I added three subnets for some new servers that are sending mail, but OpenDKIM failed to recognize them as internal.
The subnets were added in CIDR form, like 192.168.0.1/24 and the same for .2 and .3.
I have other subnets added that work this way, but these subnets did not.
I read the docs on InternalHosts (and by reference, PeerList) and decided to try to add the domain, and to my confusion that worked.
The servers are not in DNS, so I guess OpenDKIM parses the From address in the header of the mail to look up the domain?
This is not explained in detail in the docs (at least not that I could find), and I was not able to understand the source code.
And it doesn't really explain why it won't recognize the new IP ranges as internal either.
So I guess what I'm claiming is that the IP range (CIDR notation) doesn't always work, or I did something wrong and I don't understand what.
Details:
Debian 11
opendkim: OpenDKIM Filter v2.11.0
Compiled with OpenSSL 1.1.1w 11 Sep 2023
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Postfix 3.5.25
opendkim.conf:
Syslog yes
SyslogSuccess yes
LogWhy yes
UMask 002
OversignHeaders From
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
SignatureAlgorithm rsa-sha256
AutoRestart Yes
UserID opendkim:opendkim
Socket inet:8891@localhost
Canonicalization relaxed/relaxed
(example) TrustedHosts:
127.0.0.1
mailserver.mydomain.com
10.10.1.0/24
domain.com
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
myotherdomain.com <-- This is the domain in the From address in the header
postfix conf:
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
mail_version = 3.6
compatibility_level = 3
example mail not signed:
Oct 17 08:00:19 mailserver postfix/smtpd[1755174]: A6A1F2403AC: client=unknown[192.168.3.5]
Oct 17 08:00:19 mailserver postfix/cleanup[1755771]: A6A1F2403AC: message-id=<12315156.98430485.ZG4tLTU3YWEzMDZ1jadfjOWwFJJAFNb44GI0LTEyYTNmN2M3N2ViNw==@myotherdomain.com>
Oct 17 08:00:19 mailserver opendkim[2432314]: A6A1F2403AC: [192.168.3.5] [192.168.3.5] not internal
Oct 17 08:00:19 mailserver opendkim[2432314]: A6A1F2403AC: not authenticated
Oct 17 08:00:19 mailserver opendkim[2432314]: A6A1F2403AC: no signature data
Oct 17 08:00:19 mailserver postfix/qmgr[753745]: A6A1F2403AC: from=<news@myotherdomain.com>, size=160728, nrcpt=1 (queue active)
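To narrow down whether the list itself covers a given client, here is an added offline checker (example code, not OpenDKIM's own matching logic): it parses a TrustedHosts-style file into IP/CIDR entries and name entries, reports which entry covers a client address such as 192.168.3.5 from the log above, and flags CIDR entries written with host bits set (the 192.168.0.1/24 form quoted in the description). The sample file is constructed to mirror the TrustedHosts shown in the report; name entries are only listed, not resolved.

```python
# Added example, not OpenDKIM code: an offline checker for an InternalHosts /
# PeerList-style file. It reproduces only the IP/CIDR side of the matching so
# a client address can be tested against TrustedHosts before the milter is
# reloaded, and it flags CIDR entries written with host bits set.
import ipaddress

# Constructed sample mirroring the TrustedHosts in the report, plus the
# "192.168.0.1/24" form quoted in the report text.
TRUSTED_HOSTS = """\
127.0.0.1
mailserver.mydomain.com
10.10.1.0/24
domain.com
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
myotherdomain.com
192.168.0.1/24
"""


def load_hosts(text):
    """Parse the file into (networks, names, loose); blank and # lines skipped."""
    networks, names, loose = [], [], []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            names.append(entry)  # hostname or domain entry, not resolved here
            continue
        if ipaddress.ip_interface(entry).ip != net.network_address:
            loose.append(entry)  # host bits set, e.g. 192.168.0.1/24 -> 192.168.0.0/24
        networks.append((entry, net))
    return networks, names, loose


def ip_is_listed(client_ip, networks):
    """Return the file entry covering client_ip, or None if nothing matches."""
    addr = ipaddress.ip_address(client_ip)
    for entry, net in networks:
        if addr.version == net.version and addr in net:
            return entry
    return None


if __name__ == "__main__":
    nets, names, loose = load_hosts(TRUSTED_HOSTS)
    for ip in ("192.168.3.5", "192.168.4.5"):
        print(ip, "->", ip_is_listed(ip, nets) or "not listed")
    print("name entries:", names, "| CIDRs with host bits set:", loose)
```

If the checker says the address is covered but opendkim still logs "not internal", the problem is not the CIDR arithmetic in the file; if it flags a loose entry, rewrite that line with the network address (192.168.0.0/24) before testing again.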