
According to http://opendkim.org/opendkim.conf.5.html, the ExternalIgnoreList and InternalHosts options support the same format as the PeerList option, as follows:

> The set should contain on each line a hostname, domain name (e.g. ".example.com"), IP address, an IPv6 address (including an IPv4 mapped address), or a CIDR-style IP specification (e.g. "192.168.1.0/24").

IP addresses and subnets are being correctly identified as internal hosts but all hostnames and domains are not being picked up.

Here is /etc/opendkim.conf:

LogWhy              yes
Syslog              yes
SyslogSuccess       yes
UMask               002
UserID              opendkim:opendkim

KeyTable            refile:/etc/opendkim/key.table
SigningTable        refile:/etc/opendkim/signing.table

ExternalIgnoreList  refile:/etc/opendkim/trusted.hosts
InternalHosts       refile:/etc/opendkim/trusted.hosts

AutoRestart         yes
AutoRestartRate     10/1M
Background          yes
Canonicalization    relaxed/simple
DNSTimeout          5
Mode                sv
Nameservers         192.168.100.1,192.168.100.2
OversignHeaders     From
SignatureAlgorithm  rsa-sha256
SubDomains          no

Socket              local:/var/spool/postfix/opendkim/opendkim.sock
PidFile             /run/opendkim/opendkim.pid

And /etc/opendkim/trusted.hosts:

127.0.0.1
::1
localhost
mailserver                # mail server hostname
192.168.100.50            # test server
webserver.domain.local    # web server
.domain.local             # entire local domain
*.testdomain.local        # entire local test domain

And main.cf milter options:

milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen}
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters

Mail from 192.168.100.50 is signed as expected:

mailserver postfix/qmgr[5406]: 59CA920E11: removed
mailserver postfix/smtpd[5412]: connect from testserver.mydomain.com[192.168.100.50]
mailserver postfix/smtpd[5412]: 41BD520E11: client=testserver.mydomain.com[192.168.100.50]
mailserver postfix/cleanup[5436]: 41BD520E11: message-id=<>
mailserver opendkim[5427]: 41BD520E11: DKIM-Signature field added (s=default, d=contoso.com)
mailserver postfix/qmgr[5406]: 41BD520E11: from=<testing@contoso.com>, size=371, nrcpt=1 (queue active)
mailserver postfix/smtp[5437]: 41BD520E11: to=<notreal@gmail.com>, relay=ASPMX.L.GOOGLE.COM[173.194.76.27]:25, delay=0.4, delays=0.01/0/0.13/0.26, dsn=2.0.0, status=sent (250 2.0.0 OK  1610364907 k20si14443742wrc.23 - gsmtp)
mailserver postfix/qmgr[5406]: 41BD520E11: removed

But mail from webserver.domain.local is not picked up as being internal despite the name of the client being resolved:

mailserver postfix/smtpd[5846]: connect from webserver.domain.local[192.168.100.51]
mailserver postfix/smtpd[5846]: 4F00620E11: client=webserver.domain.local[192.168.100.51]
mailserver postfix/cleanup[5850]: 4F00620E11: message-id=<>
mailserver opendkim[5840]: 4F00620E11: webserver.domain.local [192.168.100.51] not internal
mailserver opendkim[5840]: 4F00620E11: not authenticated
mailserver opendkim[5840]: 4F00620E11: no signature data
mailserver postfix/qmgr[5821]: 4F00620E11: from=<testing@contoso.com>, size=371, nrcpt=1 (queue active)
mailserver postfix/smtp[5851]: 4F00620E11: to=<notreal@gmail.com>, relay=ASPMX.L.GOOGLE.COM[74.125.133.27]:25, delay=0.83, delays=0.01/0/0.43/0.39, dsn=2.0.0, status=sent (250 2.0.0 OK  1610365309 g124si15021166wma.170 - gsmtp)
mailserver postfix/qmgr[5821]: 4F00620E11: removed

Am I missing something relating to how hostnames are resolved or something more fundamental with how this functionality is implemented? I have also tried domain combinations of *.domain.local and .domain.local in /etc/opendkim/trusted.hosts with no success.

Any and all help would be gratefully received.

Version numbers:

~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.4 LTS
Release:        18.04
Codename:       bionic

~$ postconf mail_version
mail_version = 3.3.0

~$ opendkim -V
opendkim: OpenDKIM Filter v2.11.0
        Compiled with OpenSSL 1.1.1  11 Sep 2018
        SMFI_VERSION 0x1000001
        libmilter version 1.0.1
        Supported signing algorithms:
                rsa-sha1
                rsa-sha256
        Supported canonicalization algorithms:
                relaxed
                simple
        Active code options:
                POLL
                QUERY_CACHE
                USE_DB
                USE_LDAP
                USE_LUA
                USE_ODBX
                USE_UNBOUND
                _FFR_ATPS
                _FFR_RBL
                _FFR_REPLACE_RULES
                _FFR_SENDER_MACRO
                _FFR_STATS
                _FFR_VBR
        libopendkim 2.11.0: atps query_cache
Bunny
  • Are `.local` domains being handled by mDNS? – hardillb Jan 11 '21 at 11:55
  • DNS is hosted on Windows Server 2019 domain controllers. I can resolve from the command line, postfix appears to be resolving client names, and opendkim can reach the TXT records on the domain controllers via use of the `Nameservers` option. – Bunny Jan 11 '21 at 11:59
  • Is there a reverse DNS record for 192.168.100.51, not sure but it might be trying to confirm the hostname using the PTR record. Trying to check the code now – Dobromir Velev Jan 11 '21 at 12:54
  • @DobromirVelev A reverse lookup zone exists and I can successfully perform a reverse lookup from the mail server, but that was a good shout of something to check. – Bunny Jan 11 '21 at 14:00
  • Just found this https://serverfault.com/questions/830979/opendkim-milter-not-signing-relayed-mail - is {client_name} enabled in the milter config – Dobromir Velev Jan 11 '21 at 14:23
  • @DobromirVelev Sadly I already have that and I've updated the post with related main.cf contents. – Bunny Jan 11 '21 at 15:07
  • I've been browsing the source of opendkim and it looks like it gets the hostname correctly - the one in the log is the one being checked. I'm guessing now - but it might be possible the comment "#web server" might be breaking it, since there are no checks for comments in the refile section. Can you try removing the comment and put a newline after webserver.domain.local – Dobromir Velev Jan 11 '21 at 16:00
  • I was actually wrong there - there are checks for comments and trailing whitespace, so it is probably not the case – Dobromir Velev Jan 11 '21 at 16:06
  • @DobromirVelev Thank you for taking the time to check the source code and for helping. The comments are only a recent addition for humans as we'll need to use IP addresses for hosts. I've also tried just the hostname as well as the FQDN with no success. It's very peculiar as I can see in the log I provided that postfix is indeed passing the client name to opendkim but it doesn't appear to be matching it against the strings in `/etc/opendkim/trusted.hosts`, but IP addresses are matched without issue. – Bunny Jan 11 '21 at 16:43
  • Amazingly I've got it to work! What I didn't show in the `/etc/opendkim/trusted.hosts` in the original post was `*.adifferentdomain.com` at the very end of the file, which was there for previous testing for that domain. It turns out that the asterisk goes on to break *all* string lookups within the file but leaves the IP addressing working as intended. This feels like a bug which I'll report. Both the full FQDN and domain in the format of `.domain.tld` now work as expected. @DobromirVelev, thank you for your help. – Bunny Jan 11 '21 at 17:02
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/118347/discussion-between-bunny-and-dobromir-velev). – Bunny Jan 12 '21 at 00:14

1 Answer

This was resolved by removing the leading asterisk from a domain wildcard in /etc/opendkim/trusted.hosts. The asterisk being there not only stopped the domain wildcard from working but also stopped all other string entries in the file from working, although IP addresses were not affected.

IP addresses work but strings do not:

127.0.0.1
::1
localhost
mailserver                # mail server hostname
192.168.100.50            # test server
webserver.domain.local    # web server
.domain.local             # entire local domain
*.testdomain.local        # entire local test domain

IP addresses and strings both work:

127.0.0.1
::1
localhost
mailserver                # mail server hostname
192.168.100.50            # test server
webserver.domain.local    # web server
.domain.local             # entire local domain
.testdomain.local         # entire local test domain
Bunny
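The format quoted from opendkim.conf(5) in the question and the fix in the answer both come down to one thing: every line of the dataset file must be a hostname, a dotted domain suffix, an IP address or a CIDR block, and a `*.domain` entry is none of those. The following is an added example, not code from the Server Fault post or from the OpenDKIM project: a small linter that flags entries outside the documented format (it catches the `*.testdomain.local` line from the "before" file), plus a matcher that applies the documented semantics to a Postfix client name and address so you can test a trusted.hosts file before reloading the milter. The suffix-matching rule for dotted domains and the label regex are this example's reading of the manpage, not OpenDKIM's own code; the two sample files are constructed from the ones in the answer.

```python
"""Lint and dry-run an OpenDKIM host dataset such as /etc/opendkim/trusted.hosts.

Added example; the matching rules are an assumed reimplementation of the
opendkim.conf(5) description, not OpenDKIM's source.
"""
import ipaddress
import re

# RFC 1123 style label: letters, digits and inner hyphens, 1..63 characters (assumption).
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_line(raw):
    """Strip a trailing '# comment' and classify one entry.

    Returns None for blank/comment-only lines, otherwise (kind, value) where
    kind is 'ip', 'net', 'host', 'domain' or 'invalid'.
    """
    line = raw.split("#", 1)[0].strip()
    if not line:
        return None
    try:
        return ("ip", ipaddress.ip_address(line))        # 127.0.0.1, ::1
    except ValueError:
        pass
    try:
        return ("net", ipaddress.ip_network(line, strict=False))  # 192.168.1.0/24
    except ValueError:
        pass
    is_domain = line.startswith(".")                     # ".example.com" form
    labels = (line[1:] if is_domain else line).split(".")
    if all(_LABEL.match(label) for label in labels):
        return ("domain" if is_domain else "host", line.lower())
    return ("invalid", line)                             # e.g. "*.example.com"


def lint(text):
    """Return [(line_no, entry), ...] for entries outside the documented format."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed and parsed[0] == "invalid":
            problems.append((no, parsed[1]))
    return problems


def is_internal(text, client_name, client_ip):
    """Dry-run the lookup OpenDKIM does with Postfix's {client_name}/{client_addr}.

    IP and CIDR entries are compared with the client address, hostname entries
    with the exact client name, dotted-domain entries with the name's suffix.
    Invalid entries are skipped here; the post shows that OpenDKIM itself
    instead stops matching every string entry once one is present.
    """
    addr = ipaddress.ip_address(client_ip)
    name = client_name.lower().rstrip(".")
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, value = parsed
        if kind == "ip" and value == addr:
            return True
        if kind == "net" and addr in value:
            return True
        if kind == "host" and name == value:
            return True
        if kind == "domain" and name.endswith(value):
            return True
    return False


# Constructed sample files, copied from the answer's "before" and "after" listings.
BROKEN = """127.0.0.1
::1
localhost
mailserver                # mail server hostname
192.168.100.50            # test server
webserver.domain.local    # web server
.domain.local             # entire local domain
*.testdomain.local        # entire local test domain
"""
FIXED = BROKEN.replace("*.testdomain.local", ".testdomain.local")


if __name__ == "__main__":
    print("problems in BROKEN:", lint(BROKEN))
    print("problems in FIXED: ", lint(FIXED))
    for host, ip in [("webserver.domain.local", "192.168.100.51"),
                     ("testserver.mydomain.com", "192.168.100.50"),
                     ("evil.example.org", "203.0.113.5")]:
        print(host, ip, "internal" if is_internal(FIXED, host, ip) else "not internal")
```

Run it against your own file with `lint(open("/etc/opendkim/trusted.hosts").read())` before a reload; an empty list means every entry is in one of the four documented shapes. Keep in mind that the matcher only sees what Postfix hands over, so `{client_name}` still has to be in `milter_mail_macros` for hostname and domain entries to have anything to match against.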