Re: Opendkim LDAP and signing table references unknown key

From: Sistemisti Posta <>
Date: Mon, 21 Dec 2015 09:18:21 +0100


Il 20/12/2015 00:02, A. Schulze ha scritto:
> Sistemisti Posta:
>> ldap://,c=it?o?sub?(&(|(mail=$d)(mailalternateaddress=$d))(mailuserstatus=active)(|(objectclass=mailrecipient)(objectclass=mailgroup)))
> $d reference the senders domain part. So your ldap filter looks wrong.
> I'm not aware about other possible usable macros.
> _at_all: is there any documentation?

Really, "Any instances of `$d' in the LDAP
filter will be replaced with the domain or email address being queried".
This works. I query entire from email address as well, not only domain part.

>> KeyTable is a file which contains:
>> keyID_it
> only one key?
>> My goal is to force all users having LDAP entry with
>> o: u
>> to sign. All other user can send without sign.
> that sounds like this filter:
> (&(o=keyID_it)(|(mail=*_at_$d)(mailalternateaddress=*@$d))

Maybe I explain wrong, sorry. The "keyID_it" is the result attribute,
not the search attribute. But you suggest me a way to workaround: I must
add in search 'o=*'.

>> opendkim[25959]: 3pMVKK6y5HzDc: signing table references unknown key ''
>> postfix/cleanup[26327]: 3pMVKK6y5HzDc: milter-reject: END-OF-MESSAGE
>> from[xx.xx.xx.xx]: 4.7.1 Service unavailable - try again
>> later; from=<> to=<> proto=ESMTP
>> helo=<[xx.xx.xx.xx]>
> that mean the signingtable lookup give a result, but there is not
> keytable entry.
> You must construct a ldap query that give no result if message should
> not be signed.

Just my desire. If an entry doesn't contains the result attribute should
not be signed. Opendkim instead return a '' when signingtable lookup
gives a result that doesn't contain the result attribute. For me it's a
BUG. But before to fill a bug I would ask your opinions. Anyway, I
workaround this issue adding a "result_attribute=*".

It should also be useful that if a signing selector is found in
signingtable, but not in keytable, opendkim should return a warning
instead of errors.

> you may use opendkim -Q to verify your ldapfilter:
> # opendkim -Q

Very useful. Thank you.

Thanks again,
best regards
Received on Mon Dec 21 2015 - 08:18:40 PST

This archive was generated by hypermail 2.3.0 : Mon Dec 21 2015 - 08:27:01 PST