From: William Dudley
Date: Tue, 4 Sep 2018 10:28:51 -0400
Subject: Re: DKIM is driving me nuts
To: "James B. Byrne"
Cc: freebsd-questions
List-Id: User questions

My domain is not "casaMo.com", so all of your research is irrelevant.

Thanks,
Bill Dudley

This email is free of malware because I run Linux.

On Tue, Sep 4, 2018 at 10:10 AM, James B. Byrne wrote:
>
> On Mon, September 3, 2018 15:34, William Dudley wrote:
> > I have an SPF record.
> >
> > That is not the problem.
>
> I beg to differ. It may not be your ONLY problem, but it is a problem.
>
>
> [byrnejb_hll@vhost04 ~]$ drill casamo.com TXT
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53899
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
> ;; QUESTION SECTION:
> ;; casamo.com.     IN      TXT
>
> ;; ANSWER SECTION:
> casamo.com.     3600    IN      TXT     "google-site-verification=ljFtgzq9av4Oxtx_FepTKvL7E7xMzlen1UnDKBBWO8g"
>
> ;; AUTHORITY SECTION:
> casamo.com.     172800  IN      NS      ns63.domaincontrol.com.
> casamo.com.     172800  IN      NS      ns64.domaincontrol.com.
>
> ;; ADDITIONAL SECTION:
> ns63.domaincontrol.com. 172800  IN      A       216.69.185.42
> ns63.domaincontrol.com. 172800  IN      AAAA    2607:f208:206::2a
> ns64.domaincontrol.com. 172800  IN      A       173.201.69.42
> ns64.domaincontrol.com. 172800  IN      AAAA    2603:5:2254::2a
>
> ;; Query time: 59 msec
> ;; SERVER: 216.185.71.33
> ;; WHEN: Tue Sep  4 09:50:52 2018
> ;; MSG SIZE  rcvd: 249
>
> [byrnejb_hll@vhost04 ~]$ drill mail.casamo.com TXT
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 50174
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; mail.casamo.com.        IN      TXT
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> casamo.com.     600     IN      SOA     ns63.domaincontrol.com. dns.jomax.net. 2018021000 28800 7200 604800 600
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 58 msec
> ;; SERVER: 216.185.71.34
> ;; WHEN: Tue Sep  4 09:51:15 2018
> ;; MSG SIZE  rcvd: 101
>
> [byrnejb_hll@vhost04 ~]$ drill dudley.casamo.com TXT
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 56419
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; dudley.casamo.com.      IN      TXT
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> casamo.com.     600     IN      SOA     ns63.domaincontrol.com. dns.jomax.net. 2018021000 28800 7200 604800 600
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 17 msec
> ;; SERVER: 216.185.71.33
> ;; WHEN: Tue Sep  4 09:51:32 2018
> ;; MSG SIZE  rcvd: 103
>
> Whatever you believe to be the case, your DNS TXT RR with the spf
> version and list of authorised senders is not published, and this lack
> is likely contributing to, if not the entire cause of, your
> difficulty. You do not have any published DNS SPF RRs either, but as
> that particular RR is deprecated you should not have such in any case.
>
> > and I cannot figure out how opendkim chooses which key
> > to use to sign emails. Does it look at Message-Id? Does it look
> > at Reply-to: (unlikely)? Whatever field it uses changes depending
> > on whether I use Thunderbird, Mail (mailx), or the mailman listserve to
> > send the email.
> >
>
> Read man 5 opendkim.conf re signing table.
>
> For example:
>
> cat /usr/local/etc/mail/opendkim/SigningTable
> # OPENDKIM SIGNING TABLE
> # This table controls how to apply one or more signatures to
> # outgoing messages based on the address found in the
> # From: header field. In simple terms, this tells OpenDKIM "how"
> # to apply your keys.
>
> # To use this file, uncomment the SigningTable option in
> # /etc/opendkim.conf, then uncomment one of the usage examples
> # below and replace example.com with your domain name, then
> # restart OpenDKIM.
>
> # WILDCARD EXAMPLE
> # Enables signing for any address on the listed domain(s), but
> # will work only if "refile:/etc/opendkim/SigningTable" is included
> # in /etc/opendkim.conf.
> # Create additional lines for additional domains.
>
> #*@example.com default._domainkey.example.com
>
> # NON-WILDCARD EXAMPLE
> # If "file:" (instead of "refile:") is specified in /etc/opendkim.conf,
> # then wildcards will not work. Instead, full user@host is checked
> # first, then simply host, then user@.domain (with all superdomains
> # checked in sequence, so "foo.example.com" would first check
> # "user@foo.example.com", then "user@.example.com", then "user@.com"),
> # then .domain, then user@*, and finally *.
> # See the opendkim.conf(5) man page under "SigningTable" for more
> # details.
>
> #From address left hand side   key value in KeyTable
> *@harte-lyne.ca                dkim_hll
>
> You need to CAREFULLY consider each option in opendkim.conf and decide
> how it fits into your SPF and DMARC scheme. You must also set up the
> support files required for each option that you enable. And you must
> have suitable DNS RRs published.
>
> > On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne wrote:
> >>
> >> On Sun, September 2, 2018 19:06, William Dudley wrote:
> >> > I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
> >> > system.
> >> > Since I don't know if the problem is sendmail or opendkim or DNS or
> >> > what, I'm asking here.
> >> >
> >>
> >> You need a sender policy framework specification in your dns for the
> >> domains you wish secured. You do not put the keys in this, just the
> >> policy version, the authorised hosts, and the disposal option.
> >>
> >> Ours is:
> >>
> >> harte-lyne.ca. 172800 IN TXT "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26 ip4:216.185.71.128/26 -all"
> >>
> >> The ~all at the end is called a soft fail. It means that recipients
> >> may accept mail from another server, but that the sender should be
> >> viewed with suspicion. If you change the disposal option to -all you
> >> are directing the recipient to reject mail from any server other than
> >> these. The soft fail approach is safer and recommended.
> >>
> >> If you employ dkim without a dns entry for your sender policy
> >> framework, or with invalid SPF or multiple SPF dns records, then the
> >> correct behaviour is to reject all mail from the sender since the
> >> policy cannot be determined.
> >>
> >
>
> --
> *** e-Mail is NOT a SECURE channel ***
> Do NOT transmit sensitive data via e-Mail
> Do NOT open attachments nor follow links sent by e-Mail
>
> James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
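The SigningTable comment quoted above describes the lookup order OpenDKIM uses to turn a From: address into a KeyTable entry, which is exactly the "which key does it pick" question Bill asked. The following is an added example, not code from the thread or from OpenDKIM itself: a small Python re-implementation of that documented order for a "file:" table, plus glob-style matching for a "refile:" table, followed by the KeyTable step that yields the signing domain, selector and key path. The "*@harte-lyne.ca dkim_hll" line is the one James posted; the casamo.com entries, the KeyTable contents, the selector "mail2018" and the key paths are constructed for illustration and do not describe Bill's real setup. Case-folding of the address and the "*"-as-wildcard reading of refile: keys are assumptions made here.

```python
import re

# Constructed SigningTable contents. "*@harte-lyne.ca dkim_hll" is the line
# quoted in the thread; everything else is made up for illustration.
REFILE_SIGNING_TABLE = """
# refile: keys are wildcard patterns matched against the From: address
*@harte-lyne.ca   dkim_hll
"""

FILE_SIGNING_TABLE = """
# file: keys are matched literally, in the fallback order described in the
# SigningTable comment quoted in the thread (hypothetical entries)
casamo.com        dkim_casamo
.casamo.com       dkim_casamo
"""

# KeyTable format is "name domain:selector:keyfile"; these values are assumed.
KEY_TABLE = """
dkim_hll     harte-lyne.ca:default:/usr/local/etc/mail/opendkim/keys/harte-lyne.ca.private
dkim_casamo  casamo.com:mail2018:/usr/local/etc/mail/opendkim/keys/casamo.com.private
"""


def parse_table(text):
    """Parse a two-column OpenDKIM table; '#' comments and blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries.append((parts[0], parts[1].strip()))
    return entries


def signing_table_candidates(from_addr):
    """Keys tried, in order, for a file: SigningTable, following the order in the
    quoted comment. Case-folding the address is an assumption made here."""
    user, _, host = from_addr.lower().rpartition("@")
    labels = host.split(".")
    superdomains = ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys = [f"{user}@{host}", host]                   # user@host, then host
    keys += [f"{user}@{sd}" for sd in superdomains]   # user@.example.com, user@.com
    keys += superdomains                              # .example.com, .com
    keys += [f"{user}@*", "*"]                        # user@*, then catch-all
    return keys


def refile_match(pattern, from_addr):
    """Wildcard match for refile: tables; '*' matches any run of characters.
    Glob semantics are assumed; enough for the *@domain form in the thread."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, from_addr, re.IGNORECASE) is not None


def lookup_signing_key(table_text, from_addr, mode):
    """Return the KeyTable name selected for from_addr, or None (message unsigned)."""
    entries = parse_table(table_text)
    if mode == "refile":
        for key, value in entries:
            if refile_match(key, from_addr):
                return value
        return None
    if mode == "file":
        exact = {key.lower(): value for key, value in entries}
        for candidate in signing_table_candidates(from_addr):
            if candidate in exact:
                return exact[candidate]
        return None
    raise ValueError(f"unknown table mode {mode!r}")


def resolve_key(key_table_text, key_name):
    """KeyTable value is domain:selector:keyfile; return that triple or None."""
    for name, value in parse_table(key_table_text):
        if name == key_name:
            domain, selector, keyfile = value.split(":", 2)
            return domain, selector, keyfile
    return None


def signing_decision(from_addr, signing_table, mode, key_table=KEY_TABLE):
    """From: address -> (d= domain, s= selector, keyfile), or None when unsigned."""
    key_name = lookup_signing_key(signing_table, from_addr, mode)
    return resolve_key(key_table, key_name) if key_name else None


if __name__ == "__main__":
    # Different mail clients on one box can put different hosts in From:;
    # the .casamo.com entry covers the subdomain forms, casamo.com the bare one.
    for addr in ("bill@casamo.com", "bill@dudley.casamo.com", "bill@mail.casamo.com"):
        print(addr, "->", signing_decision(addr, FILE_SIGNING_TABLE, "file"))
    for addr in ("someone@harte-lyne.ca", "bill@example.org"):
        print(addr, "->", signing_decision(addr, REFILE_SIGNING_TABLE, "refile"))
```

The practical takeaway is that the only input to this choice is the From: header address, so a message whose From: host is not reached by any SigningTable key is simply passed through unsigned; a ".domain" entry (or a refile wildcard) is what keeps mailx, Thunderbird and mailman output consistent when they differ only in the host part.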
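James's SPF record and his description of "-all" versus "~all", worked through as an added example (my code, not from the thread or from any SPF library): a cut-down RFC 7208 evaluator that handles only the ip4, ip6 and all mechanisms and returns the standard result names. The harte-lyne.ca record and the casamo.com TXT are the ones quoted in the thread; the *.example domains and the sending IPs are constructed to exercise the remaining outcomes, including the "multiple SPF records" case, which RFC 7208 defines as a permanent error. What a receiver does with "none" or "permerror" is its own policy; the RFC only defines the result names.

```python
import ipaddress

# Constructed stand-in for DNS: zone apex -> list of TXT strings.
# harte-lyne.ca and casamo.com reproduce the records quoted in the thread
# (drill showed casamo.com publishing only a site-verification TXT); the
# *.example entries are made up to exercise the other outcomes.
TXT_RECORDS = {
    "harte-lyne.ca": [
        "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26 ip4:216.185.71.128/26 -all",
    ],
    "casamo.com": ["google-site-verification=ljFtgzq9av4Oxtx_FepTKvL7E7xMzlen1UnDKBBWO8g"],
    "softfail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "neutral.example": ["v=spf1 ip4:192.0.2.0/24"],
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:198.51.100.1 -all"],
}

# RFC 7208 qualifier -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(domain, txt=TXT_RECORDS):
    """TXT strings whose first token is exactly v=spf1 (RFC 7208 section 4.5)."""
    found = []
    for t in txt.get(domain, []):
        first = t.split(None, 1)[:1]
        if first and first[0].lower() == "v=spf1":
            found.append(t)
    return found


def check_host(ip, domain, txt=TXT_RECORDS):
    """Reduced check_host(): only ip4, ip6 and all are modelled. include, a,
    mx, exists and redirect would need further DNS lookups and raise here."""
    records = spf_records(domain, txt)
    if not records:
        return "none"        # no policy published; the receiver cannot decide
    if len(records) > 1:
        return "permerror"   # RFC 7208: more than one record is a permanent error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]          # -all -> fail, ~all -> softfail
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network is a syntax error
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"           # ip4: with an IPv6 block, or vice versa
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual]
            continue
        raise NotImplementedError(f"mechanism {name!r} not modelled here")
    return "neutral"         # nothing matched and no "all": RFC 7208 default


if __name__ == "__main__":
    cases = [
        ("209.47.176.20", "harte-lyne.ca"),   # inside an authorised /26
        ("203.0.113.5", "harte-lyne.ca"),     # outside every block, -all
        ("203.0.113.5", "softfail.example"),  # outside every block, ~all
        ("203.0.113.5", "casamo.com"),        # no v=spf1 record at all
        ("192.0.2.1", "broken.example"),      # two v=spf1 records
    ]
    for ip, domain in cases:
        print(f"{ip:>15} sending as {domain:<17} -> {check_host(ip, domain)}")
```

Running it shows the difference the last token makes: the same unauthorised source gets "fail" under -all and "softfail" under ~all, while a domain with no v=spf1 TXT at all (the casamo.com case in the drill output) yields "none", which is distinct from either.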