From: Tony E. <ter...@ba...> - 2006-11-15 07:06:27
|
Hi list,

This has probably been aired before, if so, sorry.

This site is gradually going through the painful step of implementing both dkim-filter and dk-filter (painful because we don't run our own DNS server and we're having to educate our Dutch ISP, xs4all). I use the two test sites sa...@se... and aut...@dk.... Both judge validity of dkim-filter and dk-filter; however, the sendmail test reports invalid signatures, while the elandsys.com test reports success and valid signatures.

Any comments? I can't make the DNS entries better than they are and I'm sure our messages are being signed correctly. Versions: dkim-milter 0.5.2 and dk-milter 0.4.1 under Postfix 2.3.4, all installed as rpms on Red Hat RHAS4.

Thanks!

--Tonni

--
Tonni Earnshaw
tonni@ barlaeus.nl

Når trollmor har lagt sine ellve små troll
og bundet dem fast i halen.
Da synger hun sagte for ellve små troll
de vakreste ord hun kjenner.

Ai ai ai ai buff,
ai ai ai aia buff,
ai ai ai aia buff buff,
ai ai ai aia buff.
|
From: Tony E. <ter...@ba...> - 2006-11-15 07:12:40
|
Tony Earnshaw wrote:

> This has probably been aired before, if so, sorry.
>
> This site is gradually going through the painful step of implementing
> both dkim-filter and dk-filter (painful because we don't run our own DNS
> server and we're having to educate our Dutch ISP, xs4all). I use the two
> test sites sa...@se... and aut...@dk....
> Both judge validity of dkim-filter and dk-filter; however, the sendmail
> test reports invalid signatures, while the elandsys.com test reports
> success and valid signatures.
>
> Any comments? I can't make the DNS entries better than they are and I'm
> sure our messages are being signed correctly. Versions: dkim-milter
> 0.5.2 and dk-milter 0.4.1 under Postfix 2.3.4, all installed as rpms on
> Red Hat RHAS4.

Hmmm ... I don't see any signatures on this message or from anyone on this list ...

--Tonni

--
Tonni Earnshaw
tonni@ barlaeus.nl

Når trollmor har lagt sine ellve små troll
og bundet dem fast i halen.
Da synger hun sagte for ellve små troll
de vakreste ord hun kjenner.

Ai ai ai ai buff,
ai ai ai aia buff,
ai ai ai aia buff buff,
ai ai ai aia buff.
|
From: SM <sm...@re...> - 2006-11-15 11:38:53
|
Hi Tony,

At 23:12 14-11-2006, Tony Earnshaw wrote:
>Hmmm ... I don't see any signatures on this message or from anyone on
>this list ...

Because this is a naughty list. :)

Regards,
-sm

P.S. message cc. as this list removes signatures.
|
From: Jim P. <ji...@ya...> - 2006-11-15 07:28:10
|
On Wed, 2006-11-15 at 08:06 +0100, Tony Earnshaw wrote:
> Hi list,
>
> This has probably been aired before, if so, sorry.
>
> This site is gradually going through the painful step of implementing
> both dkim-filter and dk-filter (painful because we don't run our own DNS
> server and we're having to educate our Dutch ISP, xs4all). I use the two
> test sites sa...@se... and aut...@dk....
> Both judge validity of dkim-filter and dk-filter; however, the sendmail
> test reports invalid signatures, while the elandsys.com test reports
> success and valid signatures.

sa...@se... is broken.

-Jim P.
|
From: Tony E. <ter...@ba...> - 2006-11-15 09:16:38
|
Jim Popovitch wrote:

>> This has probably been aired before, if so, sorry.
>>
>> This site is gradually going through the painful step of implementing
>> both dkim-filter and dk-filter (painful because we don't run our own DNS
>> server and we're having to educate our Dutch ISP, xs4all). I use the two
>> test sites sa...@se... and aut...@dk....
>> Both judge validity of dkim-filter and dk-filter; however, the sendmail
>> test reports invalid signatures, while the elandsys.com test reports
>> success and valid signatures.
>
> sa...@se... is broken.

No, that's not it. Ben Lutz replied off list and wrote that footers break dk/dkim (see footer below). So I removed my footer, resubmitted a test and dkim was verified (dk wasn't).

If footers break dk/dkim, what's the point of dk/dkim? Apparently both sendmail.net and dk.elandsys.com are running Sendmail 8.14.0.Alpha2/8.14.0.Alpha2 and Ben says that the milter API's broken. Could that be it?

--Tonni

--
Tonni Earnshaw
tonni@ barlaeus.nl

Når trollmor har lagt sine ellve små troll
og bundet dem fast i halen.
Da synger hun sagte for ellve små troll
de vakreste ord hun kjenner.

Ai ai ai ai buff,
ai ai ai aia buff,
ai ai ai aia buff buff,
ai ai ai aia buff.
|
From: Tony E. <ter...@ba...> - 2006-11-15 09:25:40
|
Tony Earnshaw wrote:

[...]

> No, that's not it. Ben Lutz

Ben Lentz

--Tonni

--
Tonni Earnshaw
tonni@ barlaeus.nl

Når trollmor har lagt sine ellve små troll
og bundet dem fast i halen.
Da synger hun sagte for ellve små troll
de vakreste ord hun kjenner.

Ai ai ai ai buff,
ai ai ai aia buff,
ai ai ai aia buff buff,
ai ai ai aia buff.
|
From: SM <sm...@re...> - 2006-11-15 11:55:56
|
Hi Tony,

At 01:16 15-11-2006, Tony Earnshaw wrote:
>No, that's not it. Ben Lutz replied off list and wrote that footers
>break dk/dkim (see footer below). So I removed my footer, resubmitted a
>test and dkim was verified (dk wasn't).

Maybe he was referring to the footers added by this mailing list and not the footer in your message.

>If footers break dk/dkim, what's the point of dk/dkim? Apparently both

Any change to the message content after it has been signed will break the signature. If a mailing list adds footers, it should sign the message.

>sendmail.net and dk.elandsys.com are running Sendmail
>8.14.0.Alpha2/8.14.0.Alpha2 and Ben says that the milter API's broken.
>Could that be it?

There is a change in the milter API behavior in sendmail 8.14.x. The DK/DKIM milters running on sendmail.net may not be taking the change into account. That would explain the signature validation failing.

Regards,
-sm
|
From: Ben L. <bl...@ch...> - 2006-11-15 13:02:41
|
> Hi Tony,
> At 01:16 15-11-2006, Tony Earnshaw wrote:
>
>> No, that's not it. Ben Lutz replied off list and wrote that footers
>> break dk/dkim (see footer below). So I removed my footer, resubmitted a
>> test and dkim was verified (dk wasn't).
>
> Maybe he was referring to the footers added by this mailing list and
> not the footer in your message.

Yes, exactly. The body of the message cannot be "tampered" with if you expect these things to verify. All mail must be delivered intact, without modification.

>> If footers break dk/dkim, what's the point of dk/dkim? Apparently both
>
> Any change to the message content after it has been signed will break
> the signature. If a mailing list adds footers, it should sign the message.
>
>> sendmail.net and dk.elandsys.com are running Sendmail
>> 8.14.0.Alpha2/8.14.0.Alpha2 and Ben says that the milter API's broken.
>> Could that be it?
>
> There is a change in the milter API behavior in sendmail 8.14.x. The
> DK/DKIM milters running on sendmail.net may not be taking the change
> into account. That would explain the signature validation failing.

I wrote:

> Note, too, that the sa-test should be able to verify your signatures,
> but you won't be able to verify its response... it's been broken
> since sendmail.net went to sendmail-8.14.0-Alpha2, which apparently
> has a different milter API that doesn't work with dk-milter or
> dkim-milter yet. But, sa...@se... should be able to verify.

And I neglected to mention that elandsys.com *is* running sendmail-8.14.0-Alpha2 but appears to have both working.

Tony wrote me two messages off-list. The first one had a footer:

> Når trollmor har lagt sine ellve små troll
> og bundet dem fast i halen.
> Da synger hun sagte for ellve små troll
> de vakreste ord hun kjenner.
>
> Ai ai ai ai buff,
> ai ai ai aia buff,
> ai ai ai aia buff buff,
> ai ai ai aia buff.

And didn't verify. The second message (which did not have the above footer) verified fine for both DomainKey and DKIM.

I would think the solution would be to sign the message after the footer had been added (if you wish to keep it) so that it could be verified on the receiver's end.

> Regards,
> -sm
>
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share your
> opinions on IT & business topics through brief surveys - and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> dk-milter-discuss mailing list
> dk-...@li...
> https://lists.sourceforge.net/lists/listinfo/dk-milter-discuss
|
From: Tony E. <ter...@ba...> - 2006-11-15 14:31:19
|
Ben Lentz wrote:

[...]

> Tony wrote me two messages off-list. The first one had a footer:
>> Når trollmor har lagt sine ellve små troll
>> og bundet dem fast i halen.
>> Da synger hun sagte for ellve små troll
>> de vakreste ord hun kjenner.
>>
>> Ai ai ai ai buff,
>> ai ai ai aia buff,
>> ai ai ai aia buff buff,
>> ai ai ai aia buff.
> And didn't verify. The second message (which did not have the above
> footer) verified fine for both DomainKey and DKIM.
>
> I would think the solution would be to sign the message after the footer
> had been added (if you wish to keep it) so that it could be verified on
> the receiver's end.

But that footer's been added by my MUA, Thunderbird 1.5.0 before the message got to our MTA. Although the MTA's Postfix and not Sendmail, it doesn't do any milter activity apart from calling the milters. I'll do some experimenting with a short footer and leaving the two dashes out (I know, it's illogical, but I'd like to find out).

--Tonni

--
Tonni Earnshaw
tonni@ barlaeus.nl

Når trollmor har lagt sine ellve små troll
og bundet dem fast i halen.
Da synger hun sagte for ellve små troll
de vakreste ord hun kjenner.

Ai ai ai ai buff,
ai ai ai aia buff,
ai ai ai aia buff buff,
ai ai ai aia buff.
|
From: Ben L. <bl...@ch...> - 2006-11-15 14:36:47
|
> Ben Lentz wrote:
>
> [...]
>
>> Tony wrote me two messages off-list. The first one had a footer:
>>
>>> Når trollmor har lagt sine ellve små troll
>>> og bundet dem fast i halen.
>>> Da synger hun sagte for ellve små troll
>>> de vakreste ord hun kjenner.
>>>
>>> Ai ai ai ai buff,
>>> ai ai ai aia buff,
>>> ai ai ai aia buff buff,
>>> ai ai ai aia buff.
>>
>> And didn't verify. The second message (which did not have the above
>> footer) verified fine for both DomainKey and DKIM.
>>
>> I would think the solution would be to sign the message after the footer
>> had been added (if you wish to keep it) so that it could be verified on
>> the receiver's end.
>
> But that footer's been added by my MUA, Thunderbird 1.5.0 before the
> message got to our MTA. Although the MTA's Postfix and not Sendmail, it
> doesn't do any milter activity apart from calling the milters. I'll do
> some experimenting with a short footer and leaving the two dashes out (I
> know, it's illogical, but I'd like to find out).

I see. You're right, that should've been fine. Perhaps the 'å' character?

> --Tonni
|
From: Tony E. <ter...@ba...> - 2006-11-15 14:41:18
|
Tony Earnshaw wrote:

> Ben Lentz wrote:
>
> [...]
>
>> Tony wrote me two messages off-list. The first one had a footer:
>>> Når trollmor har lagt sine ellve små troll
>>> og bundet dem fast i halen.
>>> Da synger hun sagte for ellve små troll
>>> de vakreste ord hun kjenner.
>>>
>>> Ai ai ai ai buff,
>>> ai ai ai aia buff,
>>> ai ai ai aia buff buff,
>>> ai ai ai aia buff.
>> And didn't verify. The second message (which did not have the above
>> footer) verified fine for both DomainKey and DKIM.
>>
>> I would think the solution would be to sign the message after the footer
>> had been added (if you wish to keep it) so that it could be verified on
>> the receiver's end.
>
> But that footer's been added by my MUA, Thunderbird 1.5.0 before the
> message got to our MTA. Although the MTA's Postfix and not Sendmail, it
> doesn't do any milter activity apart from calling the milters. I'll do
> some experimenting with a short footer and leaving the two dashes out (I
> know, it's illogical, but I'd like to find out).

Hmmm ... it doesn't seem to like encoded Scandinavian letters:

Fail:
N=E5r trollmor har lagt sine ellve sm=E5 troll
og bundet dem fast i halen.
Da synger hun sagte for ellve sm=E5 troll
de vakreste ord hun kjenner.

Pass:
Nar trollmor har lagt sine ellve sma troll
og bundet dem fast i halen.
Da synger hun sagte for ellve sma troll
de vakreste ord hun kjenner.

Not very good for those writing in German, Norwegian etc, I'd have thought. We'd get by in Holland, as long as people don't accent their letters (Dutch can use é, è, ë). Definitely kills both dk-filter and dkim-filter for us, though.

--Tonni

--
Tonni Earnshaw
tonni@ barlaeus.nl

Når trollmor har lagt sine ellve små troll
og bundet dem fast i halen.
Da synger hun sagte for ellve små troll
de vakreste ord hun kjenner.

Ai ai ai ai buff,
ai ai ai aia buff,
ai ai ai aia buff buff,
ai ai ai aia buff.
|
From: Tony E. <ter...@ba...> - 2006-11-15 14:59:54
|
Tony Earnshaw wrote:

[...]

> Hmmm ... it doesn't seem to like encoded Scandinavian letters:
>
> Fail:
> N=E5r trollmor har lagt sine ellve sm=E5 troll
> og bundet dem fast i halen.
> Da synger hun sagte for ellve sm=E5 troll
> de vakreste ord hun kjenner.
>
> Pass:
> Nar trollmor har lagt sine ellve sma troll
> og bundet dem fast i halen.
> Da synger hun sagte for ellve sma troll
> de vakreste ord hun kjenner.
>
> Not very good for those writing in German, Norwegian etc, I'd have
> thought. We'd get by in Holland, as long as people don't accent their
> letters (Dutch can use é, è, ë). Definitely kills both dk-filter and
> dkim-filter for us, though.

This might be a Postfix problem, I'll take it up on the Postfix ML.

--Tonni

--
Tonni Earnshaw
tonni@ barlaeus.nl

Når trollmor har lagt sine ellve små troll
og bundet dem fast i halen.
Da synger hun sagte for ellve små troll
de vakreste ord hun kjenner.

Ai ai ai ai buff,
ai ai ai aia buff,
ai ai ai aia buff buff,
ai ai ai aia buff.
|
From: Ben L. <bl...@ch...> - 2006-11-15 15:16:31
|
> Tony Earnshaw wrote:
> [...]
>
>> Hmmm ... it doesn't seem to like encoded Scandinavian letters:
>>
>> Fail:
>> N=E5r trollmor har lagt sine ellve sm=E5 troll
>> og bundet dem fast i halen.
>> Da synger hun sagte for ellve sm=E5 troll
>> de vakreste ord hun kjenner.
>>
>> Pass:
>> Nar trollmor har lagt sine ellve sma troll
>> og bundet dem fast i halen.
>> Da synger hun sagte for ellve sma troll
>> de vakreste ord hun kjenner.
>>
>> Not very good for those writing in German, Norwegian etc, I'd have
>> thought. We'd get by in Holland, as long as people don't accent their
>> letters (Dutch can use é, è, ë). Definitely kills both dk-filter and
>> dkim-filter for us, though.
>
> This might be a Postfix problem, I'll take it up on the Postfix ML.

Could be. I just sent these characters through a third party system, using Thunderbird as an MUA and sendmail as the MTA(s) and it verified fine for both DomainKey and DKIM.

> --Tonni
|
From: Tony E. <ter...@ba...> - 2006-11-16 09:23:10
|
Ben Lentz wrote:

>> Tony Earnshaw wrote:
>> [...]
>>
>>> Hmmm ... it doesn't seem to like encoded Scandinavian letters:
>>>
>>> Fail:
>>> N=E5r trollmor har lagt sine ellve sm=E5 troll
>>> og bundet dem fast i halen.
>>> Da synger hun sagte for ellve sm=E5 troll
>>> de vakreste ord hun kjenner.
>>>
>>> Pass:
>>> Nar trollmor har lagt sine ellve sma troll
>>> og bundet dem fast i halen.
>>> Da synger hun sagte for ellve sma troll
>>> de vakreste ord hun kjenner.
>>>
>>> Not very good for those writing in German, Norwegian etc, I'd have
>>> thought. We'd get by in Holland, as long as people don't accent their
>>> letters (Dutch can use é, è, ë). Definitely kills both dk-filter and
>>> dkim-filter for us, though.
>>
>> This might be a Postfix problem, I'll take it up on the Postfix ML.
>
> Could be. I just sent these characters through a third party system,
> using Thunderbird as an MUA and sendmail as the MTA(s) and it verified
> fine for both DomainKey and DKIM.

Ok, solved for DKIM but both sa...@se... and aut...@dk... still fail Domainkeys - so we'll stick to DKIM for the time being.

For Postfix people and posterity:

It was my fault. Postfix was converting 8-bit straight mime to 7-bit format-flowed. This was because I'd commented out a parameter in the final smtpd delivery listener (in contrast to Sendmail, Postfix is built up of a number of modules; it's possible to have many differently configured smtpd listeners, we run 3 that do different things).

In main.cf there is no milter-relevant stuff.

In master.cf we now have:

:10026 inet n - n - - smtpd
  -o stuff
  -o milter_default_action=accept
  -o milter_macro_daemon_name=ORIGINATING
  -o disable_mime_output_conversion=yes (I'd commented this out, since it was already an smtp parameter)
  -o smtpd_milters=inet:localhost:10004 (the port on which dkim-milter runs)

smtp unix - - n - - smtp
  -o stuff
  -o smtp_discard_ehlo_keywords=silent-discard,8bitmime
  -o disable_mime_output_conversion=yes (as per the documentation)

ps auxwww|grep dkim:

milter 14548 0.0 0.0 46392 1316 ? Ssl Nov15 0:03 /usr/bin/dkim-filter -l -p inet:10004 -d barlaeus.nl -k /etc/certs/dkim-milter/mail2.private.pem -s mail2 -u milter -C bad=a,dns=t -m ORIGINATING -D -h -b s -c relaxed/simple

So now I'm more or less happy, Scandinavian letters are now left as they are in 8-bit mime. I'd like to have dk-filter working, though.

Many thanks to all who took an interest, including Mark Martinec and Noel Jones (Postfix ML).

--Tonni

--
Tonni Earnshaw
tonni @ barlaeus.nl
|
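The failure mode worked out in this thread, as an added example (not code from dkim-milter, Postfix or any poster): the DKIM body hash (bh=) under the simple and relaxed body canonicalizations, as later standardized in RFC 6376, recomputed after the kinds of in-transit change discussed above. The sample body, the list footer and all function names are constructed for illustration, and `mime_downgrade` is only a stand-in for an MTA's 8-bit to quoted-printable conversion.

```python
import base64
import hashlib
import quopri
import re

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse space/tab runs and strip line-end whitespace."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes, canon=canon_simple) -> str:
    """Value the signer places in bh= and the verifier recomputes (SHA-256)."""
    return base64.b64encode(hashlib.sha256(canon(body)).digest()).decode()

def mime_downgrade(body: bytes) -> bytes:
    """Assumed stand-in for 8-bit to quoted-printable conversion, line by line."""
    return b"\r\n".join(quopri.encodestring(ln) for ln in body.split(b"\r\n"))

# Constructed sample: two lines of the footer from the thread, as ISO-8859-1 bytes.
SIGNED = ("Når trollmor har lagt sine ellve små troll\r\n"
          "og bundet dem fast i halen.\r\n").encode("latin-1")

# Constructed stand-in for a footer appended by list software after signing.
LIST_FOOTER = b"_______________\r\ndiscuss mailing list\r\n"

def survives(delivered: bytes) -> dict:
    """Does the delivered body still match the signer's hash, per canonicalization?"""
    return {name: body_hash(SIGNED, c) == body_hash(delivered, c)
            for name, c in (("simple", canon_simple), ("relaxed", canon_relaxed))}

def scenarios() -> dict:
    return {
        "extra blank lines at end": survives(SIGNED + b"\r\n\r\n"),
        "trailing space added to a line": survives(
            SIGNED.replace(b"troll\r\n", b"troll \r\n")),
        "8-bit converted to quoted-printable": survives(mime_downgrade(SIGNED)),
        "list footer appended": survives(SIGNED + LIST_FOOTER),
    }

if __name__ == "__main__":
    print(mime_downgrade(SIGNED).decode("ascii"))
    for change, result in scenarios().items():
        print(f"{change:38} simple={result['simple']!s:5} relaxed={result['relaxed']}")
```

Neither canonicalization tolerates a transfer-encoding change or an appended footer; relaxed only absorbs whitespace differences. That matches the fix reported above, which stopped the conversion after signing rather than changing the `-c` setting.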
From: SM <sm...@re...> - 2006-11-15 15:07:29
|
Hi Tony,

At 06:41 15-11-2006, Tony Earnshaw wrote:
>Hmmm ... it doesn't seem to like encoded Scandinavian letters:

[snip]

>Not very good for those writing in German, Norwegian etc, I'd have
>thought. We'd get by in Holland, as long as people don't accent their
>letters (Dutch can use é, è, ë). Definitely kills both dk-filter and
>dkim-filter for us, though.

That doesn't sound like a dk-filter or dkim-filter problem. Can you send me an email off-list?

Regards,
-sm
|
From: Murray S. K. <ms...@se...> - 2006-11-15 19:26:41
|
Jim Popovitch wrote:
> sa...@se... is broken.

It is? I just tried it by sending mail from my home machine and the sa-test server successfully verified the message. I then downgraded to 0.5.1 and repeated the test, which also passed.

Strangely though, the replies aren't verifying when they arrive. I'll have to look into that.

If there have been reports of problems since the past patch, I probably missed them. I've been assigned to other projects since then. I'm hoping to get back to work on these filters pretty soon.
|
From: Murray S. K. <ms...@se...> - 2006-11-15 20:35:23
|
Murray S. Kucherawy wrote:
> Strangely though, the replies aren't verifying when they arrive. I'll have to
> look into that.

It looks like the system administrator for sendmail.net upgraded the MTA there to 8.14.0.Alpha1, which among other things includes a change in how headers are handled when talking to filters. This is what's breaking the signatures on replies from that domain. I'll have to work on a new version of dkim-milter and dk-milter that can handle that change, and probably at the same time rework stuff in preparation for "milter v2" which is also included in 8.14.x.

So replies from sa...@se... will not validate until I get that issue resolved. This actually applies to all mail sent through dkim-filter using 8.14.x MTAs. However, it should be able to validate if you're using relaxed/* canonicalizations (sendmail.net is using simple/simple).

-MSK
|