# Dovecot emails not signed by DKIM



## Mayhem30 (Nov 11, 2017)

I'm using mail/opendkim to sign all emails for my domain. It's working correctly when any email is sent directly from the server (PHPMailer, WordPress, Forum, etc).

However, when I try to send email from home (using my domain's mailbox), anything dovecot handles does not get signed when the email is delivered (using Postfix).

Any idea where I can start troubleshooting this?


----------



## ShelLuser (Nov 11, 2017)

Dovecot doesn't send e-mail; it only allows you to retrieve it from your mailboxes. Your MTA handles all that.

I'd say start by checking your logfiles. See what your MTA is doing with the e-mails. Is it possible that only locally generated e-mail (here's looking at /usr/sbin/sendmail) gets handled and remote gets ignored?


----------



## Mayhem30 (Nov 11, 2017)

Ah that's right, my mistake. When connecting through Postfix at home to send emails, the emails are not getting signed.

The mail log doesn't show anything out of the ordinary.

```
From home (not signed)

Nov 11 13:29:14 localhost postfix/smtpd[74492]: connect from me.some.isp.com[11.22.33.44]
Nov 11 13:29:14 localhost postfix/smtpd[74492]: ED9BA45CDFE: client=me.some.isp.com[11.22.33.44]
Nov 11 13:29:15 localhost postfix/cleanup[74495]: ED9BA45CDFE: message-id=<232E5C68288D4A79BAEB7F8913FD619C@HOME>
Nov 11 13:29:15 localhost postfix/qmgr[73739]: ED9BA45CDFE: from=<me@example.com>, size=1364, nrcpt=1 (queue active)
Nov 11 13:29:15 localhost postfix/smtpd[74492]: disconnect from me.some.isp.com[11.22.33.44] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 11 13:29:15 localhost postfix/smtp[74496]: ED9BA45CDFE: to=<you@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.199.26]:25, delay=0.55, delays=0.34/0.01/0.1/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1510435756 u128si5764224oib.144 - gsmtp)
Nov 11 13:29:15 localhost postfix/qmgr[73739]: ED9BA45CDFE: removed


localhost (signed email)

Nov 11 13:30:28 localhost postfix/smtpd[74492]: connect from localhost[127.0.0.1]
Nov 11 13:30:28 localhost postfix/smtpd[74492]: 4426C45CDFF: client=localhost[127.0.0.1]
Nov 11 13:30:28 localhost postfix/cleanup[74495]: 4426C45CDFF: message-id=<yZeC3PEWrVwanHGc4PJ5WIUhmvGdZpWdGvCkshQzI@www.domain.com>
Nov 11 13:30:28 localhost postfix/qmgr[73739]: 4426C45CDFF: from=<me@example.com>, size=667, nrcpt=1 (queue active)
Nov 11 13:30:28 localhost postfix/smtpd[74492]: disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 11 13:30:28 localhost postfix/smtp[74496]: 4426C45CDFF: to=<you@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.199.26]:25, delay=0.38, delays=0.22/0/0.06/0.09, dsn=2.0.0, status=sent (250 2.0.0 OK 1510435830 v13si3442254oif.174 - gsmtp)
Nov 11 13:30:28 localhost postfix/qmgr[73739]: 4426C45CDFF: removed
```


----------



## ShelLuser (Nov 11, 2017)

Actually those logs show a lot. They show that Postfix doesn't do a thing with signing (or other external activities), so that most likely explains the cause. So how did you configure all this?

My theory at this point is that you only set up local filtering, maybe messing with the sendmail program or such. You should know though because you configured it.

Anyway, the solution to all this is to move the whole signing / filtering process onto Postfix so that it can take care of all that. Being unfamiliar with Opendkim my best guess is to look into transport filtering, see transport(5) for that. This might be a good read.


----------



## derekschrock (Nov 11, 2017)

In postfix do you have non_smtpd_milters and/or smtpd_milters set?

Sounds like just non_smtpd_milters is set, which allows the sendmail-like applications listed above to be processed by opendkim.


----------



## Mayhem30 (Nov 12, 2017)

ShelLuser said:


> Actually those logs show a lot. They show that Postfix doesn't do a thing with signing (or other external activities), so that most likely explains the cause. So how did you configure all this?



I use smtpd_milters / non_smtpd_milters set in main.cf. I don't use sendmail, I have Postfix running on my server. 



derekschrock said:


> In postfix do you have non_smtpd_milters and/or smtpd_milters set?



Yes, I sure do:

```
smtpd_milters = inet:localhost:10028
non_smtpd_milters = inet:localhost:10028
```


----------



## Mayhem30 (Nov 12, 2017)

I see that logging is not enabled by default. I enabled it and now see this when my email doesn't get signed:

```
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: me.some.isp.com[11.22.33.44] not internal
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: not authenticated
```


----------



## Mayhem30 (Nov 12, 2017)

Any ideas how to "authenticate" so my emails do get signed by OpenDKIM?


----------



## ShelLuser (Nov 12, 2017)

Whoops, and I misread your post, silly me... I thought you had found a solution.

Anyway, I'd keep an eye out for this bug report. And could this post be of any use?  Or this, it also seems to hint at a bug.

Note: I have no idea because I don't use Opendkim myself, but still hope those links could be of some use.


----------



## gkontos (Nov 12, 2017)

You need to add your public IP in TrustedHosts


----------



## DutchDaemon (Nov 12, 2017)

I have this in my opendkim.conf:


```
InternalHosts           /usr/local/etc/mail/relayhosts
```

The latter contains the relaying IPs/networks.

That is with Sendmail, but should be generic.


----------



## Mayhem30 (Nov 12, 2017)

I managed to find a solution that didn't require me to add my public IP address.

In /usr/local/etc/postfix/main.cf add:

```
milter_mail_macros = i {mail_addr}
```
In /usr/local/etc/mail/opendkim.conf add:

```
MacroList               mail_addr=user@domain.com
```
Now all my emails from user@domain.com are being signed. Also, you can use all sorts of macros to identify whether you want OpenDKIM to sign the emails or not.

The list can be found here: http://www.postfix.org/MILTER_README.html (Sendmail macro emulation)


----------
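As an added example (not code from any poster in this thread): a Python sketch that correlates Postfix and OpenDKIM syslog lines by queue ID and lists messages for a domain that left unsigned, with the reason OpenDKIM logged and whether Postfix recorded a SASL login. The sample log is constructed in the format quoted above; the second queue ID, the `DKIM-Signature field added` success line and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log excerpts quoted in this thread.
SAMPLE_LOG = """\
Nov 11 17:48:33 localhost postfix/smtpd[74492]: 6A13445CF3B: client=me.some.isp.com[11.22.33.44]
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: me.some.isp.com[11.22.33.44] not internal
Nov 11 17:48:33 localhost opendkim[84752]: 6A13445CF3B: not authenticated
Nov 11 17:48:34 localhost postfix/qmgr[73739]: 6A13445CF3B: from=<me@example.com>, size=1364, nrcpt=1 (queue active)
Nov 11 17:49:02 localhost postfix/smtpd[74492]: 7B24556D04C: client=localhost[127.0.0.1]
Nov 11 17:49:02 localhost opendkim[84752]: 7B24556D04C: DKIM-Signature field added (s=default, d=example.com)
Nov 11 17:49:02 localhost postfix/qmgr[73739]: 7B24556D04C: from=<me@example.com>, size=667, nrcpt=1 (queue active)
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<prog>[\w/]+)\[\d+\]: "
                  r"(?P<qid>[0-9A-F]{6,}): (?P<msg>.*)$")
SKIP_REASONS = ("not internal", "not authenticated")

def correlate(lines):
    """Group smtpd, qmgr and opendkim lines per queue ID."""
    msgs = defaultdict(lambda: {"client": None, "sasl_user": None,
                                "sender": None, "signed": False, "skip_reasons": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        rec, prog, msg = msgs[m["qid"]], m["prog"], m["msg"]
        if prog == "postfix/smtpd" and msg.startswith("client="):
            # Postfix appends sasl_username=... here for authenticated sessions.
            fields = dict(p.partition("=")[::2] for p in msg.split(", "))
            rec["client"], rec["sasl_user"] = fields["client"], fields.get("sasl_username")
        elif prog == "postfix/qmgr" and msg.startswith("from=<"):
            rec["sender"] = msg[len("from=<"):msg.index(">")]
        elif prog == "opendkim":
            if msg.startswith("DKIM-Signature field added"):
                rec["signed"] = True
            rec["skip_reasons"] += [r for r in SKIP_REASONS if msg.endswith(r)]
    return dict(msgs)

def unsigned_for_domain(lines, domain):
    """Messages with an envelope sender in `domain` that were never signed."""
    suffix = "@" + domain.lower()
    return {qid: rec for qid, rec in correlate(lines).items()
            if rec["sender"] and rec["sender"].lower().endswith(suffix)
            and not rec["signed"]}

if __name__ == "__main__":
    print(unsigned_for_domain(SAMPLE_LOG.splitlines(), "example.com"))
```

The same report is useful after switching to a `MacroList` match on `{mail_addr}`: that macro carries the envelope sender, which the connecting client supplies, so a signed message with no `sasl_user` and a non-local client shows mail that was signed on the strength of MAIL FROM alone.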

