Have a multi-domain Postfix+Dovecot+MySQL+SpamAssassin working nicely. Added OpenDKIM and it works, passing some 'tests', but not others. I notice that outgoing mail appears to be signed twice. Is this correct?

The two signatures are otherwise identical but with marginally different timestamps (and thus different hashes). I notice (of the few people who appear to be using DKIM) Wietse's emails are signed only once - which I'd imagine is correct (for at least two reasons...)

In case it is helpful, herewith Postfix definitions and a Validator report (to save you looking at the (original) headers of this message):

main.cf

#DKIM
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
#smtpd_milters = local:/var/run/opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

[should the non_smtpd_milters be (what appears to me, to be) a repetition?]
[Different tutorials use the socket approach, and others the one implemented here. I'm curious about any pros-and-cons]

DKIMValidator.com

[first it reproduces the headers]

Original Message (includes)

DKIM-Filter: OpenDKIM Filter v2.11.0 vps.rangi.cloud 0AB68561C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=danceswithmice.info;
	s=staff; t=1649930978;
	bh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
	h=Date:From:Subject:To:From;
	b=aJM9/Vj+2t6x8sGjYbLXhcPCUc9W2dYJ6N4RrlFkbVNmnNbThZoC4UWsxY7hS610U
	 l4+gOQ4N9Ya0+s3YWbMSdEykuzOA5Q+STyS3ljND5XRhV7QnHtK5vmXcGHxwL5ui6m
	 0P1QOj2xjbK+i5toNKz9uOZcSHW+dRu8XWk6wyjSKl7afKCqtx6QgxptJRrOhiuU4M
	 OoQw/jD5krI3SxHAaN/FcdoKoWIfGUdiYpLhXx/9YSkp3zFjQLVMAx0d6hzwWK7tbY
	 4VooYnP1tTFSiG6u+DfBomD3Daw9YQ0MktkYHYpxkj/6AIRQDod7JkDOrbCqjDx4cK
	 zPDnWfP7+E5pA==
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on vps517507.ovh.net
X-Spam-Level:
X-Spam-Status: No, score=-3.0 required=5.0 tests=ALL_TRUSTED,BAYES_00,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,T_SCC_BODY_TEXT_LINE autolearn=ham
	autolearn_force=no version=3.4.0
Received: from [192.168.7.57] (118-92-199-252.dsl.dyn.ihug.co.nz [118.92.199.252])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: domainadmin@rangi.cloud)
	by vps.rangi.cloud (Postfix) with ESMTPSA id 9AC0E5614
	for <eemzi5zyvvp...@dkimvalidator.com>; Thu, 14 Apr 2022 10:09:36 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 vps.rangi.cloud 9AC0E5614
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=danceswithmice.info;
	s=staff; t=1649930977;
	bh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
	h=Date:From:Subject:To:From;
	b=S6fq1BJnSLkzf9o2ty+CQz1yx7OSbY7NVH33a1PeKGmDlLh3VS/O1gk1EMsgMAKr9
	 qwMCjGJy0mZQ1ZMRDqh78HFDvgxLhCvcR6bM8WmvZmnr4EFYbUl0z4Hfne2gwxtRl+
	 k+XCfk6iZt3eoNfQdbyqIcOAZRFL0u4jIgmSLh6FifPLF1koMoVQ7fWgEXgJ1CxC8g
	 8CPu6tf/VUvzKTmBFbqVOGOEN9j2Hu39AYovLpl+huL7p2NHpoTut4py6+alp4gaXR
	 yJq4N9WuGXJEqc4QP/Mz8CNWrdD0lHTZfHRafTf1XLz3sHd7ysfmeA0MktfgDtVnSi
	 +V2ChfMaMQEEQ==
Message-ID: <3d3a6f7b-25ac-eeb3-06bd-7f4096b8c...@danceswithmice.info>
D

[Now it starts its analysis and reporting. Note how it picks-up both signatures, but only one appears in the report below]

DKIM Signature

[snipped repetition of (both) above]

Signature Information:
v= Version: 1
a= Algorithm: rsa-sha256
c= Method: relaxed/simple
d= Domain: danceswithmice.info
s= Selector: staff
q= Protocol:
bh= zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=
h= Signed Headers: Date:From:Subject:To:From
b= Data: aJM9/Vj+2t6x8sGjYbLXhcPCUc9W2dYJ6N4RrlFkbVNmnNbThZoC4UWsxY7hS610U
	 l4+gOQ4N9Ya0+s3YWbMSdEykuzOA5Q+STyS3ljND5XRhV7QnHtK5vmXcGHxwL5ui6m
	 0P1QOj2xjbK+i5toNKz9uOZcSHW+dRu8XWk6wyjSKl7afKCqtx6QgxptJRrOhiuU4M
	 OoQw/jD5krI3SxHAaN/FcdoKoWIfGUdiYpLhXx/9YSkp3zFjQLVMAx0d6hzwWK7tbY
	 4VooYnP1tTFSiG6u+DfBomD3Daw9YQ0MktkYHYpxkj/6AIRQDod7JkDOrbCqjDx4cK
	 zPDnWfP7+E5pA==

[the next stage of the analysis shows where/how it picked-up the DKIM settings]

Public Key DNS Lookup

Building DNS Query for staff._domainkey.danceswithmice.info
Retrieved this publickey from DNS:
v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqr7MeOrYgSUc17kYIR65gFTUX6/UjJvFySRw3kzG/Jp+G8bjLv6ssMaziw0EZBtFsI0moywuXq+n74xUWX/a2vOnmOnG/IAmtw5hg7eiUQFGgUx/MOeXIS1nU3ziekrAwWSEWEuF9/IaSPEhZZDBOGS2anBij/itTLo1tn32cA6I8dQ/4Gg58SVfBQw/KPupgn5URVtQAeGKDW3GInyAet7di2XHncEztCMYIlmAFWkfDS5dFd182pbusmBE+X86tKYjdVp7tf0Cim7zNUSf41IZgCG/fhM+d/d7MpX4Pe7iEsXnNRPDz/dKhHUv23ExvymVb/IL6QGcuMEm0Y3mLwIDAQAB

Validating Signature

result = pass
Details:

[I'm curious that there are no details - something I said - something else that I should have done?]

Will welcome any and all advice, and/or pointers to further reading!

-- 
Regards,
=dn
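
Added example, not part of the original post and not OpenDKIM or Postfix code: a small header check that groups DKIM-Signature headers by d=, s= and bh= and pairs each with the queue ID from the DKIM-Filter header in the same position, which in the headers above differs between the two signatures (0AB68561C and 9AC0E5614). The function names, the positional pairing, the shortened b= placeholders and the From address are assumptions made for the example.

```python
import email
import re
from collections import defaultdict

# Constructed sample: layout and t=/bh=/queue IDs follow the post; b= values are placeholders.
SAMPLE = """\
DKIM-Filter: OpenDKIM Filter v2.11.0 vps.rangi.cloud 0AB68561C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=danceswithmice.info;
\ts=staff; t=1649930978; bh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
\th=Date:From:Subject:To:From; b=PLACEHOLDERONE
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on vps517507.ovh.net
DKIM-Filter: OpenDKIM Filter v2.11.0 vps.rangi.cloud 9AC0E5614
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=danceswithmice.info;
\ts=staff; t=1649930977; bh=zGisXci4PDXL/JL6Wa7U+L8MDKVB1Mt9llnbf2jgwaI=;
\th=Date:From:Subject:To:From; b=PLACEHOLDERTWO
From: sender@example.org

body
"""

def parse_tags(value):
    """Split a DKIM tag-list (RFC 6376, section 3.2) into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def find_repeat_signatures(raw):
    """Return groups of DKIM-Signature headers that share d=, s= and bh=."""
    msg = email.message_from_string(raw)
    # Assumption: the n-th DKIM-Filter header belongs to the n-th signature; its last word is the queue ID.
    jobs = [v.split()[-1] for v in msg.get_all("DKIM-Filter", [])]
    groups = defaultdict(list)
    for i, value in enumerate(msg.get_all("DKIM-Signature", [])):
        tags = parse_tags(value)
        job = jobs[i] if i < len(jobs) else None
        key = (tags.get("d"), tags.get("s"), tags.get("bh"))
        groups[key].append({"t": int(tags.get("t", 0)), "job": job})
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    for (d, s, bh), sigs in find_repeat_signatures(SAMPLE).items():
        print(f"{len(sigs)} signatures for d={d} s={s} with identical bh=")
        for sig in sigs:
            print(f"  t={sig['t']} added under queue ID {sig['job']}")
        if len({sig["job"] for sig in sigs}) > 1:
            print("  distinct queue IDs: the message was queued and signed more than once")
```
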