OpenDKIM milter not signing relayed mail


I'm using OpenDKIM to sign mail on my Postfix server. It works as intended when sending with SMTPS from its origin domain (let's say example.com). However, mail sent out from SMTP clients on the LAN is not being signed. Said clients do not send from the same origin domain (for example client1.lan), but are translated with smtp_generic_maps to the same origin (specifically client1@example.com). Ideally, I want to sign that outgoing mail.

In /etc/postfix/main.cf I have:

smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

In /etc/opendkim.conf I have:

ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts

In /etc/opendkim/TrustedHosts I have:

::1
127.0.0.1
localhost
ip6-localhost
ip6-loopback
mail
10.0.0.0/24
*.lan

Best Answer

In Postfix make sure /etc/postfix/main.conf contains:

milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

This will ensure that mail coming from authenticated users will be signed by OpenDKIM. As per the documentation:

A message will be verified unless it conforms to the signing criteria, which are: (1) the domain on the From: address (if present) must be listed by the -d command line switch or the Domain configuration file setting, and (2) (a) the client connecting to the MTA must have authenticated, or (b) the client connecting to the MTA must be listed in the file referenced by the InternalHosts configuration file setting (or be in the default list for that option), or (c) the client must be connected to a daemon port named by the MTA's configuration file setting, or (d) the MTA must have set one or more macros matching the criteria set by the MacroList configuration file setting.

For (a) above, the test is whether or not the MTA macro "{auth_type}" is set and contains any non-empty value. This means the MTA must pass the value of that macro to the filter before or during the end-of-header (EOH) phase in order for its value to be tested.
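As an added illustration (not code from the question, the answer or OpenDKIM itself), the following Python models the sign-or-verify decision quoted above for criteria (1), (2a) and (2b), using the Domain and TrustedHosts values from the question. The hostname glob matching is an approximation of refile: semantics, and criteria (2c) and (2d) are left out because the question configures neither.

```python
import ipaddress
from fnmatch import fnmatchcase
from email.utils import parseaddr

# Constructed config mirroring the question: the signing domain and the
# InternalHosts entries from /etc/opendkim/TrustedHosts.
SIGNING_DOMAINS = {"example.com"}
INTERNAL_HOSTS = ["::1", "127.0.0.1", "localhost", "ip6-localhost",
                  "ip6-loopback", "mail", "10.0.0.0/24", "*.lan"]


def host_matches(entry, client_addr, client_name):
    """Match one InternalHosts entry against the client's address or name."""
    try:
        net = ipaddress.ip_network(entry, strict=False)   # IP or CIDR entry
    except ValueError:
        # Not an address: treat as a hostname glob (approximation of refile:)
        return fnmatchcase(client_name.lower(), entry.lower())
    try:
        return ipaddress.ip_address(client_addr) in net
    except ValueError:
        return False                                      # no/unparseable address


def is_internal(client_addr, client_name):
    return any(host_matches(e, client_addr, client_name) for e in INTERNAL_HOSTS)


def decide(from_header, macros):
    """Return 'sign' or 'verify'. `macros` holds the milter macros Postfix passes
    (the {client_addr}, {client_name} and {auth_type} names from milter_mail_macros)."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in SIGNING_DOMAINS:                 # criterion (1) fails
        return "verify"
    if macros.get("{auth_type}"):                          # (2a): non-empty {auth_type}
        return "sign"
    if is_internal(macros.get("{client_addr}", ""),        # (2b): InternalHosts
                   macros.get("{client_name}", "")):
        return "sign"
    return "verify"


if __name__ == "__main__":
    lan = {"{client_addr}": "10.0.0.5", "{client_name}": "client1.lan"}
    print(decide("client1 <client1@client1.lan>", lan))    # verify: From domain not listed
    print(decide("<client1@example.com>", lan))            # sign: internal host
    print(decide("<u@example.com>", {"{client_addr}": "203.0.113.7",
                                     "{client_name}": "unknown", "{auth_type}": "PLAIN"}))
```

The first case shows why a From: domain the milter does not recognise is verified rather than signed even when the client is in InternalHosts, and the last shows that an empty {auth_type} does not satisfy (2a).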