Problems signing outbound DKIM - Solved

Post by gdoornenbal »

Hi,

First of all, sorry for my long post, but with less info I think I will not find a solution for my problem..
I recently migrated successfully from eFa 3 to 4. My situation is as follows:
I have an internal mailserver, which is using the EFA server as outbound mail relay, and all incoming mail is also flowing through the eFa to the internal mailserver. That is working correctly so far.
But now I am trying to get outbound DKIM signing to work, but until now all my efforts have failed..

I followed the instructions from jamerson (viewtopic.php?t=4111)
Installing opendkim was not necessary, however.
I ended up with the following configuration:

Code:

# ls -l /etc/opendkim/keys/mydomain.org/
-rw-------. 1 opendkim opendkim 887 Aug 27 22:52 default.private
-rw-------. 1 opendkim opendkim 327 Aug 27 22:52 default.txt

Code:

# cat /etc/opendkim.conf | grep -v "#" | grep -v "^$"
PidFile /var/run/opendkim/opendkim.pid
Mode    sv
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
UserID  opendkim:opendkim
Socket  inet:8891@localhost
Umask   002
SendReports     yes
SoftwareHeader  yes
Canonicalization        relaxed/relaxed
Domain  mydomain.org
MinimumKeyBits  1024
KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts
OversignHeaders From

Code:

# cat /etc/opendkim/KeyTable | grep -v "#" | grep -v "^$"
default._domainkey.mydomain.org mydomain.org:default:/etc/opendkim/keys/mydomain.org/default.private

Code:

[root@efa4 admin]# cat /etc/opendkim/SigningTable | grep -v "#" | grep -v "^$"
*@mydomain.org default._domainkey.mydomain.org

Code:

# cat /etc/opendkim/TrustedHosts | grep -v "#" | grep -v "^$"
127.0.0.1
::1
192.168.1.13
internalmail.mydomain.lan
server.mydomain.org

Code:

# tail /etc/postfix/main.cf | grep -v "#" | grep -v "^$"
masquerade_domains = mydomain.org
smtpd_milters = inet:localhost:8891, inet:localhost:8893, inet:127.0.0.1:33333
non_smtpd_milters = inet:localhost:8891, inet:localhost:8893
milter_default_action = accept
qmqpd_authorized_clients = 127.0.0.1 [::1]
message_size_limit = 133169152
mailbox_size_limit = 133169152
qmqpd_authorized_clients = 127.0.0.1 [::1]
enable_long_queue_ids = yes
error_notice_recipient = root
sender_canonical_maps = hash:/etc/postfix/sender_canonical
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

When I send an email, the logging in maillog is as follows:

Code:

Aug 31 21:05:50 efa4 postfix/smtpd[114559]: connect from internalmail.mydomain.lan[192.168.1.13]
Aug 31 21:05:50 efa4 postfix/smtpd[114559]: Anonymous TLS connection established from internalmail.mydomain.lan[192.168.1.13]: TLSCDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 31 21:05:50 efa4 postfix/smtpd[114559]: 4BgKRL66PkzDm4: client=internalmail.mydomain.lan[192.168.1.13]
Aug 31 21:05:50 efa4 postfix/cleanup[114569]: 4BgKRL66PkzDm4: message-id=<internalmail.5f4d4a0c.262d.4dbad9ed728eba27@internalmail.doornen
Aug 31 21:05:50 efa4 opendkim[117399]: 4BgKRL66PkzDm4: internalmail.mydomain.lan [192.168.1.13] not internal
Aug 31 21:05:50 efa4 opendkim[117399]: 4BgKRL66PkzDm4: not authenticated
Aug 31 21:05:50 efa4 opendkim[117399]: 4BgKRL66PkzDm4: no signature data
Aug 31 21:05:50 efa4 opendmarc[117371]: 4BgKRL66PkzDm4: SPF(mailfrom): gerrit@mydomain.org fail
Aug 31 21:05:50 efa4 opendmarc[117371]: 4BgKRL66PkzDm4: mydomain.org none
Aug 31 21:05:51 efa4 MSMilter[114567]: MailWatch: Whitelist refresh time reached
Aug 31 21:05:51 efa4 MSMilter[114567]: MailWatch: Starting up MailWatch SQL Whitelist
Aug 31 21:05:51 efa4 MSMilter[114567]: MailWatch: Read 12 whitelist entries
Aug 31 21:05:51 efa4 MSMilter[114567]: MailWatch: Blacklist refresh time reached
Aug 31 21:05:51 efa4 MSMilter[114567]: MailWatch: Starting up MailWatch SQL Blacklist
Aug 31 21:05:51 efa4 MSMilter[114567]: MailWatch: Read 6 blacklist entries
Aug 31 21:05:51 efa4 postfix/cleanup[114569]: 4BgKRL66PkzDm4: milter-discard: END-OF-MESSAGE from internalmail.mydomain.lan[192.16iggers DISCARD action; from=<gerrit@mydomain.org> to=<G.mydomain@gmail.nl> proto=ESMTP helo=<internalmail.mydomain.lan>
Aug 31 21:05:51 efa4 postfix/smtpd[114559]: disconnect from internalmail.mydomain.lan[192.168.1.13] ehlo=2 starttls=1 mail=1 rcpt=mmands=7
Aug 31 21:05:54 efa4 MailScanner[106047]: New Batch: Scanning 1 messages, 3631 bytes
Aug 31 21:05:54 efa4 MailScanner[106047]: Virus and Content Scanning: Starting
Aug 31 21:05:55 efa4 MailScanner[106047]: <A> tag found in message 4BgKRL66PkzDm4 from gerrit@mydomain.org
Aug 31 21:05:55 efa4 MailScanner[106047]: Spam Checks: Starting
Aug 31 21:05:55 efa4 MailScanner[106047]: Expired 2 records from the SpamAssassin cache
Aug 31 21:05:55 efa4 MailScanner[106047]: MailWatch: Whitelist refresh time reached
Aug 31 21:05:55 efa4 MailScanner[106047]: MailWatch: Starting up MailWatch SQL Whitelist
Aug 31 21:05:55 efa4 MailScanner[106047]: MailWatch: Read 12 whitelist entries
Aug 31 21:05:55 efa4 MailScanner[106047]: MailWatch: Blacklist refresh time reached
Aug 31 21:05:55 efa4 MailScanner[106047]: MailWatch: Starting up MailWatch SQL Blacklist
Aug 31 21:05:55 efa4 MailScanner[106047]: MailWatch: Read 6 blacklist entries
Aug 31 21:05:58 efa4 MailScanner[106047]: Requeue: 4BgKRL66PkzDm4 to 4BgKRV1q0hz5DHL
Aug 31 21:05:58 efa4 postfix/qmqpd[114581]: connect from localhost[127.0.0.1]
Aug 31 21:05:58 efa4 postfix/qmqpd[114581]: 4BgKRV22W5zDmD: client=localhost[127.0.0.1]
Aug 31 21:05:58 efa4 opendmarc[117371]: ignoring connection from localhost
Aug 31 21:05:58 efa4 postfix/cleanup[114569]: 4BgKRV22W5zDmD: message-id=<internalmail.5f4d4a0c.262d.4dbad9ed728eba27@internalmail.doornen
Aug 31 21:05:58 efa4 opendkim[117399]: 4BgKRV22W5zDmD: no signature data
Aug 31 21:05:58 efa4 postfix/qmqpd[114581]: disconnect from localhost[127.0.0.1]
Aug 31 21:05:58 efa4 postfix/qmgr[114558]: 4BgKRV22W5zDmD: from=<gerrit@mydomain.org>, size=4003, nrcpt=1 (queue active)
Aug 31 21:05:58 efa4 MailScanner[106047]: Uninfected: Delivered 1 messages
Aug 31 21:05:58 efa4 MailScanner[106047]: Deleted 1 messages from processing-database
Aug 31 21:05:58 efa4 MailScanner[106047]: MailWatch: Logging message 4BgKRL66PkzDm4 to SQL
Aug 31 21:05:58 efa4 MailScanner[113609]: MailWatch: 4BgKRL66PkzDm4: Logged to MailWatch SQL
Aug 31 21:05:58 efa4 postfix/smtp[114584]: 4BgKRV22W5zDmD: to=<G.mydomain@gmail.nl>, relay=hades62.gmail.nl[80.113.97.199]elays=0.21/0.05/0.18/0.1, dsn=2.0.0, status=sent (250 2.0.0 07VJ5wLJ012157-07VJ5wLL012157 Message accepted for delivery)
Aug 31 21:05:58 efa4 postfix/qmgr[114558]: 4BgKRV22W5zDmD: removed

Something that puzzles me: opendkim does not see the internal mailserver as internal? Why? I tried some stuff, no results.
But with an eFa internal test mail it doesn't work either..
I don't know where to look anymore, does anyone have a clue?
Last edited by gdoornenbal on 07 Sep 2020 17:17, edited 1 time in total.
Re: Problems signing outbound DKIM

Post by smyers119 »

Try adding the internal IP of the eFa aka 192.168.1.x to TrustedHosts
Re: Problems signing outbound DKIM

Post by gdoornenbal »

Tried that, but still no DKIM-Signature..
Re: Problems signing outbound DKIM

Post by shawniverson »

Comment out Domain in /etc/opendkim.conf. It is probably overriding your signing table.
Re: Problems signing outbound DKIM

Post by gdoornenbal »

Grrr... what also helps:

systemctl restart opendkim ; systemctl enable opendkim ; systemctl restart postfix
instead of:
systemctl start opendkim ; systemctl enable opendkim ; systemctl restart postfix

* Adding the eFa server IP to the TrustedHosts was the solution.
* I added the internal mailserver (not the eFa) to TrustedHosts; but that resulted in double DKIM signatures in the header. So don't do that.
* Commenting out 'Domain' in opendkim.conf was not necessary.

My current TrustedHosts:

Code:

# cat /etc/opendkim/TrustedHosts | grep -v "#" | grep -v "^$"
127.0.0.1
::1
192.168.1.15
server.mydomain.org

Thanks for everybody's help, it's working now! ;)
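An added example, not code from the thread or from the eFa project, that checks the two things this thread ran into: which clients OpenDKIM logged as "not internal" (and so left unsigned), and whether one message was signed on both of the Postfix passes (smtpd ingress and the MailScanner requeue), which is the double-signature problem from the last post. The TrustedHosts entries and maillog lines below are constructed samples modelled on the ones quoted above; the matching is a simplified model of OpenDKIM's (IP, CIDR, or exact hostname), and the "DKIM-Signature field added" line is what OpenDKIM logs with SyslogSuccess enabled.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample TrustedHosts, modelled on the final one in the thread.
TRUSTED_HOSTS = "127.0.0.1\n::1\n192.168.1.15\nserver.mydomain.org\n"

# Constructed maillog: pass 1 from the internal server, pass 2 the MailScanner requeue (new queue id, same message-id).
MAILLOG = """\
Aug 31 21:05:50 efa4 postfix/cleanup[114569]: 4BgKRL66PkzDm4: message-id=<abc@internalmail.mydomain.lan>
Aug 31 21:05:50 efa4 opendkim[117399]: 4BgKRL66PkzDm4: internalmail.mydomain.lan [192.168.1.13] not internal
Aug 31 21:05:50 efa4 opendkim[117399]: 4BgKRL66PkzDm4: no signature data
Aug 31 21:05:58 efa4 postfix/cleanup[114569]: 4BgKRV22W5zDmD: message-id=<abc@internalmail.mydomain.lan>
Aug 31 21:05:58 efa4 opendkim[117399]: 4BgKRV22W5zDmD: DKIM-Signature field added (s=default, d=mydomain.org)
"""

RE_MSGID = re.compile(r"postfix/cleanup\[\d+\]: (\S+): message-id=(<[^>]*>)")
RE_NOT_INTERNAL = re.compile(r"opendkim\[\d+\]: (\S+): (\S+) \[([^\]]+)\] not internal")
RE_SIGNED = re.compile(r"opendkim\[\d+\]: (\S+): DKIM-Signature field added")

def parse_trusted_hosts(text):
    """Split TrustedHosts into IP networks and hostnames (simplified model of OpenDKIM's matching)."""
    nets, names = [], []
    for entry in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # plain IP or CIDR
        except ValueError:
            if entry:
                names.append(entry.lower())  # anything else is treated as a hostname
    return nets, names

def is_trusted(trusted, ip, hostname):
    """True if the client IP or its hostname matches a TrustedHosts entry."""
    nets, names = trusted
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets) or hostname.lower() in names

def audit(maillog, trusted):
    """Return ([(queue_id, host, ip, trusted_now)], [message-ids signed more than once])."""
    msgid_of, signatures, unsigned = {}, defaultdict(int), []
    for line in maillog.splitlines():
        if m := RE_MSGID.search(line):
            msgid_of[m.group(1)] = m.group(2)
        elif m := RE_NOT_INTERNAL.search(line):
            qid, host, ip = m.groups()
            unsigned.append((qid, host, ip, is_trusted(trusted, ip, host)))
        elif m := RE_SIGNED.search(line):
            # Count by message-id so both Postfix passes of one mail share a key.
            signatures[msgid_of.get(m.group(1), m.group(1))] += 1
    return unsigned, sorted(k for k, n in signatures.items() if n > 1)
```

Run `audit(open("/var/log/maillog").read(), parse_trusted_hosts(open("/etc/opendkim/TrustedHosts").read()))` on a real box: an unsigned entry with `trusted_now` False names a host that still needs a TrustedHosts entry, and any message-id in the second list is being signed twice.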