Re: Logging by default

From: Scott Kitterman <>
Date: Thu, 21 Feb 2013 15:47:20 -0500

On Thursday, February 21, 2013 10:48:21 AM Murray S. Kucherawy wrote:
> Based on an offlist conversation:
> Should opendkim's "Syslog" setting default to "true"?
> It's the opposite right now and has been since the beginning. The common
> practice I've had for years now is to be very vocal about errors, and
> refuse to start up, if any problem impeding normal operation can be
> detected. Once started, however, standard output/error are no longer
> available, so you find some way to continue operating (or restarting) at
> all costs, and be as minimally disruptive of the environment as possible.
> Daemons on busy machines can log quite a bit, meaning useful data from
> other daemons can be lost in the noise. We can't make any assumptions
> about which syslog facility should be used, so the whole thing is off by
> default, forcing operators to configure syslogging before it actually does
> anything.
> On the flipside, the filter could start mass-tempfailing your mail and you
> have no idea why unless you turn on the logging or do other in-depth
> debugging.
> What are other opinions on this?
> -MSK

I think it could use some work. In my configuration, I have (for opendkim):

Syslog yes
LogWhy yes
AlwaysAddARHeader yes

In a message, I see (from opendkim and opendmarc):

Authentication-Results:; dmarc=pass

Authentication-Results:; dkim=pass
        reason="1024-bit key; insecure key" header.b=PR5lcvD3;
        dkim-adsp=pass; dkim-atps=neutral

I think that is a reasonable level of information about the message. In my
mail log, for the same message, here's what I have from opendkim and

Feb 21 15:30:13 mailout02 opendkim[1740]: 231D920E4061: [] not internal
Feb 21 15:30:13 mailout02 opendkim[1740]: 231D920E4061: not authenticated
Feb 21 15:30:13 mailout02 opendkim[1740]: 231D920E4061: external host attempted to send as
Feb 21 15:30:13 mailout02 opendmarc[1751]: 231D920E4061: pass

There is nothing from opendkim about the actual verification process. In my
view, the fact that an external host is sending using a domain that this host
also signs for and is not authenticated is not relevant to anything. Not
internal isn't very useful either. I'd think those kinds of things should be
reserved for debug logging. Regular logging should report actual program
errors and optionally (I think default on) signature results.

As an aside (I know this is the wrong list), it would be nice if opendmarc
would include the domain in addition to the result.

Scott K
Received on Thu Feb 21 2013 - 20:47:36 PST

This archive was generated by hypermail 2.3.0 : Thu Feb 21 2013 - 20:54:02 PST