Re: Signing problems with OpenDKIM on Ubuntu

From: Jim Fenton <>
Date: Sun, 21 Apr 2013 11:14:41 -0700

On 04/21/2013 07:21 AM, Murray S. Kucherawy wrote:
> What would be helpful would be to select any message that should have
> been signed but wasn't and then do "fgrep <queueid> mail.log" (or
> equivalent) for that message so we can see what did get logged, and
> then post that here.

Hi Murray,

Here's everything from the mail log at the time of the message:

Apr 21 11:02:48 kernel sm-mta[27061]: STARTTLS=server, relay=localhost
[], version=TLSv1/SSLv3, verify=NO,
cipher=DHE-RSA-CAMELLIA256-SHA, bits=256/256
Apr 21 11:02:48 kernel sm-mta[27061]: AUTH=server, relay=localhost
[], authid=fenton, mech=CRAM-MD5, bits=0
Apr 21 11:02:48 kernel sm-mta[27061]: r3LI2l4K027061:
from=<>, size=422, class=0, nrcpts=1,
msgid=<>, proto=ESMTP, daemon=MSP-v6,
relay=localhost []
Apr 21 11:02:48 kernel dovecot: imap(fenton): Disconnected: Disconnected
in IDLE in=975 out=143400
Apr 21 11:02:49 kernel sm-mta[27064]: r3LI2l4K027061:
to=<>, ctladdr=<> (1000/1000),
delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120422, [], dsn=2.0.0, stat=Sent (Ok:
queued as DF/D3-25440-6A924715)

Nothing at all from the opendkim daemon. And I do see messages from
opendkim when I intentionally misconfigure something, as well as
messages from sm-mta when a header field is added.

And here's the current opendkim.conf:

# debugging stuff: log a lot, and try to sign everything
LogWhy yes
AlwaysAddARHeader yes
# This is a basic configuration that can easily be adapted to suit a
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 002

KeyFile /etc/mail/dkim/buttered.key.pem
Selector buttered


# Commonly-used options; the commented-out versions show the defaults.
Canonicalization relaxed
Mode sv
#SubDomains no
#ADSPDiscard no

# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From

# List domains to use for RFC 6541 DKIM Authorized Third-Party Signatures
# (ATPS) (experimental)


#Accept messages regardless
On-Default accept

I'm still struggling to figure out what is unique in my configuration.
Aside from IPv6 (which a lot of others use), I can't think of anything
out of the ordinary.

Received on Sun Apr 21 2013 - 18:14:36 PST
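
Added example (not part of the original message, and not OpenDKIM's own tooling): the per-queue-ID check requested above, run over a whole log to list every message sm-mta accepted for which opendkim logged nothing at all. It assumes one syslog entry per line; the sample log, the second queue ID, the example.org addresses and the wording of the opendkim line are constructed for illustration.

```shell
#!/bin/sh
# unsigned_queue_ids LOGFILE
# Prints, one per line, each queue ID that has an sm-mta "from=" entry
# (message accepted) but no entry from opendkim carrying the same ID.
unsigned_queue_ids() {
    awk '
        # Assumed layout: Mon DD HH:MM:SS host prog[pid]: qid: text
        {
            prog = $5; sub(/\[.*/, "", prog)   # drop "[pid]:"
            qid  = $6; sub(/:$/, "", qid)      # drop trailing colon
        }
        prog == "sm-mta" && $7 ~ /^from=/ {
            if (!(qid in seen)) order[++n] = qid
            seen[qid] = 1
        }
        prog == "opendkim" { milter[qid] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in milter)) print order[i]
        }
    ' "$1"
}

# Constructed sample log: the first message mirrors the one in the post
# (no opendkim line), the second is a hypothetical message the milter saw.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 21 11:02:48 kernel sm-mta[27061]: STARTTLS=server, relay=localhost, verify=NO
Apr 21 11:02:48 kernel sm-mta[27061]: r3LI2l4K027061: from=<sender@example.org>, size=422, nrcpts=1, daemon=MSP-v6
Apr 21 11:02:49 kernel sm-mta[27064]: r3LI2l4K027061: to=<rcpt@example.org>, mailer=esmtp, dsn=2.0.0, stat=Sent
Apr 21 11:05:10 kernel sm-mta[27100]: r3LI5AXX027100: from=<sender@example.org>, size=500, nrcpts=1, daemon=MTA-v4
Apr 21 11:05:10 kernel opendkim[900]: r3LI5AXX027100: DKIM-Signature field added (s=buttered, d=example.org)
Apr 21 11:05:11 kernel sm-mta[27102]: r3LI5AXX027100: to=<rcpt@example.org>, mailer=esmtp, dsn=2.0.0, stat=Sent
EOF
}

log=$(mktemp)
write_sample_log "$log"
unsigned_queue_ids "$log"
rm -f "$log"
```

An ID listed here means the filter never logged anything for that message, which is a different failure from a signing decision recorded by LogWhy.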
