Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 3 Sep 2018 16:44:13 -0400
From:      Chris Gordon <freebsd@theory14.net>
To:        William Dudley <wfdudley@gmail.com>
Cc:        "James B. Byrne" <byrnejb@harte-lyne.ca>, freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: DKIM is driving me nuts
Message-ID:  <7CB447CE-B9D5-4E4C-8E10-A431FC8C779E@theory14.net>
In-Reply-To: <CAFsnNZ+iHrnQAzJPwj+b8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com>
References:  <mailman.104.1535976002.94972.freebsd-questions@freebsd.org> <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca> <CAFsnNZ+iHrnQAzJPwj+b8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
The values in the SigningTable do this mapping. The opendkim.comf man =
page talks about this, but it can be really confusing until you see it =
all pieced together.  First, you can use the same key to sing all mail =
from your domain, so you don=E2=80=99t have to create a different key =
for each host. =20

Here=E2=80=99s what I have (edited for your domain) and assuming you =
want to use the same key for everything in casano.com:

- In /usr/local/etc/mail/opendkim.conf, I have the following settings, =
among others -- mostly defaults:
SigningTable  refile:/usr/local/etc/mail/signing_table
KeyTable      file:/usr/local/etc/mail/key_table

- /usr/local/etc/mail/signing_table should have:

*@casano.com  mail._domainkey.casano.com

- Then in /usr/local/etc/mail/key_table, you have:

mail._domainkey.casano.com  casano.com:mail:/path/to/the/keyfile


The SigningTable matches the domain to value on the right hand side.  =
Then looks up that value in the KeyTable to get the path to the key to =
use to sign.  There may be other ways to do this (I actually sign a =
couple of domains with different keys, so I have more lines in my to =
table files) and it=E2=80=99s been a while since I set it up, so I=E2=80=99=
m a bit rusty and may have something a bit off.

Hope that helps.

Chris


> On Sep 3, 2018, at 3:34 PM, William Dudley <wfdudley@gmail.com> wrote:
>=20
> I have an SPF record.
>=20
> That is not the problem.
>=20
> The problem is that the server has three names:
>=20
> casano.com
> mail.casano.com
> dudley.casano.com
>=20
> and I cannot figure out how opendkim chooses which key
> to use to sign emails.  Does it look at Message-Id?  Does it look
> at Reply-to: (unlikely) ?  Whatever field it uses, changes depending
> on if I use Thunderbird, Mail (mailx), or the mailman listserve to =
send
> the email.
>=20
> Thanks,
> Bill Dudley
>=20
>=20
> This email is free of malware because I run Linux.
>=20
> On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne <byrnejb@harte-lyne.ca>
> wrote:
>=20
>>=20
>> On Sun, September 2, 2018 19:06, William Dudley wrote:
>>> I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
>>> system.
>>> Since I don't know if the problem is sendmail or opendkim or DNS or
>>> what, I'm asking here.
>>>=20
>>=20
>> You need a sender policy framework specification in your dns for the
>> domains you wish secured.  You do not put the keys in this, just the
>> policy version, the authorised hosts, and the disposal option.
>>=20
>> Ours is:
>>=20
>> harte-lyne.ca.          172800  IN      TXT
>>   "v=3Dspf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26
>> ip4:216.185.71.128/26 -all"
>>=20
>> The ~all at the end is called a soft fail. It means that recipients
>> may accept mail from another server, but that the sender should be
>> viewed with suspicion. If you change the disposal option to -all you
>> are directing the recipient to reject mail from any server other than
>> these. The soft fail approach is safer and recommended.
>>=20
>> If you employ dkim without a dns entry for your sender policy
>> framework, or with invalid SPF or multiple SPF dns records, then the
>> correct behaviour is to reject all mail from the sender since the
>> policy cannot be determined.
>>=20
>> --
>> ***          e-Mail is NOT a SECURE channel          ***
>>        Do NOT transmit sensitive data via e-Mail
>> Do NOT open attachments nor follow links sent by e-Mail
>>=20
>> James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
>> Harte & Lyne Limited          http://www.harte-lyne.ca
>> 9 Brockley Drive              vox: +1 905 561 1241
>> Hamilton, Ontario             fax: +1 905 561 0757
>> Canada  L8E 3C3
>>=20
>>=20
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to =
"freebsd-questions-unsubscribe@freebsd.org"




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?7CB447CE-B9D5-4E4C-8E10-A431FC8C779E>