From: William Dudley
Date: Mon, 3 Sep 2018 17:23:14 -0400
Subject: Re: DKIM is driving me nuts
To: Chris Gordon
Cc: freebsd-questions

Chris,

I'm going to hop right on this and will report back with my success or failure.

Thanks,
Bill

This email is free of malware because I run Linux.

On Mon, Sep 3, 2018 at 4:44 PM, Chris Gordon wrote:

> The values in the SigningTable do this mapping. The opendkim.conf man page
> talks about this, but it can be really confusing until you see it all
> pieced together. First, you can use the same key to sign all mail from
> your domain, so you don’t have to create a different key for each host.
>
> Here’s what I have (edited for your domain) and assuming you want to use
> the same key for everything in casano.com:
>
> - In /usr/local/etc/mail/opendkim.conf, I have the following settings,
>   among others -- mostly defaults:
>     SigningTable refile:/usr/local/etc/mail/signing_table
>     KeyTable file:/usr/local/etc/mail/key_table
>
> - /usr/local/etc/mail/signing_table should have:
>
>     *@casano.com mail._domainkey.casano.com
>
> - Then in /usr/local/etc/mail/key_table, you have:
>
>     mail._domainkey.casano.com casano.com:mail:/path/to/the/keyfile
>
>
> The SigningTable matches the domain to value on the right hand side. Then
> looks up that value in the KeyTable to get the path to the key to use to
> sign. There may be other ways to do this (I actually sign a couple of
> domains with different keys, so I have more lines in my two table files) and
> it’s been a while since I set it up, so I’m a bit rusty and may have
> something a bit off.
>
> Hope that helps.
>
> Chris
>
>
> > On Sep 3, 2018, at 3:34 PM, William Dudley wrote:
> >
> > I have an SPF record.
> >
> > That is not the problem.
> >
> > The problem is that the server has three names:
> >
> > casano.com
> > mail.casano.com
> > dudley.casano.com
> >
> > and I cannot figure out how opendkim chooses which key
> > to use to sign emails. Does it look at Message-Id? Does it look
> > at Reply-to: (unlikely) ? Whatever field it uses, changes depending
> > on if I use Thunderbird, Mail (mailx), or the mailman listserve to send
> > the email.
> >
> > Thanks,
> > Bill Dudley
> >
> >
> > This email is free of malware because I run Linux.
> >
> > On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne
> > wrote:
> >
> >>
> >> On Sun, September 2, 2018 19:06, William Dudley wrote:
> >>> I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
> >>> system.
> >>> Since I don't know if the problem is sendmail or opendkim or DNS or
> >>> what, I'm asking here.
> >>>
> >>
> >> You need a sender policy framework specification in your dns for the
> >> domains you wish secured. You do not put the keys in this, just the
> >> policy version, the authorised hosts, and the disposal option.
> >>
> >> Ours is:
> >>
> >> harte-lyne.ca. 172800 IN TXT
> >> "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26
> >> ip4:216.185.71.128/26 -all"
> >>
> >> The ~all at the end is called a soft fail. It means that recipients
> >> may accept mail from another server, but that the sender should be
> >> viewed with suspicion. If you change the disposal option to -all you
> >> are directing the recipient to reject mail from any server other than
> >> these. The soft fail approach is safer and recommended.
> >>
> >> If you employ dkim without a dns entry for your sender policy
> >> framework, or with invalid SPF or multiple SPF dns records, then the
> >> correct behaviour is to reject all mail from the sender since the
> >> policy cannot be determined.
> >>
> >> --
> >> *** e-Mail is NOT a SECURE channel ***
> >> Do NOT transmit sensitive data via e-Mail
> >> Do NOT open attachments nor follow links sent by e-Mail
> >>
> >> James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
> >> Harte & Lyne Limited http://www.harte-lyne.ca
> >> 9 Brockley Drive vox: +1 905 561 1241
> >> Hamilton, Ontario fax: +1 905 561 0757
> >> Canada L8E 3C3
> >>
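
Added example, not part of the thread and not opendkim's own code: a simplified Python model of the SigningTable to KeyTable lookup described in the quoted reply, run against constructed copies of the two table lines. It assumes the address tested is the one in the From: header (as opendkim.conf(5) documents for SigningTable), that a `refile:` pattern must match the whole address with `*` as the only wildcard, and that the first match wins; `select_key`, `pattern_matches`, `parse_table` and the sample senders are hypothetical names.

```python
import re

# Constructed copies of the two table files quoted in the thread.
SIGNING_TABLE = "*@casano.com mail._domainkey.casano.com\n"
KEY_TABLE = "mail._domainkey.casano.com casano.com:mail:/path/to/the/keyfile\n"


def parse_table(text):
    """Return (key, value) pairs from 'key value' lines, skipping blanks and # comments."""
    rows = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"line {number}: expected 'key value', got {line!r}")
        rows.append((fields[0], fields[1].strip()))
    return rows


def pattern_matches(pattern, address):
    """Model of a refile key: '*' is a wildcard, everything else is literal,
    and the pattern must cover the whole address (an assumption of this model)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def select_key(from_address, signing_text=SIGNING_TABLE, key_text=KEY_TABLE):
    """Return (d= domain, s= selector, key file) for a From: address,
    or None when no SigningTable entry matches (the mail goes out unsigned)."""
    key_table = dict(parse_table(key_text))
    for pattern, key_name in parse_table(signing_text):
        if not pattern_matches(pattern, from_address):
            continue
        if key_name not in key_table:
            raise LookupError(f"SigningTable names {key_name!r}, missing from KeyTable")
        fields = key_table[key_name].split(":", 2)
        if len(fields) != 3:
            raise ValueError(f"KeyTable entry {key_name!r} is not domain:selector:keyfile")
        return tuple(fields)
    return None


if __name__ == "__main__":
    for sender in ("bill@casano.com", "bill@mail.casano.com", "bill@dudley.casano.com"):
        print(sender, "->", select_key(sender))
```

In this model a From: address on mail.casano.com or dudley.casano.com matches nothing in the one-line signing table; a second constructed line such as `*@*.casano.com mail._domainkey.casano.com` maps those senders to the same key.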