Re: [courier-users] zdkimfilter
Hi Lucio,

On Mon 05/Oct/2015 17:53:50 +0200 Lucio Crusca wrote:
>
> I'm trying to add DKIM signatures to outgoing messages. I've followed this
> guide [1], but my feeling is that nothing is happening, as far as DKIM is
> concerned.

You should see a DKIM-Signature on outgoing mail, e.g. if you send to yourself.

> How do I test my setup?

There are a number of autoresponders:

sa-t...@sendmail.net
check-a...@verifier.port25.com
autorespond+d...@dk.elandsys.com
t...@dkimtest.jason.long.name
dkt...@exhalus.net
dkim-t...@altn.com
dkt...@blackops.org

In addition, you may test using Gmail and Yahoo! accounts, and the following three web sites:

http://www.brandonchecketts.com/emailtest.php
http://www.appmaildev.com/en/dkim/
http://9vx.org/~dho/dkim_validate.php

> Are there any logs that tell me what zdkimfilter is doing?

Logging goes through courierlogger (via stderr pipe), so you should see it in your mail log. You may adjust verbosity (see man zdkimfilter.conf).

> 1. http://www.tana.it/sw/zdkimfilter/v-0.5.shtml#setup

Some points in that guide are obsolete. Specifically, "stats" are gone, the "dkim-reputation" site is dead, there is an additional "ALLOW_EXCLUSIVE" setting (also mentioned in that man page). Most changes are about verifying, though. Signing should be quite straightforward.

Hth
Ale
--
___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
[courier-users] zdkimfilter
Hello,

I'm trying to add DKIM signatures to outgoing messages. I've followed this guide [1], but my feeling is that nothing is happening, as far as DKIM is concerned.

How do I test my setup?

Are there any logs that tell me what zdkimfilter is doing?

1. http://www.tana.it/sw/zdkimfilter/v-0.5.shtml#setup
[courier-users] zdkimfilter 1.5 with DMARC support
RFC 7489 was published last month. Using zdkimfilter 1.5 it is easy to meet DMARC minimum implementation requirements --section 8 of the RFC. That section stresses the ability to send and receive reports, which is the most noteworthy addition with respect to ADSP. It makes mail servers of different domains interact with one another. Now, I'm not so clever as to tell exactly what should be memorized and for how long, but I'm more and more convinced that a database of peers is necessary for SMTP to operate sensibly.

Personally, I BCC outgoing DMARC reports to myself, and read them using the XSLT at http://www.tana.it/sw/dmarc-xsl/. When I get the feeling that only phishes fail DMARC check, I enable DMARC for that domain. ADSP can be enabled per domain too, in the new version. In the other cases, when DMARC fails amiss, I'm comforted that remote domains hear my voice, however statistically irrelevant it may be.

For incoming reports, there is no way to publish per-domain policies, so there's not much to decide. I'm open to suggestions.

Version 1.5 also fixes a couple of issues, long From:, garbled logs. There are some additional requirements, see release notes.

Feel like giving it a try? http://www.tana.it/sw/zdkimfilter/

Ale
[courier-users] zdkimfilter 1.3
The new version can interoperate better with other filters, as it can reject/drop based on a header added by another filter, or install with a different name so that another filter can reject/drop based on DKIM verification. See more detail at http://www.tana.it/sw/zdkimfilter/

Still no DMARC options. DMARC is such a mess that it makes DKIM look stable in comparison. It hinges on the Public Suffix List, which is an admirable endeavor but certainly not a precisely defined, algorithmic determination. And it is still unable to tell mailing lists apart, of course.

Merry holidays
Ale
Re: [courier-users] zdkimfilter dkim=fail while SpamAssassin says DKIM=pass
On Fri 26/Jul/2013 22:08:58 +0200 Anders wrote:
> By chance I compared the dkim=fail against what SpamAssassin said:
>
> == courier log
> Jul 26 21:45:47 e350 courierfilter: zdkimfilter[12888]:id=00C804FC.51F2D1E6.3235: verified: dkim=fail (id=@dkim-reputation.org, body hash mismatch, stat=1) rep=0
>
> == SpamAssassin log
> Jul 26 21:45:43 e350 spamd[19824]: spamd: processing message 5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org for mail:8
> Jul 26 21:45:47 e350 spamd[19824]: spamd: clean message (1.8/5.0) for mail:8 in 3.8 seconds, 14419 bytes.
> Jul 26 21:45:47 e350 spamd[19824]: spamd: result: . 1 - BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_16,HTML_MESSAGE scantime=3.8,size=14419,user=mail,uid=8,required_score=5.0,rhost=e350.lan.lechevalier.se,raddr=127.0.0.1,rport=48478,mid=5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org,bayes=0.499952,autolearn=no

That's an unusual result. It might happen that a message gets corrupted, and subsequent verifications fail. The other way around is very unlikely.

> What does body hash mismatch mean? Perhaps there are some headers not checked by SA but are checked with zdkimfilter?

The body hash is SHA-1 of the body, ignoring empty lines at the end of it (simple hashing algorithm). Zdkimfilter assumes Unix-style line endings and reinserts CR chars at line ends.

> Spamassassin is run through pythonfilter-1.8. I believe pythonfilter might be run first as it is doing greyfiltering.

Does it alter the body?

> Are the added headers from SpamAssassin the culprit?

Nope. The signed header fields are those indicated by the h= tag. In this case: to, subject, date, from, reply-to, message-id, mime-version, and content-type.

back later...
Re: [courier-users] zdkimfilter dkim=fail while SpamAssassin says DKIM=pass
On Mon 29/Jul/2013 09:12:12 +0200 I wrote:
> On Fri 26/Jul/2013 22:08:58 +0200 Anders wrote:
>> By chance I compared the dkim=fail against what SpamAssassin said:
>>
>> == courier log
>> Jul 26 21:45:47 e350 courierfilter: zdkimfilter[12888]:id=00C804FC.51F2D1E6.3235: verified: dkim=fail (id=@dkim-reputation.org, body hash mismatch, stat=1) rep=0
>>
>> == SpamAssassin log
>> Jul 26 21:45:43 e350 spamd[19824]: spamd: processing message 5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org for mail:8
>> Jul 26 21:45:47 e350 spamd[19824]: spamd: clean message (1.8/5.0) for mail:8 in 3.8 seconds, 14419 bytes.
>> Jul 26 21:45:47 e350 spamd[19824]: spamd: result: . 1 - BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_16,HTML_MESSAGE scantime=3.8,size=14419,user=mail,uid=8,required_score=5.0,rhost=e350.lan.lechevalier.se,raddr=127.0.0.1,rport=48478,mid=5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org,bayes=0.499952,autolearn=no
>
> That's an unusual result. It might happen that a message gets corrupted, and subsequent verifications fail. The other way around is very unlikely.
>
>> What does body hash mismatch mean? Perhaps there are some headers not checked by SA but are checked with zdkimfilter?
>
> The body hash is SHA-1 of the body, ignoring empty lines at the end of it (simple hashing algorithm). Zdkimfilter assumes Unix-style line endings and reinserts CR chars at line ends.
>
>> Spamassassin is run through pythonfilter-1.8. I believe pythonfilter might be run first as it is doing greyfiltering.
>
> Does it alter the body?
>
>> Are the added headers from SpamAssassin the culprit?
>
> Nope. The signed header fields are those indicated by the h= tag. In this case: to, subject, date, from, reply-to, message-id, mime-version, and content-type.
>
> back later...

Sorry for the interruption. That was almost it, anyway: it is not possible to say what part, if any, of the body was altered without having two copies of the message. If the reason is that SA does, say, some UTF-8 rewriting of some text, verification would have to be anticipated --the leading 'z' isn't helpful in this respect.
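The body-hash check discussed in the two replies above, as an added example (not part of the original posts and not zdkimfilter's own code). It recomputes bh= per RFC 6376 for a signature with a=rsa-sha1; c=relaxed (relaxed header, simple body), and, given two copies of a message, reports the first body line that differs. The message bodies, the example.org domain and the function names are constructed for illustration.

```python
"""Recompute the DKIM body hash (bh=) to investigate a "body hash mismatch"."""
import base64
import hashlib
import re


def parse_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376, section 3.2)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            # Folding whitespace inside values such as h=, bh= and b= is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def to_crlf(body):
    """Reinsert CR at line ends, as needed when the spool copy uses bare LF."""
    return re.sub(rb"\r?\n", b"\r\n", body)


def canon_simple(body):
    """'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    return re.sub(rb"(\r\n)+\Z", b"", to_crlf(body)) + b"\r\n"


def canon_relaxed(body):
    """'relaxed' body canonicalization: also normalises whitespace inside lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ")
             for ln in to_crlf(body).split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body, tags):
    """Base64 digest that a verifier compares with the signature's bh= tag."""
    algo = "sha1" if tags["a"].endswith("sha1") else "sha256"
    c = tags.get("c", "simple/simple")
    # A single word in c= names the header algorithm; the body then defaults to simple.
    body_canon = c.split("/")[1] if "/" in c else "simple"
    data = canon_relaxed(body) if body_canon == "relaxed" else canon_simple(body)
    if "l" in tags:  # optional body length limit
        data = data[: int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, data).digest()).decode()


def verify_body(body, header_value):
    """True when the recomputed hash equals the bh= tag of the signature."""
    tags = parse_tags(header_value)
    return body_hash(body, tags) == tags["bh"]


def first_difference(before, after, canon=canon_simple):
    """With two copies of the body, return the 1-based line where they diverge."""
    a, b = canon(before).split(b"\r\n"), canon(after).split(b"\r\n")
    for n, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return n
    return None if len(a) == len(b) else min(len(a), len(b)) + 1


def make_header(body, c):
    """Constructed signer side: same tag layout as the header quoted in the thread."""
    bh = body_hash(body, {"a": "rsa-sha1", "c": c})
    return ("v=1; a=rsa-sha1; c=%s; d=example.org;\r\n\th=to:subject:date:from;"
            " s=default; bh=%s" % (c, bh))


# Constructed sample bodies (not taken from the message in the thread).
SIGNED_BODY = b"Hello,\r\n\r\nthis  is a test.\r\n"
SPOOL_COPY = b"Hello,\n\nthis  is a test.\n\n\n"   # bare LF, extra trailing blank lines
REWRITTEN = b"Hello,\n\nthis is a test.\n"         # a filter collapsed the double space

HEADER = make_header(SIGNED_BODY, "relaxed")               # body canonicalization: simple
HEADER_RR = make_header(SIGNED_BODY, "relaxed/relaxed")    # body canonicalization: relaxed

if __name__ == "__main__":
    print("spool copy verifies:      ", verify_body(SPOOL_COPY, HEADER))
    print("rewritten copy verifies:  ", verify_body(REWRITTEN, HEADER))
    print("... under relaxed/relaxed:", verify_body(REWRITTEN, HEADER_RR))
    print("first differing line:     ", first_difference(SIGNED_BODY, REWRITTEN))
```
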
[courier-users] zdkimfilter dkim=fail while SpamAssassin says DKIM=pass
So far, since I got zdkimfilter to work properly I have received some dkim=pass (usually from gmail) and some dkim=fails.. All seems ok.

By chance I compared the dkim=fail against what SpamAssassin said:

== courier log
Jul 26 21:45:47 e350 courierfilter: zdkimfilter[12888]:id=00C804FC.51F2D1E6.3235: verified: dkim=fail (id=@dkim-reputation.org, body hash mismatch, stat=1) rep=0
Jul 26 21:45:47 e350 courierfilter: zdkimfilter[12888]:id=00C804FC.51F2D1E6.3235: response: 250 Ok.
Jul 26 21:45:47 e350 courierd: newmsg,id=00C804FC.51F2D1E6.3235: dns; repsys.dkim-reputation.org (repsys.dkim-reputation.org [:::46.4.178.182])
Jul 26 21:45:47 e350 courierd: started,id=00C804FC.51F2D1E6.3235,from=www-d...@dkim-reputation.org,module=local,host=and...@lechevalier.se!!8!12!/var/mail/domains/lechevalier.se/anders!!,addr=and...@lechevalier.se
Jul 26 21:45:47 e350 courierd: Waiting. shutdown time=none, wakeup time=none, queuedelivering=1, inprogress=1
Jul 26 21:45:47 e350 courierlocal: id=00C804FC.51F2D1E6.3235,from=www-d...@dkim-reputation.org,addr=and...@lechevalier.se,size=14751,success: Message delivered.
Jul 26 21:45:47 e350 courierd: completed,id=00C804FC.51F2D1E6.3235
==

== SpamAssassin log
Jul 26 21:45:43 e350 spamd[19824]: spamd: processing message 5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org for mail:8
Jul 26 21:45:47 e350 spamd[19824]: spamd: clean message (1.8/5.0) for mail:8 in 3.8 seconds, 14419 bytes.
Jul 26 21:45:47 e350 spamd[19824]: spamd: result: . 1 - BAYES_50,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_16,HTML_MESSAGE scantime=3.8,size=14419,user=mail,uid=8,required_score=5.0,rhost=e350.lan.lechevalier.se,raddr=127.0.0.1,rport=48478,mid=5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org,bayes=0.499952,autolearn=no
==

What does body hash mismatch mean? Perhaps there are some headers not checked by SA but are checked with zdkimfilter?

Spamassassin is run through pythonfilter-1.8. I believe pythonfilter might be run first as it is doing greyfiltering.

Are the added headers from SpamAssassin the culprit?

These are the headers from the email above

==
Delivered-To: and...@lechevalier.se
Return-Path: www-d...@dkim-reputation.org
Authentication-Results: e350; dkim=fail (body hash mismatch) header.i=@dkim-reputation.org
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on e350.lan.lechevalier.se
X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=5.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HTML_IMAGE_ONLY_16,HTML_MESSAGE autolearn=no version=3.3.2
Received: from repsys.dkim-reputation.org (repsys.dkim-reputation.org [:::46.4.178.182]) by e350 with ESMTP; Fri, 26 Jul 2013 21:45:42 +0200 id 00C804FC.51F2D1E6.3235
Received-SPF: none (Address does not pass the Sender Policy Framework) SPF=MAILFROM; sender=www-d...@dkim-reputation.org; remoteip=:::46.4.178.182; remotehost=repsys.dkim-reputation.org; helo=repsys.dkim-reputation.org; receiver=mail.tnonline.net;
Received: from repsys.dkim-reputation.org (localhost [127.0.0.1]) by repsys.dkim-reputation.org (Postfix) with ESMTP id 5C210398384 for and...@lechevalier.se; Fri, 26 Jul 2013 21:38:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=dkim-reputation.org; h=to :subject:date:from:reply-to:message-id:mime-version:content-type ; s=default; bh=Zbv3XTgeAhngG+jukxXJGBaEkcA=; b=eYMOEw2x9oUjhWgh MMBsrGuxNzz8MH8OAPpf7aRWvn0LtSBc93wXeSFqIe1LginJBp0VuGR9OaReUNH8 3D7ZRo/b03lPv9FWilixpc3vYEmlMIdSxUxbrY2uKrao/DsMoc3+xOlPppRRZPZa MnbvRRZodqNEmyLAaGu626ME9Hc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=dkim-reputation.org; h=to:subject :date:from:reply-to:message-id:mime-version:content-type; q=dns; s=default; b=I/0X89H+UeDCXaLgwxI33JhjCuIIJpgfPtuzWK0XZyTCybtFX6 A6SfGecLWCPZpm2XofNtD4wkWMdfK7X4H9NFKWkgem5lUdapGKWFmFsdazDh+TPM FoU77hgQr1eiljuaUq9C4WpuERorZxyn3jP7UG3DMATnZNxSgCBCY/LdM=
Received: by repsys.dkim-reputation.org (Postfix, from userid 33) id 5497B3983D1; Fri, 26 Jul 2013 21:38:30 +0200 (CEST)
To: and...@lechevalier.se
Subject: Proposal for DKIM-Reputation-Project [f688b566190ceed5d63f440b7dc3b38e67d68b04]
Date: Fri, 26 Jul 2013 19:38:30 +
From: DKIM Reputation Project i...@dkim-reputation.org
Reply-to: DKIM Reputation Project submit-dom...@dkim-reputation.org
Message-ID: 5873b4b23ff3d57de56472c8c0240...@www.dkim-reputation.org
X-Priority: 3
MIME-Version: 1.0
Content-Type: multipart/related; type=text/html; boundary=b1_5873b4b23ff3d57de56472c8c0240f9e
Received-SPF: none
Re: [courier-users] zdkimfilter
Hi,

On Wed 24/Jul/2013 00:17:17 +0200 Anders wrote:
> So, now comes to testing it all... To summarize, no mails are signed because I think that zdkimfilter can't find anything suitable to match domain/selector against. What can be the cause?

I think that's because you set RELAYCLIENT based on the IP address, and have no authsender in the control file (a control record starting with 'i'). The signing domain is derived from the user id, if it has a '@'. Courier can work both ways, zdkimfilter should do so as well.

> I have a test.mail file
> ==
> Message-ID: 51eee029.8070...@lechevalier.se
> Date: Tue, 23 Jul 2013 21:57:29 +0200
> From: Anders and...@lechevalier.se
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
> MIME-Version: 1.0
> To: anders crimsoncott...@gmail.com
> Subject: test
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
>
> test
> ==
>
> I run dkimsign test.mail and get the following output:
> ==
> WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: compile=0X2020200 link=0X2080400

(That warning is due to a mismatch between libopendkim-dev and the actual libopendkim library. It might cause hiccups when verifying signatures --not the current issue.

> INFO: zfilter: zdkimfilter: running for dkimsign on 1 ctl + 1 mail files
> INFO: zfilter: zdkimfilter[27854]: started child
> DEBUG: zfilter: zdkimfilter[27854]:reading 2 names completed by first call
> INFO: zfilter: zdkimfilter[27854]:id=dkimsign: not signing for postmaster: no domain
> INFO: zfilter: zdkimfilter[27854]:id=dkimsign: response: 250 not filtered.
> ==
>
> What is the mismatched library versions? dkimsign doesn't see the domain in FROM: or Message-ID: fields. Is this normal? I run dkimsign --domain lechevalier.se test.mail

Yes, dkimsign needs the domain to create a control file similar to those supplied by Courier.

> zdkimfilter.conf:
> ==
> all_mode = Y
> verbose = 8
> domain_keys = /etc/courier/filters/keys
> selector = s
> ==

That looks fine. A default_domain = lechevalier.se would be needed only if it is needed for Courier too. That is, if your Courier user id is anders rather than and...@lechevalier.se.

> I have a symlink /etc/courier/filters/keys/lechevalier.se -> s.private

Correct.

> So, when sending emails, I get only the following in my mail log:
> ==
> Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]: started child
> Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]:reading 2 names completed by first call
> Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]:id=00C81E83.51EEFF26.720B: response: 250 not filtered.
> ==
>
> I'm at a loss now what could be the root cause here. How can I debug this problem? It seems as the verbosity in the log is too low, even though I have verbosity=8.

You should have got at least a not signing for /user id/: no /something/ message if it had entered signing mode. That's why I think you don't authenticate on sending. Please confirm that. I'll add a message for that case anyway.
Re: [courier-users] zdkimfilter
Hi,

I'll comment in-line. I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler is gcc 4.7.3

Thank you very much.
~A

On 2013-07-24 11:13, Alessandro Vesely wrote:
> Hi,
>
> On Wed 24/Jul/2013 00:17:17 +0200 Anders wrote:
>> So, now comes to testing it all... To summarize, no mails are signed because I think that zdkimfilter can't find anything suitable to match domain/selector against. What can be the cause?
>
> I think that's because you set RELAYCLIENT based on the IP address, and have no authsender in the control file (a control record starting with 'i'). The signing domain is derived from the user id, if it has a '@'. Courier can work both ways, zdkimfilter should do so as well.

I am using courier with virtual users mapped through mysql. The full email address is the user name. What is a control record, and where/how do I find how they are created and looks like?

>> I have a test.mail file
>> ==
>> Message-ID: 51eee029.8070...@lechevalier.se
>> Date: Tue, 23 Jul 2013 21:57:29 +0200
>> From: Anders and...@lechevalier.se
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
>> MIME-Version: 1.0
>> To: anders crimsoncott...@gmail.com
>> Subject: test
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>> Content-Transfer-Encoding: 7bit
>>
>> test
>> ==
>>
>> I run dkimsign test.mail and get the following output:
>> ==
>> WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: compile=0X2020200 link=0X2080400
>
> (That warning is due to a mismatch between libopendkim-dev and the actual libopendkim library. It might cause hiccups when verifying signatures --not the current issue.

OK, does this happen at compile time, or is it something predefined by zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but I actually have only opendkim 2.8.4 installed (Gentoo mail-filter/opendkim-2.8.4).

# ls -l /usr/lib64/libopendkim*
lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> libopendkim.so.9.0.1
lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 -> libopendkim.so.9.0.1
-rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1

I did notice a segmentation fault with courier/zdkimfilter once I have started with filterctl. It happens on every received email:

Jul 24 13:09:14 e350 courieresmtpd: started,ip=[:::216.34.181.88]
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
Jul 24 13:09:17 e350 courieresmtpd: error,relay=:::216.34.181.88,from=courier-users-boun...@lists.sourceforge.net: 432 Mail filters temporarily unavailable.
Jul 24 13:09:17 e350 submit: Bad file descriptor
Jul 24 13:09:17 e350 submit: Connection closed when processing:
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names completed by first call
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:id=00C804F7.51EFB5DC.36A7: verifying dkim_eoh: No signature (stat=2)

...and kernel log

[2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
[2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]

>> INFO: zfilter: zdkimfilter: running for dkimsign on 1 ctl + 1 mail files
>> INFO: zfilter: zdkimfilter[27854]: started child
>> DEBUG: zfilter: zdkimfilter[27854]:reading 2 names completed by first call
>> INFO: zfilter: zdkimfilter[27854]:id=dkimsign: not signing for postmaster: no domain
>> INFO: zfilter: zdkimfilter[27854]:id=dkimsign: response: 250 not filtered.
>> ==
>>
>> What is the mismatched library versions? dkimsign doesn't see the domain in FROM: or Message-ID: fields. Is this normal? I run dkimsign --domain lechevalier.se test.mail
>
> Yes, dkimsign needs the domain to create a control file similar to those supplied by Courier.

OK, so all seems OK so far then?

>> zdkimfilter.conf:
>> ==
>> all_mode = Y
>> verbose = 8
>> domain_keys = /etc/courier/filters/keys
>> selector = s
>> ==
>
> That looks fine. A default_domain = lechevalier.se would be needed only if it is needed for Courier too. That is, if your Courier user id is anders rather than and...@lechevalier.se.

No, default domain would not work since courier is providing email for several different domain names. But, each user must login with the full email address. Login is over TLS or SSL connection.

>> I have a symlink /etc/courier/filters/keys/lechevalier.se -> s.private
>
> Correct.
>
>> So, when sending emails, I get only the following in my mail log:
>> ==
>> Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]: started child
>> Jul 24 00:09:42 e350
Re: [courier-users] zdkimfilter
On Wed 24/Jul/2013 13:39:37 +0200 Anders wrote:
> I'll comment in-line.

Yup :-)

> I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler is gcc 4.7.3

I haven't been able to find that version --see below.

>> I think that's because you set RELAYCLIENT based on the IP address, and have no authsender in the control file (a control record starting with 'i'). The signing domain is derived from the user id, if it has a '@'. Courier can work both ways, zdkimfilter should do so as well.
>
> I am using courier with virtual users mapped through mysql. The full email address is the user name.

So do I.

> What is a control record, and where/how do I find how they are created and looks like?

Control files only exist in the mail queue. They are named Cnnn and correspond to the Dnnn mail file with the same number. They are loosely documented in http://www.courier-mta.org/queue.html

>>> I run dkimsign test.mail and get the following output:
>>> ==
>>> WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: compile=0X2020200 link=0X2080400
>>
>> (That warning is due to a mismatch between libopendkim-dev and the actual libopendkim library. It might cause hiccups when verifying signatures --not the current issue.
>
> OK, does this happen at compile time, or is it something predefined by zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but I actually have only opendkim 2.8.4 installed (Gentoo mail-filter/opendkim-2.8.4).

Yes, it is a compile time conditional. I checked

http://packages.gentoo.org/package/mail-filter/opendkim
http://packages.gentoo.org/package/mail-filter/zdkimfilter

I found opendkim-2.8.4 (that was released on the 16th this month), but zdkimfilter-1.1 not 1.2

The opendkim-2.2.2 version they used to build zdkimfilter seems to be lost.

> # ls -l /usr/lib64/libopendkim*
> lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> libopendkim.so.9.0.1
> lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 -> libopendkim.so.9.0.1
> -rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1
>
> I did notice a segmentation fault with courier/zdkimfilter once I have started with filterctl. It happens on every received email:
>
> Jul 24 13:09:14 e350 courieresmtpd: started,ip=[:::216.34.181.88]
> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
> Jul 24 13:09:17 e350 courieresmtpd: error,relay=:::216.34.181.88,from=courier-users-boun...@lists.sourceforge.net: 432 Mail filters temporarily unavailable.
> Jul 24 13:09:17 e350 submit: Bad file descriptor
> Jul 24 13:09:17 e350 submit: Connection closed when processing:
> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names completed by first call
> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:id=00C804F7.51EFB5DC.36A7: verifying dkim_eoh: No signature (stat=2)
>
> ...and kernel log
>
> [2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
> [2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]

We should file a bug report. I would have done it myself if the version matched. There is a function, dkim_policy(), which takes three parameters in opendkim 2.2.2, but takes four in version 2.8.4. Depending on the optimizations used at compile time, it might cause such behavior. In fact, zdkimfilter calls that function when it verifies signatures in received messages.

>>> I run dkimsign --domain lechevalier.se test.mail
>>
>> Yes, dkimsign needs the domain to create a control file similar to those supplied by Courier.
>
> OK, so all seems OK so far then?

Yeah, I use dkimsign that way to sign messages going out through sqwebmail. Possibly, you could prepend it to the mail pipe, until this issue is cleared.

>> You should have got at least a not signing for /user id/: no /something/ message if it had entered signing mode. That's why I think you don't authenticate on sending. Please confirm that. I'll add a message for that case anyway.
>
> No all users must authenticate to be able to send emails (relaying denied otherwise). It could be that my courier config is completely wrong, should I post it here? In that case, which of the config files are interesting for you? Output from sending a test email from and...@lechevalier.se to crimsoncott...@gmail.com. At least from= is clearly defined in the log file.

There is a key_choice_header parameter that can be tweaked in order to derive the signing domain. Currently, it can be derived from a header field, from the authenticated user-id, or from the default domain. Hence it misses the
Re: [courier-users] zdkimfilter
On 2013-07-24 18:10, Alessandro Vesely wrote:
> On Wed 24/Jul/2013 13:39:37 +0200 Anders wrote:
>> I'll comment in-line.
>
> Yup :-)
>
>> I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler is gcc 4.7.3
>
> I haven't been able to find that version --see below.
>
>>> I think that's because you set RELAYCLIENT based on the IP address, and have no authsender in the control file (a control record starting with 'i'). The signing domain is derived from the user id, if it has a '@'. Courier can work both ways, zdkimfilter should do so as well.
>>
>> I am using courier with virtual users mapped through mysql. The full email address is the user name.
>
> So do I.
>
>> What is a control record, and where/how do I find how they are created and looks like?
>
> Control files only exist in the mail queue. They are named Cnnn and correspond to the Dnnn mail file with the same number. They are loosely documented in http://www.courier-mta.org/queue.html
>
>>>> I run dkimsign test.mail and get the following output:
>>>> ==
>>>> WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: compile=0X2020200 link=0X2080400
>>>
>>> (That warning is due to a mismatch between libopendkim-dev and the actual libopendkim library. It might cause hiccups when verifying signatures --not the current issue.
>>
>> OK, does this happen at compile time, or is it something predefined by zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but I actually have only opendkim 2.8.4 installed (Gentoo mail-filter/opendkim-2.8.4).
>
> Yes, it is a compile time conditional. I checked
>
> http://packages.gentoo.org/package/mail-filter/opendkim
> http://packages.gentoo.org/package/mail-filter/zdkimfilter
>
> I found opendkim-2.8.4 (that was released on the 16th this month), but zdkimfilter-1.1 not 1.2
>
> The opendkim-2.2.2 version they used to build zdkimfilter seems to be lost.

I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1. Should I downgrade opendkim-2.2.2?

>> # ls -l /usr/lib64/libopendkim*
>> lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> libopendkim.so.9.0.1
>> lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 -> libopendkim.so.9.0.1
>> -rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1
>>
>> I did notice a segmentation fault with courier/zdkimfilter once I have started with filterctl. It happens on every received email:
>>
>> Jul 24 13:09:14 e350 courieresmtpd: started,ip=[:::216.34.181.88]
>> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
>> Jul 24 13:09:17 e350 courieresmtpd: error,relay=:::216.34.181.88,from=courier-users-boun...@lists.sourceforge.net: 432 Mail filters temporarily unavailable.
>> Jul 24 13:09:17 e350 submit: Bad file descriptor
>> Jul 24 13:09:17 e350 submit: Connection closed when processing:
>> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names completed by first call
>> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:id=00C804F7.51EFB5DC.36A7: verifying dkim_eoh: No signature (stat=2)
>>
>> ...and kernel log
>>
>> [2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
>> [2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
>
> We should file a bug report. I would have done it myself if the version matched. There is a function, dkim_policy(), which takes three parameters in opendkim 2.2.2, but takes four in version 2.8.4. Depending on the optimizations used at compile time, it might cause such behavior. In fact, zdkimfilter calls that function when it verifies signatures in received messages.
>
>>>> I run dkimsign --domain lechevalier.se test.mail
>>>
>>> Yes, dkimsign needs the domain to create a control file similar to those supplied by Courier.
>>
>> OK, so all seems OK so far then?
>
> Yeah, I use dkimsign that way to sign messages going out through sqwebmail. Possibly, you could prepend it to the mail pipe, until this issue is cleared.
>
>>> You should have got at least a not signing for /user id/: no /something/ message if it had entered signing mode. That's why I think you don't authenticate on sending. Please confirm that. I'll add a message for that case anyway.
>>
>> No all users must authenticate to be able to send emails (relaying denied otherwise). It could be that my courier config is completely wrong, should I post it here? In that case, which of the config files are interesting for you? Output from sending a test email from and...@lechevalier.se to crimsoncott...@gmail.com. At least from= is clearly defined in the log file.
>
> There is a key_choice_header parameter that can be tweaked in order to derive the signing
Re: [courier-users] zdkimfilter
On Wed 24/Jul/2013 20:51:06 +0200 Anders wrote:
> On 2013-07-24 18:10, Alessandro Vesely wrote:
>> The opendkim-2.2.2 version they used to build zdkimfilter seems to be lost.
>
> I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1.

It won't get things better. Knowing the source of the bad build is only useful for reporting the bug where it belongs to.

> Should I downgrade opendkim-2.2.2?

I'd expect that will avoid the segmentation fault. Can you still find it?

>> We'd need to change the code slightly to obtain such feature.
>
> Seems like a possible future feature, but I do want authentication, so the problem must be my courier setup.

That's the best option, IMHO.

> I must say I am at loss about the auth=userid@domain. Never seen it in my logs... I do use port 587 with TLS and authentication with username/password to submit email. Perhaps here is where my problem is and I need to correct sigh =( I do not want relayclient based on IP, though that is needed for some local scripting stuff, but not my normal users since we should do auth... I added DEBUG_LOGIN=1 to authdaemondrc and I see authentication when logging in with imap, but nothing when submitting on smtp... Not sure where to look now. any ideas? Thanks!

It should be configured in esmtpd-msa, and run its own couriertcpd that listens on that port.
Re: [courier-users] zdkimfilter
Alright, it works now. Here is what I did:
* Install zdkimfilter-1.1 (perhaps not needed, but still)
* fix permissions on /etc/courier/filters/keys to be accessible by courier user
* add ESMTPAUTH=PLAIN LOGIN to esmtpd-msa...
Now it seems to work, both for verifying and signing! yay :)
~A
On 2013-07-24 20:51, Anders wrote:
On 2013-07-24 18:10, Alessandro Vesely wrote:
On Wed 24/Jul/2013 13:39:37 +0200 Anders wrote:
I'll comment in-line.
Yup :-)
I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler is gcc 4.7.3
I haven't been able to find that version --see below.
I think that's because you set RELAYCLIENT based on the IP address, and have no authsender in the control file (a control record starting with 'i'). The signing domain is derived from the user id, if it has a '@'. Courier can work both ways, zdkimfilter should do so as well.
I am using courier with virtual users mapped through mysql. The full email address is the user name.
So do I.
What is a control record, and where/how do I find how they are created and looks like?
Control files only exist in the mail queue. They are named Cnnn and correspond to the Dnnn mail file with the same number. They are loosely documented in http://www.courier-mta.org/queue.html
I run dkimsign test.mail and get the following output:
==
WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: compile=0X2020200 link=0X2080400
(That warning is due to a mismatch between libopendkim-dev and the actual libopendkim library. It might cause hiccups when verifying signatures --not the current issue.
OK, does this happen at compile time, or is it something predefined by zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but I actually have only opendkim 2.8.4 installed (Gentoo mail-filter/opendkim-2.8.4).
Yes, it is a compile time conditional.
I checked
http://packages.gentoo.org/package/mail-filter/opendkim
http://packages.gentoo.org/package/mail-filter/zdkimfilter
I found opendkim-2.8.4 (that was released on the 16th this month), but zdkimfilter-1.1 not 1.2
The opendkim-2.2.2 version they used to build zdkimfilter seems to be lost.
I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1. Should I downgrade opendkim-2.2.2?
# ls -l /usr/lib64/libopendkim*
lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> libopendkim.so.9.0.1
lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 -> libopendkim.so.9.0.1
-rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1
I did notice a segmentation fault with courier/zdkimfilter once I have started with filterctl. It happens on every received email:
Jul 24 13:09:14 e350 courieresmtpd: started,ip=[:::216.34.181.88]
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
Jul 24 13:09:17 e350 courieresmtpd: error,relay=:::216.34.181.88,from=courier-users-boun...@lists.sourceforge.net: 432 Mail filters temporarily unavailable.
Jul 24 13:09:17 e350 submit: Bad file descriptor
Jul 24 13:09:17 e350 submit: Connection closed when processing:
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names completed by first call
Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:id=00C804F7.51EFB5DC.36A7: verifying dkim_eoh: No signature (stat=2)
...and kernel log
[2329247.997445] zdkimfilter[12231]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
[2329937.290754] zdkimfilter[13997]: segfault at e ip 7f41ffb36411 sp 7fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+2]
We should file a bug report. I would have done it myself if the version matched. There is a function, dkim_policy(), which takes three parameters in opendkim 2.2.2, but takes four in version 2.8.4.
Depending on the optimizations used at compile time, it might cause such behavior. In fact, zdkimfilter calls that function when it verifies signatures in received messages.
I run dkimsign --domain lechevalier.se test.mail
Yes, dkimsign needs the domain to create a control file similar to those supplied by Courier.
OK, so all seems OK so far then?
Yeah, I use dkimsign that way to sign messages going out through sqwebmail. Possibly, you could prepend it to the mail pipe, until this issue is cleared.
You should have got at least a not signing for /user id/: no /something/ message if it had entered signing mode. That's why I think you don't authenticate on sending. Please confirm that. I'll add a message for that case anyway.
No, all users must authenticate to be able to send emails (relaying denied otherwise). It could be that my courier config is completely
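The two symptoms discussed in this message, the "Mismatched library versions" warning and a message that gets only a "250 not filtered" response with no "signing for" or "not signing for" line, can be picked out of a mail log mechanically. The following is an added example, not code from zdkimfilter or from the posters; the log lines are constructed after the format quoted in the thread, and the version decoding assumes one byte per version component, which matches the 2.2.2 and 2.8.4 identified above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the courierfilter lines quoted in the thread.
SAMPLE_LOG = """\
Jul 24 00:09:40 mx courierfilter: zdkimfilter[100]:Mismatched library versions: compile=0X2020200 link=0X2080400
Jul 24 00:09:41 mx courierfilter: zdkimfilter[101]:id=AAAA0001.00000001.0001: signing for alice@example.org with domain example.org, selector s
Jul 24 00:09:41 mx courierfilter: zdkimfilter[101]:id=AAAA0001.00000001.0001: response: 250 Ok.
Jul 24 00:09:42 mx courierfilter: zdkimfilter[102]:id=AAAA0002.00000002.0002: not signing for postmaster: no domain
Jul 24 00:09:42 mx courierfilter: zdkimfilter[102]:id=AAAA0002.00000002.0002: response: 250 not filtered.
Jul 24 00:09:43 mx courierfilter: zdkimfilter[103]:id=AAAA0003.00000003.0003: response: 250 not filtered.
Jul 24 00:09:44 mx courierfilter: zdkimfilter[104]:id=AAAA0004.00000004.0004: verifying dkim_eoh: No signature (stat=2)
"""

MISMATCH = re.compile(
    r"Mismatched library versions: compile=(0[xX][0-9A-Fa-f]+) link=(0[xX][0-9A-Fa-f]+)")
EVENT = re.compile(r"zdkimfilter\[\d+\]:\s*id=([^:\s]+):\s*(.*)$")


def decode_version(word):
    """Turn a packed word such as 0X2080400 into '2.8.4'.

    Assumption: the three high bytes are major, minor and patch, which is
    consistent with the 2.2.2 / 2.8.4 pair identified in the thread.
    """
    value = int(word, 16)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8))


def classify(texts):
    """Reduce all log texts seen for one message id to a single verdict."""
    for text in texts:
        if text.startswith("signing for "):
            return "signed"
        if text.startswith("not signing for "):
            return "not signed: " + text.rpartition(": ")[2]
        if text.startswith("verifying "):
            return "verifying (incoming)"
    # Only a response line: the filter never entered signing mode. In this
    # thread the cause was a submission without SMTP authentication.
    return "no signing attempt logged"


def triage(log_text):
    """Return ((compiled, linked) or None, {message id: verdict})."""
    mismatch = None
    events = defaultdict(list)
    for line in log_text.splitlines():
        found = MISMATCH.search(line)
        if found:
            mismatch = tuple(decode_version(w) for w in found.groups())
            continue
        found = EVENT.search(line)
        if found:
            events[found.group(1)].append(found.group(2).strip())
    return mismatch, {mid: classify(texts) for mid, texts in events.items()}


if __name__ == "__main__":
    versions, verdicts = triage(SAMPLE_LOG)
    if versions and versions[0] != versions[1]:
        print(f"built against libopendkim {versions[0]}, running with {versions[1]}")
    for message_id, verdict in verdicts.items():
        print(message_id, verdict)
```
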
Re: [courier-users] zdkimfilter
On 2013-07-24 21:25, Alessandro Vesely wrote:
On Wed 24/Jul/2013 20:51:06 +0200 Anders wrote:
On 2013-07-24 18:10, Alessandro Vesely wrote:
The opendkim-2.2.2 version they used to build zdkimfilter seems to be lost.
I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1.
It won't get things better. Knowing the source of the bad build is only useful for reporting the bug where it belongs to.
Have now tried zdkimfilter-1.2 the same segfault happens. Otherwise it works to sign outgoing and verify incoming emails.
Should I downgrade opendkim-2.2.2?
I'd expect that will avoid the segmentation fault. Can you still find it?
Yes, it did resolve the issue.
tar -xzvf opendkim-2.2.2.tar.gz
./configure
make
make install
reinstall zdkimfilter-1.2 (emerge zdkimfilter)
We'd need to change the code slightly to obtain such feature.
Seems like a possible future feature, but I do want authentication, so the problem must be my courier setup.
That's the best option, IMHO.
I must say I am at loss about the auth=userid@domain. Never seen it in my logs... I do use port 587 with TLS and authentication with username/password to submit email. Perhaps here is where my problem is and I need to correct sigh =( I do not want relayclient based on IP, though that is needed for some local scripting stuff, but not my normal users since we should do auth... I added DEBUG_LOGIN=1 to authdaemondrc and I see authentication when logging in with imap, but nothing when submitting on smtp... Not sure where to look now. any ideas? Thanks!
It should be configured in esmtpd-msa, and run its own couriertcpd that listens on that port.
It is now, and that works nice. Not sure why the setting got missing - probably due to upgrading too many times and not checking... Thanks for pointing it out.
~ A
Re: [courier-users] zdkimfilter
Hi Anders,
On Sun 21/Jul/2013 13:23:16 +0200 Anders wrote:
Can someone contribute with some example configuration files for zdkimfilter and courier, especially for signing outgoing mail.
something like this zone-file snippet?
beta._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZmBE7vUMFfhxq"
    "pHw46gf55UmKH1B7zsiHD7n/R/mnvdvKabvosrHhcAhuDZcf1hr+8Co"
    "LTOr6/rUiJXmJoPeq4d3daD+EeUfNIFov6lDgKuBpxNFTuw6spOpX63"
    "xTh9cu7g+6ABQUEnzQmLULdImvcq91g1E9QK7SaEO2aYiXwIDAQAB" )
_adsp._domainkey IN TXT "dkim=unknown"
I have tried to follow the information from the zdkimfilter website
The old site contained more step-by-step stuff, much of which is still valid, in particular: http://www.tana.it/sw/zdkimfilter/v-0.5.shtml#setup
and the man/config files but I can't get it to work, not even off-line checking/testing against self-generated dkim certs with dkimsign.
Does the test suite work? (`make check') It should leave plenty of diagnostic data if it fails. Otherwise you can use the -d (--debug) option to avoid deleting test data, e.g.
cd tests
./testsuite -d 4
Then, looking at the test files left
ls testsuite.dir/04
might help you figuring out why your checking doesn't work as well.
Hth
Re: [courier-users] zdkimfilter
Thanks! I reset my configs and followed Jérôme's installation tips from the previous emails. It seems as something was odd with my bind config. Apparently, I had to split the _domainkey TXT into several segments, or bind wouldn't add it. So, now comes to testing it all...
To summarize, no mails are signed because I think that zdkimfilter can't find anything suitable to match domain/selector against. What can be the cause?
I have a test.mail file
==
Message-ID: 51eee029.8070...@lechevalier.se
Date: Tue, 23 Jul 2013 21:57:29 +0200
From: Anders and...@lechevalier.se
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: anders crimsoncott...@gmail.com
Subject: test
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

test
==
I run dkimsign test.mail and get the following output:
==
WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: compile=0X2020200 link=0X2080400
INFO: zfilter: zdkimfilter: running for dkimsign on 1 ctl + 1 mail files
INFO: zfilter: zdkimfilter[27854]: started child
DEBUG: zfilter: zdkimfilter[27854]:reading 2 names completed by first call
INFO: zfilter: zdkimfilter[27854]:id=dkimsign: not signing for postmaster: no domain
INFO: zfilter: zdkimfilter[27854]:id=dkimsign: response: 250 not filtered.
==
What is the mismatched library versions? dkimsign doesn't see the domain in FROM: or Message-ID: fields. Is this normal?
I run dkimsign --domain lechevalier.se test.mail and get the following output:
==
WARN: zfilter: zdkimfilter[28454]:Mismatched library versions: compile=0X2020200 link=0X2080400
INFO: zfilter: zdkimfilter: running for dkimsign on 1 ctl + 1 mail files
INFO: zfilter: zdkimfilter[28455]: started child
DEBUG: zfilter: zdkimfilter[28455]:reading 2 names completed by first call
INFO: zfilter: zdkimfilter[28455]:id=dkimsign: signing for postmas...@lechevalier.se with domain lechevalier.se, selector s
INFO: zfilter: zdkimfilter[28455]:id=dkimsign: response: 250 Ok.
==
Now this seems to work fine. test.mail now has the DKIM signature added.
zdkimfilter.conf:
==
all_mode = Y
verbose = 8
domain_keys = /etc/courier/filters/keys
selector = s
==
I have a symlink /etc/courier/filters/keys/lechevalier.se -> s.private
So, when sending emails, I get only the following in my mail log:
==
Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]: started child
Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]:reading 2 names completed by first call
Jul 24 00:09:42 e350 courierfilter: zdkimfilter[29197]:id=00C81E83.51EEFF26.720B: response: 250 not filtered.
==
I'm at a loss now what could be the root cause here. How can I debug this problem? It seems as the verbosity in the log is too low, even though I have verbosity=8.
~A
On 2013-07-23 12:54, Alessandro Vesely wrote:
Hi Anders,
On Sun 21/Jul/2013 13:23:16 +0200 Anders wrote:
Can someone contribute with some example configuration files for zdkimfilter and courier, especially for signing outgoing mail.
something like this zone-file snippet?
beta._domainkey IN TXT ( "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDGZmBE7vUMFfhxq"
    "pHw46gf55UmKH1B7zsiHD7n/R/mnvdvKabvosrHhcAhuDZcf1hr+8Co"
    "LTOr6/rUiJXmJoPeq4d3daD+EeUfNIFov6lDgKuBpxNFTuw6spOpX63"
    "xTh9cu7g+6ABQUEnzQmLULdImvcq91g1E9QK7SaEO2aYiXwIDAQAB" )
_adsp._domainkey IN TXT "dkim=unknown"
I have tried to follow the information from the zdkimfilter website
The old site contained more step-by-step stuff, much of which is still valid, in particular: http://www.tana.it/sw/zdkimfilter/v-0.5.shtml#setup
and the man/config files but I can't get it to work, not even off-line checking/testing against self-generated dkim certs with dkimsign.
Does the test suite work? (`make check') It should leave plenty of diagnostic data if it fails. Otherwise you can use the -d (--debug) option to avoid deleting test data, e.g.
cd tests
./testsuite -d 4
Then, looking at the test files left
ls testsuite.dir/04
might help you figuring out why your checking doesn't work as well.
Hth
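Anders's note that bind would not load the _domainkey TXT until it was split into several segments corresponds to the way the zone-file snippet above is written: several quoted strings inside one parenthesised record. The following is an added example, not code from the thread or from zdkimfilter; it assumes the cause was the 255-byte limit on a single TXT character-string, and it uses a constructed stand-in for the key (not a usable key) with the selector "s" from the configuration shown above.

```python
import base64
import re

MAX_STRING = 255  # one <character-string> in TXT RDATA holds at most 255 bytes


def txt_strings(value, size=MAX_STRING):
    """Cut a TXT value into pieces that each fit one character-string."""
    data = value.encode("ascii")
    return [data[i:i + size].decode("ascii") for i in range(0, len(data), size)]


def zone_record(selector, value):
    """Render the value as a multi-string TXT record in zone-file form."""
    lines = [f'\t"{piece}"' for piece in txt_strings(value)]
    return f"{selector}._domainkey IN TXT (\n" + "\n".join(lines) + " )"


def as_seen_by_verifier(record):
    """Join the quoted strings with nothing in between, as a DKIM verifier does."""
    return "".join(re.findall(r'"([^"]*)"', record))


def parse_tags(value):
    """Parse the tag=value list of a key record.

    Whitespace is stripped from every value, which is safe for the
    v=, k= and p= tags handled here (p= may be folded).
    """
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def key_bytes(record):
    """Recover the public-key bytes a verifier would get from the record."""
    return base64.b64decode(parse_tags(as_seen_by_verifier(record))["p"])


def constructed_key_record():
    # Constructed stand-in for a 2048-bit public key: 294 arbitrary bytes,
    # the usual size of such a key in DER form. It is not a usable key.
    fake_der = bytes(i % 251 for i in range(294))
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_der).decode("ascii")
    return fake_der, value


if __name__ == "__main__":
    der, value = constructed_key_record()
    record = zone_record("s", value)
    print(record)
    # The split must be invisible to the verifier.
    print("round trip ok:", as_seen_by_verifier(record) == value and key_bytes(record) == der)
```
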
Re: [courier-users] zdkimfilter
On 21/07/2013 13:23, Anders wrote:
Hi! Can someone contribute with some example configuration files for zdkimfilter and courier, especially for signing outgoing mail. I have tried to follow the information from the zdkimfilter website and the man/config files but I can't get it to work, not even off-line checking/testing against self-generated dkim certs with dkimsign. Thanks! I am running courier-mta on gentoo amd64
~A
Hello,
Here is how I implemented it on a debian server:
apt-get -y install libopendkim7 libnettle4 libtool libopendkim-dev
wget http://www.tana.it/sw/zdkimfilter/zdkimfilter-1.1.tar.gz
tar xzf zdkimfilter-1.1.tar.gz
cd zdkimfilter-1.1/
./configure
make
make install
echo "all_mode Y
verbose 4
selector s" > /etc/courier/filters/zdkimfilter.conf
mkdir /etc/courier/filters/keys
echo "-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----" > /etc/courier/filters/keys/mymarvelousdomain.com
filterctl stop zdkimfilter
filterctl start zdkimfilter
Hope this helps. Best regards.
Jerome Blion.
[courier-users] zdkimfilter 0.5
Hi all, new features of this release of zdkimfilter [Z] are as follows:

*Signing*
It is now possible to select the signing domain according to the value of a configured header in the outgoing message.

*Verifying*
Statistics files. This requires OpenDKIM v2.2.0, released a few days ago. In order to gain some insight in the behavior of DKIM, they collect statistics data in anonymous form from a number of participating MTAs [DB]. With MySQL and an OpenDBX --not to be confused with the similarly named Outlook Express stuff site-- it is possible to feed a local copy of the same schema.
Spamhaus Domain whitelist [DWL] is looked up on valid DKIM signatures.

*Added parameters*
key_choice_header (for choosing signing domain)
no_dwl (for skipping dwl.spamhaus.org lookup)
stats_file (for enabling statistics)
stats_wait (for stats file locks)

*Other changes*
- Two utilities, zdkimstats-*, for managing stats files.
- Fixed 8k line length limit.
- Set header.from in dkim-adsp's A-R entry.

*Pointers*
[Z] http://www.tana.it/sw/zdkimfilter/
[DB] http://www.opendkim.org/stats/report.html
[DWL] http://www.spamhauswhitelist.com/
[courier-users] zdkimfilter 0.4, and run_filter confirmation
Hi all, this to announce the new version, and also to confirm a feature of global filtering that Sam has described last May.

*zdkimfilter 0.4*
In the new version ADSP failures are treated differently, as summarized in the table below, where the failure condition is the result of evaluating ADSP against the domain in the From header field.

condition   | action          | v0.3 was | dkim-adsp
------------+-----------------+----------+----------
nxdomain    | reject          | reject   | nxdomain
all         | reject          | accept   | fail
discardable | drop (see [WP]) | reject   | discard

Actions can be mitigated by whitelisting senders validated by DKIM (also new) or SPF. The meaning of the /no_author_domain/ parameter has changed from "don't evaluate ADSP" to "always accept, but report success/failure". The setting of this parameter in the distributed zdkimfilter.conf has also changed. Further details and download in [ZD].

*run_filter confirmation*
Using codes 0nn works as described in [0n], final paragraphs. In addition, the text of the response is also passed to the remote client. To wit, output of "050 Message dropped" from the filter results in Courier answering "250 Message dropped" to the client, after it has uploaded the message data. Any remaining filters are not run.

Links:
[WP] http://en.wikipedia.org/wiki/Author_Domain_Signing_Practices
[ZD] http://www.tana.it/sw/zdkimfilter/
[0n] http://markmail.org/message/6amrraxgp7ymjdi2
Re: [courier-users] zdkimfilter 0.3
On 29/Apr/10 06:25, Carlos Lopez wrote:
Site is not working :(, check it.
A mediaconverter burned out, for ip 85.18.98.155. It's been replaced about 3 hours ago.
Carlos.
--- On Wed, 4/28/10, Alessandro Vesely ves...@tana.it wrote:
http://www.tana.it/sw/zdkimfilter/
[courier-users] zdkimfilter 0.3
I've extended the spf_whitelist option so as to accept john@example.com in case example.com publishes a discard ADSP policy and the signature has been broken by the whitelisted sender. I've also removed the x- from x-dkim-adsp, in Authentication-Results lines, and slightly modified adsp log lines. http://www.tana.it/sw/zdkimfilter/
Re: [courier-users] zdkimfilter 0.3
Site is not working :(, check it.
Carlos.
--- On Wed, 4/28/10, Alessandro Vesely ves...@tana.it wrote:
From: Alessandro Vesely ves...@tana.it
Subject: [courier-users] zdkimfilter 0.3
To: Courier Users courier-users@lists.sourceforge.net
Date: Wednesday, 28 April 2010, 04:16 am
I've extended the spf_whitelist option so as to accept john@example.com in case example.com publishes a discard ADSP policy and the signature has been broken by the whitelisted sender. I've also removed the x- from x-dkim-adsp, in Authentication-Results lines, and slightly modified adsp log lines. http://www.tana.it/sw/zdkimfilter/
[courier-users] zdkimfilter 0.2
In case anyone is using it, I've added an spf_whitelist option for accepting messages that have From: john@nospam.example.com from a few domains, while still rejecting the other non-existent From. My stance is that a domain must get an SPF-MAILFROM pass to be eligible for spf_whitelist --better ideas are welcome. http://www.tana.it/sw/zdkimfilter/