It seems I stumbled upon a bug in opendkim.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695145

I am using Ubuntu 12.04. Using Backport also and the latest opendkim version is 2.6.8.

In opendkim.conf I have added "LogWhy Yes".

Now, in mail.log I can see:

Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: nm23-vm6.bullet.mail.ne1.yahoo.com [98.138.91.116] not internal
Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: not authenticated
Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: no signing domain match for 'yahoo.com'
Oct 5 22:08:17 ns4 opendkim[25822]: 3927844893: no signing subdomain match for 'yahoo.com'
Oct 5 22:08:18 ns4 opendkim[25822]: 3927844893: s=s2048 d=yahoo.com SSL error:04091068:rsa routines:INT_RSA_VERIFY:bad signature
Oct 5 22:08:18 ns4 opendkim[25822]: 3927844893: bad signature data

Will try to make a tcpdump.

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Wietse Venema
Sent: Sunday, October 05, 2014 7:48 PM
To: Postfix users
Subject: Re: opendkim and opendmarc failure for yahoo.com

Inteq Solution - Dep. tehnic:
> No security appliance in front of Postfix.
> I use SpamAssassin that tags with X-Spam.
>
> I have disabled AV scanning. No luck
> I have disabled dkim-milter. No luck
>
> Weird thing is that from other dmarc enabled domains, the result is
> pass and email delivery is OK.

opendkim *must* be used before any software that modifies headers or
content.

Instead of posting message headers, I prefer tcpdump content, off-list.

        Wietse
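
Added example, not part of the original thread and not opendkim's own code: it illustrates the point above that the verifier must see the message before any filter modifies headers or content, using RFC 6376 relaxed canonicalization to show which changes alter the hashed data. The message, the h= list and the filter outcomes are constructed, and the DKIM-Signature header's own contribution to the header hash is left out.

```python
import base64, hashlib, re

H_TAG = ["from", "subject", "date"]   # constructed h= list of signed headers

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP and trailing blank lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """The value a verifier recomputes and compares with the bh= tag (sha256)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP, trim the value."""
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"

def signed_header_input(headers, h_tag=H_TAG) -> str:
    """Canonicalized headers named in h=, taken bottom-up as the RFC requires.
    The DKIM-Signature header itself, also hashed in real DKIM, is left out."""
    pool, out = list(headers), []
    for wanted in h_tag:
        for i in range(len(pool) - 1, -1, -1):
            if pool[i][0].lower() == wanted:
                out.append(relaxed_header(*pool.pop(i)))
                break
    return "".join(out)

def survives(orig, changed):
    """Return (headers_intact, body_intact) for a message after a filter ran."""
    return (signed_header_input(orig[0]) == signed_header_input(changed[0]),
            body_hash(orig[1]) == body_hash(changed[1]))

# Constructed message as the signer saw it: (header list, body bytes).
HDRS = [("From", "Alice <alice@example.com>"), ("Subject", "Quarterly report"),
        ("Date", "Sun, 05 Oct 2014 19:00:00 +0000")]
BODY = b"Hello,\r\n\r\nSee the attachment.\r\n"
SIGNED = (HDRS, BODY)

# Constructed filter outcomes, each applied before the DKIM verifier sees the mail.
CASES = {
    "unsigned header added": ([("X-Spam-Status", "No")] + HDRS, BODY),
    "subject refolded": ([HDRS[0], ("Subject", "Quarterly\r\n  report"), HDRS[2]], BODY),
    "subject rewritten": ([HDRS[0], ("Subject", "[SPAM] Quarterly report"), HDRS[2]], BODY),
    "footer appended": (HDRS, BODY + b"-- \r\nScanned by gateway\r\n"),
}

if __name__ == "__main__":
    for label, msg in CASES.items():
        print(f"{label:22} headers_intact, body_intact = {survives(SIGNED, msg)}")
```

Only the last two cases change the data a verifier hashes; adding a header that is not listed in h=, or refolding a signed one, leaves it intact under relaxed canonicalization.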