Dovecot emails not signed by DKIM

I'm using mail/opendkim to sign all emails for my domain. It's working correctly when any email is sent directly from the server (PHPMailer, WordPress, Forum, etc).

However, when I try to send email from home (using my domain's mailbox), anything dovecot handles does not get signed when the email is delivered (using Postfix).

Any idea where I can start troubleshooting this?
 
Dovecot doesn't send e-mail, it only allows you to retrieve that from your mailboxes, your MTA handles all that.

I'd say start by checking your logfiles. See what your MTA is doing with the e-mails. Is it possible that only locally generated e-mail (here's looking at /usr/sbin/sendmail) gets handled and remote gets ignored?
 
Ah that's right, my mistake. When connecting through Postfix at home to send emails, the emails are not getting signed.

The mail log doesn't show anything out of the ordinary.
Code:
From home (not signed)

Nov 11 13:29:14 localhost postfix/smtpd[74492]: connect from me.some.isp.com[11.22.33.44]
Nov 11 13:29:14 localhost postfix/smtpd[74492]: ED9BA45CDFE: client=me.some.isp.com[11.22.33.44]
Nov 11 13:29:15 localhost postfix/cleanup[74495]: ED9BA45CDFE: message-id=<232E5C68288D4A79BAEB7F8913FD619C@HOME>
Nov 11 13:29:15 localhost postfix/qmgr[73739]: ED9BA45CDFE: from=<me@example.com>, size=1364, nrcpt=1 (queue active)
Nov 11 13:29:15 localhost postfix/smtpd[74492]: disconnect from me.some.isp.com[11.22.33.44] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 11 13:29:15 localhost postfix/smtp[74496]: ED9BA45CDFE: to=<you@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.199.26]:25, delay=0.55, delays=0.34/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1510435756 u128si5764224oib.144 - gsmtp)
Nov 11 13:29:15 localhost postfix/qmgr[73739]: ED9BA45CDFE: removed


localhost (signed email)

Nov 11 13:30:28 localhost postfix/smtpd[74492]: connect from localhost[127.0.0.1]
Nov 11 13:30:28 localhost postfix/smtpd[74492]: 4426C45CDFF: client=localhost[127.0.0.1]
Nov 11 13:30:28 localhost postfix/cleanup[74495]: 4426C45CDFF: message-id=<yZeC3PEWrVwanHGc4PJ5WIUhmvGdZpWdGvCkshQzI@www.domain.com>
Nov 11 13:30:28 localhost postfix/qmgr[73739]: 4426C45CDFF: from=<me@example.com>, size=667, nrcpt=1 (queue active)
Nov 11 13:30:28 localhost postfix/smtpd[74492]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 11 13:30:28 localhost postfix/smtp[74496]: 4426C45CDFF: to=<you@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.199.26]:25, delay=0.38, delays=0.22/0/0.06/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1510435830 v13si3442254oif.174 - gsmtp)
Nov 11 13:30:28 localhost postfix/qmgr[73739]: 4426C45CDFF: removed
 
Actually those logs show a lot. They show that Postfix doesn't do a thing with signing (or other external activities), so that most likely explains the cause. So how did you configure all this?

My theory at this point is that you only set up local filtering, maybe messing with the sendmail program or such. You should know though because you configured it :p

Anyway, the solution to all this is to move the whole signing / filtering process onto Postfix so that it can take care of all that. Being unfamiliar with Opendkim my best guess is to look into transport filtering, see transport(5) for that. This might be a good read.
 
In postfix do you have non_smtpd_milters and/or smtpd_milters set?

Sounds like just non_smtpd_milters is set, which allows the sendmail-like applications listed above to be processed by opendkim.
 
Actually those logs show a lot. They show that Postfix doesn't do a thing with signing (or other external activities), so that most likely explains the cause. So how did you configure all this?

I use smtpd_milters / non_smtpd_milters set in main.cf. I don't use sendmail, I have Postfix running on my server.

In postfix do you have non_smtpd_milters and/or smtpd_milters set?

Yes, I sure do :
Code:
smtpd_milters = inet:localhost:10028
non_smtpd_milters = inet:localhost:10028
 
I see that logging is not enabled by default. I enabled it and now see this when my email doesn't get signed :
Code:
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: me.some.isp.com[11.22.33.44] not internal
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: not authenticated
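
A log triage helper for the situation in this thread, as an added example that is not part of any post: it joins Postfix smtpd and OpenDKIM lines by queue ID and reports, for each unsigned message, the client, whether SMTP AUTH was logged, and the reason OpenDKIM gave. The log lines are constructed from the ones quoted above; the selector `default`, the extra queue IDs and the function names are assumptions.

```python
import re

# Constructed sample modelled on the log lines quoted in this thread (not real traffic).
SAMPLE_LOG = """\
Nov 11 17:48:33 localhost postfix/smtpd[84760]: 6A13445CF3B: client=me.some.isp.com[11.22.33.44]
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: me.some.isp.com[11.22.33.44] not internal
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: not authenticated
Nov 11 17:49:02 localhost postfix/smtpd[84761]: 7B24556D04C: client=localhost[127.0.0.1]
Nov 11 17:49:02 localhost opendkim[84752]: 7B24556D04C: DKIM-Signature field added (s=default, d=example.com)
Nov 11 17:50:10 localhost postfix/smtpd[84762]: 8C35667E15D: client=me.some.isp.com[11.22.33.44], sasl_method=PLAIN, sasl_username=me@example.com
Nov 11 17:50:10 localhost opendkim[84752]: 8C35667E15D: DKIM-Signature field added (s=default, d=example.com)
Nov 11 17:51:44 localhost postfix/smtpd[84763]: ED9BA45CDFE: client=me.some.isp.com[11.22.33.44]
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<prog>[\w/-]+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]{8,}): (?P<rest>.*)$")
SKIP_REASONS = ("not internal", "not authenticated")

def triage(log_text):
    """Join Postfix smtpd and OpenDKIM lines per queue ID."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connect/disconnect lines carry no queue ID
        rec = msgs.setdefault(m["qid"], {"client": None, "sasl": False,
                                         "signed": False, "reasons": []})
        rest = m["rest"]
        if m["prog"] == "postfix/smtpd" and rest.startswith("client="):
            rec["client"] = rest[len("client="):].split(",")[0]
            rec["sasl"] = "sasl_username=" in rest  # logged only after SMTP AUTH
        elif m["prog"] == "opendkim":
            if rest.startswith("DKIM-Signature field added"):
                rec["signed"] = True
            rec["reasons"] += [r for r in SKIP_REASONS if rest.endswith(r)]
    return msgs

def unsigned(log_text):
    """Return (queue_id, client, sasl_used, reasons) for each unsigned message."""
    out = []
    for qid, rec in triage(log_text).items():
        if not rec["signed"]:
            # No OpenDKIM line at all: milter not consulted or its logging is off.
            reasons = rec["reasons"] or ["no opendkim log entry"]
            out.append((qid, rec["client"], rec["sasl"], reasons))
    return out

if __name__ == "__main__":
    print(unsigned(SAMPLE_LOG))
```

A message reported with `sasl_used` false from a non-local client is also worth checking against the relay restrictions, since it was accepted without SMTP AUTH.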
 
Whoops, and I misread your post, silly me.. I thought you had found a solution.

Anyway, I'd keep an eye out for this bug report. And could this post be of any use? Or this, it also seems to hint at a bug.

Note: I have no idea because I don't use Opendkim myself, but still hope those links could be of some use.
 
I have this in my opendkim.conf:

Code:
InternalHosts           /usr/local/etc/mail/relayhosts

The latter contains the relaying IPs/networks.

That is with Sendmail, but should be generic.
 
I managed to find a solution that didn't require me to add my public IP address.

In /usr/local/etc/postfix/main.cf add :
Code:
milter_mail_macros = i {mail_addr}
In /usr/local/etc/mail/opendkim.conf add:
Code:
MacroList               mail_addr=user@domain.com
Now all my emails from user@domain.com are being signed. Also, you can use all sorts of macros to identify whether you want OpenDKIM to sign the emails or not.

The list can be found here : http://www.postfix.org/MILTER_README.html (Sendmail macro emulation)
 