You can add "AlwaysAddARHeader yes"
Then opendkim will always add a verification header even if no signature.

There are also the following options available:
On-BadSignature <anything>
On-Default <anything>
On-DNSError <anything>
On-InternalError <anything>
On-KeyNotFound <anything>
On-NoSignature <anything>
On-Security <anything>
On-SignatureError <anything>

These can be set if you want to reject or otherwise process mail with
certain signature errors, for example rejecting mails with no DKIM sig.



Bill Cole: What he is after is the "There's no signature" result.
Not adding a header could mean a bogus source could insert a fake
"Signature valid" header and pass DKIM validation.
By always adding a verification result, even when no sig is found, a fake
header would mean there's a double result, or (if opendkim is configured to
remove fake headers) only the genuine header, which means it can be easily
detected that somebody is attempting to cheat.


-----Original Message-----
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On Behalf Of Robert Fitzpatrick
Sent: 30 October 2016 17:44
To: Postfix <postfix-users@postfix.org>
Subject: DKIM not verifying without signature

The opendkim mailing lists seem not to be available any longer, so I thought
I'd try here. I'm trying to get a handle on how to set up DKIM properly on a
gateway server, not even sure if what I'm trying to do is possible.
This gateway serves as an MX with ClamAV+Amavisd+SA filtering as well as the
smarthost for the subject domain.

I can get opendkim to sign when coming from an entry in the TrustedHosts
file, but it is not verifying unless a signature is present. Does DKIM only
verify when a signature is added, or can I set it up so the domain is verified
with or without a signature? It would be ideal to get the
'Authentication-Results' header to use in SA scoring and reject as needed. I
do have an SA rule now that gives a high kill score when a message hits
SPF_FAIL without hitting DKIM_VALID as well. But, it seems SPF is not enough
these days.

From what I understand from the opendkim man page, the 'Mode' default is
'sv' to sign and verify. I didn't think 'On-BadSignature' should be used since
there is no signature. Here is my opendkim.conf:

LogWhy                  yes
Syslog                  yes
SyslogSuccess           yes
Canonicalization        relaxed/simple
KeyTable                /usr/local/etc/opendkim/KeyTable
SigningTable            /usr/local/etc/opendkim/SigningTable
ExternalIgnoreList      /usr/local/etc/opendkim/TrustedHosts
InternalHosts           /usr/local/etc/opendkim/TrustedHosts
Socket                  inet:8891@localhost
ReportAddress           postmas...@webtent.net
SendReports             yes

And the contents of my TrustedHosts file:

#127.0.0.1
#localhost
208.38.145.0/26
216.139.202.0/27

I commented out the localhost portions because it was signing twice, both
after the initial Received header and then again after received by the
filter. The latter two networks are internal network sources I do not want
to verify, only sign.

I send a message hoping to be rejected and it is not, the resulting headers
show nothing dkim related:

> Return-Path: <administra...@subjectdomain.com>
> Received: from mx2.webtent.net (mx2.webtent.net [216.139.202.4])
>       by www1.webtent.net (8.13.8/8.13.8) with ESMTP id u9UFtNwo025106
>       for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:23 -0400
> Received: from localhost (localhost [127.0.0.1])
>       by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange)
>       with ESMTP id 5991AD7E50
>       for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:23 -0400 (EDT)
> Received: from mx2.webtent.net ([127.0.0.1]) by localhost
>       (mx2.webtent.net [127.0.0.1]) (maiad, port 10024) with ESMTP
>       id 08148-06 for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
>       client-ip=96.254.71.164; helo=[192.168.1.110];
>       envelope-from=administra...@subjectdomain.com;
>       receiver=rob...@rfitz.com
> Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])
>       by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange)
>       with ESMTP id A11D7D7E46
>       for <rob...@rfitz.com>; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
> Message-ID: <581617e9.5080...@subjectdomain.com>
> Date: Sun, 30 Oct 2016 11:55:21 -0400
> From: MRI Tampa <administra...@subjectdomain.com>
> User-Agent: Postbox 4.0.8 (Windows/20151105)
> MIME-Version: 1.0
> To: Rob Fitzpatrick <rob...@rfitz.com>
> Subject: Test DKIM with no auth
> References: <58161558.2090...@subjectdomain.com> 
> <58161684.7010...@subjectdomain.com>
> In-Reply-To: <58161684.7010...@subjectdomain.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Virus-Scanned: WebTent Mailguard 1.0.3
> X-Spam-Status: No, hits=-1.901 tagged_above=-999 required=5  
> tests=BAYES_00=-1.9, SPF_PASS=-0.001

And the log entries show:

> root@mx2:/usr/local/etc # grep A11D7D7E46 /var/log/maillog
> Oct 30 11:55:21 mx2 postfix/smtpd[8876]: A11D7D7E46: client=media.rfitz.com[96.254.71.164]
> Oct 30 11:55:21 mx2 postfix/cleanup[8818]: A11D7D7E46: message-id=<581617e9.5080...@subjectdomain.com>
> Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: media.rfitz.com [96.254.71.164] not internal
> Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: not authenticated
> Oct 30 11:55:21 mx2 postfix/qmgr[8810]: A11D7D7E46: from=<administra...@subjectdomain.com>, size=954, nrcpt=1 (queue active)
> Oct 30 11:55:23 mx2 postfix/smtp[8901]: A11D7D7E46: to=<rob...@rfitz.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.5/0/0.01/1.7, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=08148-06, from MTA: 250 2.0.0 Ok: queued as 5991AD7E50)
> Oct 30 11:55:23 mx2 postfix/qmgr[8810]: A11D7D7E46: removed

--
Robert
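An added example, not from either message in this thread, of the check that Bill Cole's point about AlwaysAddARHeader implies and that Robert wants to feed into SA scoring: with the verifier always stamping a result, an unsigned message carries dkim=none from the gateway, a forged "pass" header shows up as a second result under the same authserv-id, and a message with no result at all (what the quoted headers show) is flagged as never verified. The authserv-id mx2.webtent.net is taken from the quoted headers; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Assumed: the gateway stamps Authentication-Results with this authserv-id
# (taken from the hostname in the quoted headers).
OUR_AUTHSERV_ID = "mx2.webtent.net"


def dkim_verdict(raw_message, authserv_id=OUR_AUTHSERV_ID):
    """Classify a message by the A-R headers carrying our authserv-id.

    'missing'   no A-R header from us: the verifier never stamped the mail
    'duplicate' two or more A-R headers claim to be ours: a forged result
                next to the genuine one, visible only because the verifier
                adds a header whether or not a signature is present
    otherwise   the dkim= value of the single genuine header: 'pass',
                'fail', or 'none' for unsigned mail
    """
    msg = message_from_string(raw_message, policy=default)
    ours = []
    for hdr in msg.get_all("Authentication-Results", []):
        # The authserv-id is the first token before ';' (RFC 7601).
        ident = hdr.split(";", 1)[0].split()[0]
        if ident.lower() == authserv_id.lower():
            ours.append(hdr)
    if not ours:
        return "missing"
    if len(ours) > 1:
        return "duplicate"
    match = re.search(r"\bdkim=([A-Za-z]+)", ours[0])
    return match.group(1).lower() if match else "unknown"


# Constructed sample messages (headers, blank line, body).
_RCVD = "Received: from sender.example ([192.0.2.10]) by mx2.webtent.net\n"
_REST = "From: <user@subjectdomain.example>\nSubject: test\n\nbody\n"
# What the quoted headers show today: no A-R header at all.
NO_AR = _RCVD + _REST
# The same unsigned message once AlwaysAddARHeader is on.
UNSIGNED_AR = "Authentication-Results: mx2.webtent.net; dkim=none\n" + _RCVD + _REST
# Sender injected a 'pass' header below Received; the verifier still
# prepended its own genuine 'none' result on top.
FORGED_AR = ("Authentication-Results: mx2.webtent.net;\n\tdkim=none\n" + _RCVD
             + "Authentication-Results: mx2.webtent.net; dkim=pass\n" + _REST)
# A genuinely signed and verified message (folded header).
SIGNED_AR = ("Authentication-Results: mx2.webtent.net;\n"
             "\tdkim=pass header.d=subjectdomain.example\n" + _RCVD + _REST)
```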

