From: Willem K. <w.k...@gm...> - 2011-08-05 12:57:07

Hi there,

I have successfully implemented DKIM signing in my mailserver, but it only works when mail is delivered to it via SMTP. A lot of mail, however, comes in via the sendmail executable, for instance because of websites, webmail or applications sending out notices. I want that mail to be signed as well. Is it possible at all (like in postfix non-smtpd filters) or in any other way? In fact, I would like all outgoing mail to be signed.

Thanks

--
------------
Willem Kossen

From: Rolf E. S. <R.E...@so...> - 2011-08-05 20:53:26

Hi, Willem,

On 8/5/11 2:57 PM, Willem Kossen wrote:
> Hi there,
>
> I have successfully implemented dkim signing in my mailserver, but it
> only works when mail is delivered to it via smtp. A lot of mail
> however comes in via sendmail executable for instance because of
> websites, webmail or applications sending out notices. I want that
> mail to be signed as well. Is it possible at all (like in postfix
> non-smtpd filters) or in any other way? in fact, i would like all
> outgoing mail to be signed.

I'm not sure about the exact Sendmail configuration options you will need, but in general the following is important to keep in mind.

To minimize DKIM signature corruption, it is important to sign at the final step before delivery of the mail to a remote SMTP server. This is true for both mail that is to be signed and originates locally (via a web application or a command line script), as well as for mail you receive via SMTP which you have to sign before delivering it to its destination (e.g. the Internet).

Having said that, you will want to look for a Sendmail configuration that allows you to invoke the milter right before (or from within) the _outbound_ SMTP connection. You may have to define the milter in your ClientPortOptions setting, I'm not sure. Or switch to Postfix ;-)

BTW: I wonder whether you implemented DKIM signing using the dkim-milter milter software or using OpenDKIM? As you post your question on the dkim-milter-discuss list I suppose the former is true. I'd recommend to forget about dkim-milter and start using openDKIM (http://www.opendkim.org/) as dkim-milter is no longer maintained and its author dropped dkim-milter development and continued the dkim-milter work as the opendkim project.

Regards,
/rolf

From: Murray S. K. <ms...@cl...> - 2011-08-06 07:40:37

First, as Rolf said, you should switch to opendkim. This package has been unmaintained for over two years.

I just tried it with sendmail 8.14.4 and opendkim 2.4.2 (just released!), and it signed a message I sent using the sendmail shell interface rather than SMTP. Since that means sendmail does provide milter service to mail that's piped in, you should be able to get dkim-milter to do it too unless there was a bug in it in this regard.

You can always use LogWhy to track down why your mail isn't being signed. It might have something to do with a domain name mismatch in the mail you're feeding.

Good luck,
-MSK

From: Willem K. <w.k...@gm...> - 2011-08-08 11:09:11

Thanks for both your responses.

I made the switch, which was next to painless, but that didn't solve my problem. In fact, it seems stranger than I thought at first.

echo test | mail so...@ex... --> no signing
echo test | sendmail so...@ex... --> no signing
squirrelmail on same host sending a mail --> no signing
changed squirrelmail config to use smtp, --> no signing (?)
telnet to mailserver from other host on smtp port --> no signing???
telnet from server itself on smtp --> no signing ???
and now thunderbird using this server as smtp --> no signing /??????
sendEmail -s localhost -f bl...@ex... -t so...@ex... -u test -m test -v --> yes, signed

Now I can understand that the from addresses are different in some cases, but even with direct telnet to smtp, when I use from-domains listed in the opendkim.conf Domain statement, no luck.

It's probably something simple I'm missing, but I'm sure missing it... Any pointers?

(sendEmail is a command-line tool for sending mail over smtp which I use a lot)

Kind regards,
Willem Kossen

From: Willem K. <w.k...@gm...> - 2011-08-08 12:15:57

Ah, I think I figured it out...

What happens in many cases is that mail originates from user@localhost.localdomain. I didn't tell opendkim to sign mail from that domain. Still the mail ends up as @wkossen.nl in the recipient's mailbox, but sendmail didn't know that at the time the mail was delivered to it. During input, it was localhost.localdomain. Therefore no signing. Now I told opendkim in the config file that the domain localhost.localdomain should be signed and it worked.

And squirrelmail delivered mail as user@localhost (no localdomain). I added that domain too. This is far from ideal, a bit of a hack, but I guess it works.

Thanks for the help

From: Murray S. K. <ms...@cl...> - 2011-08-08 17:34:51

(Since you installed OpenDKIM instead, I'll Cc: that list and we should move this discussion over there.)

There are rewrite rules in the sendmail configuration that change the From: field (features called "masquerade" and "genericstable"). That's why it appears to be delivered with the From: field you expect. The problem is that those changes are made only after the filter has seen them, which is why you have to tell opendkim to sign for "localhost.localdomain" because that's what the filter sees.

In fact, you might want to check that the signatures are being validated, because they probably are failing since the data are essentially being changed in transit.

You will probably need either the "replace rules" feature to deal with this, or you'll need to arrange that your mail is generated with the final domain name in there and not "localhost.localdomain" to get it verifying properly.

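As an added illustration of the message above (not code from the thread or from OpenDKIM): a simplified Python model of why the filter skipped the piped mail, and why a From: rewrite applied after signing changes the data the signature covers. The Domain list, the sample messages, the exact-match rule and the SHA-256 stand-in for the signed header hash are assumptions; OpenDKIM's real signing decision depends on more settings than this.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the opendkim.conf "Domain" list.
SIGNING_DOMAINS = {"example.com"}

# Constructed messages modelled on the tests described in the thread.
PIPED = "From: www-data@localhost.localdomain\nTo: rcpt@example.org\nSubject: test\n\ntest\n"
WEBMAIL = "From: user@localhost\nTo: rcpt@example.org\nSubject: test\n\ntest\n"
SMTP = "From: app@example.com\nTo: rcpt@example.org\nSubject: test\n\ntest\n"

def from_domain(raw):
    """Domain of the From: header as the filter sees it at submission time."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()

def would_sign(raw, domains=SIGNING_DOMAINS):
    """Simplified model: sign only when the From: domain is listed exactly."""
    return from_domain(raw) in {d.lower() for d in domains}

def relaxed_header(name, value):
    """RFC 6376 'relaxed' canonicalization of a single header field."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def header_digest(raw, fields=("from", "to", "subject")):
    """SHA-256 over the canonicalized fields; a stand-in for the signed header hash."""
    msg = message_from_string(raw)
    digest = hashlib.sha256()
    for field in fields:
        if msg[field] is not None:
            digest.update(relaxed_header(field, msg[field]).encode())
    return digest.hexdigest()

def masquerade(raw, local, public):
    """Model a From: domain rewrite that happens after the filter has run."""
    pattern = r"(?im)^(From:.*@)" + re.escape(local) + r"(?![\w.-])"
    return re.sub(pattern, lambda m: m.group(1) + public, raw)

if __name__ == "__main__":
    for label, raw in (("piped", PIPED), ("webmail", WEBMAIL), ("smtp", SMTP)):
        print(f"{label:8} From domain={from_domain(raw):22} sign={would_sign(raw)}")
    delivered = masquerade(PIPED, "localhost.localdomain", "example.com")
    print("digest unchanged by rewrite:", header_digest(PIPED) == header_digest(delivered))
```

Adding localhost.localdomain to the list makes the model sign the piped message, but the digest of the delivered copy still differs from the digest of what was signed.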
From: Willem K. <w.k...@gm...> - 2011-08-09 13:16:31

I checked, the keys seem to validate (although I don't really understand how). I used the autoresponder checking e-mail addresses on some sites.

I don't think I have feature masquerade activated in sendmail, but I'll check.

In fact it is a bit of a problem to tell daemons on ux to not use localhost.localdomain. I solved that for squirrelmail by editing the userprofile to show the correct reply-to address.
