From: Greig D. <g.d...@gl...> - 2009-05-19 16:07:39
Hi,

We are running Postfix with dkim-filter and dk-filter (v 1.0.1). Both run on INET ports (8891 & 8892 respectively). We send mail for multiple domains and each domain has a different private key (each stored within its own file). The files are generated from a database every 15 minutes.

The following shell script runs every 15 mins to restart the filters (and Postfix too, but I've removed that bit):

    #!/bin/sh
    killall dk-filter
    killall dkim-filter
    sleep 15
    /usr/sbin/dkim-filter -x /etc/dkim.conf
    /usr/bin/dk-filter -l -H -k -p inet:8892@localhost -c nofws -b s -u dkim -d /mailfiles/dkim/authdomains -s /mailfiles/dkim/keylist-dk -i /etc/dkim-hosts

This seems to work and I can see dkim-filter and dk-milter running, but messages sometimes fail and I see the following in my Postfix logs:

    May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA: dk_getsig(): resource unavailable: PEM_read_bio_PrivateKey() failed
    May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA SSL error:0906D066:PEM routines:PEM_read_bio:bad end line

Restarting the dk-filter sometimes fixes the problem and the message will send, but other times multiple restarts (of dk-filter) are needed before it goes through.

From some quick searches I see that the error is coming from OpenSSL rather than dk-filter itself and is something to do with reading the private keys. I suspect it has something to do with the fact our private keys are being updated (although this is nearly always with exactly the same content as the key would rarely, if ever, change) and the restarting of the services. The dkim-filter has no problems and it reads the same private key files.

I don't normally post to lists as I try hard to resolve these things by myself, but I am kind of stuck now. My questions really are:

1. Any ideas why I am getting these errors and why sometimes it works sometimes it doesn't?
2. Do I need to be restarting the filters every time the keys/files are updated with new domains or will they pick them up automatically?
3. Do the filters need to be restarted when Postfix is restarted?

Finally, sorry for the long email!

From: SM <sm...@re...> - 2009-05-19 18:30:12
At 08:50 19-05-2009, Greig Daines wrote:
>We are running Postfix with dkim-filter and dk-filter (v 1.0.1).

The latest version of dk-filter is 1.0.2.

>We send mail for multiple domains and each domain has a different
>private key (each stored within its own file). The files are generated
>from a database every 15 minutes.

Are you generating the private key every 15 minutes?

>The following shell script runs every 15 mins to restart the filters
>(and Postfix too, but I've removed that bit):

dkim-filter can read the configuration without having to do a full restart.

>This seems to work and I can see dkim-filter and dk-milter running, but
>messages sometimes fail and I see the following in my Postfix logs:
>
>May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA: dk_getsig():
>resource unavailable: PEM_read_bio_PrivateKey() failed
>May 19 15:54:01 mta1 dk-filter[13734]: 9816817E8EA SSL
>error:0906D066:PEM routines:PEM_read_bio:bad end line

Verify the private key file.

>From some quick searches I see that the error is coming from OpenSSL
>rather than dk-filter itself and is something to do with reading the
>private keys. I suspect it has something to do with the fact our
>private keys are being updated (although this is nearly always with
>exactly the same content as the key would rarely, if ever, change) and
>the restarting of the services.

The error is OpenSSL related. It has to do with reading the private key.

>I don't normally post to lists as I try hard to resolve these things by
>myself, but I am kind of stuck now. My questions really are:
>
>1. Any ideas why I am getting these errors and why sometimes it works
>sometimes it doesn't?

Try not updating the private key like you do and see whether you still get these errors.

>2. Do I need to be restarting the filters every time the keys/files are
>updated with new domains or will they pick them up automatically?

You have to restart dk-filter. For dkim-filter, you don't need a full restart.

>3. Do the filters need to be restarted when Postfix is restarted?

No.

>Finally, sorry for the long email!

You are excused. :-)

Regards,
-sm

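Added example, not part of any message in this thread and not dk-milter code: one way to act on the advice above to verify the key file, assuming (as suspected in the thread, but not confirmed) that dk-filter sometimes reads a key file while the 15-minute job is still rewriting it. The function names and the staging/live directory layout are hypothetical, and the check is structural only; `openssl rsa -in FILE -check -noout` performs a full parse of an RSA key.

```sh
#!/bin/sh
# Added example. Directory layout and function names are hypothetical.

# pem_complete FILE: structural check only. Succeeds if the first line is a
# private-key BEGIN line and the last non-blank line is the matching END line.
pem_complete() {
    [ -s "$1" ] || return 1
    first=$(head -n 1 "$1")
    last=$(awk 'NF { l = $0 } END { print l }' "$1")
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) return 1 ;;
    esac
    label=${first#-----BEGIN }
    label=${label%-----}
    [ "$last" = "-----END $label-----" ]
}

# install_key NEW DEST: returns 0 if DEST was replaced, 1 if NEW was rejected,
# 2 if DEST already holds the same bytes (nothing to do, no restart needed).
install_key() {
    new=$1; dest=$2
    pem_complete "$new" || return 1
    if [ -f "$dest" ] && cmp -s "$new" "$dest"; then return 2; fi
    # Temp file in DEST's directory (mktemp creates it 0600), so the rename
    # is atomic: a reader sees the old key or the new key, never a partial one.
    # The filter's user (-u dkim in the thread) must own or be able to read it.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cat "$new" > "$tmp" && mv -f "$tmp" "$dest" && return 0
    rm -f "$tmp"
    return 1
}

# sync_keys STAGING LIVE: install every staged key and print how many changed,
# so the caller restarts dk-filter only when the count is non-zero.
sync_keys() {
    changed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0
        install_key "$f" "$2/$(basename "$f")" || rc=$?
        case $rc in
            0) changed=$((changed + 1)) ;;
            1) echo "rejected incomplete key file: $f" >&2 ;;
        esac
    done
    echo "$changed"
}
```
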
From: Greig D. <g.d...@gl...> - 2009-05-20 12:42:14
Thanks. I am going to see how it goes upgrading the version and not updating the keys to see if that helps.