From: sid m. <sid...@ya...> - 2007-09-16 06:30:31

From: SM <sm@re...> - 2007-09-14 22:19
> You can run two MTAs, one that does the masquerading, then pass the
> message to the second MTA which does the DKIM signing.

Is it the only solution available?
Is there any way to edit sendmail.cf, to patch sendmail milters,
or to patch dkim-milter?

From: Murray S. Kucherawy <msk@se...> - 2007-09-15 21:32
> Not currently. I have a patch to cause dkim-filter to canonicalize the
> mail after rewriting certain strings so as to replicate what MASQUERADE_AS
> would do. I can provide that patch if you want to try it, but it's still
> experimental.

We use the sendmail.cf including,

FEATURE(masquerade_envelope)dnl
FEATURE(allmasquerade)dnl
MASQUERADE_AS(hoge.com)dnl
MASQUERADE_EXCEPTION(`ml.hoge.com')dnl
FEATURE(`always_add_domain')dnl

Can I use your patch for these features?

From: sid m. <sid...@ya...> - 2007-09-18 05:46:39

Thank you for the explanation and patch.
Since the patch uses the regexp, it seems using the patch may be beyond my skill.
Sorry for bothering you.

At 07:09 07/09/18, Murray S. Kucherawy wrote:
>On Sun, 16 Sep 2007, Murray S. Kucherawy wrote:
> > As I stated, I have such a patch available for dkim-milter but I'm not
> > really done with it yet. Thus, it's experimental only, but I can make
> > it available if you want it.
>
>It's available via SourceForge now, patch #1796697. Please read all of
>the comments in the patch report as they contain instructions for use and
>other caveats.
>
>_______________________________________________
>dkim-milter-discuss mailing list
>dki...@li...
>https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss

From: sid m. <sid...@ya...> - 2007-09-19 23:51:57

Thank you for the e-mail. I did make /etc/mail/dkim-filter.ReplaceRules and
used tabs. The problem I have seems to be related to 'Signing OK, but
no verification' matter
(http://www.mail-archive.com/dki...@li.../msg00012.html) ..

At 02:21 07/09/20, Murray S. Kucherawy wrote:
>On Tue, 18 Sep 2007, sid milter wrote:
> > ReplaceRules
> >
> > @hostname\.hoge\.com @hoge\.com
> > ^Message-Id:\(.*\)@hoge\.com\(.*\) Message-Id:\1@hostname\.hoge\.com\2
> >
> > did not work. I may have made other mistakes in installing.
>
>You need this in your dkim-filter.conf:
>
>    ReplaceRules /path/to/file
>
>...and this in /path/to/file:
>
>    @hostname\.hoge\.com @hoge.com
>    ^Message-Id:\(.*\)@hoge\.com\(.*\)
>    Message-Id:\1@hostname\.hoge\.com\2
>
>...with tabs separating the pattern from the new string.
>
>I just tried that very configuration with a test message that contained
>this header:
>
>    From: Murray S. Kucherawy <ms...@ho...>
>
>In the canonicalized form of the headers, I saw this:
>
>    From: Murray S. Kucherawy <ms...@ho...><CRLF>
>
>...which is correct. The Message-Id: one worked as well.
>
>Note though that matching of the patterns is case-sensitive for now, so
>"Message-Id:" won't match "Message-ID:" for example. Ultimately I'll have
>to split the matching of the header name out from the rest of the value
>since header matching should be case-insensitive, but the rest should
>not.

From: Murray S. K. <ms...@se...> - 2007-09-19 23:57:28

On Wed, 19 Sep 2007, sid milter wrote:
> Thank you for the e-mail. I did make
> /etc/mail/dkim-filter.ReplaceRules and
> used tabs. The problem I have seems to be related to
> 'Signing OK, but no verification' matter
> (http://www.mail-archive.com/dki...@li.../msg00012.html)
> ..

ReplaceRules is only meant to be used when signing since that's really
when MASQUERADE_AS matters, although the way it's currently implemented it
will apply to both.

What are the symptoms you're seeing in the logs, verification attempts, etc.?

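Added example, not dkim-milter code and not the SourceForge patch: a Python sketch of why masquerading after signing breaks verification, and how rewriting headers before canonicalization, as ReplaceRules is described in this thread, restores the match. The sample headers, the rule-application order and the translation of the \( \) groups for Python's re module are assumptions, and the SHA-256 digest only stands in for the signed header data.

```python
import hashlib
import re

# Constructed rules in the "pattern<TAB>replacement" layout quoted in the thread.
# Replacements use a plain "." (assumption; Python rejects "\." in a replacement).
RULES_TEXT = (
    "@hostname\\.hoge\\.com\t@hoge.com\n"
    "^Message-Id:\\(.*\\)@hoge\\.com\\(.*\\)\tMessage-Id:\\1@hostname.hoge.com\\2\n"
)

def parse_rules(text):
    """Parse tab-separated rules; lines without a tab are skipped in this sketch."""
    rules = []
    for line in text.splitlines():
        if "\t" not in line:
            continue
        pattern, repl = line.split("\t", 1)
        # Translate POSIX basic-regex groups \( \) to Python's ( ) (groups only).
        pattern = pattern.replace("\\(", "(").replace("\\)", ")")
        rules.append((re.compile(pattern), repl.strip()))
    return rules

def apply_rules(header, rules):
    # Assumed order: every rule runs, in file order, on the previous rule's output.
    for regex, repl in rules:
        header = regex.sub(repl, header)
    return header

def relaxed(header):
    """Relaxed header canonicalization as defined in RFC 6376, section 3.4.2."""
    name, value = header.split(":", 1)
    value = re.sub(r"\r?\n(?=[ \t])", "", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()   # collapse runs of WSP, trim ends
    return name.strip().lower() + ":" + value + "\r\n"

def header_digest(headers, rules=()):
    """SHA-256 over the canonicalized headers: a stand-in for the signed header data."""
    data = "".join(relaxed(apply_rules(h, rules)) for h in headers)
    return hashlib.sha256(data.encode("ascii")).hexdigest()

# Constructed sample: headers as handed to the filter, and as sent after
# MASQUERADE_AS(hoge.com) rewrote From: but left Message-Id: alone
# (as the thread's second rule implies).
SEEN_BY_FILTER = ["From: Sid <sid@hostname.hoge.com>",
                  "Message-Id: <200709200001.abc@hostname.hoge.com>"]
ON_THE_WIRE = ["From: Sid <sid@hoge.com>",
               "Message-Id: <200709200001.abc@hostname.hoge.com>"]
RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    wire = header_digest(ON_THE_WIRE)
    print("signed as seen, no rules :", header_digest(SEEN_BY_FILTER) == wire)
    print("signed after ReplaceRules:", header_digest(SEEN_BY_FILTER, RULES) == wire)
    # Case-sensitivity caveat from the thread: "Message-ID:" misses the second rule,
    # so the first rule's rewrite of the Message-ID domain is never undone.
    odd = ["Message-ID: <1@hostname.hoge.com>"]
    print("Message-ID still matches :", header_digest(odd, RULES) == header_digest(odd))
```
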
From: sid m. <sid...@ya...> - 2007-09-20 01:31:37

No error logging. But sa-test@sendmail..net replies

Authentication System: DomainKeys Identified Mail
Result: DKIM signature NOT confirmed
Description: Signature verification failed; signature is missing or key could not be found

At 08:57 07/09/20, Murray S. Kucherawy wrote:
>On Wed, 19 Sep 2007, sid milter wrote:
> > Thank you for the e-mail. I did make
> > /etc/mail/dkim-filter.ReplaceRules and
> > used tabs. The problem I have seems to be related to
> > 'Signing OK, but no verification' matter
> > (http://www.mail-archive.com/dki...@li.../msg00012.html)
> > ..
>
>ReplaceRules is only meant to be used when signing since that's really
>when MASQUERADE_AS matters, although the way it's currently implemented it
>will apply to both.
>
>What are the symptoms you're seeing in the logs, verification
>attempts, etc.?

From: Murray S. K. <ms...@se...> - 2007-09-20 16:04:57

On Wed, 19 Sep 2007, sid milter wrote:
> No error logging. But sa-test@sendmail..net replies
>
> Authentication System: DomainKeys Identified Mail
> Result: DKIM signature NOT confirmed
> Description: Signature verification failed;
> signature is missing or key could not be found

What are your command line options and/or configuration file contents?

From: sid m. <sid...@ya...> - 2007-09-21 01:27:22

conf file looks like:

$ diff dkim-filter.conf.sample dkim-filter.conf
77c77,78
< Domain example.com
---
> # Domain example.com
> Domain hoge.com
92c93,94
< KeyFile /var/db/dkim/example.private
---
> # KeyFile /var/db/dkim/example.private
> KeyFile /var/db/dkim/hosname.key.pem
150a153
> MTA MTA,TLSMTA,MSA
233c236,237
< Selector my-selector-name
---
> # Selector my-selector-name
> Selector hostname
270c274,275
< Socket inet:port@localhost
---
> # Socket inet:port@localhost
> Socket inet:8892@localhost
277a283
> SubDomains yes
284a291
> Syslog yes
299a307
> UserID smmsp
307a316,317
>
> ReplaceRules /etc/mail/dkim-filter.ReplaceRules

At 01:04 07/09/21, Murray S. Kucherawy wrote:
>On Wed, 19 Sep 2007, sid milter wrote:
> > No error logging. But sa-test@sendmail..net replies
> >
> > Authentication System: DomainKeys Identified Mail
> > Result: DKIM signature NOT confirmed
> > Description: Signature verification failed;
> > signature is missing or key could not be found
>
>What are your command line options and/or configuration file contents?

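Review bot: in the 92c93,94 hunk the new KeyFile path is /var/db/dkim/hosname.key.pem, spelled "hosname", while the Selector set in 233c236,237 is "hostname". Confirm that the file on disk carries exactly that spelling and is readable by the smmsp user added in 299a307; if the path does not resolve, the filter has no private key to sign with.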
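Review bot: the 233c236,237 hunk sets Selector to "hostname" with Domain hoge.com (77c77,78), so a verifier will look for the public key in the TXT record at hostname._domainkey.hoge.com. The tester's "key could not be found" description reported earlier in the thread is worth checking against that record, and the published key must be the counterpart of the private key named by KeyFile.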
From: Murray S. K. <ms...@se...> - 2007-09-21 23:18:59

On Thu, 20 Sep 2007, sid milter wrote:
> conf file looks like:
> [...]

Well, that looks right. I'd have to see the headers as they arrive into
the filter to figure out why it's not signing. As you have it, hoge.com
(since it's listed in Domains) and *.hoge.com (since SubDomains is "yes")
should all get signed.

From: sid m. <sid...@ya...> - 2007-10-20 01:51:06

It began to be confirmed again on OpenSSL 0.9.8g, released today, without ReplaceRules.

> DKIM signature confirmed GOOD

I don't know the reason.
Thank you anyway.

> On , 20 Sep 2007, sid milter wrote:
> > conf file looks like:
> > [...]
>
> Well, that looks right. I'd have to see the headers as they arrive into
> the filter to figure out why it's not signing. As you have it, hoge.com
> (since it's listed in Domains) and *.hoge.com (since SubDomains is
> "yes") should all get signed.

From: Dave I. <dav...@en...> - 2007-10-24 13:11:33

The target system for my dkim-filter installation is a Red Hat EL4
system, which includes openssl 0.9.7.

Since I want support for SHA256, I will have to use openssl 0.9.8 or
better. I see two options

(1) Install the latest openssl on the system, in a location separate
from the existing openssl installation, and compile dkim-filter in such
a way that it points to the 0.9.8 installation.

(2) Link dkim-filter statically with openssl 0.9.8, so that I don't have
to install another instance of openssl on the target system.

I'd rather not do (1), for reasons of convenience which I will not go
into right now.

That leaves me with option (2). Is it possible to statically link with
openssl? How would I do this?

Thanks
Dave I

From: SM <sm...@re...> - 2007-10-24 20:24:32

Hi David,
At 06:11 24-10-2007, Dave Isaacs wrote:
>The target system for my dkim-filter installation is a Red Hat EL4
>system, which includes openssl 0.9.7.
>
>Since I want support for SHA256, I will have to use openssl 0.9.8 or
>better. I see two options
>
>(1) Install the latest openssl on the system, in a location separate
>from the existing openssl installation, and compile dkim-filter in such
>a way that it points to the 0.9.8 installation.
>
>(2) Link dkim-filter statically with openssl 0.9.8, so that I don't have
>to install another instance of openssl on the target system.

You still have to install openssl 0.9.8.

>I'd rather not do (1), for reasons of convenience which I will not go
>into right now.
>
>That leaves me with option (2). Is it possible to statically link with
>openssl? How would I do this?

Yes. In site.config.m4, define the path to the OpenSSL 0.9.8 include
and lib directories.

Regards,
-sm

From: Dave I. <dav...@en...> - 2007-10-25 10:50:09

>>(2) Link dkim-filter statically with openssl 0.9.8, so that I don't
>>have to install another instance of openssl on the target system.

>You still have to install openssl 0.9.8.

Why would I still have to install 0.9.8 on the target system if I
statically linked the dkim-milter?

Thanks
Dave I

-----Original Message-----
From: dki...@li... [mailto:dki...@li...] On Behalf Of SM
Sent: Wednesday, October 24, 2007 12:03 PM
To: dki...@li...
Subject: Re: [dkim-milter-discuss] Statically link with openssl

Hi David,
At 06:11 24-10-2007, Dave Isaacs wrote:
>The target system for my dkim-filter installation is a Red Hat EL4
>system, which includes openssl 0.9.7.
>
>Since I want support for SHA256, I will have to use openssl 0.9.8 or
>better. I see two options
>
>(1) Install the latest openssl on the system, in a location separate
>from the existing openssl installation, and compile dkim-filter in such
>a way that it points to the 0.9.8 installation.
>
>(2) Link dkim-filter statically with openssl 0.9.8, so that I don't
>have to install another instance of openssl on the target system.

You still have to install openssl 0.9.8.

>I'd rather not do (1), for reasons of convenience which I will not go
>into right now.
>
>That leaves me with option (2). Is it possible to statically link with
>openssl? How would I do this?

Yes. In site.config.m4, define the path to the OpenSSL 0.9.8 include
and lib directories.

Regards,
-sm

From: SM <sm...@re...> - 2007-10-25 14:22:12

At 03:49 25-10-2007, Dave Isaacs wrote:
>Why would I still have to install 0.9.8 on the target system if I
>statically linked the dkim-milter?

I should have read that part more carefully. If the milter is
statically linked, you don't have to install OpenSSL on the target system.

Regards,
-sm

From: Dave I. <dav...@en...> - 2007-10-25 15:43:19

Whew! Thanks for restabilizing the foundations of my universe ;-)

Anyhoo, I've managed to statically link the dkim-filter with OpenSSL
0.9.8g. The assistance from the mailing list is appreciated! :-)

Dave I

-----Original Message-----
From: dki...@li... [mailto:dki...@li...] On Behalf Of SM
Sent: Thursday, October 25, 2007 10:21 AM
To: dki...@li...
Subject: Re: [dkim-milter-discuss] Statically link with openssl

At 03:49 25-10-2007, Dave Isaacs wrote:
>Why would I still have to install 0.9.8 on the target system if I
>statically linked the dkim-milter?

I should have read that part more carefully. If the milter is
statically linked, you don't have to install OpenSSL on the target system.

Regards,
-sm

From: Tony E. <to...@he...> - 2007-10-24 17:42:41

Dave Isaacs wrote, on 24-10-2007 15:11:
> The target system for my dkim-filter installation is a Red Hat EL4
> system, which includes openssl 0.9.7.
>
> Since I want support for SHA256, I will have to use openssl 0.9.8 or
> better. I see two options
>
> (1) Install the latest openssl on the system, in a location separate
> from the existing openssl installation, and compile dkim-filter in such
> a way that it points to the 0.9.8 installation.
>
> (2) Link dkim-filter statically with openssl 0.9.8, so that I don't have
> to install another instance of openssl on the target system.
>
> I'd rather not do (1), for reasons of convenience which I will not go
> into right now.
>
> That leaves me with option (2). Is it possible to statically link with
> openssl? How would I do this?

There's one more option, that I've done with all my rigs - since RHEL4
is definitely yesterday's:

3: upgrade/reinstall RHEL5/CentOS5/Fedora FC >= FC6.

Really, RHAS4 is, of date, definitely passé. Much good stuff just
doesn't work on it any longer - or if it does, simply by botching source
to /usr/local, you name it.

People making *structural* changes, such as installing upgrades of
(openssl|Cyrus SASL|Oracle BDB|more stuff) without doing it by using good
rpms are simply heaping coals upon their heads. Yes, I've many years
experience, it was all botching.

Best,
--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl

From: Mike M. <mi...@ma...> - 2007-10-25 01:08:31

On Wed, Oct 24, 2007 at 07:41:45PM +0200, Tony Earnshaw <to...@he...> wrote:
> There's one more option, that I've done with all my rigs - since RHEL4
> is definitely yesterday's:
>
> 3: upgrade/reinstall RHEL5/CentOS5/Fedora FC >= FC6.
>
> Really, RHAS4 is, of date, definitely passé. Much good stuff just
> doesn't work on it any longer - or if it does, simply by botching source
> to /usr/local, you name it.

While running the latest stable and supported release is just good
practice, this isn't an option for everyone. It turns out that in
organizations large enough for administration tasks to be divided across
teams, "passé" matters far less than properly testing and certifying
something in the company's own unique environment and ensuring that the
tools and processes to support it are in place.

To the OP: I do suggest statically linking. I'm responsible for an
environment processing a significant amount of email through a dkim-filter
running on RHEL <5 and statically linked against OpenSSL 0.9.8, and it
works flawlessly.

--
Mike Markley <mi...@ma...>

From: Murray S. K. <ms...@se...> - 2007-09-16 22:18:13

On Sat, 15 Sep 2007, sid milter wrote:
>> You can run two MTAs, one that does the masquerading, then pass the
>> message to the second MTA which does the DKIM signing.
>
> Is it the only solution available?

Currently, yes.

> Is there any way to edit sendmail.cf,

Yes, turn off masquerading. The issue is that the data which get signed
and the data which get sent are not congruent. Clearly though that is in
conflict with your needs.

> to patch sendmail milters,

As in patch libmilter? The problem is not in milter's scope, so no.
You'd have to patch (actually, rework a large part of) the MTA.

> or to patch dkim-milter ?

As I stated, I have such a patch available for dkim-milter but I'm not
really done with it yet. Thus, it's experimental only, but I can make it
available if you want it.

> We use the sendmail.cf including,
>
> FEATURE(masquerade_envelope)dnl
> FEATURE(allmasquerade)dnl
> MASQUERADE_AS(hoge.com)dnl
> MASQUERADE_EXCEPTION(`ml.hoge.com')dnl
> FEATURE(`always_add_domain')dnl
>
> Can I use your patch for these features ?

I have to re-read what always_add_domain does as my patch may not cover
that case, but it does cover the others. I'll post it someplace in the
next few days.

-MSK

From: Murray S. K. <ms...@se...> - 2007-09-17 22:09:43

On Sun, 16 Sep 2007, Murray S. Kucherawy wrote:
> As I stated, I have such a patch available for dkim-milter but I'm not
> really done with it yet. Thus, it's experimental only, but I can make
> it available if you want it.

It's available via SourceForge now, patch #1796697. Please read all of
the comments in the patch report as they contain instructions for use and
other caveats.