From: Sharma, A. <ash...@hp...> - 2011-05-16 14:00:12
Adding DKIM mailing list guys to suggest some help.

-----Original Message-----
From: Sharma, Ashish
Sent: Wednesday, May 11, 2011 5:31 PM
To: sid...@li...
Cc: Varghese, Daniel
Subject: [sid-milter-discuss] Sender-ID validation via Blackberry failing

Hi,

I have a Postfix mail receiving server; on this I am using the sid-milter tool (found at http://sourceforge.net/projects/sid-milter/, got from http://www.postfix.org/addon.html) to validate Sender-ID and SPF.

Here the problem is for mail servers that implement Sender-ID: mail servers that are implementing Sender-ID and having their mails sent via Blackberry are having their Sender-ID (sender-id=neutral) not getting verified on my Postfix end.

Following are the mail headers that I am receiving:

>From SRS0=nRLNv7=UW=aol.com=xx...@sr... Mon Jan 24 11:05:10 2011
Return-Path: <SRS0=nRLNv7=UW=aol.com=xxx...@sr...>
X-Original-To: cp...@de...
Delivered-To: cp...@de...
Received: from localhost (localhost [127.0.0.1])
        by dev1.cpgtest.ostinet.net (Postfix) with ESMTP id C94AA2828C
        for <cp...@de...>; Mon, 24 Jan 2011 11:05:10 -0500 (EST)
Authentication-Results: dev1.cpgtest.ostinet.net; sender-id=neutral header.from=xxx...@ao...; spf=pass smtp.mfrom=SRS0=nRLNv7=UW=aol.com=xxx...@sr...
X-DKIM: OpenDKIM Filter v2.1.3 dev1.cpgtest.ostinet.net D5DEA2815D
Authentication-Results: dev1.cpgtest.ostinet.net; dkim=none (no signature); dkim-adsp=none
Received: from b27.c7.bise7.blackberry ([192.168.0.127])
        by srs.bis7.eu.blackberry.com (8.13.7 TEAMON/8.13.7) with ESMTP id p0OFtGaw021900
        for cp...@de...; Mon, 24 Jan 2011 16:05:09 GMT
X-rim-org-msg-ref-id: 300123690
Message-ID: <300...@b2...se7.blackberry>
Content-Transfer-Encoding: base64
Reply-To: xxx...@ao...
X-Priority: Normal
References: <160...@b2...se7.blackberry>
In-Reply-To: <160...@b2...se7.blackberry>
Sensitivity: Normal
Importance: Normal
Subject: Re: Test from aol
To: cp...@de...
From: xxx...@ao...
Date: Mon, 24 Jan 2011 16:05:51 +0000
Content-Type: text/plain; charset="Windows-1252"
MIME-Version: 1.0
Status: RO

Can anybody tell me what needs to be done at my end to get Sender-ID for mails sent via Blackberry to be verified and passed correctly?

Also, as can be seen, Blackberry implements SRS (Sender Rewriting Scheme):

Authentication-Results: dev1.cpgtest.ostinet.net; sender-id=neutral header.from=xxx...@ao...; spf=pass smtp.mfrom=SRS0=nRLNv7=UW=aol.com=xxx...@sr...

so as per my understanding Sender-ID validation should in this case work flawlessly, as the Sender Rewriting Scheme (SRS) makes sure SPF passes if a mail forwarder has implemented SRS, as per the information available at the links http://www.openspf.org/SRS and http://www.libsrs2.org/srs/srs.pdf

If the above information is correct, then why is sid-milter behaving as experienced; is it a bug?

Thanks
Ashish Sharma
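The Authentication-Results line quoted above reports on two different identities: spf=pass is evaluated on the SRS-rewritten smtp.mfrom (the envelope sender), while sender-id=neutral is evaluated on header.from. The added example below is not part of the post or of sid-milter; it pulls both identities out of a constructed message: the Sender-ID Purported Responsible Address (PRA, selected from the headers in the RFC 4407 order, simplified here to "first present of Resent-Sender, Resent-From, Sender, From") and the envelope sender with its SRS0 wrapper removed. The domain names, SRS hash and timestamp in the sample are constructed placeholders.

```python
# Added example (not sid-milter's code, not from the post): which domain SPF and
# Sender-ID each evaluate when the envelope sender has been SRS-rewritten.
# Domains, the SRS hash "HASH00" and timestamp "TT" are constructed placeholders.
import re
from email import message_from_string
from email.utils import parseaddr

# Simplified PRA selection (RFC 4407): first of these headers that is present.
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

# SRS0 forward form: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
SRS0_RE = re.compile(r"^SRS0=([^=]+)=([^=]+)=([^=]+)=(.+)@([^@]+)$")


def pra_address(msg):
    """Return (header_name, address) of the Purported Responsible Address, or None."""
    for name in PRA_HEADERS:
        value = msg.get(name)
        if value:
            return name, parseaddr(value)[1]
    return None


def unwrap_srs(mail_from):
    """Split a MAIL FROM into (domain SPF checks, original sender address).

    For an SRS0 address the forwarder's domain is what SPF evaluates and the
    original sender is reconstructed from the wrapper; a plain address maps to itself.
    """
    m = SRS0_RE.match(mail_from)
    if m:
        _hash, _timestamp, orig_domain, orig_local, forwarder = m.groups()
        return forwarder, f"{orig_local}@{orig_domain}"
    return mail_from.rsplit("@", 1)[1], mail_from


def identities(raw_message, mail_from):
    """Which identity each mechanism checks for one delivery."""
    msg = message_from_string(raw_message)
    header_name, pra = pra_address(msg)
    spf_domain, original = unwrap_srs(mail_from)
    return {
        "spf_domain": spf_domain,                 # envelope domain after SRS
        "original_sender": original,              # what SRS rewrote away
        "pra_header": header_name,                # header Sender-ID took the PRA from
        "pra_domain": pra.rsplit("@", 1)[1],      # domain Sender-ID evaluates
    }


# Constructed message modelled on the headers quoted in the post.
SAMPLE_MESSAGE = """\
Return-Path: <SRS0=HASH00=TT=aol.example=user@srs.forwarder.example>
Reply-To: user@aol.example
Subject: Re: Test
To: recipient@receiver.example
From: user@aol.example
Date: Mon, 24 Jan 2011 16:05:51 +0000

hello
"""
SAMPLE_MAIL_FROM = "SRS0=HASH00=TT=aol.example=user@srs.forwarder.example"

if __name__ == "__main__":
    for key, value in identities(SAMPLE_MESSAGE, SAMPLE_MAIL_FROM).items():
        print(f"{key:16} {value}")
```

SRS rewrites only the envelope sender, so it changes the domain that SPF evaluates (the forwarder's) without touching the headers the PRA is taken from; the two results in the post are therefore reporting on different domains and need not agree.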
From: Christopher H. <dha...@gm...> - 2011-04-21 18:37:51
Hello All,

I'm running a CentOS5 box and after a yum update and ensuing reboot, dkim-milter failed to start.

###
root@server1> service dkim-milter restart
Shutting down DomainKeys Identified Mail Milter:           [FAILED]
Starting DomainKeys Identified Mail Milter (dkim-filter):
dkim-filter: //dk: open(): No such file or directory
dkim-filter: /etc/mail/dkim-milter/dkim-filter.conf: key load from /etc/mail/dkim-milter/keys/keylist failed
                                                           [FAILED]

Nor could I run it directly:

root@server1> /usr/sbin/dkim-filter -x /etc/mail/dkim-milter/dkim-filter.conf -P /var/run/dkim-milter/dkim-milter.pid -p inet:10036@localhost -bsv
dkim-filter: /etc/mail/dkim-milter/dk: open(): No such file or directory
dkim-filter: /etc/mail/dkim-milter/dkim-filter.conf: key load from /etc/mail/dkim-milter/keys/keylist failed

I added "-k /etc/mail/dkim-milter/keys/dk" and it ran fine.

root@server1> less /etc/sysconfig/dkim-milter
# To sign only, use -bs
#
#EXTRA_FLAGS=-bs
#SOCKET=inet:10036@localhost
# This seemed to have no effect
KEYFILE="/etc/mail/dkim-milter/keys/dk"

egrep -v "#|^$" /etc/mail/dkim-milter/dkim-filter.conf
AutoRestart Yes
# Note that adding this line had no discernible effect
KeyFile /etc/mail/dkim-milter/keys/dk
KeyList /etc/mail/dkim-milter/keys/keylist
Mode s
Selector dk
Socket inet:10036@localhost
Syslog Yes
SyslogFacility mail
SyslogSuccess Yes
UserID dkim-milter:dkim-milter
X-Header Yes

root@server1> uname -a
Linux server1 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:56 EDT 2011 i686 i686 i386 GNU/Linux

root@server1> tail -n50 /var/log/yum.log
....
Apr 19 12:31:33 Updated: tzdata-2011d-3.el5.i386
Apr 19 12:32:14 Updated: glibc-common-2.5-58.el5_6.2.i386
Apr 19 12:32:19 Updated: nash-5.1.19.6-68.el5_6.1.i386
Apr 19 12:32:23 Updated: kernel-headers-2.6.18-238.9.1.el5.i386
Apr 19 12:32:34 Updated: glibc-2.5-58.el5_6.2.i686
Apr 19 12:32:35 Updated: openssh-4.3p2-72.el5_6.3.i386
Apr 19 12:32:36 Updated: mkinitrd-5.1.19.6-68.el5_6.1.i386
Apr 19 12:32:36 Updated: openssh-server-4.3p2-72.el5_6.3.i386
Apr 19 12:32:58 Installed: kernel-2.6.18-238.9.1.el5.i686
Apr 19 12:32:58 Updated: 12:dhclient-3.0.5-23.el5_6.4.i386
Apr 19 12:32:59 Updated: openssh-clients-4.3p2-72.el5_6.3.i386
Apr 21 08:49:35 Installed: tree-1.5.0-4.i386

root@server1> yum list installed | grep -e 'postfix\|sendmail\|dkim'
dkim-milter.i386             2.8.3-4.el5
postfix.i386                 2:2.6.2-2.jtl.el5
postfix-perl-scripts.i386    2:2.6.2-2.jtl.el5
sendmail.i386                8.13.8-8.el5

Any ideas why this would be?

Cheers,
Chris
From: Sharma, A. <ash...@hp...> - 2010-06-09 11:01:11
Hi,

I have a Postfix mail receiving server; on this I need to deploy dk-milter in verification mode only. I have launched dk-milter with the following command:

./dk-filter -u postfix -p inet:10020@localhost -l -R -b v -h

My Postfix 'main.cf' config file setting for this milter is as follows:

#Milter support for smtpd mail
smtpd_milters = inet:localhost:10020

But my mails are not getting received and the maillog shows the following error:

Jun 9 06:57:19 ip-10-194-99-63 postfix/smtpd[2898]: connect from mail-vw0-f48.google.com[209.85.212.48]
Jun 9 06:57:19 ip-10-194-99-63 postfix/smtpd[2898]: 7E44510021F: client=mail-vw0-f48.google.com[209.85.212.48]
Jun 9 06:57:19 ip-10-194-99-63 postfix/cleanup[2901]: 7E44510021F: message-id=<AAN...@ma...>
Jun 9 06:57:19 ip-10-194-99-63 dk-filter[2916]: 7E44510021F: dk_eom(): resource unavailable: d2i_PUBKEY_bio() failed
Jun 9 06:57:19 ip-10-194-99-63 dk-filter[2916]: 7E44510021F SSL error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data
Jun 9 06:57:19 ip-10-194-99-63 postfix/cleanup[2901]: 7E44510021F: milter-reject: END-OF-MESSAGE from mail-vw0-f48.google.com[209.85.212.48]: 4.7.1 Service unavailable - try again later; from=<ash...@gm...> to=<cp...@de...> proto=ESMTP helo=<mail-vw0-f48.google.com>
Jun 9 06:57:19 ip-10-194-99-63 postfix/smtpd[2898]: disconnect from mail-vw0-f48.google.com[209.85.212.48]

Please help.

Thanks in advance,
Ashish Sharma
From: SM <sm...@re...> - 2009-08-31 16:41:41
At 08:34 31-08-2009, David Brooks wrote:
>We have a client that is failing dkim authentication at Yahoo. I
>suspect that it is because their i= tag value contains a wildcard
>character, i=@*.example.net;
>
>Is it legal syntax to use wildcards in the i= tag? Thanks.

You sent your message to the wrong mailing list. The i= tag cannot contain a wildcard character.

Regards,
-sm
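The rule SM applies here is the RFC 6376 definition of the i= tag (the Agent or User Identifier): an optional local-part, "@", and a domain name that is either the d= domain or a subdomain of it, with no wildcards. The added example below is not from dkim-milter or from the thread; it parses a DKIM-Signature value and checks the i= tag against d=, reporting why the wildcard form quoted above is rejected. The signature values in the usage are constructed.

```python
# Added example (not dkim-milter's code): validate the i= tag of a DKIM-Signature
# against its d= tag per RFC 6376 section 3.5. Signature values are constructed.
import re

# One DNS label: alphanumerics with interior hyphens; "*" is not a label character.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
DOMAIN_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")


def parse_tags(header_value):
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside values is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_auid(tags):
    """Return (ok, reason) for the i= tag relative to d=."""
    d = tags.get("d", "").lower()
    if not d:
        return False, "d= missing"
    if "i" not in tags:
        return True, f"i= absent, defaults to @{d}"
    auid = tags["i"]
    if "@" not in auid:
        return False, "i= must contain '@'"
    _local, _, domain = auid.rpartition("@")
    domain = domain.lower()
    if not DOMAIN_RE.match(domain):
        return False, f"i= domain {domain!r} is not a valid domain name (wildcards are not allowed)"
    if domain != d and not domain.endswith("." + d):
        return False, f"i= domain {domain!r} is not {d} or a subdomain of it"
    return True, f"i={auid} is within d={d}"


def check_signature(header_value):
    """Convenience wrapper: check the i= tag of a raw DKIM-Signature header value."""
    return check_auid(parse_tags(header_value))


if __name__ == "__main__":
    # The form from the question (d= and the rest of the tags constructed):
    print(check_signature("v=1; a=rsa-sha256; d=example.net; s=sel; i=@*.example.net; h=from:to; bh=X; b=Y"))
    print(check_signature("v=1; a=rsa-sha256; d=example.net; s=sel; i=@mail.example.net; h=from:to; bh=X; b=Y"))
```

A verifier that wants one identity for a whole subtree of hosts gets it from d= alone: every i= under d= is acceptable, so no wildcard is needed to cover mail.example.net, lists.example.net and so on.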
From: David B. <dav...@re...> - 2009-08-31 15:35:02
Hello,

We have a client that is failing dkim authentication at Yahoo. I suspect that it is because their i= tag value contains a wildcard character, i=@*.example.net;

Is it legal syntax to use wildcards in the i= tag? Thanks.

David Brooks
From: Ed G. <ed...@gr...> - 2009-08-28 20:08:11
Mike Markley wrote:
>
> DKIM explicitly lists the headers signed by default; DomainKeys does not.
> As such, any headers added by your MTA can cause breakage, because the
> receiver doesn't know those added headers weren't part of the signature.
>
> If this is indeed the problem, then running dk-filter with -H should
> resolve it. That will cause the filter to list the headers in an h=
> list, much as your dkim-filter does.
>

Got it first try. Good troubleshooting! Thanks.
From: Mike M. <mi...@ma...> - 2009-08-28 18:16:58
On Fri, Aug 28, 2009 at 10:00:27AM -0700, Ed Greenberg <ed...@gr...> wrote:
> X-DomainKeys: Sendmail DomainKeys Filter v0.4.1 admin001.xxx.com
> n7RM69hr004614

There is a newer dk-milter available, but I don't think that's the problem...

> DomainKey-Signature: a=rsa-sha1; s=sm; d=xxx.com; c=nofws; q=dns;
> b=xvb4Olk0ORGHbSSF5sFTc+o4cn5A2FWGvLyN/W3jNdPJFJaO6WhBngU/P/HSjdaEH
> wsr+ZtvxUXzEIYfqadEaDPvpKN3xbzLaoD04qlf1Ovn2DrSrKgtV7GIpkQV0k1rExDa
> 5jAxAsfosQvFBcMDmE9aZNR5Ov9jSyrLuzsC/qw=
>
>
> and my Authentication-Results show this:
> Authentication-Results: mta197.mail.ac4.yahoo.com from=xxx.com;
> domainkeys=fail (bad sig); from=xxx.com; dkim=pass (ok)

[...]

> DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=xxx.com; s=sm;
> t=1251410772; bh=eysLlgSsWNRcmr0vbz36DTJcnFk=; h=X-DomainKeys:
> DomainKey-Signature:From:To:Subject; b=IgKChg+V8wvoWydVCMI3kMsUybf
> GdyS8Rjd25DI4nPlzQiccDkDzJ+dNhFyGrKeiv/jMUFhD58NlAgLnN1xpLgR8+8vTyo
> k071LEPCDmmrgHpo2mmOIw7MOpc+4F4dwXIuRVCbQWbfof6Qi8VqO9X+CDjQbxj6WL5
> /LIgxpmJHY=

DKIM explicitly lists the headers signed by default; DomainKeys does not. As such, any headers added by your MTA can cause breakage, because the receiver doesn't know those added headers weren't part of the signature.

If this is indeed the problem, then running dk-filter with -H should resolve it. That will cause the filter to list the headers in an h= list, much as your dkim-filter does.

--
Mike Markley <mi...@ma...>
Insufficient facts always invite danger.
- Spock, "Space Seed", stardate 3141.9
From: Ed G. <ed...@gr...> - 2009-08-28 17:00:53
I installed dk-milter (and dkim-milter) and configured it as best I could figure out. I'm using the package from c-corp.net for Centos/EL5.

When I use /bin/mail on the smtp server (which runs sendmail, I believe) I get a DomainKeys Pass, but when I send my mail via port 25, I get DomainKeys Fail.

My dk-filter daemon is running with these options:

/usr/sbin/dk-filter \
  -u root \
  -p inet:10035@localhost \
  -d xxx.com \
  -s /etc/mail/domainkeys/xxx.com.priv \
  -S sm \
  -b sv \
  -c nofws \
  -C bad=r,dns=t,int=t,no=a,miss=r \
  -h \
  -l \
  -D \
  -i /etc/mail/domainkeys/allowed-hosts \
  -I /etc/mail/domainkeys/allowed-hosts \
  -P /var/run/dk-filter0.pid

My sendmail.mc has this:

INPUT_MAIL_FILTER(`dk-filter', `S=inet:10035@localhost')

My DomainKey header (as received at a Yahoo Mail account) shows this:

X-DomainKeys: Sendmail DomainKeys Filter v0.4.1 admin001.xxx.com n7RM69hr004614
DomainKey-Signature: a=rsa-sha1; s=sm; d=xxx.com; c=nofws; q=dns;
  b=xvb4Olk0ORGHbSSF5sFTc+o4cn5A2FWGvLyN/W3jNdPJFJaO6WhBngU/P/HSjdaEH
  wsr+ZtvxUXzEIYfqadEaDPvpKN3xbzLaoD04qlf1Ovn2DrSrKgtV7GIpkQV0k1rExDa
  5jAxAsfosQvFBcMDmE9aZNR5Ov9jSyrLuzsC/qw=

and my Authentication-Results show this:

Authentication-Results: mta197.mail.ac4.yahoo.com from=xxx.com;
  domainkeys=fail (bad sig); from=xxx.com; dkim=pass (ok)

My dkim settings are as follows:

/usr/sbin/dkim-filter \
  -u root \
  -p inet:10036@localhost -d xxx.com \
  -k /etc/mail/domainkeys/xxx.com.priv \
  -s sm -b s \
  -c simple \
  -S rsa-sha1 \
  -C bad=r,dns=t,int=t,no=a,miss=r \
  -h \
  -l \
  -D \
  -i /etc/mail/domainkeys/allowed-hosts \
  -P /var/run/dkim-filter0.pid

Sendmail.mc has:

INPUT_MAIL_FILTER(`dk-milter', `S=inet:10036@localhost')

and my received header includes:

X-DKIM: Sendmail DKIM Filter v2.2.1 admin001.xxx.com n7RM69hr004614
DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=xxx.com; s=sm;
  t=1251410772; bh=eysLlgSsWNRcmr0vbz36DTJcnFk=; h=X-DomainKeys:
  DomainKey-Signature:From:To:Subject; b=IgKChg+V8wvoWydVCMI3kMsUybf
  GdyS8Rjd25DI4nPlzQiccDkDzJ+dNhFyGrKeiv/jMUFhD58NlAgLnN1xpLgR8+8vTyo
  k071LEPCDmmrgHpo2mmOIw7MOpc+4F4dwXIuRVCbQWbfof6Qi8VqO9X+CDjQbxj6WL5
  /LIgxpmJHY=

As shown above, the Authentication-Results shows DKIM pass.

Does anybody know what I'm doing wrong?

</edg>
From: Don L. <dk...@th...> - 2009-06-09 17:42:34
SM wrote:
> Hi Don,
> At 08:31 09-06-2009, Don Levey wrote:
>> Here's the maillog extract for a message sent from my desktop at work,
>> that is not signed:
>>
>> Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094:
>> from=<do...@th...>, size=826, class=0, nrcpts=2,
>> msgid=<4A2...@th...>, proto=ESMTP, daemon=MTA2,
>> relay=gateway.example.com [nnn.nnn.nnn.nnn]
>
> The daemon name is MTA2. You can specify that mails to that daemon
> (-m) should be signed.
>
>> My MUA is Thunderbird; it's set to "Use TLS if available". I'm using
>> similar settings for Thunderbird at home, which *does* sign. Before I
>> had built the external network file and pointed to it using "-I" I was
>> getting the "external host attempted to send" errors in maillog; they
>> don't happen anymore.
>
> That's most likely the problem. Sendmail modifies the headers
> injected by Thunderbird and that invalidates the signature. Can you
> test with another mail client?
>
> ...
> There were several X- headers added by clamav-milter and SpamAssassin
> after the message was signed. Your smarthost (mr02.lnh.mail.rcn.net)
> also adds some X- headers. The only way around that is for you to
> sign specific headers only. See the -H option in the dk-filter manual.
>

That did it! The -m option got my external client to sign properly, and the -H option allowed the headers to be rewritten so that the signature will verify.

Thank you *very* much for your help and patience!

-Don
From: SM <sm...@re...> - 2009-06-09 17:28:58
At 08:57 09-06-2009, Don Levey wrote:
>I had thought, by the way, that the external file was the problem, so I
>removed it, set up the list of domains and pointed to it via -d and -D.
> No luck - but what you said got me thinking:

See my previous message.

>Our firewall here at work does indeed block port 25, but passes port 26,
>so I have sendmail listening on both ports. This may be a "Duh" moment,
>but I suppose I should tell either sendmail or dk-filter to explicitly
>process those messages too?

dk-filter has to identify which messages should be signed. You can tell it to sign all messages for the daemon on port 26.

Regards,
-sm
From: SM <sm...@re...> - 2009-06-09 17:25:08
Hi Don,

At 08:31 09-06-2009, Don Levey wrote:
>Here's the maillog extract for a message sent from my desktop at work,
>that is not signed:
>
>Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094:
>from=<do...@th...>, size=826, class=0, nrcpts=2,
>msgid=<4A2...@th...>, proto=ESMTP, daemon=MTA2,
>relay=gateway.example.com [nnn.nnn.nnn.nnn]

The daemon name is MTA2. You can specify that mails to that daemon (-m) should be signed.

>My MUA is Thunderbird; it's set to "Use TLS if available". I'm using
>similar settings for Thunderbird at home, which *does* sign. Before I
>had built the external network file and pointed to it using "-I" I was
>getting the "external host attempted to send" errors in maillog; they
>don't happen anymore.

That's most likely the problem. Sendmail modifies the headers injected by Thunderbird and that invalidates the signature. Can you test with another mail client?

>I've sent a message from my home LAN - I get the following results:
>
>DomainKeys Signature validation: fail (testing)
>DomainKeys Policy: "k=rsa; t=y;
>p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"
>
>DomainKeys Selector: dungeon
>"k=rsa; t=y;
>p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"
>
>They look the same to me, so clearly either I'm not looking at the right
>thing or there's more involved...
>
>Here is the header that is returned to me:
>
>Original message:
>Received: from smtp02.lnh.mail.rcn.net (smtp02.lnh.mail.rcn.net
>[207.172.157.102])
>        by ns1.qubic.net (8.14.4.Alpha0/8.14.4.Alpha0) with ESMTP
>        id n59FQ5OC021623
>        for <aut...@dk...>; Tue, 9 Jun 2009
>        08:26:12 -0700 (PDT)
>Authentication-Results: ns1.qubic.net; sender-id=none
>header.from=do...@th...; spf=none smtp.mfrom=do...@th...
>Authentication-Results: ns1.qubic.net; domainkeys=fail (testing)
>header.from=do...@th...
>Received: from mr02.lnh.mail.rcn.net ([207.172.157.22])
>        by smtp02.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:26:05 -0400
>Received: from smtp01.lnh.mail.rcn.net (smtp01.lnh.mail.rcn.net
>[207.172.4.11])
>        by mr02.lnh.mail.rcn.net (MOS 3.10.5-GA)
>        with ESMTP id PYN25223;
>        Tue, 9 Jun 2009 11:25:08 -0400 (EDT)
>Received: from 209-6-81-65.c3-0.frm-ubr2.sbo-frm.ma.cable.rcn.com (HELO
>dungeon.the-leveys.us) ([209.6.81.65])
>        by smtp01.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:25:08 -0400
>Received: from dauphin.the-leveys.us ([192.168.1.100])
>        by dungeon.the-leveys.us (8.13.8/8.13.8) with ESMTP id n59FP0bY022254
>        for <aut...@dk...>; Tue, 9 Jun 2009 11:25:02 -0400
>DomainKey-Signature: a=rsa-sha1; s=dungeon; d=the-leveys.us; c=nofws; q=dns;
>        b=buTEXMDKuxczS+lsIBBUWHhDsp+duu9rlAWMpjfElFYIsZNkUvLs10m7JHYPaEWkM
>        LCObt5P9P85EFksY9b3m1STlNw6V3AjQATe/eQargXtho871zaRmaoMnfufJ65T
>Message-ID: <4A2...@th...>
>Date: Tue, 09 Jun 2009 11:25:00 -0400
>From: Don Levey <do...@th...>
>User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
>MIME-Version: 1.0
>To: aut...@dk...
>Subject: DK Test #21
>X-Enigmail-Version: 0.95.7
>OpenPGP: id=52ADF3CD;
>        url=http://www.the-leveys.us:6080/keys/don-dsakey.asc
>Content-Type: text/plain; charset=ISO-8859-1
>Content-Transfer-Encoding: 7bit
>X-Virus-Scanned: clamav-milter 0.95.1 at dungeon.the-leveys.us
>X-Virus-Status: Clean
>X-Spam-Status: No, score=-6.7 required=5.0 tests=ALL_TRUSTED,BAYES_00
>        autolearn=ham version=3.2.5
>X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
>        dungeon.the-leveys.us
>X-Junkmail-Status: score=10/50, host=mr02.lnh.mail.rcn.net
>X-Junkmail-SD-Raw: score=unknown,
>        refid=str=0001.0A010207.4A2E7F0C.01CC,ss=1,fgs=0,
>        ip=207.172.4.11,
>        so=2009-03-06 19:59:02,
>        dmn=5.7.1/2009-05-14,
>        mode=single engine
>X-Junkmail-IWF: false

There were several X- headers added by clamav-milter and SpamAssassin after the message was signed. Your smarthost (mr02.lnh.mail.rcn.net) also adds some X- headers. The only way around that is for you to sign specific headers only. See the -H option in the dk-filter manual.

Regards,
-sm
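Both SM's diagnosis here and Mike Markley's reply in the Ed Greenberg thread (X- headers added after signing break a DomainKeys signature; -H restricts the signature to a listed set of headers) come down to which headers the signer hashes. The added example below is not dk-milter's code and not from the list; it is a reduced model of that header selection, run over a constructed message: signed at submission, then handed an appended X-Virus-Scanned header as clamav-milter would. Two simplifications are labelled in the code: "nofws" canonicalisation is reduced to "drop all whitespace", and a SHA-1 digest stands in for the rsa-sha1 signature.

```python
# Added example, not dk-milter's own code: a reduced model of the data a
# DomainKeys signer hashes, showing why a header appended after signing breaks a
# signature with no h= list but not one that carries h= (dk-filter -H).
# Simplifications: canonicalisation is "nofws" reduced to "drop all whitespace",
# the SHA-1 digest stands in for the rsa-sha1 signature, the message is constructed.
import hashlib
import re


def split_headers(raw):
    """Return ([(name, value), ...], body); folded continuation lines are joined."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:          # continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers, body


def nofws(text):
    """Reduced nofws canonicalisation: remove every whitespace character."""
    return re.sub(r"\s+", "", text)


def signed_headers(headers, h_list):
    """Headers the signature covers.

    Headers above the DomainKey-Signature line are never signed. Without h=,
    every header below it is; with h=, only the named ones, so anything a
    later milter appends falls outside the signature.
    """
    names = [n.lower() for n, _ in headers]
    start = names.index("domainkey-signature") + 1 if "domainkey-signature" in names else 0
    below = headers[start:]
    if h_list is None:
        return below
    wanted = {n.strip().lower() for n in h_list.split(":")}
    return [(n, v) for n, v in below if n.lower() in wanted]


def signature_input(raw, h_list=None):
    """Canonical text that gets hashed: the selected headers, then the body."""
    headers, body = split_headers(raw)
    lines = [nofws(f"{n}:{v}") for n, v in signed_headers(headers, h_list)]
    lines.append(nofws(body))
    return "\r\n".join(lines)


def digest(raw, h_list=None):
    return hashlib.sha1(signature_input(raw, h_list).encode()).hexdigest()


def add_header(raw, name, value):
    """Append a header at the end of the header block, as a later milter does."""
    head, sep, body = raw.partition("\n\n")
    return f"{head}\n{name}: {value}{sep}{body}"


# Constructed message: signed at submission, then handled by other milters.
SIGNED = """\
DomainKey-Signature: a=rsa-sha1; s=dungeon; d=example.test; c=nofws; q=dns;
  b=PLACEHOLDER
Message-ID: <1@example.test>
From: Don <don@example.test>
To: autoresponder@example.test
Subject: DK Test

hello
"""
H_LIST = "Message-ID:From:To:Subject"
AFTER_SCAN = add_header(SIGNED, "X-Virus-Scanned", "clamav-milter 0.95.1 at mx.example.test")


def survives_added_header(h_list):
    """True when the digest taken at signing time still matches after the scan."""
    return digest(SIGNED, h_list) == digest(AFTER_SCAN, h_list)


if __name__ == "__main__":
    print("without h=:", survives_added_header(None))    # False
    print("with h=   :", survives_added_header(H_LIST))  # True
```

The same selection logic explains why the ordering of milters matters: a scanner that runs before the signer adds its headers above the DomainKey-Signature line, where they are never hashed, while one that runs after it appends below the line and changes the hashed data unless h= excludes it.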
From: Don L. <dk...@th...> - 2009-06-09 15:58:32
SM wrote:
> At 05:26 09-06-2009, Don Levey wrote:
>
>
>> What's interesting is that I'm not seeing the signature from mail sent
>> from my work desktop (outside my LAN), only internal machines. I would
>> imagine that this is a function of the external domain clients list.
>> I've got my company's domain in there (and, also, the FQDN of the
>> gateway machine), so I'm not sure what's up there.
>
> If you are submitting mail on the MSA port or you are using SMTP
> AUTH, the message will be domainkeys signed. Please post the log
> extract for a case where you are not seeing the signature.
>

I had thought, by the way, that the external file was the problem, so I removed it, set up the list of domains and pointed to it via -d and -D. No luck - but what you said got me thinking:

Our firewall here at work does indeed block port 25, but passes port 26, so I have sendmail listening on both ports. This may be a "Duh" moment, but I suppose I should tell either sendmail or dk-filter to explicitly process those messages too?

-Don
From: Don L. <dk...@th...> - 2009-06-09 15:32:17
SM wrote:
> At 05:26 09-06-2009, Don Levey wrote:
>> Authentication-Results: mta196.mail.sp2.yahoo.com from=the-leveys.us;
>> domainkeys=fail (bad sig); from=the-leveys.us; dkim=neutral (no sig)
>> Received: from 127.0.0.1 (EHLO smtp02.lnh.mail.rcn.net) (207.172.157.102)
>> by mta196.mail.sp2.yahoo.com with SMTP; Tue, 09 Jun 2009 04:00:59 -0700
>
> The domainkeys verification failed as the signature was bad. Are you
> using sendmail masquerading?
>

No, not explicitly - however, I am using HIDDENDOMAIN:

define(`HIDDENDOMAIN', `the-leveys.us')dnl

to avoid sending out my individual hostnames. However, disabling this line doesn't seem to affect the verification. The one MASQUERADE directive (MASQUERADE_AS) has been disabled for a while.

>> What's interesting is that I'm not seeing the signature from mail sent
>> from my work desktop (outside my LAN), only internal machines. I would
>> imagine that this is a function of the external domain clients list.
>> I've got my company's domain in there (and, also, the FQDN of the
>> gateway machine), so I'm not sure what's up there.
>
> If you are submitting mail on the MSA port or you are using SMTP
> AUTH, the message will be domainkeys signed. Please post the log
> extract for a case where you are not seeing the signature.
>

Here's the maillog extract for a message sent from my desktop at work, that is not signed:

Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094: from=<do...@th...>, size=826, class=0, nrcpts=2, msgid=<4A2...@th...>, proto=ESMTP, daemon=MTA2, relay=gateway.example.com [nnn.nnn.nnn.nnn]
Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95.1 at dungeon.the-leveys.us
Jun 9 11:18:45 dungeon sendmail[22094]: n59FIiTJ022094: Milter change (add): header: X-Virus-Status: Clean
Jun 9 11:18:45 dungeon spamd[2527]: spamd: connection from dungeon.the-leveys.us [127.0.0.1] at port 52020
Jun 9 11:18:45 dungeon spamd[2527]: spamd: processing message <4A2...@th...> for spamassassin:515
Jun 9 11:18:49 dungeon spamd[2527]: spamd: clean message (-4.9/5.0) for spamassassin:515 in 3.8 seconds, 1264 bytes.
Jun 9 11:18:49 dungeon spamd[2527]: spamd: result: . -4 - BAYES_00,WEIRD_PORT scantime=3.8,size=1264,user=spamassassin,uid=515,required_score=5.0,rhost=dungeon.the-leveys.us,raddr=127.0.0.1,rport=52020,mid=<4A2...@th...>,bayes=0.000000,autolearn=no
Jun 9 11:18:49 dungeon sendmail[22094]: n59FIiTJ022094: Milter add: header: X-Spam-Status: No, score=-4.9 required=5.0 tests=BAYES_00,WEIRD_PORT\n\tautolearn=no version=3.2.5
Jun 9 11:18:49 dungeon sendmail[22094]: n59FIiTJ022094: Milter add: header: X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on\n\tdungeon.the-leveys.us
Jun 9 11:18:49 dungeon spamd[3100]: prefork: child states: II
Jun 9 11:18:49 dungeon sendmail[22109]: n59FIiTJ022094: to=<vwi...@ya...>,<dl...@ex...>, ctladdr=<do...@th...> (500/500), delay=00:00:05, xdelay=00:00:00, mailer=relay, pri=150826, relay=smtp.mail.rcn.net. [207.172.4.99], dsn=2.0.0, stat=Sent (ok: Message 764369333 accepted)

My MUA is Thunderbird; it's set to "Use TLS if available". I'm using similar settings for Thunderbird at home, which *does* sign. Before I had built the external network file and pointed to it using "-I" I was getting the "external host attempted to send" errors in maillog; they don't happen anymore.

>> Be that as it may, now that I've reset the selector to "dungeon", why
>> isn't the signature seen as valid?
>
> The email headers or body may have been modified after they were
> domainkeys signed. There is an autoresponder listed at
> http://www.elandsys.com/resources/sendmail/domainkeys.html When you
> send a test message, you get a copy of the original message you sent
> in the reply. If you get a bad signature, post the original headers.
>

I've sent a message from my home LAN - I get the following results:

DomainKeys Signature validation: fail (testing)
DomainKeys Policy: "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"

DomainKeys Selector: dungeon
"k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"

They look the same to me, so clearly either I'm not looking at the right thing or there's more involved...

Here is the header that is returned to me:

Original message:
Received: from smtp02.lnh.mail.rcn.net (smtp02.lnh.mail.rcn.net [207.172.157.102])
        by ns1.qubic.net (8.14.4.Alpha0/8.14.4.Alpha0) with ESMTP
        id n59FQ5OC021623
        for <aut...@dk...>; Tue, 9 Jun 2009
        08:26:12 -0700 (PDT)
Authentication-Results: ns1.qubic.net; sender-id=none
        header.from=do...@th...; spf=none smtp.mfrom=do...@th...
Authentication-Results: ns1.qubic.net; domainkeys=fail (testing)
        header.from=do...@th...
Received: from mr02.lnh.mail.rcn.net ([207.172.157.22])
        by smtp02.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:26:05 -0400
Received: from smtp01.lnh.mail.rcn.net (smtp01.lnh.mail.rcn.net [207.172.4.11])
        by mr02.lnh.mail.rcn.net (MOS 3.10.5-GA)
        with ESMTP id PYN25223;
        Tue, 9 Jun 2009 11:25:08 -0400 (EDT)
Received: from 209-6-81-65.c3-0.frm-ubr2.sbo-frm.ma.cable.rcn.com (HELO dungeon.the-leveys.us) ([209.6.81.65])
        by smtp01.lnh.mail.rcn.net with ESMTP; 09 Jun 2009 11:25:08 -0400
Received: from dauphin.the-leveys.us ([192.168.1.100])
        by dungeon.the-leveys.us (8.13.8/8.13.8) with ESMTP id n59FP0bY022254
        for <aut...@dk...>; Tue, 9 Jun 2009 11:25:02 -0400
DomainKey-Signature: a=rsa-sha1; s=dungeon; d=the-leveys.us; c=nofws; q=dns;
        b=buTEXMDKuxczS+lsIBBUWHhDsp+duu9rlAWMpjfElFYIsZNkUvLs10m7JHYPaEWkM
        LCObt5P9P85EFksY9b3m1STlNw6V3AjQATe/eQargXtho871zaRmaoMnfufJ65T
Message-ID: <4A2...@th...>
Date: Tue, 09 Jun 2009 11:25:00 -0400
From: Don Levey <do...@th...>
User-Agent: Thunderbird 2.0.0.19 (X11/20090105)
MIME-Version: 1.0
To: aut...@dk...
Subject: DK Test #21
X-Enigmail-Version: 0.95.7
OpenPGP: id=52ADF3CD;
        url=http://www.the-leveys.us:6080/keys/don-dsakey.asc
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: clamav-milter 0.95.1 at dungeon.the-leveys.us
X-Virus-Status: Clean
X-Spam-Status: No, score=-6.7 required=5.0 tests=ALL_TRUSTED,BAYES_00
        autolearn=ham version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
        dungeon.the-leveys.us
X-Junkmail-Status: score=10/50, host=mr02.lnh.mail.rcn.net
X-Junkmail-SD-Raw: score=unknown,
        refid=str=0001.0A010207.4A2E7F0C.01CC,ss=1,fgs=0,
        ip=207.172.4.11,
        so=2009-03-06 19:59:02,
        dmn=5.7.1/2009-05-14,
        mode=single engine
X-Junkmail-IWF: false

-Don
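Two posts on this page turn on the public key published in a selector's TXT record: the "dungeon" record quoted in Don Levey's exchange above, and the dk-filter failure in Ashish Sharma's post (dk_eom(): d2i_PUBKEY_bio() failed, ASN1_D2I_READ_BIO:not enough data), which is OpenSSL refusing to parse a p= value. One condition that produces exactly that OpenSSL error is a p= whose DER bytes are shorter than its own length fields claim. The added example below is not dk-milter's code and not from the list; it is a minimal DER walk over a record's p= value that reports the key size and exponent for a well-formed SubjectPublicKeyInfo and names the "not enough data" case for a truncated one. DUNGEON_RECORD is the record quoted above; TRUNCATED_RECORD is a constructed failure case made by cutting the tail off that p= value.

```python
# Added example, not dk-milter's or the list's own code: a minimal DER walk over
# the p= value of a DomainKeys/DKIM selector record. DUNGEON_RECORD is the record
# quoted in the thread; TRUNCATED_RECORD is a constructed failure case.
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


class DerError(ValueError):
    """Raised when the p= bytes are not the DER structure a verifier expects."""


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise DerError("not enough data for tag and length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise DerError("not enough data: value runs past the end of the input")
    return tag, buf[pos:pos + length], pos + length


def parse_txt_record(record):
    """Split 'k=rsa; t=y; p=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def inspect_public_key(record):
    """Return (modulus_bits, public_exponent) for the RSA key in a selector record."""
    tags = parse_txt_record(record)
    if "p" not in tags:
        raise DerError("record has no p= tag")
    der = base64.b64decode(tags["p"])
    tag, spki, end = read_tlv(der, 0)                  # SubjectPublicKeyInfo
    if tag != 0x30 or end != len(der):
        raise DerError("p= is not a single SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)                  # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise DerError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, pos)                 # BIT STRING around RSAPublicKey
    if tag != 0x03 or bits[:1] != b"\x00":
        raise DerError("malformed subjectPublicKey")
    _, rsa, _ = read_tlv(bits, 1)
    mtag, modulus, pos = read_tlv(rsa, 0)
    etag, exponent, _ = read_tlv(rsa, pos)
    if mtag != 0x02 or etag != 0x02:
        raise DerError("RSAPublicKey integers missing")
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


DUNGEON_RECORD = "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAPfKGBbWizfKJh5Yyu//HR7L04wbpoYsR8aAqM5uvL1Xz0LnJZUWZKfF9eif27PM0UpYucwcTMy1Lx8ljWDuxq9ov6S0lbve246AZi4R7TNEVxrLef5R2jZlYbw3X8H5aQIDAQAB"
TRUNCATED_RECORD = DUNGEON_RECORD[:-24]   # constructed: tail of the p= value cut off


def check_record(record):
    """One-line verdict, so the check can be run over a list of selector records."""
    try:
        bits, e = inspect_public_key(record)
        return f"ok {bits}-bit rsa, e={e}"
    except ValueError as exc:                          # DerError, or base64's binascii.Error
        return f"error: {exc}"


if __name__ == "__main__":
    print(check_record(DUNGEON_RECORD))     # ok 768-bit rsa, e=65537
    print(check_record(TRUNCATED_RECORD))   # error: not enough data: ...
```

The key size the walk reports is worth acting on as well: the quoted record carries a 768-bit modulus, and RFC 8301 has DKIM verifiers treat keys shorter than 1024 bits as unusable, so a record that parses cleanly can still fail verification at receivers that follow it.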
From: SM <sm...@re...> - 2009-06-09 14:56:10
At 05:26 09-06-2009, Don Levey wrote:
>Authentication-Results: mta196.mail.sp2.yahoo.com from=the-leveys.us;
>domainkeys=fail (bad sig); from=the-leveys.us; dkim=neutral (no sig)
>Received: from 127.0.0.1 (EHLO smtp02.lnh.mail.rcn.net) (207.172.157.102)
>  by mta196.mail.sp2.yahoo.com with SMTP; Tue, 09 Jun 2009 04:00:59 -0700

The domainkeys verification failed as the signature was bad. Are you using sendmail masquerading?

>What's interesting is that I'm not seeing the signature from mail sent
>from my work desktop (outside my LAN), only internal machines. I would
>imagine that this is a function of the external domain clients list.
>I've got my company's domain in there (and, also, the FQDN of the
>gateway machine), so I'm not sure what's up there.

If you are submitting mail on the MSA port or you are using SMTP AUTH, the message will be domainkeys signed. Please post the log extract for a case where you are not seeing the signature.

>Be that as it may, now that I've reset the selector to "dungeon", why
>isn't the signature seen as valid?

The email headers or body may have been modified after they were domainkeys signed. There is an autoresponder listed at http://www.elandsys.com/resources/sendmail/domainkeys.html When you send a test message, you get a copy of the original message you sent in the reply. If you get a bad signature, post the original headers.

Regards,
-sm
From: Don L. <dk...@th...> - 2009-06-09 12:54:13
SM wrote:
> At 17:56 08-06-2009, Don Levey wrote:
>> it, and the header lines seem to be added now. Of course, I'm not sure
>> what the next problem is; I sent a test-message to Yahoo and see the
>> following in their header:
>>
>> Authentication-Results: mta475.mail.mud.yahoo.com from=the-leveys.us;
>> domainkeys=permerror (no key); from=the-leveys.us; dkim=neutral (no sig)
>> Received: from 207.172.157.102 (EHLO smtp02.lnh.mail.rcn.net)
>> (207.172.157.102)
>> by mta475.mail.mud.yahoo.com with SMTP; Mon, 08 Jun 2009 17:46:29 -0700
>
> The domainkeys error says "no key".
>
>> Here's the header line it adds:
>> DomainKey-Signature: a=rsa-sha1; s=mail; d=the-leveys.us; c=nofws;
>> q=dns; b=NB+2z8hli2A/oyfWzN8zNEi1aWgGsf+kK3/j4dGoZiiGUnGqTJAltZ2wajSVisD0C
>> OLrZsKK92fyLUcwIoNRWxpQQn3MnbyRV6z5Zbdff74s7OJBLNg+E4aLXedVUAWc
>>
>> (there are wrapping problems here).
>>
>> I am perhaps unclear on the concept - if I'm smart-hosting through my
>> ISP, I should still be able to do this, no? Assuming that I can, I have
>> three separate TXT records in DNS:
>>
>> dungeon.the-leveys.us (my mail server)
>> _domainkey.the-leveys.us ) based upon the blog post
>> dungeon._domainkey.the-leveys.us ) referenced previously
>
> Your selector is at "dungeon". According to your DomainKey
> signature, it's at "mail". Create a DNS TXT RR at
> dungeon._domainkey.the-leveys.us for Domainkeys or set the selector
> to "dungeon" when you sign the message with dk-milter.
>

OK, I changed the "-s" parameter, but I still get the same message:

Authentication-Results: mta196.mail.sp2.yahoo.com from=the-leveys.us;
  domainkeys=fail (bad sig); from=the-leveys.us; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO smtp02.lnh.mail.rcn.net) (207.172.157.102)
  by mta196.mail.sp2.yahoo.com with SMTP; Tue, 09 Jun 2009 04:00:59 -0700
...
DomainKey-Signature: a=rsa-sha1; s=dungeon; d=the-leveys.us; c=nofws; q=dns;
  b=8uVLqanp3Ptv9K4fW7fy1PDRGMoxnOOOYMjXtPYhPyr/QfNgFqBhe2iNDOFq74a4v
  f2zCmAjmWHjHp0ZQiCd/CskvxtMYblKUepUkqUMeJzSrJhoA+RlrtWpOJ8RJhrd

What's interesting is that I'm not seeing the signature from mail sent from my work desktop (outside my LAN), only internal machines. I would imagine that this is a function of the external domain clients list. I've got my company's domain in there (and, also, the FQDN of the gateway machine), so I'm not sure what's up there.

Be that as it may, now that I've reset the selector to "dungeon", why isn't the signature seen as valid?

Thank you for your help,
-Don
From: SM <sm...@re...> - 2009-06-09 05:18:03
At 17:56 08-06-2009, Don Levey wrote:
>it, and the header lines seem to be added now. Of course, I'm not sure
>what the next problem is; I sent a test-message to Yahoo and see the
>following in their header:
>
>Authentication-Results: mta475.mail.mud.yahoo.com from=the-leveys.us;
>domainkeys=permerror (no key); from=the-leveys.us; dkim=neutral (no sig)
>Received: from 207.172.157.102 (EHLO smtp02.lnh.mail.rcn.net)
>(207.172.157.102)
>  by mta475.mail.mud.yahoo.com with SMTP; Mon, 08 Jun 2009 17:46:29 -0700

The domainkeys error says "no key".

>Here's the header line it adds:
>DomainKey-Signature: a=rsa-sha1; s=mail; d=the-leveys.us; c=nofws;
>q=dns; b=NB+2z8hli2A/oyfWzN8zNEi1aWgGsf+kK3/j4dGoZiiGUnGqTJAltZ2wajSVisD0C
>  OLrZsKK92fyLUcwIoNRWxpQQn3MnbyRV6z5Zbdff74s7OJBLNg+E4aLXedVUAWc
>
>(there are wrapping problems here).
>
>I am perhaps unclear on the concept - if I'm smart-hosting through my
>ISP, I should still be able to do this, no? Assuming that I can, I have
>three separate TXT records in DNS:
>
>dungeon.the-leveys.us (my mail server)
>_domainkey.the-leveys.us ) based upon the blog post
>dungeon._domainkey.the-leveys.us ) referenced previously

Your selector is at "dungeon". According to your DomainKey signature, it's at "mail". Create a DNS TXT RR at dungeon._domainkey.the-leveys.us for Domainkeys or set the selector to "dungeon" when you sign the message with dk-milter.

Regards,
-sm
From: Don L. <dk...@th...> - 2009-06-09 00:58:02
|
SM wrote:
> At 12:53 08-06-2009, Don Levey wrote:
>> I followed the instructions on the blog post referenced above, saslauthd
>> is running, and yet I'm not getting anything in my headers to indicate
>> that I'm signing the messages. Clearly I've missed something; does
>> anyone have any suggestions on where to look? Are there log files I'm
>> not seeing which could help?
>
> Read the mail log and verify whether the message submitted used SMTP
> AUTH. You can use the -m MSA switch where MSA is name of the daemon
> for the submission port.
>

That seems to be the problem. My sendmail.mc file didn't contain this line:

DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

because I was getting a port conflict for some reason. I just re-enabled it, and the header lines seem to be added now. Of course, I'm not sure what the next problem is; I sent a test-message to Yahoo and see the following in their header:

Authentication-Results: mta475.mail.mud.yahoo.com from=the-leveys.us;
domainkeys=permerror (no key); from=the-leveys.us; dkim=neutral (no sig)
Received: from 207.172.157.102 (EHLO smtp02.lnh.mail.rcn.net)
(207.172.157.102)
by mta475.mail.mud.yahoo.com with SMTP; Mon, 08 Jun 2009 17:46:29 -0700

Here's the header line it adds:

DomainKey-Signature: a=rsa-sha1; s=mail; d=the-leveys.us; c=nofws;
q=dns; b=NB+2z8hli2A/oyfWzN8zNEi1aWgGsf+kK3/j4dGoZiiGUnGqTJAltZ2wajSVisD0C
 OLrZsKK92fyLUcwIoNRWxpQQn3MnbyRV6z5Zbdff74s7OJBLNg+E4aLXedVUAWc

(there are wrapping problems here).

I am perhaps unclear on the concept - if I'm smart-hosting through my ISP, I should still be able to do this, no? Assuming that I can, I have three separate TXT records in DNS:

dungeon.the-leveys.us (my mail server)
_domainkey.the-leveys.us ) based upon the blog post
dungeon._domainkey.the-leveys.us ) referenced previously

Have I messed this up?

Thanks again,
-Don Levey |
From: SM <sm...@re...> - 2009-06-08 21:59:06
|
At 12:53 08-06-2009, Don Levey wrote:
>I followed the instructions on the blog post referenced above, saslauthd
>is running, and yet I'm not getting anything in my headers to indicate
>that I'm signing the messages. Clearly I've missed something; does
>anyone have any suggestions on where to look? Are there log files I'm
>not seeing which could help?

Read the mail log and verify whether the message submitted used SMTP AUTH. You can use the -m MSA switch where MSA is the name of the daemon for the submission port.

Regards,
-sm |
From: Don L. <dk...@th...> - 2009-06-08 20:23:29
|
I hope I am not asking a common question; I've not yet found anything which quite addresses the issue I'm seeing.

With an eye toward more proper identification of my mail server to the outside world, I thought to start implementing Domain Keys. To that end, I read up on the subject (for example, http://www.jkurtzman.com/blog/2008/06/setting-up-domainkeys-on-centos) and then got to work.

First, the basic info:

CentOS 5.3
Sendmail 8.13.8-2.el5
dk-milter 1.0.0
saslauthd 2.1.22 with: getpwent kerberos5 pam rimap shadow ldap

I followed the instructions on the blog post referenced above, saslauthd is running, and yet I'm not getting anything in my headers to indicate that I'm signing the messages. Clearly I've missed something; does anyone have any suggestions on where to look? Are there log files I'm not seeing which could help?

Thank you, in advance,
-Don Levey |
From: Greig D. <g.d...@gl...> - 2009-05-20 12:42:14
|
Thanks. I am going to see how it goes upgrading the version and not updating the keys to see if that helps.

SM wrote:
> At 08:50 19-05-2009, Greig Daines wrote:
>
>> We are running Postfix with dkim-filter and dk-filter (v 1.0.1).
>
> The latest version of dk-filter is 1.0.2.
>
>> We send mail for multiple domains and each domain has a different
>> private key (each stored within its own file). The files are generated
>> from a database every 15 minutes.
>
> Are you generating the private key every 15 minutes?
>
>> The following shell script runs every 15 mins to restart the filters
>> (and Postfix too, but I've removed that bit):
>
> dkim-filter can read the configuration without having to do a full restart.
>
>> This seems to work and I can see dkim-filter and dk-milter running, but
>> messages sometimes fail and I see the following in my Postfix logs:
>>
>> May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA: dk_getsig():
>> resource unavailable: PEM_read_bio_PrivateKey() failed
>> May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA SSL
>> error:0906D066:PEM routines:PEM_read_bio:bad end line
>
> Verify the private key file.
>
>> From some quick searches I see that the error is coming from OpenSSL
>> rather than dk-filter itself and is something to do with reading the
>> private keys. I suspect it has something to do with the fact our
>> private keys are being updated (although this is nearly always with
>> exactly the same content as the key would rarely, if ever, change) and
>> the restarting of the services.
>
> The error is OpenSSL related. It has to do with reading the private key.
>
>> I don't normally post to lists as I try hard to resolve these things by
>> myself, but I am kind of stuck now. My questions really are:
>>
>> 1. Any ideas why I am getting these errors and why sometimes it works
>> sometimes it doesn't?
>
> Try not updating the private key like you do and see whether you
> still get these errors.
>
>> 2. Do I need to be restarting the filters every time the keys/files are
>> updated with new domains or will they pick them up automatically?
>
> You have to restart dk-filter. For dkim-filter, you don't need a full restart.
>
>> 3. Do the filters need to be restarted when Postfix is restarted?
>
> No.
>
>> Finally, sorry for the long email!
>
> You are excused. :-)
>
> Regards,
> -sm |
From: SM <sm...@re...> - 2009-05-19 18:30:12
|
At 08:50 19-05-2009, Greig Daines wrote:
>We are running Postfix with dkim-filter and dk-filter (v 1.0.1).

The latest version of dk-filter is 1.0.2.

>We send mail for multiple domains and each domain has a different
>private key (each stored within its own file). The files are generated
>from a database every 15 minutes.

Are you generating the private key every 15 minutes?

>The following shell script runs every 15 mins to restart the filters
>(and Postfix too, but I've removed that bit):

dkim-filter can read the configuration without having to do a full restart.

>This seems to work and I can see dkim-filter and dk-milter running, but
>messages sometimes fail and I see the following in my Postfix logs:
>
>May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA: dk_getsig():
>resource unavailable: PEM_read_bio_PrivateKey() failed
>May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA SSL
>error:0906D066:PEM routines:PEM_read_bio:bad end line

Verify the private key file.

>From some quick searches I see that the error is coming from OpenSSL
>rather than dk-filter itself and is something to do with reading the
>private keys. I suspect it has something to do with the fact our
>private keys are being updated (although this is nearly always with
>exactly the same content as the key would rarely, if ever, change) and
>the restarting of the services.

The error is OpenSSL related. It has to do with reading the private key.

>I don't normally post to lists as I try hard to resolve these things by
>myself, but I am kind of stuck now. My questions really are:
>
>1. Any ideas why I am getting these errors and why sometimes it works
>sometimes it doesn't?

Try not updating the private key like you do and see whether you still get these errors.

>2. Do I need to be restarting the filters every time the keys/files are
>updated with new domains or will they pick them up automatically?

You have to restart dk-filter. For dkim-filter, you don't need a full restart.

>3. Do the filters need to be restarted when Postfix is restarted?

No.

>Finally, sorry for the long email!

You are excused. :-)

Regards,
-sm |
From: Greig D. <g.d...@gl...> - 2009-05-19 16:07:39
|
Hi,

We are running Postfix with dkim-filter and dk-filter (v 1.0.1). Both run on INET ports (8891 & 8892 respectively).

We send mail for multiple domains and each domain has a different private key (each stored within its own file). The files are generated from a database every 15 minutes.

The following shell script runs every 15 mins to restart the filters (and Postfix too, but I've removed that bit):

#!/bin/sh
killall dk-filter
killall dkim-filter
sleep 15
/usr/sbin/dkim-filter -x /etc/dkim.conf
/usr/bin/dk-filter -l -H -k -p inet:8892@localhost -c nofws -b s -u dkim -d /mailfiles/dkim/authdomains -s /mailfiles/dkim/keylist-dk -i /etc/dkim-hosts

This seems to work and I can see dkim-filter and dk-milter running, but messages sometimes fail and I see the following in my Postfix logs:

May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA: dk_getsig(): resource unavailable: PEM_read_bio_PrivateKey() failed
May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA SSL error:0906D066:PEM routines:PEM_read_bio:bad end line

Restarting the dk-filter sometimes fixes the problem and the message will send, but other times multiple restarts (of dk-filter) are needed before it goes through.

From some quick searches I see that the error is coming from OpenSSL rather than dk-filter itself and is something to do with reading the private keys. I suspect it has something to do with the fact our private keys are being updated (although this is nearly always with exactly the same content as the key would rarely, if ever, change) and the restarting of the services. The dkim-filter has no problems and it reads the same private key files.

I don't normally post to lists as I try hard to resolve these things by myself, but I am kind of stuck now. My questions really are:

1. Any ideas why I am getting these errors and why sometimes it works, sometimes it doesn't?
2. Do I need to be restarting the filters every time the keys/files are updated with new domains or will they pick them up automatically?
3. Do the filters need to be restarted when Postfix is restarted?

Finally, sorry for the long email! |
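The "bad end line" error from PEM_read_bio is what OpenSSL reports when it reaches the end of a key file without finding the END marker, which is what a reader sees if it opens a file the regeneration job is still writing. The following is an added example (not Greig's script or either filter's code) of installing a regenerated key so that a concurrent reader never sees a partial file, and skipping the rewrite entirely when the key is unchanged; it assumes the job currently rewrites each key file in place.

```python
import os
import tempfile

# Added example (not Greig's script): install a regenerated private key
# atomically and only when it changed, so a filter reading the file mid-write
# never sees a truncated PEM ("bad end line"). Assumes the regeneration job
# currently rewrites each key file in place.

PEM_BEGIN, PEM_END = "-----BEGIN ", "-----END "

def pem_is_complete(text: str) -> bool:
    """True only if there is a BEGIN line and a matching END line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return False
    first, last = lines[0], lines[-1]
    if not (first.startswith(PEM_BEGIN) and first.endswith("-----")):
        return False
    if not (last.startswith(PEM_END) and last.endswith("-----")):
        return False
    return first[len(PEM_BEGIN):] == last[len(PEM_END):]

def install_key(path: str, new_pem: str) -> str:
    """Write to a temp file beside `path`, fsync, then rename over it."""
    if not pem_is_complete(new_pem):
        raise ValueError("refusing to install an incomplete PEM file")
    if os.path.exists(path):
        with open(path) as f:
            if f.read() == new_pem:
                return "unchanged"       # same key: nothing to do, no restart
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".key.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_pem)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)             # private key: owner-only
        os.replace(tmp, path)            # atomic: readers see old or new, never partial
    except BaseException:
        os.unlink(tmp)
        raise
    return "replaced"

# Constructed sample: the key body is a placeholder, not real key material.
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nUExBQ0VIT0xERVI=\n"
              "-----END RSA PRIVATE KEY-----\n")

def demo_roundtrip() -> tuple:
    path = os.path.join(tempfile.mkdtemp(), "example.com.key")
    return install_key(path, SAMPLE_PEM), install_key(path, SAMPLE_PEM)
```

With unchanged keys never rewritten, the only time dk-filter needs the restart SM mentions is when a new domain's key file actually appears.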
From: RPN <ken...@do...> - 2009-05-18 15:02:47
|
--- ms...@se... wrote:

From: "Murray S. Kucherawy" <ms...@se...>
To: ken...@do..., General discussion and usage issues <dk-...@li...>
Subject: Re: DK-milter 1.0.2 and yahoogroups.com
Date: Mon, 18 May 2009 07:55:52 -0700 (PDT)

Thanks to you and Jim for taking the time to reply and to you in particular for the detailed answers. It is appreciated.

On Mon, 18 May 2009, RPN wrote:
> I do have two more related questions.

(SNIP) |
From: Murray S. K. <ms...@se...> - 2009-05-18 14:55:59
|
On Mon, 18 May 2009, RPN wrote:
> I do have two more related questions.
>
> When I start dk-milter, I use the -H option to indicate which headers to
> include in the check. If yahoogroups.com had done that, would it have
> prevented this? If so, would it not be an option that could be "on" by
> default to avoid these problems? It might add a little more overhead,
> but it might work better with less failures for legitimate mail.

It depends on what the modifications are that break the signature. If it's the addition of headers below the position of the signature, then yes, adding the header list in the signature would certainly help. A change to an existing header or to the body would still be an issue.

> Is there any way of configuring dk-milter so that it adds why there was
> a failure to the header? A simple "domainkeys=fail" leaves a lot to be
> desired when trying to figure out where the problem is.

No, because there's no way to reconstruct the block of data the signing agent saw for comparison.

At the signer, the program takes the message as input, generates a hash of the input, and then encrypts the hash with the private key. The output of that is the signature that then gets placed on the message prior to transit.

At the verifier, the very same process is done except that the hash, the signature and the public key (retrieved from DNS) are fed to a single algorithm. The question asked of the algorithm is "Do these all line up?" and the answer that comes out is either a "yes" or a "no". Since the hash is just a blob of data of fixed size, there's no way to backtrack from that point to figure out what went wrong.

With DKIM, at least, it's possible to discern whether the body or header was modified because they are hashed separately. DKIM also has the ability to include a copy of the original header for comparison; that way, one can determine which header fields were modified and how. |
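Murray's first answer (a signed header list helps only against headers added below the signature, not against body edits) is easy to see with a small model. The following is an added toy example, not dk-milter code: it builds the "nofws" input with and without an h= list (what dk-milter's -H option adds) and checks whether the digest made at the signer still matches after a constructed relay appends a header or a body footer. The RSA step is replaced by a plain SHA-1 digest as a labelled stand-in, since only the hashed input matters for this question.

```python
import hashlib

# Added toy model (not dk-milter code): why a relay that appends headers
# breaks a DomainKeys signature unless the signed header list (h=) is used,
# while a body edit breaks it either way. The RSA step is replaced by a
# plain SHA-1 digest (labelled stand-in); only the hashed input matters here.

def canon_nofws(text: str) -> str:
    """'nofws' canonicalisation: drop all whitespace on every line."""
    return "\n".join("".join(line.split()) for line in text.split("\n"))

def signed_input(headers, body, h_list=None) -> str:
    """headers: (name, value) pairs in message order, all of them sitting
    below the signature. With h_list only the listed names (first match,
    in h= order) are hashed; without it, every header is."""
    if h_list is None:
        chosen = list(headers)
    else:
        chosen = []
        for name in h_list:
            for hn, hv in headers:
                if hn.lower() == name.lower():
                    chosen.append((hn, hv))
                    break
    header_text = "\n".join(f"{n}:{v}" for n, v in chosen)
    return canon_nofws(header_text + "\n\n" + body)

def digest(headers, body, h_list=None) -> str:
    return hashlib.sha1(signed_input(headers, body, h_list).encode()).hexdigest()

# Constructed message as it left the signer.
ORIG_HEADERS = [("From", "don@example.org"), ("To", "group@example.net"),
                ("Subject", "test")]
ORIG_BODY = "hello\n"
H_LIST = ["From", "To", "Subject"]

def relay_adds_header(headers):
    """A list relay appending a header below the signature (constructed)."""
    return headers + [("List-Id", "<group.example.net>")]

def relay_adds_footer(body):
    """A list relay appending a footer to the body (constructed)."""
    return body + "-- unsubscribe at https://example.net/leave\n"

def survives(h_list, change_headers=lambda h: h, change_body=lambda b: b) -> bool:
    """Does the digest made at the signer still match after the change?"""
    at_signer = digest(ORIG_HEADERS, ORIG_BODY, h_list)
    at_verifier = digest(change_headers(ORIG_HEADERS), change_body(ORIG_BODY), h_list)
    return at_signer == at_verifier
```

Because the verifier only learns whether the two digests agree, none of the failing cases can say which part changed; that is the limitation Murray describes and the reason DKIM hashes the body separately.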
From: Murray S. K. <ms...@se...> - 2009-05-18 07:01:51
|
On Sun, 17 May 2009, RPN wrote:
> I also assume since all the “dig” responses from domains that I can
> verify mail from do not have the key split in two parts, that this is the
> source of the problem.

No, the key is reassembled (via simple concatenation) by the DK library.

> Can anyone verify that and offer a solution? Is it inherent in 1.02 or
> have I configured something wrong? Is the problem something else?

As someone else mentioned, Yahoo! Groups modifies the message as it gets relayed (by adding headers or a message footer or something of the kind), which invalidates the signature. It doesn't re-sign the message after modification. This guarantees a failure.

You're right, this has been a known issue for some time. |