OpenDKIM not signing mail sent to relay host with Ubuntu 18.04

Tags: email-server, opendkim, postfix

I recently migrated a server from Ubuntu 14.04 to one running 18.04 but with the same mail setup. I simply copied over Postfix's main.cf and the contents of /etc/mail/opendkim.

The server is sending mail to a remote mail host over the LAN without problems. However, opendkim refuses to sign the emails as it did before.

My postfix.cf file:

myhostname = host.domain.com
myorigin = $mydomain
relayhost = 10.10.10.105
inet_interfaces = loopback-only
mydestination =
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892
compatibility_level = 2 

/etc/opendkim.conf

Syslog                  yes
UMask                   007
Socket                  inet:8892@localhost
PidFile                 /var/run/opendkim/opendkim.pid
OversignHeaders         From
UserID                  opendkim
Canonicalization        relaxed/simple
KeyTable                /etc/mail/opendkim/KeyTable
SigningTable            /etc/mail/opendkim/SigningTable
ExternalIgnoreList      /etc/mail/opendkim/TrustedHosts
InternalHosts           /etc/mail/opendkim/TrustedHosts

The TrustedHosts file contains both the IP and the host name of the sending machine (and hostname -f is correct). Both machines are on the same domain.

I see no errors in either the sender's logs or that of remote mail host. If I shut down the opendkim daemon on the sender, I see postfix complain that it can't connect to the opendkim socket.

I have tried setting the milter_protocol to 2 (it was originally 6) but that has no effect.

Looking at the headers on the mail received from the affected host, there is no mention of dkim.

Best Answer

Adding LogWhy yes to opendkim.conf turns on verbose logging. This reveals that there is no signing key for the sending host (host.domain.com).

SigningTable is set to sign mails from specific domains, but not individual hosts on those domains. This is correct behaviour.

The sending host is giving a FQDN when it sends out mail through the relay (host@host.domain.com). I therefore need to work out how to get the sending host to send out as host@domain.com, not host@host.domain.com so that the relay will sign its mail on behalf of the domain. I don't need to run opendkim on the sending host.

With the Postfix configuration on Ubuntu 18.04, I had to add masquerade_domains = domain.com to main.cf, whereas Ubuntu 14.04 did not need this.
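To make the two mechanisms in this answer concrete, here is an added example (Python; not code from the original post, Postfix or OpenDKIM) that emulates Postfix's masquerade_domains rewrite and a refile-style OpenDKIM SigningTable lookup, so you can see why host@host.domain.com is left unsigned and host@domain.com is not. The domain names, the selector `mail`, the key path and the table contents are constructed for illustration, and the SigningTable matching is a simplified model of the `*` wildcard in OpenDKIM's refile format rather than OpenDKIM's own lookup code.

```python
"""Emulate Postfix masquerade_domains and a refile-style OpenDKIM SigningTable lookup.

Added example for this Q&A; not code from the original post, Postfix or OpenDKIM.
Domain names, selector, key path and table contents below are constructed.
"""
import re

# Constructed SigningTable (refile format): From: address pattern -> KeyTable key.
SIGNING_TABLE = """
# From: address pattern      KeyTable key
*@domain.com                 mail._domainkey.domain.com
"""

# Constructed KeyTable: key name -> signing domain:selector:private key file.
KEY_TABLE = """
mail._domainkey.domain.com   domain.com:mail:/etc/mail/opendkim/keys/domain.com/mail.private
"""


def parse_table(text):
    """Parse a two-column OpenDKIM table file into an ordered list of (key, value)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        rows.append((key, value))
    return rows


def masquerade(address, masquerade_domains, exceptions=()):
    """Apply Postfix masquerade_domains semantics to one address.

    Entries are tried left to right; the first entry that the address's domain
    equals or is a subdomain of wins, and the domain is replaced by that entry.
    An entry prefixed with '!' protects its domain and subdomains from being
    rewritten. Local parts listed in `exceptions` (masquerade_exceptions) are
    never rewritten. Addresses that match nothing are returned unchanged.
    """
    local, sep, domain = address.rpartition("@")
    if not sep or local in exceptions:
        return address
    for entry in masquerade_domains:
        negate = entry.startswith("!")
        target = entry[1:] if negate else entry
        if domain == target or domain.endswith("." + target):
            return address if negate else f"{local}@{target}"
    return address


def wildcard_match(pattern, text):
    """Match a refile-style key, where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def signing_key_for(address, signing_table, key_table):
    """Look up a From: address in the SigningTable (simplified refile model).

    The first matching pattern wins. Returns the (domain, selector) pair that
    would sign the message, or None when OpenDKIM would not sign it.
    """
    keys = dict(parse_table(key_table))
    for pattern, key_name in parse_table(signing_table):
        if wildcard_match(pattern, address):
            domain, selector, _keyfile = keys[key_name].split(":", 2)
            return domain, selector
    return None


def would_sign(from_address, masquerade_domains=()):
    """Masquerade the sender as Postfix would, then resolve its signing key."""
    rewritten = masquerade(from_address, masquerade_domains)
    return signing_key_for(rewritten, SIGNING_TABLE, KEY_TABLE)


if __name__ == "__main__":
    sender = "host@host.domain.com"  # what the 18.04 host emits without masquerading
    print("without masquerade_domains:", would_sign(sender))
    print("with masquerade_domains = domain.com:", would_sign(sender, ["domain.com"]))
```

Running it shows `None` for the unmasqueraded sender and `('domain.com', 'mail')` once `masquerade_domains = domain.com` is in effect. Two caveats when applying this to a real box: Postfix masquerading applies by default to the envelope sender and header sender and recipient addresses (masquerade_classes), not to envelope recipients, and you will usually want `masquerade_exceptions = root` so that mail from root still identifies the originating host.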