Debian – OpenDKIM not signing outgoing mail

debian dkim email-server opendkim postfix

I'm trying to set up OpenDKIM on my mailserver running Debian and Postfix. This is the configuration I've done:

  • Generated two keys (for two domains I need to send mail for)
  • Configured KeyTable, SigningTable and TrustedHosts files:

KeyTable:

mail._domainkey.domain1.com domain1.com:mail:/etc/opendkim/keys/domain1.com/mail.private
mail._domainkey.domain2.com domain2.com:mail:/etc/opendkim/keys/domain2.com/mail.private

SigningTable:

*.domain1.com mail._domainkey.domain1.com
*.domain2.com mail._domainkey.domain2.com

TrustedHosts:

127.0.0.1
::1
localhost

My opendkim.conf reads:

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog          yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask           002
LogWhy          yes

OversignHeaders     From

TrustAnchorFile       /usr/share/dns/root.key

KeyTable           /etc/opendkim/KeyTable
SigningTable       refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts      /etc/opendkim/TrustedHosts

Finally, I connected it to Postfix using the milter socket:

Postfix main.cf:

# Milters
smtpd_milters =
    unix:/opendkim/opendkim.sock,
    unix:/clamav/clamav-milter.ctl,
    unix:/spamass/spamass.sock

non_smtpd_milters = unix:/opendkim/opendkim.sock

In this current state, OpenDKIM does correctly verify signatures of incoming mail, but it doesn't sign outgoing mail for some reason. This is logged in mail.log when trying to send a message:

Nov  8 16:35:02 illium opendkim[30142]: 826DF501F39: %clienthostname% %clientip% not internal
Nov  8 16:35:02 illium opendkim[30142]: 826DF501F39: not authenticated
Nov  8 16:35:02 illium opendkim[30142]: 826DF501F39: no signature data

I believe the not authenticated part is incorrect, because the mail is submitted from a client to Postfix using authenticated SMTP.

Best Answer

The problem was caused by two things:

  1. Contrary to what the comments in opendkim.conf claim, mode = sv is not the default. I had to set it explicitly.

  2. I made an error in my SigningTable: *.domain1.com should be *@domain1.com.

After correcting these two points, it is now working correctly.
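The SigningTable error from the answer can be caught before mail goes out unsigned. The following is an added example, not part of the original question or answer: it assumes that with `refile:` each pattern is compared against the full From: address, first match wins, and `*` is the only wildcard. The function names are hypothetical.

```python
import re

# Tables from the question (constructed inline so the check runs offline).
KEY_TABLE = """\
mail._domainkey.domain1.com domain1.com:mail:/etc/opendkim/keys/domain1.com/mail.private
mail._domainkey.domain2.com domain2.com:mail:/etc/opendkim/keys/domain2.com/mail.private
"""
BROKEN = "*.domain1.com mail._domainkey.domain1.com\n*.domain2.com mail._domainkey.domain2.com\n"
FIXED = "*@domain1.com mail._domainkey.domain1.com\n*@domain2.com mail._domainkey.domain2.com\n"

def parse_table(text):
    """Return (key, value) pairs from a flat-file table, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            rows.append((fields[0], fields[1].strip()))
    return rows

def pattern_to_regex(pattern):
    """Assumed model of refile: matching: '*' is a wildcard, the rest is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

def signing_key_for(signing_table, key_table, from_addr):
    """Key name of the first pattern matching the From: address, or None."""
    known = {name for name, _ in parse_table(key_table)}
    for pattern, key_name in parse_table(signing_table):
        if pattern_to_regex(pattern).match(from_addr):
            return key_name if key_name in known else None
    return None

def unsigned_domains(signing_table, key_table):
    """Domains that have a key but whose user@domain mail selects no or another key."""
    missing = []
    for name, value in parse_table(key_table):
        domain = value.split(":", 2)[0]
        if signing_key_for(signing_table, key_table, "postmaster@" + domain) != name:
            missing.append(domain)
    return missing

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "alice@domain1.com ->", signing_key_for(table, KEY_TABLE, "alice@domain1.com"))
        print(label, "domains left unsigned:", unsigned_domains(table, KEY_TABLE))
```

Under this model the original `*.domain1.com` pattern only matches addresses at a subdomain such as `alice@mail.domain1.com`, which is why mail from `alice@domain1.com` produced "no signature data".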