On 20 October 2017 at 18:28, Fazzina, Angelo <angelo.fazz...@uconn.edu> wrote:
> Hi, I have a small DKIM question. Config files are at the bottom of the email.
> I got it working but don't understand why?
>
> The one change I made to get it to work was to add
> 137.99.0.0/16 to the TrustedHosts file.
>
> So tests with a From of x...@appmail.uconn.edu and x...@uconn.edu are getting
> signed and I see it in the Postfix logs.
>
>
> My question:
> my prod servers (3 of them), smtp.uconn.edu, allow authenticated users to
> send over 465 and 587.
> So they could come from any IP address in the world.
> I assume all users are using a From address of x...@uconn.edu or
> x...@yyy.uconn.edu.
> Is it possible to get emails signed with DKIM?
>
>
>
> These are the 3 files I configured
>
> SigningTable =
> *@appmail.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
> *@uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
> *@uits.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
>
> KeyTable =
> dkim1._domainkey.mta4.uits.uconn.edu mta4.uits.uconn.edu:dkim1:/etc/opendkim/keys/uconn/dkim1.private
>
> TrustedHosts =
> 127.0.0.1
> 137.99.0.0/16
> ::1
>
> This is the opendkim.conf file =
>
> PidFile /var/run/opendkim/opendkim.pid
> Mode sv
> Syslog yes
> SyslogSuccess yes
> LogWhy yes
> UserID opendkim:opendkim
> Socket inet:8891@localhost
> Umask 002
> SendReports yes
> ReportAddress "UITS-SSG OpenDKIM" <ang...@uconn.edu>
> SoftwareHeader yes
> Canonicalization relaxed/simple
> Selector dkim1
> MinimumKeyBits 1024
> KeyTable /etc/opendkim/KeyTable
> SigningTable refile:/etc/opendkim/SigningTable
> ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
> InternalHosts refile:/etc/opendkim/TrustedHosts

Referring to man opendkim.conf, under 'Mode' I see you are using mode (b), in which case I think 'Selector' should not be defined. (I use mode (a), which is rather simpler.) Try removing 'Selector' from opendkim.conf and see what happens.
Presuming that your setup already blocks unauthenticated senders purporting to be from @your_domain, I don't think you should need or have to rely on InternalHosts or ExternalIgnoreList. Emails that need signing, and do not need testing for an existing valid signature, should be identified solely from SigningTable. There shouldn't be any that don't need signing *and* don't need testing for a valid signature (i.e. that need to be specified in ExternalIgnoreList) except perhaps for an intranet mail system - emails must either be from the outside world and require testing for DKIM, or be from a recognised sender using one of your domains, and require a signature to be added. Similarly there shouldn't be any, even from the local system, that are not from one of your domains and do need a signature adding (i.e. that need to be specified in InternalHosts). If rewriting any (local) sender addresses, be sure to use Postfix's canonical_maps and not smtp_generic_maps so that the change precedes the adding of the signature by opendkim.
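As an added illustration (not code from the thread or from OpenDKIM itself), the following Python models how the quoted SigningTable and KeyTable resolve a From: address to a signing key. It assumes the refile semantics in which `*` matches any run of characters, the pattern must cover the whole address, entries are tried in file order and the first match wins. Run against the addresses mentioned in the question, it shows that a sender at yyy.uconn.edu matches none of the listed patterns and so would get no signature.

```python
import re

# Constructed copies of the SigningTable and KeyTable quoted in the thread.
SIGNING_TABLE = """
*@appmail.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
*@uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
*@uits.uconn.edu dkim1._domainkey.mta4.uits.uconn.edu
"""

KEY_TABLE = """
dkim1._domainkey.mta4.uits.uconn.edu mta4.uits.uconn.edu:dkim1:/etc/opendkim/keys/uconn/dkim1.private
"""


def parse_table(text):
    """Split a two-column OpenDKIM table into (key, value) pairs, skipping blanks and '#' comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value.strip()))
    return rows


def pattern_to_regex(pattern):
    """Assumption: in a refile table '*' is a wildcard for any characters, all else is literal,
    and the whole address must match (case-insensitively)."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def resolve_signing_key(from_addr, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Return (domain, selector, keyfile) for the first matching SigningTable entry,
    or None when the From: address would not be signed at all."""
    keys = dict(parse_table(key_table))
    for pattern, key_name in parse_table(signing_table):
        if pattern_to_regex(pattern).match(from_addr):
            if key_name not in keys:
                raise KeyError(f"SigningTable refers to unknown KeyTable entry {key_name}")
            domain, selector, keyfile = keys[key_name].split(":", 2)
            return domain, selector, keyfile
    return None


if __name__ == "__main__":
    # Addresses from the question (local parts are placeholders).
    for addr in ("user@uconn.edu", "user@appmail.uconn.edu", "user@yyy.uconn.edu"):
        print(addr, "->", resolve_signing_key(addr))
```

A pattern such as `*@*.uconn.edu` would be needed for subdomain senders; whether to add one is a policy decision for the domain owner, since every matched address is signed with the same key.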