Using KeyTable

From: Todd Lyons <>
Date: Thu, 20 May 2010 12:06:20 -0700

I am setting up opendkim 2.0.4 on a CentOS 5 box that is the mail
server for our local LUG mailing list (mailman), with the goal of
getting outbound mailing list email to be signed with our dkim key.
Here is the status at present:

1. Verification works flawlessly.
2. Signing of locally generated emails from a shell account works flawlessly.
3. Emails run through mailman do not get signed.

#3 seems obvious at first because the from address could be any of the
few hundred participants of the list. I'm having trouble wrapping my
head around what I need to do to make it sign all outbound list email.
 This is what I see in the logs when I send an email myself to the

May 20 08:20:23 penguin opendkim[4008]: o4KFJava004024 no signing
domain match for `'
May 20 08:20:23 penguin opendkim[4008]: o4KFJava004024 no signing
subdomain match for `'
May 20 08:20:23 penguin opendkim[4008]: o4KFJava004024: no signature data

My gut reaction is that the only thing I can do to make this work
right is to export all of the subscribers into a text file and
generate a KeyTable from it. The KeyTable configuration appears to be
a little more complex than it was on dkim-milter. I have a multi
domain dkim signing process working on a server running dkim-milter,
but on this server I cannot get opendkim to start if I uncomment the
KeyTable line. It blurts out:

# /etc/init.d/opendkim restart
Stopping OpenDKIM Milter: opendkim [ OK ]
Starting OpenDKIM Milter: opendkim: /usr/local/etc/opendkim.conf: at
least one selector and key required for signing mode
opendkim [FAILED]

Comment the line and it starts right up. Here is the keylist file:

My opendkim.config has:
# egrep '^[^#]' opendkim.conf
Canonicalization relaxed/simple
InternalHosts /usr/local/etc/dkim/local-ips
KeyFile /usr/local/etc/dkim/key1.private
LogWhy yes
Mode sv
PidFile /var/run/opendkim/
RemoveARAll No
RemoveOldSignatures No
Selector key1
Socket inet:49999_at_localhost
SubDomains Yes
Syslog Yes
X-Header Yes

Obviously, the line that I uncomment that causes me problems is:
KeyTable /usr/local/etc/dkim/keylist

...and setting the MTA setting to "MSA" just provided opendkim with
one more setting to choose not to sign the email:
May 20 08:12:39 penguin opendkim[3789]: o4KFCSdf003924 no MTA name match

What obvious thing(s) am I missing? What does opendkim need different
in this configuration for it to sign emails submitted to a mailman
mailing list? And what does opendkim need different in this
configuration for it to start when I tell it to use KeyTable? I
suspect I need to somehow incorporate the SigningTable function, but
the description of that does not make sense to me yet.

P.S. This does happen to be mailman 2.1.9, the version that strips all
dkim signatures from emails submitted to the list. I don't care about
that part, I just want the mail server to sign outbound

Regards...      Todd
I seek the is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurealius
Received on Thu May 20 2010 - 19:06:30 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:47 PST