OpenDKIM ignoring hostnames and domains in trusted hosts file
According to http://opendkim.org/opendkim.conf.5.html, the ExternalIgnoredHosts
and InternalHosts
options support the same format as the PeerList
option as follows:
The set should contain on each line a hostname, domain name (e.g. ".example.com"), IP address, an IPv6 address (including an IPv4 mapped address), or a CIDR-style IP specification (e.g. "192.168.1.0/24").
IP addresses and subnets are being correctly identified as internal hosts but all hostnames and domains are not being picked up.
Here is /etc/opendkim.conf
LogWhy yes
Syslog yes
SyslogSuccess yes
UMask 002
UserID opendkim:opendkim
KeyTable refile:/etc/opendkim/key.table
SigningTable refile:/etc/opendkim/signing.table
ExternalIgnoreList refile:/etc/opendkim/trusted.hosts
InternalHosts refile:/etc/opendkim/trusted.hosts
AutoRestart yes
AutoRestartRate 10/1M
Background yes
Canonicalization relaxed/simple
DNSTimeout 5
Mode sv
Nameservers 192.168.100.1,192.168.100.2
OversignHeaders From
SignatureAlgorithm rsa-sha256
SubDomains no
Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
And /etc/opendkim/trusted.hosts
127.0.0.1
::1
localhost
mailserver # mail server hostname
192.168.100.50 # test server
webserver.domain.local # web server
.domain.local # entire local domain
*.testdomain.local # entire local test domain
And main.cf
milter options:
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_type} {auth_authen}
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = $smtpd_milters
Mail from 192.168.100.50
is signed as expected:
mailserver postfix/qmgr[5406]: 59CA920E11: removed
mailserver postfix/smtpd[5412]: connect from testserver.mydomain.com[192.168.100.50]
mailserver postfix/smtpd[5412]: 41BD520E11: client=testserver.mydomain.com[192.168.100.50]
mailserver postfix/cleanup[5436]: 41BD520E11: message-id=<>
mailserver opendkim[5427]: 41BD520E11: DKIM-Signature field added (s=default, d=contoso.com)
mailserver postfix/qmgr[5406]: 41BD520E11: from=<[email protected]>, size=371, nrcpt=1 (queue active)
mailserver postfix/smtp[5437]: 41BD520E11: to=<[email protected]>, relay=ASPMX.L.GOOGLE.COM[173.194.76.27]:25, delay=0.4, delays=0.01/0/0.13/0.26, dsn=2.0.0, status=sent (250 2.0.0 OK 1610364907 k20si14443742wrc.23 - gsmtp)
mailserver postfix/qmgr[5406]: 41BD520E11: removed
But mail from webserver.domain.local
is not picked up as being internal despite the name of the client being resolved:
mailserver postfix/smtpd[5846]: connect from webserver.domain.local[192.168.100.51]
mailserver postfix/smtpd[5846]: 4F00620E11: client=webserver.domain.local[192.168.100.51]
mailserver postfix/cleanup[5850]: 4F00620E11: message-id=<>
mailserver opendkim[5840]: 4F00620E11: webserver.domain.local [192.168.100.51] not internal
mailserver opendkim[5840]: 4F00620E11: not authenticated
mailserver opendkim[5840]: 4F00620E11: no signature data
mailserver postfix/qmgr[5821]: 4F00620E11: from=<[email protected]>, size=371, nrcpt=1 (queue active)
mailserver postfix/smtp[5851]: 4F00620E11: to=<[email protected]>, relay=ASPMX.L.GOOGLE.COM[74.125.133.27]:25, delay=0.83, delays=0.01/0/0.43/0.39, dsn=2.0.0, status=sent (250 2.0.0 OK 1610365309 g124si15021166wma.170 - gsmtp)
mailserver postfix/qmgr[5821]: 4F00620E11: removed
Am I missing something relating to how hostnames are resolved or something more fundamental with how this functionality is implemented? I have also tried domain combinations of *.domain.local
and .domain.local
in /etc/opendkim/trusted.hosts
with no success.
Any and all help would be gratefully received.
Version numbers:
~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
~$ postconf mail_version
mail_version = 3.3.0
opendkim -V
~$ opendkim -V
opendkim: OpenDKIM Filter v2.11.0
Compiled with OpenSSL 1.1.1 11 Sep 2018
SMFI_VERSION 0x1000001
libmilter version 1.0.1
Supported signing algorithms:
rsa-sha1
rsa-sha256
Supported canonicalization algorithms:
relaxed
simple
Active code options:
POLL
QUERY_CACHE
USE_DB
USE_LDAP
USE_LUA
USE_ODBX
USE_UNBOUND
_FFR_ATPS
_FFR_RBL
_FFR_REPLACE_RULES
_FFR_SENDER_MACRO
_FFR_STATS
_FFR_VBR
libopendkim 2.11.0: atps query_cache
Solution 1:
This was resolved by removing the leading asterisks from a domain wildcard in /etc/opendkim/trusted.hosts
. The asterisks being there not only stopped the domain wildcard from working but also stopped all other string entries in the file from working, although IP addresses were not affected.
IP addresses work but strings do not:
127.0.0.1
::1
localhost
mailserver # mail server hostname
192.168.100.50 # test server
webserver.domain.local # web server
.domain.local # entire local domain
*.testdomain.local # entire local test domain
IP addresses and strings both work:
127.0.0.1
::1
localhost
mailserver # mail server hostname
192.168.100.50 # test server
webserver.domain.local # web server
.domain.local # entire local domain
.testdomain.local # entire local test domain