0

We have developers who like to do things their own way, regardless of advice given. One of these is to send emails with completely bogus sender-addresses

I'd like to get OpenDKIM to reject or drop emails that it can't sign - is this possible?

Jan  4 21:30:25 smtp2 opendkim: 12345: no signing table match for '[email protected]'
Jan  4 21:30:25 smtp2 opendkim: 12345: no signature data

There are no configuration options that seem relevant other than SendReports yes which generates a new email back to the sender while continuing to send the unsigned original.

I've explored Canonicalization but that's unrelated.

Question: Can OpenDKIM stop delivery of an email that it can't sign ?

Improve this question
3
  • The best I can get is for sendmail to reject an email if opendkim is not running, by following ibm.com/docs/en/aix/… and appending a , F=R in the S= section. This isn't what I wanted.
    – Criggie
    Commented Jan 11 at 23:08
  • 2
    It's not the job of the DKIM signer to stop mails from being sent, that's the job of the MTA. If you are using sendmail, sendmail is the right place to reject the mails.
    – Gerald Schneider
    Commented Jan 15 at 6:09
  • @GeraldSchneider excellent point - I've been going at this the wrong way. Could you post that as an answer so this can have a target for closure ?
    – Criggie
    Commented Jan 15 at 10:24

1 Answer 1

Reset to default
1
+100

the only job of the DKIM signer (in your case OpenDKIM) is to sign outgoing emails with the configured signign keys. It is not responsible for transporting the mails, that is the job of your installed mail transport agent (MTA).

If you are using sendmail, sendmail needs to be configured to accept only authenticated connections and reject mails from connections that are not authenticated.

Improve this answer
1
  • Thank you for refocusing me on the real problem - I was clearly distracted by OpenDKIM's warning messages, when the MTA is what needs to do the hard work here.
    – Criggie
    Commented Jan 15 at 10:31

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .