[qmailtoaster] Re: _SOLVED_ [qmailtoaster] Re: domainkeys signing failing?

[John Fernandez]

That's not right!!! hehe

Yap I just validated that domainkeys will not work when using 
smtproutes. Sucks for those (like me) who has dynamic ip whose e-mail 
will be considered spam and no other choice but to use their ISP's mta. 
Oh well, I guess I don't have any luck at all. (DSL is not an option 
either, too far from central office.)

Thanks Erik for all your help,

John.

Erik Espinoza wrote:
Hey John,

I don't think that DomainKeys is compatible with smtproutes. According
to the wikipedia:

http://www.wikipedia.org/wiki/DomainKeys
Content modification in-transit

One of the problems with DomainKeys is that if the message is
significantly modified en route by a forwarding mechanism such as a
list server, then the signature may no longer be valid and the message
may be rejected. If the only modifications en-route involve the
addition or modification of headers before the DomainKey-Signature:
header, the signature should remain valid; also the mechanism includes
features that allow certain limited modifications to be made to
headers and the message body without invalidating the signature.

Some suggest that this limitation could be addressed by combining
DomainKeys with SPF, because SPF is immune to modifications of the
e-mail data, and mailing lists typically use their own SMTP error
address aka Return-Path. In short SPF works without problems where
DomainKeys might run into difficulties, and vice versa.

Mailing Lists that add or change content also effectively invalidate
DomainKeys signatures. Yahoo! suggested that the mailing list should
re-sign the message itself under these circumstances, thus in effect
taking responsibility for the message.

On 5/22/06, John Fernandez <[EMAIL PROTECTED]> wrote:
I am having no luck with this. I have a question though, does domainkeys
work when you are using your ISP's mta instead of qmail-toaster to
deliver remote mail??

for e.g.
$ cat /var/qmail/control/smtproutes
:isp.mta.net

Thanks,
John

Erik Espinoza wrote:
> Not sure I understand what you're asking.
>
> On 5/22/06, Mattias Segerdahl <[EMAIL PROTECTED]> wrote:
>> Erik,
>>
>> Why would you put up the domain key signing for both the ip address
>> and once
>> again in the allow group? This should only be needed once.
>>
>> // Mattias
>>
>> -----Original Message-----
>> From: John Q. Fernandez [mailto:[EMAIL PROTECTED]
>> Sent: den 22 maj 2006 14:32
>> To: qmailtoaster-list@qmailtoaster.com
>> Subject: Re: [qmailtoaster] Re: domainkeys signing failing?
>>
>> I had it setup like this:
>> 127.:allow,RELAYCLIENT=""
>> 
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONG 

>>
>> 
RCPTLIMIT="10",DKVERIFY="BDEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQU 

>>
>> 
EUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/ 

>>
>> %/private"
>>
>> Then I tried the way you said it should look like
>> 
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private" 

>>
>> 
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONG 

>>
>> 
RCPTLIMIT="10",DKVERIFY="BDEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQU 

>>
>> 
EUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/ 

>>
>> %/private"
>>
>> I am still getting:
>> DomainKey-Status: bad
>> .
>> .
>> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;  s=private;
>> d=domain.com;
>>
>> 
b=KXnemYAno0ThL4LaL7sTRY+4U1dlzwTefvLyz0AFjklEY8yEfSO+Qp6zrUqtMPpWla2F76LNpp 

>>
>> EW7+etv2E1FhnkOowygaN6YZosad9E+QQcp6dNLfQRQHkzLMFstsz8
>>  ;
>>
>> Any help on resolution would be great.
>>
>> Thanks,
>> John
>>
>> > Looks like your key is set up correctly in DNS. Perhaps your 
tcp.smtp
>> > is misconfigured. Without these two lines, you will not be 
signing at
>> > all.
>> >
>> > The default should look as follows (2 lines):
>> >
>> 
127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private" 

>>
>> >
>> 
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONG 

>>
>> 
RCPTLIMIT="10",DKVERIFY="BDEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQU 

>>
>> 
EUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/ 

>>
>> %/private"
>> >
>> > Thanks,
>> > Erik
>> >
>> > On 5/21/06, John Fernandez <[EMAIL PROTECTED]> wrote:
>> >> $  host -t txt private._domainkey.domain.com
>> >> private._domainkey.domain.com text "k=rsa\;
>> >>
>> 
p=MEwwDQYJKoZIhvcNxdrvfeAIxAPL//Tp0mGa06ZYwnJWEfds4tgEFvvdV5/f2zEyrb5ohF#5fs 

>>
>> dfsdfdh53fzGHXV+/087gKKwIDAQAB"
>> >>
>> >>
>> >> Erik Espinoza wrote:
>> >> > Oops. I pulled the wrong record. Type 'host -t txt
>> >> > private._domainkey.domain.com'
>> >> >
>> >> > Thanks,
>> >> > Erik
>> >> >
>> >> > On 5/21/06, John Fernandez <[EMAIL PROTECTED]> wrote:
>> >> >> Maybe I didn't add it right but here is what I added.
>> >> >>
>> >> >> I added a TXT record using godaddy wizard
>> >> >>
>> >> >> TXT name is: private._domainkey.domain.com
>> >> >> TXT value is: k=rsa;
>> >> >> p=XXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.........
>> >> >>
>> >> >> I wasn't really sure what to put on the name. In my SPF I only
>> had @
>> >> in
>> >> >> the TXT name. Should I be putting @ also for domainkeys?
>> >> >>
>> >> >> Here is the output you are asking for.
>> >> >> $ host -t txt domain.com
>> >> >> domain.com text "v=spf1 a mx:domain.com ip4:xxx.xxx.xxx.xxx/24
>> -all"
>> >> >>
>> >> >> Thanks,
>> >> >>
>> >> >> John.
>> >> >>
>> >> >>
>> >> >> Erik Espinoza wrote:
>> >> >> > What type of record did you add in GoDaddy? Did you make 
sure it
>> >> was a
>> >> >> > txt record? What shows up when you type host -t txt
>> domain.com at
>> >> the
>> >> >> > command line?
>> >> >> >
>> >> >> > On 5/20/06, John Fernandez <[EMAIL PROTECTED]> wrote:
>> >> >> >>       I am getting the below results when sending to both 
yahoo
>> >> and
>> >> >> >> gmail.
>> >> >> >>
>> >> >> >>  yahoo
>> >> >> >>  Authentication-Results:    mta183.mail.re4.yahoo.com
>> >> >> from=domain.com;
>> >> >> >> domainkeys=fail (bad sig)
>> >> >> >>  .
>> >> >> >>  .
>> >> >> >>  DomainKey-Signature:    a=rsa-sha1; q=dns; c=nofws; 
s=private;
>> >> >> >> d=domain.com;
>> >> >> >>
>> b=Dxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ;
>> >> >> >>
>> >> >> >>  gmail
>> >> >> >>  DomainKey-Status: bad
>> >> >> >>  .
>> >> >> >>  .
>> >> >> >>  DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;  
s=private;
>> >> >> >> d=domain.com;
>> >> >> >>
>> b=Zxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  ;
>> >> >> >>
>> >> >> >>  here is my tcp.smtp
>> >> >> >>  127.:allow,RELAYCLIENT=""
>> >> >> >>
>> >> >>
>> 
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONG 

>>
>> 
RCPTLIMIT="10",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan",DKQUE 

>>
>> 
UE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/d 

>>
>> omain.com/private"
>> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >>  Here is what I have in my dns. (i have godaddy and im 
guessing
>> >> >> they are
>> >> >> >> using bind).
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >> private._domainkey.domain.com
>> >> >> >>  k=rsa;
>> >> >> >>
>> >> >>
>> 
p=Mxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 

>>
>> xx
>> >> >>
>> >> >> >>
>> >> >> >>  3600
>> >> >> >>
>> >> >> >>
>> >> >>
>> ---------------------------------------------------------------------
>> >> >> >>  QmailToaster hosted by: VR Hosted
>> >> >> >>
>> >> >>
>> ---------------------------------------------------------------------
>> >> To
>> >> >> >> unsubscribe, e-mail:
>> >> >> [EMAIL PROTECTED] For
>> >> >> >> additional commands, e-mail:
>> >> [EMAIL PROTECTED]
>> >> >> >
>> >> >> >
>> ---------------------------------------------------------------------
>> >> >> >     QmailToaster hosted by: VR Hosted <http://www.vr.org>
>> >> >> >
>> ---------------------------------------------------------------------
>> >> >> > To unsubscribe, e-mail:
>> >> [EMAIL PROTECTED]
>> >> >> > For additional commands, e-mail:
>> >> >> [EMAIL PROTECTED]
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> ---------------------------------------------------------------------
>> >> >>      QmailToaster hosted by: VR Hosted <http://www.vr.org>
>> >> >>
>> ---------------------------------------------------------------------
>> >> >> To unsubscribe, e-mail:
>> >> [EMAIL PROTECTED]
>> >> >> For additional commands, e-mail:
>> >> [EMAIL PROTECTED]
>> >> >>
>> >> >>
>> >> >
>> >> >
>> ---------------------------------------------------------------------
>> >> >     QmailToaster hosted by: VR Hosted <http://www.vr.org>
>> >> >
>> ---------------------------------------------------------------------
>> >> > To unsubscribe, e-mail:
>> [EMAIL PROTECTED]
>> >> > For additional commands, e-mail:
>> >> [EMAIL PROTECTED]
>> >> >
>> >>
>> >>
>> >> 
---------------------------------------------------------------------
>> >>      QmailToaster hosted by: VR Hosted <http://www.vr.org>
>> >> 
---------------------------------------------------------------------
>> >> To unsubscribe, e-mail:
>> [EMAIL PROTECTED]
>> >> For additional commands, e-mail:
>> [EMAIL PROTECTED]
>> >>
>> >>
>> >
>> > 
---------------------------------------------------------------------
>> >      QmailToaster hosted by: VR Hosted <http://www.vr.org>
>> > 
---------------------------------------------------------------------
>> > To unsubscribe, e-mail: 
[EMAIL PROTECTED]
>> > For additional commands, e-mail:
>> [EMAIL PROTECTED]
>> >
>> >
>>
>>
>>
>> ---------------------------------------------
>> .how soon not now becomes never. _martin luther
>>
>>
>> ---------------------------------------------------------------------
>>      QmailToaster hosted by: VR Hosted <http://www.vr.org>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: 
[EMAIL PROTECTED]
>> For additional commands, e-mail: 
[EMAIL PROTECTED]
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>>      QmailToaster hosted by: VR Hosted <http://www.vr.org>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: 
[EMAIL PROTECTED]
>> For additional commands, e-mail: 
[EMAIL PROTECTED]
>>
>>
>
> ---------------------------------------------------------------------
>     QmailToaster hosted by: VR Hosted <http://www.vr.org>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: 
[EMAIL PROTECTED]
>


---------------------------------------------------------------------
     QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
    QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]