[Assp-user] Stop spam in Arabic

2023-01-06 Thread Eric Germann via Assp-user
Is there any way to tag as spam messages in certain languages?

I get all kinds of spam in Arabic.  Some makes it to the spam folder and some 
doesn’t.  Wondering if there is a way to block it.

--
Eric Germann
ekgermann {at} semperen {dot} com || ekgermann {at} gmail {dot} com
LinkedIn: https://www.linkedin.com/in/ericgermann
Medium: https://ekgermann.medium.com
Twitter: @ekgermann
Telegram || Signal || Skype || Phone +1 {dash} 419 {dash} 513 {dash} 0712

GPG Fingerprint: 89ED 36B3 515A 211B 6390  60A9 E30D 9B9B 3EBF F1A1







___
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user


Re: [Assp-user] whitedomains.txt

2022-09-07 Thread Eric Germann via Assp-user
This works great.  Thanks!

Eric

> On Sep 6, 2022, at 09:18, K Post  wrote:
> 
> (@|.)wsj.com
> will match @wsj.com and all subdomains
> 
> FYI, I generally use DKIMWLAddresses where possible, instead of 
> WhitelistedDomains.  For a domain like WSJ.com, it's perfect since I know 
> that nearly everything is DKIM signed from (and by) them.  
> 
> The (@|.)wsj.com syntax was suggested by Thomas for 
> DKIMWLAddresses, and that should work with WhitelistedDomains too.  The 
> wildcard (*) isn't necessary as both DKIMWLAddresses and WhitelistedDomains 
> match the end of the from address.  (from the GUI:  "Note this matches the 
> end of the address, so if you don't want to match subdomains then include the 
> @.")  
> 
> Using DKIMWLAddresses prevents WhitelistedDomains from allowing spoofed mail 
> through.  The only time I use WhitelistedDomains is if there's a subdomain 
> that I need to always let through that isn't signed by the sender.
> 
> Hope this helps.
> 
> 
> 
> On Tue, Aug 30, 2022 at 7:51 PM Doug Lytle <supp...@drdos.info> wrote:
> On 8/30/22 18:02, Robert Ellsworth wrote:
>> *.wsj.com
>> On Tue, Aug 30, 2022, 5:21 PM Eric Germann via Assp-user 
>> <assp-user@lists.sourceforge.net> wrote:
>> If I want to match all subdomains of a domain (@interactive.wsj.com 
>> as well as @wsj.com), what is the proper format for the entry in 
>> whitedomains.txt
> 
> You'll also need to add @wsj.com as well.
> 
> Doug
> 
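
How the entry forms discussed in this thread behave against look-alike sender domains, and why the DKIM-backed list resists a forged From address, as an added example that is not code from the thread or from ASSP. It is a model under stated assumptions: entries match the end of the address (as the quoted GUI note says), `.` is literal, `(a|b)` is an alternation, and a DKIM-list entry only counts when a verified signature's d= domain covers the From domain. Function names and sample addresses are constructed.

```python
import re

# Constructed sample senders: two legitimate, three look-alike domains.
LEGIT = ["news@wsj.com", "alerts@interactive.wsj.com"]
LOOKALIKE = ["promo@notwsj.com", "promo@fake-wsj.com", "promo@wsj.com.example.net"]


def entry_to_regex(entry: str) -> re.Pattern:
    """Model of one list entry. ASSUMPTION: '.' is literal, '(a|b)' is an
    alternation, and the entry must match the END of the address."""
    parts = re.split(r"([()|])", entry)
    body = "".join(p if p in ("(", ")", "|") else re.escape(p) for p in parts)
    return re.compile(f"(?:{body})$", re.IGNORECASE)


def audit_entry(entry: str) -> dict:
    """Which legitimate senders an entry misses and which look-alikes it accepts."""
    rx = entry_to_regex(entry)
    return {
        "missed": [a for a in LEGIT if not rx.search(a)],
        "lookalikes_accepted": [a for a in LOOKALIKE if rx.search(a)],
    }


def is_whitelisted(from_addr, dkim_signer, domain_entries=(), dkim_entries=()):
    """Model of the two lists. dkim_signer is the d= domain of a signature that
    verified, or None. ASSUMPTION: a DKIM-list entry only counts when the
    verified signer is the From domain or a parent of it."""
    if any(entry_to_regex(e).search(from_addr) for e in domain_entries):
        return True  # the From address alone decides; nothing was authenticated
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    signed = dkim_signer is not None and (
        from_domain == dkim_signer.lower()
        or from_domain.endswith("." + dkim_signer.lower())
    )
    return signed and any(entry_to_regex(e).search(from_addr) for e in dkim_entries)


if __name__ == "__main__":
    for entry in ("wsj.com", "@wsj.com", "(@|.)wsj.com"):
        print(f"{entry:14} {audit_entry(entry)}")
    cases = {
        "forged From, no valid signature": ("news@wsj.com", None),
        "signature verified for wsj.com": ("news@wsj.com", "wsj.com"),
    }
    for label, (addr, signer) in cases.items():
        print(label,
              "| domain list:", is_whitelisted(addr, signer, domain_entries=["(@|.)wsj.com"]),
              "| DKIM list:", is_whitelisted(addr, signer, dkim_entries=["(@|.)wsj.com"]))
```

Under these assumptions the bare entry accepts any domain that merely ends in the same text, while the same `(@|.)` entry placed in the DKIM-backed list rejects a forged From address that the plain domain list would accept.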



[Assp-user] whitedomains.txt

2022-08-30 Thread Eric Germann via Assp-user
If I want to match all subdomains of a domain (@interactive.wsj.com as well as 
@wsj.com), what is the proper format for the entry in whitedomains.txt



[Assp-user] Adding Authentication-Results header to ASSP?

2022-04-12 Thread Eric Germann via Assp-user
Am I missing some setting in ASSP for it to add the “Authentication-Results” 
header to an email passing thru?

It already adds “X-Original-Authentication-Results” to the email so it’s doing 
some validation of DKIM, DMARC, and ARC.

Thoughts?



[Assp-user] IPv6 addresses in ipwl.txt

2022-03-30 Thread Eric Germann via Assp-user
What is the correct format for IPv6 addresses in ipwl.txt and other files with 
IP addresses?


I get the following when I spec them as such with brackets.  Without didn’t 
seem to work correctly either.

unable to resolve IP for hostname '[2600::yyy:::/56]' in 
configuration of ‘whiteListedIPs'




[Assp-user] Converting to db files

2021-10-14 Thread Eric Germann via Assp-user
For a number of “databases” I’m using files and I get messages like this:

PTRCache: the PTRCache contains 1417 records - it is recommended to use a 
database for 'pbdb' to prevent memory leaking

How do I convert to using db files?  If I spec a db file in the config, will it 
automatically inhale the existing data?

Thanks



[Assp-user] Proper connection string to use BerkeleyDB for databases

2021-05-27 Thread Eric Germann via Assp-user
Hello all.

I’m getting a "it is highly recommended to use a database for 'pbdb' to reduce 
memory usage and to prevent memory leaking" suggestion from ASSP.  What is the 
proper connection string/database type to use BDB similar to those for mysql, 
etc?

Thanks



Re: [Assp-user] Odd behavior with STARTTLS

2021-05-16 Thread Eric Germann via Assp-user
Figured it out.  For the archives:

internet.nl walks through a series of ciphers and protocols including SSL2, 
SSL3.  It also negotiates a number of ciphers.  This caused it to trip the 
failed SSL trigger and end up in “SSL-failed-cache”.

To fix it and let the test complete, added the IP address (62.204.66.10 at this 
time) of internet.nl to the “noBanFailedSSLIP” field, and the test completed 
with SSL available.

> On May 16, 2021, at 11:12 AM, Eric Germann  wrote:
> 
> I’m testing the rollout of MTA-STS for my mail server.
> 
> It passes tests from https://aykevl.nl/apps/mta-sts/ and 
> https://www.mailhardener.com/tools/mta-sts-validator?domain=semperen.com
> 
> What it doesn’t pass is https://internet.nl/mail/semperen.com/529704/ 
> where it claims STARTTLS isn’t presented.
> 
> So I dug into a packet capture and sure enough STARTTLS is not presented to 
> the internet.nl client as an option (see highlighted sections from the 
> packet capture).
> 
> STARTTLS is presented to all other hosts I’ve tested so what would make it 
> not present it in this case?
> 
> 
> 
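
A check for the symptom in this thread, as an added example that is not code from the post or from ASSP: it parses the EHLO replies one server gave to different clients, reports which client was not offered STARTTLS (and whether AUTH was still advertised to it), and refuses to conclude anything from a reply that a capture cut short. The replies, host name, SIZE value and function names are constructed, modelled on the capture in this thread.

```python
import re

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed EHLO keyword list modelled on the capture in this thread.
# Host name and SIZE value are placeholders.
COMMON = ["SIZE 10240000", "VRFY", "NOOP", "AUTH PLAIN LOGIN",
          "ENHANCEDSTATUSCODES", "8BITMIME", "DSN"]


def build_reply(keywords):
    """Render a multi-line 250 reply: '250-' on all lines but the last."""
    lines = ["smtp.example.test"] + list(keywords)
    out = [f"250-{text}" for text in lines[:-1]] + [f"250 {lines[-1]}"]
    return "\r\n".join(out) + "\r\n"


REPLY_TO_TESTER = build_reply(COMMON)                # STARTTLS withheld
REPLY_TO_OTHER = build_reply(["STARTTLS"] + COMMON)  # STARTTLS offered
TRUNCATED_REPLY = "250-smtp.example.test\r\n250-SIZE 10240000\r\n"


def parse_ehlo(raw):
    """Return {KEYWORD: [params]} for a complete EHLO reply, else raise ValueError."""
    lines = [line for line in raw.split("\r\n") if line]
    if not lines:
        raise ValueError("empty reply")
    caps = {}
    for i, line in enumerate(lines):
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code, sep, text = m.groups()
        if code != "250":
            raise ValueError(f"EHLO was answered with {code}")
        is_last = i == len(lines) - 1
        if is_last and sep == "-":
            raise ValueError("reply truncated: last line is a continuation")
        if not is_last and sep == " ":
            raise ValueError("unexpected data after the final reply line")
        words = text.split()
        if i == 0 or not words:
            continue  # first line carries the server's domain, not a keyword
        caps[words[0].upper()] = words[1:]
    return caps


def assess(caps):
    """Findings for one client's view of the server."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
        if "AUTH" in caps:
            findings.append("AUTH " + "/".join(caps["AUTH"]) + " offered before any TLS")
    return findings


def compare_clients(replies):
    """Per client: findings, plus keywords other clients got that this one did not."""
    parsed = {client: parse_ehlo(raw) for client, raw in replies.items()}
    everything = set().union(*parsed.values())
    return {
        client: {"findings": assess(caps), "withheld": sorted(everything - set(caps))}
        for client, caps in parsed.items()
    }


if __name__ == "__main__":
    report = compare_clients({"tester": REPLY_TO_TESTER, "other": REPLY_TO_OTHER})
    for client, result in report.items():
        print(client, result)
```

A keyword listed under "withheld" for a single client points at per-client state on the server side, which in this thread was the tester's IP address sitting in the SSL-failed-cache.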



[Assp-user] Odd behavior with STARTTLS

2021-05-16 Thread Eric Germann via Assp-user
I’m testing the rollout of MTA-STS for my mail server.

It passes tests from https://aykevl.nl/apps/mta-sts/ and 
https://www.mailhardener.com/tools/mta-sts-validator?domain=semperen.com

What it doesn’t pass is https://internet.nl/mail/semperen.com/529704/ 
where it claims STARTTLS isn’t presented.

So I dug into a packet capture and sure enough STARTTLS is not presented to the 
internet.nl client as an option (see highlighted sections from the packet 
capture).

STARTTLS is presented to all other hosts I’ve tested so what would make it not 
present it in this case?


15:01:37.902309 IP ip-100-86-20-120.smtp > internet.nl.4514: Flags [P.], seq 
1:38, ack 1, win 26883, length 37: SMTP: 220 smtp.semperen.com ESMTP Postfix
0x:  4500 004d 142e 4000 ff06 6dd8 6456 1478  e.@...m.dv.x
0x0010:  3ecc 420a 0019 11a2 9b8e ac99 466e 6e00  >.B.Fnn.
0x0020:  5018 6903 f9e3  3232 3020 736d 7470  P.i.220.smtp
0x0030:  2e73 656d 7065 7265 6e2e 636f 6d20 4553  .semperen.com.ES
0x0040:  4d54 5020 506f 7374 6669 780d 0a MTP.Postfix..
15:01:37.992610 IP internet.nl.4514 > ip-100-86-20-120.smtp: Flags [.], ack 38, 
win 64203, length 0
0x:  4500 0028 4aa3 4000 2e06 0889 3ecc 420a  E..(J.@.>.B.
0x0010:  6456 1478 11a2 0019 466e 6e00 9b8e acbe  dV.xFnn.
0x0020:  5010 facb aced  d931 4a68 9257   P1Jh.W
15:01:38.016294 IP internet.nl.4514 > ip-100-86-20-120.smtp: Flags [P.], seq 
1:19, ack 38, win 64203, length 18: SMTP: EHLO internet.nl
0x:  4500 003a 4aa4 4000 2e06 0876 3ecc 420a  E..:J.@v>.B.
0x0010:  6456 1478 11a2 0019 466e 6e00 9b8e acbe  dV.xFnn.
0x0020:  5018 facb c8e1  4548 4c4f 2069 6e74  P...EHLO.int
0x0030:  6572 6e65 742e 6e6c 0d0a ernet.nl..
15:01:38.016301 IP ip-100-86-20-120.smtp > internet.nl.4514: Flags [.], ack 19, 
win 26883, length 0
0x:  4500 0028 142f 4000 ff06 6dfc 6456 1478  E..(./@...m.dV.x
0x0010:  3ecc 420a 0019 11a2 9b8e acbe 466e 6e12  >.B.Fnn.
0x0020:  5010 6903 f9be   P.i.
15:01:38.051355 IP ip-100-86-20-120.smtp > internet.nl.4514: Flags [P.], seq 
38:171, ack 19, win 26883, length 133: SMTP: 250-smtp.semperen.com
0x:  4500 00ad 1430 4000 ff06 6d76 6456 1478  e.@...mvdv.x
0x0010:  3ecc 420a 0019 11a2 9b8e acbe 466e 6e12  >.B.Fnn.
0x0020:  5018 6903 fa43  3235 302d 736d 7470  P.i..C..250-smtp
0x0030:  2e73 656d 7065 7265 6e2e 636f 6d0d 0a32  .semperen.com..2
0x0040:  3530 2d53 495a 4520 3230 3030 3030 3030  50-SIZE.2000
0x0050:  300d 0a32 3530 2d56 5246 590d 0a32 3530  0..250-VRFY..250
0x0060:  2d4e 4f4f 500d 0a32 3530 2d41 5554 4820  -NOOP..250-AUTH.
0x0070:  504c 4149 4e20 4c4f 4749 4e0d 0a32 3530  PLAIN.LOGIN..250
0x0080:  2d45 4e48 414e 4345 4453 5441 5455 5343  -ENHANCEDSTATUSC
0x0090:  4f44 4553 0d0a 3235 302d 3842 4954 4d49  ODES..250-8BITMI
0x00a0:  4d45 0d0a 3235 3020 4453 4e0d 0a ME..250.DSN..



Re: [Assp-user] subject tagging with spam

2021-04-15 Thread Eric Germann via Assp-user
Thank you!  It’s been driving me nuts!

Eric


> On Apr 15, 2021, at 9:37 AM, K Post  wrote:
> 
> Hi Eric,
> Under "TestModes and SPAM Tagging" you'll see:
> Prepend Spam Subject (spamSubject) and
> Prepend Spam Tag (spamTag)
> 
> The spamSubject gets prepended to the message's subject if you're in testmode 
> or when a message score is above PentaltyMessageLowLimit.  That's why you're 
> seeing [SPAM] prepended (good - you said you want that).
> 
> The spamTag checkbox puts the reasons that the message was scored.  The 
> option name isn't terribly clear in my opinion, but the explanation in 
> the gui helps:
> If checked, the method(s) ASSP used which caught the spam will be prepended 
> to the subject of the email. For example; [DNSBL]
> 
> 
> 
> On Wed, Apr 14, 2021 at 4:14 PM Eric Germann via Assp-user 
> <assp-user@lists.sourceforge.net> wrote:
> I’m seeing messages like this for spam messages which I filter in to a Junk 
> mail folder
> 
> [SPAM] - [MessageLimit][lowlimit] 
> 
> What causes [MessageLimit][lowlimit] and how do I get rid of those.  I’d like 
> it to just say "[SPAM] - "



[Assp-user] subject tagging with spam

2021-04-14 Thread Eric Germann via Assp-user
I’m seeing messages like this for spam messages which I filter in to a Junk 
mail folder

[SPAM] - [MessageLimit][lowlimit] 

What causes [MessageLimit][lowlimit] and how do I get rid of those.  I’d like 
it to just say "[SPAM] - "


[Assp-user] Converting to databases

2021-04-01 Thread Eric Germann
Hello all,

I’m looking to convert my install to using a DB to eliminate messages like “it 
is highly recommended to use a database for 'spamdb' to reduce memory usage and 
to prevent memory leaking”

I’d prefer to use a standalone file based database as my volume is low, 
relatively speaking.

Is there a guide to do this?

If not, I have several questions:

1.  What is the database driver string for BerkeleyDB?

2.  Is the file created automatically?

3.  Are the tables created automatically?

4.  If not, how do you load the schema?

5.  Any tips, caveats, or issues to watch out for?

6.  Is it worth it to convert?

Thanks in advance

Eric





Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Eric Germann
Issue is fixed.  It was a record formatting issue in BIND that clipped the 
record (before the one that only showed v=DKIM1)

I route several domains thru this box.  Is there any issue with using the same 
private key and published public key for each domain?

Formatting the DNS record is a PITA.

Sorry for the flurry of questions.  Thanks for the heads up to chase down DNS.

Eric


> On Mar 31, 2021, at 4:22 PM, Eric Germann  wrote:
> 
> Fixed that now.  I was working on wrapping in the DNS to get it to load.
> 
> Eric
> 
> 
>> On Mar 31, 2021, at 3:11 PM, Dossy Shiobara <do...@panoptic.com> wrote:
>> 
>> 
>> 
>> On 3/31/21 12:57 PM, Eric Germann wrote:
>>> [...]
>>> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
>>> 
>>> [...]
>>> 
>>> My public key is published in the DNS for .com.  
>>> I’ve verified it’s there by doing a "dig @nameserver 
>>> dkim._domainkey..com +short".  It matches 
>>> what is in the DKIM generator.
>> 
>> You tried to obscure the domain name but you missed redacting it one place.  
>> If that domain name is the actual one you're working with, then your DNS 
>> entry is incomplete:
>> 
>> ```
>> $ dig dkim._domainkey.semperen.com txt +short
>> "v=DKIM1"
>> ```
>> 
>> Compare that to the published DKIM key for my domain, panoptic.com:
>> 
>> ```
>> $ dig default._domainkey.panoptic.com txt +short
>> "v=DKIM1\; k=rsa\; 
>> p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM"
>>  
>> "yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE"
>>  
>> "y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa"
>>  "50F0L9kMwGyfqVTUaE+KcEQIDAQAB"
>> ```
>> 
>> Not sure if the lack of public key published in your DNS entry would result 
>> in a "bad RSA signature" failure on validation, but there's no way to 
>> validate the signature without your public key published properly.
>> 
>> HTH, HAND,
>> 
>> Dossy
>> 
>> -- 
>> Dossy Shiobara       |  "He realized the fastest way to change
>> do...@panoptic.com   |   is to laugh at your own folly -- then you
>> http://panoptic.com/ |   can let go and quickly move on." (p. 70)
>>   * WordPress * jQuery * MySQL * Security * Business Continuity *
> 



Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Eric Germann
Fixed that now.  I was working on wrapping in the DNS to get it to load.

Eric


> On Mar 31, 2021, at 3:11 PM, Dossy Shiobara  wrote:
> 
> 
> 
> On 3/31/21 12:57 PM, Eric Germann wrote:
>> [...]
>> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
>> 
>> [...]
>> 
>> My public key is published in the DNS for .com.  I’ve 
>> verified it’s there by doing a "dig @nameserver dkim._domainkey..com 
>> +short".  It matches what is in the DKIM generator.
> 
> You tried to obscure the domain name but you missed redacting it one place.  
> If that domain name is the actual one you're working with, then your DNS 
> entry is incomplete:
> 
> ```
> $ dig dkim._domainkey.semperen.com txt +short
> "v=DKIM1"
> ```
> 
> Compare that to the published DKIM key for my domain, panoptic.com:
> 
> ```
> $ dig default._domainkey.panoptic.com txt +short
> "v=DKIM1\; k=rsa\; 
> p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM"
>  
> "yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE"
>  
> "y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa"
>  "50F0L9kMwGyfqVTUaE+KcEQIDAQAB"
> ```
> 
> Not sure if the lack of public key published in your DNS entry would result 
> in a "bad RSA signature" failure on validation, but there's no way to 
> validate the signature without your public key published properly.
> 
> HTH, HAND,
> 
> Dossy
> 


Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Eric Germann
One added note/question.  If I remove the dkim private key, my understanding is 
assp is to create them on startup.

Two questions

1.  Is this accurate and if it isn’t doing it, how does one force it?
2.  If I run more than one domain thru ASSP and want them signed (defined in 
dkimconfig.txt), where do the autogenerated certs put their keys?  If they’re 
in dlim-pub, how do you distinguish them for each domain?

Thanks


> On Mar 31, 2021, at 12:57 PM, Eric Germann  wrote:
> 
> Hello all,
> 
> I’m pulling my hair out with DKIM in ASSP and not sure where else I can look.
> 
> Inbound DKIM works fine.  Mail validates and passes.
> 
> Outbound mail is a different story.
> 
> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
> 
> http://.com/>>
>   
> Algorithm=rsa-sha1
> Method=relaxed/relaxed
> Headers=From:Subject:To
> KeyFile=/usr/local/assp/certs/dkim-dkim-.com.key
> Mode=DKIM
>   
> http://semperen.com/>>
> 
> The key is 2048 bits and is generated by 
> https://easydmarc.com/tools/dkim-record-generator.  I trimmed down the 
> Headers to just From, Subject and To which shouldn’t be calculated or change 
> at all.
> 
> I know it’s picking up the key because when it’s in place, it generates a 
> “bad RSA signature” in https://dkimvalidator.com/results.  If I remove the 
> private key file, no sig is generated in the headers at all.  Google also 
> shows only the SPF header as matching and completely skips over the DKIM 
> status when the key file is missing.  DMARC passes because the policy is set 
> to SPF or DKIM need to pass, not both.  rsa-sha1 is listed in the DKIM sig 
> and k=rsa is in the public key.
> 
> My public key is published in the DNS for .com.  I’ve 
> verified it’s there by doing a "dig @nameserver dkim._domainkey..com 
> +short".  It matches what is in the DKIM generator.
> 
> I know the DKIM generator is generating valid sigs because it outputs the 
> public and private keys in PEM format also.  I’m able to sign a file and 
> decode it with the public and private keys just fine.
> 
> So, I’m at wits’ end.  Is there a way to mimic what Mail::DKIM is doing?  Is 
> it as simple as extracting the headers to From, Subject and To in that order 
> then trying to sign them from the command line?
> 
> Any other debugging advice?
> 
> Thanks in advance for any advice.
> 
> Eric
> 
> 
> 



[Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Eric Germann
Hello all,

I’m pulling my hair out with DKIM in ASSP and not sure where else I can look.

Inbound DKIM works fine.  Mail validates and passes.

Outbound mail is a different story.

In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain


  
Algorithm=rsa-sha1
Method=relaxed/relaxed
Headers=From:Subject:To
KeyFile=/usr/local/assp/certs/dkim-dkim-.com.key
Mode=DKIM
  


The key is 2048 bits and is generated by 
https://easydmarc.com/tools/dkim-record-generator.  I trimmed down the 
Headers to just From, Subject and To which shouldn’t be calculated or change at 
all.

I know it’s picking up the key because when it’s in place, it generates a “bad 
RSA signature” in https://dkimvalidator.com/results.  If I remove the private 
key file, no sig is generated in the headers at all.  Google also shows only 
the SPF header as matching and completely skips over the DKIM status when the 
key file is missing.  DMARC passes because the policy is set to SPF or DKIM 
need to pass, not both.  rsa-sha1 is listed in the DKIM sig and k=rsa is in 
the public key.

My public key is published in the DNS for .com.  I’ve 
verified it’s there by doing a "dig @nameserver dkim._domainkey..com 
+short".  It matches what is in the DKIM generator.

I know the DKIM generator is generating valid sigs because it outputs the 
public and private keys in PEM format also.  I’m able to sign a file and decode 
it with the public and private keys just fine.

So, I’m at wits’ end.  Is there a way to mimic what Mail::DKIM is doing?  Is it 
as simple as extracting the headers to From, Subject and To in that order then 
trying to sign them from the command line?

Any other debugging advice?

Thanks in advance for any advice.

Eric


