From: Jim P. <ji...@ya...> - 2006-09-25 21:40:37
|
(repost, this time to the list instead of dk-milter-discuss-bounces. :-) ) I have a dk-milter system that also has a local account used to generate system status alerts. Emails are delivered locally to sendmail which masqs the local internal domain and rewrites the true domain. dk-milter doesn't sign these messages even though the true domain is listed as a signing domain. If I add the local internal domain, to the signed domains list, the signed emails fail due to bad sig. Also, the internal domain is not a sub domain of the true domain. Is there anything I can do to dk-milter or sendmail so that locally generated emails, on the dk-milter host, will be signed? Tia, -Jim P. |
From: SM <sm...@re...> - 2006-09-26 05:44:28
|
Hi Jim, At 14:40 25-09-2006, Jim Popovitch wrote: >I have a dk-milter system that also has a local account used to generate >system status alerts. Emails are delivered locally to sendmail which >masqs the local internal domain and rewrites the true domain. dk-milter >doesn't sign these messages even though the true domain is listed as a DK-milter sees the headers before the masquerading is performed. The local internal domain is not listed as a signing domain here. >signing domain. If I add the local internal domain, to the signed >domains list, the signed emails fail due to bad sig. Also, the internal >domain is not a sub domain of the true domain. The headers are rewritten by sendmail after the email was signed by dk-milter. That is why the signature verification fails. >Is there anything I can do to dk-milter or sendmail so that locally >generated emails, on the dk-milter host, will be signed? That would require two sendmail instances, one to do the masquerading and the other one the signing. The masquerading instance should use the sendmail running DK-milter in signing mode as a smarthost. Regards, -sm |
From: Jim P. <ji...@ya...> - 2006-09-26 06:07:31
|
On Mon, 2006-09-25 at 22:43 -0700, SM wrote: > That would require two sendmail instances, one to do the masquerading > and the other one the signing. The masquerading instance should use > the sendmail running DK-milter in signing mode as a smarthost. Thank you SM. -Jim P. |
From: Jim P. <ji...@ya...> - 2006-09-26 22:16:07
|
On Mon, 2006-09-25 at 22:43 -0700, SM wrote: > That would require two sendmail instances, one to do the masquerading > and the other one the signing. The masquerading instance should use > the sendmail running DK-milter in signing mode as a smarthost. I tested this today and it looks like it is a greater pain to setup than it is worth. This system already has an inbound MX (postfix) that handles virtual domains for Mailman, as well as a second MTA (sendmail) for outbound delivery from Mailman. I simply refuse, due to common sense, to setup a 3rd MTA on the same box just to sign emails. Why is DK'ing so complex and difficult? Why can't dk-filter work on the outbound side of an MTA and only sign emails based on the final headers of the email? -Jim P. |
From: SM <sm...@re...> - 2006-09-27 04:08:05
|
Hi Jim, At 15:16 26-09-2006, Jim Popovitch wrote: >On Mon, 2006-09-25 at 22:43 -0700, SM wrote: >sense, to setup a 3rd MTA on the same box just to sign emails. Why is >DK'ing so complex and difficult? Why can't dk-filter work on the >outbound side of an MTA and only sign emails based on the final headers >of the email? Because dk-filter is a milter and it only sees what sendmail sends it. You could set the correct sender's address when injecting the mail to skip the masquerading. See the -f parameter in the sendmail manual. Regards, -sm |
From: Jim P. <ji...@ya...> - 2006-09-27 04:14:45
|
On Tue, 2006-09-26 at 21:07 -0700, SM wrote: > Hi Jim, > At 15:16 26-09-2006, Jim Popovitch wrote: > >On Mon, 2006-09-25 at 22:43 -0700, SM wrote: > >sense, to setup a 3rd MTA on the same box just to sign emails. Why is > >DK'ing so complex and difficult? Why can't dk-filter work on the > >outbound side of an MTA and only sign emails based on the final headers > >of the email? > > Because dk-filter is a milter and it only sees what sendmail sends it. > > You could set the correct sender's address when injecting the mail to > skip the masquerading. See the -f parameter in the sendmail manual. I did try using -f, but that adds another header to sendmail which I think (not sure) breaks dk as tests then started reporting bad sig. I'm about ready to give up on dk as nobody seems to be using it seriously (i.e. non-test mode) and everybody accepts email from you as long as you have dk DNS entries regardless of whether the emails are signed (shame on them). -Jim P. |
From: Ben L. <BL...@ch...> - 2006-09-26 23:11:48
|
On Mon, 2006-09-25 at 22:43 -0700, SM wrote: >> That would require two sendmail instances, one to do the masquerading >> and the other one the signing. The masquerading instance should use >> the sendmail running DK-milter in signing mode as a smarthost. >> > > I tested this today and it looks like it is a greater pain to setup than > it is worth. This system already has an inbound MX (postfix) that > handles virtual domains for Mailman, as well as a second MTA (sendmail) > for outbound delivery from Mailman. I simply refuse, due to common > sense, to setup a 3rd MTA on the same box just to sign emails. Why is > DK'ing so complex and difficult? Why can't dk-filter work on the > outbound side of an MTA and only sign emails based on the final headers > of the email? > > -Jim P. > Third MTA? > > ------------------------------------------------------------------------- > Take Surveys. Earn Cash. Influence the Future of IT > Join SourceForge.net's Techsay panel and you'll get the chance to share your > opinions on IT & business topics through brief surveys -- and earn cash > http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV > _______________________________________________ > dk-milter-discuss mailing list > dk-...@li... > https://lists.sourceforge.net/lists/listinfo/dk-milter-discuss > |
From: Jim P. <ji...@ya...> - 2006-09-26 23:21:13
|
On Tue, 2006-09-26 at 19:10 -0400, Ben Lentz wrote: > On Mon, 2006-09-25 at 22:43 -0700, SM wrote: > >> That would require two sendmail instances, one to do the masquerading > >> and the other one the signing. The masquerading instance should use > >> the sendmail running DK-milter in signing mode as a smarthost. > >> > > > > I tested this today and it looks like it is a greater pain to setup than > > it is worth. This system already has an inbound MX (postfix) that > > handles virtual domains for Mailman, as well as a second MTA (sendmail) > > for outbound delivery from Mailman. I simply refuse, due to common > > sense, to setup a 3rd MTA on the same box just to sign emails. Why is > > DK'ing so complex and difficult? Why can't dk-filter work on the > > outbound side of an MTA and only sign emails based on the final headers > > of the email? > > > > -Jim P. > > > Third MTA? Yes, a third. I was recommended to me that in order to sign emails, originating from the local host (using an internal domain name), that there needed to be an intermediate MTA to masq the internal domain into an external domain before the locally generated email could be passed to the MTA that does the signing. Since my 1st MTA is the inbound MX (spam filtering/greylisting/virtualization/etc), I don't want it to deal with local emails when their already is a 2nd MTA specifically for outbound external delivery. However if the emails sent to the 2nd MTA need masquerading, then it causes dk-milter/filter to sign the wrong headers (because it looks at the incoming headers not the outgoing) thus the need for an intermediate masquerading MTA somewhere in the middle. Yuck! When you sign a bank check, do you fill it out properly first and then sign it or do you sign it first then properly populate all the "headers"? :-) (i couldn't resist) -Jim P. |
From: Murray S. K. <ms...@se...> - 2006-10-05 19:07:56
|
Just back from vacation, so sorry for the delay... Jim Popovitch wrote: > I have a dk-milter system that also has a local account used to generate > system status alerts. Emails are delivered locally to sendmail which > masqs the local internal domain and rewrites the true domain. dk-milter > doesn't sign these messages even though the true domain is listed as a > signing domain. If I add the local internal domain, to the signed > domains list, the signed emails fail due to bad sig. Also, the internal > domain is not a sub domain of the true domain. > > Is there anything I can do to dk-milter or sendmail so that locally > generated emails, on the dk-milter host, will be signed? The issue is that milter, which is the protocol by which the MTA talks to dk-filter, is applied prior to the masquerading. Thus, the From: header is signed as injected, then sendmail rewrites it to use your masquerade domain, which immediately invalidates the signature. You basically have two options: (1) arrange that the alert generator writes its e-mails with a From: header such that sendmail won't rewrite it (i.e. with the masqueraded domain), or (2) run dk-filter on another MTA down the line which will receive the message after masquerading has happened and sign it there. You can actually run two MTAs on the same host, one which is SMART_HOSTed to the other, and have the second one do the signing. Not the most fun setup to manage, but it works. |