From: Murray S. K. <ms...@se...> - 2008-05-28 16:40:06
|
Please restrict feedback about Beta releases to the dkim-milter-beta list. On Wed, 28 May 2008, System Support wrote: > 1) The sample .config file does not have the new options, although the > help file does. Fixed; will appear in the next Beta. > 3) DontSignMailTo does not seem to be working as hoped. > > have something like: > DontSignMailTo re...@sp...,pos...@ot... > > As requested, mail is Forwarded to those sites, and looking at the > headers what needs to be matched is the 'Resent-to' header. There was a bug in the way the recipient list was walked when looking for matches. A fix for this appears in the next Beta (later today; I typically do a Beta release each day if there's been a change since the previous one). However, I just saw that in a passing review of the relevant code. In fact, your requirement may be more difficult than I thought to deal with. The milter component of both postfix and sendmail operates when the mail arrives via SMTP. If mail lands on your machine addressed to X but is automatically forwarded to Y, the filter never sees the forwarding operation; it only sees X as the recipient. This is because the filter sees exactly the SMTP conversation with the client injecting the message; aliasing and forwarding happen after that and are not part of milter. Thus, if that's the order in which things are happening on your system, then there's not much the filter can do to solve this problem because DontSignMailTo can't work here because the filter is never told that Y is the ultimate recipient. What's adding the Resent-To: header here? Is it already on the message when it arrives, or is it postfix adding it as a result of an alias or .forward file? Matching DontSignMailTo on a header field instead of an envelope recipient is more challenging because parsing those headers looking for matches can be quite a chore; there can be more than one such header, and there can be more than one address per header, and isolating them for matching can be a challenge in itself. |
From: Murray S. K. <ms...@se...> - 2008-05-28 18:10:11
|
On Wed, 28 May 2008, System Support wrote: >> What's adding the Resent-To: header here? Is it already on the message >> when it arrives, or is it postfix adding it as a result of an alias or >> forward file? > > Already there - added by the mail client. So the forwarding actually happens in the mail client? That's odd, and so now I'm a little confused. Hopefully you can clarify for me. If so, maybe we can salvage the idea. As I understand it, your mail arrives thus: From: X To: Y Resent-To: Z [other headers] Who are the SMTP sender and recipient(s)? |
From: System S. <su...@mi...> - 2008-05-28 19:28:53
|
On 28 May 2008 at 11:09, Murray S. Kucherawy wrote: > So the forwarding actually happens in the mail client? That's odd, and so > now I'm a little confused. Hopefully you can clarify for me. If so, > maybe we can salvage the idea. A little more information may help. The mail client has a filter that inspects the X-Spam headers + other stuff and puts matching mail in a 'potential spam' folder. Every now and again I review the folder. particually annoying stuff I tag and it is forwarded on to the the spam lists + my local bayesian scanner + the spamassassin learn function. > > As I understand it, your mail arrives thus: > > From: X > To: Y > Resent-To: Z > [other headers] Yes > > Who are the SMTP sender and recipient(s)? I believe that they are postmaster (at) microtechniques.com and mboxreport (at) microtechniuqes.com Originally there were multiple recipients, but I changed the script to send separate e-mails with only one recipient each. Here are the headers from a sample message (addresses mangled slightly) X-PM-Identity: Forward Resent-from: "postmaster" <postmaster @ microtechniques.com> Resent-to: mboxreport @ microtechniques.com Resent-date: Wed, 28 May 2008 15:02:58 -0400 Return-Path: <dhughes @ MicroTechniques.com> X-Original-To: dhughes @ microtechniques.com Delivered-To: dhughes @ microtechniques.com Received: from 127.0.0.1 (localhost [127.0.0.1]) by mail.MicroTechniques.com (Falcon mail server) with SMTP id 379CECD4D3 for <dhughes @ microtechniques.com>; Wed, 28 May 2008 15:01:55 - 0400 (EDT) X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on Falcon.Net1.MicroTechniques.com X-Spam-Level: X-Spam-Status: No, score=-3.2 required=5.0 tests=ALL_TRUSTED,BAYES_00, MISSING_MID,TO_MALFORMED autolearn=ham version=3.2.3 Received: from mailo.MicroTechniques.com (Plover.Net1.MicroTechniques.com [10.168.xx.xx]) by maili.MicroTechniques.com (Falcon mail server) with ESMTP id 52D1DCD98F for <dhughes @ microtechniques.com>; Wed, 28 May 2008 15:01:54 - 0400 (EDT) Received: from [10.168.xx.xx] (xx.Microtechniques.com [10.168.xx.xx]) by mailo.MicroTechniques.com (Falcon mail server) with ESMTP id 36D03CD4D3 for <dhughes @ microtechniques.com>; Wed, 28 May 2008 15:01:54 - 0400 (EDT) X-DKIM: Sendmail DKIM Filter v2.6.0.Beta0 mailo.MicroTechniques.com 36D03CD4D3 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=MicroTechniques.com; s=MT_email; t=1212001314; bh=mHeouLbIxahfAMD4g/vM2Tc3QfVjF34kUAp1EV x85ZM=; h=Resent-from:Resent-to:Resent-date:From:To:Subject: MIME-Version:Content-type:Content-transfer-encoding:Date: Resent-Message-Id; b=iNPgMT10LOGaxg6F7Xr14wbevL+F8vL5MUG7gSVXsxdGo PdGHf4LCbMo5bXfb2vXG723tFzhVRG+qm7ZH0+epd9g3tgdbs0tN/mTTzJCqgO78bRx EADizq2Vnly5K0ZGzs7/bl/5xQnfoKJPkqaP6werCVHa4Lrdq7PZ4oiaeXw= X-cs: R X-CS-Version: 1.0 From: Don Hughes <dhughes @ microtechniques.com> X-RS-ID: <Default> X-RS-Flags: 0,0,1,1,0,0,0 X-RS-Sigset: -1 To: TestList @ maili.MicroTechniques.com Subject: Budget MIME-Version: 1.0 Date: Tue, 20 May 2008 10:04:57 -0500 Resent-Message-Id: <200...@ma...> X-Antivirus: AVG for E-mail 8.0.100 [269.24.1/1469] ...don support (at) microtechniques.com |
From: Murray S. K. <ms...@se...> - 2008-05-29 18:06:59
|
On Wed, 28 May 2008, System Support wrote: >> As I understand it, your mail arrives thus: >> >> From: X >> To: Y >> Resent-To: Z >> [other headers] > > Yes > >> >> Who are the SMTP sender and recipient(s)? > > I believe that they are postmaster (at) microtechniques.com and > mboxreport (at) microtechniuqes.com OK, so since it keys on the envelope, let's try matching that. If you set: DontSignMailTo mboxreport@* ...does it do what you need? |
From: System S. <su...@mi...> - 2008-06-06 13:03:25
|
While examining my logs I found the following messages. I have not seen them in the past and I am not sure of their importance: 1) This sequence shows 'verification successful' and then 'bad signature' seems a contradiction. Jun 5 21:47:26 Falcon postfix/smtpd[11797]: AEFF8CD61A: client=yw-out- 2324.google.com[74.125.46.28] Jun 5 21:47:26 Falcon postfix/cleanup[11801]: AEFF8CD61A: message- id=<484...@dh...> Jun 5 21:47:26 Falcon dkim-filter[3409]: AEFF8CD61A: dk_eoh() returned status 1 Jun 5 21:47:26 Falcon dkim-filter[3409]: AEFF8CD61A DKIM verification successful Jun 5 21:47:26 Falcon dkim-filter[3409]: AEFF8CD61A SSL error:04077068:rsa routines:RSA_verify:bad signature Jun 5 21:47:26 Falcon postfix/qmgr[3612]: AEFF8CD61A: from=<wpnyus+caf_=forwarded=mic...@gm...>, size=6896, nrcpt=1 (queue active) Jun 5 21:47:27 Falcon postfix/pipe[11802]: AEFF8CD61A: to=<for...@mi...>, relay=spamfilter, delay=1.2, delays=0.67/0.01/0/0.53, dsn=2.0.0, status=sent (delivered via spamfilter service) Jun 5 21:47:27 Falcon postfix/qmgr[3612]: AEFF8CD61A: removed 2) This seems to indicate that hotpop has a configuration issue. However, the reject shows a 4xx error. If it is a hotpop error, how do I report it. Jun 5 13:42:06 Falcon postfix/smtpd[5323]: 44522CD61A: client=smtp- out.hotpop.com[38.113.3.61] Jun 5 13:42:06 Falcon postfix/cleanup[5337]: 44522CD61A: message- id=<f1a...@ma.... au> Jun 5 13:42:07 Falcon dkim-filter[3409]: 44522CD61A dk_eom() returned status 5: no sender header found below signature Jun 5 13:42:07 Falcon dkim-filter[3409]: 44522CD61A: key retrieval failed Jun 5 13:42:07 Falcon postfix/cleanup[5337]: 44522CD61A: milter- reject: END-OF-MESSAGE from smtp-out.hotpop.com[38.113.3.61]: 4.7.1 Service unavailable - try again later; from=<qwc...@su...> to=<for...@mi...> proto=ESMTP helo=<smtp-out.hotpop.com> 3) This just looks like a dice error. How do it report it? I tried e- mail to pos...@di... to no effect. Jun 6 03:57:51 Falcon postfix/smtpd[16807]: 6331ECD61A: client=mailbox3.dice.com[65.198.147.3] Jun 6 03:57:54 Falcon postfix/cleanup[16818]: 6331ECD61A: message- id=<200...@vi...> Jun 6 03:57:55 Falcon dkim-filter[3409]: 6331ECD61A: bad signature data Jun 6 03:57:55 Falcon postfix/cleanup[16818]: 6331ECD61A: milter- reject: END-OF-MESSAGE from mailbox3.dice.com[65.198.147.3]: 5.7.0 bad DKIM signature data; from=<jo...@di...> to=<jo...@mi...> proto=ESMTP helo=<mailbox3.dice.com> ...don support (at) microtechniques.com |
From: Murray S. K. <ms...@se...> - 2008-06-06 17:27:49
|
On Fri, 6 Jun 2008, System Support wrote: > 1) This sequence shows 'verification successful' and then 'bad > signature' seems a contradiction. Based on the log entries, you're verifying both DomainKeys and DKIM. It looks like one succeeded while the other did not. I'd have to see a copy of a message which causes this to be more precise. > 2) This seems to indicate that hotpop has a configuration issue. > However, the reject shows a 4xx error. If it is a hotpop error, how do > I report it. The DomainKeys signature you tried to verify wasn't properly added to the arriving message. Unlike DKIM, the position of the DomainKeys header is significant, and they appear to have gotten it wrong. > 3) This just looks like a dice error. How do it report it? I tried e- > mail to pos...@di... to no effect. That's what I would try. I wouldn't know what else to suggest. |