Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 4 Sep 2018 10:10:55 -0400
From:      "James B. Byrne" <byrnejb@harte-lyne.ca>
To:        "William Dudley" <wfdudley@gmail.com>
Cc:        "freebsd-questions" <freebsd-questions@freebsd.org>
Subject:   Re: DKIM is driving me nuts
Message-ID:  <a57ff4870e5d68211e673a5383892017.squirrel@webmail.harte-lyne.ca>
In-Reply-To: <CAFsnNZ+iHrnQAzJPwj+b8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com>
References:  <mailman.104.1535976002.94972.freebsd-questions@freebsd.org> <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca> <CAFsnNZ+iHrnQAzJPwj+b8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

On Mon, September 3, 2018 15:34, William Dudley wrote:
> I have an SPF record.
>
> That is not the problem.

I beg to differ.  It may not be your ONLY problem but it is a problem.


[byrnejb_hll@vhost04 ~]$ drill casamo.com TXT
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53899
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;; casamo.com.	IN	TXT

;; ANSWER SECTION:
casamo.com.	3600	IN	TXT	"google-site-verification=ljFtgzq9av4Oxtx_FepTKvL7E7xMzlen1UnDKBBWO8g"

;; AUTHORITY SECTION:
casamo.com.	172800	IN	NS	ns63.domaincontrol.com.
casamo.com.	172800	IN	NS	ns64.domaincontrol.com.

;; ADDITIONAL SECTION:
ns63.domaincontrol.com.	172800	IN	A	216.69.185.42
ns63.domaincontrol.com.	172800	IN	AAAA	2607:f208:206::2a
ns64.domaincontrol.com.	172800	IN	A	173.201.69.42
ns64.domaincontrol.com.	172800	IN	AAAA	2603:5:2254::2a

;; Query time: 59 msec
;; SERVER: 216.185.71.33
;; WHEN: Tue Sep  4 09:50:52 2018
;; MSG SIZE  rcvd: 249
[byrnejb_hll@vhost04 ~]$ drill mail.casamo.com TXT
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 50174
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; mail.casamo.com.	IN	TXT

;; ANSWER SECTION:

;; AUTHORITY SECTION:
casamo.com.	600	IN	SOA	ns63.domaincontrol.com. dns.jomax.net.
2018021000 28800 7200 604800 600

;; ADDITIONAL SECTION:

;; Query time: 58 msec
;; SERVER: 216.185.71.34
;; WHEN: Tue Sep  4 09:51:15 2018
;; MSG SIZE  rcvd: 101
[byrnejb_hll@vhost04 ~]$ drill dudley.casamo.com TXT
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 56419
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; dudley.casamo.com.	IN	TXT

;; ANSWER SECTION:

;; AUTHORITY SECTION:
casamo.com.	600	IN	SOA	ns63.domaincontrol.com. dns.jomax.net.
2018021000 28800 7200 604800 600

;; ADDITIONAL SECTION:

;; Query time: 17 msec
;; SERVER: 216.185.71.33
;; WHEN: Tue Sep  4 09:51:32 2018
;; MSG SIZE  rcvd: 103

Whatever you believe to be the case your DNS TXT RR with the spf
version and list of authorised senders is not published and this lack
is likely contributing to, if not the entire cause of, your
difficulty.  You do not have any published DNS SPF RRs either, but as
that particular RR is deprecated you should not have such in any case.

> and I cannot figure out how opendkim chooses which key
> to use to sign emails.  Does it look at Message-Id?  Does it look
> at Reply-to: (unlikely) ?  Whatever field it uses, changes depending
> on if I use Thunderbird, Mail (mailx), or the mailman listserve to
> send the email.
>

Read man 5 opendkim.conf re signing table.

For example:

cat /usr/local/etc/mail/opendkim/SigningTable
# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to
# outgoing messages based on the address found in the
# From: header field. In simple terms, this tells OpenDKIM "how"
# to apply your keys.

# To use this file, uncomment the SigningTable option in
# /etc/opendkim.conf, then uncomment one of the usage examples
# below and replace example.com with your domain name, then
# restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but
# will work only if "refile:/etc/opendkim/SigningTable" is included
# in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf,
# then wildcards will not work. Instead, full user@host is checked
# first, then simply host, then user@.domain (with all superdomains
# checked in sequence, so "foo.example.com" would first check
# "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *.
# See the opendkim.conf(5) man page under "SigningTable" for more
# details.

#From address                     left hand side key value in KeyTable
*@harte-lyne.ca                   dkim_hll

You need to CAREFULLY consider each option in opendkim.conf and decide
how it fits into your SPF and DMARC scheme.  You must also set up the
support files required for each option that you enable.  And you must
have suitable DNS RRs published.

> On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne <byrnejb@harte-lyne.ca>
> wrote:
>
>>
>> On Sun, September 2, 2018 19:06, William Dudley wrote:
>> > I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
>> > system.
>> > Since I don't know if the problem is sendmail or opendkim or DNS
>> or
>> > what, I'm asking here.
>> >
>>
>> You need a sender policy framework specification in your dns for the
>> domains you wish secured.  You do not put the keys in this, just the
>> policy version, the authorised hosts, and the disposal option.
>>
>> Ours is:
>>
>> harte-lyne.ca.          172800  IN      TXT
>>    "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26
>> ip4:216.185.71.128/26 -all"
>>
>> The ~all at the end is called a soft fail. It means that recipients
>> may accept mail from another server, but that the sender should be
>> viewed with suspicion. If you change the disposal option to -all you
>> are directing the recipient to reject mail from any server other
>> than
>> these. The soft fail approach is safer and recommended.
>>
>> If you employ dkim without a dns entry for your sender policy
>> framework, or with invalid SPF or multiple SPF dns records, then the
>> correct behaviour is to reject all mail from the sender since the
>> policy cannot be determined.
>>


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?a57ff4870e5d68211e673a5383892017.squirrel>