OpenDKIM milter not signing relayed mail

Solution 1:

In Postfix, make sure /etc/postfix/main.conf contains:

milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}

This will ensure that mail coming from authenticated users will be signed by OpenDKIM. As per documentation:

A message will be verified unless it conforms to the signing criteria, which are: (1) the domain on the From: address (if present) must be listed by the -d command line switch or the Domain configuration file setting, and (2) (a) the client connecting to the MTA must have authenticated, or (b) the client connecting to the MTA must be listed in the file referenced by the InternalHosts configuration file setting (or be in the default list for that option), or (c) the client must be connected to a daemon port named by the MTAs configuration file setting, or (d) the MTA must have set one or more macros matching the criteria set by the MacroList configuration file setting.

For (a) above, the test is whether or not the MTA macro "{auth_type}" is set and contains any non-empty value. This means the MTA must pass the value of that macro to the filter before or during the end-of-header (EOH) phase in order for its value to be tested.
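The following sketch is an added example, not part of the original answer and not OpenDKIM's or Postfix's own code. It models criteria (1), (2)(a) and (2)(b) from the quoted documentation to show why an authenticated relay session is only signed when {auth_type} is in the macro list the MTA sends. The function names, the sample session values and the 127.0.0.1 default for InternalHosts are assumptions; criteria (c) and (d) are left out.

```python
import ipaddress

# Constructed sample: what the MTA knows about one authenticated SMTP session.
SESSION = {
    "i": "4F2A1C0D",
    "{mail_addr}": "alice@example.com",
    "{client_addr}": "203.0.113.25",
    "{client_name}": "client.example.net",
    "{auth_authen}": "alice",
    "{auth_type}": "PLAIN",
}

def macros_sent(milter_mail_macros, session):
    """Only macros named in milter_mail_macros reach the filter."""
    wanted = milter_mail_macros.replace(",", " ").split()
    return {name: session[name] for name in wanted if name in session}

def is_internal(client_addr, internal_hosts):
    """True if the client address falls in any InternalHosts entry."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in internal_hosts)

def decide(from_domain, signing_domains, macros, client_addr,
           internal_hosts=("127.0.0.1",)):  # assumed default list
    """Return 'sign' or 'verify' per criteria (1), (2)(a), (2)(b)."""
    # (1) the From: domain must be one of the configured signing domains
    if from_domain.lower() not in {d.lower() for d in signing_domains}:
        return "verify"
    # (2)(a) authenticated: {auth_type} was passed and is non-empty
    if macros.get("{auth_type}", ""):
        return "sign"
    # (2)(b) client address listed in InternalHosts
    if is_internal(client_addr, internal_hosts):
        return "sign"
    return "verify"

def outcome(milter_mail_macros, client_addr="203.0.113.25",
            from_domain="example.com"):
    """Decision for the sample session under a given macro list."""
    macros = macros_sent(milter_mail_macros, SESSION)
    return decide(from_domain, ["example.com"], macros, client_addr)

if __name__ == "__main__":
    with_auth = "i {mail_addr} {client_addr} {client_name} {auth_authen} {auth_type}"
    without_auth = "i {mail_addr} {client_addr} {client_name}"
    print("macro list with {auth_type}:   ", outcome(with_auth))
    print("macro list without {auth_type}:", outcome(without_auth))
```
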