RE: [dkim-milter-discuss] sendmail non-smtpd possible?

From: Murray S. Kucherawy <>
Date: Mon, 8 Aug 2011 10:34:41 -0700

(Since you installed OpenDKIM instead, I'll Cc: that list and we should move this discussion over there.)

There are rewrite rules in the sendmail configuration that change the From: field (features called "masquerade" and "genericstable"). That's why it appears to be delivered with the From: field you expect. The problem is that those changes are made only after the filter has seen them, which is why you have to tell opendkim to sign for "localhost.localdomain" because that's what the filter sees.

In fact, you might want to check that the signatures are being validated, because they probably are failing since the data are essentially being changed in transit.

You will probably need either the "replace rules" feature to deal with this, or you'll need to arrange that your mail is generated with the final domain name in there and not "localhost.localdomain" to get it verifying properly.

From: Willem Kossen []
Sent: Monday, August 08, 2011 5:16 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] sendmail non-smtpd possible?

Ah, I think I figured it out...
What happens in many cases is that mail originates from user_at_localhost.localdomain. I didn't tell opendkim to sign mail from that domain. Still the mail ends up as <> in the recipient's mailbox, but sendmail didn't know that at the time the mail was delivered to it. During input, it was localhost.localdomain. Therefore no signing. Now I told opendkim in the config file that the domain localhost.localdomain should be signed and it worked.

And squirrelmail delivered mail as user_at_localhost (no localdomain). I added that domain too. This is far from ideal, a bit of a hack, but I guess it works.

Thanks for the help

On Sat, Aug 6, 2011 at 9:27 AM, Murray S. Kucherawy <<>> wrote:
First, as Rolf said, you should switch to opendkim. This package has been unmaintained for over two years.

I just tried it with sendmail 8.14.4 and opendkim 2.4.2 (just released!), and it signed a message I sent using the sendmail shell interface rather than SMTP. Since that means sendmail does provide milter service to mail that's piped in, you should be able to get dkim-milter to do it too unless there was a bug in it in this regard.

You can always use LogWhy to track down why your mail isn't being signed. It might have something to do with a domain name mismatch in the mail you're feeding.

Good luck,

From: Willem Kossen [<>]
Sent: Friday, August 05, 2011 5:57 AM
Subject: [dkim-milter-discuss] sendmail non-smtpd possible?

Hi there,

I have successfully implemented DKIM signing in my mailserver, but it only works when mail is delivered to it via SMTP. A lot of mail, however, comes in via the sendmail executable, for instance because of websites, webmail or applications sending out notices. I want that mail to be signed as well. Is it possible at all (like in postfix non-smtpd filters) or in any other way? In fact, I would like all outgoing mail to be signed.


Willem Kossen
Received on Mon Aug 08 2011 - 17:34:52 PST
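
An added example, not part of the original thread and not OpenDKIM code: a Python check that compares the signed header fields as the filter saw them with the same fields after sendmail's masquerade rewrite. It uses RFC 6376 "relaxed" header canonicalization, and a plain SHA-256 digest stands in for the real RSA-signed header hash. The sample messages, the example.com/example.net domains and the signed-field list are constructed assumptions.

```python
import email
import hashlib
import re

SIGNED = ["From", "To", "Subject", "Date"]  # assumed h= list of the signature

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 'relaxed' canonicalization of one header field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # collapse and trim WSP
    return f"{name.lower().strip()}:{value}\r\n"

def signed_digest(raw, fields=SIGNED):
    """Digest over the canonicalized signed fields (stand-in for the DKIM header hash)."""
    msg = email.message_from_string(raw)
    h = hashlib.sha256()
    for f in fields:
        if msg.get(f) is not None:
            h.update(relaxed_header(f, msg.get(f)).encode())
    return h.hexdigest()

def changed_signed_fields(at_milter, delivered, fields=SIGNED):
    """Signed fields whose canonical form differs between signing and delivery."""
    a = email.message_from_string(at_milter)
    b = email.message_from_string(delivered)
    return [f for f in fields
            if relaxed_header(f, a.get(f, "")) != relaxed_header(f, b.get(f, ""))]

# Constructed sample: what the filter sees for mail piped into sendmail.
AT_MILTER = (
    "From: www@localhost.localdomain\n"
    "To: customer@example.net\n"
    "Subject: Order confirmation\n"
    "Date: Mon, 8 Aug 2011 10:00:00 -0700\n"
    "\nThanks for your order.\n"
)
# Constructed sample: the same mail as delivered, after the From: rewrite,
# with an added (unsigned) Received: field and a refolded Subject:.
DELIVERED = (
    "Received: by mail.example.com; Mon, 8 Aug 2011 10:00:01 -0700\n"
    "From: www@example.com\n"
    "To: customer@example.net\n"
    "Subject: Order\n confirmation\n"
    "Date: Mon, 8 Aug 2011 10:00:00 -0700\n"
    "\nThanks for your order.\n"
)

if __name__ == "__main__":
    print("changed signed fields:", changed_signed_fields(AT_MILTER, DELIVERED))
    print("digest match:", signed_digest(AT_MILTER) == signed_digest(DELIVERED))
```

The refolded Subject: and the extra Received: field do not affect the result; only the rewritten From: does, which is the change that breaks verification at the receiver.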

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:19 PST