Date:      Tue, 4 Sep 2018 10:28:51 -0400
From:      William Dudley <wfdudley@gmail.com>
To:        "James B. Byrne" <byrnejb@harte-lyne.ca>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: DKIM is driving me nuts
Message-ID:  <CAFsnNZL-C+_VTw7YXvUeyM_BfiikZqgADo+S5KP_zpu7xcUvAg@mail.gmail.com>
In-Reply-To: <a57ff4870e5d68211e673a5383892017.squirrel@webmail.harte-lyne.ca>
References:  <mailman.104.1535976002.94972.freebsd-questions@freebsd.org> <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca> <CAFsnNZ+iHrnQAzJPwj+b8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com> <a57ff4870e5d68211e673a5383892017.squirrel@webmail.harte-lyne.ca>

My domain is not "casaMo.com", so all of your research is irrelevant.

Thanks,
Bill Dudley


This email is free of malware because I run Linux.

On Tue, Sep 4, 2018 at 10:10 AM, James B. Byrne <byrnejb@harte-lyne.ca>
wrote:

>
> On Mon, September 3, 2018 15:34, William Dudley wrote:
> > I have an SPF record.
> >
> > That is not the problem.
>
> I beg to differ.  It may not be your ONLY problem but it is a problem.
>
>
> [byrnejb_hll@vhost04 ~]$ drill casamo.com TXT
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 53899
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
> ;; QUESTION SECTION:
> ;; casamo.com.  IN      TXT
>
> ;; ANSWER SECTION:
> casamo.com.     3600    IN      TXT     "google-site-verification=
> ljFtgzq9av4Oxtx_FepTKvL7E7xMzlen1UnDKBBWO8g"
>
> ;; AUTHORITY SECTION:
> casamo.com.     172800  IN      NS      ns63.domaincontrol.com.
> casamo.com.     172800  IN      NS      ns64.domaincontrol.com.
>
> ;; ADDITIONAL SECTION:
> ns63.domaincontrol.com. 172800  IN      A       216.69.185.42
> ns63.domaincontrol.com. 172800  IN      AAAA    2607:f208:206::2a
> ns64.domaincontrol.com. 172800  IN      A       173.201.69.42
> ns64.domaincontrol.com. 172800  IN      AAAA    2603:5:2254::2a
>
> ;; Query time: 59 msec
> ;; SERVER: 216.185.71.33
> ;; WHEN: Tue Sep  4 09:50:52 2018
> ;; MSG SIZE  rcvd: 249
> [byrnejb_hll@vhost04 ~]$ drill mail.casamo.com TXT
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 50174
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; mail.casamo.com.     IN      TXT
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> casamo.com.     600     IN      SOA     ns63.domaincontrol.com.
> dns.jomax.net.
> 2018021000 28800 7200 604800 600
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 58 msec
> ;; SERVER: 216.185.71.34
> ;; WHEN: Tue Sep  4 09:51:15 2018
> ;; MSG SIZE  rcvd: 101
> [byrnejb_hll@vhost04 ~]$ drill dudley.casamo.com TXT
> ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 56419
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;; dudley.casamo.com.   IN      TXT
>
> ;; ANSWER SECTION:
>
> ;; AUTHORITY SECTION:
> casamo.com.     600     IN      SOA     ns63.domaincontrol.com.
> dns.jomax.net.
> 2018021000 28800 7200 604800 600
>
> ;; ADDITIONAL SECTION:
>
> ;; Query time: 17 msec
> ;; SERVER: 216.185.71.33
> ;; WHEN: Tue Sep  4 09:51:32 2018
> ;; MSG SIZE  rcvd: 103
>
> Whatever you believe to be the case your DNS TXT RR with the spf
> version and list of authorised senders is not published and this lack
> is likely contributing to, if not the entire cause of, your
> difficulty.  You do not have any published DNS SPF RRs either, but as
> that particular RR is deprecated you should not have such in any case.
>
> > and I cannot figure out how opendkim chooses which key
> > to use to sign emails.  Does it look at Message-Id?  Does it look
> > at Reply-to: (unlikely) ?  Whatever field it uses, changes depending
> > on if I use Thunderbird, Mail (mailx), or the mailman listserve to
> > send the email.
> >
>
> Read man 5 opendkim.conf re signing table.
>
> For example:
>
> cat /usr/local/etc/mail/opendkim/SigningTable
> # OPENDKIM SIGNING TABLE
> # This table controls how to apply one or more signatures to
> # outgoing messages based on the address found in the
> # From: header field. In simple terms, this tells OpenDKIM "how"
> # to apply your keys.
>
> # To use this file, uncomment the SigningTable option in
> # /etc/opendkim.conf, then uncomment one of the usage examples
> # below and replace example.com with your domain name, then
> # restart OpenDKIM.
>
> # WILDCARD EXAMPLE
> # Enables signing for any address on the listed domain(s), but
> # will work only if "refile:/etc/opendkim/SigningTable" is included
> # in /etc/opendkim.conf.
> # Create additional lines for additional domains.
>
> #*@example.com default._domainkey.example.com
>
> # NON-WILDCARD EXAMPLE
> # If "file:" (instead of "refile:") is specified in /etc/opendkim.conf,
> # then wildcards will not work. Instead, full user@host is checked
> # first, then simply host, then user@.domain (with all superdomains
> # checked in sequence, so "foo.example.com" would first check
> # "user@foo.example.com", then "user@.example.com", then "user@.com"),
> # then .domain, then user@*, and finally *.
> # See the opendkim.conf(5) man page under "SigningTable" for more
> # details.
>
> #From address                     left hand side key value in KeyTable
> *@harte-lyne.ca                   dkim_hll
>
> You need to CAREFULLY consider each option in opendkim.conf and decide
> how it fits into your SPF and DMARC scheme.  You must also set up the
> support files required for each option that you enable.  And you must
> have suitable DNS RRs published.
>
> > On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne <byrnejb@harte-lyne.ca>
> > wrote:
> >
> >>
> >> On Sun, September 2, 2018 19:06, William Dudley wrote:
> >> > I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
> >> > system.
> >> > Since I don't know if the problem is sendmail or opendkim or DNS
> >> or
> >> > what, I'm asking here.
> >> >
> >>
> >> You need a sender policy framework specification in your dns for the
> >> domains you wish secured.  You do not put the keys in this, just the
> >> policy version, the authorised hosts, and the disposal option.
> >>
> >> Ours is:
> >>
> >> harte-lyne.ca.          172800  IN      TXT
> >>    "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26
> >> ip4:216.185.71.128/26 -all"
> >>
> >> The ~all at the end is called a soft fail. It means that recipients
> >> may accept mail from another server, but that the sender should be
> >> viewed with suspicion. If you change the disposal option to -all you
> >> are directing the recipient to reject mail from any server other
> >> than
> >> these. The soft fail approach is safer and recommended.
> >>
> >> If you employ dkim without a dns entry for your sender policy
> >> framework, or with invalid SPF or multiple SPF dns records, then the
> >> correct behaviour is to reject all mail from the sender since the
> >> policy cannot be determined.
> >>
>
>
> --
> ***          e-Mail is NOT a SECURE channel          ***
>         Do NOT transmit sensitive data via e-Mail
>  Do NOT open attachments nor follow links sent by e-Mail
>
> James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
> Harte & Lyne Limited          http://www.harte-lyne.ca
> 9 Brockley Drive              vox: +1 905 561 1241
> Hamilton, Ontario             fax: +1 905 561 0757
> Canada  L8E 3C3
>
>
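The lookup order James quotes from opendkim.conf(5) for a "file:" SigningTable, and the way a "refile:" table differs, is easier to see by running it. The following is an added example written for this page, not opendkim's own code: the table entries, KeyTable names and addresses are constructed, the "refile:" matching is a simplified assumption (each "*" is a wildcard, everything else is literal, and the pattern must cover the whole From: address), and the superdomain walk treats the plain "user@host" check as already covering the first superdomain step.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample SigningTable (added example; not the table quoted in the
# message). Keys are From: address patterns, values are KeyTable names.
# Insertion order matters for refile: mode, where the first match wins.
SIGNING_TABLE: Dict[str, str] = {
    "postmaster@harte-lyne.ca": "dkim_postmaster",  # full user@host
    "lists.harte-lyne.ca": "dkim_lists",            # plain host
    "bill@.harte-lyne.ca": "dkim_bill",             # user@.domain
    ".harte-lyne.ca": "dkim_hll",                   # .domain
    "*@example.com": "dkim_example",                # wildcard: only works with refile:
    "*": "dkim_default",                            # catch-all
}


def superdomains(host: str) -> List[str]:
    """'foo.example.com' -> ['foo.example.com', 'example.com', 'com']."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def file_candidates(address: str) -> List[str]:
    """Keys tried, in order, for a file: (literal-key) SigningTable, following
    the order quoted from opendkim.conf(5): user@host, host, user@.superdomain
    for each superdomain, .superdomain for each superdomain, user@*, *."""
    user, _, host = address.lower().rpartition("@")
    parents = superdomains(host)[1:]          # host itself was covered by user@host
    cands = [f"{user}@{host}", host]
    cands += [f"{user}@.{d}" for d in parents]
    cands += [f".{d}" for d in superdomains(host)]
    cands += [f"{user}@*", "*"]
    return cands


def file_lookup(address: str, table: Dict[str, str] = SIGNING_TABLE) -> Optional[Tuple[str, str]]:
    """file: semantics: exact key match only, in candidate order."""
    for key in file_candidates(address):
        if key in table:
            return key, table[key]
    return None


def refile_pattern(key: str) -> "re.Pattern":
    """refile: semantics (simplified assumption): '*' is a wildcard, the rest of
    the key is literal, and the whole address must match."""
    body = ".*".join(re.escape(part) for part in key.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


def refile_lookup(address: str, table: Dict[str, str] = SIGNING_TABLE) -> Optional[Tuple[str, str]]:
    """refile: semantics: first key in file order whose pattern matches."""
    for key, value in table.items():
        if refile_pattern(key).match(address):
            return key, value
    return None


if __name__ == "__main__":
    for addr in ("bill@mail.harte-lyne.ca", "alice@harte-lyne.ca", "bob@example.com"):
        print(f"{addr:26} file: {file_lookup(addr)}  refile: {refile_lookup(addr)}")
```

The contrast to look at is bob@example.com: with "file:" the "*@example.com" entry is never consulted (it is just a literal key that no candidate equals) and the address falls through to "*", while with "refile:" it is matched as a wildcard. Conversely the ".harte-lyne.ca" entry, which is what makes a "file:" table cover a whole domain, stops matching under "refile:" because it is then a literal pattern that no full address equals.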

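James's points about the SPF record (version tag, authorised senders, the "-all"/"~all" disposal term, and what a missing or duplicated record does to the receiver's decision) can be checked against a small evaluator. This is an added example, not code from the thread or from any SPF library: DNS is replaced by an in-memory table so it runs offline. The harte-lyne.ca entry mirrors the record quoted in the message and the casamo.com entry mirrors the drill output (a google-site-verification TXT and nothing else); the soft.example and dup.example names are constructed to exercise the other outcomes. Only the ip4, ip6 and all mechanisms are implemented, since the others need live DNS.

```python
import ipaddress
from typing import Dict, List

# Constructed stand-in for DNS TXT answers (no network access).
FAKE_TXT: Dict[str, List[str]] = {
    "harte-lyne.ca": [
        "v=spf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26 ip4:216.185.71.128/26 -all",
    ],
    "casamo.com": ["google-site-verification=ljFtgzq9av4Oxtx_FepTKvL7E7xMzlen1UnDKBBWO8g"],
    "soft.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],                       # constructed
    "dup.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],  # constructed
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(domain: str, txt: Dict[str, List[str]] = FAKE_TXT) -> List[str]:
    """Only TXT strings whose first term is 'v=spf1' count as SPF records
    (RFC 7208 section 4.5); any other TXT at the name is ignored."""
    return [r for r in txt.get(domain.lower(), []) if r.split(" ", 1)[0].lower() == "v=spf1"]


def check_spf(domain: str, client_ip: str, txt: Dict[str, List[str]] = FAKE_TXT) -> str:
    """Evaluate client_ip against the SPF record published for domain.
    Returns one of: none, permerror, pass, fail, softfail, neutral."""
    records = spf_records(domain, txt)
    if not records:
        return "none"        # nothing published: the receiver has no policy to apply
    if len(records) > 1:
        return "permerror"   # RFC 7208 section 4.5: more than one record is a permanent error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"      # a mechanism with no explicit qualifier means "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            # a, mx, include, exists, redirect= ... need DNS lookups; out of scope here.
            raise NotImplementedError(f"mechanism not implemented in this example: {term}")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"         # RFC 7208 section 4.7: no mechanism matched


if __name__ == "__main__":
    cases = (
        ("harte-lyne.ca", "216.185.71.33"),   # inside 216.185.71.0/26
        ("harte-lyne.ca", "198.51.100.7"),    # outside every listed range
        ("casamo.com", "198.51.100.7"),       # no SPF record published
        ("soft.example", "198.51.100.7"),     # ~all instead of -all
        ("dup.example", "192.0.2.1"),         # two v=spf1 records
    )
    for dom, ip in cases:
        print(f"{dom:15} {ip:15} -> {check_spf(dom, ip)}")
```

The two cases to compare are the outside-range sender against harte-lyne.ca ("fail", because the record ends in -all) and the same sender against soft.example ("softfail", because of ~all); that is the only difference the disposal term makes. A domain with no v=spf1 TXT at all, as casamo.com shows here, yields "none", and two v=spf1 records yield "permerror" without either record being consulted.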

