Boy that was a mouthful…
Ok, I will provide any additional information that you guys will require, but here is the "weird" issue I am seeing.
Have an established network for a major company, Exchange server, 2 Sendmail servers handling inbound/outbound mail traffic. OpenDKIM running on both servers, verifying and signing inbound/outbound mail. Have one maillist server, Sendmail/Majordomo running on Solaris 10 server. It is old, but functioning properly, but becoming old and failing occasionally. So, I went ahead and built a new CentOS 6.0 server, with Sendmail and Majordomo configured. The server is obviously a different name than it predecessor, but will be renamed when put into service.
My issue is a weird one: the "new" maillist server functions fine, it accepts emails sent to firstname.lastname@example.org
and distributes them accordingly. Everything seems fine except that upon inspection of the headers of the sent emails, the DOMAINKEY-SIGNATURE is missing. Yahoo.com shows it as a bad SIG and it is, because when viewing the outbound mail log, that portion of the process is just skipped for this server. Now the twist. If I use Mailx from the same server, sending to email@example.com
, Sendmail/Majordomo distribute the emails and the outbound mailserver signs the emails fine, OpenDKIM and DOMAINKEY-Signature and Yahoo is happy. The emails I am testing with are sent internally from my Outlook, attached to an Exchange mail server.
Outlook -> mailserver1 -> OLD maillistserver/sendmail -> mailserver2 -> the world. PASS
Outlook -> mailserver1 -> NEW maillistserver/sendmail -> mailserver2 -> the world. FAIL
NEW maillistserver/Sendmail -> mailserver2 -> the world. PASS
Now I have checked every setting possible, comparing the old maillist server to the new. There are some small differences because of the versions of software used, but I have matched almost everything perfectly. I have combed through the incoming/outgoing mailservers for any mention of the old mailserver or some rule that would explain this.
I have looked at the OpenDKIM config files and local-host-names file on both mail servers and everything is fine.
All I can think of is that either:
1.) The new maillist server should be stripping the original DKIM authorization off or parsing the headers before passing it on to mailserver2 (but I have looked at the Sendmail/Majordomo config files every which way and see no differences between old and new)
2.) the outgoing mailserver2 (that is doing the final DKIM signature) is handling the emails differently from the old list server.
Same "new" maillist server. Log file from outgoing mail server. Sent from Outlook account to firstname.lastname@example.org
May 23 10:42:39 mail sendmail: r4NEgc0n008157: Milter insert (1): header: X-DKIM: OpenDKIM Filter v2.4.2 mail.domain.org r4NEgc0n008157
May 23 10:42:39 mail sendmail: r4NEgc0n008157: milter=dk-domain, action=eoh, accepted
May 23 10:42:39 mail sendmail: r4NEgc0n008157: milter=dk-domain2, action=eoh, accepted
May 23 10:42:39 mail sendmail: r4NEgc0n008157: milter=dk-domain3, action=eoh, accepted
Passed right by dk-domain and never applied the domainkey-signature.
Sent using Mailx from server.domain.org to email@example.com
May 23 11:14:18 mail sendmail: r4NFEGmH009657: Milter insert (1): header: X-DKIM: OpenDKIM Filter v2.4.2 mail.domain.org r4NFEGmH009657
May 23 11:14:18 mail sendmail: r4NFEGmH009657: Milter insert (1): header: DomainKey-Signature: a=rsa-sha1; s=mail; d=domain.org; c=nofws; q=dns;\n\th=x-dkim: from:date:to:subject:user-agent:content-type:content-transfer-encodingbla bla bla bla bla
May 23 11:14:18 mail sendmail: r4NFEGmH009657: milter=dk-domain2, action=eoh, accepted
May 23 11:14:18 mail sendmail: r4NFEGmH009657: milter=dk-domain3, action=eoh, accepted
I would appreciate anyone's thoughts or ideas on what to look into for this. Like I have said, I have been staring at this for a week now and nothing is obvious. I know it probably has to do with the headers applied once it leaves Outlook/Exchange and them needing to be parsed or cleaned up, but there is nothing obvious on either mail server nor the old maillist server that is handling this.