From: Zbigniew S. <z.s...@lc...> - 2008-04-28 12:21:52
Hello,

I am editing dkim-filter.conf and came across this option:

## KeyList filename
##
## Specifies the path to the list of keys and signing domains to be applied
## by the signing filter. The entries in this file should be of the form:
##
## pattern:domain:keypath
##
## ...where "pattern" is a pattern of user@host to match, with "*" being

Do I understand correctly the following to mean that any sender in a given domain will get their email signed by an appropriate key?

*:domain.tld:/var/db/domainkeys/domain.tld.key.pem
*:domain2.tld:/var/db/domainkeys/domain2.tld.key.pem

A sender in domain.tld will have the email signed by domain.tld.key.pem
And a sender in domain2.tld will have the email signed by domain2.tld.key.pem

Is my thinking correct? If not, how should this be set up?

Many thanks!

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-04-28 14:42:42
Hello,

At 05:21 28-04-2008, Zbigniew Szalbot wrote:
>## pattern:domain:keypath
>##
>## ...where "pattern" is a pattern of user@host to match, with "*" being
>
>Do I understand correctly the following to mean that any sender in a
>given domain will get their email signed by an appropriate key?
>
>*:domain.tld:/var/db/domainkeys/domain.tld.key.pem
>*:domain2.tld:/var/db/domainkeys/domain2.tld.key.pem
>
>A sender in domain.tld will have the email signed by domain.tld.key.pem
>And a sender in domain2.tld will have the email signed by domain2.tld.key.pem

The * in the first column will match all addresses. The format is
sender-pattern:signing-domain:keypath:

*@example.com:example.com:/var/db/domainkeys/key1.pem
*@example.net:example.net:/var/db/domainkeys/examplenet.pem

In the above, a different key is used for each domain. The selector used in
the signature will be the filename portion of keypath. The ".pem" file
extension can be omitted as it will be appended when the keypath is read.

Regards,
-sm
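A small resolver for the KeyList format explained in this reply, added here as an example (not code from dkim-milter): it parses pattern:domain:keypath lines, rejects the relative keypath mistake raised later in the thread, and shows why two "*" patterns never reach the second line. Assumptions, also stated in the code: the sender pattern is a case-insensitive shell-style glob, the first matching line wins, and the selector is the key filename cut at its first "." (inferred from the DKIM-Signature shown later in the thread, where .../szalbot.key.pem produced s=szalbot).

```python
"""Resolve which key and selector a dkim-filter KeyList entry gives a sender.

Added example, not code from dkim-milter.  It models the KeyList format
SM describes (sender-pattern:signing-domain:keypath).  Assumptions:
- the sender pattern is matched as a case-insensitive shell-style glob, so
  "*" matches every address and "*@example.com" matches one domain;
- the first matching line wins;
- the selector is the filename portion of keypath cut at its first ".",
  which is what the DKIM-Signature later in this thread shows
  (keypath .../szalbot.key.pem produced s=szalbot);
- ".pem" is appended to keypath when the key is read if it is absent.
"""
import fnmatch
import os
from typing import List, NamedTuple, Optional


class KeyEntry(NamedTuple):
    pattern: str   # user@host pattern; "*" is a wildcard
    domain: str    # the d= value that will appear in the signature
    keypath: str   # absolute path of the PEM private key


def parse_keylist(text: str) -> List[KeyEntry]:
    """Parse KeyList lines of the form pattern:domain:keypath.

    Blank lines and '#' comments are skipped.  A keypath that is not
    absolute is rejected, which is the mistake corrected in this thread.
    """
    entries: List[KeyEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")   # colons inside a keypath are not supported here
        if len(parts) != 3 or not all(parts):
            raise ValueError(
                f"keylist line {lineno}: expected pattern:domain:keypath, got {line!r}")
        pattern, domain, keypath = parts
        if not os.path.isabs(keypath):
            raise ValueError(
                f"keylist line {lineno}: keypath {keypath!r} must be an absolute path")
        entries.append(KeyEntry(pattern, domain, keypath))
    return entries


def selector_for(keypath: str) -> str:
    """Selector = filename portion of keypath, cut at the first '.' (assumption)."""
    return os.path.basename(keypath).split(".", 1)[0]


def key_file_for(keypath: str) -> str:
    """The file actually opened: '.pem' is appended when it was omitted."""
    return keypath if keypath.endswith(".pem") else keypath + ".pem"


def resolve(entries: List[KeyEntry], sender: str) -> Optional[dict]:
    """Return signing domain, selector and key file for the first matching
    entry, or None when nothing matches (the message would stay unsigned)."""
    sender = sender.lower()
    for e in entries:
        if fnmatch.fnmatchcase(sender, e.pattern.lower()):
            return {"domain": e.domain,
                    "selector": selector_for(e.keypath),
                    "key_file": key_file_for(e.keypath)}
    return None


# Constructed sample: the original poster's first attempt.  Because "*"
# matches every address, the second line can never be reached.
OP_KEYLIST = """\
*:domain.tld:/var/db/domainkeys/domain.tld.key.pem
*:domain2.tld:/var/db/domainkeys/domain2.tld.key.pem
"""

# Constructed sample in the corrected form: one pattern per domain; the
# second line omits ".pem" to show it being appended.
FIXED_KEYLIST = """\
*@domain.tld:domain.tld:/var/db/domainkeys/domain.tld.key.pem
*@domain2.tld:domain2.tld:/var/db/domainkeys/domain2.tld.key
"""

if __name__ == "__main__":
    for name, text in (("original", OP_KEYLIST), ("corrected", FIXED_KEYLIST)):
        entries = parse_keylist(text)
        for sender in ("alice@domain.tld", "bob@domain2.tld"):
            print(name, sender, "->", resolve(entries, sender))
```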
From: Zbigniew S. <z.s...@lc...> - 2008-04-28 14:45:08
Hello,

SM writes:
>>*:domain.tld:/var/db/domainkeys/domain.tld.key.pem
>>*:domain2.tld:/var/db/domainkeys/domain2.tld.key.pem
>>
>>A sender in domain.tld will have the email signed by domain.tld.key.pem
>>And a sender in domain2.tld will have the email signed by domain2.tld.key.pem
>
> The * in the first column will match all addresses. The format is
> sender-pattern:signing-domain:keypath:
>
> *@example.com:example.com:/var/db/domainkeys/key1.pem
> *@example.net:example.net:/var/db/domainkeys/examplenet.pem
>
> In the above, a different key is used for each domain. The selector used in
> the signature will be the filename portion of keypath. The ".pem"
> file extension can be omitted as it will be appended when the keypath is read.

I think I have made a mistake, but I realized it only after sending the email. Shouldn't the KeyList file actually contain the keys without an absolute path?

*@example.com:example.com:key1.pem
*@example.net:example.net:examplenet.pem

Thanks for the correction, anyway!

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-04-28 15:14:42
At 07:44 28-04-2008, Zbigniew Szalbot wrote:
>I think I have made a mistake but I have realized it after sending
>the email. Shouldn't the KeyList file name actually contain the keys
>without absolute path?
>
>*@example.com:example.com:key1.pem
>*@example.net:example.net:examplenet.pem

The third column is the keypath. It should be an absolute path to the key file.

Regards,
-sm
From: Zbigniew S. <z.s...@lc...> - 2008-04-29 07:42:57
Hello again,

SM writes:
> At 07:44 28-04-2008, Zbigniew Szalbot wrote:
>>I think I have made a mistake but I have realized it after sending
>>the email. Shouldn't the KeyList file name actually contain the keys
>>without absolute path?
>>
>>*@example.com:example.com:key1.pem
>>*@example.net:example.net:examplenet.pem

I am partly successful with the setup but I have two questions. This setup is purely for testing purposes before I implement sth similar on a production machine.

1/ startup with -d example.com

I have edited /usr/local/etc/mail/dkim-filter.conf and /etc/rc.conf

$ grep dkim /etc/rc.conf
milterdkim_enable="YES"
milterdkim_uid='dkimfilter'
milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"

When I start the milter, I get:

Apr 29 09:26:05 szalbot dkim-filter[6267]: Sendmail DKIM Filter v2.5.2 starting (args: -b sv -c simple/simple -m MSA -l -p local:/var/run/milterdkim/filter -u dkimfilter -P /var/run/milterdkim/pid -x /usr/local/etc/mail/dkim-filter.conf -d example.com)

Now I am a bit confused as to why it starts with -d example.com

$ grep example.com /usr/local/etc/mail/dkim-filter.conf

reveals nothing, so I am in the dark here.

2/ only one domain gets signed

The keylist file contains the following entries:

$ cat /var/db/domainkeys/keylist
*@szalbot.homedns.org:szalbot.homedns.org:/var/db/domainkeys/szalbot.key.pem
*@domszalbot.dyndns.org:domszalbot.dyndns.org:/var/db/domainkeys/domszalbot.key.pem

When I send email from the szalbot.homedns.org domain, it gets signed. When I do it from the domszalbot.dyndns.org domain, mails are not signed. I'd be happy to debug it but am not sure where to start.

Thanks for any idea!

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-04-29 09:00:34
Hello,

At 00:42 29-04-2008, Zbigniew Szalbot wrote:
>This setup is purely for testing purposes before I implement sth
>similar on a production machine.
>
>1/ startup with -d example.com
>
>I have edited /usr/local/etc/mail/dkim-filter.conf and /etc/rc.conf
>
>$ grep dkim /etc/rc.conf
>milterdkim_enable="YES"
>milterdkim_uid='dkimfilter'
>milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
>
>When I start the milter, I get:
>
>Apr 29 09:26:05 szalbot dkim-filter[6267]: Sendmail DKIM Filter
>v2.5.2 starting (args: -b sv -c simple/simple -m MSA -l -p
>local:/var/run/milterdkim/filter -u dkimfilter -P
>/var/run/milterdkim/pid -x /usr/local/etc/mail/dkim-filter.conf -d example.com)
>
>Now I am a bit confused as to why it starts with -d example.com

The milter startup script that comes with the FreeBSD port uses example.com as the default setting for milterdkim_domain. Set milterdkim_domain to one of your domains to get around that.

>2/ only one domain gets signed
>
>The keylist file contains the following entries
>$ cat /var/db/domainkeys/keylist
>*@szalbot.homedns.org:szalbot.homedns.org:/var/db/domainkeys/szalbot.key.pem
>*@domszalbot.dyndns.org:domszalbot.dyndns.org:/var/db/domainkeys/domszalbot.key.pem
>
>When I send email from szalbot.homedns.org domain, they get signed.
>When I do it from domszalbot.dyndns.org domain, mails are not
>signed. I'd be happy to debug it but not sure where to start.

In your dkim-filter.conf file, set the domains to be signed as follows:

Domain szalbot.homedns.org,domszalbot.dyndns.org

You could define the domains with the milterdkim_domain setting.

Emails sent through the MSA port or using SMTP AUTH will be signed if the email address matches the signing domains as defined by the keylist.

The following setting logs why the message gets signed or verified:

LogWhy Yes

You can debug by reviewing your maillog. If your emails are not being DKIM-signed, post an extract of the maillog showing an email being submitted.

Regards,
-sm
From: Zbigniew S. <z.s...@lc...> - 2008-04-29 10:44:36
Hello,

SM writes:
> In your dkim-filter.conf file, set the domains to be signed as follows:
>
> Domain szalbot.homedns.org,domszalbot.dyndns.org

This is what I had.

> You could define the domains with the milterdkim_domain setting.
>
> Emails sent through the MSA port or using SMTP AUTH will be signed if
> the email address matches the signing domains as defined by the keylist.
>
> The following setting logs why the message gets signed or verified.
> LogWhy Yes

I am not sure why no logging is enabled even though I set it on.

$ cat /usr/local/etc/mail/dkim-filter.conf |grep -v "#"
AutoRestart Yes
AutoRestartCount 5
Domain szalbot.homedns.org,domszalbot.dyndns.org
KeyList /var/db/domainkeys/keylist
Mode s
PidFile /var/run/milterdkim/signer.pid
RemoveOldSignatures Yes
SignatureAlgorithm rsa-sha1
Socket inet:4445@127.0.0.1
Syslog Yes
LogWhy Yes
SyslogFacility mail
SyslogSuccess yes
X-Header Yes

Apr 29 12:31:42 szalbot postfix/pickup[12503]: 27F0A28463: uid=80 from=<ad...@do...>
Apr 29 12:31:42 szalbot postfix/cleanup[12991]: 27F0A28463: message-id=<84f9826d6a9af974b2e9c7340d12c076@localhost>
Apr 29 12:31:42 szalbot postfix/qmgr[5609]: 27F0A28463: from=<ad...@do...>, size=649, nrcpt=1 (queue active)
Apr 29 12:31:42 szalbot dovecot: IMAP(zbi...@sz...): Disconnected: Logged out
Apr 29 12:31:42 szalbot postfix/smtpd[12997]: connect from localhost[127.0.0.1]
Apr 29 12:31:42 szalbot postfix/smtpd[12997]: CD7A828466: client=localhost[127.0.0.1]
Apr 29 12:31:42 szalbot postfix/cleanup[12991]: CD7A828466: message-id=<84f9826d6a9af974b2e9c7340d12c076@localhost>
Apr 29 12:31:42 szalbot postfix/qmgr[5609]: CD7A828466: from=<ad...@do...>, size=1086, nrcpt=1 (queue active)
Apr 29 12:31:42 szalbot postfix/smtpd[12997]: disconnect from localhost[127.0.0.1]
Apr 29 12:31:43 szalbot postfix/smtp[12994]: 27F0A28463: to=<zsz...@lc...>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.9, delays=0.11/0.05/0.01/0.73, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=04206-08, from MTA: 250 2.0.0 Ok: queued as CD7A828466)
Apr 29 12:31:43 szalbot postfix/qmgr[5609]: 27F0A28463: removed
Apr 29 12:31:43 szalbot dovecot: imap-login: Login: user=<zbi...@sz...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS
Apr 29 12:31:43 szalbot dovecot: IMAP(zbi...@sz...): Disconnected: Logged out
Apr 29 12:31:43 szalbot postfix/smtp[12998]: certificate verification failed for tau6.ceti.pl[62.121.128.16]:25: untrusted issuer /C=PL/ST=Malopolska/L=Krakow/O=CETI/OU=CETI/CN=CETI/emailAddress=hos...@ce...
Apr 29 12:31:44 szalbot dovecot: imap-login: Login: user=<zbi...@sz...>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, TLS
Apr 29 12:31:44 szalbot dovecot: IMAP(zbi...@sz...): Disconnected: Logged out
Apr 29 12:31:45 szalbot postfix/smtp[12998]: CD7A828466: to=<zsz...@lc...>, relay=tau6.ceti.pl[62.121.128.16]:25, delay=2.9, delays=0.12/0.11/0.39/2.3, dsn=2.0.0, status=sent (250 Ok: queued as 9EFA438015)
Apr 29 12:31:45 szalbot postfix/qmgr[5609]: CD7A828466: removed

Many thanks for further suggestions.

BTW - in the meantime I upgraded to dkim-milter-2.5.3, so the above tests were done with this version.

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-04-29 14:59:37
Hello,

At 03:44 29-04-2008, Zbigniew Szalbot wrote:
>I am not sure why no logging is enabled even though I set it on.
>
>$ cat /usr/local/etc/mail/dkim-filter.conf |grep -v "#"
>AutoRestart Yes
>AutoRestartCount 5
>Domain szalbot.homedns.org,domszalbot.dyndns.org
>KeyList /var/db/domainkeys/keylist
>Mode s
>PidFile /var/run/milterdkim/signer.pid
>RemoveOldSignatures Yes
>SignatureAlgorithm rsa-sha1

Is there a reason you are using rsa-sha1 instead of rsa-sha256?

>Socket inet:4445@127.0.0.1
>Syslog Yes
>LogWhy Yes
>SyslogFacility mail
>SyslogSuccess yes
>X-Header Yes

That enables logging.

>Apr 29 12:31:42 szalbot postfix/pickup[12503]: 27F0A28463: uid=80
>from=<ad...@do...>

The milter is not being called when that email is submitted, as the submission was not done through SMTP. That's why you don't see any dkim-filter related entries in the log. If the email is submitted through SMTP to localhost, it will be signed. If you have a mail client running on that computer, configure it to connect to localhost to send mail. If you are submitting the email from another computer, you should use SMTP AUTH for the email to be signed.

If the email is processed by dkim-filter, it will have an X-DKIM header even if it doesn't get signed.

>BTW - in the meantime I upgraded to dkim-milter-2.5.3, so the above
>tests were done with this version.

The latest version in the FreeBSD ports tree is 2.5.5.

Regards,
-sm
From: Hirohisa Y. <um...@gm...> - 2008-04-29 09:13:00
Hi.

At Tue, 29 Apr 2008 09:42:42 +0200, Zbigniew Szalbot wrote:
> Hello again,
>
> SM writes:
>
> > At 07:44 28-04-2008, Zbigniew Szalbot wrote:
> >> I think I have made a mistake but I have realized it after sending
> >> the email. Shouldn't the KeyList file name actually contain the
> >> keys without absolute path?
> >>
> >>*@example.com:example.com:key1.pem
> >>*@example.net:example.net:examplenet.pem
>
> I am partly successful with the setup but I have two questions.
>
> This setup is purely for testing purposes before I implement sth
> similar on a production machine.
>
> 1/ startup with -d example.com
>
> I have edited /usr/local/etc/mail/dkim-filter.conf and /etc/rc.conf
>
> $ grep dkim /etc/rc.conf
> milterdkim_enable="YES"
> milterdkim_uid='dkimfilter'
> milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
>
> When I start the milter, I get:
>
> Apr 29 09:26:05 szalbot dkim-filter[6267]: Sendmail DKIM Filter v2.5.2
> starting (args: -b sv -c simple/simple -m MSA -l -p
> local:/var/run/milterdkim/filter -u dkimfilter -P
> /var/run/milterdkim/pid -x /usr/local/etc/mail/dkim-filter.conf -d
> example.com)
>
> Now I am a bit confused as to why it starts with -d example.com
>
> $ grep example.com /usr/local/etc/mail/dkim-filter.conf
>
> reveals nothing so I am in the dark here.

The startup script provided with the FreeBSD dkim-milter port prior to 2.5.3 forces example.com when no milterdkim_domain is set in /etc/rc.conf (or /etc/.rc.conf.d/milterdkim). I changed the default value to blank in 2.5.5, so by updating through the ports system you'll get this solved.

Regards,
-- 
Hirohisa Yamaguchi
um...@gm...
From: Zbigniew S. <z.s...@lc...> - 2008-04-29 15:34:29
Hello again,

SM writes:
>>SignatureAlgorithm rsa-sha1
>
> Is there a reason you are using rsa-sha1 instead of rsa-sha256?

Actually no. Is rsa-sha256 preferred?

>> SyslogSuccess yes
>>X-Header Yes
>
> That enables logging.

Yes, but no logging is taking place. See below.

> The milter is not being called when that email is submitted as the
> submission was not done through SMTP. That's why you don't see any
> dkim-filter related entries in the log. If the email is submitted
> through SMTP to localhost, it will be signed.

I am not sure. Emails sent exactly the same way (from a local webclient) for the szalbot.homedns.org domain do get signed. Here's an example:

Return-Path: <zbi...@sz...>
X-Original-To: zsz...@lc...
Delivered-To: lc...@ta...
Received: from lists.lc-words.com (cxw210.internetdsl.tpnet.pl [83.19.156.210])
    by tau6.ceti.pl (Postfix) with ESMTP id AACA838003
    for <zsz...@lc...>; Tue, 29 Apr 2008 17:27:16 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by lists.lc-words.com (Postfix) with ESMTP id 507A428460
    for <zsz...@lc...>; Tue, 29 Apr 2008 17:27:15 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=szalbot.homedns.org;
    s=szalbot; t=1209482835; bh=RncHNkkRgpHaoq2sZDSLD5ey4Pc=;
    h=To:Subject:MIME-Version:Date:From:Message-ID:Content-Type:
     Content-Transfer-Encoding;
    b=WFHCN5PJux3NZd/7oJynGZhrLR1fVF0u4RwEf
     sBKBfq7E3KgPCaeLV66jO7E7QefxGQBMz7gAn+JljX8SjJ1tKG0AwFU5YPhQESBEUBA
     qINOYLY3QW2F2hS60g1vAmoLK29KgdQK3sMOATUpjrXmUPHmYmye97PpjmMRx41I+U0=
Received: from lists.lc-words.com ([127.0.0.1])
    by localhost (szalbot.homedns.org [127.0.0.1]) (amavisd-maia, port 10024)
    with ESMTP id 15032-04 for <zsz...@lc...>;
    Tue, 29 Apr 2008 17:27:14 +0200 (CEST)
Received: by lists.lc-words.com (Postfix, from userid 80)
    id 9BE922845F; Tue, 29 Apr 2008 17:27:14 +0200 (CEST)
To: zsz...@lc...
Subject: test
X-PHP-Script: szalbot.homedns.org/roundcube/index.php for 77.253.140.37
MIME-Version: 1.0
Date: Tue, 29 Apr 2008 17:27:14 +0200
From: Zbigniew Szalbot <zbi...@sz...>
Message-ID: <78cec5890a31b9f42d44175b25e054e1@localhost>
X-Sender: zbi...@sz...
Received: from 77-253-140-37.adsl.inetia.pl [77.253.140.37] with HTTP/1.1 (POST); Tue, 29 Apr 2008 17:27:14 +0200
User-Agent: RoundCube Webmail
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.4

>>BTW - in the meantime I upgraded to dkim-milter-2.5.3, so the above
>>tests were done with this version.
>
> The latest version in the FreeBSD ports tree is 2.5.5.

Thanks! Have just upgraded to 2.5.5!

Apr 29 17:30:23 szalbot dkim-filter[46781]: Sendmail DKIM Filter v2.5.5 starting (args: -l -p local:/var/run/milterdkim/filter -u dkimfilter -P /var/run/milterdkim/pid -x /usr/local/etc/mail/dkim-filter.conf)

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-04-29 17:24:57
Hello,

At 08:33 29-04-2008, Zbigniew Szalbot wrote:
>I am not sure. Emails sent exactly the same way (from a local
>webclient) for the szalbot.homedns.org domain do get signed. Here's an example:

What do the logs show for that example?

Do you have ad...@do... as the email address in the From: header for the email that is not being signed?

Regards,
-sm
From: Murray S. K. <ms...@se...> - 2008-04-29 18:43:29
On Tue, 29 Apr 2008, Zbigniew Szalbot wrote:
> Actually no. Is rsa-sha256 preferred?

The specs require it unless you have a good reason to force rsa-sha1. See RFC4871 section 3.3.

> Yes, but no logging is taking place. See below.

If you turn on logging with Syslog, the log information is sent to your syslog daemon, generally using nothing lower than "info" level. The logging facility is "mail" by default, but your configuration file can change it. Once you have that working, the output of LogWhy will tell you why mail is or isn't getting signed.

> I am not sure. Emails sent exactly the same way (from a local webclient)
> for the szalbot.homedns.org domain do get signed. Here's an example:

That's possibly the interesting point. If sent from a local webclient (which perhaps invokes sendmail via command line), the injection source will be 127.0.0.1. If you route mail through the filter from other points, those sources aren't trusted by default. You have to tell the filter it's okay to sign mail from those places as well; otherwise the filter would sign any mail it sees that claims to come from your domain, opening a hole for signing forgeries. Check the dkim-filter(8) man page for the "-i" switch, or the dkim-filter.conf(5) man page for the InternalHosts setting.
From: Zbigniew S. <z.s...@lc...> - 2008-04-30 12:59:08
Hello again,

SM writes:
> Hello,
> At 08:33 29-04-2008, Zbigniew Szalbot wrote:
>>I am not sure. Emails sent exactly the same way (from a local
>>webclient) for the szalbot.homedns.org domain do get signed. Here's an example:
>
> What do the logs show for that example?

To sum up:

$ cat /usr/local/etc/mail/dkim-filter.conf |grep -v "#"
AutoRestart Yes
AutoRestartCount 5
Domain szalbot.homedns.org,domszalbot.dyndns.org
KeyList /var/db/domainkeys/keylist
Mode s
PidFile /var/run/milterdkim/signer.pid
RemoveOldSignatures Yes
SignatureAlgorithm rsa-sha1
Socket inet:4445@127.0.0.1
Syslog Yes
LogWhy Yes
SyslogFacility mail
SyslogSuccess yes
X-Header Yes

I am doing a test with a local webmail client (will later repeat with a remote one, which authenticates).

First test is from the szalbot.homedns.org domain, which gets signed.

maillog snippet:

Apr 30 14:45:37 szalbot postfix/pickup[78960]: E23632845F: uid=80 from=<zbi...@sz...>
Apr 30 14:45:37 szalbot postfix/cleanup[79811]: E23632845F: message-id=<0bd0873bbd3c4d684bf65e1f18906eda@localhost>
Apr 30 14:45:37 szalbot postfix/qmgr[13956]: E23632845F: from=<zbi...@sz...>, size=669, nrcpt=1 (queue active)
Apr 30 14:45:38 szalbot postfix/smtp[79814]: E23632845F: to=<pos...@li...>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.98, delays=0.13/0.05/0.01/0.79, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=57513-10, from MTA: 250 2.0.0 Ok: queued as 7F70C28460)
Apr 30 14:45:38 szalbot postfix/qmgr[13956]: E23632845F: removed
Apr 30 14:45:38 szalbot postfix/local[79820]: 7F70C28460: to=<pos...@li...>, relay=local, delay=0.45, delays=0.26/0.09/0/0.1, dsn=2.0.0, status=sent (forwarded as D410228461)
Apr 30 14:45:38 szalbot postfix/qmgr[13956]: 7F70C28460: removed

and email headers:

Return-Path: <zbi...@sz...>
X-Original-To: pos...@li...
Delivered-To: zbi...@sz...
Received: by lists.lc-words.com (Postfix)
    id D410228461; Wed, 30 Apr 2008 14:45:38 +0200 (CEST)
Delivered-To: pos...@li...
Received: from localhost (localhost [127.0.0.1])
    by lists.lc-words.com (Postfix) with ESMTP id 7F70C28460
    for <pos...@li...>; Wed, 30 Apr 2008 14:45:38 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/simple; d=szalbot.homedns.org;
    s=szalbot; t=1209559538; bh=RncHNkkRgpHaoq2sZDSLD5ey4Pc=;
    h=To:Subject:MIME-Version:Date:From:Message-ID:Content-Type:
     Content-Transfer-Encoding;
    b=hhx3ZDCW9Biln+NrlIMp0YzTjB273ARRgCYnf
     irzLqGN+jnujHCYGaBXVLdDeBVTiKigxqbgF8VJieuSc78vLno6Mp6UVzP7ibQ5TS7V
     yp+Bmflbm1emKEsyir4RHLwSATCKwXAmQYD1BEtzIyKmZb4Ixw/VdxLmqwswYJLOaqc=
Received: from lists.lc-words.com ([127.0.0.1])
    by localhost (szalbot.homedns.org [127.0.0.1]) (amavisd-maia, port 10024)
    with ESMTP id 57513-10 for <pos...@li...>;
    Wed, 30 Apr 2008 14:45:38 +0200 (CEST)
Received: by lists.lc-words.com (Postfix, from userid 80)
    id E23632845F; Wed, 30 Apr 2008 14:45:37 +0200 (CEST)
To: pos...@li...
Subject: test
X-PHP-Script: szalbot.homedns.org/roundcube/index.php for 192.168.11.1
MIME-Version: 1.0
Date: Wed, 30 Apr 2008 14:45:37 +0200
From: Zbigniew Szalbot <zbi...@sz...>
Message-ID: <0bd0873bbd3c4d684bf65e1f18906eda@localhost>
X-Sender: zbi...@sz...
Received: from 192.168.11.1 [192.168.11.1] with HTTP/1.1 (POST); Wed, 30 Apr 2008 14:45:37 +0200
User-Agent: RoundCube Webmail
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

test

*********

Now I am trying the same setting with the domszalbot.dyndns.org account.

maillog snippet:

Apr 30 14:48:21 szalbot postfix/pickup[78960]: 5B7632845F: uid=80 from=<te...@do...>
Apr 30 14:48:21 szalbot postfix/cleanup[79911]: 5B7632845F: message-id=<1a4eb479b3d3e283b4c8f304d195e410@localhost>
Apr 30 14:48:21 szalbot postfix/qmgr[13956]: 5B7632845F: from=<te...@do...>, size=648, nrcpt=1 (queue active)
Apr 30 14:48:22 szalbot postfix/smtp[79914]: 5B7632845F: to=<pos...@li...>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.81, delays=0.15/0.06/0.01/0.6, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=57892-09, from MTA: 250 2.0.0 Ok: queued as DBB5E28460)
Apr 30 14:48:22 szalbot postfix/qmgr[13956]: 5B7632845F: removed
Apr 30 14:48:22 szalbot postfix/local[79918]: DBB5E28460: to=<pos...@li...>, relay=local, delay=0.25, delays=0.15/0.08/0/0.02, dsn=2.0.0, status=sent (forwarded as 2134428461)
Apr 30 14:48:22 szalbot postfix/qmgr[13956]: DBB5E28460: removed

and email headers:

Return-Path: <te...@do...>
X-Original-To: pos...@li...
Delivered-To: zbi...@sz...
Received: by lists.lc-words.com (Postfix)
    id 2134428461; Wed, 30 Apr 2008 14:48:22 +0200 (CEST)
Delivered-To: pos...@li...
Received: from localhost (localhost [127.0.0.1])
    by lists.lc-words.com (Postfix) with ESMTP id DBB5E28460
    for <pos...@li...>; Wed, 30 Apr 2008 14:48:21 +0200 (CEST)
Received: from lists.lc-words.com ([127.0.0.1])
    by localhost (szalbot.homedns.org [127.0.0.1]) (amavisd-maia, port 10024)
    with ESMTP id 57892-09 for <pos...@li...>;
    Wed, 30 Apr 2008 14:48:21 +0200 (CEST)
Received: by lists.lc-words.com (Postfix, from userid 80)
    id 5B7632845F; Wed, 30 Apr 2008 14:48:21 +0200 (CEST)
To: pos...@li...
Subject: test
X-PHP-Script: szalbot.homedns.org/roundcube/index.php for 192.168.11.1
MIME-Version: 1.0
Date: Wed, 30 Apr 2008 14:48:21 +0200
From: <te...@do...>
Message-ID: <1a4eb479b3d3e283b4c8f304d195e410@localhost>
X-Sender: te...@do...
Received: from 192.168.11.1 [192.168.11.1] with HTTP/1.1 (POST); Wed, 30 Apr 2008 14:48:21 +0200
User-Agent: RoundCube Webmail
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

test

*********

I do not know why
1/ dkim-filter does not log anything in maillog
2/ the second domain is not signed

$ pkg_info -Ix dkim-milter
dkim-milter-2.5.5   Domainkeys Identified Mail (DKIM) milter

I will repeat the test with a remote client. However, many thanks for your help!

-- 
Zbigniew Szalbot
www.lc-words.com
From: Zbigniew S. <z.s...@lc...> - 2008-04-30 13:15:10
Hello,

Zbigniew Szalbot writes:
> Hello again,
>
> SM writes:
>
>> Hello,
>> At 08:33 29-04-2008, Zbigniew Szalbot wrote:
>>>I am not sure. Emails sent exactly the same way (from a local
>>>webclient) for the szalbot.homedns.org domain do get signed. Here's an example:
>>
>> What do the logs show for that example?
>
> To sum up
> $ cat /usr/local/etc/mail/dkim-filter.conf |grep -v "#"
> AutoRestart Yes
> AutoRestartCount 5
> Domain szalbot.homedns.org,domszalbot.dyndns.org
> KeyList /var/db/domainkeys/keylist
> Mode s
> PidFile /var/run/milterdkim/signer.pid
> RemoveOldSignatures Yes
> SignatureAlgorithm rsa-sha1
> Socket inet:4445@127.0.0.1
> Syslog Yes
> LogWhy Yes
> SyslogFacility mail
> SyslogSuccess yes
> X-Header Yes
>
> I am doing a test with a local webmail client (will later repeat with a

I did repeat the test message with an authenticated sender. I got (Authenticated sender: te...@do...) in the headers. Other than that, the result was the same.

Thanks!

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-04-30 16:31:23
Hello,

At 05:58 30-04-2008, Zbigniew Szalbot wrote:
>I am doing a test with a local webmail client (will later repeat
>with a remote one, which authenticates).
>
>First test is from szalbot.homedns.org domain which gets signed.

Although the email gets signed, the maillog snippet does not show any dkim-filter entries. The relevant log related settings in your dkim-filter.conf file are correct.

>Now I am trying the same setting with domszalbot.dyndns.org account

[snip]

>and email headers
>
>Return-Path: <te...@do...>
>X-Original-To: pos...@li...
>Delivered-To: zbi...@sz...
>Received: by lists.lc-words.com (Postfix)
>    id 2134428461; Wed, 30 Apr 2008 14:48:22 +0200 (CEST)
>Delivered-To: pos...@li...
>Received: from localhost (localhost [127.0.0.1])
>    by lists.lc-words.com (Postfix) with ESMTP id DBB5E28460
>    for <pos...@li...>; Wed, 30 Apr 2008
>    14:48:21 +0200 (CEST)
>Received: from lists.lc-words.com ([127.0.0.1])
>    by localhost (szalbot.homedns.org [127.0.0.1]) (amavisd-maia, port 10024)
>    with ESMTP id 57892-09 for <pos...@li...>;
>    Wed, 30 Apr 2008 14:48:21 +0200 (CEST)
>Received: by lists.lc-words.com (Postfix, from userid 80)
>    id 5B7632845F; Wed, 30 Apr 2008 14:48:21 +0200 (CEST)
>To: pos...@li...
>Subject: test
>X-PHP-Script: szalbot.homedns.org/roundcube/index.php for 192.168.11.1
>MIME-Version: 1.0
>Date: Wed, 30 Apr 2008 14:48:21 +0200
>From: <te...@do...>

The From: header is correct.

At 06:14 30-04-2008, Zbigniew Szalbot wrote:
>I did repeat the test message with authenticated sender. I got
>(Authenticated sender: te...@do...) in headers. Other
>than that, the result was the same.

It looks like dkim-filter is not configured to sign for that domain then.

1. In your dkim-filter.conf file, define the userid under which dkim-filter should run and enable the X-header:

UserID mailnull
X-Header Yes

2. Stop dkim-filter.

3. Log in as root and start dkim-filter with the following parameters:

dkim-filter -x /usr/local/etc/dkim-filter.conf

4. Send an email to test whether it's being signed.

See whether there are any dkim-filter entries in your maillog. There should be one when the milter is started. There should also be some entries as the email gets signed. See whether there is an X-DKIM header in the emails.

Regards,
-sm
From: Zbigniew S. <z.s...@lc...> - 2008-04-30 17:47:00
Hello,

SM writes:
> 1. In your dkim-filter.conf file, define the userid under which
> dkim-filter should run and enable the X-header:
>
> UserID mailnull
>
> X-Header Yes

I have added UserID mailnull

> 4. Send an email to test whether it's being signed.

It IS being signed!

> See whether there are any dkim-filter entries in your maillog. There
> should be one when the milter is started. There should also be some
> entries as the email gets signed. See whether there is a X-DKIM
> header in the emails.

I got:

Apr 30 19:07:12 szalbot dkim-filter[9455]: can't write pid to /var/run/milterdkim/signer.pid: No such file or directory
Apr 30 19:07:12 szalbot dkim-filter[9456]: Sendmail DKIM Filter v2.5.5 starting (args: -x /usr/local/etc/mail/dkim-filter.conf)
Apr 30 19:11:22 szalbot dkim-filter[9456]: 7DADF28461 "DKIM-Signature" header added

The strange thing is that when I now start dkim-filter (/usr/local/etc/rc.d/milter-dkim start), connections on port 4445 are refused.

$ telnet localhost 4445
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host

However, when I start it like this:

/usr/local/libexec/dkim-filter -x /usr/local/etc/mail/dkim-filter.conf

connections are accepted.

$ ps ax |grep dkim
 835  ??  Is     0:00.00 /usr/local/libexec/dkim-filter -l -p local:/var/run/m
 837  ??  I      0:00.02 /usr/local/libexec/dkim-filter -l -p local:/var/run/m
1407  ??  Ss     0:00.00 /usr/local/libexec/dkim-filter -x /usr/local/etc/mail
1408  ??  S      0:00.01 /usr/local/libexec/dkim-filter -x /usr/local/etc/mail

Thanks!

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-04-30 20:37:00
Hello,

At 10:46 30-04-2008, Zbigniew Szalbot wrote:
>Apr 30 19:07:12 szalbot dkim-filter[9455]: can't write pid to
>/var/run/milterdkim/signer.pid: No such file or directory

See whether the directory exists.

>Apr 30 19:07:12 szalbot dkim-filter[9456]: Sendmail DKIM Filter
>v2.5.5 starting (args: -x /usr/local/etc/mail/dkim-filter.conf)
>
>Apr 30 19:11:22 szalbot dkim-filter[9456]: 7DADF28461
>"DKIM-Signature" header added

That shows that the email was signed.

>Strange thing is that when I now start dkim-filter
>(/usr/local/etc/rc.d/milter-dkim start), connections on port 4445 are refused.

That startup script is using a local socket instead of having dkim-filter listen on that port.

>However, when I start like this:
>/usr/local/libexec/dkim-filter -x /usr/local/etc/mail/dkim-filter.conf
>connections are accepted.
>
>$ ps ax |grep dkim
> 835 ?? Is 0:00.00 /usr/local/libexec/dkim-filter -l -p
> local:/var/run/m
> 837 ?? I 0:00.02 /usr/local/libexec/dkim-filter -l -p
> local:/var/run/m
> 1407 ?? Ss 0:00.00 /usr/local/libexec/dkim-filter -x
> /usr/local/etc/mail
> 1408 ?? S 0:00.01 /usr/local/libexec/dkim-filter -x
> /usr/local/etc/mail

You only need to run dkim-filter once. Terminate the existing dkim-filter processes before running the milter. I suggest reading the FreeBSD startup script if you want to use it to start dkim-filter.

Regards,
-sm
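For the maillog-based debugging suggested in this thread (LogWhy, checking for the "DKIM-Signature" header added entry), here is an added audit script; it is not code from dkim-milter. It joins Postfix qmgr "from=<...>" lines with dkim-filter's signing entries and reports, per sender domain, which messages were signed, which reached smtpd unsigned (the ones to look up with LogWhy), and which were only injected through pickup. The sample log is constructed and modelled on the lines quoted above; the assumption that the milter only sees the content filter's re-injected queue ID, not the pickup one, follows SM's explanation earlier in the thread.

```python
"""Per-domain DKIM signing report from a Postfix maillog with dkim-filter.

Added example, not part of dkim-milter.  It joins two kinds of log line
seen in this thread: Postfix "qmgr[...]: QUEUEID: from=<address>, ..." and
dkim-filter's 'QUEUEID "DKIM-Signature" header added'.  Assumptions:
- the milter is attached to smtpd, so a message first injected by
  postfix/pickup (sendmail(1), PHP mail()) is only offered to the milter
  after the content filter re-injects it under a second queue ID, and that
  second ID is the one dkim-filter logs;
- queue IDs are the uppercase hex strings Postfix uses by default.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable

QMGR_FROM = re.compile(
    r" postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
PICKUP = re.compile(r" postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=")
DKIM_SIGNED = re.compile(
    r' dkim-filter\[\d+\]: (?P<qid>[0-9A-F]+) "DKIM-Signature" header added')


def signing_report(lines: Iterable[str]) -> Dict[str, dict]:
    """Per sender domain: messages signed, left unsigned, or never offered.

    'unsigned' lists queue IDs that were queued without a dkim-filter
    signing entry: the ones to look up once LogWhy is enabled.  'pickup'
    counts first-pass queue IDs from local submission, which the milter
    does not see at all, so they are not reported as failures.
    """
    sender: Dict[str, str] = {}
    picked_up, signed = set(), set()
    for line in lines:
        m = QMGR_FROM.search(line)
        if m:
            sender[m["qid"]] = m["addr"]
            continue
        m = PICKUP.search(line)
        if m:
            picked_up.add(m["qid"])
            continue
        m = DKIM_SIGNED.search(line)
        if m:
            signed.add(m["qid"])

    report: Dict[str, dict] = defaultdict(
        lambda: {"signed": 0, "unsigned": [], "pickup": 0})
    for qid, addr in sender.items():
        # The null sender (bounces) has no domain to sign for.
        domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else "<>"
        entry = report[domain]
        if qid in picked_up:
            entry["pickup"] += 1
        elif qid in signed:
            entry["signed"] += 1
        else:
            entry["unsigned"].append(qid)
    return dict(report)


# Constructed sample modelled on the thread's maillog: one message per
# domain, each injected by pickup and re-queued by smtpd after the content
# filter; only the first domain gets a dkim-filter signing entry.
SAMPLE_LOG = """\
Apr 30 14:45:37 szalbot postfix/pickup[78960]: E23632845F: uid=80 from=<zbigniew@szalbot.homedns.org>
Apr 30 14:45:37 szalbot postfix/qmgr[13956]: E23632845F: from=<zbigniew@szalbot.homedns.org>, size=669, nrcpt=1 (queue active)
Apr 30 14:45:38 szalbot postfix/smtpd[79816]: 7F70C28460: client=localhost[127.0.0.1]
Apr 30 14:45:38 szalbot postfix/qmgr[13956]: 7F70C28460: from=<zbigniew@szalbot.homedns.org>, size=1106, nrcpt=1 (queue active)
Apr 30 14:45:38 szalbot dkim-filter[9456]: 7F70C28460 "DKIM-Signature" header added
Apr 30 14:48:21 szalbot postfix/pickup[78960]: 5B7632845F: uid=80 from=<test@domszalbot.dyndns.org>
Apr 30 14:48:21 szalbot postfix/qmgr[13956]: 5B7632845F: from=<test@domszalbot.dyndns.org>, size=648, nrcpt=1 (queue active)
Apr 30 14:48:21 szalbot postfix/smtpd[79916]: DBB5E28460: client=localhost[127.0.0.1]
Apr 30 14:48:21 szalbot postfix/qmgr[13956]: DBB5E28460: from=<test@domszalbot.dyndns.org>, size=1085, nrcpt=1 (queue active)
"""

if __name__ == "__main__":
    for domain, counts in signing_report(SAMPLE_LOG.splitlines()).items():
        print(domain, counts)
```

Run it against a real maillog with `signing_report(open("/var/log/maillog"))`; a domain whose every queue ID lands in "pickup" never reached the milter at all.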
From: Zbigniew S. <z.s...@lc...> - 2008-05-01 08:39:26
Hi there,

SM writes:
> Hello,
> At 10:46 30-04-2008, Zbigniew Szalbot wrote:
>>Apr 30 19:07:12 szalbot dkim-filter[9455]: can't write pid to
>>/var/run/milterdkim/signer.pid: No such file or directory
>
> See whether the directory exists.

Yes, it does.

>>Strange thing is that when I now start dkim-filter
>>(/usr/local/etc/rc.d/milter-dkim start), connections on port 4445 are refused.
>
> That startup script is using a local socket instead of having
> dkim-filter listen on that port.

But why would it do that if the config file specifies

Socket inet:4445@127.0.0.1

and I have

milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"

in /etc/rc.conf?

> You only need to run dkim-filter once. Terminate the existing
> dkim-filter processes before running the milter. I suggest reading
> the FreeBSD startup script if you want to use it to start dkim-filter.

OK. I will do, but I thought it was ready to be used by default.

Thanks for all your input!

-- 
Zbigniew Szalbot
www.lc-words.com
From: SM <sm...@re...> - 2008-05-01 15:18:24
Hello,

At 01:38 01-05-2008, Zbigniew Szalbot wrote:
>But why would it do that if the config file specifies
>Socket inet:4445@127.0.0.1

Your script passes the connection parameter from the command line.

>OK. I will do but I thought it was by default ready to be used.

It is ready to be used by default as long as your configuration and usage are along the lines set by the author of the package.

Regards,
-sm
From: Murray S. K. <ms...@se...> - 2008-05-01 16:41:30
On Thu, 1 May 2008, Zbigniew Szalbot wrote:
>>> Apr 30 19:07:12 szalbot dkim-filter[9455]: can't write pid to
>>> /var/run/milterdkim/signer.pid: No such file or directory
>>
>> See whether the directory exists.
>
> Yes, it does.

The only reason fopen() would report this error (ENOENT) would be if that directory is missing.

>> That startup script is using a local socket instead of having dkim-filter
>> listen on that port.
>
> But why would it do that if the config file specifies
> Socket inet:4445@127.0.0.1
>
> and I have
> milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
> in /etc/rc.conf

If there's a "-p" on the command line, that overrides your configuration file setting.
From: Zbigniew S. <z.s...@lc...> - 2008-05-02 14:52:44
Attachments:
smime.p7s
Hi there,

Murray S. Kucherawy writes:
>>> That startup script is using a local socket instead of having dkim-filter
>>> listen on that port.
>>
>> But why would it do that if the config file specifies
>> Socket inet:4445@127.0.0.1
>>
>> and I have
>> milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
>> in /etc/rc.conf
>
> If there's a "-p" on the command line, that overrides your configuration
> file setting.

I am confused. How should dkim-filter then be started?

1/ by calling /usr/local/libexec/dkim-filter -x /usr/local/etc/mail/dkim-filter.conf?
I would have to add a cron job to make sure it is started when the system reboots?

2/ by setting /etc/rc.conf entries? I already have:
milterdkim_enable="YES"
milterdkim_uid='mailnull'
milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"

As you can see there is no -p switch, but this way of starting the milter does not cause it to sign all domains configured in the conf file.

-- 
Zbigniew Szalbot
www.lc-words.com
From: Zbigniew S. <z.s...@lc...> - 2008-05-02 08:07:54
Attachments:
smime.p7s
Hi there,

Murray S. Kucherawy writes:
>>> That startup script is using a local socket instead of having dkim-filter
>>> listen on that port.
>>
>> But why would it do that if the config file specifies
>> Socket inet:4445@127.0.0.1
>>
>> and I have
>> milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
>> in /etc/rc.conf
>
> If there's a "-p" on the command line, that overrides your configuration
> file setting.

I am confused. How should dkim-filter then be started?

1/ by calling /usr/local/libexec/dkim-filter -x /usr/local/etc/mail/dkim-filter.conf?
I would have to add a cron job to make sure it is started when the system reboots?

2/ by setting /etc/rc.conf entries? I already have:
milterdkim_enable="YES"
milterdkim_uid='mailnull'
milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"

As you can see there is no -p switch, but when the filter starts, the -p switch is used, as can be seen from the maillog. Also, with this way of starting I cannot telnet to port 4445.

I guess I would like to know what settings to use in /etc/rc.conf to make sure the filter reads all config from the /usr/local/etc/mail/dkim-filter.conf file. The three settings displayed above seem not to suffice.

Your advice is greatly appreciated. Thanks!

-- 
Zbigniew Szalbot
www.lc-words.com
From: Murray S. K. <ms...@se...> - 2008-05-02 17:09:01
On Fri, 2 May 2008, Zbigniew Szalbot wrote:
> I am confused. How should then dkim-filter be started?
>
> 1/ by calling /usr/local/libexec/dkim-filter -x
> /usr/local/etc/mail/dkim-filter.conf?
> I would have to add a cron job to make sure it is started when system
> reboots?

You shouldn't use cron to start things on boot. That's what the /etc/rc* scripts are for.

> 2/ by setting /etc/rc.conf entry? I already have:
> milterdkim_enable="YES"
> milterdkim_uid='mailnull'
> milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
> As you can see there is no -p switch but when the filter starts, the -p
> switch is used as can be seen from the maillog. Also, with this way of
> starting I cannot telnet to port 4445.

The script which controls dkim-milter is adding a "-p" to the command line. I can see it in the files that come down when you install the port. The variable you need to set in /etc/rc.conf to change it appears to be "milterdkim_socket".

> I guess I would like to know what settings to use in /etc/rc.conf to
> make sure the filter reads all config from
> /usr/local/etc/mail/dkim-filter.conf file. The three settings displayed
> above seem not to suffice.

It looks to me like the following have command-line overrides in the port's start script:

-u (UserID) controlled by "milterdkim_uid"
-p (Socket) controlled by "milterdkim_socket"
-x controlled by "milterdkim_cfgfile"
-d (Domain) controlled by "milterdkim_domain"
-s (Selector) controlled by "milterdkim_selector"

There's also a "milterdkim_flags" which contains a bunch of other things also provided to the filter on the command line. The default is "-b sv -c simple/simple -m MSA", which means Modes, Canonicalization and MTA also have command line overrides. If you want to control those you'll have to set that variable to the empty string in /etc/rc.conf.

The port maintainer is on this list; perhaps he/she could comment further.
From: や. <um...@gm...> - 2008-05-02 09:47:51
Hi.

On Fri, May 2, 2008 at 5:07 PM, Zbigniew Szalbot <z.s...@lc...> wrote:
> Hi there,
>
> > > That startup script is using a local socket instead of having dkim-filter listen on that port.
> >
> > But why would it do that if the config file specifies
> > Socket inet:4445@127.0.0.1
> >
> > and I have
> > milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
> > in /etc/rc.conf
>
> If there's a "-p" on the command line, that overrides your configuration file setting.
>
> I am confused. How should then dkim-filter be started?
> 1/ by calling /usr/local/libexec/dkim-filter -x
> /usr/local/etc/mail/dkim-filter.conf?
> I would have to add a cron job to make sure it is started when system
> reboots?

No, you don't have to.

> 2/ by setting /etc/rc.conf entry? I already have:
> milterdkim_enable="YES"
> milterdkim_uid='mailnull'
> milterdkim_cfgfile="/usr/local/etc/mail/dkim-filter.conf"
> As you can see there is no -p switch but when the filter starts, the -p
> switch is used as can be seen from the maillog. Also, with this way of
> starting I cannot telnet to port 4445.

Just add a line sth like below:
milterdkim_socket="inet:4445@127.0.0.1"

> I guess I would like to know what settings to use in /etc/rc.conf to make
> sure the filter reads all config from /usr/local/etc/mail/dkim-filter.conf
> file. The three settings displayed above seem not to suffice.

When I wrote the startup script for the dkim-milter port in FreeBSD, there was no config file for the milter. So, I put some values for mandatory options (e.g. socket, domain) as defaults. I'll change the default value for milterdkim_cfgfile to blank by the next update. :)

Regards,
-- 
Hirohisa Yamaguchi
um...@gm...
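As an added example (not the FreeBSD port's rc script and not dkim-milter's own code), a small POSIX sh model of the override rule the two replies above describe: milterdkim_* variables in /etc/rc.conf become command-line flags, and a -p supplied by the rc script beats the Socket line in dkim-filter.conf. The local socket path and the temporary config file are constructed stand-ins, not values from the port.

```shell
#!/bin/sh
# Added example (not the FreeBSD port's rc script): a simplified model of how
# milterdkim_* variables from /etc/rc.conf become dkim-filter command-line
# flags, and why a -p on that command line wins over the Socket line in
# dkim-filter.conf. The rc script's real default socket path is not quoted
# here; "local:/var/run/EXAMPLE.sock" is a constructed stand-in.

# Assemble the command line the way the thread describes: every set
# milterdkim_* variable contributes its flag (-u, -p, -x, plus milterdkim_flags).
# Arguments: cfgfile socket uid flags (pass "" for an unset variable).
build_cmdline() {
    cmd="/usr/local/libexec/dkim-filter"
    if [ -n "$3" ]; then cmd="$cmd -u $3"; fi
    if [ -n "$2" ]; then cmd="$cmd -p $2"; fi
    if [ -n "$1" ]; then cmd="$cmd -x $1"; fi
    if [ -n "$4" ]; then cmd="$cmd $4"; fi
    printf '%s\n' "$cmd"
}

# Decide which socket the filter ends up listening on: a -p argument on the
# command line overrides the config file; only without -p does the Socket
# directive in the file apply. Arguments: cmdline cfgfile.
effective_socket() {
    cfgfile=$2
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-p" ]; then printf '%s\n' "$2"; return 0; fi
        shift
    done
    awk '$1 == "Socket" { print $2; exit }' "$cfgfile"
}

# Constructed stand-in for /usr/local/etc/mail/dkim-filter.conf.
CFG=$(mktemp)
printf '# constructed test config\nSocket inet:4445@127.0.0.1\n' > "$CFG"

# Case 1, the thread's symptom: milterdkim_socket is unset, the rc script falls
# back to its local-socket default and passes it with -p, so the inet socket
# in the config file is ignored and port 4445 refuses connections.
CMD1=$(build_cmdline "$CFG" "local:/var/run/EXAMPLE.sock" mailnull "")
echo "$CMD1"
echo "listens on: $(effective_socket "$CMD1" "$CFG")"

# Case 2, the fix from the thread: milterdkim_socket="inet:4445@127.0.0.1" in
# rc.conf makes the -p value agree with the config file.
CMD2=$(build_cmdline "$CFG" "inet:4445@127.0.0.1" mailnull "")
echo "$CMD2"
echo "listens on: $(effective_socket "$CMD2" "$CFG")"
```

The same check is a quick way to verify an rc.conf change before restarting the milter: compare the -p value on the running process (as in the ps output earlier in the thread) with the Socket line in the config file.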
From: Zbigniew S. <z.s...@lc...> - 2008-05-02 09:59:58
Attachments:
smime.p7s
Hello,

やまきゅう writes:
> Just add a line sth like below:
> milterdkim_socket="inet:4445@127.0.0.1"

Thank you for your patience with me! All works now as expected.

Again, thanks for all the input!

-- 
Zbigniew Szalbot
www.lc-words.com