RE: InternalHosts Issue

From: Steve Jenkins <>
Date: Tue, 5 Oct 2010 22:18:04 -0700

Thanks for replying. Actually, you beat me to an update by about 5 mins.
Turns out I misspoke (mistyped?). When the remote server started working in
my testing, I didn't notice that the local server stopped signing mail.


The refile that you mentioned was actually causing the problem. If the
/etc/opendkim.conf file reads:


InternalHosts refile:/etc/mail/dkim/trusted-hosts


Then it appears to only accept the first entry in that file (perhaps if it were
a list of regexes it would be different, but I just tested the remote hostname
and the local loopback). Whichever one was listed first was seen as internal
and allowed to sign.


If I change it to simply:


InternalHosts /etc/mail/dkim/trusted-hosts


Then it works as expected, not caring how many hosts or IPs are listed, or in
which order.





[] On Behalf Of Murray S.
Sent: Tuesday, October 05, 2010 10:07 PM
Subject: RE: InternalHosts Issue


Interesting. It should be matching on that based on that input. I'll see
if I can simulate what you're seeing and thus figure out if it's a bug or


One thing though: You don't need "refile" for a file that contains no
wildcards or regular expressions on which to match. Since everything in
there is a string, you can just change it to "file".
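Added here as an illustration of the file vs. refile point above and of the order-independent matching Steve saw with a plain file: dataset; this is my own Python checker, not code from the thread or from OpenDKIM. It lints a trusted-hosts list, says whether plain "file:" is sufficient (no regex entries) or "refile:" is actually required, and evaluates a connecting peer against the list. The matching rules for a file: dataset (exact hostname, leading-dot domain suffix, exact IP, CIDR block) are my reading of opendkim.conf(5) and should be treated as an assumption; the sample file contents are constructed.

```python
import ipaddress
import re

# Metacharacters that only make sense in a regex (refile:) entry, never in a plain file: list.
REGEX_META = re.compile(r"[\\^$*+?()\[\]{}|]")

# Constructed sample of /etc/mail/dkim/trusted-hosts (not the poster's real file).
TRUSTED_HOSTS = """\
# hosts allowed to relay through this server and have their mail signed
yar.example.com
192.0.2.25
127.0.0.1
"""

def parse_trusted_hosts(text):
    """Drop blank lines and '#' comments; return the bare entries in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(line)
    return entries

def classify_entry(entry):
    """Return 'regex', 'cidr', 'ip', 'suffix' or 'host' for one entry."""
    if REGEX_META.search(entry):
        return "regex"
    try:
        ipaddress.ip_network(entry, strict=False)
        return "cidr" if "/" in entry else "ip"
    except ValueError:
        return "suffix" if entry.startswith(".") else "host"

def recommend_dataset(entries):
    """refile: is only needed when some entry is a regex; otherwise plain file: is right."""
    return "refile:" if any(classify_entry(e) == "regex" for e in entries) else "file:"

def is_internal(entries, peer_host, peer_ip):
    """Assumed file: semantics: exact host, .suffix match, exact IP, or CIDR containment.
    Every entry is consulted, so list order does not matter."""
    addr = ipaddress.ip_address(peer_ip)
    host = peer_host.lower()
    for e in entries:
        kind = classify_entry(e)
        if kind == "host" and host == e.lower():
            return True
        if kind == "suffix" and host.endswith(e.lower()):
            return True
        if kind in ("ip", "cidr") and addr in ipaddress.ip_network(e, strict=False):
            return True
    return False
```

Run recommend_dataset() over your real file before deciding between file: and refile:, and feed is_internal() the hostname and IP that the milter logs as "not internal" to confirm the list actually covers that peer.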




[] On Behalf Of Steve Jenkins
Sent: Tuesday, October 05, 2010 9:24 PM
Subject: RE: InternalHosts Issue


Well, I think I answered my own issue. For some reason I don't understand,
the localhost IP ( must appear LAST in the trusted-hosts list.
If it appears before any of the other trusted hosts, those other hosts
aren't considered "internal." Can someone confirm this is a feature and not
a bug? I couldn't find anything on Google that explains why this works this
way, but I'm glad I figured it out and mail from my trusted host is now
being signed. :)





[] On Behalf Of Steve Jenkins
Sent: Tuesday, October 05, 2010 5:11 PM
Subject: InternalHosts Issue


I've googled for the answer, and searched through the archives, but can't
seem to see what I'm doing wrong. It's GOTTA be something simple that I'm
overlooking. :)


I have two servers: Zork and Yar. Both are running Postfix and Zork is
running OpenDKIM (2.2.0 released on 10/3/10).


Zork sends signed mail no problem and says:


"Oct 5 16:32:58 zork opendkim[23594]: 0116C15F513: DKIM-Signature header


Yar is set up to relay mail through Zork. I've added Yar's hostname (and IP
for good measure) to the InternalHosts file on Zork, but I still get this
error in Zork's maillog:


Oct 5 17:02:20 zork opendkim[437]: (unknown-jobid):
[] not internal
Oct 5 17:02:20 zork opendkim[437]: (unknown-jobid): not authenticated
Oct 5 17:02:20 zork opendkim[437]: 7DE9915F513: no signature data


Here's my /etc/opendkim.conf:

## opendkim.conf -- configuration file for OpenDKIM filter
## $Id: opendkim.conf.sample,v 1.5 2010/03/05 03:32:12 mmarkley Exp $
ADSPAction Continue
ADSPNoSuchDomain Yes
AutoRestart Yes
AutoRestartRate 10/1h
Canonicalization relaxed/relaxed
ExternalIgnoreList refile:/etc/mail/dkim/trusted-hosts
InternalHosts refile:/etc/mail/dkim/trusted-hosts
KeyTable refile:/etc/mail/dkim/keyTable
LogWhy Yes
On-Default accept
On-BadSignature accept
On-DNSError tempfail
On-InternalError accept
On-NoSignature accept
On-Security tempfail
PidFile /var/run/opendkim/
SignatureAlgorithm rsa-sha256
SigningTable refile:/etc/mail/dkim/signingTable
Socket inet:20209@localhost
Syslog Yes
SyslogSuccess Yes
TemporaryDirectory /var/tmp
UMask 022
UserID opendkim-milt:opendkim-milt
X-Header Yes


Here's my /etc/mail/dkim/trusted-hosts file:


I've been pulling my hair out. I'm not sure what else OpenDKIM needs to
accept Yar as "internal." Can anyone shove me in the right direction?


Thanks in advance,


Received on Wed Oct 06 2010 - 05:18:22 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:19:49 PST