At 21:22 15-07-2006, Jim Popovitch wrote:
>I've been using dk-milter with Mailman for a while now, things have been
>going well. Tonight I brought up a new Mailman system and took down the
>old one. Email from the old Mailman system had been pointing to the
>same smtp gateway as the new system uses. My problem is that Mailman's
>email from the new system fails signature tests. DNS is the same,

Can you send me a test email off-list?

At 01:19 16-07-2006, Jim Popovitch wrote:
>Some more info:
>dk-filter runs on a mail gateway/queue with 2 interfaces 10.10.1.1 and a
>args: -l -bs -p inet:8891@... -c simple -d example.com -s
>/etc/dkfilter/dk1.key.pem -S dk1 -u dkfilter -m local -f -I
>"external-hosts" contains both the name and IP address of the host
>relaying mail through this gateway.
>"local" is the sendmail daemon of which there are these three daemon
>options in sendmail.mc:
>DAEMON_OPTIONS(`Name=private, Addr=10.11.1.1 Port=25')
>DAEMON_OPTIONS(`Name=public, Addr=WW.XX.YY.ZZ Port=25')
>DAEMON_OPTIONS(`Name=local, Addr=127.0.0.1, Port=25')
>as well as:
>If I use "-m local" no emails are signed. If I use "-l private" I get a
>log entry that says bad sig (even though the sig is good and has been
>for months, it just moved to a new host). If I use "-l public" no
>emails are signed. The crazy thing is that when the old Mailman
>install, on an off-site host, sent email directly to the gateway (over
>its public IP) it was properly signed and delivered. Now that email is
>coming into the gateway via its private interface I can't seem to get
>it to sign correctly.

Was mailman sending the mail through localhost (local) when you
tested with "-m local"?

>Just to be clear, using this setup:
> Internet -> MX -RFC1918-> Mailman -RFC1918-> SMTP-Gateway -> Internet
> where should dk-filter exist in order to sign outgoing email?

It's better to verify at the boundary (MX) and sign at SMTP Gateway.