Article 5721E DKIM issues, continued

by mfoley from LinuxQuestions.org on (#5721E)

I believe I have successfully configured DKIM on my sendmail mail server. However, I am getting mixed results when recipients of email from that server try to validate its DKIM. For example, the following is the header of a message from the server running opendkim received on my personal server:
Code:
From noreply@ohprs.org Wed Aug 12 00:01:31 2020
Return-Path: <noreply@ohprs.org>
Received: from mail.ohprs.org (mail.ohprs.org [98.102.63.107])
by server.novatec-inc.com (8.15.2/8.15.2) with ESMTPS id 07C41TWv015009
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
for <mfoley@novatec-inc.com>; Wed, 12 Aug 2020 00:01:30 -0400
Authentication-Results: server.novatec-inc.com;
dkim=pass (1024-bit key) header.d=ohprs.org header.i=@ohprs.org header.b=loMw2ZHp
Received: from common.hprs.local ([192.168.0.58])
by mail.hprs.local (8.15.2/8.15.2) with ESMTPS id 07C41SG2018241
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <sysadmin@mail.hprs.local>; Wed, 12 Aug 2020 00:01:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ohprs.org;
s=hprsmail; t=1597204889;
bh=N1h2kkntuY1ypSooI+tmDO+9aSkot/zE4XjW0D7Ybos=;
h=Date:From:To:Subject;
b=loMw2ZHpbUOr/ERMQkuQ1KmoP7Qu24pai9bHk78UbFK5hVRH7NJP+GWcAFKgwIWZI
h4abdevU76fkRHq9P81PS1OqKXSrv4FrjBxKGAk36Esaj9s+rTqOGC5wezCCVIfblH
LHOH2Uo+RhqvYZmMPJoom2rS9hrqIqKqfbmw/o8M=
Received: from common.hprs.local (localhost [127.0.0.1])
by common.hprs.local (8.15.2/8.15.2) with ESMTP id 07C41SxQ031669
for <sysadmin@common.hprs.local>; Wed, 12 Aug 2020 00:01:28 -0400
Received: (from root@localhost)
by common.hprs.local (8.15.2/8.15.2/Submit) id 07C41Sdb031667
for sysadmin; Wed, 12 Aug 2020 00:01:28 -0400

This is "dkim=pass". This message was sent by host common.hprs.local, which is a Linux host on the 192.168.0.0/24 subnet. It uses mail.hprs.local (192.168.0.2) as the SMART_HOST, so this message is routed through that server. Note also that it is specifying noreply@ohprs.org as the reply address.

Now, the following is a message sent directly from host mail.ohprs.org (the one actually running opendkim and supposedly the one the DKIM TXT record references):
Code:
From noreply@ohprs.org Sun Aug 16 12:42:11 2020
Return-Path: <noreply@ohprs.org>
Received: from mail.ohprs.org (mail.ohprs.org [98.102.63.107])
by server.novatec-inc.com (8.15.2/8.15.2) with ESMTPS id 07GGgAbd015207
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
for <mfoley@novatec-inc.com>; Sun, 16 Aug 2020 12:42:10 -0400
Authentication-Results: server.novatec-inc.com;
dkim=fail reason="signature verification failed" (1024-bit key) header.d=ohprs.org header.i=@ohprs.org header.b=WaIQbsoS
Received: from mail.hprs.local (localhost [127.0.0.1])
by mail.hprs.local (8.15.2/8.15.2) with ESMTPS id 07GGg9jM015260
(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO)
for <sysadmin@mail.hprs.local>; Sun, 16 Aug 2020 12:42:09 -0400
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.99.2 at mail
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ohprs.org;
s=hprsmail; t=1597596129;
bh=Be30ywlNvCV9FnZuPw8Yh2Gxy7fH76e6jeY7IVlhkT0=;
h=Date:From:To:Subject;
b=WaIQbsoS3P0FQB5knVddCuC72huJW0a0PVEad3rjY60r7Gkl7IlZXsbUH2KBgPJVs
QgyShnO1YAbzIlmNfqfCIaV0rJSKB0Xabmr3OnIVYjyogbu+gdegk3kf6PN+jU2Ucm
z/9FTCof/eBjT+ViTfH3xpWNzribuoC5ovAdtqaI=
Received: (from root@localhost)
by mail.hprs.local (8.15.2/8.14.9/Submit) id 07GGg94V015259
for sysadmin; Sun, 16 Aug 2020 12:42:09 -0400

That server's public FQDN is mail.ohprs.org. Notice that it has "dkim=fail". Why?

My /etc/opendkim.conf is:
Code:
LogWhy yes
Syslog yes
SyslogSuccess yes

Canonicalization relaxed/simple

Domain ohprs.org
Selector hprsmail

ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable

mode sv
PidFile /var/run/opendkim/opendkim.pid
Socket inet:8891@localhost

ReportAddress sysadmin@ohprs.org
SendReports yes

UserID opendkim:opendkim

Why would the receiving server at novatec-inc.com be able to validate the DKIM for hosts on the 192.168.0.0/24 subnet which use mail.hprs.local (192.168.0.2) as the SMART_HOST, but messages sent directly from that host mail.hprs.local (mail.ohprs.org) fail validation, even though that is the host running opendkim?

Also note that on https://mxtoolbox.com/dkim.aspx, ohprs.org with selector hprsdmail validates.
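
Added example, not part of the original post: a way to recompute the `bh=` body hash for the `c=relaxed/simple`, `a=rsa-sha256` signature shown above from a saved copy of a message, so a body-hash mismatch can be told apart from a header-signature failure. The function names and `SAMPLE_BODY` are constructed for illustration; the real message body is not on the page, and the `l=` tag is not handled.

```python
import base64
import hashlib
import re

# DKIM-Signature value from the failing message in the post (b= left out:
# only the body hash is checked here, not the RSA signature).
FAILING_SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=ohprs.org;\r\n"
               "\ts=hprsmail; t=1597596129;\r\n"
               "\tbh=Be30ywlNvCV9FnZuPw8Yh2Gxy7fH76e6jeY7IVlhkT0=;\r\n"
               "\th=Date:From:To:Subject;")
SAMPLE_BODY = b"Nightly report attached.\r\n"  # constructed, not the real body


def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, 3.2)."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding is ignored
    return tags


def canon_body(body, mode):
    """Body canonicalization per RFC 6376, 3.4.3 (simple) / 3.4.4 (relaxed)."""
    # Assumption: bare LF (e.g. a copy saved from an mbox) is treated as CRLF.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse runs of WSP, drop WSP at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # trailing empty lines are ignored
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out if out or mode == "relaxed" else b"\r\n"  # simple: empty -> CRLF


def body_hash(body, mode="simple"):
    """Base64 SHA-256 of the canonicalized body, comparable to bh= (rsa-sha256)."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def check_body(sig_value, body):
    """Return (bh from signature, bh recomputed from body, whether they match)."""
    tags = parse_tags(sig_value)
    mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    recomputed = body_hash(body, mode)
    return tags["bh"], recomputed, tags["bh"] == recomputed


if __name__ == "__main__":
    print(check_body(FAILING_SIG, SAMPLE_BODY))
```

If the recomputed value differs from `bh=`, the body that arrived is not the body that was signed; if it matches, the failure lies in the signed headers (`h=`) or the key lookup.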