From: Victor M. <vv...@tu...> - 2012-02-07 08:18:31
Hi!

Fritz Borgstedt:
> Disable the feature.

To All:

Disable DoMSGIDsig ( Do Message-ID Signing ) -- [ as a minimum, IMHO ] is not a super-OK solution

To Nikola Lazic:

1) Why OpenDKIM? Why not the DKIM feature in ASSP v2.X ( and maybe in 1.9X/1.8X ) ?

0)
==
I send a message from server a.com as a@a.com to b@b.com. b.com has ASSP running and a.com is in localDomains. The *incoming* emails Message-ID is modified by ASSP on b.com and as such passed to the MTA.
==

I.e.: b.com has "a.com" in localDomains?

Adding no-LAN servers to "local*" is not a super-OK solution itself -- use WhiteDomain and/or WhiteList and/or see later about noProcessing

==
b.com is a.com's MX
==

Maybe best to place a.com in npaddresses.txt / No Processing Addresses* / (noProcessing) in the ASSP files on the b.com servers? Or the IP addresses of a.com in noProcessingIPs ( No Processing IPs* ) ? ipnp.txt ?

2) Try setting MSGIDpreTag ( Message-ID pre-Tag for MSGID-TAG-generation )

on a.com a-la
MSGIDpreTag:=seca

on b.com a-la
MSGIDpreTag:=secb

and use the DKIM check/sign feature[s] in ASSP v2.X ( and [maybe] turn Off DKIM in check MTA and/or disable OpenDKIM )

Best regards, Victor Miasnikov
Blog: http://vvm.blog.tut.by/

P.S.
. . .

P.P.S.

----- Original Message -----
From: "Nikola Lazic"
To: "'For Users of ASSP'"
Sent: Wednesday, January 11, 2012 10:18 PM
Subject: Re: [Assp-user] DKIM and Messsage-ID Change 1.9.1.8

> Disable the feature [Do Message-ID Signing (DoMSGIDsig)].

Will do. Thanks!

--

----- Original Message -----
From: "Fritz Borgstedt"
To: "For Users of ASSP"
Sent: Wednesday, January 11, 2012 7:25 PM
Subject: Re: [Assp-user] DKIM and Messsage-ID Change 1.9.1.8

> For Users of ASSP {ZZZZZZZZZZZZ} writes:
>>It's coming from a different machine, but a.com is in b.com's
>>localDomains.
>>b.com is a.com's MX, but b.com generates and sends out mail on its
>>own.
>
>
> Disable the feature.
>
> Modifying of Message-IDs is done for "local" mails.
> That a mail claims to be from one of the local domains does not
> make it local. Messages from "Local Domains" are called "local"
> provided they come from IPs in "Accept All
> Mail", "relayPort" or are authenticated.

----- Original Message -----
From: "Nikola Lazic"
To: assp-user lists
Sent: Tuesday, January 10, 2012 7:19 PM
Subject: [Assp-user] DKIM and Messsage-ID Change 1.9.1.8

In some instances ASSP 1.9.1.8(1.1.01) will change the original message's Message-ID header by prefixing it with "assp." followed by an alphanumeric string. I think this happens when a message is received from a host listed in localDomains. I'm not sure what the purpose of the Message-ID modification is.

If the message has been signed using DomainKeys and Message-ID is a header included in the signature (recommended by RFC 4871 and default for OpenDKIM) the Message-ID change will invalidate the signature. An error message in the sendmail mail log will be created:

Jan 9 15:51:27 domain.com sendmail[10092]: [ID 801593 mail.info] q09KpRVM010092: Milter insert (1): header: Authentication-Results: domain.com; dkim=fail (verification failed)\n\theader.i=@other.domain.com header.b=ut6J4Ex+;\n\tdkim-adsp=unknown
Jan 9 15:51:27 domain.com opendkim[2943]: [ID 632817 mail.info] q09KpRVM010092: s=mail d=other.domain.com SSL error:04077068:rsa routines:RSA_verify:bad signature
Jan 9 15:51:27 domain.com opendkim[2943]: [ID 614597 mail.notice] q09KpRVM010092: bad signature data

A solution is to exclude Message-ID from the signature. In opendkim.conf: OmitHeaders Message-ID.

Is there a way to modify ASSP so this doesn't happen?

Nikola Lazic
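
An added example, not part of any message in this thread and not ASSP or OpenDKIM code: it models why the Message-ID rewrite described above breaks verification when Message-ID is listed in the signature's h= tag, and why omitting it does not. It hashes only the relaxed-canonicalized signed headers (a real verifier also covers the DKIM-Signature header and checks the RSA signature); the sample headers and the exact form of the "assp." tag are constructed assumptions.

```python
import hashlib
import re

# Constructed sample headers (addresses follow the thread's a.com/b.com example).
SAMPLE = [
    ("From", "a@a.com"),
    ("To", "b@b.com"),
    ("Subject", "test   message"),
    ("Date", "Mon, 9 Jan 2012 15:51:20 -0500"),
    ("Message-ID", "<20120109205120.1234@a.com>"),
]

def relaxed(name, value):
    """Relaxed header canonicalization as defined for DKIM (RFC 4871, 3.4.2)."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse and trim whitespace
    return f"{name.lower()}:{value}\r\n"

def signed_header_digest(headers, h_tag):
    """SHA-256 over the canonicalized headers listed in h=.
    Simplification: a real verifier also feeds in the DKIM-Signature header
    (with b= emptied) and checks an RSA signature over the result."""
    by_name = {n.lower(): (n, v) for n, v in headers}
    data = "".join(relaxed(*by_name[h.lower()]) for h in h_tag if h.lower() in by_name)
    return hashlib.sha256(data.encode("ascii")).hexdigest()

def rewrite_message_id(headers, tag="assp.0a1b2c."):
    """Model the reported rewrite; the tag value and its placement are assumptions."""
    return [(n, v.replace("<", "<" + tag, 1)) if n.lower() == "message-id" else (n, v)
            for n, v in headers]

def signature_survives(headers, h_tag):
    """True if the signed-header digest is unchanged by the Message-ID rewrite."""
    return signed_header_digest(headers, h_tag) == signed_header_digest(
        rewrite_message_id(headers), h_tag)

if __name__ == "__main__":
    default_h = ["From", "To", "Subject", "Date", "Message-ID"]
    omitted_h = [h for h in default_h if h != "Message-ID"]  # effect of OmitHeaders Message-ID
    print("Message-ID signed :", "pass" if signature_survives(SAMPLE, default_h) else "dkim=fail")
    print("Message-ID omitted:", "pass" if signature_survives(SAMPLE, omitted_h) else "dkim=fail")
```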