I wanted to use DKIM with Sendmail on Fedora 7. Easy, I thought, just do the
following:
1. yum install dkim-filter (+dependencies)
2. create keys
3. edit a couple of template files
4. update dns txt records
5. /etc/init.d/named reload
6. /etc/init.d/dkim-filter start
7. /etc/init.d/sendmail (or MailScanner) restart
Max 30 mins work.
However, life is rarely so simple.
yum search dkim didn't find anything.
So, based on what I could find, I ended up here. Downloaded dkim-filter
2.4.1 and went on an epic voyage of discovery into the RFCs and other stuff.
I just want to install, configure and run the thing!
Anyway. I thought compilation would be straightforward, but no. More
unfamiliar stuff to read. I dutifully read the site.config.m4.dist, copied
to devtools/Site/site.config.m4 and hoped to make some intelligent decisions
on what options to enable.
# ./Build
...
>Making all in:
>/etc/mail/dkim/dkim-milter-2.4.1/dkim-filter
>Configuration: pfx=, os=Linux, rel=2.6.23.1-10.fc7, rbase=2,
>rroot=2.6.23.1-10, arch=x86_64, sfx=, variant=optimized
>Using M4=/usr/bin/m4
>Creating
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>using /etc/mail/dkim/dkim-milter-2.4.1/devtools/OS/Linux
>Making dependencies in
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>make[1]: Entering directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>rm -f sm_os.h
>ln -f -s ../../include/sm/os/sm_os_linux.h sm_os.h
>cc -M -I. -I../../include -I../libdkim/ -D_REENTRANT config.c dkim-ar.c
>dkim-filter.c stats.c test.c util.c dkim-testkey.c dkim-testssp.c >>
>Makefile
>In file included from config.h:23,
> from config.c:20:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from dkim-ar.h:19,
> from dkim-ar.c:23:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>dkim-filter.c:59:29: error: libmilter/mfapi.h: No such file or directory
>In file included from config.h:23,
> from dkim-filter.c:78:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from test.c:31:
>test.h:24:29: error: libmilter/mfapi.h: No such file or directory
>In file included from util.c:49:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>make[1]: *** [depend] Error 1
>make[1]: Leaving directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>Making in
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>make[1]: Entering directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>cc -O2 -I. -I../../include -I../libdkim/ -D_REENTRANT -DXP_MT -c -o
>config.o config.c
>In file included from config.h:23,
> from config.c:20:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from config.h:23,
> from config.c:20:
>dkim-filter.h:86: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_connect’
>dkim-filter.h:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_envfrom’
>dkim-filter.h:88: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_header’
>dkim-filter.h:89: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_eoh’
>dkim-filter.h:90: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_body’
>dkim-filter.h:91: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_eom’
>dkim-filter.h:92: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_abort’
>dkim-filter.h:93: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_close’
>make[1]: *** [config.o] Error 1
>make[1]: Leaving directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>make: *** [all] Error 2
After some googling, a "yum install sendmail-devel" fixed this problem, and
a ./Build -c completed successfully.
I copied /devtools/OS/Linux to /devtools/Site/site.Linux.m4
./Build install was successful after manually creating dirs /usr/man/man15
and /usr/man/man18
Fedora manuals are in /usr/share/man
The files /usr/bin/dk* should have ownership root:root instead of bin.
Sendmail of Fedora 7 is currently 8.14.1:
# sendmail -d0.1
Version 8.14.1
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
I created the keys, updated the dns zone files and decided to use user smmsp
instead of creating yet another user.
I created:
/var/db/dkim :
-rw-r----- 1 smmsp smmsp 887 2008-01-01 08:30 jan2008.admin.key.pem
-rw-r--r-- 1 smmsp smmsp 272 2008-01-01 08:30 jan2008.admin.public.pem
/var/run :
drwxr-xr-x 2 smmsp smmsp 4096 2008-01-04 09:23 milter
and created this basic start/stop init script:
/etc/init.d/dkim-filter
then:
chkconfig --add dkim-filter
chkconfig dkim-filter on
contents:
>#!/bin/bash
>#
># dkim-filter Starts /usr/bin/dkim-filter
>#
># chkconfig: 2345 67 33
>#
># description: Domain Keys Milter
># processname: dkim-filter
>#
># Source function library.
>. /etc/init.d/functions
>
>[ -f /usr/bin/dkim-filter ] || exit 0
>RETVAL=0
>
># Files created by the daemon are readable by its owner only.
>umask 077
>
>start() {
>    echo -n $"Starting dkim-filter: "
>    /usr/bin/dkim-filter -x /etc/mail/dkim.conf
>    RETVAL=$?
>    if [ $RETVAL -eq 0 ]
>    then
>        echo_success
>        touch /var/lock/subsys/dkim-filter
>    else
>        echo_failure
>    fi
>    echo
>}
>stop() {
>    echo -n $"Shutting down dkim-filter: "
>    # Signal the PID recorded by the PidFile setting in dkim.conf.
>    /bin/kill `cat /var/run/milter/dkim-filter.pid 2> /dev/null` > /dev/null 2>&1
>    RETVAL=$?
>    sleep 3
>    if [ $RETVAL -eq 0 ]
>    then
>        echo_success
>        rm -f /var/lock/subsys/dkim-filter
>        rm -f /var/run/milter/dkim-filter.pid
>    else
>        echo_failure
>    fi
>    echo
>}
>rhstatus() {
>    status dkim-filter
>}
>restart() {
>    stop
>    start
>}
>
>case "$1" in
>    start)
>        start
>        ;;
>    stop)
>        stop
>        ;;
>    status)
>        rhstatus
>        ;;
>    restart|reload)
>        restart
>        ;;
>    condrestart)
>        [ -f /var/lock/subsys/dkim-filter ] && restart || :
>        ;;
>    *)
>        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
>        exit 1
>esac
>
>exit $?
Now for configuration files:
/etc/mail/dkim.conf :
Canonicalization relaxed/simple
Domain /etc/mail/domains
KeyFile /var/db/dkim/jan2008.admin.key.pem
#MTA MTA
Selector jan2008.admin
SignatureAlgorithm rsa-sha256
Socket inet:[EMAIL PROTECTED]
#Socket /var/run/milter/dkim-filter.sock
Syslog Yes
SyslogSuccess Yes
Userid smmsp
PidFile /var/run/milter/dkim-filter.pid
SubDomains Yes
X-Header No
SendReports No
/etc/mail/domains contains just one domain on one line.
and added to sendmail.rc:
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:[EMAIL PROTECTED]')
I started the script with
/etc/init.d/dkim-filter start
and it worked, e.g.:
>Jan 4 10:58:10 gaia dkim-filter[6033]: Sendmail DKIM Filter v2.4.1 starting
>(args: -x /etc/mail/dkim.conf)
It even adds signatures to my messages (hopefully to this one), but silently
crashes regularly without any indication on processing a simple locally
generated mail from a perl script and/or/exor from logwatch or virus
notification from MailScanner, e.g.:
DKIMDEBUG=ct :
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: from=<[EMAIL
>PROTECTED]>, size=1780, class=0, nrcpts=1, msgid=<[EMAIL PROTECTED]>,
>proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
>Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 header
>Jan 3 02:57:18 gaia last message repeated 6 times
>Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 eoh
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260:
>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: Milter (dkim-filter): to
>error state
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: to=<[EMAIL PROTECTED]>,
>delay=00:00:00, mailer=esmtp, pri=31780, stat=queued
I have spent the last couple of days trying to solve this.
The only relevant information I found was Jim Hermann's useful message and
thread last month
http://www.mail-archive.com/[email protected]/msg00409.html
I'm disappointed, disillusioned and frustrated in trying to nail jelly to a
wall... This doesn't say anything useful at all!
>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
It only seems to happen with locally generated mail, sometimes it even seemed
as if having a Reply-To: field influenced its crash frequency, but without
real diagnostic tools, skills and a lot of time, I can't solve it. I'm an
experienced sysadmin, not a C programmer! Programmers should try to make all
our lives easier! :-)
I want to get this working reliably and dependably on a few production
systems, and know what options to compile with and what settings to use for
Fedora, but I'm now stumped.
When it does work, another gripe is this padding too short error, which may
or may not be a reason for the verification failure:
>Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080 SSL error:04067069:rsa
>routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short; error:04077068:rsa
>routines:RSA_verify:bad signature
>Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080: bad signature data
>Jan 4 08:14:35 gaia sendmail[10080]: m047EY6O010080: Milter insert (1):
>header: Authentication-Results: gaia.haveland.com; dkim=neutral (verification
>failed) [EMAIL PROTECTED]
How can a gmail signature fail verification? What did it fail on? What is
the "i" in "header.i" ?
It was a mysql mailing list, so perhaps other headers got in the way, but
this isn't what I would call a robust solution! Omitheaders command in
dkim.conf seems to be a blanket fudge.
If we are to stand a chance of defeating spammers, then we have to make DKIM
easier to install and configure so mere mortals can install and use it, and
encourage adoption. I'm sure many would like to see dkim-filter available
in rpm for various distros.
However, Network Solutions, amongst others, need to wake up and allow people
to modify their DNS TXT attributes... Here's what their completely
ridiculous FAQ says on the subject:
http://customersupport.networksolutions.com/article.php?id=369
>"Can I Make Changes To The TXT Record
>
> Network Solutions does not currently support changes to the
> TXT record for a domain name registration.
>
> The TXT Record is strictly informational, not functional."
What planet are they living on?
Cheers,
Andy.
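
An added example, not part of the original post: a small audit for a setup like the one described above. It reads dkim.conf, derives the DNS name where the selector's TXT record must be published, and checks that the private key in KeyFile is not accessible to other users and is owned by the configured Userid. The function names conf_get, dkim_dns_name and audit_dkim_key are hypothetical, GNU stat is assumed, and Domain is assumed to name a file holding one domain, as in the post.

```shell
#!/bin/sh
# Added example: audit a dkim-filter configuration (helper names are hypothetical).

# Print the value of a "Keyword value" setting, skipping commented-out lines.
conf_get() {   # usage: conf_get FILE KEYWORD
    awk -v k="$2" '!/^[[:space:]]*#/ && $1 == k { print $2; exit }' "$1"
}

# DKIM public keys are looked up at <selector>._domainkey.<domain>.
dkim_dns_name() (   # usage: dkim_dns_name FILE
    sel=$(conf_get "$1" Selector)
    dom=$(conf_get "$1" Domain)
    # Assumption from the post: Domain points at a file with one domain per line.
    if [ -f "$dom" ]; then dom=$(head -n 1 "$dom"); fi
    printf '%s._domainkey.%s\n' "$sel" "$dom"
)

# Print one line per finding; return non-zero if the key setup is unsafe.
audit_dkim_key() (   # usage: audit_dkim_key FILE
    key=$(conf_get "$1" KeyFile)
    user=$(conf_get "$1" Userid)
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "KeyFile missing or not a regular file: ${key:-unset}"
        return 1
    fi
    mode=$(stat -c %a "$key")    # GNU stat, octal mode such as 640
    owner=$(stat -c %U "$key")
    findings=0
    # A non-zero last octal digit means "other" has some access to the key.
    case $mode in
        *0) ;;
        *)  echo "private key $key is accessible to other users (mode $mode)"
            findings=1 ;;
    esac
    # The filter drops privileges to Userid, so that user should own the key.
    if [ -n "$user" ] && [ "$owner" != "$user" ]; then
        echo "private key $key is owned by $owner but the filter runs as $user"
        findings=1
    fi
    return $findings
)
```

Run `audit_dkim_key /etc/mail/dkim.conf` before starting the filter, and compare the output of `dkim_dns_name` with the TXT record name in the zone file.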