From: Chris Gordon (freebsd@theory14.net)
To: William Dudley
Cc: James B. Byrne, freebsd-questions
Subject: Re: DKIM is driving me nuts
Date: Mon, 3 Sep 2018 16:44:13 -0400

The values in the SigningTable do this mapping. The opendkim.conf man page talks about this, but it can be really confusing until you see it all pieced together. First, you can use the same key to sign all mail from your domain, so you don't have to create a different key for each host.

Here's what I have (edited for your domain) and assuming you want to use the same key for everything in casano.com:

- In /usr/local/etc/mail/opendkim.conf, I have the following settings, among others -- mostly defaults:

    SigningTable refile:/usr/local/etc/mail/signing_table
    KeyTable file:/usr/local/etc/mail/key_table

- /usr/local/etc/mail/signing_table should have:

    *@casano.com mail._domainkey.casano.com

- Then in /usr/local/etc/mail/key_table, you have:

    mail._domainkey.casano.com casano.com:mail:/path/to/the/keyfile

The SigningTable matches the domain to the value on the right hand side. Then it looks up that value in the KeyTable to get the path to the key to use to sign. There may be other ways to do this (I actually sign a couple of domains with different keys, so I have more lines in my two table files) and it's been a while since I set it up, so I'm a bit rusty and may have something a bit off.

Hope that helps.

Chris

> On Sep 3, 2018, at 3:34 PM, William Dudley wrote:
> 
> I have an SPF record.
> 
> That is not the problem.
> 
> The problem is that the server has three names:
> 
> casano.com
> mail.casano.com
> dudley.casano.com
> 
> and I cannot figure out how opendkim chooses which key
> to use to sign emails. Does it look at Message-Id? Does it look
> at Reply-to: (unlikely)? Whatever field it uses, changes depending
> on if I use Thunderbird, Mail (mailx), or the mailman listserve to send
> the email.
> 
> Thanks,
> Bill Dudley
> 
> 
> This email is free of malware because I run Linux.
> 
> On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne wrote:
> 
>> 
>> On Sun, September 2, 2018 19:06, William Dudley wrote:
>>> I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
>>> system.
>>> Since I don't know if the problem is sendmail or opendkim or DNS or
>>> what, I'm asking here.
>>> 
>> 
>> You need a sender policy framework specification in your dns for the
>> domains you wish secured. You do not put the keys in this, just the
>> policy version, the authorised hosts, and the disposal option.
>> 
>> Ours is:
>> 
>> harte-lyne.ca. 172800 IN TXT
>> "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26
>> ip4:216.185.71.128/26 -all"
>> 
>> The ~all at the end is called a soft fail. It means that recipients
>> may accept mail from another server, but that the sender should be
>> viewed with suspicion. If you change the disposal option to -all you
>> are directing the recipient to reject mail from any server other than
>> these. The soft fail approach is safer and recommended.
>> 
>> If you employ dkim without a dns entry for your sender policy
>> framework, or with invalid SPF or multiple SPF dns records, then the
>> correct behaviour is to reject all mail from the sender since the
>> policy cannot be determined.
>> 
>> --
>> *** e-Mail is NOT a SECURE channel ***
>> Do NOT transmit sensitive data via e-Mail
>> Do NOT open attachments nor follow links sent by e-Mail
>> 
>> James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
>> Harte & Lyne Limited http://www.harte-lyne.ca
>> 9 Brockley Drive vox: +1 905 561 1241
>> Hamilton, Ontario fax: +1 905 561 0757
>> Canada L8E 3C3
>> 
>> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
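The SigningTable-to-KeyTable lookup Chris describes, as an added Python example that is not code from this thread or from opendkim itself: it matches a From: address the way an opendkim refile wildcard pattern does, then splits the KeyTable value into domain, selector and key file and derives the DNS name at which the matching public key must be published. The sample tables are constructed from Chris's lines; the extra *@*.casano.com pattern is an added assumption to show how addresses at the host names Bill lists (such as mail.casano.com) are handled, since *@casano.com alone does not match them.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample tables in the two formats Chris's reply shows (not the
# list's files); the *@*.casano.com line is an added assumption covering
# addresses at host names such as mail.casano.com.
SIGNING_TABLE = """\
*@casano.com       mail._domainkey.casano.com
*@*.casano.com     mail._domainkey.casano.com
"""
KEY_TABLE = """\
mail._domainkey.casano.com   casano.com:mail:/path/to/the/keyfile
"""

class SigningKey(NamedTuple):
    domain: str
    selector: str
    keyfile: str

    @property
    def dns_name(self) -> str:
        # Name of the TXT record that must hold the matching public key (RFC 6376)
        return f"{self.selector}._domainkey.{self.domain}"

def _rows(table: str):
    """Yield (key, value) pairs from a table file, skipping blanks and comments."""
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            yield key, value.strip()

def refile_to_regex(pattern: str) -> "re.Pattern[str]":
    """refile semantics: '*' is a wildcard, the rest is literal, whole-string match."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)

def resolve_signing_key(from_addr: str, signing_table: str, key_table: str) -> Optional[SigningKey]:
    """Mimic opendkim: SigningTable maps the From: address (its default SenderHeaders)
    to a key name; KeyTable maps that name to domain:selector:keyfile."""
    keys = dict(_rows(key_table))
    for pattern, key_name in _rows(signing_table):
        if refile_to_regex(pattern).match(from_addr):
            if key_name not in keys:
                raise KeyError(f"SigningTable names {key_name!r} but KeyTable lacks it")
            domain, selector, keyfile = keys[key_name].split(":", 2)
            return SigningKey(domain, selector, keyfile)
    return None  # no pattern matched: opendkim leaves the message unsigned
```

Running resolve_signing_key("bill@mail.casano.com", SIGNING_TABLE, KEY_TABLE) shows the subdomain address only signs because of the second pattern; with Chris's single *@casano.com line it returns None and the message goes out unsigned.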