Alright, it works now. Here is what I did: * Install zdkimfilter-1.1 (perhaps not needed, but still) * fix permissions on /etc/courier/filters/keys to be accessible by courier user * add ESMTPAUTH="PLAIN LOGIN" to esmptd-msa...
Now it seems to work, both for verifying and signing! yay :) ~A On 2013-07-24 20:51, Anders wrote: > On 2013-07-24 18:10, Alessandro Vesely wrote: >> On Wed 24/Jul/2013 13:39:37 +0200 Anders wrote: >>> I'll comment in-line. >> Yup :-) >> >>> I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler >>> is gcc 4.7.3 >> I haven't been able to find that version --see below. >> >>>> I think that's because you set RELAYCLIENT based on the IP address, >>>> and have no authsender in the control file (a control record starting >>>> with 'i'). The signing domain is derived from the user id, if it has >>>> a '@'. Courier can work both ways, zdkimfilter should do so as well. >>> I am using courier with virtual users mapped through mysql. The full >>> email address is the user name. >> So do I. >> >>> What is a control record, and where/how do I find how they are created >>> and looks like? >> Control files only exist in the mail queue. They are named Cnnnnnnn >> and correspond to the Dnnnnnnn mail file with the same number. They >> are loosely documented in http://www.courier-mta.org/queue.html >> >>>>> I run "dkimsign test.mail" and get the following output: >>>>> ====================== >>>>> WARN: zfilter: zdkimfilter[27853]:Mismatched library versions: >>>>> compile=0X2020200 link=0X2080400 >>>> (That warning is due to a mismatch between libopendkim-dev and the >>>> actual libopendkim library. It might cause hiccups when verifying >>>> signatures --not the current issue. >>> OK, does this happen at compile time, or is it something predefined by >>> zdkimfiler code? Looks like it was compiled against opendkim 2.2.2, but >>> I actually have only opendkim 2.8.4 installed (Gentoo >>> mail-filter/opendkim-2.8.4). >> Yes, it is a compile time conditional. >> >> I checked >> http://packages.gentoo.org/package/mail-filter/opendkim >> http://packages.gentoo.org/package/mail-filter/zdkimfilter >> I found opendkim-2.8.4 (that was released on the 16th this month), but >> zdkimfilter-1.1 not 1.2 >> >> The opendkim-2.2.2 version they used to build zdkimfilter seems to be >> lost. > I realise I have a local overlay with zdkimfilter-1.2. I will revert to 1.1. > > Should I downgrade opendkim-2.2.2? >>> ======================== >>> # ls -l /usr/lib64/libopendkim* >>> lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so -> >>> libopendkim.so.9.0.1 >>> lrwxrwxrwx 1 root root 20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 >>> -> libopendkim.so.9.0.1 >>> -rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1 >>> ======================== >>> >>> I did notice a segmentation fault with courier/zdkimfilter once I have >>> started with filterctl. It happens on every received email: >>> ======================== >>> Jul 24 13:09:14 e350 courieresmtpd: started,ip=[::ffff:216.34.181.88] >>> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child >>> Jul 24 13:09:17 e350 courieresmtpd: >>> error,relay=::ffff:216.34.181.88,from=<courier-users-boun...@lists.sourceforge.net>: >>> 432 Mail filters temporarily unavailable. >>> Jul 24 13:09:17 e350 submit: Bad file descriptor >>> Jul 24 13:09:17 e350 submit: Connection closed when processing: >>> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names >>> completed by first call >>> Jul 24 13:09:17 e350 courierfilter: >>> zdkimfilter[13997]:id=0000000000C804F7.0000000051EFB5DC.000036A7: >>> verifying dkim_eoh: No signature (stat=2) >>> ======================== >>> >>> ...and kernel log >>> ======================== >>> [2329247.997445] zdkimfilter[12231]: segfault at e ip 00007f41ffb36411 >>> sp 00007fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+20000] >>> [2329937.290754] zdkimfilter[13997]: segfault at e ip 00007f41ffb36411 >>> sp 00007fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+20000] >>> ======================== >> We should file a bug report. I would have done it myself if the >> version matched. There is a function, dkim_policy(), which takes >> three parameters in opendkim 2.2.2, but takes four in version 2.8.4. >> Depending on the optimizations used at compile time, it might cause >> such behavior. In fact, zdkimfilter calls that function when it >> verifies signatures in received messages. >> >>>>> I run "dkimsign --domain lechevalier.se test.mail" >>>> Yes, dkimsign needs the domain to create a control file similar to >>>> those supplied by Courier. >>> OK, so all seems OK so far then? >> Yeah, I use dkimsign that way to sign messages going out through >> sqwebmail. Possibly, you could prepend it to the mail pipe, until >> this issue is cleared. >> >>>> You should have got at least a "not signing for /user id/: no >>>> /something/" message if it had entered signing mode. That's why I >>>> think you don't authenticate on sending. Please confirm that. I'll >>>> add a message for that case anyway. >>> No all users must authenticate to be able to send emails (relaying >>> denied otherwise). It could be that my courier config is completely >>> wrong, should I post it here? In that case, which of the config files >>> are interresting for you? >>> >>> >>> Output from sending a test email from and...@lechevalier.se to >>> crimsoncott...@gmail.com. At least "from=" is clearly defined in the log >>> file. >> There is a key_choice_header parameter that can be tweaked in order to >> derive the signing domain. Currently, it can be derived from a header >> field, from the authenticated user-id, or from the default domain. >> Hence it misses the possibility to derive it from the envelope sender, >> which is what you get in the logged from= quoted below. But there is >> another problem: If the sender is not authenticated, the current >> version doesn't even enter signing mode. >> We'd need to change the code slightly to obtain such feature. > Seems like a possible future feature, but I do want authentication, so > the problem must be my courier setup. > > >>> ==================== >>> Jul 24 13:33:33 e350 courierd: >>> newmsg,id=0000000000C804F7.0000000051EFBB8D.00004626: dns; >>> [IPv6:2001:16d8:ff02:0:3d19:ef23:9df5:18fe] >>> ([2001:16d8:ff02:0:3d19:ef23:9df5:18fe]) >>> Jul 24 13:33:33 e350 courierd: >>> started,id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,module=esmtp,host=gmail.com,addr=<crimsoncott...@gmail.com> >>> Jul 24 13:33:33 e350 courierd: Waiting. shutdown time=none, wakeup >>> time=none, queuedelivering=1, inprogress=1 >>> Jul 24 13:33:34 e350 courieresmtp: >>> id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,addr=<crimsoncott...@gmail.com>: >>> 250 2.0.0 OK 1374665609 g5si1547113laa.79 - gsmtp >>> Jul 24 13:33:34 e350 courieresmtp: >>> id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,addr=<crimsoncott...@gmail.com>,size=630,success: >>> delivered: gmail-smtp-in.l.google.com [173.194.71.26] >>> Jul 24 13:33:34 e350 courieresmtp: >>> id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,addr=<crimsoncott...@gmail.com>,size=630,status: >>> success >>> Jul 24 13:33:34 e350 courierd: >>> completed,id=0000000000C804F7.0000000051EFBB8D.00004626 >>> Jul 24 13:33:34 e350 courierd: Waiting. shutdown time=Wed Jul 24 >>> 13:45:45 2013, wakeup time=Wed Jul 24 13:45:45 2013, queuedelivering=0, >>> inprogress=0 >>> ==================== >>> >>> >>> This is doing a simple "echo test | mail -s testmail >>> crimsoncott...@gmail.com" as root user: >>> ==================== >>> Jul 24 13:37:01 e350 courierd: >>> newmsg,id=0000000000C804F7.0000000051EFBC5D.00004851: dns; localhost >>> (localhost [127.0.0.1]) >> If you had authenticated, there would have been an additional >> "auth=userid@domain". >> >> The best practice for sending messages is to use submission port 587 >> and one of the available login features, me thinks. >> >> In order to cope with RELAYCLIENT assigned based on IP address, there >> are two easy possibilities that I can see: >> >> 1) Introduce a default_user, but that might be unsuitable if >> different IP addresses correspond to different users. >> >> 2) Deploy the identd lookup done by Courier (unless -noidentlookup is >> specified in TCPDOPTS), but that would impact users not having an >> identd server. >> >> In either case, you'd then need to compile the modified program >> yourself. What you think? >> >> >> >> > I must say I am at loss about the the auth=userid@domain. Never seen it > in my logs... I do use port 587 with TLS and authentication with > username/password to submit email. Perhaps here is where my problem is > and I need to correct.... sigh =( I do not want relayclient based on IP, > though that is needed for some local scripting stuff, but not my normal > users since we should do auth... > > I added DEBUG_LOGIN=1 to authdaemondrc and I see authentication when > logging in with imap, but nothing when submitting on smtp... > > Not sure where to look now. any ideas? Thanks! > > ~A > > > > ------------------------------------------------------------------------------ > See everything from the browser to the database with AppDynamics > Get end-to-end visibility with application monitoring from AppDynamics > Isolate bottlenecks and diagnose root cause in seconds. > Start your free trial of AppDynamics Pro today! > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk > _______________________________________________ > courier-users mailing list > courier-users@lists.sourceforge.net > Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users ------------------------------------------------------------------------------ See everything from the browser to the database with AppDynamics Get end-to-end visibility with application monitoring from AppDynamics Isolate bottlenecks and diagnose root cause in seconds. Start your free trial of AppDynamics Pro today! http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk _______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
