From: Ed G. <ed...@gr...> - 2009-08-28 17:00:53
I installed dk-milter (and dkim-milter) and configured it as best I could figure out. I'm using the package from c-corp.net for Centos/EL5.

When I use /bin/mail on the smtp server, (which runs sendmail, I believe) I get a DomainKeys Pass, but when I send my mail via port 25, I get DomainKeys Fail.

My dk-filter daemon is running with these options:

    /usr/sbin/dk-filter \
        -u root \
        -p inet:10035@localhost \
        -d xxx.com \
        -s /etc/mail/domainkeys/xxx.com.priv \
        -S sm \
        -b sv \
        -c nofws \
        -C bad=r,dns=t,int=t,no=a,miss=r \
        -h \
        -l \
        -D \
        -i /etc/mail/domainkeys/allowed-hosts \
        -I /etc/mail/domainkeys/allowed-hosts \
        -P /var/run/dk-filter0.pid

My sendmail.mc has this:

    INPUT_MAIL_FILTER(`dk-filter', `S=inet:10035@localhost')

My DomainKey header (as received at a Yahoo Mail account) shows this:

    X-DomainKeys: Sendmail DomainKeys Filter v0.4.1 admin001.xxx.com
        n7RM69hr004614
    DomainKey-Signature: a=rsa-sha1; s=sm; d=xxx.com; c=nofws; q=dns;
        b=xvb4Olk0ORGHbSSF5sFTc+o4cn5A2FWGvLyN/W3jNdPJFJaO6WhBngU/P/HSjdaEH
        wsr+ZtvxUXzEIYfqadEaDPvpKN3xbzLaoD04qlf1Ovn2DrSrKgtV7GIpkQV0k1rExDa
        5jAxAsfosQvFBcMDmE9aZNR5Ov9jSyrLuzsC/qw=

and my Authentication-Results show this:

    Authentication-Results: mta197.mail.ac4.yahoo.com from=xxx.com;
        domainkeys=fail (bad sig); from=xxx.com; dkim=pass (ok)

My dkim settings are as follows:

    /usr/sbin/dkim-filter \
        -u root \
        -p inet:10036@localhost -d xxx.com \
        -k /etc/mail/domainkeys/xxx.com.priv \
        -s sm -b s \
        -c simple \
        -S rsa-sha1 \
        -C bad=r,dns=t,int=t,no=a,miss=r \
        -h \
        -l \
        -D \
        -i /etc/mail/domainkeys/allowed-hosts \
        -P /var/run/dkim-filter0.pid

Sendmail.mc has:

    INPUT_MAIL_FILTER(`dk-milter', `S=inet:10036@localhost')

and my received header includes:

    X-DKIM: Sendmail DKIM Filter v2.2.1 admin001.xxx.com n7RM69hr004614
    DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=xxx.com; s=sm;
        t=1251410772; bh=eysLlgSsWNRcmr0vbz36DTJcnFk=; h=X-DomainKeys:
        DomainKey-Signature:From:To:Subject; b=IgKChg+V8wvoWydVCMI3kMsUybf
        GdyS8Rjd25DI4nPlzQiccDkDzJ+dNhFyGrKeiv/jMUFhD58NlAgLnN1xpLgR8+8vTyo
        k071LEPCDmmrgHpo2mmOIw7MOpc+4F4dwXIuRVCbQWbfof6Qi8VqO9X+CDjQbxj6WL5
        /LIgxpmJHY=

As shown above the Authentication Results shows DKIM pass.

Does anybody know what I'm doing wrong?

</edg>

From: Mike M. <mi...@ma...> - 2009-08-28 18:16:58
On Fri, Aug 28, 2009 at 10:00:27AM -0700, Ed Greenberg <ed...@gr...> wrote:
> X-DomainKeys: Sendmail DomainKeys Filter v0.4.1 admin001.xxx.com
> n7RM69hr004614

There is a newer dk-milter available, but I don't think that's the problem...

> DomainKey-Signature: a=rsa-sha1; s=sm; d=xxx.com; c=nofws; q=dns;
> b=xvb4Olk0ORGHbSSF5sFTc+o4cn5A2FWGvLyN/W3jNdPJFJaO6WhBngU/P/HSjdaEH
> wsr+ZtvxUXzEIYfqadEaDPvpKN3xbzLaoD04qlf1Ovn2DrSrKgtV7GIpkQV0k1rExDa
> 5jAxAsfosQvFBcMDmE9aZNR5Ov9jSyrLuzsC/qw=
>
>
> and my Authentication-Results show this:
> Authentication-Results: mta197.mail.ac4.yahoo.com from=xxx.com;
> domainkeys=fail (bad sig); from=xxx.com; dkim=pass (ok)
[...]
> DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=xxx.com; s=sm;
> t=1251410772; bh=eysLlgSsWNRcmr0vbz36DTJcnFk=; h=X-DomainKeys:
> DomainKey-Signature:From:To:Subject; b=IgKChg+V8wvoWydVCMI3kMsUybf
> GdyS8Rjd25DI4nPlzQiccDkDzJ+dNhFyGrKeiv/jMUFhD58NlAgLnN1xpLgR8+8vTyo
> k071LEPCDmmrgHpo2mmOIw7MOpc+4F4dwXIuRVCbQWbfof6Qi8VqO9X+CDjQbxj6WL5
> /LIgxpmJHY=

DKIM explicitly lists the headers signed by default; DomainKeys does not. As such, any headers added by your MTA can cause breakage, because the receiver doesn't know those added headers weren't part of the signature.

If this is indeed the problem, then running dk-filter with -H should resolve it. That will cause the filter to list the headers in an h= list, much as your dkim-filter does.

--
Mike Markley <mi...@ma...>
Insufficient facts always invite danger.
- Spock, "Space Seed", stardate 3141.9

From: Ed G. <ed...@gr...> - 2009-08-28 20:08:11
Mike Markley wrote:
>
> DKIM explicitly lists the headers signed by default; DomainKeys does not.
> As such, any headers added by your MTA can cause breakage, because the
> receiver doesn't know those added headers weren't part of the signature.
>
> If this is indeed the problem, then running dk-filter with -H should
> resolve it. That will cause the filter to list the headers in an h=
> list, much as your dkim-filter does.
>
>

Got it first try. Good troubleshooting! Thanks.
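
The failure mode discussed in this thread, as an added example that is not part of the original messages and not dk-milter's code: a simplified Python model of how a verifier picks the headers covered by a DomainKey-Signature, with and without an h= list. The sample message, the example.com addresses, the added Message-Id header and the simplified canonicalization are constructed assumptions; comparing the hash input stands in for the RSA check.

```python
import hashlib

def parse_headers(raw):
    """Split a header block into (name, value) pairs, unfolding continuation lines."""
    fields = []
    for line in raw.strip("\n").split("\n"):
        if line[:1] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip(), value.strip()])
    return [tuple(f) for f in fields]

def signed_fields(fields):
    """Headers the verifier hashes for the first DomainKey-Signature it finds."""
    idx = next(i for i, (n, _) in enumerate(fields)
               if n.lower() == "domainkey-signature")
    tags = dict(t.strip().split("=", 1)
                for t in fields[idx][1].split(";") if "=" in t)
    following = fields[idx + 1:]
    if "h" not in tags:
        # No h= list: every header below the signature is treated as signed.
        return following
    wanted = {h.strip().lower() for h in tags["h"].split(":")}
    return [f for f in following if f[0].lower() in wanted]

def header_digest(raw):
    """SHA-1 over the selected headers (simplified canonicalization, an assumption)."""
    data = "".join(f"{n.lower()}:{v}\r\n"
                   for n, v in signed_fields(parse_headers(raw)))
    return hashlib.sha1(data.encode()).hexdigest()

# Constructed sample data: signature header template, the headers present at
# signing time, and one header the MTA adds after the filter has signed.
SIG = "DomainKey-Signature: a=rsa-sha1; s=sm; d=example.com; c=nofws; q=dns;{h} b=CONSTRUCTED\n"
ORIGINAL = "From: alice@example.com\nTo: bob@example.net\nSubject: test\n"
ADDED_BY_MTA = "Message-Id: <constructed@mail.example.com>\n"

def survives_added_header(h_tag):
    """True if the hash input at verification equals the hash input at signing."""
    sig = SIG.format(h=h_tag)
    return header_digest(sig + ORIGINAL) == header_digest(sig + ORIGINAL + ADDED_BY_MTA)

if __name__ == "__main__":
    print("without h=:", survives_added_header(""))
    print("with h=   :", survives_added_header(" h=From:To:Subject;"))
```

Without h= the added header changes what the receiver hashes, which is the "bad sig" case; with an h= list, as dk-filter -H produces, the added header is ignored.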