trusteddomainproject / OpenDKIM

Opendkim not signing based on List-Post header #182

Closed msapiro closed 1 year ago

msapiro commented 1 year ago

I have just moved lists.mailman3.org from the prior server running opendkim 2.9.1-1 on Ubuntu 14.04.6 to a new server running opendkim 2.11.0~beta2-1 on Ubuntu 20.04.6. My opendkim.conf and keys, KeyTable, SigningTable and TrustedHosts are (or were initially) unchanged from the prior server. In opendkim.conf I had

SenderHeaders           List-Post,Sender,From

I also tried

SenderHeaders           List-Post,From

and other variants. My signing table has

*@mailman3.org default._domainkey.mailman3.org
*@*.mailman3.org default._domainkey.mailman3.org

The issue is mail which is From: *@mailman3.org is properly signed but mail From: other domains with

List-Post: <mailto:*@mailman3.org>

is not signed. On the prior server it was. I don't think the difference is the opendkim version as I have another server running opendkim 2.11.0~beta2-1 on Ubuntu 20.04.6 and it does properly sign based on List-Post:

andreasschulze commented 1 year ago

SenderHeader is an optional feature only available if activated at compile time. Check opendkim -V. There is a section 'Active code options:'. It should mention '_FFR_SENDER_MACRO'.

If the feature isn't activated, you can't select the input for the signingtable by a SenderHeader. Only the 5322.From Header is used...

msapiro commented 1 year ago

Thanks for your reply. I checked and opendkim -V does report _FFR_SENDER_MACRO. This is the entire output:

$ opendkim -V
opendkim: OpenDKIM Filter v2.11.0
    Compiled with OpenSSL 1.1.1f  31 Mar 2020
    SMFI_VERSION 0x1000001
    libmilter version 1.0.1
    Supported signing algorithms:
        rsa-sha1
        rsa-sha256
        ed25519-sha256
    Supported canonicalization algorithms:
        relaxed
        simple
    Active code options:
        QUERY_CACHE
        USE_DB
        USE_LDAP
        USE_LUA
        USE_ODBX
        USE_UNBOUND
        _FFR_ATPS
        _FFR_RBL
        _FFR_REPLACE_RULES
        _FFR_SENDER_MACRO
        _FFR_STATS
        _FFR_VBR
    libopendkim 2.11.0: atps query_cache

I have worked around this issue by running multiple instances of opendkim listening on different ports. I have configured Mailman to send to Postfix on port 10025, which contains -o smtpd_milters=inet:127.0.0.1:8891 in master.cf, and the opendkim milter listening on port 8891 is configured with Mode s to sign only rather than Mode sv to sign and verify.

This workaround is working for me so I am closing this issue even though I still don't understand why the original configuration with one opendkim instance with Mode sv configured in Postfix main.cf didn't work.
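
To confirm from delivered mail whether the list domain's signature is actually being applied, the following check can be run against a saved message. It is an added example, not part of the thread and not OpenDKIM code; it assumes the signing domain (`d=`) is `mailman3.org`, uses constructed sample messages, and only tests for the presence of a matching signature, not its cryptographic validity.

```python
import re
from email import message_from_string

# First mailto: URI in a List-Post header (RFC 2369); captures the domain part.
MAILTO = re.compile(r"<mailto:[^@>\s]+@([A-Za-z0-9.-]+)", re.I)

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376 sec. 3.2) into a dict.
    Whitespace inside values is dropped, which is safe for d= and s=."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def in_domain(name, org):
    """True if name is org or a subdomain of it, mirroring the two
    SigningTable patterns *@mailman3.org and *@*.mailman3.org."""
    name = name.lower().rstrip(".")
    return name == org or name.endswith("." + org)

def check_list_signature(raw, org="mailman3.org"):  # org is an assumed d= value
    """Return (expected, signed, signers) for one raw message.
    expected: List-Post points into org, so a list signature should exist.
    signed:   at least one DKIM-Signature carries a d= under org."""
    msg = message_from_string(raw)
    m = MAILTO.search(msg.get("List-Post", ""))
    expected = bool(m) and in_domain(m.group(1), org)
    signers = [dkim_tags(v).get("d", "") for v in msg.get_all("DKIM-Signature", [])]
    return expected, any(in_domain(d, org) for d in signers), signers

# Constructed sample: author-domain signature only, the symptom in this issue.
UNSIGNED = (
    "From: Alice <alice@example.com>\n"
    "List-Post: <mailto:users@mailman3.org>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
    "\th=from:subject; bh=AAAA; b=BBBB\n"
    "Subject: test\n\nbody\n"
)
# Constructed sample: the same message after the list's signature is prepended.
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=mailman3.org; s=default;\n"
    "\th=from:list-post; bh=CCCC; b=DDDD\n"
) + UNSIGNED

if __name__ == "__main__":
    for label, raw in (("unsigned", UNSIGNED), ("signed", SIGNED)):
        print(label, check_list_signature(raw))
```

A result of `(True, False, ...)` on list traffic reproduces the reported symptom: the message may still carry the author domain's signature, but nothing signed by the list's domain.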