Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 3 Sep 2018 17:23:14 -0400
From:      William Dudley <wfdudley@gmail.com>
To:        Chris Gordon <freebsd@theory14.net>
Cc:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   Re: DKIM is driving me nuts
Message-ID:  <CAFsnNZK+Z=2_YyYJ8HiFTPFunrt8Qb+3LaWa_BzMAOBw65VJxQ@mail.gmail.com>
In-Reply-To: <7CB447CE-B9D5-4E4C-8E10-A431FC8C779E@theory14.net>
References:  <mailman.104.1535976002.94972.freebsd-questions@freebsd.org> <2d9ca6fc33b9aa430233bc0862b65453.squirrel@webmail.harte-lyne.ca> <CAFsnNZ+iHrnQAzJPwj+b8i4ML0c=dXOsn3UzhhyDrTB6EHn=hg@mail.gmail.com> <7CB447CE-B9D5-4E4C-8E10-A431FC8C779E@theory14.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Chris,

I'm going to hop right on this and will report back with my success or
failure.

Thanks,
Bill


This email is free of malware because I run Linux.

On Mon, Sep 3, 2018 at 4:44 PM, Chris Gordon <freebsd@theory14.net> wrote:

> The values in the SigningTable do this mapping. The opendkim.comf man pag=
e
> talks about this, but it can be really confusing until you see it all
> pieced together.  First, you can use the same key to sing all mail from
> your domain, so you don=E2=80=99t have to create a different key for each=
 host.
>
> Here=E2=80=99s what I have (edited for your domain) and assuming you want=
 to use
> the same key for everything in casano.com:
>
> - In /usr/local/etc/mail/opendkim.conf, I have the following settings,
> among others -- mostly defaults:
> SigningTable  refile:/usr/local/etc/mail/signing_table
> KeyTable      file:/usr/local/etc/mail/key_table
>
> - /usr/local/etc/mail/signing_table should have:
>
> *@casano.com  mail._domainkey.casano.com
>
> - Then in /usr/local/etc/mail/key_table, you have:
>
> mail._domainkey.casano.com  casano.com:mail:/path/to/the/keyfile
>
>
> The SigningTable matches the domain to value on the right hand side.  The=
n
> looks up that value in the KeyTable to get the path to the key to use to
> sign.  There may be other ways to do this (I actually sign a couple of
> domains with different keys, so I have more lines in my to table files) a=
nd
> it=E2=80=99s been a while since I set it up, so I=E2=80=99m a bit rusty a=
nd may have
> something a bit off.
>
> Hope that helps.
>
> Chris
>
>
> > On Sep 3, 2018, at 3:34 PM, William Dudley <wfdudley@gmail.com> wrote:
> >
> > I have an SPF record.
> >
> > That is not the problem.
> >
> > The problem is that the server has three names:
> >
> > casano.com
> > mail.casano.com
> > dudley.casano.com
> >
> > and I cannot figure out how opendkim chooses which key
> > to use to sign emails.  Does it look at Message-Id?  Does it look
> > at Reply-to: (unlikely) ?  Whatever field it uses, changes depending
> > on if I use Thunderbird, Mail (mailx), or the mailman listserve to send
> > the email.
> >
> > Thanks,
> > Bill Dudley
> >
> >
> > This email is free of malware because I run Linux.
> >
> > On Mon, Sep 3, 2018 at 3:03 PM, James B. Byrne <byrnejb@harte-lyne.ca>
> > wrote:
> >
> >>
> >> On Sun, September 2, 2018 19:06, William Dudley wrote:
> >>> I'm trying to make DKIM work on my FreeBSD 10.3, stock sendmail
> >>> system.
> >>> Since I don't know if the problem is sendmail or opendkim or DNS or
> >>> what, I'm asking here.
> >>>
> >>
> >> You need a sender policy framework specification in your dns for the
> >> domains you wish secured.  You do not put the keys in this, just the
> >> policy version, the authorised hosts, and the disposal option.
> >>
> >> Ours is:
> >>
> >> harte-lyne.ca.          172800  IN      TXT
> >>   "v=3Dspf1 ip4:209.47.176.16/26 ip4:216.185.71.0/26
> >> ip4:216.185.71.128/26 -all"
> >>
> >> The ~all at the end is called a soft fail. It means that recipients
> >> may accept mail from another server, but that the sender should be
> >> viewed with suspicion. If you change the disposal option to -all you
> >> are directing the recipient to reject mail from any server other than
> >> these. The soft fail approach is safer and recommended.
> >>
> >> If you employ dkim without a dns entry for your sender policy
> >> framework, or with invalid SPF or multiple SPF dns records, then the
> >> correct behaviour is to reject all mail from the sender since the
> >> policy cannot be determined.
> >>
> >> --
> >> ***          e-Mail is NOT a SECURE channel          ***
> >>        Do NOT transmit sensitive data via e-Mail
> >> Do NOT open attachments nor follow links sent by e-Mail
> >>
> >> James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
> >> Harte & Lyne Limited          http://www.harte-lyne.ca
> >> 9 Brockley Drive              vox: +1 905 561 1241
> >> Hamilton, Ontario             fax: +1 905 561 0757
> >> Canada  L8E 3C3
> >>
> >>
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-
> unsubscribe@freebsd.org"
>
>



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?CAFsnNZK+Z=2_YyYJ8HiFTPFunrt8Qb+3LaWa_BzMAOBw65VJxQ>