From: SM <sm...@re...> - 2008-01-04 17:41:12
Hi Andrew,

At 02:42 04-01-2008, Andrew Haveland-Robinson wrote:
>I wanted to use DKIM with Sendmail on Fedora 7. Easy, I thought, just do the
>following:
>
>1. yum install dkim-filter (+dependencies)
>2. create keys
>3. edit a couple of template files
>4. update dns txt records
>5 /etc/init.d/named reload
>5 /etc/init.d/dkim-filter start
>6 /etc/init.d/sendmail (or MailScanner) restart
>
>Max 30 mins work.

It's usually less than 30 minutes work if your system has the prerequisites, i.e. sendmail 8.13.x built with MILTER support, the milter library and OpenSSL version 0.9.8 or later. I think that Tony has an RPM for dkim-milter. I'm not sure whether it's for x86_64.

>However, life is rarely so simple.
>yum search dkim didn't find anything.
>
>So, based on what I could find, I ended up here. Downloaded dkim-filter
>2.4.1 and went on an epic voyage of discovery into the RFCs and other stuff.
>I just want to install, configure and run the thing!

The latest version of dkim-milter is 2.4.2. Dkim-milter can work out of the box. It's useful to know the DKIM specifications if you want to turn the knobs.

>Anyway. I thought compilation would be straightforward, but no. More
>unfamiliar stuff to read. I dutifully read the site.config.m4.dist, copied
>to devtools/Site/site.config.m4 and hoped to make some intelligent decisions
>on what options to enable.
>
> # ./Build
>...
>
>Making all in:
>
>/etc/mail/dkim/dkim-milter-2.4.1/dkim-filter
>
>Configuration: pfx=, os=Linux, rel=2.6.23.1-10.fc7, rbase=2,
> rroot=2.6.23.1-10, arch=x86_64, sfx=, variant=optimized
>
>Using M4=/usr/bin/m4
>
>Creating
> /etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
> using /etc/mail/dkim/dkim-milter-2.4.1/devtools/OS/Linux
>
>Making dependencies in
> /etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>
>make[1]: Entering directory
> `/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>
>rm -f sm_os.h
>
>ln -f -s ../../include/sm/os/sm_os_linux.h sm_os.h
>
>cc -M -I. -I../../include -I../libdkim/ -D_REENTRANT config.c
> dkim-ar.c dkim-filter.c stats.c test.c
> util.c dkim-testkey.c dkim-testssp.c >> Makefile
>
>In file included from config.h:23,
>
> from config.c:20:
>
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory

You don't have the libmilter library installed.

[snip]

>I started the script with
>/etc/init.d/dkim-filter start
>and it worked, eg:
>
>Jan 4 10:58:10 gaia dkim-filter[6033]: Sendmail DKIM Filter
> v2.4.1 starting (args: -x /etc/mail/dkim.conf)
>
>It even adds signatures to my messages (hopefully to this one), but silently
>crashes regularly without any indication on processing a simple locally
>generated mail from a perl script and/or/exor from logwatch or virus
>notification from MailScanner. eg:
>
>DKIMDEBUG=ct :
>
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260:
> from=<ab...@ha...>, size=1780, class=0, nrcpts=1,
> msgid=<200...@ga...>, proto=ESMTP,
> daemon=MTA, relay=localhost [127.0.0.1]
>
>Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 header
>
>Jan 3 02:57:18 gaia last message repeated 6 times
>
>Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 eoh
>
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260:
> milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
>
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: Milter
> (dkim-filter): to error state
>
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260:
> to=<ab...@rr...>, delay=00:00:00, mailer=esmtp, pri=31780, stat=queued

What's the output of dkim-filter -V ?

>I have spent the last couple of days trying to solve this
>The only relevant information I found was Jim Hermann's useful message and
>thread last month
>http://www.mail-archive.com/dki...@li.../msg00409.html
>
>I'm disappointed, disillusioned and frustrated in trying to nail jelly to a
>wall... This doesn't say anything useful at all!
>
>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5

The problem was identified at http://www.mail-archive.com/dki...@li.../msg00424.html

You may be experiencing a different problem even if the syslog line in that post is similar to yours.

>It only seems to happen by locally generated mail, sometimes it even seemed
>as if having a Reply-To: field influenced its crash frequency, but without
>real diagnostic tools, skills and a lot of time, I can't solve it. I'm an
>experienced sysadmin, not a C programmer! Programmers should try to make all
>our lives easier! :-)

Dkim-filter crashed while it attempted to sign an email. The programmers try to make your life easier by trying to figure out what's going on from the information you provided. :-)

>I want to get this working reliably and dependably on a few production
>systems, and know what options to compile with and what settings to use for
>Fedora, but I'm now stumped.

The "default" build options and the site.config.m4.dist sample should be enough to get dkim-milter working. You do need to adjust the OpenSSL settings before compiling.

>When it does work, another gripe is this padding too short error, which may
>or may not be a reason for the verification failure:
>
>Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080 SSL
> error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding
> too short; error:04077068:rsa routines:RSA_verify:bad signature
>
>Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080: bad signature data
>
>Jan 4 08:14:35 gaia sendmail[10080]: m047EY6O010080: Milter
> insert (1): header: Authentication-Results: gaia.haveland.com;
> dkim=neutral (verification failed) header.i=@gmail.com
>
>How can a gmail signature fail verification? What did it fail on? What is
>the "i" in "header.i" ?

Why should a gmail signature pass verification? :-)

For the record, it does if the data in the message body is not modified after DKIM signing.

>It was a mysql mailing list, so perhaps other headers got in the way, but
>this isn't what I would call a robust solution! Omitheaders command in
>dkim.conf seems to be a blanket fudge.

The mysql mailing list appends a footer to each message and that invalidates the DKIM signature, hence the verification failure. The "header" refers to the message header and the "i" is the DKIM identity.

OmitHeaders specifies which message headers should not be signed. You can leave that setting blank usually.

Regards,
-sm