Re: [dkim-milter-discuss] error on DKIM one inbound domain
dkim-milter support has been discontinued. You should instead switch to OpenDKIM, http://www.opendkim.org. That said, the error means you're getting mail from someone that's signed by a key that can't be found in the DNS. The error is legitimate, and there's not much you can do about it other than ignore it or filter mail from that source.

-MSK

From: Admin [mailto:h...@pchelpdock.com]
Sent: Friday, February 17, 2012 10:09 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] error on DKIM one inbound domain

Hello. Can someone help me get this error and continuing server errors with DKIM? The problem is that I am getting this in my OSSEC logs by the thousands from this ONE domain. Postfix, mailman. I have no other problems with DKIM ever, but for the last few weeks with this error.

Received From: www->/var/log/maillog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb 16 20:42:47 www dkim-filter[1305]: 560704ACD3D: key retrieval failed (s=k1, d=monobestoffers.info): res_query(): `k1._domainkey.monobestoffers.info' Unknown host

It would not bother me, except I have blocked the IP from the firewall and continue to receive the errors and am worried about the load on the mail system and server. How can I stop it and what is going on? Any help would be appreciated.

Thanks,

___
dkim-milter-discuss mailing list
dkim-milter-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
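The reply's advice is to ignore or filter the source, and the practical problem is telling one noisy signing domain apart from the rest of the log. The following is an added example, not code from the thread or from dkim-milter: it parses dkim-filter "key retrieval failed" lines in the format quoted above and counts them per selector/domain, so the alert threshold can be applied per signer instead of firing on every line. The log lines other than the one quoted in the thread are constructed, and the `noisy_signers` threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample maillog in the dkim-filter format quoted in the thread.
# Only the first line is the real one from the report; the queue IDs, the
# second selector and example.net are made up for this example.
SAMPLE_LOG = """\
Feb 16 20:42:47 www dkim-filter[1305]: 560704ACD3D: key retrieval failed (s=k1, d=monobestoffers.info): res_query(): `k1._domainkey.monobestoffers.info' Unknown host
Feb 16 20:42:49 www dkim-filter[1305]: 5A1B04ACD41: DKIM verification successful
Feb 16 20:43:02 www dkim-filter[1305]: 5C0F04ACD55: key retrieval failed (s=k1, d=monobestoffers.info): res_query(): `k1._domainkey.monobestoffers.info' Unknown host
Feb 16 20:43:10 www dkim-filter[1305]: 5E2A04ACD60: key retrieval failed (s=sel2, d=example.net): res_query(): `sel2._domainkey.example.net' Unknown host
Feb 16 20:44:15 www dkim-filter[1305]: 601C04ACD72: key retrieval failed (s=k1, d=monobestoffers.info): res_query(): `k1._domainkey.monobestoffers.info' Unknown host
"""

# Queue ID, selector (s=) and signing domain (d=) from a key-retrieval failure line.
KEY_FAIL = re.compile(
    r"dkim-filter\[\d+\]: (?P<qid>[0-9A-F]+): key retrieval failed "
    r"\(s=(?P<selector>[^,]+), d=(?P<domain>[^)]+)\)"
)

def key_failures(log_text):
    """Count key-retrieval failures per (selector, domain) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        m = KEY_FAIL.search(line)
        if m:
            counts[(m.group("selector"), m.group("domain"))] += 1
    return counts

def noisy_signers(log_text, threshold=3):
    """Domains whose key lookups failed at least `threshold` times (threshold is an
    assumed value): candidates for a local filter or for damping the OSSEC rule,
    which is the course of action the reply suggests."""
    failures = key_failures(log_text)
    return sorted({d for (_, d), n in failures.items() if n >= threshold})

if __name__ == "__main__":
    for (sel, dom), n in key_failures(SAMPLE_LOG).most_common():
        print(f"{n:4d}  s={sel} d={dom}  (record looked up: {sel}._domainkey.{dom})")
    print("noisy signers:", noisy_signers(SAMPLE_LOG))
```

Run it against the real maillog by reading the file in place of `SAMPLE_LOG`; the lookup name printed for each pair is the same `selector._domainkey.domain` name res_query() reports in the log, which is what you would check by hand with dig to confirm the record really is absent.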
Re: [dkim-milter-discuss] sendmail non-smtpd possible?
(Since you installed OpenDKIM instead, I'll Cc: that list and we should move this discussion over there.)

There are rewrite rules in the sendmail configuration that change the From: field (features called masquerade and genericstable). That's why it appears to be delivered with the From: field you expect. The problem is that those changes are made only after the filter has seen them, which is why you have to tell opendkim to sign for localhost.localdomain because that's what the filter sees.

In fact, you might want to check that the signatures are being validated, because they probably are failing since the data are essentially being changed in transit. You will probably need either the replace rules feature to deal with this, or you'll need to arrange that your mail is generated with the final domain name in there and not localhost.localdomain to get it verifying properly.

From: Willem Kossen [mailto:w.kos...@gmail.com]
Sent: Monday, August 08, 2011 5:16 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] sendmail non-smtpd possible?

Ah, I think I figured it out... What happens in many cases is that mail originates from user@localhost.localdomain. I didn't tell opendkim to sign mail from that domain. Still the mail ends up as @wkossen.nl in the recipient's mailbox, but sendmail didn't know that at the time the mail was delivered to it. During input, it was localhost.localdomain, therefore no signing. Now I told opendkim in the config file that the domain localhost.localdomain should be signed and it worked. And squirrelmail delivered mail as user@localhost (no localdomain); I added that domain too. This is far from ideal, a bit of a hack, but I guess it works. Thanks for the help.

On Sat, Aug 6, 2011 at 9:27 AM, Murray S. Kucherawy m...@cloudmark.com wrote:

> First, as Rolf said, you should switch to opendkim. This package has been unmaintained for over two years.
>
> I just tried it with sendmail 8.14.4 and opendkim 2.4.2 (just released!), and it signed a message I sent using the sendmail shell interface rather than SMTP. Since that means sendmail does provide milter service to mail that's piped in, you should be able to get dkim-milter to do it too unless there was a bug in it in this regard.
>
> You can always use LogWhy to track down why your mail isn't being signed. It might have something to do with a domain name mismatch in the mail you're feeding.
>
> Good luck,
> -MSK
>
> From: Willem Kossen [mailto:w.kos...@gmail.com]
> Sent: Friday, August 05, 2011 5:57 AM
> To: dkim-milter-discuss@lists.sourceforge.net
> Subject: [dkim-milter-discuss] sendmail non-smtpd possible?
>
> Hi there,
>
> I have successfully implemented DKIM signing in my mail server, but it only works when mail is delivered to it via SMTP. A lot of mail however comes in via the sendmail executable, for instance because of websites, webmail or applications sending out notices. I want that mail to be signed as well. Is it possible at all (like in postfix non-smtpd filters) or in any other way? In fact, I would like all outgoing mail to be signed.
>
> Thanks
> --
> Willem Kossen

--
Willem Kossen
w.kos...@gmail.com
Re: [dkim-milter-discuss] sendmail non-smtpd possible?
First, as Rolf said, you should switch to opendkim. This package has been unmaintained for over two years.

I just tried it with sendmail 8.14.4 and opendkim 2.4.2 (just released!), and it signed a message I sent using the sendmail shell interface rather than SMTP. Since that means sendmail does provide milter service to mail that's piped in, you should be able to get dkim-milter to do it too unless there was a bug in it in this regard.

You can always use LogWhy to track down why your mail isn't being signed. It might have something to do with a domain name mismatch in the mail you're feeding.

Good luck,
-MSK

From: Willem Kossen [mailto:w.kos...@gmail.com]
Sent: Friday, August 05, 2011 5:57 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] sendmail non-smtpd possible?

Hi there,

I have successfully implemented DKIM signing in my mail server, but it only works when mail is delivered to it via SMTP. A lot of mail however comes in via the sendmail executable, for instance because of websites, webmail or applications sending out notices. I want that mail to be signed as well. Is it possible at all (like in postfix non-smtpd filters) or in any other way? In fact, I would like all outgoing mail to be signed.

Thanks
--
Willem Kossen
Re: [dkim-milter-discuss] RSA_verify: bad signature
-Original Message-
From: Robert Schetterer [mailto:rob...@schetterer.org]
Sent: Wednesday, July 07, 2010 2:23 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: Re: [dkim-milter-discuss] RSA_verify: bad signature

> On 30.04.2010 18:25, Simon Bell wrote:
>> Hi, I am running postfix with dkim-milter. I sign out-going mail and verify incoming. When my mail server receives from google or yahoo, all seems to be fine, I get:
>>
>> dkim-filter: DKIM verification successful
>>
>> But mail from 'bluebottle' email gives me this error:
>>
>> dkim-filter: DKIM verification successful
>> dkim-filter: s=fe0 d=bluebottle[dot]com SSL error:04077068:rsa routines:RSA_verify:bad signature
>>
>> Could someone help me understand what the error means and if it is something wrong with my server?
>
> Got the same now for i.e. xing.com under Ubuntu Lucid, v2.8.3 running in only verify mode. Someone any ideas?

No idea about xing.com, but Bluebottle definitely had a bug in its signing code that would give false negatives if the message went to two recipients. Perhaps xing.com is having a similar issue.
Re: [dkim-milter-discuss] dkim-milter protocol documentation
It looks like that milter-protocol.txt document is slightly out of date, but it is otherwise pretty accurate. The only other documentation I know of is the source code itself. You'd have to trace it back into libmilter/mfdef.h to find out what each represents (they appear to be skip and insheader), and then for the format of the associated messages, check sendmail/milter.c to see how the MTA will decode them. (I remember adding insheader myself when I still worked there, and skip came sometime later.)

From: Elanchezhiyan Elango [mailto:elanela...@gmail.com]
Sent: Thursday, April 22, 2010 2:41 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] dkim-milter protocol documentation

Hi Murray,

Thanks for the response. I did do a Google search before posting. Most of the resources were about the libmilter package and developing milters using the milter API. I was interested in the actual communication between the MTA and a milter. The only related page I could find was http://cpansearch.perl.org/src/AVAR/Sendmail-PMilter-0.98/doc/milter-protocol.txt

However, as I mentioned earlier, the response commands such as 's', 'i' are not documented in this page. The Wikipedia page (http://en.wikipedia.org/wiki/Milter) does mention that documentation of the protocol used for communication between sendmail and milter processes is not provided. This internal protocol is subject to changes in new sendmail versions. Probably the responses I am receiving are introduced in later sendmail versions. Any other relevant documentation you are aware of will be helpful.

Thanks,
Elan.

On Wed, Apr 21, 2010 at 9:16 PM, Murray S. Kucherawy m...@cloudmark.com wrote:

> A Google search for "milter protocol" produced some highly useful results. You might also look at the miltertest tool in the OpenDKIM package. It provides a scripting interface to do what you're after.
>
> From: Elanchezhiyan Elango [elanela...@gmail.com]
> Sent: Wednesday, April 21, 2010 5:57 PM
> To: dkim-milter-discuss@lists.sourceforge.net
> Subject: [dkim-milter-discuss] dkim-milter protocol documentation
>
> Hi,
>
> I am trying to write a script that would directly communicate to the dkim-filter process through its socket using the milter protocol. My script would essentially act like sendmail. In the process I am finding some responses whose meaning I am not aware of. For example I get responses with command 's', 'i' which don't seem to be documented as a part of milter protocol. Is there a place where I can find the meaning of these response commands from dkim-milter?
>
> Thanks,
> Elan.
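The thread identifies 'i' and 's' as insheader and skip but leaves the wire format to sendmail/milter.c. The following is an added example, not code from the thread, from dkim-milter or from libmilter: a small decoder for milter response packets as the MTA side of a script like Elan's would need, covering the framing (a 4-byte big-endian length that counts the command byte plus payload) and the payload layouts for the header-modifying commands. The command letters and layouts are from libmilter's mfdef.h as I know it; the sample packet stream and the DKIM-Signature value in it are constructed for the example. Length checks run before any payload is touched, so a truncated or oversized packet from a misbehaving peer raises rather than being misread.

```python
import struct

# Milter response commands as named in libmilter's mfdef.h (the file the reply
# above points at); 'i' (insheader) and 's' (skip) are the two the question asked about.
COMMANDS = {
    b"c": "SMFIR_CONTINUE", b"a": "SMFIR_ACCEPT", b"r": "SMFIR_REJECT",
    b"d": "SMFIR_DISCARD", b"t": "SMFIR_TEMPFAIL", b"h": "SMFIR_ADDHEADER",
    b"i": "SMFIR_INSHEADER", b"m": "SMFIR_CHGHEADER", b"s": "SMFIR_SKIP",
    b"p": "SMFIR_PROGRESS", b"q": "SMFIR_QUARANTINE", b"y": "SMFIR_REPLYCODE",
}

def encode_packet(cmd, data=b""):
    """Frame one packet: 4-byte big-endian length (command byte + payload), command, payload."""
    return struct.pack("!I", 1 + len(data)) + cmd + data

def _two_cstrings(data):
    """Parse exactly 'name\\0value\\0'; anything else is a malformed packet."""
    parts = data.split(b"\0")
    if len(parts) != 3 or parts[2] != b"":
        raise ValueError("expected two NUL-terminated strings")
    return parts[0].decode(), parts[1].decode()

def decode_packet(buf):
    """Decode one packet from the front of buf.
    Returns (command name, parsed fields, unconsumed bytes)."""
    if len(buf) < 4:
        raise ValueError("short read: no length prefix")
    (length,) = struct.unpack("!I", buf[:4])
    if length < 1 or len(buf) - 4 < length:
        raise ValueError(f"truncated packet: need {length} bytes, have {len(buf) - 4}")
    cmd, data, rest = buf[4:5], buf[5:4 + length], buf[4 + length:]
    name = COMMANDS.get(cmd)
    if name is None:
        raise ValueError(f"unknown milter response command {cmd!r}")
    fields = {}
    if name in ("SMFIR_INSHEADER", "SMFIR_CHGHEADER"):
        # uint32 header index, then NUL-terminated name and value
        if len(data) < 4:
            raise ValueError(f"{name}: missing header index")
        (fields["index"],) = struct.unpack("!I", data[:4])
        fields["name"], fields["value"] = _two_cstrings(data[4:])
    elif name == "SMFIR_ADDHEADER":
        fields["name"], fields["value"] = _two_cstrings(data)
    elif name == "SMFIR_REPLYCODE":
        fields["reply"] = data.rstrip(b"\0").decode()
    elif data:
        raise ValueError(f"{name} carries no payload but got {len(data)} bytes")
    return name, fields, rest

def decode_stream(buf):
    """Decode every packet in buf, in order."""
    out = []
    while buf:
        name, fields, buf = decode_packet(buf)
        out.append((name, fields))
    return out

# Constructed sample: the kind of sequence a signing filter could send at
# end-of-message. The header value is a made-up DKIM-Signature, not one
# produced by dkim-filter.
SAMPLE_STREAM = (
    encode_packet(b"i", struct.pack("!I", 0)
                  + b"DKIM-Signature\0v=1; a=rsa-sha256; d=example.com; s=sel\0")
    + encode_packet(b"s")
    + encode_packet(b"c")
)

if __name__ == "__main__":
    for name, fields in decode_stream(SAMPLE_STREAM):
        print(name, fields)
```

The negotiation and the MTA-to-milter commands (the other direction of the protocol) are not covered; miltertest from OpenDKIM, mentioned in the thread, exercises both directions if you need a reference implementation to compare against.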
Re: [dkim-milter-discuss] help me debug why my signature is breaking
-Original Message-
From: Mark Martinec [mailto:mark.marti...@ijs.si]
Sent: Tuesday, February 02, 2010 8:04 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: Re: [dkim-milter-discuss] help me debug why my signature is breaking

> On Tuesday 02 February 2010 06:05:33 ram wrote:
>> The full mail (sent to gmail) is available here http://ecm.netcore.co.in/tmp/mail2.txt
>
> If your message violates RFC 5322 (ex 2822), a mailer may break its promises too. Garbage in, garbage out.

I also noticed that your From: and To: header fields didn't have a space before the < character. Some MTAs might insert one for you, and that would break the signature.
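Whether an inserted space breaks the signature depends on the header canonicalization the signer chose (the c= tag). The following is an added example, not code from the thread or from dkim-milter: it implements the "simple" and "relaxed" header canonicalizations of RFC 6376 sections 3.4.1 and 3.4.2 and compares a header as sent with the same header after an MTA has inserted a space. The header lines are constructed. It shows the caveat behind the reply: relaxed canonicalization absorbs whitespace added after the colon, but a space inserted between a display name and the < where none existed changes the canonical form under both algorithms, so relaxed does not rescue that case.

```python
import re

def canon_header_simple(field):
    """RFC 6376 3.4.1 'simple': the header field is used exactly as it appears."""
    return field

def canon_header_relaxed(field):
    """RFC 6376 3.4.2 'relaxed': lowercase the name, unfold, collapse runs of
    WSP to one space, drop WSP at the ends of the value and around the colon."""
    name, _, value = field.partition(":")
    name = name.rstrip(" \t").lower()
    value = re.sub(r"\r?\n[ \t]+", " ", value)        # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")  # squeeze and trim WSP
    return f"{name}:{value}"

def same_under(canon, as_sent, as_relayed):
    """True if both forms hash identically under the given canonicalization,
    i.e. the relay's change would not break a signature using it."""
    return canon(as_sent) == canon(as_relayed)

def surviving_canonicalizations(as_sent, as_relayed):
    """Names of the canonicalizations under which the change is harmless."""
    return [name for name, canon in (("simple", canon_header_simple),
                                     ("relaxed", canon_header_relaxed))
            if same_under(canon, as_sent, as_relayed)]

# Constructed header lines. Case 1: no space after the colon, relay adds one.
# Case 2: no space between display name and '<' (the thread's report), relay adds one.
CASE1_SENT, CASE1_RELAYED = "From:<alice@example.com>", "From: <alice@example.com>"
CASE2_SENT, CASE2_RELAYED = "From: Alice<alice@example.com>", "From: Alice <alice@example.com>"

if __name__ == "__main__":
    for sent, relayed in ((CASE1_SENT, CASE1_RELAYED), (CASE2_SENT, CASE2_RELAYED)):
        print(f"{sent!r} -> {relayed!r}: survives under {surviving_canonicalizations(sent, relayed)}")
```

The practical fix is the one the reply implies: emit RFC 5322-compliant headers so that no downstream MTA has a reason to rewrite them; picking c=relaxed/relaxed only narrows the class of rewrites that break the signature.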
Re: [dkim-milter-discuss] problems with length of headers
-Original Message-
From: Sven-Thorsten Fahrbach [mailto:jo...@alice-dsl.de]
Sent: Thursday, January 21, 2010 12:14 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] problems with length of headers

> I now have my parser add the missing quotes and the signatures are once again accepted. :-)

Just to be clear, the RFCs require a comment that contains punctuation to be quoted, so you were sending malformed header fields and a downstream MTA was adding them for you to make the message compliant.
Re: [dkim-milter-discuss] Milter rejected message
This is fixed in OpenDKIM v1.1.0 (v1.2.0 is current) by creating special handling for this case that defaults to accept. It's not clear if or when a patch would be made available to dkim-milter to resolve this.

From: Mark Martinec [mark.marti...@ijs.si]
Sent: Thursday, December 17, 2009 5:43 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: Re: [dkim-milter-discuss] Milter rejected message

On Thursday 17 December 2009 14:13:20 SM wrote:
> At 01:53 17-12-2009, Rolf E. Sonneveld wrote:
>> Seems these messages carry a DKIM signature, but their DKIM DNS entry is not correct. I assume the dkim-filter status is then not 'reject' but maybe the mail server is interpreting the result of dkim-filter as a temp. failure, giving back a 4.x.y status code to the SMTP partner?
>
> Yes, that's what's happening. You can override that behavior with "On-InternalError accept".

This should be fixed. An NXDOMAIN is a definite and permanent answer from a DNS resolver; it can in no way be treated as an 'internal error' or a temporary failure.

Mark
Re: [dkim-milter-discuss] Can anyone explain this?
It's not clear that this has anything at all to do with your DKIM signing. The error returned by Yahoo's mail server is too generic to tell why it got rejected.

From: Tony Birnseth, 1st Source IT, LLC [mailto:to...@1sit.com]
Sent: Tuesday, August 25, 2009 8:46 PM
To: dkim-milter general discussion
Subject: [dkim-milter-discuss] Can anyone explain this?

I sent a batch of emails today as part of a marketing campaign. I received several ND responses similar to this one and was wondering if there is a way for me to determine the cause (real addressee xxx'd out).

This is the mail system at host ezms1.ez-merchant-hosting.com.

I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

x...@zlabs.us: host milter1.store.vip.mud.yahoo.com[68.142.205.143] said: 554 5.7.1 Command rejected (in reply to end of DATA command)

Reporting-MTA: dns; ezms1.ez-merchant-hosting.com
X-Postfix-Queue-ID: 32B4E2D283E1
X-Postfix-Sender: rfc822; sa...@ez-ms.com
Arrival-Date: Tue, 25 Aug 2009 14:10:35 -0700 (PDT)

Final-Recipient: rfc822; x...@zlabs.us
Original-Recipient: rfc822;x...@zlabs.us
Action: failed
Status: 5.7.1
Remote-MTA: dns; milter1.store.vip.mud.yahoo.com
Diagnostic-Code: smtp; 554 5.7.1 Command rejected
Re: [dkim-milter-discuss] Apple Mail consistently fails DKIM verify under 2.8.x
-Original Message-
From: Robert Sink [mailto:si...@cbl.umces.edu]
Sent: Tuesday, August 25, 2009 1:44 PM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] Apple Mail consistently fails DKIM verify under 2.8.x

> Hello Murray,
>
> Could you give me an example on how to set up and interpret these values on my end? Thank you for your time.

Try the stuff in the DEBUG FEATURES section of the dkim-filter/README file you got in your dkim-milter distribution.
Re: [dkim-milter-discuss] Verification not failing
There's still an issue in there. In this case, it's possibly that unsigned mail is skipping the ADSP check altogether, and defaulting to reporting "none". I need to take a closer look.

-Original Message-
From: Erik Lotspeich [mailto:e...@lotspeich.org]
Sent: Monday, July 27, 2009 6:56 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] Verification not failing

> Hi Murray & SM:
>
> You guys are awesome, as usual -- thanks for the quick response and help.
>
> Murray: I recompiled with _FFR_SENDER_HEADERS enabled and added "SenderHeaders From" to my config. I was quite confident that this would solve the problem, but it did not seem to. The good news is that we made some progress; the logs are interesting:
>
> [...]
Re: [dkim-milter-discuss] Verification not failing
-Original Message-
From: Erik Lotspeich [mailto:e...@lotspeich.org]
Sent: Monday, July 27, 2009 10:08 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] Verification not failing

> Hi Murray,
>
> Here's another data point, if it helps. Here's the log from my postings to this list (dkim-milter-discuss):
>
> [...]

My guess is that list doesn't add a Sender: header, or something like that.
Re: [dkim-milter-discuss] Verification not failing
-Original Message-
From: Erik Lotspeich [mailto:e...@lotspeich.org]
Sent: Saturday, July 25, 2009 9:19 PM
To: dkim-milter
Subject: [dkim-milter-discuss] Verification not failing

> Hi,
>
> I am extremely stumped by this issue. Here are some e-mail headers for an e-mail that is not failing an ADSP check. My policy is "sign everything". This mailing list strips the DKIM signature out of the headers, as you can see.
>
> [...]

I'm on a layover en route to IETF, but I had a quick look and thus here's a guess.

There's some old code that's still in there from the early DomainKeys days which specifies a list of headers to search for the actual sender of the message. That list is not constrained to From only by default (as it probably should be for modern DKIM), so it's probably doing its ADSP check based on the Sender header which, in this case, contains the address of the list and not that of the message's author.

To test this, recompile enabling _FFR_SENDER_HEADERS, then set this in your configuration file:

SenderHeaders From

...and watch your logs for another message from the list.

-MSK
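The guess above is that the ADSP lookup is keyed on whichever header the legacy sender-header list finds first, so list mail (which carries a Sender: for the list) is checked against the list's domain rather than the author's. The following is an added example, not code from the thread or from dkim-milter, that models that selection: it picks the domain for the ADSP check from a configurable header list and forms the `_adsp._domainkey` record name (RFC 5617) for it. The sample message is constructed, and the legacy header order is an assumption (the thread says only that the default is not constrained to From:).

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed legacy search order with Sender: ahead of From:; the thread only says the
# default list is "not constrained to From only".
LEGACY_SENDER_HEADERS = ["Sender", "Resent-From", "From"]
# What "SenderHeaders From" in the configuration would give you.
FIXED_SENDER_HEADERS = ["From"]

def adsp_domain(raw_message, sender_headers):
    """Domain of the first address found in the configured header list, or None."""
    msg = message_from_string(raw_message)
    for h in sender_headers:
        if msg[h]:
            _, addr = parseaddr(msg[h])
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower()
    return None

def adsp_record_name(domain):
    """Name queried for the author domain's ADSP record (RFC 5617, section 4.1)."""
    return f"_adsp._domainkey.{domain}"

def adsp_lookup_name(raw_message, sender_headers):
    d = adsp_domain(raw_message, sender_headers)
    return adsp_record_name(d) if d else None

# Constructed: an unsigned list message, as the list would redistribute it.
# The Sender: address is made up for the example.
SAMPLE_LIST_MAIL = """\
From: Alice Example <alice@example.org>
Sender: dkim-milter-discuss-bounces@lists.sourceforge.net
To: dkim-milter-discuss@lists.sourceforge.net
Subject: Verification not failing

body text
"""

if __name__ == "__main__":
    print("legacy list checks:", adsp_lookup_name(SAMPLE_LIST_MAIL, LEGACY_SENDER_HEADERS))
    print("From-only checks:  ", adsp_lookup_name(SAMPLE_LIST_MAIL, FIXED_SENDER_HEADERS))
```

With the legacy order the policy queried belongs to lists.sourceforge.net, which publishes no "sign everything" policy, so an unsigned copy passes; with From: only, the query goes to the author's domain and the missing signature is the verdict Erik expected.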
[dkim-milter-discuss] FW: [ietf-dkim] DKIM field usage survey
I encourage users of dkim-milter to reply to Dave directly at d...@dcrocker.net. This is useful data when deciding what the next steps are for DKIM in the IETF standards process.

Specifically, if you are using particular features of the DKIM specification, that's an argument for keeping them; if there are some you're not using, they're candidates for being dropped when and if the spec gets revised. The idea is that features nobody's using can be removed, simplifying the specification and thus making it harder for new implementations to get it wrong. If they become useful features later, they can always be re-added by publishing a revision or a new spec that describes an extension.

dkim-milter implements the entire DKIM specification as well as adding a few useful features of its own. You have to be somewhat familiar with the specification itself to complete this survey (and thus know the difference between the add-ons and the core stuff), but I suspect a decent percentage of this list's readership fits that description. To those of you that do, your feedback would be valuable here.

-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Dave CROCKER
Sent: Sunday, July 12, 2009 10:50 AM
To: DKIM IETF WG
Subject: [ietf-dkim] DKIM field usage survey

Folks,

G'day. One requirement for moving a specification from Proposed to Draft status is to supply an Implementation Report:

http://www.ietf.org/IESG/implementation.html
http://tools.ietf.org/html/draft-dusseault-impl-reports-04

I've put together survey forms -- one for signers and one for verifiers -- that should supply us with some raw field data, to make it possible to assemble a detailed report.

* If you run a DKIM signing and/or verifying operation, please complete the appropriate survey questionnaire and return it to me.

* If you know of others who operate DKIM signing and/or verifying services -- such as your customers -- please forward this to them and request that they complete a version, returning it to me.

Because the report seeks information about interoperability, it does not ask about the capabilities of software, but rather looks for actual usage. It is information about /interaction/ between software that is important, not merely what code exists. This is why real field data is sought, rather than a report from developers.

I'm hoping we can get a useful set of responses by the time of the IETF meeting, so that we can start considering the feedback.

Thanks!

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net

Report: RFC4871 - DKIM Signatures Implementation Report Form -- SIGNING

Please obtain responses directly from operators of DKIM installations

Report Date:
Report Author Name:
Report Organization:
Report Author Email:

Purpose:

This solicits detailed information about your organization's direct use of an individual implementation of DKIM signing and its interoperability with other implementations doing DKIM validating. The purpose of the questionnaire is to ascertain what features of DKIM are being used. Besides a basic history of success and failure with signature validation, it requests details concerning the use of individual DKIM tags in DNS records and in the DKIM-Signature: header field. In addition to the question of whether tags are set with a value, please indicate whether they are set with different values for different uses or whether a single, constant value is used.

Some information is best obtained directly from the software or its manuals. Other information is obtained from local policies or service logs.

Implementation name:
Implementation author or source:
Implementation contact address:
Implementation operational first fielded on (date):

Interoperability summary:

(Please provide a basic statement about use of the implementation in fielded operations, concerning successes and failures and how DKIM is used. This summary will satisfy the basic question of whether the core function of signature validation is interoperable.)

DNS TXT record tags -- ranges set, if at all:

(For each tag, please explain whether your use of the implementation chooses particular values for the tag and, if so, with what range of values and according to what rules.)

(The tags v=, p=, n= need not be reported.)

g -- Granularity of the key:
h -- Acceptable hash algorithms:
k -- Key type:
s --
Re: [dkim-milter-discuss] Any dkim signed mail goes to spam in gmail
-Original Message-
From: ram [mailto:r...@netcore.co.in]
Sent: Friday, July 10, 2009 6:11 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] Any dkim signed mail goes to spam in gmail

> I have set up DKIM signatures, but gmail seems to mark every DKIM-signed mail as spam. If I don't sign the mail, it goes fine. Is there anything wrong with my DKIM signature? How can I check?

What do the autoresponders say when you try them? Try sending a signed message to sa-t...@sendmail.net, for example.
Re: [dkim-milter-discuss] High memory usage
On Wed, 27 May 2009, Andy Fiddaman wrote:
> This would seem to point to the filter component as being the leaky part..

Or possibly some features of libdkim that you're not using, but the filter is. In either case, this is a very interesting data point.
Re: [dkim-milter-discuss] DKIM-Signature but no DomainKey-Signature
On Tue, 21 Apr 2009, double wrote:
> dkim-milter creates in the email header a DKIM-Signature but no DomainKey-Signature.

Correct.

> Is there an option to create a DKIM-Signature?

(Assuming you meant DomainKey-Signature) No. You need to install and run dk-milter, or some other signing filter, in parallel.
Re: [dkim-milter-discuss] Build failed - undefined reference
On Fri, 27 Mar 2009, Johannes Siebert wrote:
> No change at all. Exactly the same output:

Did you do "sh Build -c"? Makefile.m4 is only read when you wipe out the build and start over.
Re: [dkim-milter-discuss] Build failed - undefined reference
On Thu, 26 Mar 2009, Johannes Siebert wrote:
> dkim-keys.c:(.text+0x3b9): undefined reference to `__dn_expand'
> dkim-keys.c:(.text+0x3c4): undefined reference to `__dn_skipname'
> dkim-keys.c:(.text+0x604): undefined reference to `__dn_expand'
> dkim-keys.c:(.text+0x634): undefined reference to `__dn_expand'
> [...]

Those are resolver utility functions. You may need to add -lresolv or some such.
Re: [dkim-milter-discuss] Build failed - undefined reference
On Thu, 26 Mar 2009, Johannes Siebert wrote:
> Thank you for your answer. Where do I need to add this -lresolv?

In dkim-filter/Makefile.m4, you need to add something like:

APPENDDEF(`confLIBS', `-lresolv ')

...right before the first bldPRODUCT_END line. If other applications also complain, move that to above the first bldPRODUCT_START line.
Re: [dkim-milter-discuss] POP Authentication Problem
On Tue, 24 Mar 2009, Todd Lyons wrote:
> These are wild guesses, don't be surprised if I'm totally in the wrong direction.

They're very good guesses, actually. If the agent updating the POP DB replaces the file rather than simply updating it, then dkim-filter will have the old one still open while the new one is visible in the filesystem. This would explain the symptoms being reported.
Re: [dkim-milter-discuss] POP Authentication Problem
On Tue, 24 Mar 2009, Robert Barty wrote:
> What could possibly be wrong? If not a dkim problem, could it be sendmail (8.13.1) or perhaps the Berkeley DB?

It's certainly not sendmail since it has no idea about POP. The only possibilities are the one that has been suggested (your POP server is replacing the database rather than simply updating it) or Sleepycat DB is doing negative caching, although I find that quite unlikely. Which POP server are you using?
Re: [dkim-milter-discuss] DKIM signs spam mails
On Sun, 1 Mar 2009, Seba wrote:
> DKIM signs the spam mails when the sender address is forged (if sender address is a recipient in mydomain) - but this should not be I think. Spam comes in, gets signed if sender is a recipient in my local domain and gets delivered to the mailbox of the user. Are there any settings to prevent this?

Yes. The OPERATION section of the dkim-filter(8) man page explains the decision process regarding whether to sign a message or verify it. Some tuning based on the information you find there will probably solve your problem. If externally-originated mail with a forged From: header is being signed, my first guess would be you have an internal hosts list which is too permissive.
Re: [dkim-milter-discuss] Validation problem
On Sun, 1 Mar 2009, Tony Birnseth, 1st Source IT, LLC wrote:
> I have installed the 'sendmail' version of DKIM since I can't find a lib64 binary specifically for postfix. I made links to get the key locations to resolve and that seems to be working ok. I created a regex file to prepend a DKIM-Signature: header for every email sent from this system whether that be from the system itself or on behalf of an authenticated smtp connection (i.e. one of the domains I support)...

As I believe Mike pointed out, this isn't how DKIM works. The signature takes into account the body and header contents as well as the current time, so you can't recycle the same signature for all of your mail as none of them will ever verify (except the one on which the original signature was based). You need to sign each message individually using the filter.

> I guess I would expect the checker to:
> 1) Use the info in the header to check the dkim info (i.e. ezms1._domainkey.ez-merchant-hosting.com)
> 2) Validate against those credentials.

It does, but the digital signature is based on the message content and headers, which (obviously) changes from one message to the next. Also the t= portion of the signature is a timestamp, so eventually you'd be affixing signatures generated before the actual message you're sending.

> I'm trying to avoid setting up unique dkim info for each client that uses this system. Maintenance nightmare. Is that even possible?

Absolutely.
[dkim-milter-discuss] The value of features within DKIM
This is probably of particular interest to those of you who are familiar with the internals of DKIM, i.e. the standard document and thus the protocol itself, but everyone is invited to participate.

Are there any portions of DKIM you feel are not useful to you? That is, are there things in DKIM which, if they weren't there to begin with, wouldn't make a difference to you? Or, on the flipside, are there some things outside of the obviously mandatory features without which you would consider DKIM not useful? Or possibly, are there some features you're not using now but you plan to use in the future?

Some specific topics, if you need a starting place:

In signatures:
    x= (signature expiration)
    t= (signature timestamps)
    l= (body lengths)
    i= (signing identity)
    q= (query method)
    z= (original signed header set)

In keys:
    g= (key granularity; restricting keys to specific users)
    n= (free-form comment)

Our implementation provides at least indirect access to or support of nearly all of these. I, for example, have found z= to be useful when debugging interoperability issues, so it would get a keep vote from me.

Please give it some thought and let me know if you have any opinions about these.

-MSK
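As an added example (not code from the list or from dkim-milter), here is what a verifier actually does with the signature tags listed above: it parses the tag list, derives the key lookup name from s=, d= and q=, checks x= against t= and the current time, and checks that the i= identity falls under d=. The header value, domain, selector and timestamps are all constructed for this example. One caveat on l=: a verifier that honours l= must treat any body beyond that length as unsigned, which is why many deployments ignore the tag entirely.

```python
"""Parse a DKIM-Signature value and sanity-check the optional tags
named above.  Added example, not code from the list or from
dkim-milter; the header below is constructed."""

# Constructed sample header value, folded the way it would be in a message.
SAMPLE_SIG = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel2009;\r\n"
    "\tt=1235000000; x=1235604800; l=1024; i=user@sub.example.com;\r\n"
    "\tq=dns/txt; h=from:to:subject; bh=c2FtcGxlYm9keWhhc2g=;\r\n"
    "\tb=c2FtcGxlc2lnbmF0dXJl"
)


def parse_tags(value):
    """Split a tag=value list into a dict.  All whitespace (including
    folding) is removed first, which is safe for every tag including
    z=, whose values are dkim-quoted-printable and carry no raw
    whitespace.  Only the first '=' separates tag from value, so the
    base64 padding in b= and bh= survives."""
    tags = {}
    for item in "".join(value.split()).split(";"):
        if not item:
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError("malformed tag %r" % item)
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = val
    return tags


def key_query_name(tags):
    """Where a verifier fetches the public key when q= is dns/txt (the
    only method defined, and the default when q= is absent)."""
    if tags.get("q", "dns/txt") != "dns/txt":
        raise ValueError("unsupported query method %r" % tags["q"])
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def check_signature_tags(tags, now):
    """Return a list of problems with the optional tags; an empty list
    means they are consistent.  'now' is a Unix timestamp supplied by
    the caller so the result is reproducible."""
    problems = []
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if t is not None and t > now:
        problems.append("t= is in the future")
    if x is not None:
        if t is not None and x < t:
            problems.append("x= is earlier than t=")   # cannot expire before signing
        if now > x:
            problems.append("signature expired")
    if "i" in tags:
        # The signing identity's domain must be d= or a subdomain of it.
        i_domain = tags["i"].rpartition("@")[2].lower()
        d = tags["d"].lower()
        if i_domain != d and not i_domain.endswith("." + d):
            problems.append("i= domain is not d= or a subdomain of it")
    if "l" in tags and not tags["l"].isdigit():
        problems.append("l= is not a decimal body length")
    return problems
```

Run with the sample and a clock value between t= and x= and the check list comes back empty; move the clock past x= and "signature expired" appears, which is the point of x=: a verifier can refuse an otherwise valid signature that is being replayed long after it was made.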
Re: [dkim-milter-discuss] DKIM Gateway Question
On Fri, 13 Feb 2009, Nick Pettola wrote:
> I have a windows server running Imail. I have a Red Hat server that I have setup with DKIM running sendmail. It signs messages that originate from it but I need to send messages from my windows server through the sendmail server and have it sign them as well. I have added the ExternalIgnoreList option to the config file with the IP address of my windows server. There is no signature. Any help with this would be greatly appreciated.

Look at the InternalHosts option:

    InternalHosts (string)
        Identifies a file of internal hosts whose mail should be signed rather than verified. Entries in this file follow the same form as those of the PeerList option below. If not specified, the default of 127.0.0.1 is applied. Naturally, providing a value here overrides the default, so if mail from 127.0.0.1 should be signed, the list provided here should include that address explicitly.

See also the OPERATION section of the dkim-filter(8) man page.
Re: [dkim-milter-discuss] DKIM Gateway Question
On Fri, 13 Feb 2009, Nick Pettola wrote:
> I added the ip to the InternalHosts file as well, did not work.

Did you restart the filter after doing so, or send it SIGUSR1 to reload the configuration? If that still doesn't work, turn on the LogWhy option and send a message through that should be signed. When it's not, find the records about it in the sendmail log, and it should tell you why it wasn't signed.
Re: [dkim-milter-discuss] DNS setup problems
On Fri, 13 Feb 2009, Tomasz Chmielewski wrote:
> So I can't have the key file called default for all of them, their names have to be unique.

Why not? You could have a default selector in each domain, all using the same key if that's what you want.

> Isn't using the domain name in that case the most obvious solution (and everyone will have to look up mydomain.tld._domainkey.mydomain.tld for each domain)?

That will work, if that's what you want to do. But if you want to change the key for one domain later, what would you call it? Replacing the key in the DNS record without renaming it invalidates all signed mail in transit at the time you do so.

> Or, what do you suggest?

Depends on what you want to do. If each domain should have a unique key called default, you could have a directory called (for example) /var/dkim-keys which contains a subdirectory for each domain, and put the private key for each domain in a file called default in that domain's subdirectory. So:

    /var/dkim-keys/domain1/default
    /var/dkim-keys/domain2/default
    ...etc.

If you have some other scheme, try describing it and I can see about proposing some other alternative.
Re: [dkim-milter-discuss] DKIM Gateway Question
On Fri, 13 Feb 2009, Nick Pettola wrote:
> Yes I did restart. Do I need to add the LogWhy option in the dkim.conf file?

Yes.
[dkim-milter-discuss] d2i_PUBKEY_BIO() failures
An intermittent but recurring problem is the above error message. It's caused when that function in the OpenSSL library fails to create a handle representing a public key after the key data has been retrieved from DNS. So far every time I've seen it, it's been caused by a public key that got mangled in the transition from being a PEM file to a DNS TXT record and is thus corrupted.

At the moment, libdkim returns DKIM_STAT_NORESOURCE to the filter when this happens, which assumes that error is transient and (by default) temp-fails the message hoping a later retry would work. There's been some discussion on other lists that this behaviour isn't the best idea; the claim is that the message should be treated as though a permanent key retrieval problem occurred (e.g. key not found), and the message delivered with presumably a neutral status reported by the filter.

libdkim could be changed to report DKIM_STAT_CANTVRFY instead, indicating to the calling application that a more permanent failure in verification occurred. This would cause dkim-filter to immediately report a verification error (permerror) and pass the message instead of arranging for a temp-fail of the message.

I'm hesitant though, because I don't know for sure that this is the only reason d2i_PUBKEY_BIO() might ever fail. But if it fails for some other reason, is there a need to make the distinction? What if it failed because it couldn't allocate more memory, for example? In fact, the current behaviour came in handy today when I was able to talk to a signer with a corrupted key and get it fixed, at which point all the temp-failing mail came through.

Anyone want to offer up other opinions?
Re: [dkim-milter-discuss] d2i_PUBKEY_BIO() failures
On Tue, 10 Feb 2009, SM wrote:
>> libdkim could be changed to report DKIM_STAT_CANTVRFY instead, indicating to the calling application that a more permanent failure in verification occurred. This would cause dkim-filter to immediately report a verification error (permerror) and pass the message instead of arranging for a temp-fail of the message.
>
> Are we sure that this always results in a DKIM_STAT_CANTVRFY?

For dkim-filter, yes. Naturally, I can't speak for other applications that use libdkim, but they're free to make such interpretations. Another option would be to create a new DKIM_STAT return which specifically indicates an error of this nature, such as DKIM_STAT_OPENSSLERROR.

> If there was a permerror, this might not have been fixed.

So you're (generally) opting for leaving it as-is?
Re: [dkim-milter-discuss] Problem in building 64-bit Dynamic library
On Wed, 4 Feb 2009, Murray S. Kucherawy wrote: 2) The symbol MAXDNAME is not defined in your /usr/local/include/resolv.conf. That probably means you have installed some resolver other than the standard one (bind-9.6.0 perhaps?) which has some new format or dependencies. You need to find out where MAXDNAME is defined and include that as well. You might try adding this to libar/Makefile.m4, just as a guess: Actually my guess may not work. Instead, try the attached patch on libar/manual.c to solve the second problem.Index: manual.c === RCS file: /cvs/libar/manual.c,v retrieving revision 1.7 diff -u -r1.7 manual.c --- manual.c19 Feb 2008 20:16:11 - 1.7 +++ manual.c5 Feb 2009 06:24:22 - @@ -15,6 +15,10 @@ #ifdef DARWIN # include arpa/nameser.h #endif /* DARWIN */ +#if SOLARIS = 21000 +# include arpa/nameser.h +# include arpa/nameser_compat.h +#endif /* SOLARIS = 21000 */ #include resolv.h #include netdb.h #include ctype.h -- Create and Deploy Rich Internet Apps outside the browser with Adobe(R)AIR(TM) software. With Adobe AIR, Ajax developers can use existing skills and code to build responsive, highly engaging applications that combine the power of local resources and data with the reach of the web. Download the Adobe AIR SDK and Ajax docs to start building applications today-http://p.sf.net/sfu/adobe-com___ dkim-milter-discuss mailing list dkim-milter-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
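Review bot: the guard `#if SOLARIS = 21000` in the manual.c hunk is not valid preprocessor syntax as quoted; a lone `=` inside `#if` is a syntax error, so the intended comparison operator (presumably `>=`, which may have been lost when the patch was pasted into the mail, along with the angle brackets around the include file names) needs to be confirmed against the attached patch file. Separately, the reporter's missing MAXDNAME comes from a non-stock resolver in /usr/local/include, which a Solaris-version test will not notice; guarding on the symbol itself, e.g. `#ifndef MAXDNAME` after `#include <resolv.h>` and pulling in `<arpa/nameser_compat.h>` there, would cover both that build and Solaris.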
Re: [dkim-milter-discuss] Any threads created in libdkim ?
On Wed, 4 Feb 2009, deiva shanmugam wrote:
> Just wanted to confirm: are any threads created within the dkim library code?

No threads are created or destroyed by libdkim. It does, however, use other pthread primitives such as mutex and condition functions.
Re: [dkim-milter-discuss] DKIM - No DNS Record
On Wed, 21 Jan 2009, Jason Carson wrote:
> ... I get the following results...
>
> DKIM Test: pass
> DKIM Author Signing Practice: no DNS record
>
> ... so the email is being signed because it passes but it says I have no DNS record, but I do. It may be that my DNS is configured improperly. Here is my DNS configuration, I am using Bind...
>
> jasondkim._domainkey.jasoncarson.ca. IN TXT "v=DKIM1; g=*; k=rsa; p=key;"
>
> Does anybody know what I am doing wrong?

Yes, you're misinterpreting the result.

> DKIM Test: pass
> DKIM Author Signing Practice: no DNS record

For DKIM to pass, obviously your DNS record is there or the process couldn't complete. The DKIM Author Signing Practise is a different DNS record, which you probably haven't published yet.
Re: [dkim-milter-discuss] asn1 encoding routines failure
On Sat, 10 Jan 2009, Robert Schetterer wrote:
> Jan 10 13:32:35 postmailer dkim-filter[3843]: 96634260010: dkim_eoh(): resource unavailable: d2i_PUBKEY_bio() failed
> Jan 10 13:32:35 postmailer dkim-filter[3843]: 96634260010 SSL error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data

At a guess, the public key the filter retrieved to verify a message didn't contain enough information, i.e. the encoding was broken or truncated. Using your logs, you might be able to figure out what the domain and selector are, and then retrieve the public key manually to see if it looks right or not (and use the openssl binary to see if it could be parsed).
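The "retrieve the key and see if it parses" step suggested here, and the corrupted-key cause discussed in the d2i_PUBKEY_BIO() thread above, can be checked without OpenSSL: decode the p= value of the key record and compare the length declared by the outer DER SEQUENCE with the bytes actually present. A record truncated during the PEM-to-TXT transition fails exactly that comparison, which is what the "not enough data" message in the log means. This is an added example, not dkim-milter or libdkim code; the key record it checks is built from a made-up modulus and is not a real key, and the classification names are this example's own.

```python
"""Check the p= public key in a DKIM key record the way the filter's
OpenSSL call would see it: base64-decode it and verify that the outer
DER SEQUENCE length matches the data actually present.  Added example,
not dkim-milter code; the key below is built from a made-up modulus."""
import base64
import binascii


def der_len(n):
    """DER length field: one byte below 128, otherwise 0x80|count + bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption


def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key, the DER structure that p=
    carries and that d2i_PUBKEY_bio() parses."""
    rsa_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    alg_id = der_tlv(0x30, RSA_OID + b"\x05\x00")
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))


def parse_key_record(txt):
    """tag=value list of a _domainkey TXT record; whitespace inside a
    value (e.g. a folded p=) is dropped."""
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError("malformed tag %r" % item)
        tags[name.strip()] = "".join(val.split())
    return tags


def check_der_envelope(der):
    """Compare the outer SEQUENCE's declared length with the bytes present."""
    if len(der) < 2 or der[0] != 0x30:
        return "not-a-sequence"
    first = der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        count = first & 0x7F
        if count == 0 or len(der) < 2 + count:
            return "not-enough-data"
        length, header = int.from_bytes(der[2:2 + count], "big"), 2 + count
    if len(der) < header + length:
        return "not-enough-data"       # what ASN1_D2I_READ_BIO reports
    if len(der) > header + length:
        return "trailing-data"
    return "ok"


def check_public_key(txt):
    """Classify a key record: ok, revoked, bad-base64, not-enough-data,
    trailing-data, not-a-sequence, bad-version or unsupported-key-type."""
    tags = parse_key_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "bad-version"
    if tags.get("k", "rsa") != "rsa":
        return "unsupported-key-type"
    p = tags.get("p", "")
    if p == "":
        return "revoked"               # empty p= means the key is revoked
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return "bad-base64"
    return check_der_envelope(der)


# Constructed test data: a made-up 1024-bit odd number, not a real key.
TOY_N = (1 << 1023) | 0x10001
SAMPLE_KEY = rsa_spki(TOY_N, 65537)
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_KEY).decode()
# The same record cut off part-way through the key, as happens when a long
# TXT string is pasted into a zone file and truncated.
CUT_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(SAMPLE_KEY[:120]).decode()
```

To cross-check a real record with the openssl binary, write the decoded p= bytes to a file and run `openssl rsa -pubin -inform DER -in key.der -noout -text`; a key that this example classifies as not-enough-data will fail there with the same asn1 "not enough data" error that appears in the log above.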
Re: [dkim-milter-discuss] DKIM sign locally
On Thu, 8 Jan 2009, Bailo, John wrote:
> My DKIM milter is signing emails perfectly when I connect from a remote machine on mynetworks (Postfix) and send email with Outlook Express. But if I send an email locally, from the postfix server itself using the mail command, it doesn't sign.

My guess, since I'm not familiar with Postfix, is you've defined an internal host list for your internal network (which is why Outlook Express works) but left localhost off.
[dkim-milter-discuss] dkim-filter crash bug and workaround
This affects all versions from 2.5.0 to 2.7.2.

With the addition of configuration reloads in 2.5.0, there is a failure to set up some configuration defaults in certain circumstances. This can lead to crashes when particular message mutations pass through the filter because of assertion failures or invalid pointer dereferences.

Specifically, if you don't use -C on the command line and don't use any of the On- action directives in the configuration file (or don't use a configuration file at all), the default actions for those exceptions are never loaded. The action is to continue in those cases as a result, rather than the intended (documented) defaults. This means when libdkim rejects a message for formatting reasons, the filter will plunder forward, continuing to process the same message rather than halting processing as it should. This eventually causes the filter to make a call into the DKIM library which causes an illegal request or an assertion failure, and the filter will crash.

The specific instance of this that has been observed is as follows:

a) no use of -C on the command line
b) no On-* directives in the configuration file (or no configuration file)
c) a Sender: header with an address whose domain is in the list of domains to sign
d) no From: header on the message

A permanent fix has already been added to the impending 2.8.0 release. A patched beta release of it is already available. I expect to be posting that around the end of this week.

In the interim, you can protect your installations from this by either:

1) starting your filter with -C int=t on the command line. The default includes int=t so this won't change your filter's operation, but it will cause the full set of defaults to be established properly as the filter starts up; OR

2) editing your configuration file to contain the line:

    On-InternalError tempfail

...which has the same effect.

The upcoming release fixes the filter's default loading and also hardens the library so even without that fix (or without the filter), a crash will no longer result.

If people want or need a patch to 2.7.2 while waiting for 2.8.0 or would rather do that than upgrade right away to a new release, I can produce a 2.7.3 or just post a source patch here. Please let me know if you have such requirements.
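The bug class described above is worth seeing in isolation: defaults that are applied inside an option parser are silently skipped on every startup path that never reaches the parser. The following is an added model of that ordering problem and of both workarounds, not dkim-filter's code; the class and function names are constructed, the only exception class modelled is the internal error (int in the -C string, On-InternalError in the config file, default tempfail, all from the post), and the "c" action code for continue is an assumption made for the model.

```python
"""Model of the defaults-loading bug described above: defaults that are
only applied inside the -C parser are skipped entirely when -C is not
given.  Added example with constructed names, not dkim-filter's code.
The one exception class modelled is the internal error ("int" in -C,
On-InternalError in the config file) with its documented default of
tempfail; the "continue" fallback is what the post says happened when
defaults were never loaded."""

# -C uses "t" for tempfail (int=t is from the post); "c" for continue is
# an assumption made for this model.
ACTION_CODES = {"t": "tempfail", "c": "continue"}
DEFAULTS = {"int": "tempfail"}        # the documented defaults


class Config:
    def __init__(self):
        self.handling = {}             # exception class -> action


def build_config(c_string=None, conf_lines=(), fixed=False):
    """Build the handling table the way the filter does at startup.
    fixed=False reproduces the 2.5.0-2.7.2 ordering, fixed=True the
    2.8.0 ordering where defaults are loaded with the allocation."""
    conf = Config()
    if fixed:
        conf.handling.update(DEFAULTS)         # every path starts from defaults
    if c_string is not None:
        if not fixed:
            conf.handling.update(DEFAULTS)     # bug: only reached when -C is given
        for item in c_string.split(","):
            cls, _, code = item.partition("=")
            conf.handling[cls] = ACTION_CODES[code]
    for line in conf_lines:                    # workaround 2: On-InternalError
        if line.startswith("On-InternalError"):
            conf.handling["int"] = line.split()[1]
    return conf


def action_for(conf, cls):
    """What the filter does on an exception of class cls; with no entry
    the table falls through to "continue", which is the crash path."""
    return conf.handling.get(cls, "continue")


def end_of_message(conf, library_rejected):
    """Simulated end-of-message step.  When libdkim has rejected the
    message the filter must stop and apply the configured action;
    continuing means calling back into the library on a handle it has
    already given up on, which the post describes as ending in an
    assertion failure."""
    if not library_rejected:
        return "accept"
    if action_for(conf, "int") == "tempfail":
        return "tempfail"
    raise AssertionError("filter continued past a library rejection")
```

With neither -C nor an On-InternalError line the unfixed table is empty and the simulated filter trips the assertion; adding either workaround, or building with fixed=True, turns the same rejection into a tempfail.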
Re: [dkim-milter-discuss] dkim-filter crash bug and workaround
On Wed, 7 Jan 2009, Scott Kitterman wrote: This affects two Ubuntu versions that are post-release and I'll have to patch if I am to fix them, so a patch would be handy. It's 2.5.4 and 2.6.0 if it matters. Diffs to those two versions attached. They're identical except for the line numbers and version numbers.Index: dkim-filter/dkim-filter.c === RCS file: /cvs/dkim-filter/dkim-filter.c,v retrieving revision 1.360 diff -u -r1.360 dkim-filter.c --- dkim-filter/dkim-filter.c 15 Apr 2008 20:42:29 - 1.360 +++ dkim-filter/dkim-filter.c 7 Jan 2009 20:56:14 - @@ -975,9 +975,6 @@ char *v; char *tmp; - /* load defaults */ - memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling); - if (confstr == NULL) return TRUE; @@ -1128,6 +1125,9 @@ new-conf_signbytes = -1L; new-conf_sigmintype = SIGMIN_BYTES; + /* load defaults */ + memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling); + return new; } Index: libdkim/dkim.c === RCS file: /cvs/libdkim/dkim.c,v retrieving revision 1.469 diff -u -r1.469 dkim.c --- libdkim/dkim.c 14 Apr 2008 20:02:58 - 1.469 +++ libdkim/dkim.c 7 Jan 2009 20:56:14 - @@ -2723,6 +2723,7 @@ { dkim_error(dkim, required header \%s\ not found, required_signhdrs[c]); + dkim-dkim_state = DKIM_STATE_UNUSABLE; return DKIM_STAT_SYNTAX; } } Index: dkim-filter/dkim-filter.c === RCS file: /cvs/dkim-filter/dkim-filter.c,v retrieving revision 1.385 diff -u -r1.385 dkim-filter.c --- dkim-filter/dkim-filter.c 5 Jun 2008 15:12:44 - 1.385 +++ dkim-filter/dkim-filter.c 7 Jan 2009 20:55:47 - @@ -1130,9 +1130,6 @@ char *v; char *tmp; - /* load defaults */ - memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling); - if (confstr == NULL) return TRUE; 
@@ -1278,6 +1275,9 @@ new-conf_signbytes = -1L; new-conf_sigmintype = SIGMIN_BYTES; + /* load defaults */ + memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling); + return new; } Index: libdkim/dkim.c === RCS file: /cvs/libdkim/dkim.c,v retrieving revision 1.485 diff -u -r1.485 dkim.c --- libdkim/dkim.c 5 Jun 2008 23:32:41 - 1.485 +++ libdkim/dkim.c 7 Jan 2009 20:55:47 - @@ -2776,6 +2776,7 @@ { dkim_error(dkim, required header \%s\ not found, required_signhdrs[c]); + dkim-dkim_state = DKIM_STATE_UNUSABLE; return DKIM_STAT_SYNTAX; } } -- Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB___ dkim-milter-discuss mailing list dkim-milter-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
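Review bot: in the second dkim-filter.c hunk (the one that relocates the defaults) the added `memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling);` refers to `conf`, while every other line visible in that hunk initialises `new-conf_signbytes` and `new-conf_sigmintype` and the function ends with `return new;`. Unless `conf` is a global or a macro in scope there, this will not compile, and if it does compile it initialises a different structure from the one being returned, which would leave the defaults problem in place. Suggest `memcpy(new->conf_handling, defaults, sizeof new->conf_handling);`. The same applies to the 2.6.0 copy of the diff at `@@ -1278,6 +1275,9 @@`.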
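Review bot: the libdkim/dkim.c hunk marks the handle unusable only on the required-header-missing path before `return DKIM_STAT_SYNTAX;`. The announcement says the library is being hardened so that a filter which keeps going after a rejection can no longer crash it; for that to hold, any other early return of DKIM_STAT_SYNTAX in this function (or elsewhere in the library) needs the same `dkim-dkim_state = DKIM_STATE_UNUSABLE;`, or the function needs a single exit path that sets it, since on those paths the filter-side defaults fix would otherwise remain the only protection. A short comment above the new line explaining that later calls on this handle must fail would also help the next reader.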
Re: [dkim-milter-discuss] dkim-filter crash bug and workaround
On Wed, 7 Jan 2009, Murray S. Kucherawy wrote:
> The specific instance of this that has been observed is as follows:
> a) no use of -C on the command line
> b) no On-* directives in the configuration file (or no configuration file)
> c) a Sender: header with an address whose domain is in the list of domains to sign
> d) no From: header on the message

Forgot one:

e) all other signing criteria are met (MTA name matches, macros match, source is on the internal list, etc.)

That is, one cannot craft a message from outside and send it inbound and expect the filter to crash, i.e. it's not exploitable from outside.
Re: [dkim-milter-discuss] meaning of padding too short message?
On Sun, 4 Jan 2009, Thomas Bader wrote:
> At first sight, everything looks well. However, there's a log message which is a bit confusing:
>
> Jan 3 23:09:26 valmar dkim-filter[952]: 3C9D8342EEEF SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short
>
> (On successful verification, this is the _only_ logged message. In case of failed verification, a log line indicating bad signature data follows.)

The dkim-filter code will log errors that the OpenSSL library reports. If you're getting successful verification, you can probably ignore this. I'm not an expert about the data structures OpenSSL uses, but the error appears to mean the public key retrieved to verify a message was corrupted. However, if it's verifying successfully then I suppose it was not corrupted enough to prevent completion of the verify operation.
Re: [dkim-milter-discuss] meaning of padding too short message?
On Sun, 4 Jan 2009, Thomas Bader wrote:
> Jan 3 23:09:26 valmar dkim-filter[952]: 3C9D8342EEEF SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short

Can you use the logs (i.e. grep for 3C9D8342EEEF) to figure out which public key was used to sign the message, or go look at the message if it's still there and give me the values of d= and s=? I wonder if I can reproduce the problem just by knowing which key it is.

The error would seem to indicate that there's a padding problem with the public key, not the signature or the header hash (which are the three inputs to the RSA verify function). Based on some reading just now after searching online for that error string, OpenSSL v0.9.8c and later include a test to thwart what they labeled a PKCS #1 v1.5 signature attack, and this is the error returned when that attack is detected.

http://marc.info/?l=openssl-cvs&m=115744474426944&w=2

That the message still succeeds verification would appear to contradict the code added by that patch.

Right now I suspect the key being retrieved from the signing domain's DNS was either improperly encoded or improperly generated. However, just to be sure, I'd like to run a few examples through a debugger here to see if I have a problem with the DNS or base64 code in the filter. I need some sample data to be able to do so. I checked my own domain's logs and I've had no instances of that error for the last week, so I don't have any data to work with yet. Hopefully someone on this list can help me out.
Re: [dkim-milter-discuss] meaning of padding too short message?
The padding too short check and error was removed from OpenSSL sometime in September of 2006. In particular:

http://cvs.openssl.org/rlog?f=openssl/crypto/rsa/rsa_eay.c

Version 1.52 of that file added the test which triggered this error report and returned an error, and 1.53 removed it. That yours reports the error in the error stack but doesn't actually return a verification error is mysterious.

Interestingly, the time difference between those two versions was under 24 hours. The previous release was 0.9.8c a few weeks earlier, and it didn't have the change either (obviously). I'd guess the version you're running is 0.9.8c with that patch added manually, even though the patch was later retracted by the OpenSSL maintainers.

I would guess then that upgrading to a newer version of the library would remove the problem.
Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers
On Tue, 30 Dec 2008, UUN Hostmaster wrote:
> I get no output with this command:
>
> # strings /usr/sbin/dkim-filter | fgrep ar.c,v

That means your code wasn't compiled with the asynchronous resolver library provided as part of the dkim-milter package. This eliminates it as your problem. That means the operating system's stock resolver is doing what you've observed. dkim-filter (actually, libdkim) is just using the system's res_search() or res_query() function and thus doesn't have any direct influence about what UDP descriptors are created or how they're used.

> What does the ,v do in this command?

Note this at the top of each .c and .h file in the distribution:

    #ifndef lint
    static char dkim_filter_c_id[] = "@(#)$Id: dkim-filter.c,v 1.416 2008/11/10 07:02:28 msk Exp $";
    #endif /* !lint */

For files which actually comprise part of the binary, that string inside quotes will actually appear as part of the binary (and thus, the output of strings). This is how one can determine which files were used to build your executable. The entire string between the $ characters is generated by our source code control system and is updated whenever one of the files is changed, so you can tell which version and what the revision date of each file was.

The ,v suffix is added to files in the revision control system RCS we use. For example, foo.c might be the working C source file but RCS keeps a history of all changes and comments describing them in RCS/foo.c,v. This is used to generate the ID tag automatically.

That there's no ar.c,v shows me that your binary did not include the code found in libar/ar.c, which is the asynchronous resolver library shipped with dkim-milter. That's the detail I was seeking.

> Here is the output without the ,v
>
> # strings /usr/sbin/dkim-filter | fgrep ar.c
> dkim-ar.c

That means your binary was compiled with dkim-filter/dkim-ar.c, which is expected; that code parses Authentication-Results header fields, and is different from libar/ar.c.
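The $Id$ strings described above give a simple provenance check for a built binary: which source files, at which revisions, went into it. As an added example (not dkim-milter code), this pulls every expanded RCS $Id$ keyword out of a byte buffer and answers the "was libar/ar.c compiled in?" question by exact file name, which is what the ,v suffix was doing in the fgrep above: a bare substring match on ar.c also hits dkim-ar.c. The byte buffer is a constructed stand-in for the binary's string table; the dkim-filter.c tag is the one quoted in the post, and the dkim-ar.c revision and date are made up.

```python
"""Recover the RCS $Id$ strings embedded in a built binary, the same
information 'strings | fgrep ar.c,v' exposes, and use them to answer
"which source files went into this executable".  Added example, not
dkim-milter code; the byte buffer is constructed."""
import re

# One $Id$ per source file, as RCS expands the keyword:
# $Id: file,v revision date time user state $
ID_RE = re.compile(
    rb"\$Id: (?P<file>[^\s,]+),v (?P<rev>[0-9.]+) "
    rb"(?P<date>\d{4}/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<user>\S+) (?P<state>\S+) \$"
)

# Constructed stand-in for the binary's string table.  The dkim-filter.c
# tag is the one quoted in the post; the dkim-ar.c revision is made up.
CONSTRUCTED_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"@(#)$Id: dkim-filter.c,v 1.416 2008/11/10 07:02:28 msk Exp $\x00"
    + b"@(#)$Id: dkim-ar.c,v 1.9 2008/09/01 00:00:00 msk Exp $\x00"
    + b"some other string\x00"
)


def rcs_ids(blob):
    """Map source file name -> (revision, date) for every $Id$ found."""
    return {
        m.group("file").decode(): (m.group("rev").decode(), m.group("date").decode())
        for m in ID_RE.finditer(blob)
    }


def built_from(blob, filename):
    """True only when a file of exactly that name has an $Id$ in the binary.
    A plain substring search for 'ar.c' would also match 'dkim-ar.c', which
    is why the post asks for the ',v' suffix and then looks at the full name."""
    return filename in rcs_ids(blob)
```

On a real installation read the executable into the buffer instead (`open("/usr/sbin/dkim-filter", "rb").read()`); the regex is the same, and a file that reports no $Id$ at all was built from sources where the keyword was never expanded.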
Re: [dkim-milter-discuss] Checking results with openssl
On Thu, 18 Dec 2008, deiva shanmugam wrote:
> I had built 64-bit libdkim in solaris 10. I'm trying to cross check whether the body hash and signature created by libdkim against openssl, by doing manual canonicalization and calculating hash and signature using openssl commands. But the hash created by both of them differs.
>
> The Data Was very simple to be:
>
> This\r\n
>
> But the hash was completely different. The openssl command was:
>
> opennsl dgst -sha1 -in Inputfile -out Outfile
>
> Inputfile contains :
>
> This\r\n
>
> The Version of dkim-milter i'm using is: dkim-milter-2.8.0.Beta4

In general, please restrict conversations about the beta releases to the beta list. However, this probably applies to all versions and is a general theory question.

In the public releases, try setting the environment variable DKIMDEBUG to c, then restart your filter and send your test message. In /var/tmp you'll find some dkim.* files named, in part, after the MTA job ID that was processed. You should be able to back-track from your logs or the Received: headers in your message to find the canonicalized body. You can then diff that against your original file to see how they may have changed between your file and what the MTA actually saw.

The method is different in the 2.8.0 Beta releases. Check your dkim-filter.conf(5) man page for details there.
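The diff suggested above usually shows why a hand-computed hash disagrees with libdkim's bh=: the body the MTA saw was canonicalized first (trailing empty lines removed, a CRLF guaranteed at the end, and under relaxed canonicalization whitespace collapsed), whereas openssl dgst hashes the file bytes as they are and prints hex rather than base64. A file written with a bare LF, or with one extra blank line, hashes differently from This\r\n. The following is an added example of the two body canonicalizations as RFC 6376 defines them and the bh= computation over them; it is not libdkim or dkim-milter code, and the sample bodies are constructed.

```python
"""Body canonicalization and bh= computation as RFC 6376 defines them,
so that a libdkim body hash can be reproduced by hand.  Added example,
not libdkim or dkim-milter code; the sample bodies are constructed."""
import base64
import hashlib
import re


def _strip_trailing_empty_lines(body):
    """Remove every CRLF at the end of the body (the trailing empty lines)."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body


def canon_body_simple(body):
    """'simple': remove empty lines at the end of the body and make sure
    it ends in exactly one CRLF (an empty body becomes a single CRLF)."""
    return _strip_trailing_empty_lines(body) + b"\r\n"


def canon_body_relaxed(body):
    """'relaxed': drop trailing whitespace on each line, collapse runs of
    SP/TAB to one SP, then drop trailing empty lines; a non-empty body
    ends in CRLF, an empty one stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t"))
             for line in body.split(b"\r\n")]
    body = _strip_trailing_empty_lines(b"\r\n".join(lines))
    return body + b"\r\n" if body else b""


CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body, canon="simple", algo="sha1"):
    """bh= value: base64 of the digest over the canonicalized body.
    algo is 'sha1' for a=rsa-sha1 or 'sha256' for a=rsa-sha256."""
    digest = hashlib.new(algo, CANON[canon](body)).digest()
    return base64.b64encode(digest).decode()
```

To compare with the openssl binary, hash the canonicalized bytes rather than the original file and ask for the same encoding: `openssl dgst -sha1 -binary < canon.bin | openssl base64` produces the value that belongs in bh=.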
Re: [dkim-milter-discuss] [EMAIL PROTECTED] - no DNS entry
On Tue, 25 Nov 2008, Tamara McDonald wrote:

> dkim is now signing however the dkim test to dk.elandsys.com is not giving me a clean test. Also gmail sets me at dkim=neutral.

Your signature says:

DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ns1.rentapad.com; s=mail; t=1227635239; bh=s75zFFqW8KSw5Gb4dsEga72PgKQ=; h=From:To: Subject; b=d1eAD3IRfpx58kVIXEzr28L1Kvn+3qFKhTl4hOG0SWEMf7QWfVn0VKO NzpspZ4LLg7rXK0fCDlwxko/b6D/nuSXmnC2RkFbnFD/pTgvJ3yyCb0cAOLE4+J0IcS bEwNxWa/ALSxyJphlZMRcEoNwh3Vej7uKbxcFrTk9IWdggOgo=

I don't see a key in your DNS at mail._domainkey.ns1.rentapad.com. Hence, the errors you're getting are correct.

Also, you may be confusing DomainKeys with DKIM. They're not the same thing.
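How a verifier gets from that DKIM-Signature to the DNS name it has to look up, as an added example in Python (not libdkim's code). It parses the tag=value list with the folds the signature was posted with, derives selector._domainkey.domain, and then classifies what the resolver returned. The signature value is the one above; the key records and the stand-in resolver dictionary are constructed, and the function names are my own.

```python
import re
from typing import Dict

# The DKIM-Signature value quoted above, with the folds it was posted with
# reproduced as CRLF + whitespace (FWS is permitted inside tag values).
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha1; c=simple/simple; d=ns1.rentapad.com; s=mail; t=1227635239;\r\n"
    "\tbh=s75zFFqW8KSw5Gb4dsEga72PgKQ=; h=From:To:\r\n"
    "\t Subject; b=d1eAD3IRfpx58kVIXEzr28L1Kvn+3qFKhTl4hOG0SWEMf7QWfVn0VKO\r\n"
    "\t NzpspZ4LLg7rXK0fCDlwxko/b6D/nuSXmnC2RkFbnFD/pTgvJ3yyCb0cAOLE4+J0IcS\r\n"
    "\t bEwNxWa/ALSxyJphlZMRcEoNwh3Vej7uKbxcFrTk9IWdggOgo="
)

# Constructed key records as a verifier might get them back from the TXT
# lookup; the p= value is a placeholder, not a real key.
GOOD_KEY_RECORD = "v=DKIM1; k=rsa; p=CONSTRUCTED_BASE64_PUBLIC_KEY"
REVOKED_KEY_RECORD = "v=DKIM1; k=rsa; p="

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse an RFC 4871 tag=value list; a duplicate tag makes the whole list invalid."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags: Dict[str, str] = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue                      # empty element after a trailing ';'
        name, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {item.strip()!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = re.sub(r"\s+", "", val)   # FWS inside a value carries no meaning
    return tags


def key_record_name(sig: Dict[str, str]) -> str:
    """The DNS name a verifier queries for this signature's public key."""
    missing = [t for t in REQUIRED_TAGS if t not in sig]
    if missing:
        raise ValueError(f"signature missing required tags: {missing}")
    if sig["v"] != "1":
        raise ValueError(f"unsupported version {sig['v']!r}")
    if "from" not in [h.lower() for h in sig["h"].split(":")]:
        raise ValueError("h= must include From")
    return f"{sig['s']}._domainkey.{sig['d']}"


def check_key_record(txt: str) -> Dict[str, str]:
    """Validate a fetched key record (RFC 4871 section 3.6.1)."""
    key = parse_tag_list(txt)
    if key.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    if key.get("k", "rsa") != "rsa":
        raise ValueError(f"unsupported key type {key['k']!r}")
    if "p" not in key:
        raise ValueError("key record has no p= tag")
    if key["p"] == "":
        raise ValueError("key has been revoked (empty p=)")
    return key


def verification_status(sig_value: str, dns_txt: Dict[str, str]) -> str:
    """Map a signature plus what DNS returned onto the result a verifier reports.

    dns_txt is a constructed stand-in for the resolver: name -> TXT record;
    a name that is absent means the record does not exist (the thread's case).
    """
    try:
        name = key_record_name(parse_tag_list(sig_value))
    except ValueError as exc:
        return f"permfail (signature syntax: {exc})"
    if name not in dns_txt:
        return f"permfail (no key for signature: {name})"
    try:
        check_key_record(dns_txt[name])
    except ValueError as exc:
        return f"permfail ({exc})"
    return "key available; proceed to verify bh= and b="
```

With an empty resolver dictionary the result names mail._domainkey.ns1.rentapad.com as the record that is missing, which is the situation described in the reply: until that TXT record is published, every verifier will report the same thing.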
Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers
Please paste the output of:

	% strings dkim-filter-path | fgrep ar.c,v

I've looked over the most recent libar source code but can't find any code path that would cause UDP descriptor leakage. I want to make sure I'm looking at the same copy of that file that you're using.
Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers
On Sun, 16 Nov 2008, Jim Hermann - UUN Hostmaster wrote:

> I was not using the asynchronous (ARLIB) resolver, so I compiled dkim-filter version 2.7.0 with define(`bld_USE_ARLIB', `True').

In that case any leftover descriptors prior to your rebuild are in use by (and perhaps leaked by) your system's resolver library.

> After a week with the new dkim-filter, there are 25 netstat udp entries for my Upstream Nameserver #1 and 5 entries for the local nameserver, all for dkim-filter.

I've been running dkim-milter 2.8.0.Beta2 for eight days now and it has one TCP port open on which it is listening and two UDP ports open which aren't associated with anything in particular. The former is for accepting connections from the MTA; the latter are presumably for DNS work.

If you have lsof installed, using it on your dkim-filter process would be really helpful in corroborating what netstat is claiming. I would trust the output of lsof before that of netstat in terms of tracking down a possible problem.

> DKIM does not release the tcp ports either. It has 6 tcp ports open to port on the local machine.

That would be the MTA connecting to dkim-filter. There's one of those for every connection your MTA has open. That's normal. The connections go away when the SMTP client disconnects from the MTA. Try it yourself; telnet to your own port 25 and you should see one more TCP connection appear between the MTA and the filter; disconnect, and it should go away.
Re: [dkim-milter-discuss] AOL.COM DKIM Check Header: X-AOL-SCOLL-AUTHENTICATION
On Sat, 8 Nov 2008, Jim Hermann - UUN Hostmaster wrote:

> Why would AOL.COM add this Header to a received email?
>
> X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-m271.1 ; domain : No domain found DKIM = none

You'd have to ask AOL's postmaster team about that one. The headers look fine to me. Perhaps it was a transient DNS error at the time that mail tried to get in.
Re: [dkim-milter-discuss] AOL.COM DKIM Check Header: X-AOL-SCOLL-AUTHENTICATION
On Sat, 8 Nov 2008, Jim Hermann - UUN Hostmaster wrote:

> I found another one and it failed, rather than just reporting none.
>
> X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-m222.2 ; domain : uuserver.net DKIM = fail
>
> Any ideas why it failed?

At a glance, no. I'd have to have a copy of the original to try it with my own code.
Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers
On Sat, 8 Nov 2008, Jim Hermann - UUN Hostmaster wrote:

> Why does my dkim-filter make and keep open so many connections to my upstream DNS?
> [...]

Just to be precise, there's no such thing as a UDP connection, just a socket that gets reserved for communication with a particular source.

Are you compiling with USE_ARLIB enabled? If so, that might be something we can address by fixing that library. If not, your operating system's resolver library is responsible for the sockets.
[dkim-milter-discuss] dkim-milter-2.8.0 betas starting
Beta releases of 2.8.0 have begun and are available for download from SourceForge.

The usual request applies: Please restrict discussion of comments on or issues with the Beta to the dkim-milter-beta list. Don't use this list or the trackers on SourceForge.

Also, I won't be making regular announcements about new Beta releases. If you want to be notified, subscribe to notifications via the tools on SourceForge for the Pre-Release package.

I'm hoping to do the formal release in about a week to ten days. The main features of this release include DNSSEC support and experimental improved handling of some MTA header field rewrites. Some support for more of the dkim-reporting draft extensions has also been added, and several other minor improvements were also made.

Enjoy!

-MSK
Re: [dkim-milter-discuss] Header folding and verification
On Fri, 7 Nov 2008, SM wrote:

> Section 5.5 of the DKIM specification has a list of headers that should be included in the signature. The To: header is part of that. It's not a good idea not to sign the To: header as it's part of the visible headers that are displayed in the MUA.

Moreover, the sendmail MTA will rewrite about a dozen header fields if they're present with the same formatting code. If you insist on omitting To, by the same logic you may as well omit the rest of them. Unfortunately, From: is one of them, and that one MUST be signed. (Fortunately, though, it almost always contains only a single address so it doesn't really get rewritten.)

There's also at least one verifier out there that insists To (and Subject and any other header field most MUAs render) be signed or it considers the signature invalid.

To mitigate some of these false verification failures, I'm considering making relaxed/simple the default canonicalization for the filter rather than simple/simple. Opinions?
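Why relaxed header canonicalization survives the kind of rewrite discussed above and simple does not, as an added example in Python (not the filter's code). It implements RFC 4871 sections 3.4.1 and 3.4.2 for header fields and runs a To: field through a whitespace-only refold and through an address rewrite; the three header sets are constructed and the function names are my own.

```python
import re
from typing import List, Tuple

Header = Tuple[str, str]


def simple_header(name: str, value: str) -> str:
    """RFC 4871 section 3.4.1: 'simple' header canonicalization changes nothing."""
    return f"{name}:{value}\r\n"


def relaxed_header(name: str, value: str) -> str:
    """RFC 4871 section 3.4.2: lowercase the name, unfold, squeeze WSP runs to one
    SP, drop WSP at the end of the value and on either side of the colon."""
    unfolded = re.sub(r"\r\n([ \t])", r"\1", value)
    squeezed = re.sub(r"[ \t]+", " ", unfolded)
    return f"{name.strip().lower()}:{squeezed.strip(' ')}\r\n"


def canonicalize(fields: List[Header], method: str) -> str:
    """Canonical form of the listed fields, in the order a signer's h= tag names them."""
    canon = {"simple": simple_header, "relaxed": relaxed_header}[method]
    return "".join(canon(name, value) for name, value in fields)


# Constructed: the To: field as the submitting MUA wrote it, folded on a TAB...
AS_SUBMITTED: List[Header] = [
    ("From", " alice@example.com"),
    ("To", " Bob <bob@example.com>,\r\n\tCarol <carol@example.com>"),
    ("Subject", " canonicalization demo"),
]
# ...after an MTA re-folded it onto one line (a whitespace-only change)...
AS_REFOLDED: List[Header] = [
    ("From", " alice@example.com"),
    ("To", " Bob <bob@example.com>, Carol <carol@example.com>"),
    ("Subject", " canonicalization demo"),
]
# ...and after a masquerade-style rewrite of an address itself.
AS_REWRITTEN: List[Header] = [
    ("From", " alice@example.com"),
    ("To", " Bob <bob@mail.example.com>, Carol <carol@example.com>"),
    ("Subject", " canonicalization demo"),
]


def survives(method: str, before: List[Header], after: List[Header]) -> bool:
    """Would the header hash a signer computed on 'before' still match 'after'?"""
    return canonicalize(before, method) == canonicalize(after, method)
```

Relaxed absorbs refolding and whitespace changes, which is the case the reply is aiming at; it does nothing for an MTA that changes the addresses themselves, which is the genericstable/masquerade problem taken up elsewhere in this thread.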
Re: [dkim-milter-discuss] dkim and Yahoo
On Fri, 7 Nov 2008, Bailo, John wrote:

> Has anyone had any experience with dkim and yahoo.com?

They are in the process of deploying DKIM verification (using libdkim, in fact) but have not yet completed that work.
Re: [dkim-milter-discuss] dkim-filter: (stdin): verify mode requires rsa-sha256 support on OpenBSD
Apparently the version of OpenSSL that comes stock on OpenBSD (at least the version you have) is not 0.9.8 or later, which was the first version in which SHA256 was provided. You'll need to upgrade your installed version of OpenSSL to get the right stuff.
Re: [dkim-milter-discuss] Another interesting verification fail...
On Wed, 5 Nov 2008, Jonas Eckerman wrote:

> Seeing as quite a few mailing lists alter the messages (adding footers, tags, and sometimes even ads), stripping signatures should continue. The alternative would be to leave the signatures even though verification is virtually guaranteed to fail.

I disagree. The preferred solution would be to have the MLM re-sign the message on distribution. That way, when the MLM receives the message and performs DKIM verification, that verification could be recorded by the addition of an Authentication-Results: header as passing. Then the new signature added by the MLM would protect that header's content (i.e. the original pass), even if the MLM's modifications invalidate the author's signature.
Re: [dkim-milter-discuss] setting Internal Hosts in a Suse 11 Postfix installation
On Tue, 4 Nov 2008, Bailo, John wrote:

> I read that I have to specify Internal Hosts or subnets in the dkim-filter.conf however, I cannot find this file in my installation(!)

You can create one, or you can specify the internal host list on the command line (check the man page for details). Either will work.

> Is this something I should just create with vi?

Yes, with respect to both files.

> Do you think adding the IP address range to Internal Hosts will solve the problem of the signature not being added?

Yes, that's its intent.
Re: [dkim-milter-discuss] setting Internal Hosts in a Suse 11 Postfix installation
On Tue, 4 Nov 2008, Bailo, John wrote:

> How can I determine where to create dkim-filter.conf? In what subdirectory?

It's up to you. I suppose /etc/mail is a common location, but there are no restrictions.

> However the service is started with:
>
> /usr/sbin/rcdkim
>
> In this script, I see
>
> DKIM_BIN=/usr/bin/dkim-filter

Does that script make any reference to a configuration file at all? If not you may have to modify it to have dkim-filter use your configuration file in whatever location you select when it starts.

> Does dkim-filter automatically look for dkim-filter.conf ?

No.
Re: [dkim-milter-discuss] setting Internal Hosts in a Suse 11 Postfix installation
On Tue, 4 Nov 2008, Bailo, John wrote:

> I'm guessing, but I think what I need to do is edit the startup script scdkim and change
>
> DKIM_BIN=/usr/bin/dkim-filter
>
> To
>
> DKIM_BIN=/usr/bin/dkim-filter -C /etc/mail/dkim-filter.conf

-x instead of -C, but yes.

> Then in dkim-filter.conf I would add (this is my reference http://bugs.gentoo.org/attachment.cgi?id=148815 ):
>
> InternalHosts /etc/mail/dkim-filter/internalhosts
>
> And in /etc/mail/dkim-filter/internalhosts, I would add
>
> 192.168.26.0/24
>
> To handle all the servers on my subnet...

Looks right to me.
[dkim-milter-discuss] Adding DNSSEC to dkim-filter
Thanks to John Dickinson, a patch has been provided which adds support for DNSSEC to libdkim. This will appear in v2.8.0 of the filter which I'm hoping to put into public beta as early as next week.

This will necessarily create a couple of new configuration options since the DNSSEC data may have an impact in terms of local policy.

I was thinking about adding an authentication method to the Authentication-Results: draft called something like "dkim-sec" representing the DKIM result if the key/policy records were secured with DNSSEC, but that draft is on its way to publication so I don't want to make any changes to it now. So until it's appropriate to publish an extension to it, we're left with adding a parenthetical comment to the Authentication-Results: header field which reflects the DNSSEC result, or changing the actual result based on key/policy security (or both). I plan to do the comments regardless, but I'm thinking about how to do the other.

The result for any DNSSEC-aware query basically comes down to one of these four:

- evaluation not completed (unknown)
- signer not using DNSSEC (insecure)
- signer using DNSSEC, successful (secure)
- signer using DNSSEC, unsuccessful (bogus)

Therefore, I believe we need four new configuration settings. In particular (with invented names so far):

InsecureKey - specifies what to do with insecure keys
  - possible values:
    - ignore (no action; default)
    - neutral (degrade a pass to neutral)
    - fail (degrade a pass to fail)

BogusKey - specifies what to do with bogus keys
  - possible values:
    - ignore
    - neutral
    - fail (default)

InsecureADSP - specifies what to do with insecure keys
  - possible values:
    - apply (default)
    - ignore

BogusADSP - specifies what to do with bogus ADSP records
  - possible values:
    - apply
    - ignore (default)

Opinions welcome!
-MSK
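The policy table proposed above, as an added example in Python so the four settings and their defaults can be seen working together (this is not the filter's code, and the option names are the message's own invented ones, not shipped configuration keywords). It validates the settings, degrades a pass according to the key's DNSSEC state, decides whether an ADSP record is applied at all, and builds the parenthetical comment the message plans to add to Authentication-Results:. Treating the "unknown" state like "secure" for ADSP is my assumption; the message does not say.

```python
from typing import Dict, Optional

DNSSEC_STATES = ("unknown", "insecure", "secure", "bogus")

# Defaults exactly as proposed in the message above.
DEFAULTS: Dict[str, str] = {
    "InsecureKey": "ignore",   # ignore | neutral | fail
    "BogusKey": "fail",        # ignore | neutral | fail
    "InsecureADSP": "apply",   # apply | ignore
    "BogusADSP": "ignore",     # apply | ignore
}
ALLOWED: Dict[str, tuple] = {
    "InsecureKey": ("ignore", "neutral", "fail"),
    "BogusKey": ("ignore", "neutral", "fail"),
    "InsecureADSP": ("apply", "ignore"),
    "BogusADSP": ("apply", "ignore"),
}


def load_config(overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Defaults plus overrides, rejecting unknown keys and values up front."""
    cfg = dict(DEFAULTS)
    cfg.update(overrides or {})
    for key, value in cfg.items():
        if key not in ALLOWED or value not in ALLOWED[key]:
            raise ValueError(f"bad setting {key}={value!r}")
    return cfg


def key_result(dkim_result: str, key_state: str, cfg: Dict[str, str]) -> str:
    """Degrade a DKIM pass according to how the key record was secured.

    Only a pass is ever degraded: a signature that failed to verify stays a
    fail no matter what DNSSEC said about the key record.
    """
    if key_state not in DNSSEC_STATES:
        raise ValueError(f"unknown DNSSEC state {key_state!r}")
    if dkim_result != "pass":
        return dkim_result
    action = {"insecure": cfg["InsecureKey"], "bogus": cfg["BogusKey"]}.get(key_state, "ignore")
    return {"ignore": "pass", "neutral": "neutral", "fail": "fail"}[action]


def use_adsp_record(adsp_state: str, cfg: Dict[str, str]) -> bool:
    """Whether a fetched ADSP record should influence policy evaluation at all."""
    if adsp_state not in DNSSEC_STATES:
        raise ValueError(f"unknown DNSSEC state {adsp_state!r}")
    if adsp_state == "bogus":
        return cfg["BogusADSP"] == "apply"
    if adsp_state == "insecure":
        return cfg["InsecureADSP"] == "apply"
    return True   # secure, and (my assumption) unknown: apply the record as before


def auth_results_value(dkim_result: str, key_state: str, cfg: Dict[str, str]) -> str:
    """The dkim= result plus the DNSSEC comment the message says it will add regardless."""
    return f"dkim={key_result(dkim_result, key_state, cfg)} (key {key_state} per DNSSEC)"
```

With the defaults a bogus key turns a pass into a fail while an insecure key changes nothing, and a bogus ADSP record is ignored while an insecure one still applies; each of those is a one-line change in the overrides dictionary.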
Re: [dkim-milter-discuss] Selection of signing domain by arbitrary header?
On Wed, 1 Oct 2008, Florian Sager wrote:

> According to my tests the first field of the list always refers to the From header. A SIGNINGDOMAIN_HEADER would help in the following case (we discussed this in our working group):

I replied to this about two weeks ago but never got further response or a feature request on SourceForge. So:

1) Is this still a concern?

2) If so, will _FFR_SELECTOR_HEADER not suffice?
Re: [dkim-milter-discuss] Extra spaces in DKIM-Signature
On Sat, 4 Oct 2008, UUN Hostmaster wrote:

> Each continuation line is preceded by a return (/n) and tab (/t). However, the value for h= has a extra space in front of Content-Type: and MIME-Version.

Yep, this is intentional. I wanted continued values within the header to be indented a bit more to show that it's a continued value within a continued value. In fact, I'd like to add that for other values that might wrap, such as bh=, b= and z=.

> I run milter-null and it looks for Date: and Message-ID:, followed by a space, anywhere in a bounce message. It is confusing the DKIM-Signature continuation line as part of the Message-ID:

Sounds more like an issue with milter-null. Shouldn't it be looking for lines that start with Date: and Message-ID: rather than for those strings anywhere in the message? As it is right now (based on your description) this won't be the last instance of it mis-identifying a message.
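The difference between a substring scan and a header parse, as an added example in Python (not milter-null's or dkim-filter's code): the parser treats any line beginning with SP or TAB as a continuation of the previous field, so "Message-ID:" on a folded h= line of the DKIM-Signature is never mistaken for the Message-ID field. The header block is constructed; its signature values are placeholders, and the function names are my own. It also separates DKIM-Signature from DomainKey-Signature, the confusion that comes up more than once in this thread.

```python
from typing import Dict, List, Tuple

# Constructed header block. The DKIM-Signature is folded the way the thread
# describes: continuation lines start with a TAB, and the h= list continues on
# a line that begins with TAB, SP, "Message-ID:" and a space. A real Message-ID
# field follows later. All signature values are placeholders, not real data.
SAMPLE_HEADERS = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel;\r\n"
    "\th=Date:From:To:Subject:\r\n"
    "\t Message-ID: Content-Type: MIME-Version;\r\n"
    "\tbh=CONSTRUCTED_BODY_HASH=; b=CONSTRUCTED_SIGNATURE=\r\n"
    "Date: Sat, 4 Oct 2008 12:00:00 -0700\r\n"
    "Message-ID: <constructed-id@example.com>\r\n"
    "From: sender@example.com\r\n"
    "Subject: folded header demo\r\n"
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel; d=example.com;\r\n"
    "\tb=CONSTRUCTED_DK_SIGNATURE=\r\n"
    "\r\n"
    "body text\r\n"
)

Header = Tuple[str, str]


def parse_headers(message: str) -> List[Header]:
    """Split the header block into (name, value) pairs, RFC 5322 style.

    A line starting with SP or TAB continues the previous field, so whatever
    text it carries is never a new field. The raw folding is kept inside the
    value so a canonicalizer can still see it.
    """
    head = message.split("\r\n\r\n", 1)[0]
    fields: List[Header] = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t"):
            if not fields:
                raise ValueError("continuation line before any header field")
            name, value = fields[-1]
            fields[-1] = (name, value + "\r\n" + line)
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or any(c.isspace() for c in name):
            raise ValueError(f"malformed header line: {line!r}")
        fields.append((name, value.strip()))
    return fields


def header_values(fields: List[Header], name: str) -> List[str]:
    """All values of a field, matched case-insensitively on the field name."""
    return [v for n, v in fields if n.lower() == name.lower()]


def substring_matches(message: str, needle: str) -> int:
    """What a scan for the string anywhere in the message sees, folds included."""
    return message.count(needle)


def signature_kinds(fields: List[Header]) -> Dict[str, int]:
    """DKIM-Signature and DomainKey-Signature are different protocols; count each."""
    return {
        "dkim": len(header_values(fields, "DKIM-Signature")),
        "domainkeys": len(header_values(fields, "DomainKey-Signature")),
    }
```

On the sample the substring scan counts two occurrences of "Message-ID: " while the parser finds exactly one Message-ID field, which is the mis-identification the reply attributes to milter-null.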
Re: [dkim-milter-discuss] Selection of signing domain by arbitrary header?
On Fri, 12 Sep 2008, Florian Sager wrote:

> I am looking for something similar, a SIGNINGDOMAIN_HEADER: Enable selection of which signing domain to use when signing based on the contents of an arbitrary header (default is signing by the domain in the From header).

Doesn't the key list already support this behaviour? For example:

	[EMAIL PROTECTED]:domain1.com:/path/to/keys/for/domain1/foo
	[EMAIL PROTECTED]:domain2.com:/path/to/keys/for/domain2/bar

The second field in that table defines the signing domain, and the selector is inferred from the path to the key, so [EMAIL PROTECTED] signatures would include "s=foo; d=domain1.com" and [EMAIL PROTECTED] signatures would include "s=bar; d=domain2.com".

If that's not what's happening then there's a bug.
Re: [dkim-milter-discuss] selctive not signing mails to special domain
On Thu, 11 Sep 2008, Robert Schetterer wrote:

> is there a parameter/list in dkim-filter to exclude dkim signing for outgoing mails to special domains

v2.6.0 added a DontSignMailTo feature, available via the configuration file. Check the dkim-filter.conf(5) man page for details.
Re: [dkim-milter-discuss] Message from Yahoo not hitting under milter-dkim
On Sat, 6 Sep 2008, Dan Mahoney, System Admin wrote:

> Can anyone help me figure this out? I realize it's only been a few months since I last had DKIM working, and have fallen a little behind since the specs and standards all change overnight, but...
>
> My message (sent through YahooGroups) with full headers is at http://www.gushi.org/dkim_message.txt
>
> Milter-dkim claims it's unsigned (although SpamAssassin detects the signature separately).

It's a correct claim. There's no DKIM-Signature: header field in the message. It is, however, signed with DomainKeys (there's a DomainKey-Signature: header field).
Re: [dkim-milter-discuss] how 'whitelist' a site
On Thu, 28 Aug 2008, steve ladewig wrote:

> I belong to a couple of mailing lists which are producing things like:
>
> SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short; error:04077068:rsa routines:RSA_verify:bad signature
> SSL error:04077068:rsa routines:RSA_verify:bad signature

"pkcs1 padding too short" generally means the public key matching the signature on the message is corrupted. This probably has nothing to do with the fact that it's coming from a mailing list.

> So i created a peerlist file with the CIDR in it and added it to dkim-filter.conf. The milter seems to ignore it.

Right, that's what the peerlist is for.

> I also created a TrustSignaturesFrom file with the domain name of the listserver in it. This didn't work either.

That just means you should trust signatures from specific domains (rather than ignoring them) if the domain of the signature doesn't match the domain of the From: header. Also probably not relevant to your case.

If you're interested in debugging the problem, have the person who sent the message which failed try sending you a message directly to see if that works.
Re: [dkim-milter-discuss] Any problems with 2.7.1?
There is indeed an issue, introduced by the OpenSSL threading code activated in 2.7.1. It appears only on Solaris (versions uncertain) because of a certain aspect of its threading implementation. A fix will be posted shortly, after I do a little more testing.
Re: [dkim-milter-discuss] Any problems with 2.7.1?
Attached is a patch that fixes the problem. The OpenSSL thread locking code added in 2.7.1, which OpenSSL requires in order to be thread-safe, contained a bug which leaked a small amount of memory (one int per thread) on all operating systems, and had the added bonus of provoking an infinite loop upon thread exit on Solaris because of an idiosyncracy in Sun's implementation of pthreads. The patch I sent out privately as a trial earlier today fixes the loop, but not the leak. The actual patch here is only two lines of additional code, but it's wrapped it in descriptive text which is why the patch is somewhat larger than that. I'll probably release a v2.7.2 in about a week which contains this fix. If you're not having any problems with 2.7.0, feel free to downgrade to it or remain there until the 2.7.2 announcement. On the other hand, if you were having problems with 2.7.0, the upgrade to 2.7.1 plus this patch is the way to go for now.Index: dkim-crypto.c === RCS file: /cvs/dkim-filter/dkim-crypto.c,v retrieving revision 1.2 retrieving revision 1.4 diff -u -r1.2 -r1.4 --- dkim-crypto.c 28 Aug 2008 06:41:31 - 1.2 +++ dkim-crypto.c 28 Aug 2008 21:51:31 - 1.4 @@ -2,11 +2,11 @@ ** Copyright (c) 2008 Sendmail, Inc. and its suppliers. ** All rights reserved. ** -** $Id: dkim-crypto.c,v 1.2 2008/08/28 06:41:31 msk Exp $ +** $Id: dkim-crypto.c,v 1.4 2008/08/28 21:51:31 msk Exp $ */ #ifndef lint -static char dkim_crypto_c_id[] = @(#)$Id: dkim-crypto.c,v 1.2 2008/08/28 06:41:31 msk Exp $; +static char dkim_crypto_c_id[] = @(#)$Id: dkim-crypto.c,v 1.4 2008/08/28 21:51:31 msk Exp $; #endif /* !lint */ /* system includes */ 
@@ -100,9 +100,27 @@ static void dkimf_crypto_free_id(void *ptr) { + /* + ** Trick dkim_crypto_get_id(); the thread-specific pointer has already + ** been cleared at this point, but dkimf_crypto_get_id() will be + ** called by libcrypto which will in then allocate a new thread + ** pointer if the thread-specific pointer isn't set. This means + ** a memory leak of thread IDs and, on Solaris, an infinite loop + ** because the destructor (indirectly) re-sets the thread-specific + ** pointer to something not NULL. See pthread_key_create(3). + */ + + assert(pthread_setspecific(id_key, ptr) == 0); + ERR_remove_state(0); if (ptr != NULL) free(ptr); + + /* + ** Now we can actually clear it for real. + */ + + assert(pthread_setspecific(id_key, NULL) == 0); } /* - This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100url=/___ dkim-milter-discuss mailing list dkim-milter-discuss@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
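Review bot: in the dkimf_crypto_free_id() hunk, both `assert(pthread_setspecific(id_key, ptr) == 0);` and `assert(pthread_setspecific(id_key, NULL) == 0);` put the real work inside assert(); a build with NDEBUG defined drops the whole expression, so the thread-specific pointer is neither restored before ERR_remove_state(0) nor cleared after it, which brings back exactly the leak and the Solaris loop the new comment describes. Suggest keeping the call unconditional and asserting on its result, e.g. `int status = pthread_setspecific(id_key, ptr); assert(status == 0);` for both sites. Minor: the comment's first line says dkim_crypto_get_id() while the next line and the code use dkimf_crypto_get_id(); worth making the name consistent.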
Re: [dkim-milter-discuss] dkim-milter 2.7.0 considers some DK signatures from yahoo invalid
On Wed, 27 Aug 2008, Mark Martinec wrote:

> Is this a know limitation of dkim-milter, or a bug?

A patch to libdk which addresses this problem has been posted to the dk-milter-discuss mailing list.
Re: [dkim-milter-discuss] dkim-milter 2.7.0 considers some DK signatures from yahoo invalid
On Wed, 27 Aug 2008, Mark Martinec wrote:

> Is this a know limitation of dkim-milter, or a bug?

It appears to be a bug in libdk, not in dkim-milter or libdkim.
Re: [dkim-milter-discuss] dkim-milter crushing / 2.7 / milter_protocol = 6
On Wed, 6 Aug 2008, Zbigniew Szalbot wrote:

> Many thanks - I started the milter manually and now I am waiting for the dump.

Also, be sure you compiled the filter with debugging enabled (i.e. the -g flag passed to your compiler) so that the coredumps are detailed. Instructions for doing that are in site.config.m4.dist near the top.
Re: [dkim-milter-discuss] dkim-milter crushing / 2.7 / milter_protocol = 6
On Thu, 7 Aug 2008, Mark Martinec wrote:

> I don't think it is worth the trouble. There are several things one needs to be aware of and check when setting up a core dump trap, a current working directory is just a minor detail.

The other possible use I can think of: by setting a base directory, other paths in the configuration file can be relative instead of absolute.
Re: [dkim-milter-discuss] DKIM Failing -- Looking for guidance
On Tue, 5 Aug 2008, Mark Martinec wrote:

> As some mailers (like the Microsoft SMTPSVC apparently) move a signature towards the end of a message header, it is prudent that DKIM verifiers search the entire header section for the listed header fields. The Mail::DKIM module does so, I'm not sure about the verifier at sendmail.net.

libdkim (and thus that verifier) is position-agnostic as well.
Re: [dkim-milter-discuss] Signing verification failures
On Mon, 4 Aug 2008, Alan Halachmi wrote:

> My question is simply: Is there yet a mechanism to get DKIM to work in this configuration? The DKIM signature consistently fails.

Since the signature is added based on what the filter sees via SMTP inbound, and the rewriting of the headers occurs outbound, you're guaranteed that any signature that gets added will be invalidated when the MTA rewrites the headers. The most common solutions are:

1) Inject the headers such that they don't need rewriting.

2) Run a second MTA which does the signing after your genericstable and masquerading are done. It's possible to do this on the same machine.

3) Try compiling the filter with and using _FFR_REPLACE_RULES, which provides the means to do string substitution before canonicalization in message headers. This code is experimental but was seen to work in unit tests. If you want to go this route, let me know and I can give you a quick rundown on how to use it.

-MSK
Re: [dkim-milter-discuss] Signing verification failures
On Mon, 4 Aug 2008, Alan Halachmi wrote:

> Looking through the conversation today with Jim Maloney, it would seem that the issue I describe below is fixable either with a second MTA or proper use of _FFR_REPLACE_RULES. I've compiled in the _FFR_REPLACE_RULES option, but I wasn't able to find documentation on how to invoke it.

FFRs (For Future Release features) are undocumented deliberately, because I don't want to provide something and then remove it later if it's decided that the feature was a bad idea.

When you compile with _FFR_REPLACE_RULES, you add a new configuration file option called ReplaceRules. This names a file which should contain entries of the form:

    regexp TAB string

(Blank lines are ignored, and the # character denotes the beginning of a comment which is also ignored.)

Then, anywhere there's text matching regexp in the value of any header field in the message, that text will be replaced by string. So if your file contains:

    host\.example\.com TAB example.com

...then this:

    From: [EMAIL PROTECTED]

...will be canonicalized as:

    From: [EMAIL PROTECTED]

You can have any number of lines in the ReplaceRules file you create. The rules are all applied in order to each header field as it arrives. That means more than one rule can match, so if your ReplaceRules file contains:

    X tab Y
    Y tab Z

...then all Xs will be changed to Ys, and then all Ys will be changed to Zs. However, in the opposite order, you'd get a different result. (Note that I've exaggerated the spaces in the lines for illustration reasons; the actual lines would look like:

    X	Y
    Y	Z

...and those are single tabs, not seven spaces, in between the two fields on each line.)

This is currently done in both signing and verifying mode, but I'm pretty sure I want to change it so it only applies in signing mode.

Let me know if you have any further questions.

-MSK
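The ReplaceRules semantics described in the reply above (one `regexp<TAB>string` pair per line, `#` comments, every rule applied in file order to each header field value) are small enough to model in a few lines. The following is an added illustration, not code from the thread or from dkim-milter: it parses a constructed rules file and shows the order dependence the reply mentions, where `X -> Y` followed by `Y -> Z` turns every X into Z, while the reverse order does not. It assumes Python `re` syntax for the regexp and a literal (no back-reference) replacement string; whether `#` starts a comment only at line start or anywhere on the line is an assumption too.

```python
import re
from typing import List, Tuple

# Constructed ReplaceRules file in the "regexp TAB string" form the reply describes.
RULES_TEXT = (
    "# map the internal host name to the signing domain\n"
    "host\\.example\\.com\texample.com\n"
    "\n"
    "# order matters: X becomes Y, then every Y (including new ones) becomes Z\n"
    "X\tY\n"
    "Y\tZ\n"
)

# Constructed header fields as the filter would see them on input.
HEADERS = [("From", "user@host.example.com"), ("Subject", "X marks Y")]


def parse_rules(text: str) -> List[Tuple[re.Pattern, str]]:
    """Parse ReplaceRules text into (compiled regexp, replacement) pairs, in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # assumption: '#' starts a comment anywhere on the line
        if not line.strip():
            continue                            # blank lines are ignored
        if "\t" not in line:
            raise ValueError(f"line {lineno}: expected 'regexp<TAB>string'")
        pattern, replacement = line.split("\t", 1)
        rules.append((re.compile(pattern), replacement))
    return rules


def apply_rules(rules, value: str) -> str:
    """Apply every rule, in order, to one header field value; all matches are replaced."""
    for pattern, replacement in rules:
        # A callable keeps the replacement literal (no backslash interpretation).
        value = pattern.sub(lambda m: replacement, value)
    return value


def rewrite_headers(rules, headers):
    """Rewrite each field's value; field names are left untouched."""
    return [(name, apply_rules(rules, value)) for name, value in headers]


def order_matters():
    """Same rules, same input, two orders: (file order, reversed order)."""
    rules = parse_rules(RULES_TEXT)
    forward = apply_rules(rules, "X marks Y")                 # -> "Z marks Z"
    backward = apply_rules(list(reversed(rules)), "X marks Y")  # -> "Y marks Z"
    return forward, backward


if __name__ == "__main__":
    for name, value in rewrite_headers(parse_rules(RULES_TEXT), HEADERS):
        print(f"{name}: {value}")
    print(order_matters())
```

Because the rules apply to the canonicalized text on both the signing and the verifying side (as the reply notes for this version), any rule you add changes what the signature covers; keep the file identical on every host that signs or verifies the same mail, or signatures will fail for reasons that look like transit modification.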
Re: [dkim-milter-discuss] Is dkim-milter-2.7.0 beta?
On Wed, 30 Jul 2008, Jim Hermann - UUN Hostmaster wrote:

> Is dkim-filter version 2.7.0 for beta testing or production?

It's a production release. The beta series ended late last week.
Re: [dkim-milter-discuss] Not signing
Jim Maloney wrote:

> I have set up DKIM-filter to work with sendmail and have obviously missed something because my mail is not being signed.
> [...]
> mail._domainkey.clubshop.com. IN TXT ( k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Kz+5d4CuaGKRJAKg6vmaBKFJhs6I60c70yIQOj3NwHi FIhlu0f/GJGGxSf21JY+VcHNjGcevXkSrpsnTeENF8CkcIyjduDhDsElkFprKTDqeIA50u9BCKkKla4cvzjET XRw+6Ijc7bqtKxxOmE2l29K21NwZ )

What's with all the *s?

> mail._domainkey. TXT XRw+6Ijc7bqtKxxOmE2l29K21Nw )
> DELETE UPDATE mail._domainkey. TXT ( k=rsa; t=y;
> DELETE UPDATE mail._domainkey. TXT p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Kz+5d4CuaGKRJAKg6vmaBKFJhs6I60c70yIQOj3NwHi

It looks like you've taken something that should be in one single TXT record and spread it across four TXT records. You need to merge them all into one record and reload your nameserver with the corrected data. The verifying agent will not do that for you as the protocol specifies that the reply should be all in one piece.

> Tests:
> sudo /usr/bin/dkim-testkey -d clubshop.com -k /var/db/dkim/mail.key.pem -s mail
> dkim-testkey: multiple DNS replies for `mail._domainkey.clubshop.com'

That confirms the error.

> /var/log/maillog after mailing to [EMAIL PROTECTED]
> Jul 29 11:14:12 outbound2 sendmail[5379]: m6TFEAij005379: from=j.maloney, size=44, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], [EMAIL PROTECTED]
> Jul 29 11:14:18 outbound2 sendmail[5380]: m6TFECvJ005380: from=[EMAIL PROTECTED], size=356, class=0, nrcpts=1, msgid=[EMAIL PROTECTED], proto=ESMTP, daemon=MTA, relay=outbound2.clubshop.com [127.0.0.1]
> Jul 29 11:14:28 outbound2 sendmail[5380]: m6TFECvJ005380: Milter (dkim-filter): timeout before data read, where=body

This is odd; it suggests your filter was either hung or crashed. Do you have any core dumps or other evidence that it died and restarted?
Re: [dkim-milter-discuss] Quick libdkim question
Erik Lotspeich wrote:

> I am wondering about dkim_getsiglist(). Can a message contain multiple valid signatures? How does this function differ from dkim_getsignature()? When should I use each one?

It depends on how much control you want over signature processing.

dkim_getsignature() is used late in the process (i.e. after end-of-message) to return the first signature that validated or, if none did, the first syntactically valid signature. This is useful for an application with very simple policies.

dkim_getsiglist() returns all signatures that were minimally syntactically valid, and this information is available much earlier in message processing (i.e. at end-of-headers). You can use the signature array you get back to inspect each one and mark specific ones to be ignored by the library. You can request the signature list late in the process too if you want to inspect all valid signatures to see which one(s) you want to report.

Yes, a message can contain multiple valid signatures, if for example two different agents (maybe the sender and his/her ISP) signed it. This is why dkim_getsiglist() was added to the API.

> I also have a question about dkim_sig_getbh(). The comments refer to a bh test state. What is the bh test state?

The bh tag on a signature is a cryptographic hash of the message body. The bh flag inside a signature handle is an indication of whether or not the body hash in the DKIM signature matched the message body the library was given.

This is an important step of DKIM verification. The actual cryptography in a DKIM signature only covers the headers and the signature itself (which in turn includes the body hash), meaning signature validation only proves the headers and signature were unchanged in transit. You have to take the extra step of checking that the body hash in the signature also matched the body you got, otherwise someone could send an altered body and you'd still approve it.
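The point about the bh= tag deserves a concrete demonstration, because it is the one check an application using libdkim can forget. The following is an added example, not code from the thread or from libdkim: it implements DKIM "simple" body canonicalization and the body hash, builds the hash input that b= protects (the h= fields followed by the DKIM-Signature field with its b= value emptied), and then verifies a constructed message twice, once as sent and once after a mailing-list style footer was appended. The RSA step is deliberately left out; the hex digest of the header hash input stands in for the b= value, which is the data a real signer would RSA-sign and a verifier would hand to RSA_verify(). All headers, the body and the domain/selector are constructed sample data.

```python
import base64
import hashlib
import re


def canon_body_simple(body: str) -> bytes:
    """'simple' body canonicalization: CRLF line endings, trailing empty lines
    removed, exactly one CRLF at the end; an empty body canonicalizes to CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b"\r\n"


def body_hash(body: str) -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()


def canon_headers_simple(headers, names):
    """'simple' header canonicalization: the listed fields verbatim, first occurrence of each."""
    out = []
    for name in names:
        for hname, hvalue in headers:
            if hname.lower() == name.lower():
                out.append(f"{hname}: {hvalue}\r\n")
                break
    return "".join(out)


def parse_tags(value: str) -> dict:
    """Split a DKIM tag list; whitespace inside values (folding) is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def header_digest(headers, sig_value: str) -> str:
    """Hash input protected by b=: the h= fields, then DKIM-Signature with b= emptied.
    A real signer RSA-signs this and a verifier checks it with RSA_verify(); here the
    hex digest itself stands in for the signature (constructed demo, no key material)."""
    tags = parse_tags(sig_value)
    sig_no_b = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    data = canon_headers_simple(headers, tags["h"].split(":")) + f"DKIM-Signature: {sig_no_b}"
    return hashlib.sha256(data.encode()).hexdigest()


def sign(headers, body, domain="example.com", selector="s1"):
    """Build a DKIM-Signature value with bh= over the body and the stand-in b= value."""
    sig = (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
           f"h=from:subject; bh={body_hash(body)}; b=")
    return sig + header_digest(headers, sig)


def verify(headers, body, sig_value):
    """Return both results separately: header_ok is what the signature proves,
    body_ok is the extra bh= comparison that dkim_sig_getbh() reports on."""
    tags = parse_tags(sig_value)
    return {
        "header_ok": header_digest(headers, sig_value) == tags["b"],
        "body_ok": tags["bh"] == body_hash(body),
    }


# Constructed sample message.
HEADERS = [("From", "alice@example.com"), ("Subject", "quarterly report")]
BODY = "Hello Bob,\n\nPlease find the numbers attached.\n"
FOOTER = "-- \nlist footer added in transit\n"
SIG = sign(HEADERS, BODY)

if __name__ == "__main__":
    print("as sent:      ", verify(HEADERS, BODY, SIG))
    print("footer added: ", verify(HEADERS, BODY + FOOTER, SIG))
```

In the second run the header side still checks out, because nothing the b= value covers changed; only the bh= comparison reveals the altered body. An application that stops at the signature result, without consulting the body-hash state, would accept that message.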
Re: [dkim-milter-discuss] MTA option issue
On Fri, 18 Jul 2008, Rickard Bondesson wrote:

> Yeah, that is correct. And also point out that a message, with a sender address from our domain, will be signed even if it is delivered from an external host.

That's covered in the OPERATION section of the dkim-filter(8) man page.
Re: [dkim-milter-discuss] MTA option issue
It sounds like simply changing the description of the default will suffice, i.e. change it from "There is no default" to "The default is to ignore the MTA name when making the signing decision." Is that correct?
[dkim-milter-discuss] dkim-milter-2.7.0 betas starting
The first beta release of 2.7.0 is now available via SourceForge for download and testing.

The usual request applies: Please restrict discussion of comments on or issues with the Beta to the dkim-milter-beta list. Don't use this list or the trackers on SourceForge.

I'm hoping to do the formal release in about a week's time.

The beta contains an update to the new SSP draft (now called ADSP, or Author Domain Signing Practises), fixes a DNS processing bug, and services two feature requests. If I get some diagnostic information about the crashing that was reported recently, I'll see about getting a patch included in the released version.

I have received a patch to add support for DNSSEC but it's a little too involved to include in this release. Look forward to that in a near future release.

Enjoy!

-MSK
Re: [dkim-milter-discuss] Different verification settings for different originating domains
This is precisely what ADSP (Author Domain Signing Practises) is for. It's a draft proposal adjunct to DKIM which permits a sending domain to announce via DNS a policy like "We sign all our mail, so anything unsigned should be considered suspicious."

The idea is: Upon receipt of mail from (to use your example) gmail.com and the processing of signatures (if any), an ADSP-aware verifier will also query that domain for an ADSP record which advertises what its signing practises are. If that domain advertises "We sign everything" and the mail was unsigned, you have reason to be suspicious. You can in fact go one step further and recommend to verifiers that unsigned mail, or mail whose signatures fail to verify, should be rejected or discarded.

This is basically a general way to do what Google and Yahoo! have done with eBay and PayPal; anyone will be able to tell a verifier that unsigned mail from them shouldn't be trusted.

The spec has been changing. It was originally called SSP, then ASP, and is now called ADSP. dkim-milter has been keeping in step with it as it evolves. Version 2.6.0 queries for an ASP record. The ADSP version of the draft just came out last week, so there's no update available yet to use the new name but one will be out soon.

Unfortunately none of those four domains (again, only as examples) currently advertise an ADSP record. Thus we'd have to hack in the ability to do ADSP for domains you know sign their mail with DKIM even though the published system doesn't show such. And this is a reasonable feature request, so feel free to make that request through the trackers and I'll see if I can get it added to the pending release or the one after it.

Good question! The text of the ASP draft is included in your dkim-milter-2.6.0 tarball as draft-ietf-dkim-ssp-03. The -04 draft includes the rename to ADSP and a slightly different algorithm. It will be included in the tarball of the next release, or you can find it under the Internet-Drafts area of http://www.ietf.org.

-MSK
Re: [dkim-milter-discuss] dkim stats and bounce messages
On Tue, 15 Jul 2008, Ben Lentz wrote:

> The From: header contains the sending domain's postmaster address, but I believe the SMTP MAIL FROM: contains only.

The envelope information isn't used for DKIM, so only the From: header is really of interest. What's the whole Authentication-Results: header of one of those bounces?
Re: [dkim-milter-discuss] dkim-filter dies periodically
On Fri, 11 Jul 2008, [EMAIL PROTECTED] wrote:

> I just upgraded one of our MXs, and now I'm having a problem where dkim-filter periodically dies. Doesn't dump core, doesn't log SEGV, nothing. SM suggested compiling with -g and running the filter that way, hopefully producing a coredump.

Remember that these days you need to satisfy certain system requirements to get coredumps:

- process has to have write permission to its current working directory
- process has to have no coredump size limit imposed (set this with the shell)
- process must not have changed its userid (i.e. don't use -u on the command line or UserID in the configuration file), OR you must have configured your system to dump cores anyway

You can also capture the message which caused it to die by running your sendmail MTA with the flag -d71.100. When the filter crashes, any message(s) in progress will be quarantined and you can get them out of the queue manually. If the message doesn't reveal anything sensitive, you can (at your discretion of course) submit it as data about the problem.
Re: [dkim-milter-discuss] dkim-filter dies periodically
On Fri, 11 Jul 2008, [EMAIL PROTECTED] wrote:

> Jul 9 15:18:40 flotsam dkim-filter[1158]: m69JIeCZ003524: syntax error: required header from not found

Although it doesn't cause my filter to crash, I can produce this error by trying to send a message through which has a Sender: header but no From: header. The DKIM specification requires a From: header.
Re: [dkim-milter-discuss] SSL Error
On Wed, 9 Jul 2008, Rickard Bondesson wrote:

> This time I did not need to restart Bind. Just waited like 20 minutes and then restarted dkim-filter. The problem remained during these 20 minutes. Is there some cache in dkim-filter that would keep bad data and ruin future validations?

If you compiled with QUERY_CACHE, it will maintain old keys in an internal cache for up to the TTL of the record it retrieved. Without that it re-queries the key from DNS each time, relying on the nameserver's cache instead. Other than that, all data are discarded between verify operations.

> I have activated the Syslog option, but is there a way to have dkim log more events?

Not at present. What additional data would you like to see?
Re: [dkim-milter-discuss] DKIM restarting
If the filter is terminating with signal 11, it should be dumping a core (or should be able to). If you're not finding a core, then the process either:

a) has a current working directory to which it has no write permissions;
b) was started with a coredump size limit of 0;
c) changed userid, perhaps using -u on the command line or UserID in the configuration file

If you can solve those, you can get a core. Then if your binary was compiled with -g, you can get a stack trace using your debugger and thus some useful hints about what went wrong.
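The three prerequisites listed in this reply and in the "dkim-filter dies periodically" reply above are easy to get wrong one at a time, so here is an added checker (not code from the thread or from dkim-milter) that evaluates them for a process. The working-directory and core-size checks are portable; the "changed userid" condition is read, on Linux only, through prctl(PR_GET_DUMPABLE), which the kernel clears when a process switches credentials the way a filter started as root and configured with UserID does. The `assess()` function takes its inputs as parameters so it can be exercised with known values; `check_current_process()` gathers the live values. Directory names in the demo are constructed temporary paths.

```python
import ctypes
import os
import resource
import sys
import tempfile

PR_GET_DUMPABLE = 3  # prctl(2) option number on Linux; returns the dumpable flag


def probe_dumpable():
    """Linux only: return the calling process's dumpable flag (0 = no core will be
    written, 1 = dumpable, 2 = root-only dump via fs.suid_dumpable); None elsewhere."""
    if not sys.platform.startswith("linux"):
        return None
    try:
        libc = ctypes.CDLL(None, use_errno=True)
        rc = libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)
    except (OSError, AttributeError):
        return None
    return None if rc < 0 else rc


def assess(cwd, core_soft_limit, dumpable):
    """Pure check of the reply's three conditions; returns a list of problems (empty = ok).
    core_soft_limit is the RLIMIT_CORE soft limit (RLIM_INFINITY or a byte count);
    dumpable is the prctl flag, or None when it could not be read."""
    problems = []
    if not (os.path.isdir(cwd) and os.access(cwd, os.W_OK)):
        problems.append(f"no write permission to working directory {cwd}")
    if core_soft_limit == 0:
        problems.append("core file size limit is 0; raise it in the shell that starts the filter (ulimit -c unlimited)")
    if dumpable == 0:
        problems.append("process is not dumpable (credentials changed after start; see fs.suid_dumpable on Linux)")
    return problems


def check_current_process():
    """Evaluate the conditions for the running interpreter (run it as the filter's user, in its cwd)."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_CORE)
    return assess(os.getcwd(), soft, probe_dumpable())


def demo():
    """Known-good and known-bad inputs: (problems for a writable dir with no limits,
    problems for a missing dir with a zero limit and a cleared dumpable flag)."""
    good = tempfile.mkdtemp()
    try:
        ok = assess(good, resource.RLIM_INFINITY, 1)
        bad = assess(os.path.join(good, "missing"), 0, 0)
    finally:
        os.rmdir(good)
    return ok, bad


if __name__ == "__main__":
    for problem in check_current_process() or ["ready to dump core"]:
        print(problem)
```

Run it the way the filter is started (same user, same directory, same shell limits) rather than from an interactive root shell, since every one of the three conditions is inherited from the environment that launches the process.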
Re: [dkim-milter-discuss] SSL Error
On Tue, 8 Jul 2008, Rickard Bondesson wrote:

> I am testing a patch to DKIM Milter 2.5.0 that will give support for DNSSEC. The problem is that I am getting an SSL Error now and then.
> Jul 8 09:57:45 mask dkim-filter[31900]: m687vaAr002778 SSL error:04077068:rsa routines:RSA_verify:bad signature; error:04077068:rsa routines:RSA_verify:bad signature
> Jul 8 09:57:45 mask dkim-filter[31900]: m687vaAr002778: key retrieval failed

The first line is simply a dump of the error stack from libcrypto. It means a signature verification was attempted (using the RSA_verify() function) but that failed, i.e. the data being verified and the signature didn't match. That's all the information you get.

"key retrieval failed" maps to the DKIM_STAT_KEYFAIL error code, which is reported when the attempt to retrieve a key from DNS either timed out or returned some kind of error. If you're running with a DNSSEC patch, perhaps the key being returned wasn't signed? (I can only guess without seeing the patch.)
Re: [dkim-milter-discuss] dkim-filter fails to process mail
On Tue, 8 Jul 2008, Ron Echeverri wrote:

> No messages about fulfilling action requirements, and the only warning i get is the same i had in my original message:
> Jul 3 15:47:45 plum postfix/smtpd[3655]: warning: milter inet:localhost:8891: can't read SMFIC_DATA reply packet header: Success

Try setting MilterDebug to 9 and restarting the filter, then running it until the error occurs. There is in fact a way that the premature EOF can occur deliberately inside libmilter, but only if there's a protocol error between the MTA and the filter. With MilterDebug set high enough, such an error should be logged. If that doesn't report anything interesting, we're back to tracking down an I/O error of some kind.
Re: [dkim-milter-discuss] dkim-filter fails to process mail
On Tue, 8 Jul 2008, Murray S. Kucherawy wrote:

> Try setting MilterDebug to 9 and restarting the filter, then running it until the error occurs.

For this to work, you'll need to disable AutoRestart if you have it enabled (remove -A from the command line and/or set AutoRestart false in the configuration file) and run the filter in foreground mode (i.e. add -f to the command line and/or Background false in the configuration file) since libmilter's logging writes to standard output by default.
Re: [dkim-milter-discuss] can't read SMFIC_BODYEOB reply packet header (cont'd)
The only thing I can think of asking for now is a truss/strace/ktrace of the process around the time of the error to see if we can spot the errant close() call. Unfortunately if it can take hours or days or weeks for the problem to appear, such a log could be enormous.

...but if you have a way to get one, it might prove valuable.
Re: [dkim-milter-discuss] dkim-filter fails to process mail
On Tue, 8 Jul 2008, Ron Echeverri wrote:

> I guess that the trick is figuring out what the actual minimum libmilter version for postfix would be. I suppose that just saying 8.14.0 or later would do the trick.

But it might be possible to tell postfix that it's going to be talking to an older version of libmilter. I seem to recall a configuration option to that effect.

Let me know what they say.
Re: [dkim-milter-discuss] dkim + mailman + postfix - dkim=fail.
On Mon, 23 Jun 2008, David Gibbs wrote:

> Sounds like you don't have Mailman configured to remove the existing dkim headers. The DKIM headers are being left intact, so anyone trying to validate the signature will detect a failure because the message is being modified by Mailman. Investigate the REMOVE_DKIM_HEADERS setting in Mailman ... that's probably what you need.

This is hopefully a temporary solution. What really should happen is that Mailman (or any MLM) or the MTA after it should be re-signing the message as it's being remailed.
Re: [dkim-milter-discuss] dkim + mailman + postfix - dkim=fail.
On Mon, 23 Jun 2008, bob 001 wrote:

> Yahoo header message says, domainkeys=fail (bad syntax) to such emails coming from outside domain.

Note that domainkeys and DKIM aren't the same. The thing you're looking at refers to an older specification that Yahoo! invented but is being superseded by DKIM, which is a newer specification. Yahoo! is in the process of converting.
Re: [dkim-milter-discuss] dkim + mailman + postfix - dkim=fail.
On Fri, 4 Jul 2008, David Gibbs wrote:

> If I disable DK, it says domainkeys=neutral (no sig)
> Have you added the Mailman option to remove dkim headers?

Again, domainkeys != dkim.
Re: [dkim-milter-discuss] ASP query: missing parameter(s) in policy data
On Sat, 21 Jun 2008, Russell Bell wrote:

> dkim-filter returns this error to the log. After a few instances of getting the same error it quits. I can restart by hand and it runs without problem.

It shouldn't quit just from that. Mine has been running since June 11th and has logged that message three times today alone. Do you have a coredump or other forensics that might explain what happened?

> What does this error mean?

It means the filter did a DKIM ASP query looking for sender policy for some domain, but the record it got back was missing required value(s). This can be caused by a malformed ASP advertisement by a sending domain, but is more likely caused by a domain with a wildcard TXT record, usually advertising an SPF policy (which doesn't match ASP syntax).

> The first time I sent this message it didn't go through.

One of mine was dropped earlier today as well. I think SourceForge is having difficulty.
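Three threads above turn on how a verifier interprets the TXT records it gets back: the "Not signing" thread (a key spread over several TXT records, reported by dkim-testkey as "multiple DNS replies"), the ADSP explanation (query the author domain's practice and combine it with the signature result), and this one (a wildcard SPF record answering the policy query and producing "missing parameter(s) in policy data"). The following is an added example, not code from the thread or from dkim-milter: one tag-list parser, a key-record check that mirrors those failure modes, and a policy evaluation that uses the ADSP practice values (unknown, all, discardable) and result names (none, pass, unknown, fail, discard, permerror) of RFC 5617, which is the finished form of the draft the thread discusses. DNS replies are passed in as lists of strings so it runs offline; the sample records and the p= key material are constructed placeholders.

```python
import re


def parse_taglist(txt: str) -> dict:
    """Parse a DKIM tag=value list such as 'k=rsa; t=y; p=...'; whitespace in values is folded out."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def check_key_record(answers):
    """answers: the TXT records returned for <selector>._domainkey.<domain>, one string each
    (a resolver concatenates the character-strings *within* a record; several records stay separate).
    Returns a dict with status 'ok', 'revoked' or 'keyfail' (the DKIM_STAT_KEYFAIL case)."""
    if len(answers) == 0:
        return {"status": "keyfail", "reason": "no TXT record found"}
    if len(answers) > 1:
        return {"status": "keyfail",
                "reason": f"multiple DNS replies ({len(answers)}); the key must be a single TXT record"}
    tags = parse_taglist(answers[0])
    if "p" not in tags:
        return {"status": "keyfail", "reason": "no p= tag in key record"}
    if tags["p"] == "":
        return {"status": "revoked", "reason": "empty p= tag: the key has been revoked"}
    return {"status": "ok",
            "key_type": tags.get("k", "rsa"),
            "testing": "y" in tags.get("t", "").split(":")}   # t=y: domain is testing, don't punish failures


def adsp_outcome(policy_txt, author_domain_signed: bool) -> str:
    """Combine the _adsp/_asp._domainkey record with whether a valid author-domain
    signature was found, following the logic described in the ADSP reply."""
    if author_domain_signed:
        return "pass"                       # signed by the From: domain; practice is irrelevant
    if policy_txt is None:
        return "none"                       # domain publishes no practice
    tags = parse_taglist(policy_txt)
    if "dkim" not in tags:
        return "permerror"                  # e.g. a wildcard 'v=spf1 ...' TXT answered the query:
                                            # the filter's "missing parameter(s) in policy data"
    practice = tags["dkim"]
    if practice == "all":
        return "fail"                       # "we sign everything" but this was unsigned: suspicious
    if practice == "discardable":
        return "discard"                    # domain asks that unsigned mail be discarded
    return "unknown"                        # 'unknown', or an unrecognized value (assumption: treat as unknown)


# Constructed DNS answers (the key bytes are a placeholder, not a real key).
KEY_SINGLE = ["v=DKIM1; k=rsa; t=y; p=MIGfPLACEHOLDERKEYMATERIAL"]
KEY_SPLIT = ["k=rsa; t=y;", "p=MIGfPLACEHOLDERKEYMATERIAL"]   # same data spread over two records
KEY_REVOKED = ["v=DKIM1; k=rsa; p="]
ADSP_ALL = "dkim=all"
WILDCARD_SPF = "v=spf1 mx -all"                                  # what a *.example wildcard TXT returns

if __name__ == "__main__":
    print(check_key_record(KEY_SINGLE))
    print(check_key_record(KEY_SPLIT))
    print(check_key_record(KEY_REVOKED))
    for record, signed in ((ADSP_ALL, False), (ADSP_ALL, True), (WILDCARD_SPF, False), (None, False)):
        print(repr(record), signed, "->", adsp_outcome(record, signed))
```

The permerror case is the interesting one for a verifier: a wildcard TXT record means every query under the domain gets an answer, so the absence of a dkim= tag has to be treated as "no usable policy", never as "policy says all" or as a transient error to retry.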
Re: [dkim-milter-discuss] dkimproxy + mailman + postfix (dkim=fail)
On Sat, 21 Jun 2008, bob 001 wrote:

> 1. Email addresses on the same server where postfix, mailman, dkimproxy lives.
> 2. Email addresses on gmail/yahoo etc.

dkimproxy isn't supported on this list. This list is for users of the dkim-milter package. Please go to http://dkimproxy.sourceforge.net/ for assistance.
Re: [dkim-milter-discuss] (S|A|AD)SP
On Tue, 17 Jun 2008, Ben Lentz wrote:

> Do I have all my facts straight, and what is the current recommendation for publishing a signing policy?

You've got it right. I've been following the ietf-dkim list and attending the related conferences, so we're current on what's going on and what's to be expected. I simply haven't updated the software because a newer draft has yet to be posted. Indeed, when ADSP posts, I have this code plus three Internet Drafts to update.

So given that's our posture, the currently correct practise is to post a policy at _asp._domainkey.(domain) according to the -03 draft. I'd bet we're likely to see the -04 draft before the next IETF conference which is at the end of July, but I've been wrong before.
Re: [dkim-milter-discuss] (S|A|AD)SP
On Tue, 17 Jun 2008, Ben Lentz wrote:

> Without a testing flag available in the ASP policy record, what can a signing system do to help ensure that a recipient will do something benign should the signature fail for some reason? Is the concept of a testing flag being completely obsoleted?

The test flag still exists in key records. It's just been removed from policy.
Re: [dkim-milter-discuss] why does dkim-filter make a log entry for some messages but not others?
On Sun, 15 Jun 2008, Russell Bell wrote:

> dkim-filter writes 'X-DKIM: Sendmail DKIM Filter v2.5.5 ...' to the header of every message we receive but makes no entry in the log for the vast majority of them. For some it records 'no signature data'. Those messages have no signature data but many more without signature data result in no entry in the logs. I turn on logging for all events in dkim-filter's configuration.

If you've asked for X-Header service, it will add that header to all messages it sees (except those excluded by -a/PeerFile) as a rubber stamp that the message was processed by the filter.

The 'no signature data' is logged if the DKIM library reports the message was unsigned. If the filter never got that far, instead, for example, deciding the message can't be processed because it was malformed in some way (e.g. missing required headers), then it never gets far enough in the code to make that decision, and it doesn't get logged.

If you can give me an example of a message which causes the logging and one which doesn't, I can be more precise.
Re: [dkim-milter-discuss] messages being logged as mail, not local2
On Sun, 15 Jun 2008, Russell Bell wrote:

> I specify a SyslogFacility local2 in order to separate dkim-filter's log entries. Some messages go to local2, others to mail. Why?

Anything that gets logged by the filter before openlog() is called (which happens late in the filter startup process) goes to the default facility which is probably daemon. Everything else should go to the requested facility.

Calls to syslog() don't let the code specify which facility to use. You specify that once, with openlog(). If your syslog daemon is writing some things in the wrong place, it's a bug in your C library or in the daemon since the filter itself doesn't make that request explicitly.