#174 forwarding loop result in permerror


Whenever you are sending mail to an external host that will in the end resend it back to you (a common use case being mailing-lists or any kind of redirections), opendkim will generate a somehow false permerror "verification error: multiple keys found".

In fact what happens is that while the mail is sent and signed successfully, when it returns back to you, opendkim will see that as an illegal attempt at getting the mail signed (while it has already been signed) and generate a 'external host other.server.example.net attempted to send as opendkim.enabled.example.net' log warning. Furthermore, it will mark the message as non-Authenticated (while it is).

You can obviously override this behaviour using ExternalIgnoreHost, but that requires that it contains any kind of mailing list you may be sending to...

Expected behaviour would be to implicitly trust an already signed mail and to set Authentication-Results to pass with no error in the log.


  • pad

    pad - 2013-07-30

    Hum, in fact it was a misconfiguration on my part that caused the A-R permfail.

    However, the error message "external host other.server.example.net attempted to send as opendkim.enabled.example.net" is still a bug in my opinion.

  • Murray S. Kucherawy

    • status: open --> pending
  • Murray S. Kucherawy

    "multiple keys found" is a DNS problem. It means a query was issued for a public key but more than one reply came back from the DNS. Unless the two keys returned are identical, it's random whether the verification will succeed. Rather than deliver unstable results, libopendkim reports that as an error.

    In the case of the returned message, the "non-Authenticated" means the client was non-authenticated, not the message; that is, the client didn't connect using SMTP AUTH. That's almost certainly correct.

    As for getting rid of the ExternalIgnoreHost warning, you can just set that to "*" to suppress this warning completely. The warning is generated as the filter is trying to decide whether the message should be signed or verified, but it does not yet know if the signature(s) on the message validate. Thus, it can't suppress this warning automatically based on the presence of a valid signature, because it won't know that until much later.

    It could be that this warning is not as useful as it used to be. You might suggest on opendkim-users that we consider removing it altogether, or defaulting it to "off" or something.

  • Murray S. Kucherawy

    • status: pending --> closed-out-of-date

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

No, thanks