Re: Opendkim LDAP and signing table references unknown key

From: A. Schulze <>
Date: Sun, 20 Dec 2015 00:02:20 +0100

Sistemisti Posta:

> ldap://,c=it?o?sub?(&(|(mail=$d)(mailalternateaddress=$d))(mailuserstatus=active)(|(objectclass=mailrecipient)(objectclass=mailgroup)))

$d references the sender's domain part. So your LDAP filter looks wrong.
I'm not aware of other possible usable macros.
@all: is there any documentation?

> KeyTable is a file which contains:
> keyID_it
only one key?

> My goal is to force all users having LDAP entry with
> o: u
> to sign. All other user can send without sign.
That sounds like this filter:

> opendkim[25959]: 3pMVKK6y5HzDc: signing table references unknown key ''
> postfix/cleanup[26327]: 3pMVKK6y5HzDc: milter-reject: END-OF-MESSAGE
> from[xx.xx.xx.xx]: 4.7.1 Service unavailable - try again
> later; from=<> to=<> proto=ESMTP
> helo=<[xx.xx.xx.xx]>
That means the SigningTable lookup gives a result, but there is no
KeyTable entry.
You must construct an LDAP query that gives no result if the message should
not be signed.

You may use opendkim -Q to verify your LDAP filter:

# opendkim -Q
opendkim: enter data set description
> ldap://,c=it?o?sub?(&(o=keyID_it)(|(mail=*@$d)(mailalternateaddress=*@$d))
opendkim: enter 'query/n' where 'n' is number of fields to request
> <- Query and give one value back
'keyID_it' <- the Lookup result

> I have already tried "On-SignatureError accept".
On-SignatureError, like all other On-foo settings, is not relevant for signing.
It matters only on validation.
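As an added illustration (not code from the thread or from opendkim), the following Python model reproduces the resolution rule described above: the SigningTable query is expanded with $d set to the sender's domain, its returned attribute value must name a KeyTable entry, an empty result means "do not sign", and a hit whose value is missing from the KeyTable yields the "signing table references unknown key" failure from the log. The directory entries, KeyTable line and the tiny LDAP-filter evaluator are constructed for this example and stand in for a real LDAP server; note that because $d is only the domain, the filter selects entries by domain, not by individual sender.

```python
import fnmatch

# Constructed directory entries standing in for the LDAP server (hypothetical data).
DIRECTORY = [
    {"mail": ["carol@example.it"], "o": []},                         # entry without an o: value
    {"mail": ["alice@example.it"], "mailalternateaddress": ["a.rossi@example.it"], "o": ["keyID_it"]},
    {"mail": ["bob@example.it"], "o": ["u"]},                        # the "o: u" users from the thread
]
# Constructed KeyTable line in opendkim's format: keyname domain:selector:privatekeyfile
KEYTABLE_TEXT = "keyID_it example.it:s2015:/etc/opendkim/keys/example.it.private\n"

def parse_keytable(text):
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, spec = line.split(None, 1)
            table[name] = tuple(spec.split(":", 2))   # (domain, selector, key path)
    return table

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&...), (|...) and (attr=glob). Returns (node, next index)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1                     # step over the closing ')'
    j = s.index(")", i)
    attr, pattern = s[i + 1:j].split("=", 1)
    return ("=", attr.lower(), pattern.lower()), j + 1

def matches(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    return any(fnmatch.fnmatchcase(v.lower(), node[2]) for v in entry.get(node[1], []))

def signing_table_lookup(template, sender, attr="o"):
    """Expand $d to the sender's domain part (as opendkim does) and return the first hit's attr."""
    node, _ = parse_filter(template.replace("$d", sender.rsplit("@", 1)[1]))
    for entry in DIRECTORY:
        if matches(node, entry):
            return entry.get(attr, [])
    return None                                      # no match: SigningTable yields nothing

def resolve(template, sender, keytable):
    """'unsigned', ('sign', keyrecord), or the error string the milter logs before tempfailing."""
    values = signing_table_lookup(template, sender)
    if values is None:
        return "unsigned"
    key = values[0] if values else ""
    if key not in keytable:
        return f"signing table references unknown key '{key}'"
    return ("sign", keytable[key])
```

Running resolve() with the corrected filter from the -Q session, the "(&(o=u)(mail=*@$d))" variant, and a bare "(mail=*@$d)" shows the three outcomes: a signed message, an unknown key 'u', and the unknown key '' from the original log.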

Received on Sat Dec 19 2015 - 23:02:36 PST

This archive was generated by hypermail 2.3.0 : Sat Dec 19 2015 - 23:09:01 PST