From: Don L. <dk...@th...> - 2009-06-08 20:23:29

I hope I am not asking a common question; I've not yet found anything which quite addresses the issue I'm seeing. With an eye toward more proper identification of my mail server to the outside world, I thought to start implementing DomainKeys. To that end, I read up on the subject (for example, http://www.jkurtzman.com/blog/2008/06/setting-up-domainkeys-on-centos) and then got to work.

First, the basic info:
CentOS 5.3
Sendmail 8.13.8-2.el5
dk-milter 1.0.0
saslauthd 2.1.22 with: getpwent kerberos5 pam rimap shadow ldap

I followed the instructions on the blog post referenced above, saslauthd is running, and yet I'm not getting anything in my headers to indicate that I'm signing the messages. Clearly I've missed something; does anyone have any suggestions on where to look? Are there log files I'm not seeing which could help?

Thank you, in advance,
-Don Levey
From: SM <sm...@re...> - 2009-06-08 21:59:06

At 12:53 08-06-2009, Don Levey wrote:
>I followed the instructions on the blog post referenced above, saslauthd
>is running, and yet I'm not getting anything in my headers to indicate
>that I'm signing the messages. Clearly I've missed something; does
>anyone have any suggestions on where to look? Are there log files I'm
>not seeing which could help?

Read the mail log and verify whether the message submitted used SMTP AUTH. You can use the -m MSA switch where MSA is the name of the daemon for the submission port.

Regards,
-sm
From: Don L. <dk...@th...> - 2009-06-09 00:58:02

SM wrote:
> At 12:53 08-06-2009, Don Levey wrote:
>> I followed the instructions on the blog post referenced above, saslauthd
>> is running, and yet I'm not getting anything in my headers to indicate
>> that I'm signing the messages. Clearly I've missed something; does
>> anyone have any suggestions on where to look? Are there log files I'm
>> not seeing which could help?
>
> Read the mail log and verify whether the message submitted used SMTP
> AUTH. You can use the -m MSA switch where MSA is name of the daemon
> for the submission port.
>
That seems to be the problem. My sendmail.mc file didn't contain this line:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

because I was getting a port conflict for some reason. I just re-enabled it, and the header lines seem to be added now.

Of course, I'm not sure what the next problem is; I sent a test message to Yahoo and see the following in their header:

Authentication-Results: mta475.mail.mud.yahoo.com from=the-leveys.us; domainkeys=permerror (no key); from=the-leveys.us; dkim=neutral (no sig)
Received: from 207.172.157.102 (EHLO smtp02.lnh.mail.rcn.net) (207.172.157.102)
  by mta475.mail.mud.yahoo.com with SMTP; Mon, 08 Jun 2009 17:46:29 -0700

Here's the header line it adds:

DomainKey-Signature: a=rsa-sha1; s=mail; d=the-leveys.us; c=nofws; q=dns;
  b=NB+2z8hli2A/oyfWzN8zNEi1aWgGsf+kK3/j4dGoZiiGUnGqTJAltZ2wajSVisD0C
  OLrZsKK92fyLUcwIoNRWxpQQn3MnbyRV6z5Zbdff74s7OJBLNg+E4aLXedVUAWc

(there are wrapping problems here).

I am perhaps unclear on the concept - if I'm smart-hosting through my ISP, I should still be able to do this, no? Assuming that I can, I have three separate TXT records in DNS:

dungeon.the-leveys.us             (my mail server)
_domainkey.the-leveys.us          ) based upon the blog post
dungeon._domainkey.the-leveys.us  ) referenced previously

Have I messed this up?

Thanks again,
-Don Levey
From: SM <sm...@re...> - 2009-06-09 05:18:03

At 17:56 08-06-2009, Don Levey wrote:
>it, and the header lines seem to be added now. Of course, I'm not sure
>what the next problem is; I sent a test-message to Yahoo and see the
>following in their header:
>
>Authentication-Results: mta475.mail.mud.yahoo.com from=the-leveys.us;
>domainkeys=permerror (no key); from=the-leveys.us; dkim=neutral (no sig)
>Received: from 207.172.157.102 (EHLO smtp02.lnh.mail.rcn.net)
>(207.172.157.102)
> by mta475.mail.mud.yahoo.com with SMTP; Mon, 08 Jun 2009 17:46:29 -0700

The domainkeys error says "no key".

>Here's the header line it adds:
>DomainKey-Signature: a=rsa-sha1; s=mail; d=the-leveys.us; c=nofws;
>q=dns; b=NB+2z8hli2A/oyfWzN8zNEi1aWgGsf+kK3/j4dGoZiiGUnGqTJAltZ2wajSVisD0C
> OLrZsKK92fyLUcwIoNRWxpQQn3MnbyRV6z5Zbdff74s7OJBLNg+E4aLXedVUAWc
>
>(there are wrapping problems here).
>
>I am perhaps unclear on the concept - if I'm smart-hosting through my
>ISP, I should still be able to do this, no? Assuming that I can, I have
>three separate TXT records in DNS:
>
>dungeon.the-leveys.us (my mail server)
>_domainkey.the-leveys.us ) based upon the blog post
>dungeon._domainkey.the-leveys.us ) referenced previously

Your selector is at "dungeon". According to your DomainKey signature, it's at "mail". Create a DNS TXT RR at dungeon._domainkey.the-leveys.us for Domainkeys or set the selector to "dungeon" when you sign the message with dk-milter.

Regards,
-sm
From: Don L. <dk...@th...> - 2009-06-09 12:54:13

SM wrote:
> At 17:56 08-06-2009, Don Levey wrote:
>> it, and the header lines seem to be added now. Of course, I'm not sure
>> what the next problem is; I sent a test-message to Yahoo and see the
>> following in their header:
>>
>> Authentication-Results: mta475.mail.mud.yahoo.com from=the-leveys.us;
>> domainkeys=permerror (no key); from=the-leveys.us; dkim=neutral (no sig)
>> Received: from 207.172.157.102 (EHLO smtp02.lnh.mail.rcn.net)
>> (207.172.157.102)
>> by mta475.mail.mud.yahoo.com with SMTP; Mon, 08 Jun 2009 17:46:29 -0700
>
> The domainkeys error says "no key".
>
>> Here's the header line it adds:
>> DomainKey-Signature: a=rsa-sha1; s=mail; d=the-leveys.us; c=nofws;
>> q=dns; b=NB+2z8hli2A/oyfWzN8zNEi1aWgGsf+kK3/j4dGoZiiGUnGqTJAltZ2wajSVisD0C
>> OLrZsKK92fyLUcwIoNRWxpQQn3MnbyRV6z5Zbdff74s7OJBLNg+E4aLXedVUAWc
>>
>> (there are wrapping problems here).
>>
>> I am perhaps unclear on the concept - if I'm smart-hosting through my
>> ISP, I should still be able to do this, no? Assuming that I can, I have
>> three separate TXT records in DNS:
>>
>> dungeon.the-leveys.us (my mail server)
>> _domainkey.the-leveys.us ) based upon the blog post
>> dungeon._domainkey.the-leveys.us ) referenced previously
>
> Your selector is at "dungeon". According to your DomainKey
> signature, it's at "mail". Create a DNS TXT RR at
> dungeon._domainkey.the-leveys.us for Domainkeys or set the selector
> to "dungeon" when you sign the message with dk-milter.
>
OK, I changed the "-s" parameter, but I still get the same message:

Authentication-Results: mta196.mail.sp2.yahoo.com from=the-leveys.us; domainkeys=fail (bad sig); from=the-leveys.us; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO smtp02.lnh.mail.rcn.net) (207.172.157.102)
  by mta196.mail.sp2.yahoo.com with SMTP; Tue, 09 Jun 2009 04:00:59 -0700
...
DomainKey-Signature: a=rsa-sha1; s=dungeon; d=the-leveys.us; c=nofws; q=dns;
  b=8uVLqanp3Ptv9K4fW7fy1PDRGMoxnOOOYMjXtPYhPyr/QfNgFqBhe2iNDOFq74a4v
  f2zCmAjmWHjHp0ZQiCd/CskvxtMYblKUepUkqUMeJzSrJhoA+RlrtWpOJ8RJhrd

What's interesting is that I'm not seeing the signature from mail sent from my work desktop (outside my LAN), only internal machines. I would imagine that this is a function of the external domain clients list. I've got my company's domain in there (and, also, the FQDN of the gateway machine), so I'm not sure what's up there.

Be that as it may, now that I've reset the selector to "dungeon", why isn't the signature seen as valid?

Thank you for your help,
-Don
From: SM <sm...@re...> - 2009-06-09 14:56:10

At 05:26 09-06-2009, Don Levey wrote:
>Authentication-Results: mta196.mail.sp2.yahoo.com from=the-leveys.us;
>domainkeys=fail (bad sig); from=the-leveys.us; dkim=neutral (no sig)
>Received: from 127.0.0.1 (EHLO smtp02.lnh.mail.rcn.net) (207.172.157.102)
> by mta196.mail.sp2.yahoo.com with SMTP; Tue, 09 Jun 2009 04:00:59 -0700

The domainkeys verification failed as the signature was bad. Are you using sendmail masquerading?

>What's interesting is that I'm not seeing the signature from mail sent
>from my work desktop (putside my LAN), only internal machines. I would
>imagine that this is a function of the external domain clients list.
>I've got my company's domain in there (and, also, the FQDN of the
>gateway machine), so I'm not sure what's up there.

If you are submitting mail on the MSA port or you are using SMTP AUTH, the message will be domainkeys signed. Please post the log extract for a case where you are not seeing the signature.

>Be that as it may, now that I've reset the selector to "dungeon", why
>isn't the signature seen as valid?

The email headers or body may have been modified after they were domainkeys signed. There is an autoresponder listed at http://www.elandsys.com/resources/sendmail/domainkeys.html. When you send a test message, you get a copy of the original message you sent in the reply. If you get a bad signature, post the original headers.

Regards,
-sm
From: Don L. <dk...@th...> - 2009-06-09 15:32:17

SM wrote:
> At 05:26 09-06-2009, Don Levey wrote:
>> Authentication-Results: mta196.mail.sp2.yahoo.com from=the-leveys.us;
>> domainkeys=fail (bad sig); from=the-leveys.us; dkim=neutral (no sig)
>> Received: from 127.0.0.1 (EHLO smtp02.lnh.mail.rcn.net) (207.172.157.102)
>> by mta196.mail.sp2.yahoo.com with SMTP; Tue, 09 Jun 2009 04:00:59 -0700
>
> The domainkeys verification failed as the signature was bad. Are you
> using sendmail masquerading?
>
No, not explicitly - however, I am using HIDDENDOMAIN:

define(`HIDDENDOMAIN', `the-leveys.us')dnl

to avoid sending out my individual hostnames. However, disabling this line doesn't seem to affect the verification. The one MASQUERADE directive (MASQUERADE_AS) has been disabled for a while.

>> What's interesting is that I'm not seeing the signature from mail sent
>> from my work desktop (putside my LAN), only internal machines. I would
>> imagine that this is a function of the external domain clients list.
>> I've got my company's domain in there (and, also, the FQDN of the
>> gateway machine), so I'm not sure what's up there.
>
> If you are submitting mail on the MSA port or you are using SMTP
> AUTH, the message will be domainkeys signed. Please post the log
> extract for a case where you are not seeing the signature.
>
Here's the maillog extract for a message sent from my desktop at work, that is not signed:

Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094: from=<do...@th...>, size=826, class=0, nrcpts=2, msgid=<4A2...@th...>, proto=ESMTP, daemon=MTA2, relay=gateway.example.com [nnn.nnn.nnn.nnn]
Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95.1 at dungeon.the-leveys.us
Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094: Milter change (add): header: X-Virus-Status: Clean
Jun 9 11:18:45 dungeon spamd[2527]: spamd: connection from dungeon.the-leveys.us [127.0.0.1] at port 52020
Jun 9 11:18:45 dungeon spamd[2527]: spamd: processing message <4A2...@th...> for spamassassin:515
Jun 9 11:18:49 dungeon spamd[2527]: spamd: clean message (-4.9/5.0) for spamassassin:515 in 3.8 seconds, 1264 bytes.
Jun 9 11:18:49 dungeon spamd[2527]: spamd: result: . -4 - BAYES_00,WEIRD_PORT scantime=3.8,size=1264,user=spamassassin,uid=515,required_score=5.0,rhost=dungeon.the-leveys.us,raddr=127.0.0.1,rport=52020,mid=<4A2...@th...>,bayes=0.000000,autolearn=no
Jun 9 11:18:49 dungeon sendmail[22094]: n59FIiTJ022094: Milter add: header: X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,WEIRD_PORT\n\tautolearn=no version=3.2.5
Jun 9 11:18:49 dungeon sendmail[22094]: n59FIiTJ022094: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on\n\tdungeon.the-leveys.us
Jun 9 11:18:49 dungeon spamd[3100]: prefork: child states: II
Jun 9 11:18:49 dungeon sendmail[22109]: n59FIiTJ022094: to=<vwi...@ya...>,<dl...@ex...>, ctladdr=<do...@th...> (500/500), delay=00:00:05, xdelay=00:00:00, mailer=relay, pri=150826, relay=smtp.mail.rcn.net. [207.172.4.99], dsn=2.0.0, stat=Sent (ok: Message 764369333 accepted)

My MUA is Thunderbird; it's set to "Use TLS if available". I'm using similar settings for Thunderbird at home, which *does* sign. Before I had built the external network file and pointed to it using "-I" I was getting the "external host attempted to send" errors in maillog; they don't happen anymore.

>> Be that as it may, now that I've reset the selector to "dungeon", why
>> isn't the signature seen as valid?
>
> The email headers or body may have been modified after they were
> domainkeys signed. There is an autoresponder listed at
> http://www.elandsys.com/resources/sendmail/domainkeys.html When you
> send a test message, you get a copy of the original message you sent
> in the reply. If you get a bad signature, post the original headers.
>
I've sent a message from my home LAN - I get the following results:

DomainKeys Signature validation: fail (testing)
DomainKeys Policy: "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"

DomainKeys Selector: dungeon
"k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"

They look the same to me, so clearly either I'm not looking at the right thing or there's more involved...

Here is the header that is returned to me:

Original message:
Received: from smtp02.lnh.mail.rcn.net (smtp02.lnh.mail.rcn.net [207.172.157.102])
  by ns1.qubic.net (8.14.4.Alpha0/8.14.4.Alpha0) with ESMTP id n59FQ5OC021623
  for <aut...@dk...>; Tue, 9 Jun 2009 08:26:12 -0700 (PDT)
Authentication-Results: ns1.qubic.net; sender-id=none header.from=do...@th...; spf=none smtp.mfrom=do...@th...
Authentication-Results: ns1.qubic.net; domainkeys=fail (testing) header.from=do...@th...
Received: from mr02.lnh.mail.rcn.net ([207.172.157.22])
  by smtp02.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:26:05 -0400
Received: from smtp01.lnh.mail.rcn.net (smtp01.lnh.mail.rcn.net [207.172.4.11])
  by mr02.lnh.mail.rcn.net (MOS 3.10.5-GA) with ESMTP id PYN25223;
  Tue, 9 Jun 2009 11:25:08 -0400 (EDT)
Received: from 209-6-81-65.c3-0.frm-ubr2.sbo-frm.ma.cable.rcn.com (HELO dungeon.the-leveys.us) ([209.6.81.65])
  by smtp01.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:25:08 -0400
Received: from dauphin.the-leveys.us ([192.168.1.100])
  by dungeon.the-leveys.us (8.13.8/8.13.8) with ESMTP id n59FP0bY022254
  for <aut...@dk...>; Tue, 9 Jun 2009 11:25:02 -0400
DomainKey-Signature: a=rsa-sha1; s=dungeon; d=the-leveys.us; c=nofws; q=dns;
  b=buTEXMDKuxczS+lsIBBUWHhDsp+duu9rlAWMpjfElFYIsZNkUvLs10m7JHYPaEWkM
  LCObt5P9P85EFksY9b3m1STlNw6V3AjQATe/eQargXtho871zaRmaoMnfufJ65T
Message-ID: <4A2...@th...>
Date: Tue, 09 Jun 2009 11:25:00 -0400
From: Don Levey <do...@th...>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: aut...@dk...
Subject: DK Test #21
X-Enigmail-Version: 0.95.7
OpenPGP: id=52ADF3CD; url=http://www.the-leveys.us:6080/keys/don-dsakey.asc
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.95.1 at dungeon.the-leveys.us
X-Virus-Status: Clean
X-Spam-Status: No, score=-6.7 required=5.0 tests=ALL_TRUSTED,BAYES_00 autolearn=ham version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on dungeon.the-leveys.us
X-Junkmail-Status: score=10/50, host=mr02.lnh.mail.rcn.net
X-Junkmail-SD-Raw: score=unknown, refid=str=0001.0A010207.4A2E7F0C.01CC,ss=1,fgs=0, ip=207.172.4.11, so=2009-03-06 19:59:02, dmn=5.7.1/2009-05-14, mode=single engine
X-Junkmail-IWF: false

-Don
From: SM <sm...@re...> - 2009-06-09 17:25:08

Hi Don,
At 08:31 09-06-2009, Don Levey wrote:
>Here's the maillog extract for a message sent from my desktop at work,
>that is not signed:
>
>Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094:
>from=<do...@th...>, size=826, class=0, nrcpts=2,
>msgid=<4A2...@th...>, proto=ESMTP, daemon=MTA2,
>relay=gateway.example.com [nnn.nnn.nnn.nnn]

The daemon name is MTA2. You can specify that mails to that daemon (-m) should be signed.

>My MUA is Thunderbird; it's set to "Use TLS if available". I'm using
>similar settings for Thunderbird at home, which *does* sign. Before I
>had built the external network file and pointed to it using "-I" I was
>getting the "external host attempted to send" errors in maillog; they
>don't happen anymore.

That's most likely the problem. Sendmail modifies the headers injected by Thunderbird and that invalidates the signature. Can you test with another mail client?

>I've sent a message from my home LAN - I get the following results:
>
>DomainKeys Signature validation: fail (testing)
>DomainKeys Policy: "k=rsa; t=y;
>p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"
>
>DomainKeys Selector: dungeon
>"k=rsa; t=y;
>p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"
>
>They look the same to me, so clearly either I'm not looking at the right
>thing or there's more involved...
>
>Here is the header that is returned to me:
>
>Original message:
>Received: from smtp02.lnh.mail.rcn.net (smtp02.lnh.mail.rcn.net
>[207.172.157.102])
> by ns1.qubic.net (8.14.4.Alpha0/8.14.4.Alpha0) with ESMTP
> id n59FQ5OC021623
> for <aut...@dk...>; Tue, 9 Jun 2009
> 08:26:12 -0700 (PDT)
>Authentication-Results: ns1.qubic.net; sender-id=none
>header.from=do...@th...; spf=none smtp.mfrom=do...@th...
>Authentication-Results: ns1.qubic.net; domainkeys=fail (testing)
>header.from=do...@th...
>Received: from mr02.lnh.mail.rcn.net ([207.172.157.22])
> by smtp02.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:26:05 -0400
>Received: from smtp01.lnh.mail.rcn.net (smtp01.lnh.mail.rcn.net
>[207.172.4.11])
> by mr02.lnh.mail.rcn.net (MOS 3.10.5-GA)
> with ESMTP id PYN25223;
> Tue, 9 Jun 2009 11:25:08 -0400 (EDT)
>Received: from 209-6-81-65.c3-0.frm-ubr2.sbo-frm.ma.cable.rcn.com (HELO
>dungeon.the-leveys.us) ([209.6.81.65])
> by smtp01.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:25:08 -0400
>Received: from dauphin.the-leveys.us ([192.168.1.100])
> by dungeon.the-leveys.us (8.13.8/8.13.8) with ESMTP id n59FP0bY022254
> for <aut...@dk...>; Tue, 9 Jun 2009 11:25:02 -0400
>DomainKey-Signature: a=rsa-sha1; s=dungeon; d=the-leveys.us; c=nofws; q=dns;
> b=buTEXMDKuxczS+lsIBBUWHhDsp+duu9rlAWMpjfElFYIsZNkUvLs10m7JHYPaEWkM
> LCObt5P9P85EFksY9b3m1STlNw6V3AjQATe/eQargXtho871zaRmaoMnfufJ65T
>Message-ID: <4A2...@th...>
>Date: Tue, 09 Jun 2009 11:25:00 -0400
>From: Don Levey <do...@th...>
>User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
>MIME-Version: 1.0
>To: aut...@dk...
>Subject: DK Test #21
>X-Enigmail-Version: 0.95.7
>OpenPGP: id=52ADF3CD;
> url=http://www.the-leveys.us:6080/keys/don-dsakey.asc
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 7bit
>X-Virus-Scanned: clamav-milter 0.95.1 at dungeon.the-leveys.us
>X-Virus-Status: Clean
>X-Spam-Status: No, score=-6.7 required=5.0 tests=ALL_TRUSTED,BAYES_00
> autolearn=ham version=3.2.5
>X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
> dungeon.the-leveys.us
>X-Junkmail-Status: score=10/50, host=mr02.lnh.mail.rcn.net
>X-Junkmail-SD-Raw: score=unknown,
> refid=str=0001.0A010207.4A2E7F0C.01CC,ss=1,fgs=0,
> ip=207.172.4.11,
> so=2009-03-06 19:59:02,
> dmn=5.7.1/2009-05-14,
> mode=single engine
>X-Junkmail-IWF: false

There were several X- headers added by clamav-milter and SpamAssassin after the message was signed. Your smarthost (mr02.lnh.mail.rcn.net) also adds some X- headers. The only way around that is for you to sign specific headers only. See the -H option in the dk-filter manual.

Regards,
-sm
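As an added illustration of the point SM makes (not code from the thread, dk-milter or sendmail), the following Python builds the DomainKeys "nofws" canonical form (RFC 4870) of a constructed message and compares its SHA-1 before and after a milter appends an X-Spam-Status header, once with every header covered and once with coverage limited to a fixed header list as the -H option does. The SHA-1 stands in for the RSA signature in b=, since that signature is computed over exactly this canonical text; the message, addresses and the appended header are constructed samples.

```python
import hashlib
import re

# Constructed sample message as it leaves the signing milter (CRLF line
# endings, as on the wire). Not taken from the thread; addresses are placeholders.
SIGNED_MSG = (
    "From: Don <don@example.org>\r\n"
    "To: autoresponder@example.net\r\n"
    "Subject: DK Test\r\n"
    "Content-Type: text/plain; charset=ISO-8859-1\r\n"
    "\r\n"
    "Hello, this is a test.\r\n"
    "\r\n"
)

def split_message(raw):
    """Return the header fields (folded lines kept with their field) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\r\n" + line      # continuation of the previous field
        else:
            fields.append(line)
    return fields, body

def nofws(text):
    """RFC 4870 'nofws' rule: delete every space, tab, CR and LF, so refolding
    a header or changing its whitespace does not alter the canonical form."""
    return re.sub(r"[ \t\r\n]", "", text)

def canonical_digest(raw, h_list=None):
    """SHA-1 of the nofws canonical form, i.e. the data the b= RSA signature covers.

    h_list=None covers every header field (dk-milter's default for the fields
    below DomainKey-Signature); a list of names restricts coverage to those
    fields, which is what the -H option configures."""
    fields, body = split_message(raw)
    if h_list is not None:
        wanted = {name.lower() for name in h_list}
        fields = [f for f in fields
                  if f.split(":", 1)[0].strip().lower() in wanted]
    canon = "".join(nofws(f) + "\r\n" for f in fields) + "\r\n"
    body_lines = body.split("\r\n")
    while body_lines and nofws(body_lines[-1]) == "":
        body_lines.pop()                      # nofws drops trailing empty lines
    canon += "".join(nofws(ln) + "\r\n" for ln in body_lines)
    return hashlib.sha1(canon.encode("latin-1")).hexdigest()

def append_header(raw, field):
    """Mimic a later milter (clamav-milter, SpamAssassin) or the smarthost
    adding a header field at the end of the header block."""
    head, sep, body = raw.partition("\r\n\r\n")
    return head + "\r\n" + field + sep + body

def signature_survives(before, after, h_list=None):
    """True when the canonical form, and hence the b= value, is unchanged."""
    return canonical_digest(before, h_list) == canonical_digest(after, h_list)

if __name__ == "__main__":
    core = ["From", "To", "Subject", "Content-Type"]
    scanned = append_header(SIGNED_MSG, "X-Spam-Status: No, score=-4.9 required=5.0")
    refolded = SIGNED_MSG.replace("Subject: DK Test", "Subject: DK\r\n\tTest")
    print("header refolded, all fields signed:", signature_survives(SIGNED_MSG, refolded))
    print("X-Spam-Status added, all fields signed:", signature_survives(SIGNED_MSG, scanned))
    print("X-Spam-Status added, -H core fields only:", signature_survives(SIGNED_MSG, scanned, core))
    print("body footer added, -H core fields only:",
          signature_survives(SIGNED_MSG, scanned + "-- relay footer\r\n", core))
```

The last case shows the limit of -H: restricting the signed header set tolerates headers appended downstream, but any change to the body (a relay-added footer, for instance) still breaks the signature.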
From: Don L. <dk...@th...> - 2009-06-09 17:42:34

SM wrote:
> Hi Don,
> At 08:31 09-06-2009, Don Levey wrote:
>> Here's the maillog extract for a message sent from my desktop at work,
>> that is not signed:
>>
>> Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094:
>> from=<do...@th...>, size=826, class=0, nrcpts=2,
>> msgid=<4A2...@th...>, proto=ESMTP, daemon=MTA2,
>> relay=gateway.example.com [nnn.nnn.nnn.nnn]
>
> The daemon name is MTA2. You can specify that mails to that daemon
> (-m) should be signed.
>
>> My MUA is Thunderbird; it's set to "Use TLS if available". I'm using
>> similar settings for Thunderbird at home, which *does* sign. Before I
>> had built the external network file and pointed to it using "-I" I was
>> getting the "external host attempted to send" errors in maillog; they
>> don't happen anymore.
>
> That's most likely the problem. Sendmail modifies the headers
> injected by Thunderbird and that invalidates the signature. Can you
> test with another mail client?
>
> ...
> There were several X- headers added by clamav-milter and SpamAssassin
> after the message was signed. Your smarthost (mr02.lnh.mail.rcn.net)
> also adds some X- headers. The only way around that is for you to
> sign specific headers only. See the -H option in the dk-filter manual.
>
That did it! The -m option got my external client to sign properly, and the -H option allowed the headers to be rewritten so that the signature will verify.

Thank you *very* much for your help and patience!
-Don
From: Don L. <dk...@th...> - 2009-06-09 15:58:32

SM wrote:
> At 05:26 09-06-2009, Don Levey wrote:
>
>
>> What's interesting is that I'm not seeing the signature from mail sent
>> from my work desktop (putside my LAN), only internal machines. I would
>> imagine that this is a function of the external domain clients list.
>> I've got my company's domain in there (and, also, the FQDN of the
>> gateway machine), so I'm not sure what's up there.
>
> If you are submitting mail on the MSA port or you are using SMTP
> AUTH, the message will be domainkeys signed. Please post the log
> extract for a case where you are not seeing the signature.
>
I had thought, by the way, that the external file was the problem, so I removed it, set up the list of domains and pointed to it via -d and -D. No luck - but what you said got me thinking:

Our firewall here at work does indeed block port 25, but passes port 26, so I have sendmail listening on both ports. This may be a "Duh" moment, but I suppose I should tell either sendmail or dk-filter to explicitly process those messages too?

-Don
From: SM <sm...@re...> - 2009-06-09 17:28:58

At 08:57 09-06-2009, Don Levey wrote:
>I had thought, by the way, that the external file was the problem, so I
>removed it, set up the list of domains and pointed to it via -d and -D.
> No luck - but what you said got me thinking:

See my previous message.

>Our firewall here at work does indeed block port 25, but passes port 26,
>so I have sendmail listening on both ports. This may be a "Duh" moment,
>but I suppose I should tell either sendmail or dk-filter to explicitly
>process those messages too?

dk-filter has to identify which messages should be signed. You can tell it to sign all messages for the daemon on port 26.

Regards,
-sm