Date: Mon, 3 Sep 2018 17:23:14 -0400 From: William Dudley <wfdudley@gmail.com> To: Chris Gordon <freebsd@theory14.net> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: DKIM is driving me nuts Message-ID: <CAFsnNZK%2BZ=2_YyYJ8HiFTPFunrt8Qb%2B3LaWa_BzMAOBw65VJxQ@mail.gmail.com> In-Reply-To: <7CB447CE-B9D5-4E4C-8E10-A431FC8C779E@theory14.net> References: <mailman.104.1535976002.94972.freebsd-questions@freebsd.org> <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca> <CAFsnNZ%2BiHrnQAzJPwj%2Bb8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com> <7CB447CE-B9D5-4E4C-8E10-A431FC8C779E@theory14.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Chris, I'm going to hop right on this and will report back with my success or failure. Thanks, Bill This email is free of malware because I run Linux. On Mon, Sep 3, 2018 at 4:44 PM, Chris Gordon <freebsd@theory14.net> wrote: > The values in the SigningTable do this mapping. The opendkim.comf man pag= e > talks about this, but it can be really confusing until you see it all > pieced together. First, you can use the same key to sing all mail from > your domain, so you don=E2=80=99t have to create a different key for each= host. > > Here=E2=80=99s what I have (edited for your domain) and assuming you want= to use > the same key for everything in casano.com: > > - In /usr/local/etc/mail/opendkim.conf, I have the following settings, > among others -- mostly defaults: > SigningTable refile:/usr/local/etc/mail/signing_table > KeyTable file:/usr/local/etc/mail/key_table > > - /usr/local/etc/mail/signing_table should have: > > *@casano.com mail._domainkey.casano.com > > - Then in /usr/local/etc/mail/key_table, you have: > > mail._domainkey.casano.com casano.com:mail:/path/to/the/keyfile > > > The SigningTable matches the domain to value on the right hand side. The= n > looks up that value in the KeyTable to get the path to the key to use to > sign. There may be other ways to do this (I actually sign a couple of > domains with different keys, so I have more lines in my to table files) a= nd > it=E2=80=99s been a while since I set it up, so I=E2=80=99m a bit rusty a= nd may have > something a bit off. > > Hope that helps. > > Chris > > > > On Sep 3, 2018, at 3:34 PM, William Dudley <wfdudley@gmail.com> wrote: > > > > I have an SPF record. > > > > That is not the problem. > > > > The problem is that the server has three names: > > > > casano.com > > mail.casano.com > > dudley.casano.com > > > > and I cannot figure out how opendkim chooses which key > > to use to sign emails. Does it look at Message-Id? Does it look > > at Reply-to: (unlikely) ? Whatever field it uses, changes depending > > on if I use Thunderbird, Mail (mailx), or the mailman listserve to send > > the email. > > > > Thanks, > > Bill Dudley > > > > > > This email is free of malware because I run Linux. > > > > On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne <byrnejb@harte-lyne.ca> > > wrote: > > > >> > >> On Sun, September 2, 2018 19:06, William Dudley wrote: > >>> I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail > >>> system. > >>> Since I don't know if the problem is sendmail or opendkim or DNS or > >>> what, I'm asking here. > >>> > >> > >> You need a sender policy framework specification in your dns for the > >> domains you wish secured. You do not put the keys in this, just the > >> policy version, the authorised hosts, and the disposal option. > >> > >> Ours is: > >> > >> harte-lyne.ca. 172800 IN TXT > >> "v=3Dspf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26 > >> ip4:216.185.71.128/26 -all" > >> > >> The ~all at the end is called a soft fail. It means that recipients > >> may accept mail from another server, but that the sender should be > >> viewed with suspicion. If you change the disposal option to -all you > >> are directing the recipient to reject mail from any server other than > >> these. The soft fail approach is safer and recommended. > >> > >> If you employ dkim without a dns entry for your sender policy > >> framework, or with invalid SPF or multiple SPF dns records, then the > >> correct behaviour is to reject all mail from the sender since the > >> policy cannot be determined. > >> > >> -- > >> *** e-Mail is NOT a SECURE channel *** > >> Do NOT transmit sensitive data via e-Mail > >> Do NOT open attachments nor follow links sent by e-Mail > >> > >> James B. Byrne mailto:ByrneJB@Harte-Lyne.ca > >> Harte & Lyne Limited http://www.harte-lyne.ca > >> 9 Brockley Drive vox: +1 905 561 1241 > >> Hamilton, Ontario fax: +1 905 561 0757 > >> Canada L8E 3C3 > >> > >> > > _______________________________________________ > > freebsd-questions@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions > > To unsubscribe, send any mail to "freebsd-questions- > unsubscribe@freebsd.org" > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFsnNZK%2BZ=2_YyYJ8HiFTPFunrt8Qb%2B3LaWa_BzMAOBw65VJxQ>