Here are some frequently asked questions, with answers.
The most common reason for messages not getting signed is that your outbound mail is not going through DKIMproxy. If you use the setup recommended on this site, you will need to configure your mail client (e.g. Thunderbird) to use port 587 to submit mail. This is a change from the usual default of port 25.
See the next question if your mail client uses the sendmail command-line interface (rather than SMTP) to submit mail.
If your mail is going through DKIMproxy, then check your mail log file for an explanation. DKIMproxy will write to the log file for every message it relays.
Email submitted using Postfix sendmail on the same server as DKIMproxy will not get signed unless you add the content_filter option to the pickup interface in master.cf.
pickup fifo n - n 60 1 pickup
    -o content_filter=dksign:[127.0.0.1]:10027
Your outgoing mail is going through the DKIMproxy verifier (dkimproxy.in) instead of the DKIMproxy signer (dkimproxy.out). Messages are verified or signed depending on which Postfix port you submit the mail on. If you followed my instructions, Postfix port 25 mail gets verified (this is the port other MTAs use to send mail to you) and Postfix port 587 mail gets signed. Most email clients (e.g. Thunderbird) default to port 25, so you should change that to port 587. (Port 587 is the standard mail submission port according to RFC 2476.)
Yes. In your master.cf, look at the example for using the submission port, and add those same parameters to the smtp service. This will configure Postfix to reject incoming mail, so only use this fix if you really only send mail with your server. E.g. you might have...
smtp inet n - n - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
submission inet n - n - - smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Postfix is trying to use TLS (encryption) when sending email through the content filter. This won't work. You'll need to configure your post-dksign-smtpd server to not announce TLS support, or configure your pre-dksign-smtp client to not use TLS.
This example shows how to configure the post-dksign-smtpd server to not announce TLS support.
#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet n - n - 10 smtpd
    -o smtpd_use_tls=no
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
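As an added example (not part of the DKIMproxy documentation), this Python script audits a master.cf for the conditions the answers above describe: pickup and submission hand mail to the signer, and the listener that takes mail back from the filter has an empty content_filter= and smtpd_use_tls=no. The function names and the sample file are constructed for illustration; the transport name dksign and the listener 127.0.0.1:10028 are the ones used in this page's examples, and only the server-side TLS fix is checked.

```python
import re

# Matches "-o name=value" overrides (assumption: the "-o { name = value }" form is not used).
OPT = re.compile(r"(?<!\S)-o\s+(\w+)=(\S*)")

# Constructed sample master.cf: pickup lacks the filter, the listener still offers TLS.
SAMPLE = """\
pickup     fifo n - n 60 1 pickup
submission inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
127.0.0.1:10028 inet n - n - 10 smtpd
    -o content_filter=
"""

def parse_master_cf(text):
    """Map service name -> {option: value}, joining indented continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()  # continuation of the previous entry
        else:
            entries.append(line.strip())
    return {e.split()[0]: dict(OPT.findall(e)) for e in entries}

def audit(text, signer="dksign:", reinject="127.0.0.1:10028"):
    """Return findings for the signing setup; an empty list means every check passed."""
    services = parse_master_cf(text)
    findings = []
    for name in ("pickup", "submission"):
        opts = services.get(name)
        if opts is None:
            findings.append(f"{name}: service not defined")
        elif not opts.get("content_filter", "").startswith(signer):
            findings.append(f"{name}: no content_filter to the signer, mail is not signed")
    back = services.get(reinject)
    if back is None:
        findings.append(f"{reinject}: listener for mail from the filter not defined")
    else:
        if back.get("content_filter") != "":
            findings.append(f"{reinject}: missing empty content_filter= override")
        if back.get("smtpd_use_tls") != "no":
            findings.append(f"{reinject}: TLS is still announced to the filter")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To check a live configuration, pass the contents of your own master.cf to audit() in place of SAMPLE.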
You are running dkimproxy.in and/or dkimproxy.out, and you connect to the listening port, but the connection is terminated immediately. Furthermore, you get the following output from dkimproxy:
./dkimproxy.in: socket connect failure: Connection refused
(On some platforms, the error is socket connect failure: Invalid argument.)
The filter is unable to connect to its "destination" port. Normally, Postfix should be listening on this port. Make sure you have added the appropriate entries to master.cf for the listening port and have restarted Postfix.
Last updated: 2008-07-17