feat: use daemon_name for OpenDKIM sign-verify decision instead of IP#784
Merged
feat: use daemon_name for OpenDKIM sign-verify decision instead of IP#784
Conversation
link2xt
had a problem deploying
to
staging2.testrun.org
GitHub Actions
Failure
link2xt
changed the title
Contributor
Author
|
If this does not fail I tested in #783 that the test works. |
link2xt
commented
Dec 18, 2025
| MTA ORIGINATING | ||
|
|
||
| # No hosts are treated as internal, ORIGINATING daemon name should be set explicitly. | ||
| InternalHosts - |
Contributor
Author
There was a problem hiding this comment.
This - is used in some OpenDKIM tests:
https://github.com/trusteddomainproject/OpenDKIM/blob/master/opendkim/tests/t-sign-ss-macro.conf#L9
link2xt
commented
Dec 18, 2025
| -o smtpd_sender_restrictions=$mua_sender_restrictions | ||
| -o smtpd_recipient_restrictions= | ||
| -o smtpd_relay_restrictions=permit_sasl_authenticated,reject | ||
| -o milter_macro_daemon_name=ORIGINATING |
Contributor
Author
There was a problem hiding this comment.
This is unused because there is no milter.
link2xt
commented
Dec 18, 2025
| -o smtpd_recipient_restrictions= | ||
| -o smtpd_relay_restrictions=permit_sasl_authenticated,reject | ||
| -o smtpd_client_connection_count_limit=1000 | ||
| -o milter_macro_daemon_name=ORIGINATING |
Contributor
Author
There was a problem hiding this comment.
This was also unused, it's just a cleanup.
feld
had a problem deploying
to
staging-ipv4.testrun.org
GitHub Actions
Failure
feld
had a problem deploying
to
staging2.testrun.org
GitHub Actions
Failure
link2xt
had a problem deploying
to
staging2.testrun.org
GitHub Actions
Failure
link2xt
had a problem deploying
to
staging2.testrun.org
GitHub Actions
Failure
Contributor
Author
|
This is supposed to work: http://www.trusteddomain.org/pipermail/opendmarc-users/2013-June/000153.html Here is the source code where |
link2xt
had a problem deploying
to
staging2.testrun.org
GitHub Actions
Failure
Contributor
Author
|
Seems the problem is that all the OUTGOING stuff works, but final.lua runs even for outgoing messages and this does not work anymore: relay/cmdeploy/src/cmdeploy/opendkim/final.lua Lines 1 to 5 in 7191329 We should not use |
link2xt
temporarily deployed
to
staging-ipv4.testrun.org
GitHub Actions
Inactive
link2xt
temporarily deployed
to
staging2.testrun.org
GitHub Actions
Inactive
link2xt
force-pushed
the
link2xt/opendkim-macros
branch
from
51a95c6 to
906c255
Compare
link2xt
had a problem deploying
to
staging2.testrun.org
GitHub Actions
Error
link2xt
had a problem deploying
to
staging-ipv4.testrun.org
GitHub Actions
Error
On FreeBSD 127.0.0.2 is not assigned to any interface by default,
so 127.0.0.2 source address hack cannot be used to make OpenDKIM
verify the signature instead of signing.
This change sets InternalHosts to `-` so no IP addresses
make OpenDKIM sign the message. Instead of IP address,
OpenDKIM in the outgoing pipeline is explicitly told
to sign messages by setting `{daemon_name}` macro to `ORIGINATING`.
link2xt
force-pushed
the
link2xt/opendkim-macros
branch
from
906c255 to
34ce54a
Compare
link2xt
temporarily deployed
to
staging-ipv4.testrun.org
GitHub Actions
Inactive
link2xt
had a problem deploying
to
staging2.testrun.org
GitHub Actions
Failure
link2xt
temporarily deployed
to
staging2.testrun.org
GitHub Actions
Inactive
link2xt
changed the title
missytake
approved these changes
Dec 19, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On FreeBSD 127.0.0.2 is not assigned to any interface by default,
so 127.0.0.2 source address hack cannot be used to make OpenDKIM
verify the signature instead of signing.
This change sets InternalHosts to
-so no IP addressesmake OpenDKIM sign the message. Instead of IP address,
OpenDKIM in the outgoing pipeline is explicitly told
to sign messages by setting
{daemon_name}macro toORIGINATING.This is a replacement for #778