From: Jim P. <ji...@ya...> - 2006-07-16 04:22:21

I've been using dk-milter with Mailman for a while now, things have been going good. Tonight I brought up a new Mailman system and took down the old one. Email from the old Mailman system had been pointing to the same smtp gateway as the new system uses. My problem is that Mailman's email from the new system fails signature tests. DNS is the same, although with the new Mailman system there are a few more Received headers as the email is passed through various "sanitizing" systems _before_ hitting Mailman. But, the outgoing smtp gateway, where dk-milter exists and signs emails, still is the same. The only change was adding the IP address of the new Mailman system to the dk-filter internal host (-i) list.

What in the heck could be wrong?

-Jim P.
From: Jim P. <ji...@ya...> - 2006-07-16 08:20:09

Some more info:

dk-filter runs on a mail gateway/queue with 2 interfaces, 10.10.1.1 and a public IP.

args:

  -l -bs -p inet:8891@localhost -c simple -d example.com -s /etc/dkfilter/dk1.key.pem -S dk1 -u dkfilter -m local -f -I /etc/dkfilter/external-hosts

"external-hosts" contains both the name and IP address of the host relaying mail through this gateway.

"local" is the sendmail daemon, of which there are these three daemon options in sendmail.mc:

  DAEMON_OPTIONS(`Name=private, Addr=10.11.1.1, Port=25')
  DAEMON_OPTIONS(`Name=public, Addr=WW.XX.YY.ZZ, Port=25')
  DAEMON_OPTIONS(`Name=local, Addr=127.0.0.1, Port=25')

as well as:

  FEATURE(no_default_msa)

If I use "-m local" no emails are signed. If I use "-l private" I get a log entry that says bad sig (even though the sig is good and has been for months, it just moved to a new host). If I use "-l public" no emails are signed. The crazy thing is that when the old Mailman install, on an off-site host, sent email directly to the gateway (over its public IP) it was properly signed and delivered. Now that email is coming into the gateway via its private interface I can't seem to get it to sign correctly.

Just to be clear, using this setup:

  Internet -> MX -RFC1918-> Mailman -RFC1918-> SMTP-Gateway -> Internet

where should dk-filter exist in order to sign outgoing email?

-Jim P.

Jim Popovitch wrote:
> I've been using dk-milter with Mailman for a while now, things have been
> going good. Tonight I brought up a new Mailman system and took down the
> old one. Email from the old Mailman system had been pointing to the
> same smtp gateway as the new system uses. My problem is that Mailman's
> email from the new system fails signature tests. DNS is the same,
> although with the new Mailman system there are a few more Received
> headers as the email is passed through various "sanitizing" systems
> _before_ hitting Mailman. But, the outgoing smtp gateway, where
> dk-milter exists and signs emails, still is the same. The only change
> was adding the IP address of the new Mailman system to the dk-filter
> internal host (-i) list. What in the heck could be wrong?
>
> -Jim P.
>
> _______________________________________________
> dk-milter-discuss mailing list
> dk-...@li...
> https://lists.sourceforge.net/lists/listinfo/dk-milter-discuss
From: SM <sm...@re...> - 2006-07-16 14:00:10

Hi Jim,

At 21:22 15-07-2006, Jim Popovitch wrote:
>I've been using dk-milter with Mailman for a while now, things have been
>going good. Tonight I brought up a new Mailman system and took down the
>old one. Email from the old Mailman system had been pointing to the
>same smtp gateway as the new system uses. My problem is that Mailman's
>email from the new system fails signature tests. DNS is the same,

Can you send me a test email off-list?

At 01:19 16-07-2006, Jim Popovitch wrote:
>Some more info:
>
>dk-filter runs on a mail gateway/queue with 2 interfaces, 10.10.1.1 and a
>public IP.
>
>args: -l -bs -p inet:8891@localhost -c simple -d example.com -s
>/etc/dkfilter/dk1.key.pem -S dk1 -u dkfilter -m local -f -I
>/etc/dkfilter/external-hosts
>
>"external-hosts" contains both the name and IP address of the host
>relaying mail through this gateway.
>
>"local" is the sendmail daemon, of which there are these three daemon
>options in sendmail.mc:
>DAEMON_OPTIONS(`Name=private, Addr=10.11.1.1, Port=25')
>DAEMON_OPTIONS(`Name=public, Addr=WW.XX.YY.ZZ, Port=25')
>DAEMON_OPTIONS(`Name=local, Addr=127.0.0.1, Port=25')
>as well as:
>FEATURE(no_default_msa)
>
>If I use "-m local" no emails are signed. If I use "-l private" I get a
>log entry that says bad sig (even though the sig is good and has been
>for months, it just moved to a new host). If I use "-l public" no
>emails are signed. The crazy thing is that when the old Mailman
>install, on an off-site host, sent email directly to the gateway (over
>its public IP) it was properly signed and delivered. Now that email is
>coming into the gateway via its private interface I can't seem to get
>it to sign correctly.

Was mailman sending the mail through localhost (local) when you tested with "-m local"?

>Just to be clear, using this setup:
>
> Internet -> MX -RFC1918-> Mailman -RFC1918-> SMTP-Gateway -> Internet
>
> where should dk-filter exist in order to sign outgoing email?

It's better to verify at the boundary (MX) and sign at the SMTP Gateway.

Regards,
-sm
From: Jim P. <ji...@ya...> - 2006-07-19 04:29:46

SM wrote:
> Can you send me a test email off-list?

done. ;-)

> Was mailman sending the mail through localhost (local) when you
> tested with "-m local"?

Well, that's an interesting question. This gets back to my earlier confusion about when/how an email is signed. In my present case (where there are 3 interfaces, lo, eth0, eth1) email comes into the SMTP gateway on eth0 (a private lan) and is queued by Sendmail. Then the email is distributed to the recipients from the queue via eth1 (a publicly available interface). What I don't understand is where in that process dk-filter should sign the email, and how that is configured.

If just using "-m", and only on outbound emails (using Sendmail's INPUT_MAIL_FILTER), then -m should be set to "public" as that is the DAEMON_OPTIONS name of the public interface. If dk-filter is signing the email when it is delivered to the SMTP gateway, then -m should be "private" as that is the DAEMON_OPTIONS name of the private/internal interface. HOWEVER, since sendmail receives from eth0 and simply stores in the queue for queue runners to process, there is probably some Sendmail communication over lo (aka DAEMON_OPTIONS name: local). So, -m depends on just where the signing should occur. Ideally dk-filter would only sign outbound emails leaving through the public interface.

-Jim P.
From: SM <sm...@re...> - 2006-07-19 05:05:46

Hi Jim,

At 21:29 18-07-2006, Jim Popovitch wrote:
>Well, that's an interesting question. This gets back to my earlier
>confusion about when/how an email is signed. In my present case (where
>there are 3 interfaces, lo, eth0, eth1) email comes into the SMTP
>gateway on eth0 (a private lan) and is queued by Sendmail. Then the
>email is distributed to the recipients from the queue via eth1 (a
>publicly available interface). What I don't understand is where in that
>process should dk-filter sign the email, and how is that configured? If

There are different methods to tell dk-milter when to sign mail. One of them is to list the IP addresses for which mail should be signed. This is generally localhost and a list of your internal hosts. The second method is to specify the daemon name.

If you are receiving mail through the public interface, then you should not configure dk-milter to sign mail going through the MTA daemon (public in your case).

I noticed that you are using Thunderbird to send mail. There is a known issue with sendmail which causes the DK signature to fail.

Regards,
-sm
From: Jim P. <ji...@ya...> - 2006-07-19 05:23:35

SM wrote:
> If you are receiving mail through the public interface, then you
> should not configure dk-milter to sign mail going through the MTA
> daemon (public in your case).

So... dk-filter signs email on its way into a system, not out of? In my case (this is a SMTP gateway) it is only outbound email, so no email arrives via "public". Email only arrives via "private", where it is solely queued by the sendmail daemon. Queue runner daemons pick up email from the queues and deliver it over the "public" interface.

> I noticed that you are using Thunderbird to send mail. There is a
> known issue with sendmail which causes the DK signature to fail.

Where can I learn more about this? ;-)

-Jim P.
From: SM <sm...@re...> - 2006-07-19 06:00:09

Hi Jim,

At 22:23 18-07-2006, Jim Popovitch wrote:
>So... dk-filter signs email on its way into a system, not out of? In
>my case (this is a SMTP gateway) it is only outbound email, so no email
>arrives via "public". Email only arrives via "private", where it is
>solely queued by the sendmail daemon. Queue runner daemons pick up
>email from the queues and deliver it over the "public" interface.

If no email arrives via "public", then you don't need sendmail listening on that interface. You can configure dk-milter in signing mode only so that it signs all mail.

dk-filter signs mail going through the sendmail daemon. You called that "into the system". :)

>Where can I learn more about this? ;-)

I don't have a reference as the sf.net search engine is not working. There may be a discussion in the mailing list archive about this issue.

Regards,
-sm
From: SM <sm...@re...> - 2006-07-19 07:14:11

Hi Jim,

Your DK signature verifies correctly now. The issue was caused by a "Return-Path" header being signed at your end. For the record, the fix is to use the -o parameter to ignore that header when DK signing the message.

Regards,
-sm
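The Return-Path failure SM identifies in the last message, worked through as an added example (this is not code from the thread, from dk-milter, or from Mailman): a small Python model of DomainKeys "simple" canonicalization that shows why a signature covering Return-Path stops verifying once the receiving MTA writes its own Return-Path from the SMTP envelope, and why leaving that header out of the signed set (the role dk-filter's -o option plays in the thread) survives the same rewrite. The SHA-1 digest standing in for the RSA signature, the `deliver()` model of the receiving MTA, and the sample headers and addresses are all assumptions of this example, not facts from the page.

```python
"""Model of why a DomainKeys signature that covers Return-Path fails in transit.

Added example for this thread; it is not dk-milter code.  The 'signature'
is a plain SHA-1 digest of the canonicalized message (assumption: a real
signer RSA-signs that digest with the selector's private key), so the only
thing modelled is which bytes the signature covers and how they change.
"""
import hashlib
from typing import Dict, List, Sequence, Tuple

# A header is (name, value); list order is the order the lines appear in the message.
Header = Tuple[str, str]


def canonicalize_simple(headers: List[Header], body: str, signed: Sequence[str]) -> bytes:
    """Simplified DomainKeys 'simple' canonicalization (RFC 4870, section 3.4.1):
    the covered header lines in message order, a blank separator line, then the
    body with trailing empty lines removed.  Header names match case-insensitively."""
    wanted = {n.lower() for n in signed}
    header_lines = [f"{name}: {value}" for name, value in headers if name.lower() in wanted]
    body_lines = body.split("\r\n")
    while body_lines and body_lines[-1] == "":
        body_lines.pop()
    return "\r\n".join(header_lines + [""] + body_lines + [""]).encode("utf-8")


def sign(headers: List[Header], body: str, signed: Sequence[str],
         ignore: Sequence[str] = ()) -> Dict[str, str]:
    """Build a stand-in DomainKey-Signature as a tag dictionary.

    ``ignore`` plays the role of dk-filter's -o option from the thread: any
    header named there is left out of the h= list even if the message has it,
    so later rewrites of that header cannot invalidate the signature."""
    skip = {n.lower() for n in ignore}
    h = [n for n in signed if n.lower() not in skip]
    digest = hashlib.sha1(canonicalize_simple(headers, body, h)).hexdigest()
    return {"a": "rsa-sha1", "c": "simple", "h": ":".join(h), "b": digest}


def verify(headers: List[Header], body: str, sig: Dict[str, str]) -> bool:
    """Recompute the digest over the headers named in h= as the verifier sees them."""
    h = sig["h"].split(":")
    return hashlib.sha1(canonicalize_simple(headers, body, h)).hexdigest() == sig["b"]


def deliver(headers: List[Header], envelope_sender: str) -> List[Header]:
    """Model the receiving MTA at final delivery: it discards any Return-Path the
    sender wrote and prepends its own, taken from the SMTP envelope sender
    (RFC 5321, section 4.4).  Every other header line is passed through as-is."""
    kept = [(n, v) for n, v in headers if n.lower() != "return-path"]
    return [("Return-Path", f"<{envelope_sender}>")] + kept


# Constructed sample message; addresses are illustrative, not from the thread.
MSG_HEADERS: List[Header] = [
    ("Return-Path", "<list-bounces@example.com>"),
    ("From", "Jim P. <jim@example.com>"),
    ("To", "list@example.com"),
    ("Subject", "dk-filter and Mailman"),
]
MSG_BODY = "Testing the signature.\r\n\r\n"
ALL_HEADER_NAMES = [name for name, _ in MSG_HEADERS]
# Mailman-style VERP envelope sender; the receiver writes this into Return-Path.
ENVELOPE_SENDER = "list-bounces+jim=example.com@example.com"


def demo() -> Tuple[bool, bool]:
    """Return (verifies with Return-Path signed, verifies with Return-Path ignored)
    after the message has passed through deliver()."""
    signed_all = sign(MSG_HEADERS, MSG_BODY, ALL_HEADER_NAMES)
    signed_safe = sign(MSG_HEADERS, MSG_BODY, ALL_HEADER_NAMES, ignore=("Return-Path",))
    delivered = deliver(MSG_HEADERS, ENVELOPE_SENDER)
    return verify(delivered, MSG_BODY, signed_all), verify(delivered, MSG_BODY, signed_safe)


if __name__ == "__main__":
    with_rp, without_rp = demo()
    print(f"Return-Path signed:  verifies={with_rp}")
    print(f"Return-Path ignored: verifies={without_rp}")
```

Both signatures verify at the moment they are produced; only the one that covers Return-Path breaks after `deliver()`, because the bytes under the digest changed. The same reasoning applies to any header the path rewrites or adds after signing, which is why signers normally cover only the headers that the author controls end to end.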