Re: DKIM signing for wildcard sub domains

2017-12-13 Thread Benny Pedersen

Kent wrote on 2017-12-13 08:40:


Is this possible ?


no

http://www.opendkim.org/opendkim-atpszone.8.html

unless its atps signed

imho your server hostname must be dkim signed

then you can reuse keys to subdomain signing

its complex setup, so join opendkim maillist asking specific to this


Re: DKIM signing for wildcard sub domains

2017-12-13 Thread Anvar Kuchkartaev
Just quick fix I wrote wrong instructions s=* means for all services.
You have to edit 
/etc/opendkim.conf 
Subdomains Yes

And 

/etc/opendkim/SigningTable

example.com default._domainkey.example.com
.example.com default._domainkey.example.com

Anvar Kuchkartaev 
an...@anvartay.com
  Original Message  
From: Anvar Kuchkartaev
Sent: Wednesday, 13 December 2017 09:02
To: Kent; Postfix users
Subject: Re: DKIM signing for wildcard sub domains


In your case you are using selector with the name default. If you use
opendkim-genkey -s mx0 then it will generate key for mx0 selector (you must 
update dns records accordingly instead of default._domainkey.school.kiwi 
mx0._domainkey.school.kiwi and for mx1 generate with selector mx1 and dns 
record mx1._domainkey.school.kiwi)

If you want to create one key which will be copied across servers and applied 
for subdomains use --subdomains option to generate key for subdomains and in 
dns record use also s=*

Dns record in my case:

Question section:

mx1._domainkey.aegisnet.eu TXT

Answer section:

mx1._domainkey.aegisnet.eu. 21599   IN  TXT "v=DKIM1; k=rsa; s=*; 
h=sha256; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAspG5C7Cb9NipLjFCOdlPWqMybUqqAqnbbts4txUgFJ6XyyDQ58FKNKQmgKP7+/UHaYdPEEyrVJ34SUhg5gx+UWljm/ERROmPA7yDjzX2XZQDhaX1Rl+yZpLc9t1VrAhNHvvmdwiD0KZ3pJXVDYrYZp5NerINpq460Ra4GxUcmIeun"
 
"Vy2eAlfVk2LA7keNlf4UU+Sw3z66A0Yr+JgAf3/YRTDgPFM5vHYL3IHmiz9+ZH+GnGG+xTjm24k0SOr1mqtjkwORNtYg1aub5JmTtc7GaqH6w6cyBVmUylFx3TWL8MlqlxBKkrlQnPG/O7Z1kgUzoS8zx447p0/N1JyyS24rwIDAQAB"


Authority section:



Additional section:



Anvar Kuchkartaev 
an...@anvartay.com
  Original Message  
From: Kent
Sent: Wednesday, 13 December 2017 08:40
To: Postfix users
Cc: Anvar Kuchkartaev
Subject: Re: DKIM signing for wildcard sub domains


Hi Anvar,

> Yes and also it is recommended to setup different selector for each server 
> and different key per server.

I'm not sure I fully understand what you are saying.

So I should have created a separate 'default.private' for each server ? How 
would this work on my DNS server - would they have to have unique identifiers 
so that the TXT record on the mail server could be added for both servers as 
well ?


I don't want to create a separate DKIM for each sub domain - there are 
potentially 100's for all our clients. I want a DKIM for the top level 
'school.kiwi' domain which is then used for each of the sub domains.

Is this possible ?


Kent.




> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote:
> 
> Yes and also it is recommended to setup different selector for each server 
> and different key per server.
> 
> You can test DKIM signature using this website:
> http://dkimvalidator.com/
> 
> Anvar Kuchkartaev 
> an...@anvartay.com






Re: DKIM signing for wildcard sub domains

2017-12-13 Thread Anvar Kuchkartaev
In your case you are using selector with the name default. If you use
opendkim-genkey -s mx0 then it will generate key for mx0 selector (you must 
update dns records accordingly instead of default._domainkey.school.kiwi 
mx0._domainkey.school.kiwi and for mx1 generate with selector mx1 and dns 
record mx1._domainkey.school.kiwi)

If you want to create one key which will be copied across servers and applied 
for subdomains use --subdomains option to generate key for subdomains and in 
dns record use also s=*

Dns record in my case:

Question section:

mx1._domainkey.aegisnet.eu TXT

Answer section:

mx1._domainkey.aegisnet.eu. 21599   IN  TXT "v=DKIM1; k=rsa; s=*; 
h=sha256; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAspG5C7Cb9NipLjFCOdlPWqMybUqqAqnbbts4txUgFJ6XyyDQ58FKNKQmgKP7+/UHaYdPEEyrVJ34SUhg5gx+UWljm/ERROmPA7yDjzX2XZQDhaX1Rl+yZpLc9t1VrAhNHvvmdwiD0KZ3pJXVDYrYZp5NerINpq460Ra4GxUcmIeun"
 
"Vy2eAlfVk2LA7keNlf4UU+Sw3z66A0Yr+JgAf3/YRTDgPFM5vHYL3IHmiz9+ZH+GnGG+xTjm24k0SOr1mqtjkwORNtYg1aub5JmTtc7GaqH6w6cyBVmUylFx3TWL8MlqlxBKkrlQnPG/O7Z1kgUzoS8zx447p0/N1JyyS24rwIDAQAB"


Authority section:



Additional section:



Anvar Kuchkartaev 
an...@anvartay.com
  Original Message  
From: Kent
Sent: Wednesday, 13 December 2017 08:40
To: Postfix users
Cc: Anvar Kuchkartaev
Subject: Re: DKIM signing for wildcard sub domains


Hi Anvar,

> Yes and also it is recommended to setup different selector for each server 
> and different key per server.

I'm not sure I fully understand what you are saying.

So I should have created a separate 'default.private' for each server ? How 
would this work on my DNS server - would they have to have unique identifiers 
so that the TXT record on the mail server could be added for both servers as 
well ?


I don't want to create a separate DKIM for each sub domain - there are 
potentially 100's for all our clients. I want a DKIM for the top level 
'school.kiwi' domain which is then used for each of the sub domains.

Is this possible ?


Kent.




> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev <an...@anvartay.com> wrote:
> 
> Yes and also it is recommended to setup different selector for each server 
> and different key per server.
> 
> You can test DKIM signature using this website:
> http://dkimvalidator.com/
> 
> Anvar Kuchkartaev 
> an...@anvartay.com





Re: DKIM signing for wildcard sub domains

2017-12-12 Thread Kent
Hi Anvar,

> Yes and also it is recommended to setup different selector for each server 
> and different key per server.

I'm not sure I fully understand what you are saying.

So I should have created a separate 'default.private' for each server ?   How 
would this work on my DNS server - would they have to have unique identifiers 
so that the TXT record on the mail server could be added for both servers as 
well ?


I don't want to create a separate DKIM for each sub domain - there are 
potentially 100's for all our clients.  I want a DKIM for the top level  
'school.kiwi' domain which is then used for each of the sub domains.

Is this possible ?


Kent.




> On 13/12/2017, at 8:23 PM, Anvar Kuchkartaev  wrote:
> 
> Yes and also it is recommended to setup different selector for each server 
> and different key per server.
> 
> You can test DKIM signature using this website:
> http://dkimvalidator.com/
> 
> Anvar Kuchkartaev 
> an...@anvartay.com



Re: DKIM signing for wildcard sub domains

2017-12-12 Thread Maarten
So right now since it's set to only verify incoming mail signatures you 
are seeing the line "DKIM verification successful"


You should see the signing happening in the logs:

Dec 13 08:36:32 localhost opendkim[969]: ED6EDFB7: DKIM-Signature field 
added (s=default, d=feedmebits.nl)





On 2017-12-13 08:36, Maarten wrote:

Check  /etc/opendkim.conf. And the line that Says Mode.

You probably have it set like this:
Mode v

Change it to:
Mode sv

sign
verify

On 2017-12-13 08:32, Kent wrote:

Hi Maarten,

Apologies - I missed this when I was copying my setup.

I already have these lines in my  /etc/postfix.main.cf file.


When an e-mail comes in, I'm seeing these lines in the maillog:
Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: 
mail-lf0-f51.google.com [209.85.215.51] not internal

Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification 
successful


So I believe postfix is passing both incoming and outgoing mail via 
opendkim.


It's just my setup isn't adding the 'DKIM' into the outgoing mail.

Kent.



On 13/12/2017, at 8:14 PM, Maarten  
wrote:



Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters =  $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters


Re: DKIM signing for wildcard sub domains

2017-12-12 Thread Maarten

Check  /etc/opendkim.conf. And the line that Says Mode.

You probably have it set like this:
Mode v

Change it to:
Mode sv

sign
verify

On 2017-12-13 08:32, Kent wrote:

Hi Maarten,

Apologies - I missed this when I was copying my setup.

I already have these lines in my  /etc/postfix.main.cf file.


When an e-mail comes in, I'm seeing these lines in the maillog:
Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: 
mail-lf0-f51.google.com [209.85.215.51] not internal

Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification 
successful


So I believe postfix is passing both incoming and outgoing mail via 
opendkim.


It's just my setup isn't adding the 'DKIM' into the outgoing mail.

Kent.




On 13/12/2017, at 8:14 PM, Maarten  wrote:


Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters =  $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters


Re: DKIM signing for wildcard sub domains

2017-12-12 Thread Kent
Hi Maarten,

Apologies - I missed this when I was copying my setup.

I already have these lines in my  /etc/postfix.main.cf file.


When an e-mail comes in, I'm seeing these lines in the maillog:
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: mail-lf0-f51.google.com 
> [209.85.215.51] not internal
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: not authenticated
> Dec 13 20:24:45 mx01 opendkim[27470]: 81942208493E: DKIM verification 
> successful

So I believe postfix is passing both incoming and outgoing mail via opendkim.

It's just my setup isn't adding the 'DKIM' into the outgoing mail.

Kent.



> On 13/12/2017, at 8:14 PM, Maarten  wrote:
> 
> 
> Think you are missing something like this in main.cf
> 
> milter_protocol = 2
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters =  $smtpd_milters
> milter_default_action = accept
> 
> http://www.postfix.org/postconf.5.html#smtpd_milters



Re: DKIM signing for wildcard sub domains

2017-12-12 Thread Maarten

dkim runs on 8891:

tcp        0      0 127.0.0.1:8891          0.0.0.0:*               LISTEN      969/opendkim


This way it will sign the mails, that way you should see something like 
this:


Dec 13 08:14:43 localhost postfix/smtpd[21935]: connect from 
supernova.feedmebits.nl[46.105.136.80]
Dec 13 08:14:43 localhost postfix/smtpd[21935]: Anonymous TLS connection 
established from supernova.feedmebits.nl[46.105.136.80]: TLSv1.2 with 
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 13 08:14:43 localhost postfix/smtpd[21935]: A1346749: 
client=supernova.feedmebits.nl[46.105.136.80], sasl_method=CRAM-MD5, 
sasl_username=maarten
Dec 13 08:14:43 localhost postfix/cleanup[21938]: A1346749: hold: header 
Received: from a.mx.feedmebits.nl (supernova.feedmebits.nl 
[46.105.136.80])??(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
(256/256 bits))??(Client did not
 present a certificate)??by supernov from 
supernova.feedmebits.nl[46.105.136.80]; 
from= to= 
proto=ESMTP helo=
Dec 13 08:14:43 localhost postfix/cleanup[21938]: A1346749: 
message-id=
Dec 13 08:14:43 localhost opendkim[969]: A1346749: DKIM-Signature field 
added (s=default, d=feedmebits.nl)



On 2017-12-13 08:14, Maarten wrote:

Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters =  $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters


On 2017-12-13 03:10, Kent wrote:

Hi All,

I'm trying to get DKIM signing working on our postfix mail server.

We have a wildcard domain   *.school.kiwi.  We are providing a mail
service for our clients - who each have their own sub-domain  eg.
abc.school.kiwi  or   cde.school.kiwi


I have two servers, both are identical setups running centOS and
Postfix 2.  One is named mx01.school.kiwi  and the other is named
mx02.school.kiwi
Note: When I created the 'default.private' - I did so on mx01  and
copied it to mx02 so they are the same.  I assume this is the correct
approach ?


I've followed the instructions per this page:
https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

opendkim: OpenDKIM Filter v2.11.0




I've set up my KeyTable:
default._dkim.school.kiwi 
school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private




And my SigningTable:

*school.kiwi default._dkim.school.kiwi
.school.kiwi default._dkim.school.kiwi


This is the current setup.  I've tried different variations including
*@school.kiwi,  *@*school.kiwi,  *@.school.kiwi  and  *@*.school.kiwi


My TrustedHosts:

127.0.0.1
::1
school.kiwi
.school.kiwi




And finally  opendkim.conf itself with:

# KeyFile   /etc/opendkim/keys/default.private
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts




This is what I see in the  /var/log/maillog  when I send an e-mail to
my gmail account.

Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0 
from=
Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426: 
message-id=
Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426: 
from=, size=4645, nrcpt=1 
(queue active)
Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection 
established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426: 
to=, 
relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4, 
delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 
1513130134 33si417943ply.308 - gsmtp)
Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427: 
message-id=<20171213015309.8a3d22084...@mx02.school.kiwi>
Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender 
delivery status notification: 8A3D22084427
Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>, 
size=2632, nrcpt=1 (queue active)

Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427: 
to=, relay=schoolkiwi, 
delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via 
schoolkiwi service)

Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed





When I view a received e-mail, I can see the following line in the
message headers.


DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426




But not DKIM signature itself.   I've obviously something, but not
sure what to look at next.


Any assistance appreciated to get this working with emails from

Re: DKIM signing for wildcard sub domains

2017-12-12 Thread Anvar Kuchkartaev
Yes and also it is recommended to setup different selector for each server and 
different key per server.

You can test DKIM signature using this website:
http://dkimvalidator.com/

Anvar Kuchkartaev 
an...@anvartay.com
  Original Message  
From: Maarten
Sent: Wednesday, 13 December 2017 08:14
To: Postfix users; owner-postfix-us...@postfix.org
Subject: Re: DKIM signing for wildcard sub domains



Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters


On 2017-12-13 03:10, Kent wrote:
> Hi All,
> 
> I'm trying to get DKIM signing working on our postfix mail server.
> 
> We have a wildcard domain *.school.kiwi. We are providing a mail
> service for our clients - who each have their own sub-domain eg.
> abc.school.kiwi or cde.school.kiwi
> 
> 
> I have two servers, both are identical setups running centOS and
> Postfix 2. One is named mx01.school.kiwi and the other is named
> mx02.school.kiwi
> Note: When I created the 'default.private' - I did so on mx01 and
> copied it to mx02 so they are the same. I assume this is the correct
> approach ?
> 
> 
> I've followed the instructions per this page:
> https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/
>> opendkim: OpenDKIM Filter v2.11.0
> 
> 
> 
> I've set up my KeyTable:
>> default._dkim.school.kiwi 
>> school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private
> 
> 
> 
> And my SigningTable:
>> *school.kiwi default._dkim.school.kiwi
>> .school.kiwi default._dkim.school.kiwi
> 
> This is the current setup. I've tried different variations including
> *@school.kiwi, *@*school.kiwi, *@.school.kiwi and *@*.school.kiwi
> 
> 
> My TrustedHosts:
>> 127.0.0.1
>> ::1
>> school.kiwi
>> .school.kiwi
> 
> 
> 
> And finally opendkim.conf itself with:
>> # KeyFile /etc/opendkim/keys/default.private
>> KeyTable /etc/opendkim/KeyTable
>> SigningTable refile:/etc/opendkim/SigningTable
>> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
>> InternalHosts refile:/etc/opendkim/TrustedHosts
> 
> 
> 
> This is what I see in the /var/log/maillog when I send an e-mail to
> my gmail account.
> 
>> Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0 
>> from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426: 
>> message-id=<fndqjlkx4fdbrd6gt1eku...@school.kiwi>
>> Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426: 
>> from=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, size=4645, nrcpt=1 
>> (queue active)
>> Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection 
>> established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 
>> with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>> Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426: 
>> to=<abcdefghi...@gmail.com>, 
>> relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4, 
>> delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 
>> 1513130134 33si417943ply.308 - gsmtp)
>> Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427: 
>> message-id=<20171213015309.8a3d22084...@mx02.school.kiwi>
>> Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender 
>> delivery status notification: 8A3D22084427
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>,
>> size=2632, nrcpt=1 (queue active)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
>> Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427: 
>> to=<fndqjlkx4fdbrd6gt1eku...@hooks.school.kiwi>, relay=schoolkiwi, 
>> delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via 
>> schoolkiwi service)
>> Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed
>> 
> 
> 
> 
> When I view a received e-mail, I can see the following line in the
> message headers.
> 
>> DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426
> 
> 
> 
> But not DKIM signature itself. I've obviously something, but not
> sure what to look at next.
> 
> 
> Any assistance appreciated to get this working with emails from
> n...@anysubdomain.school.kiwi
> 
> 
> thanks
> 
> Kent.




Re: DKIM signing for wildcard sub domains

2017-12-12 Thread Maarten


Think you are missing something like this in main.cf

milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters =  $smtpd_milters
milter_default_action = accept

http://www.postfix.org/postconf.5.html#smtpd_milters


On 2017-12-13 03:10, Kent wrote:

Hi All,

I'm trying to get DKIM signing working on our postfix mail server.

We have a wildcard domain   *.school.kiwi.  We are providing a mail
service for our clients - who each have their own sub-domain  eg.
abc.school.kiwi  or   cde.school.kiwi


I have two servers, both are identical setups running centOS and
Postfix 2.  One is named mx01.school.kiwi  and the other is named
mx02.school.kiwi
Note: When I created the 'default.private' - I did so on mx01  and
copied it to mx02 so they are the same.  I assume this is the correct
approach ?


I've followed the instructions per this page:
https://www.stevejenkins.com/blog/2011/08/installing-opendkim-rpm-via-yum-with-postfix-or-sendmail-for-rhel-centos-fedora/

opendkim: OpenDKIM Filter v2.11.0




I've set up my KeyTable:
default._dkim.school.kiwi 
school.kiwi:default:/etc/opendkim/keys/school.kiwi/default.private




And my SigningTable:

*school.kiwi default._dkim.school.kiwi
.school.kiwi default._dkim.school.kiwi


This is the current setup.  I've tried different variations including
*@school.kiwi,  *@*school.kiwi,  *@.school.kiwi  and  *@*.school.kiwi


My TrustedHosts:

127.0.0.1
::1
school.kiwi
.school.kiwi




And finally  opendkim.conf itself with:

# KeyFile   /etc/opendkim/keys/default.private
KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/opendkim/SigningTable
ExternalIgnoreList  refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts




This is what I see in the  /var/log/maillog  when I send an e-mail to
my gmail account.

Dec 13 14:53:07 mx02 postfix/pickup[19928]: 280D82084426: uid=0 
from=
Dec 13 14:53:07 mx02 postfix/cleanup[20008]: 280D82084426: 
message-id=
Dec 13 14:53:07 mx02 postfix/qmgr[18077]: 280D82084426: 
from=, size=4645, nrcpt=1 
(queue active)
Dec 13 14:53:08 mx02 postfix/smtp[20036]: Untrusted TLS connection 
established to gmail-smtp-in.l.google.com[108.177.97.27]:25: TLSv1.2 
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Dec 13 14:53:09 mx02 postfix/smtp[20036]: 280D82084426: 
to=, 
relay=gmail-smtp-in.l.google.com[108.177.97.27]:25, delay=2.4, 
delays=0.01/0/1.6/0.81, dsn=2.0.0, status=sent (250 2.0.0 OK 
1513130134 33si417943ply.308 - gsmtp)
Dec 13 14:53:09 mx02 postfix/cleanup[20008]: 8A3D22084427: 
message-id=<20171213015309.8a3d22084...@mx02.school.kiwi>
Dec 13 14:53:09 mx02 postfix/bounce[20012]: 280D82084426: sender 
delivery status notification: 8A3D22084427
Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: from=<>, 
size=2632, nrcpt=1 (queue active)

Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 280D82084426: removed
Dec 13 14:53:09 mx02 postfix/pipe[20013]: 8A3D22084427: 
to=, relay=schoolkiwi, 
delay=0.06, delays=0/0/0/0.06, dsn=2.0.0, status=sent (delivered via 
schoolkiwi service)

Dec 13 14:53:09 mx02 postfix/qmgr[18077]: 8A3D22084427: removed





When I view a received e-mail, I can see the following line in the
message headers.


DKIM-Filter: OpenDKIM Filter v2.11.0 mx02.school.kiwi 7A8CB2084426




But not DKIM signature itself.   I've obviously something, but not
sure what to look at next.


Any assistance appreciated to get this working with emails from
n...@anysubdomain.school.kiwi


thanks

Kent.
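
Added example, not part of the thread and not OpenDKIM's own code: a Python approximation of how a SigningTable entry is selected, run over Kent's `refile:` table and the plain-file table from Anvar's reply. It follows the lookup order documented in opendkim.conf(5); the sender addresses are constructed, the `TIGHT_REFILE` table uses two of the variations Kent lists, and treating `*` as an anchored "any characters" wildcard is an assumption about the `refile:` matcher.

```python
import re

# Tables as posted in the thread; sender addresses used below are constructed.
KENT_REFILE = """
*school.kiwi default._dkim.school.kiwi
.school.kiwi default._dkim.school.kiwi
"""
TIGHT_REFILE = """
*@school.kiwi default._dkim.school.kiwi
*@*.school.kiwi default._dkim.school.kiwi
"""
ANVAR_PLAIN = """
example.com default._domainkey.example.com
.example.com default._domainkey.example.com
"""

def parse_table(text):
    """Return (key, value) rows in file order, skipping blanks and # comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows

def lookup_refile(text, sender):
    """refile: match the whole user@host against each pattern, first hit wins.
    Assumption: '*' means any run of characters and the pattern is anchored."""
    for pattern, keyname in parse_table(text):
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, sender, re.IGNORECASE):
            return pattern, keyname
    return None

def plain_candidates(sender):
    """Keys tried for a non-refile table, in the order opendkim.conf(5) lists."""
    user, host = sender.lower().rsplit("@", 1)
    labels = host.split(".")
    supers = ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return ([f"{user}@{host}", host] + [f"{user}@{s}" for s in supers]
            + supers + [f"{user}@*", "*"])

def lookup_plain(text, sender):
    """file-style table: exact match on the first candidate key that exists."""
    table = {key.lower(): value for key, value in parse_table(text)}
    for candidate in plain_candidates(sender):
        if candidate in table:
            return candidate, table[candidate]
    return None

if __name__ == "__main__":
    for label, fn, table, sender in [
        ("Kent refile", lookup_refile, KENT_REFILE, "noreply@abc.school.kiwi"),
        ("Kent refile", lookup_refile, KENT_REFILE, "noreply@notschool.kiwi"),
        ("tight refile", lookup_refile, TIGHT_REFILE, "noreply@abc.school.kiwi"),
        ("tight refile", lookup_refile, TIGHT_REFILE, "noreply@notschool.kiwi"),
        ("Anvar plain", lookup_plain, ANVAR_PLAIN, "user@abc.example.com"),
        ("Anvar plain", lookup_plain, ANVAR_PLAIN, "user@notexample.com"),
    ]:
        print(f"{label:12} {sender:26} -> {fn(table, sender)}")
```

Under these assumptions `*school.kiwi` already matches subdomain senders, but it also selects the key for a sender such as `noreply@notschool.kiwi`, while the `*@school.kiwi` / `*@*.school.kiwi` pair limits signing to the domain and its subdomains. The `.school.kiwi` line never matches in a `refile:` table because the pattern is compared against the whole address.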