Re[4]: How does opendkim determine on whose behalf to sign message?

From: Miha Vrhovnik <>
Date: Sat, 11 Sep 2010 08:20:23 +0200

"Murray S. Kucherawy" <> wrote on 10.9.2010 22:54:29:

>> Correct me if I'm wrong but you can do that if you do know the IP
>> addresses of the senders.
>The filter is given the IP address of the SMTP client that's talking to the MTA. It's that IP address upon which the decision is based. Presumably you have IP addresses that are external to you and some that are internal, so you would list the latter in your InternalHosts data set.
>Are you saying you have some internal addresses that should not have their mail signed by your domain, or that you're concerned they'll send mail from domains to which they otherwise have no right?
No, unfortunately I'm having all external. And I'm concerned about the latter (that they will send mail from domains to which they otherwise have no right). And that IS happening, as there were some customers who were abusing our server and sending massive amounts of messages once per week (they're "spamming" their customers). Then I added hourly message limits; they tried to adapt their software so that it would change MAIL FROM, but that didn't work, as limits were implemented per SASL username.

>> I didn't compile with --enable-sender_macro and this was getting a
>> strange error: "opendkim: /etc/opendkim.conf: configuration error at
>> line 269: unrecognized parameter"
>What's on line 269 of your configuration file? If it's SenderMacro then you need to do a "make clean; make; make install" after re-doing your ./configure with --enable-sender_macro.
SenderMacro {mail_addr} was on that line, and the version reporting the error was compiled without --enable-sender_macro. It might be the language barrier, and I didn't express myself clearly in that paragraph.

>> Nonetheless I'm worried because default settings are so relaxed,
>> because you usually don't have your users under control. It would be
>> better if by default they would be as tight as I'm trying to make them
>> right now.
>So far there hasn't been any demand for tighter settings by default. The design of DKIM is completely agnostic when it comes to the envelope, so it's probably not something that's considered too often.
>> If this would be implemented in native code then my suggestion is, add
>> two new variables to config:
>> TakeEmail(Domain)ForSignatureFrom From field || sender macro || (From
>> field && sender macro)
>> If both compare: full email || domain part ||doesn't matter
>> 2nd option would be just to add Compare variable which would do just
>> that.
>I think we have most of that via the SenderMacro setting, which can be used to get the envelope sender. I believe the {mail_addr} macro is the one you'd want. As far as verifying that the two are the same, we can either do that via a Lua example script or as a native feature that's on by default. If you like, you're welcome to open a feature request for this on the SourceForge tracker and we can schedule that work for the 2.3.0 release.

I've configured it with the SenderMacro last night and will take a look at that Lua script today to add a second part.


Received on Sat Sep 11 2010 - 06:20:43 PST
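
The comparison proposed in this message (From field against the envelope sender, matched on "full email", "domain part" or "doesn't matter"), written out as an added example; it is not OpenDKIM code and not the Lua script mentioned in the thread. The names `may_sign`, `split_addr` and `compare` are hypothetical, and `envelope_sender` stands for the value the {mail_addr} macro is said above to carry.

```python
from email.utils import getaddresses

def split_addr(addr):
    """Return (localpart, domain) with the domain lower-cased, or None if malformed."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None          # covers the null sender "<>" used by bounces
    return local, domain.lower().rstrip(".")

def may_sign(from_header, envelope_sender, compare="domain"):
    """Decide whether a message qualifies for signing.

    compare: "full" (whole address), "domain" (domain part only),
             "none" (envelope is ignored, the relaxed behaviour).
    """
    if compare not in ("full", "domain", "none"):
        raise ValueError("compare must be full, domain or none")
    # Parse the header properly so a display name that looks like an
    # address is not mistaken for the author address.
    authors = [a for _, a in getaddresses([from_header]) if a]
    if len(authors) != 1:
        return False         # zero or several authors: no single identity to check
    author = split_addr(authors[0])
    if author is None:
        return False
    if compare == "none":
        return True
    envelope = split_addr(envelope_sender)
    if envelope is None:
        return False         # nothing to compare against, so do not sign
    if author[1] != envelope[1]:
        return False         # domains are case-insensitive, already lower-cased
    return compare == "domain" or author[0] == envelope[0]

# Constructed sample messages: (From header, envelope sender)
SAMPLES = [
    ("Shop <news@shop.example>", "news@shop.example"),
    ("Shop <news@shop.example>", "bounce@Shop.Example"),
    ('"billing@bank.example" <billing@bank.example>', "news@shop.example"),
    ("a@shop.example, b@other.example", "a@shop.example"),
]

if __name__ == "__main__":
    for hdr, env in SAMPLES:
        print(hdr, "|", env, "->",
              {m: may_sign(hdr, env, m) for m in ("full", "domain", "none")})
```
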
