I appreciate you doing a test to yahoo, it gives me one more piece to the puzzle. I've never seriously considered the Mac to be any part of the real problem. But it's where I am in the process of elimination. I would like to turn off DKIM but Yahoo is so strange, the sometimes will block emails that are not spam, have the correct RDNS and also have a good DKIM signature. So I've been hopeful that as I implement each new little thing like DKIM, that yahoo will stop being so retarted on what they block/deffer and put into the spam folder. I've had valid emails from someone for months, and then all of a sudden they are put into my spam folder. But I can't expect yahoo to accept my emails if I'm using DKIM and my HASH doesn't work right. So like you've suggested, maybe I'll just turn it off.
Thanks John On Thu, Aug 28, 2008 at 11:08 AM, Eric Shubert <[EMAIL PROTECTED]> wrote: > FWIW, I just had my Mac user send a test to yahoo, and it came through just > fine: > > Authentication-Results: mta230.mail.re4.yahoo.com from=shubes.net; > domainkeys=pass (ok) > ... > DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=shubes.net; > b=UncEkJWJcam4+5rGNSbusen0silI486Nm9KxTZRLuJoA5qQ55efjifjFRc6VKxQX; > Received: by simscan 1.3.1 ppid: 26131, pid: 26134, t: 0.0166s scanners: > clamav: 0.93.3 > > Eric Shubert wrote: >> I'd look very carefully at the Mac's configuration. I have a Mac user on a >> toaster signing with DKs, and haven't heard of any undeliverables. Not sure >> there's much if anything going to yahoo from there though. >> >> Then I'd consider turning off DK signatures. Not many servers actively use >> them. Even google groups (google 'invented' DKs) only uses DKs in test mode >> (last I checked, several months ago). >> >> Tek Support wrote: >>> Yes that's correct, both are in the same domain. >>> >>> Thanks >>> John >>> >>> >>> >>> On Wed, Aug 27, 2008 at 10:24 PM, Eric Shubert <[EMAIL PROTECTED]> wrote: >>>> That's an odd one, all right. And I think you've described the situation >>>> pretty well (at least I think I understand what's happening). >>>> >>>> Both instances are sending from exactly the same domain, right? >>>> >>>> Tek Support wrote: >>>>> You know, I don't think it has anything to do with simscan. A staff >>>>> member in the office using a Mac laptop is sending mail to port 587 >>>>> (no TLS option available in her Mac - only SSL, but she is in the >>>>> local office and the Mail Server is in the local office, and she is >>>>> not sending her password over the internet, so it's probably fine to >>>>> go without TLS in her case). Anyway, when she sends an email to port >>>>> 587 into our mail server to yahoo, it fails with domainkey failed >>>>> error header. When I send via PC and Thuderbird into our external >>>>> firewall port forwarded into Mail Server port 587 with or without TLS >>>>> to yahoo (I've tried both ways), it works perfectly and the domainkey >>>>> header suceeded. >>>>> >>>>> In both instances (Mac internal office, PC external - internet), >>>>> simscan is listed below the Domainkey header. So since mine works and >>>>> her's does not, I don't think it is simscan/clamav. It's happening to >>>>> both of our emails, so that would not appear to be a problem. >>>>> >>>>> But, what in the world could it be? I'm obviously going to have to go >>>>> into the office and try sending from my Thunderbird out to yahoo and >>>>> see if that still works. But no matter if it does or does not, how >>>>> could Mac Mail or PC Thunderbird have anything to do with the headers >>>>> and HASH that would cause domainkeys to fail or suceed since they are >>>>> only calculated and added after the message has been handed off to >>>>> port 587 on the Mail Server? >>>>> >>>>> For referrence, the external firewall only does a packet forwarding >>>>> into our mail server for traffic on port 587, and does not rewrite >>>>> anything. >>>>> >>>>> Thanks >>>>> John >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> On Wed, Aug 27, 2008 at 9:06 PM, Tek Support <[EMAIL PROTECTED]> wrote: >>>>>> Well, we probably don't need it that bad that then. >>>>>> >>>>>> Thanks >>>>>> John >>>>>> >>>>>> >>>>>> >>>>>> On Wed, Aug 27, 2008 at 10:37 AM, Eric Shubert <[EMAIL PROTECTED]> wrote: >>>>>>> I don't know, short of looking at the code. That would be in the >>>>>>> (heavily >>>>>>> patched) source code for the qmail-smtp program. Looking that up would >>>>>>> not >>>>>>> be a trivial exercise. >>>>>>> >>>>>>> Tek Support wrote: >>>>>>>> As you said (would have to), how do I determine the order they are >>>>>>>> run? Is it simply that the DKIM header is added on top of the >>>>>>>> simscan, thus simscan first and dkim 2nd? >>>>>>>> >>>>>>>> Thanks >>>>>>>> John >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Tue, Aug 26, 2008 at 2:14 PM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>>> wrote: >>>>>>>>> Simscan does scan outbound mail, but scans only for viruses (clamav), >>>>>>>>> not >>>>>>>>> spam (spamassassin). This is consistent with the message you're >>>>>>>>> seeing. >>>>>>>>> >>>>>>>>> Adding the DK signature would (have to) happen after this scan. >>>>>>>>> >>>>>>>>> Tek Support wrote: >>>>>>>>>> Hi Eric, thanks for the quick reply. The reason I think it's doing >>>>>>>>>> outbound scanning is a specific line in the header, maybe you can >>>>>>>>>> shed >>>>>>>>>> some light on it. In an email sent from mydomain to my yahoo accout >>>>>>>>>> these are in the headers. The line I'm interrested in, is possibly >>>>>>>>>> added by yahoo, but I think it's from me. >>>>>>>>>> >>>>>>>>>> Received: by simscan 1.3.1 ppid: 4768, pid: 4895, t: 0.0658s >>>>>>>>>> scanners: attach: 1.3.1 clamav: 0.93.3 >>>>>>>>>> >>>>>>>>>> Wouldn't simscan be run on my box, and if so, would it be done before >>>>>>>>>> DKIM or after? >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> John >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Tue, Aug 26, 2008 at 9:42 AM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>>>>> wrote: >>>>>>>>>>> Tek Support wrote: >>>>>>>>>>>> Hi all, recently I had asked if there was a reason to use the port >>>>>>>>>>>> 587 >>>>>>>>>>>> if I installed spamdyke (because spamdyke authenticated my dynamic >>>>>>>>>>>> users and ignored the rbls). Well, maybe I've found something that >>>>>>>>>>>> would still require me to use 587 instead of port 25. I would >>>>>>>>>>>> appreciate any info. >>>>>>>>>>>> >>>>>>>>>>>> As of right now, my staff are using port 25 for outbound - I just >>>>>>>>>>>> didn't see the need to have another port open to the outside when >>>>>>>>>>>> after installing spamdyke, they were able to send and were not >>>>>>>>>>>> blocked >>>>>>>>>>>> as "dynamic". But the staff have been having trouble sending to >>>>>>>>>>>> yahoo.com, and in looking at the headers on a message that finally >>>>>>>>>>>> arrived into yahoo (and gmail) the headers show this: >>>>>>>>>>>> >>>>>>>>>>>> Authentication-Results: mta553.mail.mud.yahoo.com >>>>>>>>>>>> from=mydomain.com; >>>>>>>>>>>> domainkeys=fail (bad sig) >>>>>>>>>>>> >>>>>>>>>>>> But I had gone through the process step by step and tested my DKIM >>>>>>>>>>>> with the sourceforge.net sites, and those showed that my dkim >>>>>>>>>>>> seemed >>>>>>>>>>>> accurate. So, anyway in a brilliant flash of light I decided to >>>>>>>>>>>> try >>>>>>>>>>>> port 587, and on my first try I got these headers in an email sent >>>>>>>>>>>> to >>>>>>>>>>>> yahoo and gmail: >>>>>>>>>>>> >>>>>>>>>>>> Received-SPF: pass .... >>>>>>>>>>>> DomainKey-Status: good >>>>>>>>>>>> Authentication-Results: mx.google.com; spf=pass ... >>>>>>>>>>>> >>>>>>>>>>>> So, I guess my question would be, does something in the spam >>>>>>>>>>>> checking >>>>>>>>>>>> on outbound emails from pop3/smtp users (not imap and squirrelmail) >>>>>>>>>>>> with spamdyke, rewrite the headers after the dkim has processed the >>>>>>>>>>>> email which would cause my DKIM hash to be invalid when yahoo and >>>>>>>>>>>> gmail check it? >>>>>>>>>>> I don't believe that spam checking is enabled on outgoing mail, at >>>>>>>>>>> least not >>>>>>>>>>> in the 'stock' toaster. So the answer is, not that I'm aware of. >>>>>>>>>>> >>>>>>>>>>> Note, squirrelmail gets a 'free pass' (open relay), due to the >>>>>>>>>>> localhost >>>>>>>>>>> line in the /etc/tcprules/tcp.smtp file. >>>>>>>>>>> >>>>>>>>>>> Also, be aware that DK and DKIM are 2 different things. The toaster >>>>>>>>>>> has a >>>>>>>>>>> (somewhat broken, at least on the incoming side) DK implementation. >>>>>>>>>>> The >>>>>>>>>>> toaster has no DKIM capability. >>>>>>>>>>> >>>>>>>>>>> I suppose that DK might work (better) with the port 587 >>>>>>>>>>> configuration than >>>>>>>>>>> with port 25. I wouldn't know why though, as I'm not familiar with >>>>>>>>>>> the >>>>>>>>>>> problem(s) that DK has. We had a fellow in Russia on the list a >>>>>>>>>>> while back >>>>>>>>>>> who fixed some things with it, but we haven't heard from him in >>>>>>>>>>> quite a while. >>>>>>>>>>> >>>>>>>>>>>> CentOS 5 >>>>>>>>>>>> x86_64bit >>>>>>>>>>>> >>>>>>>>>>>> Thanks >>>>>>>>>>>> John >>>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> -Eric 'shubes' >>>>>>>>>>> >>>>>>>>> -- >>>>>>>>> -Eric 'shubes' >>>>>>>>> >>>>>>> -- >>>>>>> -Eric 'shubes' >>>>>>> >>>> -- >>>> -Eric 'shubes' >>>> >> >> > > > -- > -Eric 'shubes' > > --------------------------------------------------------------------- > QmailToaster hosted by: VR Hosted <http://www.vr.org> > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > --------------------------------------------------------------------- QmailToaster hosted by: VR Hosted <http://www.vr.org> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
