Domainkey Configuration

Discussion in 'Installation/Configuration' started by ndorphine, Apr 25, 2007.

  1. ndorphine

    ndorphine New Member

    For the past couple of days I've been trying in vain to set up domainkey filtering with postfix. I've followed the tutorial at and have been through John Long's ( example numerous times, but my mails simply aren't being signed. In my postfix log I get the following:

    Apr 25 17:34:53 stgsrv postfix/smtpd[7392]: connect from localhost.localdomain[]
    Apr 25 17:34:53 stgsrv postfix/smtpd[7389]: NOQUEUE: client=localhost.localdomain[]
    Apr 25 17:34:53 stgsrv postfix/smtpd[7392]: 3843F9C451: client=localhost.localdomain[]
    Apr 25 17:34:53 stgsrv[29557]: DomainKeys verification - neutral (no signature; no policy for; 
    The mails get sent but without being signed.
    I've followed both examples closely and read around fairly extensively. This is driving me nuts.

    my looks like this
    smtp      inet  n       -       n       -       -       smtpd
            -o smtpd_proxy_filter=
            -o smtpd_client_connection_count_limit=10
     inet n  -       n       -        -      smtpd
        -o smtpd_authorized_xforward_hosts=
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=
        -o receive_override_options=no_unknown_recipient_checks
    pickup    fifo  n       -       n       60      1       pickup
            -o content_filter=dksign:
    for inbound filter and like this
    submission  inet  n     -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o content_filter=dksign:[]:10027
        -o receive_override_options=no_address_mappings
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    # specify the location of the DomainKeys signing filter
    dksign    unix  -       -       n       -       10      smtp
        -o smtp_send_xforward_command=yes
        -o smtp_discard_ehlo_keywords=8bitmime
    # service for accepting messages FROM the DomainKeys signing filter
    # inet  n  -      n       -       10      smtpd
        -o smtpd_use_tls=no
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
        -o smtpd_helo_restrictions=
        -o smtpd_client_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o mynetworks=
        -o smtpd_authorized_xforward_hosts=
    For the outbound filter

    All the mails are generated by a Rails app on the localhost.
    Fedora Core 6
    Postfix 2.4
    dkfilter 0.11

    If there's another surefire way to sign with domainkeys let me know :)
  2. ethanlifka

    ethanlifka New Member

    same issue

    I too am having the same problem, but I did get the policy to verify.

    For the policy, make sure you have a TXT entry in your DNS for the policy with your TXT entry for the key.

    e.g. IN TXT "t=y; o=~; n="

    Restart DNS, then wait for DNS to update.

    You can check it locally:
    # dig TXT

    Remote CMD check
    > set type=txt

    But I still get a "no signature" even though my key is verified and passes, but Yahoo says "DomainKeys verification - neutral (no signature; domain testing);"
    Last edited: Dec 29, 2008
  3. ethanlifka

    ethanlifka New Member

    Solved my issue.

    I missed the part about port 587. In order to have email signed you need to change the outbound port from 25 (default) to 587. In Outlook I went to my account properties, Advanced tab (for each account). I know that it can be a hassle to have all your clients change this in Outlook, but domainkeys cannot sign and verify on the same port. In Webmail I changed the smtp.class.php and phpmailer.class.php to use port 587 instead of 25. This is important if your users will be using your server-side email programs such as Telaen or SquirrelMail. My classes for Telaen were in /webmail/inc/.

    Although I recently changed from dkfilter to DKIM, this still holds true for DKIM.
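
The routing question behind this thread, as an added example that is not part of any post: a small Python check that reads a master.cf and reports, for each listener that accepts mail, whether its messages are handed to the signing filter or only to the verifying one. The sample file is constructed, its loopback addresses and ports are assumptions (the thread's own values were not preserved), and the function names are hypothetical.

```python
import re

# Constructed sample in the thread's layout; addresses and ports are assumed.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
    -o smtpd_proxy_filter=127.0.0.1:10025
127.0.0.1:10026 inet n  -  n  -  -  smtpd
pickup     fifo  n  -  n  60 1  pickup
    -o content_filter=dksign:[127.0.0.1]:10027
submission inet  n  -  n  -  -  smtpd
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[127.0.0.1]:10027
dksign     unix  -  -  n  -  10 smtp
    -o smtp_send_xforward_command=yes
127.0.0.1:10028 inet n  -  n  -  10 smtpd
    -o content_filter=
"""

def parse_master_cf(text):
    """Map service name -> {"command": ..., "opts": {...}} from master.cf text."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if line[0].isspace():             # leading whitespace continues the previous entry
            if current is not None:
                current["opts"].update(re.findall(r"-o\s+([^\s=]+)=(\S*)", line))
            continue
        fields = line.split()
        if len(fields) < 8:
            continue                      # not a complete service entry
        current = {"command": fields[7], "opts": {}}
        services[fields[0]] = current
    return services

def mail_paths(services):
    """Say which filter, if any, mail entering through each listener passes."""
    paths = {}
    for name, svc in services.items():
        if svc["command"] not in ("smtpd", "pickup"):
            continue                      # delivery transports such as dksign accept no mail
        opts = svc["opts"]
        if opts.get("content_filter"):    # thread's layout: points at the signing filter
            paths[name] = "signed via " + opts["content_filter"]
        elif opts.get("smtpd_proxy_filter"):  # thread's layout: the verifying filter
            paths[name] = "verified via " + opts["smtpd_proxy_filter"]
        else:
            paths[name] = "no filter"
    return paths
```

On the sample, `mail_paths(parse_master_cf(SAMPLE_MASTER_CF))` shows only `pickup` and `submission` reaching `dksign`, while the port 25 `smtp` listener gets verification only. Per-service `-o` overrides are all it reads; a global `content_filter` in main.cf is outside its scope.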
