Re: Ordering of On- configuration Options

From: Alan Chandler <>
Date: Thu, 13 Mar 2014 15:38:52 +0000

On 13/03/14 15:19, Murray S. Kucherawy wrote:
> On Thu, 13 Mar 2014, Alan Chandler wrote:
>> I am trying to set up dkim-filter to reject mails from people who
>> have invalidly signed it, but accept mails for domains that do not
>> sign their mail (and unfortunately, since I can't add the public key
>> to my dns, I can't sign my own outgoing mails)
> dkim-filter has been deprecated and unsupported for a few years now.
> If you actually meant dkim-filter, you should switch to opendkim.

Ah - I am running Debian Stable, and hadn't appreciated. I can install
opendkim and work with that. I need to do a bit of reading first on how to
set that up.

>> I am getting a situation where I seem to be rejecting mails with no
>> signature data. These tend to be from mailing lists, and I am
>> getting unsubscribed from the list because of the bounces.
>> My config file has
>> On-Default accept
>> On-NoSignature accept
>> On-DNSError tempfail
>> On-BadSignature reject
>> On-InternalError tempfail
>> On-Security tempfail
>> But I can find no explanation of ordering and if a Bad-Signature
>> reject trumps the On-NoSignature accept.
> The order doesn't matter.
>> It is possible that mail to the mailing list had a dkim signature
>> added, which because of the extra data added by the mailing list
>> causes the signature to be deemed false?
> If the list added a signature, it's more likely added after the
> message is fully generated. On the other hand, the list quite
> possibly invalidated the author signature, if any.
>> I am a nearly complete newbie on this, so any pointers as to what
>> best to do would be appreciated. For the time being I have had to
>> drop the filtering on signatures.
> On-NoSignature has always had "accept" as a default, so you shouldn't
> have to set it. If it's rejecting based on that, something is broken.

Since not much was being logged (see below) I was postulating that if no
signature, then both no-Signature and BadSignature events were being
detected, and the ordering mattered.
As you say it doesn't, then my postulate was wrong.

> What's being logged when this happens?
Mar 12 13:01:56 piserver milter-greylist: (unknown id): skipping
greylist because this is the default action,
(from=<>, rcpt=<>,[]) ACL 39
Mar 12 13:01:56 piserver postfix/smtpd[19372]: E39DA200C5:[]
Mar 12 13:01:57 piserver postfix/cleanup[19393]: E39DA200C5:
milter-reject: END-OF-MESSAGE from[]:
5.7.0 bad DKIM signature data; from=<>
to=<> proto=ESMTP helo=<>
Mar 12 13:01:57 piserver postfix/smtpd[19372]: disconnect from[]

Here is an example - (although I am getting plenty of good e-mails from
this source)

I expect a submitter to the list is signing his e-mails - when it comes
back from the list it's been mangled.

Alan Chandler
Received on Thu Mar 13 2014 - 15:39:08 PST
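
Added example, not part of the original message and not code from dkim-filter or opendkim: a small Python triage script that reads Postfix log lines in the format quoted above and counts permanent DKIM milter rejections per envelope sender, to show which sources (for example mailing lists) an On-BadSignature reject policy is bouncing. The sample lines, host names and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the log excerpt above
# (hosts and addresses are placeholders, not taken from the thread).
SAMPLE_LOG = """\
Mar 12 13:01:57 piserver postfix/cleanup[19393]: E39DA200C5: milter-reject: END-OF-MESSAGE from lists.example.org[192.0.2.10]: 5.7.0 bad DKIM signature data; from=<list-bounces@lists.example.org> to=<alan@example.net> proto=ESMTP helo=<lists.example.org>
Mar 12 13:05:12 piserver postfix/cleanup[19401]: 1A2B3C4D5E: milter-reject: END-OF-MESSAGE from lists.example.org[192.0.2.10]: 5.7.0 bad DKIM signature data; from=<list-bounces@lists.example.org> to=<alan@example.net> proto=ESMTP helo=<lists.example.org>
Mar 12 13:09:40 piserver postfix/cleanup[19410]: 9F8E7D6C5B: milter-reject: END-OF-MESSAGE from mx.example.com[198.51.100.7]: 4.7.1 Service unavailable - try again later; from=<bob@example.com> to=<alan@example.net> proto=ESMTP helo=<mx.example.com>
Mar 12 13:10:02 piserver postfix/smtpd[19372]: disconnect from lists.example.org[192.0.2.10]
"""

# Matches the cleanup "milter-reject" record: queue id, milter stage,
# client host and IP, enhanced status code, reason text, envelope addresses.
REJECT_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>\w+): milter-reject: "
    r"(?P<stage>\S+) from (?P<client>\S+)\[(?P<ip>[^\]]*)\]: "
    r"(?P<code>\d\.\d+\.\d+) (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def milter_rejects(log_text):
    """Yield one dict per Postfix milter-reject line found in log_text."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            yield m.groupdict()

def dkim_rejects_by_sender(log_text):
    """Count permanent (5.x.x) DKIM rejections per envelope sender."""
    counts = Counter()
    for r in milter_rejects(log_text):
        # tempfail results (4.x.x) are retried by the sender and do not bounce
        if r["code"].startswith("5.") and "DKIM" in r["reason"]:
            counts[r["sender"]] += 1
    return counts

if __name__ == "__main__":
    for sender, n in dkim_rejects_by_sender(SAMPLE_LOG).most_common():
        print(f"{n:3d} permanent DKIM rejects  envelope sender <{sender}>")
```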
