Dear Jake,

I have changed my config file qmail-remote as follows:

<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha256" domain="/var/qmail/control/me" 
keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />

</global>
<!-- use dkim + domainkey for example.com -->
<gnvfc.net selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</gnvfc.net>

<nprocure.com selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</nprocure.com>

<npay.in selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</npay.in>

<ncode.in selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</ncode.in>

<!-- no signing for example2.com -->
<example2.com />

</dkimsign>

But I have another issue now. Before installing DKIM I was already using 
DomainKeys and have a folder for domain in keys in my control dir, and it was 
working fine till the day I installed DKIM. Now my mails are getting signed 
twice for DomainKeys after putting the new qmail-remote file in place. 

Received-SPF: pass (google.com: domain of acali...@gnvfc.net designates 
203.77.193.20 as permitted sender) client-ip=203.77.193.20;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of 
acali...@gnvfc.net designates 203.77.193.20 as permitted sender) 
smtp.mail=acali...@gnvfc.net; dkim=neutral (no key) header...@gnvfc.net
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gnvfc.net; h=message-id
 :reply-to:from:to:cc:subject:date:mime-version:content-type; q=
 dns; s=dkim1; b=oPBhLaC3ThBMUn8wFl4ZFpJYlqdXplzczaVB1iESxqGLGIUR
 vkmItNyTFpuMtFtMrzfFQ4oqNEXMZ96dIfKbCPCQYdpvA7BgkqhZvzTOkYoZIPcT
 oWPvmfhjT3T4n+aLwThDBn/QLNWbRccoObaYFBqEJwWeY5fxPbo0peZbY70=
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=gnvfc.net; h=message-id
 :reply-to:from:to:cc:subject:date:mime-version:content-type; s=
 dkim1; bh=iHUq0zWCNvVWpMdk41w7F+GJs8A=; b=lNVvKsVPYpDjDvGO5M3ib7
 +ITzHwjluyLcDzy0DLiNvv3mmYuqSUJB72keCx5W5TJaKPJRtAkDSSxKP7vTyUB6
 9/Xx2sQilYSGFXuhmWt2gGDBSyDd9g3ftSF2HlYEFr3CA48cr/wgLk60NsDQHB0x
 iQDnbl7kfjVGoFo4R64Pc=
Received: (qmail 11637 invoked by uid 89); 3 Nov 2009 07:58:09 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=private; d=gnvfc.net;
  
b=2gAcG+kbzh8Etw72xpd/pQzg1uMKJ0ucro5sqtM3TSdK4eIM45uBC9/K3OlPthBbbhFzIDdxRnWIinELV6SHxx6UuYpd9fkwAoyvGkI/WbRSu0hJGCrYDAJjTFqm0gxShkolKzL4rJv9qRS4k2HzQAZGNtspZ5SJqyiumIyVFoE=;
Received: by simscan 1.4.0 ppid: 11631, pid: 11633, t: 0.0337s
         scanners: attach: 1.4.0 clamav: 0.95.2/m:51/d:9979
Received: from unknown (HELO ANIL) (acali...@gnvfc.net@203.77.193.110)

How can I discard the old DomainKeys so that it does not sign mails, and instead 
use the DKIM+DomainKeys config? As I have used <types id="domainkey" method="nofws" /> 
in the above config, that means the same keys will be used for DomainKeys as well, 
if I am wrong and the old DomainKeys will not be used in this case. 

To achieve the same I removed the below-mentioned line from tcp.smtp:
DKSIGN="/var/qmail/control/domainkeys/%/private"

But after removing this line from tcp.smtp my clients are unable to deliver 
mails, with an error saying that it cannot read the key file to sign the mail.



  ----- Original Message ----- 
  From: Anil Aliyan 
  To: qmailtoaster-list@qmailtoaster.com 
  Sent: Tuesday, November 03, 2009 1:01 PM
  Subject: Re: [qmailtoaster] DKIM Error


  Dear Jake,

  I am ready to provide all the details, please let me know what information or 
  config file you want me to provide to you. 

  use strict;
  use warnings;

  our $VERSION = '0.2';

  use Mail::DKIM 0.29;
  use Mail::DKIM::Signer;

  # enable support for "pretty" signatures, if available
  eval 'require Mail::DKIM::TextWrap';

  =head

  config file structure
  - missing settings will be merged from the global-node
  - domain-entry will also match its subdomains
  - create empty domain-node to omit signing (or specify "none" as id)

  <dkimsign>
      <!-- per default sign all mails using dkim -->
      <global algorithm="rsa-sha256" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="beta">
          <types id="dkim" />
      </global>

      <!-- use dkim + domainkey for example.com -->
      <example.com selector="beta2">
          <types id="dkim" />
          <types id="domainkey" method="nofws" />
      </example.com>

      <!-- no signing for example2.com -->
      <example2.com />
  </dkimsign>

  =cut

  my $configfile = undef;
  $configfile = '/var/qmail/control/dkim/signconf.xml';
  my $debugfile = undef;
  #$debugfile = '/tmp/dkim.debug';
  my $qremote = '/var/qmail/bin/qmail-remote.orig';
  my $binary = 0;

  # built-in defaults; the XML config file is merged over these
  our $config;
  $config->{'global'} = {
      types => { dkim => {} },
      keyfile => '/var/qmail/control/dkim/global.key',
      algorithm => 'rsa-sha256',
      method => 'simple',
      selector => 'beta',
      # either string or file (first line of file will be used)
      domain => '/var/qmail/control/me'
  };

  #-------------------------------------------------------------------------------

  # read config file. safely
  if (defined($configfile) && -r $configfile)
  {
      eval 'use XML::Simple';
      if (!$@)
      {
          my $xmlconf;
          eval { $xmlconf = XMLin($configfile, ForceArray => ['types'], KeyAttr => ['id']); };
          qexit_deferral('Unable to read config file: ', $@)
              if ($@);
          ConfigMerge::merge($config, $xmlconf);
      }
  }

  # open debug file
  my $debugfh = undef;
  if (defined($debugfile))
  {
      open($debugfh, '>', $debugfile)
          or qexit_deferral('Unable to open ', $debugfile, ' to writing: ', $!);
  }

  # generate signatures
  my $dkim;
  my $mailbuf = '';
  eval
  {
      my $conf = $config->{'global'};
      $dkim = Mail::DKIM::Signer->new(
          Policy => 'MySignerPolicy',
          Debug_Canonicalization => $debugfh
      );

      if ($binary)
      {
          binmode STDIN;
      }

      # buffer the message unchanged, but feed the signer CRLF-terminated lines
      while (<STDIN>)
      {
          $mailbuf .= $_;
          unless ($binary)
          {
              chomp $_;
              s/\015?$/\015\012/s;
          }
          $dkim->PRINT($_);
      }
      $dkim->CLOSE();
  };
  qexit_deferral('Error while signing: ', $@)
      if ($@);

  # close debug file
  close($debugfh)
      if (defined($debugfh));

  # execute qmail-remote
  unshift(@ARGV, $qremote);
  open(QR, '|-') || exec { $ARGV[0] } @ARGV
      or qexit_deferral('Unable to run qmail-remote: ', $!);

  # prepend the generated signature headers, then pass the original message on
  foreach my $dkim_signature ($dkim->signatures)
  {
      my $sig = $dkim_signature->as_string;
      $sig =~ s/\015\012\t/\012\t/g;
      print QR $sig."\012";
  }
  print QR $mailbuf;
  close(QR);

  #-------------------------------------------------------------------------------

  # qmail-remote result reporting: status letter, message, NUL terminator
  sub qexit
  {
      print @_, "\0";
      exit(0);
  }

  sub qexit_deferral
  {
      return qexit('Z', @_);
  }

  sub qexit_failure
  {
      return qexit('D', @_);
  }

  sub qexit_success
  {
      return qexit('K', @_);
  }

  #-------------------------------------------------------------------------------

  package ConfigMerge;

  # merge config hashes. arrays and scalars will be copied.
  sub merge
  {
      my ($left, $right) = @_;
      foreach my $rkey (keys(%$right))
      {
          my $rtype = ref($right->{$rkey}) eq 'HASH' ? 'HASH'
              : ref($right->{$rkey}) eq 'ARRAY' ? 'ARRAY'
              : defined($right->{$rkey}) ? 'SCALAR'
              : '';
          my $ltype = ref($left->{$rkey}) eq 'HASH' ? 'HASH'
              : ref($left->{$rkey}) eq 'ARRAY' ? 'ARRAY'
              : defined($left->{$rkey}) ? 'SCALAR'
              : '';
          if ($rtype ne 'HASH' || $ltype ne 'HASH')
          {
              $left->{$rkey} = $right->{$rkey};
          }
          else
          {
              merge($left->{$rkey}, $right->{$rkey});
          }
      }
      return;
  }

  #-------------------------------------------------------------------------------

  package MySignerPolicy;

  use Mail::DKIM::SignerPolicy;
  use base 'Mail::DKIM::SignerPolicy';
  use Mail::DKIM::Signature;
  use Mail::DKIM::DkSignature;
  use Carp;
  use strict;
  use warnings;

  sub apply
  {
      my ($self, $signer) = @_;
      my $domain = undef;
      $domain = lc($signer->message_sender->host)
          if (defined($signer->message_sender));

      # merge configs: try the sender domain, then each parent domain
      while($domain)
      {
          if (defined($config->{$domain}))
          {
              $config->{'global'}->{'types'} = undef;
              ConfigMerge::merge($config->{'global'}, $config->{$domain});
              last;
          }
          (undef, $domain) = split(/\./, $domain, 2);
      }

      my $conf = $config->{'global'};
      return 0
          if (!defined($conf->{'types'}) || defined($conf->{'types'}->{'none'}));

      # set key file
      $signer->key_file($conf->{'keyfile'});

      # parse (signature) domain
      if (substr($conf->{'domain'}, 0, 1) eq '/')
      {
          open(FH, '<', $conf->{'domain'})
              or croak('Unable to open domain-file: '.$!);
          my $newdom = (split(/ /, <FH>))[0];
          close(FH);
          croak("Unable to read domain-file. Maybe empty file.")
              if (!$newdom);
          chomp($newdom);
          $conf->{'domain'} = $newdom;
      }

      # generate signatures
      my $sigdone = 0;
      foreach my $type (keys(%{$conf->{'types'}}))
      {
          my $sigconf = $conf->{'types'}->{$type};
          if ($type eq 'dkim')
          {
              $signer->add_signature(
                  new Mail::DKIM::Signature(
                      Algorithm => $sigconf->{'algorithm'} || $conf->{'algorithm'} || $signer->algorithm,
                      Method => $sigconf->{'method'} || $conf->{'method'} || $signer->method,
                      Headers => $sigconf->{'headers'} || $conf->{'headers'} || $signer->headers,
                      Domain => $sigconf->{'domain'} || $conf->{'domain'} || $signer->domain,
                      Selector => $sigconf->{'selector'} || $conf->{'selector'} || $signer->selector,
                      Query => $sigconf->{'query'} || $conf->{'query'},
                      Identity => $sigconf->{'identity'} || $conf->{'identity'},
                      Expiration => $sigconf->{'expiration'} || $conf->{'expiration'}
                  )
              );
              $sigdone = 1;
          }
          elsif ($type eq 'domainkey')
          {
              $signer->add_signature(
                  new Mail::DKIM::DkSignature(
                      Algorithm => 'rsa-sha1', # only rsa-sha1 supported
                      Method => $sigconf->{'method'} || $conf->{'method'} || $signer->method,
                      Headers => $sigconf->{'headers'} || $conf->{'headers'} || $signer->headers,
                      Domain => $sigconf->{'domain'} || $conf->{'domain'} || $signer->domain,
                      Selector => $sigconf->{'selector'} || $conf->{'selector'} || $signer->selector,
                      Query => $sigconf->{'query'} || $conf->{'query'}
                  )
              );
              $sigdone = 1;
          }
      }

      return $sigdone;
  }





  Regards,

  Anil Aliyan

    ----- Original Message ----- 
    From: Jake Vickers 
    To: qmailtoaster-list@qmailtoaster.com 
    Sent: Monday, November 02, 2009 11:42 PM
    Subject: Re: [qmailtoaster] DKIM Error


    Anil Aliyan wrote: 
      Dear Jakes,

      Please find some time to help resolve my problem also, I will be very 
      grateful to you.

      Thanks & Regards,

      Anil Aliyan


      ----- Original Message ----- 
      From: Anil Aliyan 
      To: qmailtoaster-list@qmailtoaster.com 
      Sent: Saturday, October 31, 2009 2:28 AM
      Subject: [qmailtoaster] DKIM Error


      Jakes,

      Please find the config file attached with this mail.


    Pasting the config file into the email is easier for us to help you.
    It looks like your config file may be wrong, depending on how you 
configured your system.
    Right now, your system is going to sign every domain sending email as the 
    domain listed in your /var/qmail/control/me file since you only defined a 
    global rule. This is fine if the me file only contains your domain name 
    (gnvfc.com) but you probably have your hostname in the me file as well 
    (mail.gnvfc.com) so it's signing using that domain.
    You can define individual domains to sign for in this format:

    <dkimsign>
      <!-- per default sign all mails using dkim -->
      <global algorithm="rsa-sha1" domain="/var/qmail/control/me" 
keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
        <types id="dkim" />
      </global>

      <gnvfc.com selector="dkim1">
        <types id="dkim" />
      </gnvfc.com>
    </dkimsign>
    ----------------
    This will inherit any declarations from the <global> tags that you do not 
override (so it will inherit the algorithm="rsa-sha1", keyfile, method).
    But without seeing how you configured other things it's hard to guess.
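
The double signing reported in this thread can be checked mechanically from a received message. The following is an added example, not code from the thread or from the qmail-remote wrapper: it lists every DKIM-Signature and DomainKey-Signature header, flags any type/domain pair that occurs more than once, and counts the Received headers above each signature (each hop prepends its headers, so a signature below a Received line was added before that hop). The sample input is constructed from the headers quoted in the thread, with `b=`/`bh=` values replaced by placeholders.

```python
import re

# Constructed sample modelled on the quoted headers; b=/bh= values are placeholders.
SAMPLE = """\
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gnvfc.net; h=message-id
 :from:to; q=dns; s=dkim1; b=PLACEHOLDER1
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=gnvfc.net; h=message-id
 :from:to; s=
 dkim1; bh=PLACEHOLDER2; b=PLACEHOLDER3
Received: (qmail 11637 invoked by uid 89); 3 Nov 2009 07:58:09 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=private; d=gnvfc.net; b=PLACEHOLDER4;
Received: by simscan 1.4.0 ppid: 11631, pid: 11633, t: 0.0337s
"""

def unfold(raw):
    """Join folded continuation lines into [name, value] pairs, top to bottom."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append([name.strip(), value.strip()])
    return headers

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def signatures(raw):
    """One record per signature header, with the count of Received headers above it."""
    found, received_above = [], 0
    for name, value in unfold(raw):
        if name.lower() == "received":
            received_above += 1
        elif name.lower() in ("dkim-signature", "domainkey-signature"):
            t = parse_tags(value)
            found.append({"type": name.lower(), "d": t.get("d"), "s": t.get("s"),
                          "a": t.get("a"), "received_above": received_above})
    return found

def duplicates(sigs):
    """Return {(type, domain): [selectors]} for pairs signed more than once."""
    groups = {}
    for sig in sigs:
        groups.setdefault((sig["type"], sig["d"]), []).append(sig["s"])
    return {key: sels for key, sels in groups.items() if len(sels) > 1}
```
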
