From: "James B. Byrne" <byrnejb@harte-lyne.ca>
To: "William Dudley"
Cc: "freebsd-questions"
Reply-To: byrnejb@harte-lyne.ca
Date: Tue, 4 Sep 2018 10:10:55 -0400
Subject: Re: DKIM is driving me nuts
References: <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca>
List-Id: User questions (freebsd-questions@freebsd.org)

On Mon, September 3, 2018 15:34, William Dudley wrote:
> I have an SPF record.
>
> That is not the problem.

I beg to differ.  It may not be your ONLY problem but it is a problem.

[byrnejb_hll@vhost04 ~]$ drill casamo.com TXT
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53899
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; QUESTION SECTION:
;; casamo.com.     IN      TXT

;; ANSWER SECTION:
casamo.com.     3600    IN      TXT     "google-site-verification=ljFtgzq9av4Oxtx_FepTKvL7E7xMzlen1UnDKBBWO8g"

;; AUTHORITY SECTION:
casamo.com.     172800  IN      NS      ns63.domaincontrol.com.
casamo.com.     172800  IN      NS      ns64.domaincontrol.com.

;; ADDITIONAL SECTION:
ns63.domaincontrol.com. 172800  IN      A       216.69.185.42
ns63.domaincontrol.com. 172800  IN      AAAA    2607:f208:206::2a
ns64.domaincontrol.com. 172800  IN      A       173.201.69.42
ns64.domaincontrol.com. 172800  IN      AAAA    2603:5:2254::2a

;; Query time: 59 msec
;; SERVER: 216.185.71.33
;; WHEN: Tue Sep  4 09:50:52 2018
;; MSG SIZE  rcvd: 249

[byrnejb_hll@vhost04 ~]$ drill mail.casamo.com TXT
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 50174
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; mail.casamo.com.        IN      TXT

;; ANSWER SECTION:

;; AUTHORITY SECTION:
casamo.com.     600     IN      SOA     ns63.domaincontrol.com. dns.jomax.net. 2018021000 28800 7200 604800 600

;; ADDITIONAL SECTION:

;; Query time: 58 msec
;; SERVER: 216.185.71.34
;; WHEN: Tue Sep  4 09:51:15 2018
;; MSG SIZE  rcvd: 101

[byrnejb_hll@vhost04 ~]$ drill dudley.casamo.com TXT
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 56419
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; dudley.casamo.com.      IN      TXT

;; ANSWER SECTION:

;; AUTHORITY SECTION:
casamo.com.     600     IN      SOA     ns63.domaincontrol.com. dns.jomax.net. 2018021000 28800 7200 604800 600

;; ADDITIONAL SECTION:

;; Query time: 17 msec
;; SERVER: 216.185.71.33
;; WHEN: Tue Sep  4 09:51:32 2018
;; MSG SIZE  rcvd: 103

Whatever you believe to be the case, your DNS TXT RR with the spf version
and list of authorised senders is not published, and this lack is likely
contributing to, if not the entire cause of, your difficulty.  You do not
have any published DNS SPF RRs either, but as that particular RR is
deprecated you should not have such in any case.

> and I cannot figure out how opendkim chooses which key
> to use to sign emails.  Does it look at Message-Id?  Does it look
> at Reply-to: (unlikely)?  Whatever field it uses, changes depending
> on if I use Thunderbird, Mail (mailx), or the mailman listserve to
> send the email.
>

Read man 5 opendkim.conf re signing table.  For example:

cat /usr/local/etc/mail/opendkim/SigningTable

# OPENDKIM SIGNING TABLE
# This table controls how to apply one or more signatures to
# outgoing messages based on the address found in the
# From: header field. In simple terms, this tells OpenDKIM "how"
# to apply your keys.

# To use this file, uncomment the SigningTable option in
# /etc/opendkim.conf, then uncomment one of the usage examples
# below and replace example.com with your domain name, then
# restart OpenDKIM.

# WILDCARD EXAMPLE
# Enables signing for any address on the listed domain(s), but
# will work only if "refile:/etc/opendkim/SigningTable" is included
# in /etc/opendkim.conf.
# Create additional lines for additional domains.

#*@example.com default._domainkey.example.com

# NON-WILDCARD EXAMPLE
# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf,
# then wildcards will not work. Instead, full user@host is checked
# first, then simply host, then user@.domain (with all superdomains
# checked in sequence, so "foo.example.com" would first check
# "user@foo.example.com", then "user@.example.com", then "user@.com"),
# then .domain, then user@*, and finally *.

# See the opendkim.conf(5) man page under "SigningTable" for more
# details.

#From address left hand side        key value in KeyTable
*@harte-lyne.ca                     dkim_hll

You need to CAREFULLY consider each option in opendkim.conf and decide
how it fits into your SPF and DMARC scheme.  You must also set up the
support files required for each option that you enable.  And you must
have suitable DNS RRs published.

> On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne
> wrote:
>
>>
>> On Sun, September 2, 2018 19:06, William Dudley wrote:
>> > I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
>> > system.
>> > Since I don't know if the problem is sendmail or opendkim or DNS
>> or
>> > what, I'm asking here.
>> >
>>
>> You need a sender policy framework specification in your dns for the
>> domains you wish secured.  You do not put the keys in this, just the
>> policy version, the authorised hosts, and the disposal option.
>>
>> Ours is:
>>
>> harte-lyne.ca. 172800 IN TXT
>> "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26
>> ip4:216.185.71.128/26 -all"
>>
>> The ~all at the end is called a soft fail.  It means that recipients
>> may accept mail from another server, but that the sender should be
>> viewed with suspicion.  If you change the disposal option to -all you
>> are directing the recipient to reject mail from any server other
>> than
>> these.  The soft fail approach is safer and recommended.
>>
>> If you employ dkim without a dns entry for your sender policy
>> framework, or with invalid SPF or multiple SPF dns records, then the
>> correct behaviour is to reject all mail from the sender since the
>> policy cannot be determined.
>>

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
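The SPF states discussed in this thread (no v=spf1 TXT at all, as the drill output for casamo.com shows; more than one record; and the -all versus ~all disposal), worked through offline as an added example that is not part of the original mail. The TXT answer sets, the domain "two-records.example" and the sending IPs are constructed; the harte-lyne.ca record is the one quoted in the thread, and ip4/ip6 are the only mechanisms evaluated since the others need live DNS.

```python
"""Evaluate a domain's SPF posture from its TXT answer set (constructed example)."""
import ipaddress
from typing import Dict, List

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT answers modelled on the thread: a domain that publishes only a
# site-verification string, the harte-lyne.ca record quoted above, and a domain
# that wrongly publishes two SPF records.
TXT_ANSWERS: Dict[str, List[str]] = {
    "casamo.com": ["google-site-verification=EXAMPLE"],
    "harte-lyne.ca": ["v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26 "
                      "ip4:216.185.71.128/26 -all"],
    "two-records.example": ["v=spf1 ip4:192.0.2.0/24 ~all", "v=spf1 -all"],
}

def spf_records(txts: List[str]) -> List[str]:
    """Only TXT strings whose version tag is exactly "v=spf1" count (RFC 7208 s4.5)."""
    return [t for t in txts if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]

def evaluate(txts: List[str], sender_ip: str) -> str:
    """Return none, permerror, pass, fail, softfail or neutral for sender_ip."""
    recs = spf_records(txts)
    if not recs:
        return "none"        # nothing published: the state the drill output shows
    if len(recs) > 1:
        return "permerror"   # several records: the policy cannot be determined
    ip = ipaddress.ip_address(sender_ip)
    for term in recs[0].split()[1:]:
        qualifier = "+"      # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6") and arg:
            # strict=False accepts host bits in the prefix, as in 209.47.176.16/26;
            # an address of the other IP version is simply not contained
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        # a, mx, include, exists and redirect= need live DNS: no match offline
    return "neutral"         # no "all" term: the RFC 7208 default result
```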
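The SigningTable lookup order from the quoted file comment, reproduced as an added example that is not opendkim's own code: with a "file:" table the From: address is matched literally in the order user@host, host, user@.domain walking up the superdomains, .domain (the same walk, as I read the comment), user@*, and finally *; the "refile:" matcher is a simplified approximation in which "*" matches any run of characters, enough to show why the thread's *@harte-lyne.ca entry only signs under refile:. The sample table is constructed.

```python
"""Which SigningTable entry opendkim would pick for a From: address (constructed)."""
import re
from typing import Dict, List, Optional

def parse_signing_table(text: str) -> Dict[str, str]:
    """Parse "key value" lines; '#' starts a comment and blank lines are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table

def lookup_keys(from_addr: str) -> List[str]:
    """Candidate keys in the order a "file:" SigningTable is consulted."""
    user, _, host = from_addr.lower().rpartition("@")
    labels = host.split(".")
    supers = [".".join(labels[i:]) for i in range(1, len(labels))]  # example.com, com
    return ([f"{user}@{host}", host]
            + [f"{user}@.{d}" for d in supers]   # user@.example.com, user@.com
            + [f".{d}" for d in supers]          # .example.com, .com (assumed walk)
            + [f"{user}@*", "*"])

def select_file_entry(table: Dict[str, str], from_addr: str) -> Optional[str]:
    """"file:" semantics: the first literal candidate present in the table wins."""
    return next((table[k] for k in lookup_keys(from_addr) if k in table), None)

def select_refile_entry(table: Dict[str, str], from_addr: str) -> Optional[str]:
    """"refile:" semantics, simplified: '*' in a key matches any characters."""
    addr = from_addr.lower()
    for key, value in table.items():
        pattern = "^" + ".*".join(re.escape(part) for part in key.split("*")) + "$"
        if re.match(pattern, addr):
            return value
    return None

# Constructed sample table; the first entry is the wildcard form shown in the thread.
SAMPLE_TABLE = parse_signing_table("""
# From address (left)          key name in KeyTable (right)
*@harte-lyne.ca                dkim_hll
.example.com                   dkim_example
jane@.example.com              dkim_jane
""")
```

Under "file:" the wildcard entry never matches because no literal candidate equals "*@harte-lyne.ca"; under "refile:" it signs every address on the domain.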