# Sendmail/Majordomo/OpenDKIM



## allnyguy (May 23, 2013)

Ok, I will provide any additional information that you guys will require, but here is the "weird" issue I am seeing.

Have an established network for a major company, Exchange server, 2 Sendmail servers handling inbound/outbound mail traffic. OpenDKIM running on both servers, verifying and signing inbound/outbound mail. Have one maillist server, Sendmail/Majordomo running on Solaris 10 server. It is old, but functioning properly, but becoming old and failing occasionally. So, I went ahead and built a new CentOS 6.0 server, with Sendmail and Majordomo configured. The server is obviously a different name than it predecessor, but will be renamed when put into service.

My issue is a weird one: the "new" maillist server functions fine, it accepts emails sent to test@server.domain.org and distributes them accordingly. Everything seems fine except that upon inspection of the headers of the sent emails, the DOMAINKEY-SIGNATURE is missing. Yahoo.com shows it as a bad SIG and it is, because when viewing the outbound mail log, that portion of the process is just skipped for this server. Now the twist. If I use Mailx from the same server, sending to test@server.domain.org, Sendmail/Majordomo distribute the emails and the outbound mailserver signs the emails fine, OpenDKIM and DOMAINKEY-Signature and Yahoo is happy. The emails I am testing with are sent internally from my Outlook, attached to an Exchange mail server.

Mail flow:
Outlook -> mailserver1 -> OLD maillistserver/sendmail -> mailserver2 -> the world. PASS

Outlook -> mailserver1 -> NEW maillistserver/sendmail -> mailserver2 -> the world. FAIL

NEW maillistserver/Sendmail -> mailserver2 -> the world. PASS

Now I have checked every setting possible, comparing the old maillist server to the new. There are some small differences because of the versions of software used, but I have matched almost everything perfectly. I have combed through the incoming/outgoing mailservers for any mention of the old mailserver or some rule that would explain this.

I have looked at the OpenDKIM config files and local-host-names file on both mail servers and everything is fine.


All I can think of is that either:

the new maillist server should be stripping the original DKIM authorization off or parsing the headers before passing it on to mailserver2 (but I have looked at the Sendmail/Majordomo config files every which way and see no differences between old and new);
the incoming mailserver1 is doing something to the headers for the emails being sent to the old maillist server.

Quick example:

Same "new" maillist server. Log file from outgoing mail server. Sent from Outlook account to test@server.domain.org

```
May 23 10:42:39 mail sendmail[8157]: r4NEgc0n008157: Milter insert (1): header: X-DKIM:  OpenDKIM Filter v2.4.2 mail.domain.org r4NEgc0n008157
[B][color="red"]May 23 10:42:39 mail sendmail[8157]: r4NEgc0n008157: milter=dk-domain, action=eoh, accepted[/color][/B]
May 23 10:42:39 mail sendmail[8157]: r4NEgc0n008157: milter=dk-domain2, action=eoh, accepted
May 23 10:42:39 mail sendmail[8157]: r4NEgc0n008157: milter=dk-domain3, action=eoh, accepted
```
Passed right by dk-domain and never applied the domainkey-signature.

Sent using Mailx from server.domain.org to test@server.domain.org.

```
May 23 11:14:18 mail sendmail[9657]: r4NFEGmH009657: Milter insert (1): header: X-DKIM:  OpenDKIM Filter v2.4.2 mail.domain.org r4NFEGmH009657
[B][color="Red"]May 23 11:14:18 mail sendmail[9657]: r4NFEGmH009657: Milter insert (1): header: DomainKey-Signature:  a=rsa-sha1; s=mail; d=domain.org; c=nofws; q=dns;\n\th=x-dkim: from:date:to:subject:user-agent:content-type:content-transfer-encodingbla bla bla bla bla[/color][/B]
May 23 11:14:18 mail sendmail[9657]: r4NFEGmH009657: milter=dk-domain2, action=eoh, accepted
May 23 11:14:18 mail sendmail[9657]: r4NFEGmH009657: milter=dk-domain3, action=eoh, accepted
```

I would appreciate anyone's thoughts or ideas on what to look into for this. Like I have said, I have been staring at this for a week now and nothing is obvious. I know it probably has to do with the headers applied once it leaves Outlook/Exchange and them needing to be parsed or cleaned up, but there is nothing obvious on either mail server nor the old maillist server that is handling this.

Thanks.

(PS: The server is not named server nor is the domain domain.org, just cleaning it up for security, LOL, but I guess you knew that.)


----------



## ShelLuser (May 24, 2013)

Sort of an intriguing problem but even so, no offence intended, I think you may be better off asking this question on a CentOS forum or perhaps even a specific OpenDKIM related forum (assumption on my part since it seems DKIM related). The reason should be obvious: we claim to know something about FreeBSD but not so much CentOS or Solaris perse.

As such, if I tell you to check for a config file in /usr/local/etc you probably won't find it on CentOS (it's somewhat specific for FreeBSD), and I probably won't have a clue what the CentOS counterpart could be.

Having that out of the way; I can't help wonder if the temporary name is an influencing factor here. If the temporary name differs where the domain is concerned and thus you're basically sending e-mail from domain1 to domain2 (where it gets signed) and that is then sent on I can imagine, but depending on configuration, that this could fail. It could also explain why local generated mail does work.

The reason I'm thinking in this way is partly due to the logfile which specifically mentions a _domain-key signature_. However, keep in mind that this is a bit of guessing on my part.


----------

