Thanks again Todd and sorry about the obfuscation.

Not really happy with domaincontrol.com; their web management sucks, pops up occasional errors and it's terribly slow. Maybe planning on moving my domains. Will see how it will work with opendkim.

I think that I will implement opendkim today and remove dkim-filter. Will try to find a good how-to (Ubuntu 10.04 postfix/opendkim) with support for peerlist... I think that's what it's called, the InternalHosts there.

Thanks


From: Todd Lyons <tlyons@ivenue.com>
To: "alforreca_2000@yahoo.com" <alforreca_2000@yahoo.com>; dkim-milter general discussion <dkim-milter-discuss@lists.sourceforge.net>
Sent: Mon, 27 September, 2010 16:06:22
Subject: Re: [dkim-milter-discuss] [SPAM] Help would be appreciated bad sig + hardfail ?!

On Mon, Sep 27, 2010 at 12:30 AM, alforreca_2000@yahoo.com
<alforreca_2000@yahoo.com> wrote:
> Thanks Todd,
> In fact everywhere it says example.com should say zaaam.com. I edited the
> email and replaced all zaaam by example.
> The problem is not there :(

Ok, but I'll mention that when you obfuscate things like that, you
make it impossible for us to diagnose and see the real problem.  If
you're obfuscating in the future, please announce it so that we will
know to overlook that.

Hmmm, postfix, don't really have any experience with milters and
postfix, so you'll have to ask others for more help.

One thing that I do see that is really weird is this:

CentOS48[root@smtp4 mail]# dig +trace -t txt mail._domainkey.zaaam.com 2>&1 | grep mail._domainkey | grep -v txt
mail._domainkey.zaaam.com. 0    IN    NS    WlVRXnlaUoaZ._domainkey.zaaam.com.

CentOS48[root@smtp4 mail]# dig +trace -t txt mail._domainkey.zaaam.com 2>&1 | grep mail._domainkey | grep -v txt
mail._domainkey.zaaam.com. 0    IN    NS    OZQZRVjdXoPK._domainkey.zaaam.com.

CentOS48[root@smtp4 mail]# dig +trace -t txt mail._domainkey.zaaam.com 2>&1 | grep mail._domainkey | grep -v txt
mail._domainkey.zaaam.com. 0    IN    NS    UcimUfdKNjjV._domainkey.zaaam.com.

CentOS48[root@smtp4 mail]# dig +trace -t txt mail._domainkey.zaaam.com 2>&1 | grep mail._domainkey | grep -v txt
mail._domainkey.zaaam.com. 0    IN    NS    TkdiOKUSSeim._domainkey.zaaam.com.

I'm not saying that's what is wrong, but it sure is very odd.  If I
query your two nameservers directly, I get the same strange results:

CentOS48[root@smtp4 mail]# dig -t txt mail._domainkey.zaaam.com @ns25.domaincontrol.com

; <<>> DiG 9.2.4 <<>> -t txt mail._domainkey.zaaam.com @ns25.domaincontrol.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4691
;; flags: qr cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail._domainkey.zaaam.com.    IN    TXT

;; AUTHORITY SECTION:
mail._domainkey.zaaam.com. 0    IN    NS    VYYiMQkZLYfc._domainkey.zaaam.com.

I am going to guess that something in the DNS query that dkim-filter
is doing is triggering the weird result above.  This will probably
require packet dumps of dns lookups going to your dns servers (or what
dns lookups are coming from the mail server attempting to verify the
signature).  Overall, it looks like something in DNS is configured
incorrectly at domaincontrol.com, or you are somehow unearthing a bug
in their dns software.

Googling, I found this:
  http://www.mail-archive.com/bind-users@lists.isc.org/msg06399.html
...which may not be related.

> Should I remove dkim and install Opendkim then?

I think you should consider using opendkim, yes, because it's a newer
version with another year of development and improvements.  You'll
also find more people with milter/postfix experience and actual
operation.  However, I will also advise that if dkim-filter does not
generate signatures that verify, that you will likely have the same
problem with opendkim until you figure out what's wrong.
--
Regards...      Todd
I seek the truth...it is only persistence in self-delusion and
ignorance that does harm.  -- Marcus Aurelius
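
The check described in the message above, as an added example that is not part of the original thread: it classifies saved dig output for a DKIM selector as a TXT answer or as the NS referral seen here, and counts how many different NS targets repeated queries returned. The function names are assumptions of this example; the zaaam.com lines are copied from the thread and the example.com response is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Functions read saved dig output on stdin.

# classify_dig NAME -> txt-found | referral-no-txt | no-data
classify_dig() {
    awk -v q="$1" '
        BEGIN { q = tolower(q); sub(/\.$/, "", q) }
        /^;; ANSWER SECTION:/    { sec = "answer"; next }
        /^;; AUTHORITY SECTION:/ { sec = "authority"; next }
        /^;; /                   { sec = ""; next }   # any other dig section or status line
        /^;/ || NF < 5           { next }             # comments and blank lines
        sec == "answer" && $4 == "TXT" { txt = 1 }    # a key record was returned
        sec == "authority" && $4 == "NS" {            # delegation at the selector name itself
            n = tolower($1); sub(/\.$/, "", n)
            if (n == q) ns = 1
        }
        END { print (txt ? "txt-found" : (ns ? "referral-no-txt" : "no-data")) }'
}

# distinct_ns_targets: how many different NS targets repeated queries returned
distinct_ns_targets() {
    awk '$4 == "NS" { seen[tolower($5)] = 1 }
         END { for (k in seen) c++; print c + 0 }'
}

# Direct answer from ns25.domaincontrol.com, copied from the thread
sample_direct() { cat <<'EOF'
;; flags: qr cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mail._domainkey.zaaam.com.    IN    TXT
;; AUTHORITY SECTION:
mail._domainkey.zaaam.com. 0    IN    NS    VYYiMQkZLYfc._domainkey.zaaam.com.
EOF
}

# The four repeated +trace results, copied from the thread
sample_trace() { cat <<'EOF'
mail._domainkey.zaaam.com. 0 IN NS WlVRXnlaUoaZ._domainkey.zaaam.com.
mail._domainkey.zaaam.com. 0 IN NS OZQZRVjdXoPK._domainkey.zaaam.com.
mail._domainkey.zaaam.com. 0 IN NS UcimUfdKNjjV._domainkey.zaaam.com.
mail._domainkey.zaaam.com. 0 IN NS TkdiOKUSSeim._domainkey.zaaam.com.
EOF
}

# Constructed healthy response for contrast (placeholder key, not real data)
sample_ok() { cat <<'EOF'
;; ANSWER SECTION:
mail._domainkey.example.com. 3600 IN TXT "v=DKIM1; k=rsa; p=PLACEHOLDER"
EOF
}
```

A result of referral-no-txt from every authoritative server, with a different NS target on each query, means a verifier cannot fetch the public key, whichever signing filter produced the signature.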