From: Steven M J. <sm...@cr...> - 2004-10-19 17:05:02

sgr...@bo... wrote:
> No matter what I do I always get the following error:
>
> dk-filter[23982]: i9I9JNs9025960 external host borgnet.net
> attempted to send as borgnet.net
>
> And no header is inserted.

Since nobody else has responded, I'll do my best to screw things up further...

You don't mention anything about your configuration. Is the dk-filter running on a DMZ/gateway MTA, and the message is originating on an internal host? If this is the case, or something similar, have you told the filter that this and other internal hosts are to have their messages signed rather than checked, using the -i flag?

In my case the filter runs on a gateway machine, and aside from the other options is given the -i flag with a file that tells it to sign mail coming from any internal host, as noted by the IP address. Here's an example of what's in the file:

  6 hup% cat /etc/mail/dk/internalnet
  198.133.223.0/24
  7 hup%

So basically anything coming from this private net will be signed and passed on, provided sendmail is otherwise configured to do so (access map, etc).

Good luck. If that doesn't do it, tell us something about the topology of the machines involved, and exactly what flags the dk-filter is being started with.

--Steve.
From: Steven M J. <sm...@cr...> - 2004-10-19 19:20:43

Scott Grayban writes:
> In the dk-filter-list I have:
> /root/dk-milter-0.2.2/dk-filter/gawth.org.private
> /root/dk-milter-0.2.2/dk-filter/borgnet.net.private

Okay. From the man page, I think you can only have host identifiers in the file used as an argument to -i. Those can be FQDNs, domains/subdomains, CIDR blocks or individual IP addresses. See the example in my previous message. You definitely do not want to list private keys here, if that's what those filenames represent.

I haven't tried to make it work with signing for multiple domains at this stage, so I can't speak from experience if that's what you're trying to do. I'd suggest that you put the addresses or a CIDR block in the file /etc/mail/dk-filter-ilist and see if you can get it working for both hosts under the single domain borgnet.us as a first step, then take it from there.

Also, I'm assuming in all this that dk-filter runs on the .17 box (which can connect to/from the outside), and that the .21 box relays outbound through .17.

Hope this helps,
--Steve.
From: Steven M J. <sm...@cr...> - 2004-10-19 22:44:32

> Well I finally got my key for borgnet.net to work and it passed with
> dk...@bl...

Speaking of which, there's an autoresponder at sa...@cr... that will give you an actual verbose report of which sender auth schemes it was able to verify. This is where I tested the code; it may go away in future. It's currently being reviewed to be put up permanently at sendmail.net. (Disclaimer: I'm a Sendmail employee in sheep's clothing.) It's using dk-milter and sid-milter, both at v0.2.2.

It was useful as a quick test for GMail when they turned on DK signing.

Enjoy,
--Steve.

Steve Jones  ...!crash.com!smj  Arlington, Mass.
CRASH!! Computing  (any spambots parse bang paths?)
"Chaos will ensue if the variable i is altered..." -- SysV Programmers Guide
From: Scott G. <sgr...@bo...> - 2004-10-19 23:18:55

On Tuesday 19 October 2004 3:44 pm, Steven M Jones wrote:
> > Well I finally got my key for borgnet.net to work and it passed with
> > dk...@bl...
>
> Speaking of which, there's an autoresponder at sa...@cr...
> that will give you an actual verbose report of which sender auth
> schemes it was able to verify. This is where I tested the code, it
> may go away in future. It's currently being reviewed to be put up
> permanently at sendmail.net. (Disclaimer: I'm a Sendmail employee
> in sheep's clothing.) It's using dk-milter and sid-milter, both
> at v0.2.2
>
> It was useful as a quick test for GMail when they turned on DK
> signing.
>
> Enjoy,
> --Steve.

Ahhhhh bloody hell........ I swear this is so confusing. That email address said the keys don't match.

  Authentication System: Domain Keys
  Result: DK signature confirmed BAD
  Description: Signature verification failed, message may have been tampered with or corrupted
  Reporting host: gate.crash.com
  More information: http://antispam.yahoo.com/domainkeys
  Sendmail milter: http://www.sendmail.net/dk-milter

  Authentication System: Sender ID
  Result: SID data NOT confirmed
  Description: Published data is inconclusive. Sending domain may not be using SID
  Reporting host: gate.crash.com
  More information: http://www.microsoft.com/senderid
  Sendmail milter: http://www.sendmail.net/sid-milter

  Authentication System: Sender Permitted From (SPF)
  Result: SPF data NOT confirmed
  Description: Published data is inconclusive. Sending domain may not be using SPF
  Reporting host: gate.crash.com
  More information: http://spf.pobox.com/

Crap, I'm about to offer to pay to have it set up since the documentation is lacking in help setting this up.
From: Murray S. K. <ms...@se...> - 2004-10-20 23:00:56

On Tue, 19 Oct 2004, Steven M Jones wrote:
> > Well I finally got my key for borgnet.net to work and it passed with
> > dk...@bl...
>
> Speaking of which, there's an autoresponder at sa...@cr...
> that will give you an actual verbose report of which sender auth
> schemes it was able to verify.

sa...@se... is also available.
From: Scott G. <sgr...@bo...> - 2004-10-19 18:48:09

I have 1 box set up as a gateway for incoming/outgoing email also, and this is how dk-filter is started:

  dk-filter -l -d borgnet.us,borgnet.net,gawth.org -i /etc/mail/dk-filter-ilist
    -p /var/run/dk-filter.sock
    -s /root/dk-milter-0.2.2/dk-filter/borgnet.us.private -S borgnet.us -A

In the dk-filter-list I have:

  /root/dk-milter-0.2.2/dk-filter/gawth.org.private
  /root/dk-milter-0.2.2/dk-filter/borgnet.net.private

For the other 2 domains that are on that box also.

In my sendmail.cf I have:

  Other INPUT_MAIL_FILTER(`dk-filter', `S=/var/run/dk-filter.sock')

Which is placed after all milters I use.

Now mail is sent from both:

  63.230.134.17
  63.230.134.21

But only .17 is open to the outside and .21 is filtered for internal use.

I'm thinking I have missed a step someplace here.

Scott

On Tuesday 19 October 2004 10:04 am, Steven M Jones wrote:
> sgr...@bo... wrote:
> > No matter what I do I always get the following error:
> >
> > dk-filter[23982]: i9I9JNs9025960 external host borgnet.net
> > attempted to send as borgnet.net
> >
> > And no header is inserted.
>
> Since nobody else has responded, I'll do my best to screw
> things up further...
>
> You don't mention anything about your configuration. Is the
> dk-filter running on a DMZ/gateway MTA, and the message is
> originating on an internal host? If this is the case, or
> something similar, have you told the filter that this and
> other internal hosts are to have their messages signed
> rather than checked using the -i flag?
>
> In my case the filter runs on a gateway machine, and aside
> from the other options is given the -i flag with a file
> that tells it to sign mail coming from any internal host,
> as noted by the IP address. Here's an example of what's in
> the file:
>
> 6 hup% cat /etc/mail/dk/internalnet
> 198.133.223.0/24
> 7 hup%
>
> So basically anything coming from this private net will
> be signed and passed on, provided sendmail is otherwise
> configured to do so (access map, etc).
>
> Good luck. If that doesn't do it, tell us something about
> the topology of the machines involved, and exactly what
> flags the dk-filter is being started with.
>
> --Steve.
>
> -------------------------------------------------------
> This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
> Use IT products in your business? Tell us what you think of them. Give us
> Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
> http://productguide.itmanagersjournal.com/guidepromo.tmpl
> _______________________________________________
> dk-milter-discuss mailing list
> dk-...@li...
> https://lists.sourceforge.net/lists/listinfo/dk-milter-discuss

--
********************************************************************************
The information transmitted in this message and attachments (if any) is intended only for the person or entity to which it is addressed. The message may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information, by persons or entities other than the intended recipient is prohibited. If you have received this in error, please contact the sender and delete this e-mail and associated material from any computer. The intended recipient of this e-mail may only use, reproduce, disclose or distribute the information contained in this e-mail and any attached files, with the permission of the sender. This message has been scanned for viruses.
********************************************************************
pub 1024D/45DDA72C 2004-07-20 Scott Grayban <sgr...@bo...>
Primary key fingerprint: A188 33CC 5A09 FEAA 0AF9 A92B 94CF 423F 45DD A72C
From: Nate I. <dk-...@ko...> - 2004-10-19 19:47:11

> On Tue, Oct 19, 2004 at 11:47:35AM -0700, Scott Grayban wrote:
> In the dk-filter-list I have:
> /root/dk-milter-0.2.2/dk-filter/gawth.org.private
> /root/dk-milter-0.2.2/dk-filter/borgnet.net.private

That file should contain a list of internal hosts whose mail should be signed rather than verified. The private key file is specified with the -s option.

My understanding is that supporting multiple domains on the same system using different key pairs would require running more than one instance of the milter.

- Nate Itkin
From: Scott G. <sgr...@bo...> - 2004-10-19 20:30:50

On Tuesday 19 October 2004 12:46 pm, Nate Itkin wrote:
> > On Tue, Oct 19, 2004 at 11:47:35AM -0700, Scott Grayban wrote:
> > In the dk-filter-list I have:
> > /root/dk-milter-0.2.2/dk-filter/gawth.org.private
> > /root/dk-milter-0.2.2/dk-filter/borgnet.net.private
>
> That file should contain a list of internal hosts whose mail should be
> signed rather than verified. The private key file is specified with the -s
> option.
>
> My understanding is that supporting multiple domains on the same system
> using different key pairs would require running more than one instance of
> the milter.
>
> - Nate Itkin

Uhh wait a second...... It seems that is possible, but how would you set up the keypath and selector if you have multiple domains?

They say -d plus the domain(s) you want to sign for.......

  (5) Start dk-filter. You will need at least the "-p" option. The current
      recommended set of command line options is:

        -l -p SOCKETSPEC -d DOMAIN -s KEYPATH -S SELECTOR

      ...where SOCKETSPEC is the socket you told sendmail to use above,
      DOMAIN is the domain or set of domains for which you want to sign
      mail, KEYPATH is the path to the private key file you generated, and
      SELECTOR is the selector name you picked. You can tack "-f" on there
      if you want it to run in the foreground instead of in the background
      as a daemon.

So now I have this when starting dk-filter:

  dk-filter -l -d borgnet.us,borgnet.net,gawth.org -i /etc/mail/dk-filter-ilist
    -p /var/run/dk-filter.sock
    -s /root/dk-milter-0.2.2/dk-filter/borgnet.us.private -S borgnet.us -A

Notice the -d DOMAINS.

Now I got the keys to work right on .17 IF I send from there, but it doesn't work right if I send from .21 even though I now have 63.230.134.16/29 in my /etc/mail/dk-filter-ilist.

Frustrating.............

Scott
From: Murray S. K. <ms...@se...> - 2004-10-20 22:57:10

On Tue, 19 Oct 2004, Nate Itkin wrote:
> My understanding is that supporting multiple domains on the same system
> using different key pairs would require running more than one instance
> of the milter.

There is untested code (FFR, "For Future Release") in dk-milter to support this. You have to compile it with special flags, and use a command line flag, and it changes the semantics of "-s", but the code is there and available for you to try if you like.
From: Scott G. <sgr...@bo...> - 2004-10-19 20:15:31

On Tuesday 19 October 2004 12:46 pm, Nate Itkin wrote:
> > On Tue, Oct 19, 2004 at 11:47:35AM -0700, Scott Grayban wrote:
> > In the dk-filter-list I have:
> > /root/dk-milter-0.2.2/dk-filter/gawth.org.private
> > /root/dk-milter-0.2.2/dk-filter/borgnet.net.private
>
> That file should contain a list of internal hosts whose mail should be
> signed rather than verified. The private key file is specified with the -s
> option.
>
> My understanding is that supporting multiple domains on the same system
> using different key pairs would require running more than one instance of
> the milter.

hmm so I would need to start another milter, but how would that affect the keys then? Wouldn't one milter try to fight the other?

Wish one of the coders would respond to this.

Scott
From: Murray S. K. <ms...@se...> - 2004-10-20 21:40:18

On Tue, 19 Oct 2004, Scott Grayban wrote:
> Wish one of the coders would respond to this.

Sorry, I've been on vacation. I'm getting caught up now. Standby...
From: Thom O'C. <th...@se...> - 2004-10-19 20:37:25

On Tue, 19 Oct 2004, Scott Grayban wrote:
> On Tuesday 19 October 2004 12:46 pm, Nate Itkin wrote:
> > > On Tue, Oct 19, 2004 at 11:47:35AM -0700, Scott Grayban wrote:
> > > In the dk-filter-list I have:
> > > /root/dk-milter-0.2.2/dk-filter/gawth.org.private
> > > /root/dk-milter-0.2.2/dk-filter/borgnet.net.private
> >
> > That file should contain a list of internal hosts whose mail should be
> > signed rather than verified. The private key file is specified with the -s
> > option.
> >
> > My understanding is that supporting multiple domains on the same system
> > using different key pairs would require running more than one instance of
> > the milter.
>
> hmm so I would need to start another milter but how would that affect the keys
> then? Wouldn't one milter try to fight the other?

Starting in 0.1.14, there is an FFR added to dk-filter to support multiple keys. If you build with FFR_MULTIPLE_KEYS:

  APPENDDEF(`confENVDEF', `-D_FFR_MULTIPLE_KEYS')

Then (according to the FEATURES file):

  MULTIPLE_KEYS   Adds a new command line option "-k", which changes
                  interpretation of the "-s" to be a list of user@host
                  patterns with matching filenames indicating which key
                  to use to sign messages. (dk-filter)

From this point, I haven't seen multiple keys in action yet. The source looks like you should be referencing a keyfile with "-s <keyfile>", which then uses some filename magic to find its appropriate signing key.

I'll see if I can find Murray and sew up the loose ends. Looks like more of a documentation problem than anything, as there is lots of code in there supporting multiple keys.

-t

-----------------------------------------------------------
    / __    | Thom O'Connor          | Principal Consultant
   / /  \   | th...@se...            | Sendmail, Inc.
   \__/ /   | PGP KeyID: 41278A44    | The Full Power of Email
      /     | main: (510) 594-5400   | support: (877) 4-SENDMAIL
From: Scott G. <sgr...@bo...> - 2004-10-19 20:53:07

Ahhhhh I got it !!!!

Have to really !!! look at dk-filter/Makefile.m4 to see what you want to enable. The README should really stress that file to enable what you want.

Now let's see if I can get this to work.

On Tuesday 19 October 2004 1:34 pm, Thom O'Connor wrote:
> On Tue, 19 Oct 2004, Scott Grayban wrote:
> > On Tuesday 19 October 2004 12:46 pm, Nate Itkin wrote:
> > > > On Tue, Oct 19, 2004 at 11:47:35AM -0700, Scott Grayban wrote:
> > > > In the dk-filter-list I have:
> > > > /root/dk-milter-0.2.2/dk-filter/gawth.org.private
> > > > /root/dk-milter-0.2.2/dk-filter/borgnet.net.private
> > >
> > > That file should contain a list of internal hosts whose mail should be
> > > signed rather than verified. The private key file is specified with
> > > the -s option.
> > >
> > > My understanding is that supporting multiple domains on the same system
> > > using different key pairs would require running more than one instance
> > > of the milter.
> >
> > hmm so I would need to start another milter but how would that affect the
> > keys then? Wouldn't one milter try to fight the other?
>
> Starting in 0.1.14, there is an FFR added to dk-filter to support
> multiple keys. If you build with FFR_MULTIPLE_KEYS:
>
> APPENDDEF(`confENVDEF', `-D_FFR_MULTIPLE_KEYS')
>
> Then (according to the FEATURES file):
>
> MULTIPLE_KEYS Adds a new command line option "-k", which changes
> interpretation of the "-s" to be a list of user@host
> patterns with matching filenames indicating which key
> to use to sign messages. (dk-filter)
>
> From this point, I haven't seen multiple keys in action yet. The source
> looks like you should be referencing a keyfile with "-s <keyfile>", which
> then uses some filename magic to find its appropriate signing key.
>
> I'll see if I can find Murray and sew up the loose ends. Looks like
> more of a documentation problem than anything, as there is lots of
> code in there supporting multiple keys.
>
> -t
From: Thom O'C. <th...@se...> - 2004-10-20 20:42:04

On Tue, 19 Oct 2004, Thom O'Connor wrote:
> Starting in 0.1.14, there is an FFR added to dk-filter to support
> multiple keys. If you build with FFR_MULTIPLE_KEYS:
>
> APPENDDEF(`confENVDEF', `-D_FFR_MULTIPLE_KEYS')
>
> Then (according to the FEATURES file):
>
> MULTIPLE_KEYS Adds a new command line option "-k", which changes
> interpretation of the "-s" to be a list of user@host
> patterns with matching filenames indicating which key
> to use to sign messages. (dk-filter)

Here's an update on using multiple keys with the dk-filter.

The usage is according to the following:

  - Use the "-k" option to load a key set instead of a single key
  - Use the "-s file" option to load _a file_ which contains a list of
    user@host patterns with matching filenames indicating which key
    to use to sign messages, *and the name of the filename used must
    be equal to the key*

Therefore, here is an example:

Startup command:

  /usr/bin/dk-filter -A -l -d example0.com,example1.com \
        -i /etc/mail/dk-filter-internal-list \
        -p /var/sendmail/dk-filter/dk-filter.sock \
        -k -s /var/sendmail/dk-filter/keyset-list

Where the file /var/sendmail/dk-filter/keyset-list would look like the following:

  *@example0.com:/var/sendmail/dk-filter/EXAMPLE0-2004
  *@example1.com:/var/sendmail/dk-filter/EXAMPLE1-2004

In this example, your DomainKeys selector for the domain example0.com would be EXAMPLE0-2004, and the selector for example1.com would be EXAMPLE1-2004. It is critical to note that the filename must be (will be) equal to the selector.

Note that this is untested (at least by me). But this is the way it is supposed to work.

Good luck, please let us know how it goes.

-t

-----------------------------------------------------------
    / __    | Thom O'Connor          | Principal Consultant
   / /  \   | th...@se...            | Sendmail, Inc.
   \__/ /   | PGP KeyID: 41278A44    | The Full Power of Email
      /     | main: (510) 594-5400   | support: (877) 4-SENDMAIL
From: Scott G. <sgr...@bo...> - 2004-10-19 21:22:16

On Tuesday 19 October 2004 1:34 pm, Thom O'Connor wrote:
> Starting in 0.1.14, there is an FFR added to dk-filter to support
> multiple keys. If you build with FFR_MULTIPLE_KEYS:
>
> APPENDDEF(`confENVDEF', `-D_FFR_MULTIPLE_KEYS')
>
> Then (according to the FEATURES file):
>
> MULTIPLE_KEYS Adds a new command line option "-k", which changes
> interpretation of the "-s" to be a list of user@host
> patterns with matching filenames indicating which key
> to use to sign messages. (dk-filter)
>
> From this point, I haven't seen multiple keys in action yet. The source
> looks like you should be referencing a keyfile with "-s <keyfile>", which
> then uses some filename magic to find its appropriate signing key.
>
> I'll see if I can find Murray and sew up the loose ends. Looks like
> more of a documentation problem than anything, as there is lots of
> code in there supporting multiple keys.
>
> -t

Well I finally got my key for borgnet.net to work and it passed with dk...@bl...

  Authentication-Results: borgnet.net; domainkeys=pass

Now how do I get it to work with multiple domains right?

There should really be some better documentation with some examples for that list for domains it checks.

I think this is a great project, but lack of good docs is going to discourage most users.

Scott
From: Murray S. K. <ms...@se...> - 2004-10-20 23:00:27

On Tue, 19 Oct 2004, Scott Grayban wrote:
> Now how do I get it to work with multiple domains right?
>
> There should really be some better documentation with some examples for
> that list for domains it checks.

Multi-domain service isn't supported in the current version, so there's no real documentation for it yet. This is mostly because I haven't exercised the code to my own satisfaction. If you use it for a while and it seems to be working, please let me know. I'm more likely to make it production code and write documentation for it if I trust it's working properly and is robust, and external testing is a big help in that regard.

In any case, when I actually release that as live code, the documentation covering it will be much more thorough.
From: Scott G. <sgr...@bo...> - 2004-10-20 23:09:31

Well I did that and sent a test email to sa...@cr... to check it.

Still will not work right.

I am assuming the keys listed in the key-list file should be the private keys.

I am willing to pay a dk-filter coder to bloody set this up. I'm really at a loss on this.

Scott

On Wednesday 20 October 2004 1:39 pm, Thom O'Connor wrote:
> Here's an update on using multiple keys with the dk-filter.
>
> The usage is according to the following:
>
>  - Use the "-k" option to load a key set instead of a single key
>  - Use the "-s file" option to load _a file_ which contains a list of
>    user@host patterns with matching filenames indicating which key
>    to use to sign messages, *and the name of the filename used must
>    be equal to the key*
>
> Therefore, here is an example:
>
> Startup command:
>
>   /usr/bin/dk-filter -A -l -d example0.com,example1.com \
>        -i /etc/mail/dk-filter-internal-list \
>        -p /var/sendmail/dk-filter/dk-filter.sock \
>        -k -s /var/sendmail/dk-filter/keyset-list
>
>   Where the file /var/sendmail/dk-filter/keyset-list would look like
>   the following:
>
>      *@example0.com:/var/sendmail/dk-filter/EXAMPLE0-2004
>      *@example1.com:/var/sendmail/dk-filter/EXAMPLE1-2004
>
>   In this example, your DomainKeys selector for the domain example0.com
>   would be EXAMPLE0-2004, and the selector for example1.com would be
>   EXAMPLE1-2004. It is critical to note that the filename must be (will
>   be) equal to the selector.
>
> Note that this is untested (at least by me). But this is the way it
> is supposed to work.
>
> Good luck, please let us know how it goes.
From: Murray S. K. <ms...@se...> - 2004-10-20 23:21:41

On Wed, 20 Oct 2004, Scott Grayban wrote:
> Well I did that and and sent a test email to sa...@cr... to check
> it
>
> Still will not work right.

Does dk...@bl... or sa...@se... work?

> I am assuming the keys listed in the key-list file should be the private
> keys.

Correct.

> I am will to pay a dk-filter coder to bloody set this up. I'm really at
> a loss on this.

I'm sure that won't be necessary...

Is the only problem the verification of messages?

Does the order of entries in the key-list file make a difference?

Can you re-post your command line arguments and config files?
From: Scott G. <sgr...@bo...> - 2004-10-21 00:38:07

On Wednesday 20 October 2004 4:21 pm, Murray S. Kucherawy wrote:
> Does dk...@bl... or sa...@se... work?

sa...@se... isn't working.

  borgnet sendmail[3485]: i9L0VE7j003386: to=<sa...@se...>,
  ctladdr=<sgr...@bo...> (501/501), delay=00:04:42, xdelay=00:00:01,
  mailer=esmtp, pri=211880, relay=sendmail.net. [209.246.26.21], dsn=4.0.0,
  stat=Deferred: 451 4.3.2 Please try again later
From: Scott G. <sgr...@bo...> - 2004-10-20 23:56:55

Command line is:

  dk-filter -l -d borgnet.us,borgnet.net,gawth.org -i /etc/mail/dk-filter-ilist
    -p /var/run/dk-filter.sock -k -s /etc/mail/dk-filter-keys -A

/etc/mail/dk-filter-ilist contains:

  63.230.134.16/29   --------- which is my network

/etc/mail/dk-filter-keys contains:

  *@gawth.org:/root/dk-milter-0.2.2/dk-filter/gawth.org.private
  *@borgnet.us:/root/dk-milter-0.2.2/dk-filter/borgnet.us.private
  *@borgnet.net:/root/dk-milter-0.2.2/dk-filter/borgnet.net.private

On Wednesday 20 October 2004 4:21 pm, Murray S. Kucherawy wrote:
> On Wed, 20 Oct 2004, Scott Grayban wrote:
> > Well I did that and and sent a test email to sa...@cr... to check
> > it
> >
> > Still will not work right.
>
> Does dk...@bl... or sa...@se... work?
>
> > I am assuming the keys listed in the key-list file should be the private
> > keys.
>
> Correct.
>
> > I am will to pay a dk-filter coder to bloody set this up. I'm really at
> > a loss on this.
>
> I'm sure that won't be necessary...
>
> Is the only problem the verification of messages?
>
> Does the order of entries in the key-list file make a difference?
>
> Can you re-post your command line arguments and config files?
From: Murray S. K. <ms...@se...> - 2004-10-20 23:59:21

And is it adding signatures to messages (even if they are incorrect)?

Do they verify against only some sources but not all, or against none of them?
From: Scott G. <sgr...@bo...> - 2004-10-21 00:27:34

  DomainKey-Signature: a=rsa-sha1; s=borgnet.us.private; d=borgnet.us; c=simple;
    q=dns; b=pwcbb05MYRCtR89mkS411CEeK5uc1HV9ihzFkydAFmGS5XJDWKYGewIW2VOME86db
    0oATngpbZyWl+ZtkV4wNA==
  From: Scott Grayban <sgr...@bo...>
  Organization: borgnet.us

Adds them, just no idea why or what I am doing wrong.

On Wednesday 20 October 2004 4:59 pm, Murray S. Kucherawy wrote:
> And is it adding signatures to messages (even if they are incorrect)?
>
> Do they verify against only some sources but not all, or against none of
> them?

OOOO hold on here, I am seeing something odd with the dns requests for the keys.

Since I went to multi domains and it's using a list now, it's checking the key list name,

E.G.;

  s=borgnet.us.private

then it checks the dns using:

  query: borgnet.us.private._domainkey.borgnet.us IN TXT -E

Now that's odd..... Shouldn't it only check for _domainkey.borgnet.us ?? Since that's the FQDN ?
From: Thom O'C. <th...@se...> - 2004-10-21 00:30:35

On Wed, 20 Oct 2004, Scott Grayban wrote:
> /etc/mail/dk-filter-keys contains:
>
> *@gawth.org:/root/dk-milter-0.2.2/dk-filter/gawth.org.private
> *@borgnet.us:/root/dk-milter-0.2.2/dk-filter/borgnet.us.private
> *@borgnet.net:/root/dk-milter-0.2.2/dk-filter/borgnet.net.private

According to the notes I wrote up earlier, I think the above indicates that the selectors for your domains are as follows:

  gawth.org:    gawth.org.private
  borgnet.us:   borgnet.us.private
  borgnet.net:  borgnet.net.private

However, I don't see any TXT records at those locations:

  # dig TXT gawth.org.private._domainkey.gawth.org
  <snip>
  status: NXDOMAIN
  <snip>

I'm guessing that your selector usage is a little off.

-t
From: Scott G. <sgr...@bo...> - 2004-10-21 01:45:56

On Wednesday 20 October 2004 5:27 pm, Thom O'Connor wrote:
> On Wed, 20 Oct 2004, Scott Grayban wrote:
> > /etc/mail/dk-filter-keys contains:
> >
> > *@gawth.org:/root/dk-milter-0.2.2/dk-filter/gawth.org.private
> > *@borgnet.us:/root/dk-milter-0.2.2/dk-filter/borgnet.us.private
> > *@borgnet.net:/root/dk-milter-0.2.2/dk-filter/borgnet.net.private
>
> According to the notes I wrote up earlier, I think the above indicates
> that the selectors for your domains are as follows:
>
> gawth.org: gawth.org.private
> borgnet.us: borgnet.us.private
> borgnet.net: borgnet.net.private
>
> However, I don't see any TXT records at those locations:
>
> # dig TXT gawth.org.private._domainkey.gawth.org
> <snip>
> status: NXDOMAIN
> <snip>
>
> I'm guessing that your selector usage is a little off.

Yes, and I fixed that, but I have a suggestion as far as the dns checking it does.

I propose we change the way the docs explain how dns lookups work:

The docs should say "Whatever -s is, that is what the first part of the domain keys should be."

Since the multi-domains seems to be working on sending correctly but the incoming seems to be a bit broke at this time.

We should explain that -s blah is really -s blah._domainkey.domain.com when it checks the dns for the keys.

That isn't explained even if using just 1 domain.

And on another note, the gentxt.csh program should also generate a comment that contains just "domainkey for domain.com".

Scott
From: SM <sm...@re...> - 2004-10-21 03:14:59

Hi Scott,

At 18:45 20-10-2004, Scott Grayban wrote:
> I propose we change the way the docs explain how dns lookups work:
>
> The docs should say "What ever -s is that is what the first part of the
> domain keys should be."

If the selector is "test" and the domain is "example.com", the public-key will be retrieved from test._domainkey.example.com. Please refer to draft-delany-domainkeys-base-01.txt for an explanation about selectors.

Regards,
-sm