From: Andy C. <li...@ox...> - 2009-03-12 11:20:49
I am not sure if this is a DK issue or a sendmail issue so apologies in advance if this is not the right forum to ask this question.

I have two servers: our main email server and our main web server. Currently, I have the email server set up to send mail sent from our office IP, locally (via PHP for instance) or via webmail and to DK sign it. This works fine. I also have the web server set up to send mail sent locally via PHP and again the DK signing works fine.

Both servers are running the same version of RHEL4 and have the same patches. The mail server is using dk-milter-0.6.0 and the web server is using dk-milter-1.0.0 - I set dk-milter up on the web server a while after I had it running OK on the mail server; obviously, I need to update dk-milter on the mail server. Both servers have the same command-line options set for dk-milter (bar their individual hostnames).

Now here's the problem. Today, I decided I'd like to configure the web server to accept SMTP connections from our office IP and relay mail out with DK signing. I reconfigured the firewall and configured sendmail to listen for external connections and relay mail from our IP. But when I tested sending a mail from the web server, it didn't sign it. The headers on the email as received said:

DomainKey-Status: no signature,

and my sendmail log said:

Milter insert (1): header: Authentication-Results: unknown-host; domainkeys fail (no signature)

I have compared the sendmail.cf files, and searched in the /etc/mail dir but I can't see for the life of me what I need to change. I'm guessing there's some configuration setting in sendmail that I need to change.

Can anyone point me in the right direction?

Thanks
Andy

From: SM <sm...@re...> - 2009-03-12 14:07:22
At 04:21 12-03-2009, Andy Clyde wrote:
>I am not sure if this is a DK issue or a sendmail issue so apologies in
>advance if this is not the right forum to ask this question.

It's both.

>Now here's the problem. Today, I decided I'd like to configure the web
>server to accept SMTP connections from our office IP and relay mail out
>with DK signing. I reconfigured the firewall and configured sendmail to
>listen for external connections and relay mail from our IP. But when I
>tested sending a mail from the web server, it didn't sign it. The
>headers on the email as received said:
>DomainKey-Status: no signature,
>and my sendmail log said:
>Milter insert (1): header: Authentication-Results: unknown-host;
>domainkeys fail (no signature)

Sendmail cannot determine the hostname. You can fix that by setting a correct hostname for the server or else use the following settings in your .mc file for sendmail:

Dmexample.com
define(`confDOMAIN_NAME', `$w.$m')dnl

You need to tell dk-milter how to identify messages that should be signed instead of being verified. The default setting is to sign messages from localhost. If you start dk-filter with the -m MSA parameter, it should sign messages submitted through port 587. If you still don't see any signature, verify what daemon name you have set for that port in your sendmail .mc file.

>I have compared the sendmail.cf files, and searched in the /etc/mail dir
>but I can't see for the life of me what I need to change. I'm guessing
>there's some configuration setting in sendmail that I need to change.

It's a networking issue. man hostname

Regards,
-sm

From: Andy C. <li...@ox...> - 2009-03-12 15:49:38
SM wrote:
> At 04:21 12-03-2009, Andy Clyde wrote:
>> I am not sure if this is a DK issue or a sendmail issue so apologies in
>> advance if this is not the right forum to ask this question.
>
> It's both.
>
>> Now here's the problem. Today, I decided I'd like to configure the web
>> server to accept SMTP connections from our office IP and relay mail out
>> with DK signing. I reconfigured the firewall and configured sendmail to
>> listen for external connections and relay mail from our IP. But when I
>> tested sending a mail from the web server, it didn't sign it. The
>> headers on the email as received said:
>> DomainKey-Status: no signature,
>> and my sendmail log said:
>> Milter insert (1): header: Authentication-Results: unknown-host;
>> domainkeys fail (no signature)
>
> Sendmail cannot determine the hostname. You can fix that by setting
> a correct hostname for the server or else use the following settings
> in your .mc file for sendmail:
>
> Dmexample.com
> define(`confDOMAIN_NAME', `$w.$m')dnl

Thanks, that got rid of the unknown-host error.

>
> You need to tell dk-milter how to identify messages that should be
> signed instead of being verified. The default setting is to sign
> messages from localhost. If you start dk-filter with the -m MSA
> parameter, it should sign messages submitted through port 587. If you
> still don't see any signature, verify what daemon name you have set
> for that port in your sendmail .mc file.

Hmmm, I haven't done that on our other server and that seems to work fine. As I said before the dk-filter command-line options are identical apart from the hostname.

>
>> I have compared the sendmail.cf files, and searched in the /etc/mail dir
>> but I can't see for the life of me what I need to change. I'm guessing
>> there's some configuration setting in sendmail that I need to change.
>
> It's a networking issue. man hostname
>

hostname was showing the correct result, the .mc fix you gave above sorted the hostname issue.

A new error has popped up now (actually it was there before but hadn't spotted it).

dk-filter[24460]: external host my-office-ip-address attempted to send as mydomain.com

It looks like dk-filter reporting this but is this because there is no SMTP AUTH set up in sendmail? I have our office IP set up in the sendmail access file but no other authentication (port 25 is closed to everything except localhost and my office IP). I can't remember setting up dk-filter to trust our office IP and I can't see anywhere I might be able to do so in dk-filter.

Thanks
Andy

From: SM <sm...@re...> - 2009-03-12 17:17:49
At 08:50 12-03-2009, Andy Clyde wrote:
>Hmmm, I haven't done that on our other server and that seems to work
>fine. As I said before the dk-filter command-line options are identical
>apart from the hostname.

I don't know what command line options you are using.

>hostname was showing the correct result, the .mc fix you gave above
>sorted the hostname issue.

It might be a hosts (man hosts) issue. Anyway, you have a fix that works.

>A new error has popped up now (actually it was there before but hadn't
>spotted it).
>dk-filter[24460]: external host my-office-ip-address attempted to send
>as mydomain.com

That is an informational message and not an error.

>It looks like dk-filter reporting this but is this because there is no
>SMTP AUTH set up in sendmail? I have our office IP set up in the
>sendmail access file but no other authentication (port 25 is closed to
>everything except localhost and my office IP). I can't remember setting
>up dk-filter to trust our office IP and I can't see anywhere I might be
>able to do so in dk-filter.

If you use SMTP AUTH for the message submission, dk-filter would work in signing mode. You can use the -i filename parameter and add your office IP address in the file.

Regards,
-sm

From: Andy C. <li...@ox...> - 2009-03-13 09:23:48
SM wrote:
> At 08:50 12-03-2009, Andy Clyde wrote:
>
>> It looks like dk-filter reporting this but is this because there is no
>> SMTP AUTH set up in sendmail? I have our office IP set up in the
>> sendmail access file but no other authentication (port 25 is closed to
>> everything except localhost and my office IP). I can't remember setting
>> up dk-filter to trust our office IP and I can't see anywhere I might be
>> able to do so in dk-filter.
>
> If you use SMTP AUTH for the message submission, dk-filter would work
> in signing mode. You can use the -i filename parameter and add your
> office IP address in the file.
>

Genius. That works perfectly.

I have to say this is one of the friendliest and most helpful lists I've been on!

Thanks
Andy

From: Murray S. K. <ms...@se...> - 2009-03-12 17:11:55
On Thu, 12 Mar 2009, SM wrote:
> Sendmail cannot determine the hostname. You can fix that by setting
> a correct hostname for the server or else use the following settings
> in your .mc file for sendmail:
>
> Dmexample.com
> define(`confDOMAIN_NAME', `$w.$m')dnl

You might also not be passing the hostname macro ($j) from the MTA to the filter. You need to include it in the set of macros the MTA sends to filters. Normally this is done for you by the "m4" configuration stuff. You can verify this by checking that you have a line which reads something like this in your sendmail.cf:

O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}

The "j" is the important one for this particular issue.

> You need to tell dk-milter how to identify messages that should be
> signed instead of being verified. The default setting is to sign
> messages from localhost. If you start dk-filter with the -m MSA
> parameter, it should sign messages submitted through port 587. If you
> still don't see any signature, verify what daemon name you have set
> for that port in your sendmail .mc file.

You could also list your internal hosts by network using the "-i" command line option. Check the man page for details.
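
The sendmail.cf check described in the last message can be scripted. The following is an added example, not part of the original thread or of dk-milter; the function names and the two sample files are constructed, and checking {daemon_name} alongside j is an assumption based on the "-m MSA" advice above.

```shell
#!/bin/sh
# Added example: confirm sendmail.cf hands the filter the connect-time
# macros discussed in the thread. Function names are hypothetical.

# Print the macro list from the last "O Milter.macros.connect=" line of $1.
connect_macros() {
    sed -n 's/^O[[:space:]]*Milter\.macros\.connect[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1
}

# Succeed if macro $2 (e.g. j or {daemon_name}) is an exact list member.
has_connect_macro() {
    connect_macros "$1" | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq -- "$2"
}

# Print each required macro missing from file $1; status 1 if any is missing.
missing_connect_macros() {
    cf=$1; shift
    rc=0
    for m in "$@"; do
        has_connect_macro "$cf" "$m" || { printf '%s\n' "$m"; rc=1; }
    done
    return $rc
}

# Constructed sample files: one like the line quoted in the thread,
# one where j and {daemon_name} were dropped from the list.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/good.cf" <<'EOF'
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
EOF
cat > "$SAMPLE_DIR/bad.cf" <<'EOF'
O Milter.macros.connect=_, {if_name}, {if_addr}
EOF

for cf in "$SAMPLE_DIR/good.cf" "$SAMPLE_DIR/bad.cf"; do
    if missing=$(missing_connect_macros "$cf" j '{daemon_name}'); then
        echo "$cf: connect macros ok"
    else
        echo "$cf: missing connect macros:" $missing
    fi
done
```

On a real host, point `missing_connect_macros` at the installed sendmail.cf; a missing `j` matches the `unknown-host` result seen in the Authentication-Results header earlier in the thread.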