harte-lyne.ca (localhost [IPv6:::1])
        by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP
        for <[email protected]>; Mon, 5 May 2014 12:30:19 -0400 (EDT)
    Received: from localhost (localhost [127.0.0.1])
        by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id F2EDF609C8
        for <[email protected]>; Mon, 5 May 2014 12:30:17 -0400 (EDT)
    X-Virus-Scanned: amavisd-new at harte-lyne.ca
    Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
        by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id AuPvOnGIir-m for <[email protected]>;
        Mon, 5 May 2014 12:30:16 -0400 (EDT)
    Received: from webmail.harte-lyne.ca (inet04.hamilton.harte-lyne.ca [216.185.71.24])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (Client did not present a certificate)
        by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPSA id A9475609A5
        for <[email protected]>; Mon, 5 May 2014 12:30:16 -0400 (EDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=harte-lyne.ca;
        s=dkim_hll; t=1399307416;
        bh=z0DQjPUP3iSnJocIWpmAvVX8Alr4K8XVzrxjZOaSExM=;
        h=Date:Subject:From:To;
        b=IzhcNAwvf+zYpkcZNewyIGKhI7KTx0QviTFyWvhDUjzHJHODKVnq555p3QWyLMnWk
         E0CFEVQov6ehMHDW/OsDJ3MSAAz7ijAU4xe8jl7/j2Tb0msjU0sBJ1nWdupKcl1Bxh
         A+09YBd/IhBgUZsseUr8gJm8eV566jYmOwitoOpMuCCoDhbarW1YBGfBu3Gvs7hd5w
         PO4mp3KFK/ym7iFgRg8dVGCR0w+21BcJhqpMrdHs29pEzd2+tpOzCPGVg/fxe/JtsQ
         JI/cClyHLTGq82wwLHF5xdY+fjCa31xb74sm+0mDNPA6+g1iB9Spn4o2gR0CADRTEr
         4PsC8BCP3f8nQ==
    Received: from 216.185.71.44 (SquirrelMail authenticated user byrnejb)
        by webmail.harte-lyne.ca with HTTP; Mon, 5 May 2014 12:30:16 -0400
    Message-ID: <[email protected]>
    Date: Mon, 5 May 2014 12:30:16 -0400
    From: "James B. Byrne" <[email protected]>
    To: [email protected]
    User-Agent: SquirrelMail/1.4.22-4.el6
    MIME-Version: 1.0
    X-Priority: 3 (Normal)
    Importance: Normal
    Subject: [Logistics-l] dkim test
    X-BeenThere: [email protected]
    X-Mailman-Version: 2.1.12

So, if I read this aright, then the test email from me via the webmail interface is sent to our MTA at inet08. Inet08 signs the original mail and sends it to the Amavisd mail scanner. The mail returns to postfix who then submits it to Mailman? from the local address (127.0.0.1) and therein lies the problem I think. The mail then is forwarded on directly to the addresses and does not pass through Postfix again to be re-signed.

Is there any way to accomplish this and have the reinjected mail from mailman pass through the dkim milter a second time?

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:[email protected]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
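The symptom described above (a list copy carrying only the author's original DKIM-Signature and none from the Sender domain) can be checked from the headers alone. This is an added example, not part of the original post; the domains and header values in SAMPLE are constructed, and the script only inspects tags, it does not verify any signature.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a Mailman-forwarded message that still carries only
# the author's original signature (all names and values are made up).
SAMPLE = """\
Received: from localhost (localhost [127.0.0.1]) by mx.list.example (Postfix)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=author.example;
\ts=sel1; h=Date:Subject:From:To; bh=AAAA; b=BBBB
Sender: logistics-l-bounces@list.example
From: "A. Author" <author@author.example>
To: logistics-l@list.example
Subject: [Logistics-l] dkim test
X-BeenThere: logistics-l@list.example

body
"""

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def domain_of(msg, header):
    """Lower-cased domain of the address in a header, or None if absent."""
    addr = parseaddr(msg.get(header, ""))[1]
    return addr.rpartition("@")[2].lower() or None

def audit(raw):
    """Report which domains signed the message and whether the Sender domain did."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    sigs = [parse_tags(v) for v in msg.get_all("DKIM-Signature", [])]
    signing = [s.get("d", "").lower() for s in sigs]
    sender = domain_of(msg, "Sender")
    return {
        "signature_domains": signing,
        "signed_headers": [s.get("h", "").lower().split(":") for s in sigs],
        "sender_domain": sender,
        "from_domain": domain_of(msg, "From"),
        "resigned_by_sender_domain": sender in signing,
        "via_mailman": "X-BeenThere" in msg,
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a copy received from the list, `resigned_by_sender_domain` stays False for as long as the reinjected mail skips the signing milter.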
