Hi Murray,

Thank you very much for your time to reply. I have done a bit more investigation and signing POP before SMTP definitely doesn't appear to function as expected.

I performed the following test showing the unhashed popauth.db and syslog output. My POP client is a Win XP laptop (in Thailand) using Thunderbird on a DSL line connecting to my mailserver in the US.

1. Start dkim-filter

POP Client IP:
    124.157.238.182
POP before SMTP email to sa-test:
    Result: DKIM signature confirmed GOOD
popauth.db:
    124.157.238.182 1237901201
syslog:
    ...dkim-filter[22156]: Sendmail DKIM Filter v2.8.2 starting (args: -x /etc/mail/dkim-filter.conf)
    ...dkim-filter[22156]: n2L4qCus007868 no MTA name match
    ...dkim-filter[22156]: n2L4qCus007868 mode select: signing
    ...dkim-filter[22156]: n2L4qCus007868 "DKIM-Signature" header added

In previous test I found as long as I keep this IP my POP mail is signed.


2. Restart DSL connection to get new IP (this simulates the almost daily problem of service dropouts with Thai ISPs), 10 minutes later send another test mail.

POP Client IP:
    58.147.46.31
POP before SMTP email to sa-test: 
    Result: (no result present)
popauth.db:
    58.147.46.31    1237901985
syslog:
    ...dkim-filter[22156]: n2ODfe8S032583 no MTA name match
    ...dkim-filter[22156]: n2ODfe8S032583 external host mx-ll-58.147.46-31.dynamic.tttmaxnet.com attempted to send as templeofthai.com
    ...dkim-filter[22156]: n2ODfe8S032583 not internal
    ...dkim-filter[22156]: n2ODfe8S032583 not authenticated
    ...dkim-filter[22156]: n2ODfe8S032583 not POP authenticated
    ...dkim-filter[22156]: n2ODfe8S032583 mode select: verifying
    ...dkim-filter[22156]: n2ODfe8S032583: no signature data

In previous tests I found it did not matter how long I waited before trying again, POP mail  was verified and not signed. I sent many, many test emails and the longest time I waited 48hrs and it still refused to sign. Assigning new IP addresses and waiting also failed to sign mail even though  the IP  appeared  in  the popauth.db.

3. Keeping same IP address, restart DKIM,

POP Client IP:
    58.147.46.31
popauth.db:
    58.147.46.31    1237901985
POP before SMTP email to sa-test: 
    Result: DKIM signature confirmed GOOD
popauth.db:
    58.147.46.31    1237901985
syslog:
    ...dkim-filter[22426]: n2ODloGV030056 no MTA name match
    ...dkim-filter[22426]: n2ODloGV030056 mode select: signing
    ...dkim-filter[22426]: n2ODloGV030056 "DKIM-Signature" header added

Restart  DKIM and it works for the new IP in the popauth.db

I can provide my dkim conf file if necessary. I don't want to resort to restarting DKIM on a cron.

What could possibly be wrong? If not a dkim problem could it be sendmail (8.13.1) or perhaps the Berkley DB?

Thank you,

Rob Barty

Murray S. Kucherawy wrote:
On Fri, 20 Mar 2009, Robert Barty wrote:
  
If the POP client then reboots and is given a new IP address filter does 
not sign the mail.

The log shows:

   Mar 20 06:42:41 mydomain dkim-filter[31928]: n2KAgdkN003974 not POP
authenticated
    

This is expected behaviour.  When you login via POP, your POP server 
updates the authentication database with the IP address from which you 
logged in.  That's the database dkim-filter will query when it's deciding 
whether or not to sign something.  If your POP client gets assigned a new 
IP address for whatever reason, the new IP address is (presumably) not in 
the database, and so the above condition occurs and the mail won't be 
signed.

The database would be updated again when you log in to the POP server to 
retrieve mail.  Presumably that's not happening.

  
If I restart the dkim filter it works again (signs mail from the POP 
client with the new IP address).
    

The filter doesn't maintain any state about the POP database, so 
restarting it doesn't change anything.  The database is queried for every 
message passing through the filter.

  
It seems the filter reads the my popauth.db file only once and never 
reads it again to refresh the list of POP client IP addresses.
    

No, that's not the case.

------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com
_______________________________________________
dkim-milter-discuss mailing list
dkim-milter-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss