From: Lucas B. <luc...@gm...> - 2008-05-28 13:46:21
|
Hi Folks: First of all, I'm dkim-milter newbie... I'm starting evaluating it. Well, I'd like to know if '-t' switch tests which action will be issued by dkim-milter. I'm running: # dkim-filter -t mbox -v -l -W -C 'no=r' dkim-filter: mbox: mlfi_eom() returned SMFIS_ACCEPT dkim-filter: mbox: message not signed mbox is a non-signed mail. The odd thing is that when I runs dkim-filter as a daemon talking with my MTA (through a unix domain socket) but using -C 'no=r', the mail is accepted to deliver... Am I messing things up? Thanks in advance Lucas Brasilino |
From: Murray S. K. <ms...@se...> - 2008-05-28 16:18:12
|
On Wed, 28 May 2008, Lucas Brasilino wrote: > Am I messing things up? Nope, apparently I am. :-) I've reproduced your problem and I can see what's going on. I'll get a fix in for the next release. |
From: Lucas B. <luc...@gm...> - 2008-05-28 17:31:14
|
Hi! >> Am I messing things up? > > Nope, apparently I am. :-) > > I've reproduced your problem and I can see what's going on. I'll get a > fix in for the next release. Thanks for your reply. Getting further in my tests, I've set two MTA's where I'm sending mail from valido.com to meudominio.com (dummy domains, just like foor and bar ones :) ). dkim-filter in valido.com is started as: dkim-filter -p local:/var/spool/postfix/dkim-filter/dkim-filter.sock -u postfix -b sv -s default -k /etc/dkim-milter/default.private -d valido.com -l -W -A -C 'bad=r,dns=r,int=r,no=r,miss=r' And added public key in TXT RR: # dig +short default._domainkey.valido.com TXT "v=DKIM1\; g=*\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2bH4BYtSzlfvdBi5aoH+6ooD6UzvSWAtP2HHMNnKMGyxfh25QkBUXE3dQhHQIg3IDfSA7g4YcJlsESO4Bso79rbd2I1UXAoTBW0E58cTeHChxvmAqZfu/E/S+imCsLtZvQdOitii9owPs2p2FctosO8XiJVFBLBsLJPJTASwz5QIDAQAB" In meudominio.com I've started dkim-filter as: dkim-filter -p local:/var/spool/postfix/dkim-filter/dkim-filter.sock -u postfix -b sv -s 2008 -k /var/db/dkim/2008.key.pem -d meudominio.com -l -W -A -C 'bad=r,dns=r,int=r,no=r,miss=r' but when I send a mail from a third MTA (spammer.com) to meudominio.com, with no signature and pretends to be valido.com, dkim-filter in meudominio.com says that: May 28 08:05:44 servidoremail postfix/cleanup[4881]: D9E3DD458: message-id=<200...@ma...> May 28 08:05:44 servidoremail dkim-filter[4327]: (unknown-jobid) no signing domain match for `valido.com' May 28 08:05:44 servidoremail dkim-filter[4327]: (unknown-jobid) no signing subdomain match for `valido.com' May 28 08:05:44 servidoremail dkim-filter[4327]: (unknown-jobid) no signing keylist match for `dic...@va...' May 28 08:05:44 servidoremail dkim-filter[4327]: (unknown-jobid) not internal May 28 08:05:44 servidoremail dkim-filter[4327]: (unknown-jobid) not authenticated May 28 08:05:44 servidoremail dkim-filter[4327]: (unknown-jobid) mode select: verifying May 28 08:06:04 servidoremail postfix/qmgr[4871]: D9E3DD458: from=<dic...@va...>, size=992, nrcpt=1 (queue active) May 28 08:06:04 servidoremail postfix/smtpd[4877]: disconnect from unknown[192.168.0.7] May 28 08:06:04 servidoremail postfix/local[4882]: D9E3DD458: to=<ro...@me...>, relay=local, delay=20, delays=20/0/0/0.02, dsn=2.0.0, status=sent (delivered to maildir) And delivery the mail!! Again... is it a issue or am I messing things up? By the way: I' ve compiled dkim-filter 2.5.5 from sources. Thanks a lot in advance Regards Lucas Brasilino |
From: Murray S. K. <ms...@se...> - 2008-05-28 17:34:08
|
On Wed, 28 May 2008, Lucas Brasilino wrote: > And delivery the mail!! Again... is it a issue or am I messing things > up? Why should it do anything different? Apart from the problem you already reported (which I opened as a bug on SourceForge if you wish to track it), you haven't asked the filter to do anything special with that mail. |
From: Lucas B. <luc...@gm...> - 2008-05-28 18:07:29
|
Hi Murray: > On Wed, 28 May 2008, Lucas Brasilino wrote: >> And delivery the mail!! Again... is it a issue or am I messing things >> up? > > Why should it do anything different? > > Apart from the problem you already reported (which I opened as a bug on > SourceForge if you wish to track it), you haven't asked the filter to do > anything special with that mail. Well.. as I said.. I'm a dkim/dkim-milter newbie :) So.. as I'm using -C 'no=r', and dkim-filter manpage says that: '...nosignature (no) no signature was present on the message...' and '...reject (r) reject the message....' So I'd guessed that it should reject an non-signed mail.... As your answer, I'm wrong :) So... where I'm wrong and where can I find a better docs about dkim-milter ?? I've read a lot around... but things stills cloudy.... thanks a lot Lucas Brasilino |
From: Murray S. K. <ms...@se...> - 2008-05-28 18:11:24
|
On Wed, 28 May 2008, Lucas Brasilino wrote: > Well.. as I said.. I'm a dkim/dkim-milter newbie :) So.. as I'm > using -C 'no=r', and dkim-filter manpage says that: > > '...nosignature (no) no signature was present on the message...' and > '...reject (r) reject the message....' > > So I'd guessed that it should reject an non-signed mail.... Right, but there's a bug in "no=r" that hasn't been addressed yet, which you pointed out in your first message. So now I'm confused. How was your second example different from the first one? |
From: Lucas B. <luc...@gm...> - 2008-05-28 18:20:43
|
Hi! >> >> So I'd guessed that it should reject an non-signed mail.... > > Right, but there's a bug in "no=r" that hasn't been addressed yet, which > you pointed out in your first message. > > So now I'm confused. How was your second example different from the first > one? Yes, it is. The first one I've just ran dkim-filter testing a mail in a local file (mbox file)... the second one I've ran as a daemon talking to postfix through a unix domain socket, and I've posted the logs of the receiving MTA. Regards Lucas Brasilino |
From: Murray S. K. <ms...@se...> - 2008-05-28 18:25:56
|
On Wed, 28 May 2008, Lucas Brasilino wrote: > Yes, it is. The first one I've just ran dkim-filter testing a mail in a > local file (mbox file)... the second one I've ran as a daemon talking to > postfix through a unix domain socket, and I've posted the logs of the > receiving MTA. Ah, I understand. In fact all you're doing is running the simulation ("-t") and live modes (without "-t") but really testing the same feature in each case. "no=r" is definitely broken. I'm aiming to have it fixed in a near-future release. Unfortunately doing the fix cleanly is a little complicated so it may not make it into 2.6.0 (which is already in Beta), but I'll try. If your goal is to reject any mail that's not DKIM-signed, you'll need to wait for the fix. On the other hand, if you want to reject mail that wasn't DKIM-signed but should've been according to the sending domain's policy, that feature is available in the current code (check out the "ASPDiscard" configuration file item). -MSK |
From: Lucas B. <luc...@gm...> - 2008-05-28 18:36:33
|
Hi! > > Ah, I understand. In fact all you're doing is running the simulation > ("-t") and live modes (without "-t") but really testing the same feature > in each case. Yep :) > "no=r" is definitely broken. I'm aiming to have it fixed in a near-future > release. Unfortunately doing the fix cleanly is a little complicated so > it may not make it into 2.6.0 (which is already in Beta), but I'll try. Ok. > If your goal is to reject any mail that's not DKIM-signed, you'll need to > wait for the fix. On the other hand, if you want to reject mail that > wasn't DKIM-signed but should've been according to the sending domain's > policy, that feature is available in the current code (check out the > "ASPDiscard" configuration file item). Hmmm that's type of rejection it's also great for my tests. I gonna try it out and, if I got some doubt, I gonna bother you again :) Thanks a lot for your help! Lucas Brasilino |
From: Murray S. K. <ms...@se...> - 2008-05-29 17:51:39
|
A patch for this will be available in the 2.6.0 release (now in Beta). If you want this feature sooner, let me know and I'll see about making a patch to 2.5.5. Or, you can try the Beta release. |
From: Lucas B. <luc...@gm...> - 2008-05-29 19:47:28
|
> A patch for this will be available in the 2.6.0 release (now in Beta). If > you want this feature sooner, let me know and I'll see about making a > patch to 2.5.5. > > Or, you can try the Beta release. Great.. thanks. I'll take a loot at beta release. regards Lucas Brasilino |
From: Lucas B. <luc...@gm...> - 2008-05-30 03:30:11
|
Hi: I've got a problem when compiling dkim-filter 2.6.0beta1: cc -o dkim-filter -lpthread -L/usr/lib -L/usr/lib config.o dkim-ar.o dkim-arf.o dkim-db.o dkim-filter.o stats.o test.o util.o -lmilter /usr/local/src/dkim-milter-2.6.0.Beta1/obj.Linux.2.6.17-5mdv.i686/libdkim/libdkim.a /usr/local/src/dkim-milter-2.6.0.Beta1/obj.Linux.2.6.17-5mdv.i686/libsm/libsm.a -lresolv -lcrypt -lnsl -ldl -lssl -lcrypto /usr/local/src/dkim-milter-2.6.0.Beta1/obj.Linux.2.6.17-5mdv.i686/libdkim/libdkim.a(dkim-test.o): In function `dkim_test_key': dkim-test.c:(.text+0x27c): undefined reference to `dkim_process_set' dkim-test.c:(.text+0x296): undefined reference to `dkim_siglist_setup' collect2: ld returned 1 exit status make[1]: ** [dkim-filter] Erro 1 make[1]: Saindo do diretório `/usr/local/src/dkim-milter-2.6.0.Beta1/obj.Linux.2.6.17-5mdv.i686/dkim-filter' make: ** [all] Erro 2 My packages: cc -v Using built-in specs. Target: i586-mandriva-linux-gnu Configured with: ../configure --prefix=/usr --libexecdir=/usr/lib --with-slibdir=/lib --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --enable-languages=c,c++,ada,fortran,objc,obj-c++,java --host=i586-mandriva-linux-gnu --with-cpu=generic --with-system-zlib --enable-long-long --enable-__cxa_atexit --enable-clocale=gnu --disable-libunwind-exceptions --enable-java-awt=gtk --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --enable-gtk-cairo --enable-ssp --disable-libssp Thread model: posix gcc version 4.1.1 20060724 (prerelease) (4.1.1-3mdk) GlibC 2.4.4 GNU make 3.81 GNU m4 1.4.4 # egrep -v '^dnl.*|^$' devtools/Site/site.config.m4 APPENDDEF(`confINCDIRS', `-I/usr/include/openssl ') APPENDDEF(`confLIBDIRS', `-L/usr/lib ') APPENDDEF(`bld_dkim_filter_INCDIRS', `-I/usr/include/milter') APPENDDEF(`bld_dkim_filter_LIBDIRS', `-L/usr/lib') thanks a lot in advance Lucas Brasilino 2008/5/29, Lucas Brasilino <luc...@gm...>: >> A patch for this will be available in the 2.6.0 release (now in Beta). If >> >> you want this feature sooner, let me know and I'll see about making a >> patch to 2.5.5. >> >> Or, you can try the Beta release. > > Great.. thanks. I'll take a loot at beta release. > > regards > Lucas Brasilino > |
From: Murray S. K. <ms...@se...> - 2008-05-30 17:36:58
|
Please limit discussion of Beta issues to the dkim-milter-beta list. On Fri, 30 May 2008, Lucas Brasilino wrote: > I've got a problem when compiling dkim-filter 2.6.0beta1: > [...] A patch for this was posted to dkim-milter-beta. |
From: SM <sm...@re...> - 2008-05-30 05:12:40
|
Hi Lucas, At 20:30 29-05-2008, Lucas Brasilino wrote: >I've got a problem when compiling dkim-filter 2.6.0beta1: > >cc -o dkim-filter -lpthread -L/usr/lib -L/usr/lib config.o dkim-ar.o >dkim-arf.o dkim-db.o dkim-filter.o stats.o test.o util.o -lmilter > >/usr/local/src/dkim-milter-2.6.0.Beta1/obj.Linux.2.6.17-5mdv.i686/libdkim/libdkim.a >/usr/local/src/dkim-milter-2.6.0.Beta1/obj.Linux.2.6.17-5mdv.i686/libsm/libsm.a > -lresolv -lcrypt -lnsl -ldl -lssl -lcrypto >/usr/local/src/dkim-milter-2.6.0.Beta1/obj.Linux.2.6.17-5mdv.i686/libdkim/libdkim.a(dkim-test.o): >In function `dkim_test_key': >dkim-test.c:(.text+0x27c): undefined reference to `dkim_process_set' This compilation error will be fixed in the next Beta. Regards, -sm |
From: Lucas B. <luc...@gm...> - 2008-05-30 05:24:26
|
> Hi Lucas, Hi! > ... > This compilation error will be fixed in the next Beta. Ok, thanks. Regards Lucas Brasilino |