OpenDKIM on MTA not signing mails from remote mail servers

I have a configuration where we have one MTA responsible for sending emails from a number of internal servers.

The internal servers all run Postfix on a number of different domains. They are all configured to relay via the MTA. I am attempting to set up DKIM to sign outbound emails from all internal servers.

I have installed opendkim and the server is able to sign locally generated outbound emails.

The MTA config is as follows:

opendkim.conf:

```
Syslog          yes
Logwhy          yes

UMask           002

Canonicalization    relaxed/simple
Mode            s
SubDomains      no

AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
DNSTimeout          5
SignatureAlgorithm  rsa-sha256

OversignHeaders     From

UserID             opendkim

KeyTable           refile:/etc/opendkim/key.table
SigningTable       refile:/etc/opendkim/signing.table
ExternalIgnoreList  refile:/etc/opendkim/trusted.hosts

InternalHosts       refile:/etc/opendkim/trusted.hosts
Socket    inet:8891@localhost
```

main.cf:

```
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

append_dot_mydomain = no
readme_directory = no

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mta.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mta.mydomain.com localhost
relayhost =
mynetworks = 127.0.0.0/8 1.1.1.0/24 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

canonical_maps = hash:/etc/postfix/canonical

milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8891

non_smtpd_milters = $smtpd_milters
```

signing.table:

```
*@domain1.com    default._domainkey.domain1.com
*@*.domain1.com    default._domainkey.domain1.com
*@domain1.co.uk    default._domainkey.domain1.co.uk
*@*.domain1.co.uk    default._domainkey.domain1.co.uk
*@domain2.co.uk    default._domainkey.domain2.co.uk
*@*.domain2.co.uk    default._domainkey.domain2.co.uk
*@domain3.co.uk    default._domainkey.domain3.co.uk
*@*.domain3.co.uk    default._domainkey.domain3.co.uk
```

trusted.hosts:

```
127.0.0.1
localhost
1.2.3.50
1.2.3.52
1.2.3.53
1.2.3.54
1.2.3.29
service2.domain2.co.uk
host2.domain2.co.uk
```

I have configured /etc/opendkim/trusted.hosts with a list of the internal hosts whose emails I would like signed. I have also added keys and added them to the relevant DNS records.

I have tested generating mails on the MTA itself using sendmail and the emails are signed correctly. However, when testing generating emails from the other, remote internal servers, none of the emails are signed. I also do not see anything logged on the MTA in terms of the reason, although using tcpdump I can see that traffic is going to port 8891 on localhost.

The host I am testing from identifies itself to Postfix as host2.domain2.co.uk:

```
Dec 20 16:28:32 mta postfix/smtpd[3765]: connect from host2.domain2.co.uk[1.2.3.50]
Dec 20 16:28:32 mta postfix/smtpd[3765]: 1B4BB439BD: client=host2.domain2.co.uk[1.2.3.50]
Dec 20 16:28:32 mta postfix/cleanup[3768]: 1B4BB439BD: message-id=<Asterisk-779-1806140173-205-16888@gw2.domain2.co.uk>
Dec 20 16:28:32 mta postfix/qmgr[1494]: 1B4BB439BD: from=<asterisk@service2.domain2.co.uk>, size=109206, nrcpt=1 (queue active)
Dec 20 16:28:32 mta postfix/smtpd[3765]: disconnect from host2.domain2.co.uk[1.2.3.50]
Dec 20 16:28:32 mta postfix/smtp[3759]: 1B4BB439BD: enabling PIX workarounds: disable_esmtp delay_dotcrlf for somecompany-co-uk.mail.protection.outlook.com[104.47.0.36]:25
Dec 20 16:28:33 mta postfix/smtp[3759]: 1B4BB439BD: to=<voicemail@somecompany.co.uk>, relay=somecompany-co-uk.mail.protection.outlook.com[104.47.0.36]:25, delay=1.3, delays=0.14/0/0.18/1, dsn=2.6.0, status=sent (250 2.6.0 <Asterisk-779-1806140173-205-16888@gw2.domain2.co.uk> [InternalId=73138998102968, Hostname=AS8PR05MB8037.eurprd05.prod.outlook.com] 119126 bytes in 0.104, 1115.744 KB/sec Queued mail for delivery)
Dec 20 16:28:33 mta postfix/qmgr[1494]: 1B4BB439BD: removed
```

EDIT: Further investigation of the headers of two test messages (one sent from the host directly using sendmail, the other from a host behind the MTA), and further investigation of the opendkim logs, has revealed that DKIM is signing both messages apparently successfully, but the DKIM signature is rejected for messages from the other hosts.

This is the DKIM log for two such messages (the first succeeded, the second failed):

```
Dec 22 12:06:16 mta opendkim[8130]: 65EB043A13: DKIM-Signature field added (s=default, d=domain3.co.uk)
Dec 22 12:06:52 mta opendkim[8130]: E723543AF0: DKIM-Signature field added (s=default, d=domain3.co.uk)
```

However looking at the DKIM results in Gmail, they are different:

```
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@domain3.co.uk header.s=default header.b=MVo7iz6A;
```

and for the second:

```
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@domain3.co.uk header.s=default header.b=TktWbhpC;
```

I don't understand why this is different, but it must be the cause of the issues I'm seeing.
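A "body hash did not verify" result means the verifier recomputed the bh= tag over the body it received and got a different value from the one OpenDKIM put in the signature, so the body bytes changed somewhere between signing on the MTA and arrival at Gmail. The following Python check is an added example, not part of the question or of OpenDKIM: it implements RFC 6376 simple and relaxed body canonicalization, recomputes bh= from a raw message and compares it with the signature's tag. The sample message, the assumed in-transit change (trailing whitespace added to one line) and the example.com recipient are constructed; only d=domain3.co.uk, s=default and the c=relaxed/simple setting come from the question.

```python
import base64
import hashlib
import re

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3 'simple': drop trailing empty lines, end with exactly one CRLF."""
    return body.rstrip(b"\r\n") + b"\r\n"

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4 'relaxed': WSP runs become one SP, trailing WSP and trailing empty lines go."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    out = b"\r\n".join(lines).rstrip(b"\r\n")
    return out + b"\r\n" if out else b""

def body_hash(body: bytes, body_canon: str) -> str:
    canon = canon_body_relaxed if body_canon == "relaxed" else canon_body_simple
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()  # the bh= value

def dkim_tags(head: bytes) -> dict:
    """Tag=value pairs of the first DKIM-Signature header, with folding and whitespace removed."""
    m = re.search(rb"^DKIM-Signature:((?:.*\r\n)(?:[ \t].*\r\n)*)", head + b"\r\n", re.M)
    value = re.sub(rb"\s+", b"", m.group(1)).decode() if m else ""
    return dict(t.split("=", 1) for t in value.split(";") if "=" in t)

def check_body_hash(raw_message: bytes) -> dict:
    """Recompute bh= over the body as received and compare it with the signature's bh= tag."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    tags = dkim_tags(head)
    body_canon = (tags.get("c", "simple").split("/") + ["simple"])[1]  # body side defaults to simple
    actual = body_hash(body, body_canon)
    return {"c": tags.get("c"), "signed_bh": tags.get("bh"), "actual_bh": actual, "ok": actual == tags.get("bh")}

# Constructed sample: the body as signed, and the same body after a relay added trailing
# whitespace to one line (an assumed in-transit change, not taken from the question).
ORIGINAL_BODY = b"Voicemail attached.\r\nSee transcript below.\r\n"
ALTERED_BODY = ORIGINAL_BODY.replace(b"attached.\r\n", b"attached.  \r\n")

def build_signed(body: bytes, canon: str) -> bytes:
    """Minimal message whose DKIM-Signature carries bh= for `body` (b= is a placeholder)."""
    bh = body_hash(body, canon.split("/")[1])
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c={canon}; d=domain3.co.uk; s=default;\r\n"
           f"\th=from:to:subject; bh={bh};\r\n\tb=PLACEHOLDER").encode()
    return (b"From: asterisk@service2.domain2.co.uk\r\nTo: voicemail@example.com\r\n"
            b"Subject: test\r\n" + sig + b"\r\n\r\n" + body)

def relay_altered(canon: str) -> bool:
    # Sign over ORIGINAL_BODY, then check what verifies after the relay has changed the body
    return check_body_hash(build_signed(ORIGINAL_BODY, canon).replace(ORIGINAL_BODY, ALTERED_BODY))["ok"]

if __name__ == "__main__":
    for canon in ("relaxed/simple", "relaxed/relaxed"):
        print(f"c={canon}: body hash still verifies after relay: {relay_altered(canon)}")
```

Running check_body_hash over the raw message as Gmail received it (headers intact, CRLF line endings) against the copy the MTA handed to OpenDKIM shows which canonicalization was used and whether the received body still hashes to the signed bh=.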

Difficult to say without knowing what's in those files. Is the format of the `InternalHosts` file correct? Are the domains to sign for all listed in `SigningTable` in the correct format? Is `refile:` (rather than `file:`) the correct data set type for the file contents?

I'll anonymise and then upload the contents of those files - I think they're all good, but I'm no expert at this!

Added contents of both files, and also a snip from the mail.log @glts

Read what `man 8 opendkim` has to say on `file:` versus `refile:` data sets. `InternalHosts` looks like it should use the `file:` type. Also try dropping `ExternalIgnoreList`, it might not be necessary.

Thanks - read the man page and tried both suggestions, but no change.

Updated the question with further detail - looks like DKIM is signing, but the signatures aren't working. Interested to hear any thoughts.