On Fri, 4 Jan 2008, Andrew Haveland-Robinson wrote:
So, based on what I could find, I ended up here. Downloaded dkim-filter
2.4.1 and went on an epic voyage of discovery into the RFCs and other
stuff. I just want to install, configure and run the thing!
The INSTALL and README should give you everything you need. In fact, the
COMPILING section of the former indicates which version of sendmail must
be installed and also specifically mentions that libmilter needs to be
available. The first errors you hit indicated that libmilter and its
include files were not present on your system (or at least not in the
compiler's search rules).
Anyway. I thought compilation would be straightforward, but no. More
unfamiliar stuff to read. I dutifully read the site.config.m4.dist,
copied to devtools/Site/site.config.m4 and hoped to make some
intelligent decisions on what options to enable.
[Aside: In fact, if libmilter and its includes (and other dependencies
like OpenSSL) are installed and in the compiler's search rules, you can
completely skip the site.config.m4 step.]
dkim-filter.h:86: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_connect???
dkim-filter.h:87: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_envfrom???
dkim-filter.h:88: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_header???
dkim-filter.h:89: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_eoh???
dkim-filter.h:90: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_body???
dkim-filter.h:91: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_eom???
dkim-filter.h:92: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_abort???
dkim-filter.h:93: error: expected ???=???, ???,???, ???;???, ???asm??? or
???__attribute__??? before ???mlfi_close???
That's bizarre. Those lines of dkim-filter.h contain C prototypes in my
copy. I've no idea why the compile would be expecting control characters
in a C header file.
I copied /devtools/OS/Linux to /devtools/Site/site.Linux.m4
Your build would've picked up devtools/OS/Linux automatically (based on
the output of "uname") so that step was not necessary.
./Build install was successful after manually creating dirs
/usr/man/man15 and /usr/man/man18
Fedora manuals are in /usr/share/man
The files /usr/bin/dk* should have ownership root:root instead of bin.
We don't have the means in our build system to specify that man pages go
someplace else specifically on Fedora since "uname" doesn't say something
other than Linux. Thus, the build is only as specific as Linux and
versions thereof.
I can add a section to the README about what changes need to or should be
made for Fedora installations if that would be helpful. This is the first
I've heard that such are necessary. If someone can combine the man page
and file ownership requirements, I'd be happy to add that.
It even adds signatures to my messages (hopefully to this one), but
silently crashes regularly without any indication on processing a simple
locally generated mail from a perl script and/or/exor from logwatch or
virus notification from MailScanner. eg:
Does it produce a core file when it crashes? A backtrace would be really
helpful, especially if it comes along with a copy of a message that causes
the problem.
If you didn't already, enable the first "define" in site.config.m4 which
changes confOPTIMIZE to "-g", and recompile. This will produce a version
that should be able to generate a core dump when it crashes. One caveat
though is your use of "Userid" in the configuration file; Linux processes
are forbidden from generating coredumps if they change userid during
execution, so you'll have to comment that out of the configuration file
and either (a) run it as root, or (b) start it as smmsp some other way,
until you get the problem fixed.
I'm disappointed, disillusioned and frustrated in trying to nail jelly
to a wall... This doesn't say anything useful at all!
>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
Having crashed, dkim-filter can't very well log anything. That log entry
is from sendmail, not the filter, and all it indicates is that it was
expecting a reply from the filter when what came back is 0 bytes
(end-of-file, meaning the filter had gone away). sendmail can't really
tell you more than that.
(To translate the error: "milter_sys_read" is the function waiting for
data from the filter, "dkim-filter" is the filter on which it was waiting,
the read() function returned 0 meaning EOF when it was expecting five
bytes back.)
Since you set DKIMDEBUG's "c" flag, there may be temporary files in
/var/tmp you can examine to see how far it got in processing a message
before it died. That might helpful.
There's also a documented sendmail trace flag, "-d71.100", which will
cause sendmail to quarantine mail that was in progress at the time a
filter crashed. You might also find this useful. You just need to start
up sendmail with its usual arguments plus that flag.
without real diagnostic tools, skills and a lot of time, I can't solve
it. I'm an experienced sysadmin, not a C programmer! Programmers should
try to make all our lives easier! :-)
Progarmmers love making people's lives easier but can't do so without the
data they need. dkim-filter is stable and doesn't exhibit this behaviour
on any other system I've heard of, but there may not be that many people
using it on 64-bit Linux systems yet. I don't have a 64-bit Fedora system
here with which to try to reproduce your problems so I have to rely on the
help of others and/or you to point us in the right direction. If you can
provide more information we might be able to get you either a patch or a
workaround.
When it does work, another gripe is this padding too short error, which
may or may not be a reason for the verification failure:
Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080 SSL error:04067069:rsa
routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short; error:04077068:rsa
routines:RSA_verify:bad signature
Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080: bad signature data
Jan 4 08:14:35 gaia sendmail[10080]: m047EY6O010080: Milter insert (1):
header: Authentication-Results: gaia.haveland.com; dkim=neutral (verification
failed) [EMAIL PROTECTED]
How can a gmail signature fail verification?
There are many possible reasons: Message modification in transit (e.g.
through an MLM that altered the message), corrupted reply to the DNS
query, signature expiration, key revocation, etc. libdkim actually
enumerates 29 of them.
What did it fail on?
It looks, according to the logs you pasted, like OpenSSL didn't like
something in the key they're using or in the signature they generated.
Perhaps some truncation occurred, but it's hard to say without more
forensics such as the message which caused the problem.
What version of OpenSSL do you have installed?
What is the "i" in "header.i" ?
In the specification for the Authentication-Results: header, a copy of
which is included in the source code you downloaded, this is explained.
It's the value of the "i=" portion of the DKIM signature about which the
report is being generated.
It was a mysql mailing list, so perhaps other headers got in the way,
but this isn't what I would call a robust solution!
Other added (or even reordered) headers don't get in the way unless an MTA
modifies one of the headers the signer included when generating the
signature. Read about DKIM's "h=" tag to find out why if you're curious.
Omitheaders command in dkim.conf seems to be a blanket fudge.
OmitHeaders is there to omit during signing headers that you know will
very likely get munged in transit, thus invalidating the signature you
generate. A prime example is Return-Path: which Exchange adds but
downstream MTAs tend to delete or replace.
If we are to stand a chance of defeating spammers, then we have to make
DKIM easier to install and configure so mere mortals can install and use
it, and encourage adoption. I'm sure many would like to see dkim-filter
available in rpm for various distros.
At least one person on this list is maintaining an RPM, I believe for
Debian. There are probably others. It's also in the ports tree for at
least FreeBSD.
-MSK
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
