Re: [dkim-milter-discuss] error on DKIM one inbound domain

2012-02-17 Thread Murray S. Kucherawy
dkim-milter support has been discontinued.  You should instead switch to 
OpenDKIM, http://www.opendkim.org.

That said, the error means you're getting mail from someone that's signed by a 
key that can't be found in the DNS.  The error is legitimate, and there's not 
much you can do about it other than ignore it or filter mail from that source.

-MSK

From: Admin [mailto:h...@pchelpdock.com]
Sent: Friday, February 17, 2012 10:09 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] error on DKIM one inbound domain

Hello. can someone help me get this error and continuing server errors with 
DKIM?

The problem is that I am getting this in my OSSEC logs by the thousands from 
this ONE domain. Postfix, mailman. I have no other problems with DKIM ever, but 
for the last few weeks with this error.


Received From: www-/var/log/maillog
Rule: 1002 fired (level 2) - Unknown problem somewhere in the system.
Portion of the log(s):
Feb 16 20:42:47 www dkim-filter[1305]: 560704ACD3D: key retrieval failed (s=k1, 
d=monobestoffers.info): res_query(): 
`k1._domainkey.monobestoffers.info' 
Unknown host


It would not bother me, except I have blocked the IP from the firewall and 
continue to receive the errors and am worried about the load on the mail system 
and server.

How can I stop it and what is going on, any help would be appreciated.

Thanks,
--
dkim-milter-discuss mailing list
dkim-milter-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss


Re: [dkim-milter-discuss] sendmail non-smtpd possible?

2011-08-08 Thread Murray S. Kucherawy
(Since you installed OpenDKIM instead, I'll Cc: that list and we should move 
this discussion over there.)

There are rewrite rules in the sendmail configuration that change the From: 
field (features called masquerade and genericstable).  That's why it 
appears to be delivered with the From: field you expect.  The problem is that 
those changes are made only after the filter has seen them, which is why you 
have to tell opendkim to sign for localhost.localdomain because that's what 
the filter sees.

In fact, you might want to check that the signatures are being validated, 
because they probably are failing since the data are essentially being changed 
in transit.

You will probably need either the replace rules feature to deal with this, or 
you'll need to arrange that your mail is generated with the final domain name 
in there and not localhost.localdomain to get it verifying properly.

From: Willem Kossen [mailto:w.kos...@gmail.com]
Sent: Monday, August 08, 2011 5:16 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] sendmail non-smtpd possible?

Ah, I think I figured it out...
what happens in many cases is that mail originates from 
user@localhost.localdomain. I didn't tell opendkim to sign mail from that 
domain. Still the mail ends up as @wkossen.nl in the 
recipient's mailbox, but sendmail didn't know that at the time the mail was 
delivered to it. During input, it was localhost.localdomain. Therefore no 
signing. Now I told opendkim in the config file that the domain 
localhost.localdomain should be signed and it worked.

And squirrelmail delivered mail as user@localhost (no localdomain). I added that 
domain too. This is far from ideal, a bit of a hack, but I guess it works.

thanks for the help
On Sat, Aug 6, 2011 at 9:27 AM, Murray S. Kucherawy <m...@cloudmark.com> wrote:
First, as Rolf said, you should switch to opendkim.  This package has been 
unmaintained for over two years.

I just tried it with sendmail 8.14.4 and opendkim 2.4.2 (just released!), and 
it signed a message I sent using the sendmail shell interface rather than SMTP. 
 Since that means sendmail does provide milter service to mail that's piped in, 
you should be able to get dkim-milter to do it too unless there was a bug in it 
in this regard.

You can always use LogWhy to track down why your mail isn't being signed.  It 
might have something to do with a domain name mismatch in the mail you're 
feeding.

Good luck,
-MSK

From: Willem Kossen [mailto:w.kos...@gmail.com]
Sent: Friday, August 05, 2011 5:57 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] sendmail non-smtpd possible?

Hi there,

I have successfully implemented dkim signing in my mailserver, but it only works 
when mail is delivered to it via smtp. A lot of mail however comes in via 
sendmail executable for instance because of websites, webmail or applications 
sending out notices. I want that mail to be signed as well. Is it possible at 
all (like in postfix non-smtpd filters) or in any other way? in fact, i would 
like all outgoing mail to be signed.

Thanks

--

Willem Kossen




--

Willem Kossen
w.kos...@gmail.com


Re: [dkim-milter-discuss] sendmail non-smtpd possible?

2011-08-06 Thread Murray S. Kucherawy
First, as Rolf said, you should switch to opendkim.  This package has been 
unmaintained for over two years.

I just tried it with sendmail 8.14.4 and opendkim 2.4.2 (just released!), and 
it signed a message I sent using the sendmail shell interface rather than SMTP. 
 Since that means sendmail does provide milter service to mail that's piped in, 
you should be able to get dkim-milter to do it too unless there was a bug in it 
in this regard.

You can always use LogWhy to track down why your mail isn't being signed.  It 
might have something to do with a domain name mismatch in the mail you're 
feeding.

Good luck,
-MSK

From: Willem Kossen [mailto:w.kos...@gmail.com]
Sent: Friday, August 05, 2011 5:57 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] sendmail non-smtpd possible?

Hi there,

I have successfully implemented dkim signing in my mailserver, but it only works 
when mail is delivered to it via smtp. A lot of mail however comes in via 
sendmail executable for instance because of websites, webmail or applications 
sending out notices. I want that mail to be signed as well. Is it possible at 
all (like in postfix non-smtpd filters) or in any other way? in fact, i would 
like all outgoing mail to be signed.

Thanks

--

Willem Kossen


Re: [dkim-milter-discuss] RSA_verify: bad signature

2010-07-07 Thread Murray S. Kucherawy
 -Original Message-
 From: Robert Schetterer [mailto:rob...@schetterer.org]
 Sent: Wednesday, July 07, 2010 2:23 AM
 To: dkim-milter-discuss@lists.sourceforge.net
 Subject: Re: [dkim-milter-discuss] RSA_verify: bad signature
 
 On 30.04.2010 18:25, Simon Bell wrote:
  Hi, I am running postfix with dkim-milter. I sign out-going mail and
  verify incoming. When my mail server receives from google or yahoo,
  all seems to be fine, I get:
  --
  dkim-filter: DKIM verification successful
  --
  But mail from 'bluebottle' email gives me this error:
  --
  dkim-filter: DKIM verification successful
  dkim-filter: s=fe0 d=bluebottle[dot]com SSL error:04077068:rsa
  routines:RSA_verify:bad signature
  --
 
  Could someone help me understand what the error means and if it is
  something wrong with my server?
 
 got the same now for i.e xing.com under ubuntu lucid
 v2.8.3 running in only verify mode
 someone any ideas  ?

No idea about xing.com, but Bluebottle definitely had a bug in its signing code 
that would give false negatives if the message went to two recipients.  Perhaps 
xing.com is having a similar issue.



Re: [dkim-milter-discuss] dkim-milter protocol documentation

2010-04-22 Thread Murray S. Kucherawy
It looks like that milter-protocol.txt document is slightly out of date, but it 
is otherwise pretty accurate.

The only other documentation I know of is the source code itself.  You'd have 
to trace it back into libmilter/mfdef.h to find out what each represents (they 
appear to be skip and insheader), and then for the format of the associated 
messages, check sendmail/milter.c to see how the MTA will decode them.

(I remember adding insheader myself when I still worked there, and skip 
came sometime later.)

From: Elanchezhiyan Elango [mailto:elanela...@gmail.com]
Sent: Thursday, April 22, 2010 2:41 AM
To: dkim-milter general discussion
Subject: Re: [dkim-milter-discuss] dkim-milter protocol documentation

Hi Murray,

Thanks for the response. I did do a google search before posting. Most of the 
resources were about the libmilter package and developing milters using the 
milter API. I was interested in the actual communication between the MTA and a 
milter. Only related page I could find was,
http://cpansearch.perl.org/src/AVAR/Sendmail-PMilter-0.98/doc/milter-protocol.txt
However, as I mentioned earlier, the response commands such as 's', 'i' are not 
documented in this page.

The wikipedia page (http://en.wikipedia.org/wiki/Milter) does mention that 
documentation of the protocol used for communication between sendmail and 
milter processes is not provided. This internal protocol is subject to changes 
in new sendmail versions. Probably the responses I am receiving are introduced 
in later sendmail versions.

Any other relevant documentation you are aware of will be helpful.

Thanks,
Elan.


On Wed, Apr 21, 2010 at 9:16 PM, Murray S. Kucherawy <m...@cloudmark.com> wrote:
A Google search for milter protocol produced some highly useful results.

You might also look at the miltertest tool in the OpenDKIM package.  It 
provides a scripting interface to do what you're after.

From: Elanchezhiyan Elango [elanela...@gmail.com]
Sent: Wednesday, April 21, 2010 5:57 PM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: [dkim-milter-discuss] dkim-milter protocol documentation

Hi,

I am trying to write a script that would directly communicate to the 
dkim-filter process through its socket using the milter protocol. My script 
would essentially act like sendmail. In the process I am finding some responses 
whose meaning I am not aware of. For example I get responses with command 's', 
'i' which don't seem to be documented as a part of milter protocol. Is there a 
place where I can find the meaning of these response commands from dkim-milter?

Thanks,
Elan.
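An added example, not part of the original thread or of dkim-milter: a small decoder for the reply frames a milter sends back to the MTA, covering the 's' (skip) and 'i' (insheader) codes discussed above. The frame layout (4-byte big-endian length, one command byte, payload) and the insheader payload (4-byte index, then NUL-terminated name and value) are stated here as I understand them from libmilter/mfdef.h and sendmail/milter.c, so check them against your sendmail version; MAX_FRAME and the sample stream are constructed for illustration.

```python
import struct

# Reply codes as named SMFIR_* in libmilter/mfdef.h. The thread identifies
# 's' as skip and 'i' as insheader; the others are listed for context.
SMFIR_NAMES = {
    b"+": "addrcpt", b"-": "delrcpt", b"a": "accept", b"b": "replbody",
    b"c": "continue", b"d": "discard", b"h": "addheader", b"i": "insheader",
    b"m": "chgheader", b"p": "progress", b"q": "quarantine", b"r": "reject",
    b"s": "skip", b"t": "tempfail", b"y": "replycode",
}

MAX_FRAME = 1 << 20  # hypothetical bound: refuse absurd length fields


class MilterFramingError(ValueError):
    """The byte stream does not look like well-formed milter frames."""


def frame(cmd, payload=b""):
    """Build one frame; the length field counts the command byte + payload."""
    return struct.pack("!I", len(payload) + 1) + cmd + payload


def split_frames(buf):
    """Return ([(cmd, payload), ...], leftover_bytes) for a receive buffer."""
    frames, pos = [], 0
    while len(buf) - pos >= 4:
        (length,) = struct.unpack_from("!I", buf, pos)
        if length == 0 or length > MAX_FRAME:
            raise MilterFramingError(f"implausible frame length {length}")
        if len(buf) - pos - 4 < length:
            break  # partial frame: keep it until more bytes arrive
        body = buf[pos + 4:pos + 4 + length]
        frames.append((body[:1], body[1:]))
        pos += 4 + length
    return frames, buf[pos:]


def nul_strings(data, count):
    """Split exactly `count` NUL-terminated strings out of `data`."""
    parts = data.split(b"\0")
    if len(parts) != count + 1 or parts[-1] != b"":
        raise MilterFramingError(f"expected {count} NUL-terminated strings")
    return [p.decode("utf-8", "replace") for p in parts[:count]]


def decode_reply(cmd, payload):
    """Turn one (cmd, payload) pair into a dict a script can act on."""
    reply = {"code": cmd.decode("latin-1"),
             "name": SMFIR_NAMES.get(cmd, "unknown")}
    if reply["name"] in ("insheader", "chgheader"):
        if len(payload) < 4:
            raise MilterFramingError("header reply too short for an index")
        (reply["index"],) = struct.unpack_from("!I", payload)
        reply["field"], reply["value"] = nul_strings(payload[4:], 2)
    elif reply["name"] == "addheader":
        reply["field"], reply["value"] = nul_strings(payload, 2)
    return reply


def decode_stream(buf):
    """Decode every complete frame in `buf`; return (replies, leftover)."""
    frames, leftover = split_frames(buf)
    return [decode_reply(c, p) for c, p in frames], leftover


def constructed_stream():
    """Constructed sample: insheader, skip, continue, then 2 stray bytes."""
    ins = (struct.pack("!I", 1) + b"DKIM-Signature\0"
           + b"v=1; a=rsa-sha256; d=example.com\0")
    return frame(b"i", ins) + frame(b"s") + frame(b"c") + b"\x00\x00"


if __name__ == "__main__":
    replies, rest = decode_stream(constructed_stream())
    for r in replies:
        print(r)
    print("bytes held back for the next read:", rest)
```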


Re: [dkim-milter-discuss] help me debug why my signature is breaking

2010-02-02 Thread Murray S. Kucherawy
 -Original Message-
 From: Mark Martinec [mailto:mark.marti...@ijs.si]
 Sent: Tuesday, February 02, 2010 8:04 AM
 To: dkim-milter-discuss@lists.sourceforge.net
 Subject: Re: [dkim-milter-discuss] help me debug why my signature is
 breaking
 
 On Tuesday 02 February 2010 06:05:33 ram wrote:
  The full mail (sent to gmail ) is  available here
  http://ecm.netcore.co.in/tmp/mail2.txt
 
 If your message violates rfc5322 (ex 2822), mailer may break its
 promises too. Garbage-in, garbage-out.

I also noticed that your From: and To: header fields didn't have a space before 
the  character.  Some MTAs might insert one for you, and that would break 
the signature.



Re: [dkim-milter-discuss] problems with length of headers

2010-01-21 Thread Murray S. Kucherawy
 -Original Message-
 From: Sven-Thorsten Fahrbach [mailto:jo...@alice-dsl.de]
 Sent: Thursday, January 21, 2010 12:14 AM
 To: dkim-milter general discussion
 Subject: Re: [dkim-milter-discuss] problems with length of headers
 
 I now have my parser add the missing quotes and the signatures are once
 again accepted. :-)

Just to be clear, the RFCs require a comment that contains punctuation to be 
quoted, so you were sending malformed header fields and a downstream MTA was 
adding them for you to make the message compliant.

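An added example, not from the original posts: the two header canonicalizations defined for DKIM (RFC 6376 section 3.4, selected by the signature's c= tag), applied to the two kinds of downstream rewrite described in this thread and in the "help me debug why my signature is breaking" thread above. It shows that a space inserted after the colon is tolerated only by "relaxed", while added quotes break both. All addresses and header lines are constructed samples.

```python
import re

_WSP_RUN = re.compile(r"[ \t]+")
_FOLD = re.compile(r"\r?\n(?=[ \t])")


def canon_simple(field):
    """'simple' header canonicalization: the field is hashed unchanged."""
    return field


def canon_relaxed(field):
    """'relaxed' header canonicalization per RFC 6376 section 3.4.2."""
    name, sep, value = field.partition(":")
    if not sep:
        raise ValueError("not a header field: %r" % field)
    value = value.rstrip("\r\n")           # drop the terminating CRLF
    value = _FOLD.sub("", value)           # unfold continuation lines
    value = _WSP_RUN.sub(" ", value)       # collapse runs of SP/HTAB
    value = value.strip(" ")               # no WSP after ':' or at the end
    return name.strip(" \t").lower() + ":" + value + "\r\n"


def header_algorithm(c_tag):
    """Header algorithm named by a c= value such as 'relaxed/simple'.

    With no c= tag the default is simple/simple.
    """
    algo = (c_tag or "simple").split("/")[0].strip().lower()
    if algo not in ("simple", "relaxed"):
        raise ValueError("unknown canonicalization: %r" % c_tag)
    return algo


def diagnose(pairs):
    """Compare each (as_signed, as_received) field pair.

    Returns [(field_name, verdict)] where verdict is 'intact',
    'relaxed-only' (whitespace-level change) or 'broken'.
    """
    verdicts = []
    for signed, received in pairs:
        name = signed.partition(":")[0].strip().lower()
        if canon_simple(signed) == canon_simple(received):
            verdict = "intact"
        elif canon_relaxed(signed) == canon_relaxed(received):
            verdict = "relaxed-only"
        else:
            verdict = "broken"
        verdicts.append((name, verdict))
    return verdicts


def headers_survive(c_tag, pairs):
    """True if every signed header still hashes the same under c_tag."""
    allowed = {"intact"}
    if header_algorithm(c_tag) == "relaxed":
        allowed.add("relaxed-only")
    return all(verdict in allowed for _, verdict in diagnose(pairs))


# Constructed sample: what the signer hashed vs. what the verifier received.
SAMPLE_PAIRS = [
    ("From:<ram@example.com>\r\n", "From: <ram@example.com>\r\n"),
    ("To: Smith, J. <j@example.net>\r\n", 'To: "Smith, J." <j@example.net>\r\n'),
    ("Subject: weekly\r\n report\r\n", "Subject: weekly\r\n report\r\n"),
]

if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLE_PAIRS):
        print(f"{name:8s} {verdict}")
    print("c=simple survives: ", headers_survive("simple/simple", SAMPLE_PAIRS[:1]))
    print("c=relaxed survives:", headers_survive("relaxed/simple", SAMPLE_PAIRS[:1]))
```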


Re: [dkim-milter-discuss] Milter rejected message

2009-12-17 Thread Murray S. Kucherawy
This is fixed in OpenDKIM v1.1.0 (v1.2.0 is current) by creating special 
handling for this case that defaults to accept.

It's not clear if or when a patch would be made available to dkim-milter to 
resolve this.

From: Mark Martinec [mark.marti...@ijs.si]
Sent: Thursday, December 17, 2009 5:43 AM
To: dkim-milter-discuss@lists.sourceforge.net
Subject: Re: [dkim-milter-discuss] Milter rejected message

On Thursday 17 December 2009 14:13:20 SM wrote:
 At 01:53 17-12-2009, Rolf E. Sonneveld wrote:
 Seems these messages carry a DKIM signature, but their DKIM DNS
 entry is not correct. I assume the dkim-filter status is then not
 'reject' but maybe the mail server is interpreting the result of
 dkim-filter as a temp. failure, giving back a 4.x.y status code to
 the SMTP partner?

 Yes, that's what happening.  You can override that behavior with
 On-InternalError accept.

This should be fixed. A NXDOMAIN is a definite and permanent answer
from a DNS resolver, it can in no way be treated as an 'internal error'
or a temporary failure.

  Mark

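An added example, not from the original posts: a triage script for the dkim-filter "key retrieval failed" lines quoted in the first thread on this page, separating permanent lookup failures (the NXDOMAIN case discussed above) from transient ones and listing the signing domains that generate most of the noise. The log lines are constructed in the format shown on the page; mapping "Unknown host" to a permanent failure and "Host name lookup failure" to a temporary one assumes the resolver's usual h_errno strings, and the threshold is a hypothetical value.

```python
import re
from collections import Counter

LINE_RE = re.compile(
    r"dkim-filter\[\d+\]: (?P<qid>[0-9A-F]+): key retrieval failed "
    r"\(s=(?P<selector>[^,]+), d=(?P<domain>[^)]+)\): "
    r"res_query\(\): `(?P<qname>[^']+)' (?P<error>.+)$"
)

# Assumption: these are the resolver's h_errno messages.
ERROR_CLASS = {
    "Unknown host": "permanent",               # name does not exist
    "Host name lookup failure": "temporary",   # try again later
}


def parse_line(line):
    """Return a dict for a key-retrieval failure line, else None."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["class"] = ERROR_CLASS.get(rec["error"], "unclassified")
    # The key record lives at <selector>._domainkey.<domain>; flag lines
    # where the queried name does not match what s= and d= imply.
    expected = "%s._domainkey.%s" % (rec["selector"], rec["domain"])
    rec["qname_consistent"] = rec["qname"].lower() == expected.lower()
    return rec


def summarize(lines):
    """Count failures per (signing domain, failure class)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["domain"].lower(), rec["class"])] += 1
    return counts


def noisy_domains(lines, threshold=3):
    """Domains with at least `threshold` permanent failures.

    These are candidates for an alert-suppression rule or a sender
    filter; temporary failures are left out because they may clear.
    """
    counts = summarize(lines)
    return sorted(d for (d, cls), n in counts.items()
                  if cls == "permanent" and n >= threshold)


# Constructed sample in the format of the log excerpt on this page.
SAMPLE_LOG = [
    "Feb 16 20:42:47 mx dkim-filter[1305]: 560704ACD3D: key retrieval failed "
    "(s=k1, d=bulk.example): res_query(): `k1._domainkey.bulk.example' Unknown host",
    "Feb 16 20:42:49 mx dkim-filter[1305]: 5A1B04ACD40: key retrieval failed "
    "(s=k1, d=bulk.example): res_query(): `k1._domainkey.bulk.example' Unknown host",
    "Feb 16 20:43:02 mx dkim-filter[1305]: 6C2D04ACD41: key retrieval failed "
    "(s=sel2, d=partner.example): res_query(): "
    "`sel2._domainkey.partner.example' Host name lookup failure",
    "Feb 16 20:43:05 mx postfix/smtpd[2211]: connect from unknown[192.0.2.10]",
    "Feb 16 20:43:09 mx dkim-filter[1305]: 7D3E04ACD42: key retrieval failed "
    "(s=k1, d=bulk.example): res_query(): `k1._domainkey.bulk.example' Unknown host",
]

if __name__ == "__main__":
    for (domain, cls), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{domain:20s} {cls:10s} {n}")
    print("suppress or filter:", noisy_domains(SAMPLE_LOG))
```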


Re: [dkim-milter-discuss] Can anyone explain this?

2009-08-26 Thread Murray S. Kucherawy
It's not clear that this has anything at all to do with your DKIM signing.  The 
error returned by Yahoo's mail server is too generic to tell why it got 
rejected.

From: Tony Birnseth, 1st Source IT, LLC [mailto:to...@1sit.com]
Sent: Tuesday, August 25, 2009 8:46 PM
To: dkim-milter general discussion
Subject: [dkim-milter-discuss] Can anyone explain this?

I sent a batch of emails today as part of a marketing campaign.  I received 
several ND responses similar to this one and was wondering if there is a way 
for me to determine the cause (real addressee xxx'd out).

This is the mail system at host ezms1.ez-merchant-hosting.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

x...@zlabs.us: host 
milter1.store.vip.mud.yahoo.com[68.142.205.143] said: 554
5.7.1 Command rejected (in reply to end of DATA command)

Reporting-MTA: dns; ezms1.ez-merchant-hosting.com
X-Postfix-Queue-ID: 32B4E2D283E1
X-Postfix-Sender: rfc822; sa...@ez-ms.com
Arrival-Date: Tue, 25 Aug 2009 14:10:35 -0700 (PDT)

Final-Recipient: rfc822; x...@zlabs.us
Original-Recipient: rfc822;x...@zlabs.us
Action: failed
Status: 5.7.1
Remote-MTA: dns; milter1.store.vip.mud.yahoo.com
Diagnostic-Code: smtp; 554 5.7.1 Command rejected



Re: [dkim-milter-discuss] Apple Mail consistently fails DKIM verify under 2.8.x

2009-08-25 Thread Murray S. Kucherawy
 -Original Message-
 From: Robert Sink [mailto:si...@cbl.umces.edu]
 Sent: Tuesday, August 25, 2009 1:44 PM
 To: dkim-milter general discussion
 Subject: Re: [dkim-milter-discuss] Apple Mail consistently fails DKIM
 verify under 2.8.x
 
 Hello Murray,
 
 Could you give me an example on how to set up and interpret these
 values on my end?
 
 Thank you for your time.

Try the stuff in the DEBUG FEATURES section of the dkim-filter/README file 
you got in your dkim-milter distribution.



Re: [dkim-milter-discuss] Verification not failing

2009-07-27 Thread Murray S. Kucherawy
There's still an issue in there.  In this case, it's possibly that unsigned 
mail is skipping the ADSP check altogether, and defaulting to reporting none. 
 I need to take a closer look.

 -Original Message-
 From: Erik Lotspeich [mailto:e...@lotspeich.org]
 Sent: Monday, July 27, 2009 6:56 AM
 To: dkim-milter general discussion
 Subject: Re: [dkim-milter-discuss] Verification not failing
 
 Hi Murray  SM:
 
 You guys are awesome, as usual -- thanks for the quick response and
 help.
 
 Murray:
 
 I recompiled with _FFR_SENDER_HEADERS enabled and added SenderHeaders
 From to my config.
 
 I was quite confident that this would solve the problem, but it did not
 seem to.  The good news is that we made some progress; the logs are
 interesting:
 [...]




Re: [dkim-milter-discuss] Verification not failing

2009-07-27 Thread Murray S. Kucherawy
 -Original Message-
 From: Erik Lotspeich [mailto:e...@lotspeich.org]
 Sent: Monday, July 27, 2009 10:08 AM
 To: dkim-milter general discussion
 Subject: Re: [dkim-milter-discuss] Verification not failing
 
 Hi Murray,
 
 Here's another data point, if it helps.  Here's the log from my
 postings
 to this list (dkim-milter-discuss):
 [...]

My guess is that list doesn't add a Sender: header, or something like that.



Re: [dkim-milter-discuss] Verification not failing

2009-07-26 Thread Murray S. Kucherawy
 -Original Message-
 From: Erik Lotspeich [mailto:e...@lotspeich.org]
 Sent: Saturday, July 25, 2009 9:19 PM
 To: dkim-milter
 Subject: [dkim-milter-discuss] Verification not failing
 
 Hi,
 
 I am extremely stumped by this issue.  Here are some e-mail headers for
 an e-mail that is not failing an ADSP check.  My policy is sign
 everything.  This mailing list strips the DKIM signature out of the
 headers, as you can see.
 [...]

I'm on a layover enroute to IETF, but I had a quick look and thus here's a 
guess.  There's some old code that's still in there from the early DomainKeys 
days which specifies a list of headers to search for the actual sender of the 
message.  That list is not constrained to From only by default (as it 
probably should be for modern DKIM), so it's probably doing its ADSP check 
based on the Sender header which, in this case, contains the address of the 
list and not that of the message's author.

To test this, recompile enabling _FFR_SENDER_HEADERS, then set this in your 
configuration file:

SenderHeaders From

...and watch your logs for another message from the list.

-MSK



[dkim-milter-discuss] FW: [ietf-dkim] DKIM field usage survey

2009-07-24 Thread Murray S. Kucherawy
I encourage users of dkim-milter to reply to Dave directly at 
d...@dcrocker.net.  This is useful data when deciding what the next steps are 
for DKIM in the IETF standards process.  Specifically, if you are using 
particular features of the DKIM specification, that's an argument for keeping 
them; if there are some you're not using, they're candidates for being dropped 
when and if the spec gets revised.  The idea is that features nobody's using 
can be removed, simplifying the specification and thus making it harder for new 
implementations to get it wrong.  If they become useful features later, they 
can always be re-added by publishing a revision or a new spec that describes an 
extension.

dkim-milter implements the entire DKIM specification as well as adding a few 
useful features of its own.  You have to be somewhat familiar with the 
specification itself to complete this survey (and thus know the difference 
between the add-ons and the core stuff), but I suspect a decent percentage of 
this list's readership fits that description.  To those of you that do, your 
feedback would be valuable here.

-Original Message-
From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On 
Behalf Of Dave CROCKER
Sent: Sunday, July 12, 2009 10:50 AM
To: DKIM IETF WG
Subject: [ietf-dkim] DKIM field usage survey

Folks,

G'day.

One requirement for moving a specification from Proposed to Draft status is to 
supply an Implementation Report:

http://www.ietf.org/IESG/implementation.html

http://tools.ietf.org/html/draft-dusseault-impl-reports-04

I've put together survey forms -- one for signers and one for verifiers -- that 
should supply us with some raw field data, to make it possible to assemble a 
detailed report.


*  If you run a DKIM signing and/or verifying operation, please complete the
   appropriate survey questionnaire and return it to me.

   *   If you know of others who operate DKIM signing and/or verifying services --
   such as your customers -- please forward this to them and request that
   they complete a version, returning it to me.


Because the report seeks information about interoperability, it does not ask 
about the capabilities of software, but rather looks for actual usage.  It is 
information about /interaction/ between software that is important, not merely 
what code exists.  This is why real field data is sought, rather than a report 
from developers.

I'm hoping we can get a useful set of responses by the time of the IETF 
meeting, so that we can start considering the feedback.

Thanks!

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net

 
 
 
   Report:   RFC4871 - DKIM Signatures 
 Implementation Report Form -- SIGNING
 
 Please obtain responses directly from 
 operators of DKIM installations

   
   Report Date:  
   
   Report Author Name:   
   
   Report Organization:  
   
   Report Author Email:  

   Purpose:  
   
   This solicits detailed information about your organization's direct
   use of an individual implementation of DKIM signing and its 
   interoperability with other implementations doing DKIM validating. The 
   purpose of the questionnaire is to ascertain what features of DKIM are 
   being used.
   
   Besides a basic history of success and failure with signature 
   validation, it requests details concerning the use of individual DKIM 
   tags in DNS records and in the DKIM-Signature: header field.  In 
   addition to the question of whether tags are set with a value please 
   indicate whether they are set with different values for different uses 
   or whether a single, constant value is used.
   
   Some information is best obtained directly from the software or its 
   manuals.  Other information is obtained from local policies or service 
   logs.
   
  
   Implementation name:
   
   Implementation author or source:
   
   Implementation contact address:
   
   Implementation operational first fielded on (date):
   
   
   Interoperability summary:
   
  (Please provide a basic statement about use of the implementation in 
  fielded operations, concerning successes and failures and how DKIM is 
  used. This summary will satisfy the basic question of whether the core 
  function of signature validation is interoperable.)



   
   DNS TXT record tags -- ranges set, if at all:
   
  (For each tag, please explain whether your use of the implementation 
  chooses particular values for the tag and, if so, with what range of 
  values and according to what rules.)
   
  (The tags v=, p=, n= need not be reported.)
  
  
  g -- Granularity of the key:  
  
 
  h -- Acceptable hash algorithms:  
  
 
  k -- Key type:  
  
 
  s -- 

Re: [dkim-milter-discuss] Any dkim signed mail goes to spam in gmail

2009-07-21 Thread Murray S. Kucherawy
 -Original Message-
 From: ram [mailto:r...@netcore.co.in]
 Sent: Friday, July 10, 2009 6:11 AM
 To: dkim-milter-discuss@lists.sourceforge.net
 Subject: [dkim-milter-discuss] Any dkim signed mail goes to spam in
 gmail
 
 I have set up dkim signatures, but gmail seems to mark every dkim
 signed mail as spam. If I don't sign the mail, it goes fine
 
 Is there anything wrong with my dkim signature, how can I check?

What do the autoresponders say when you try them?  Try sending a signed message 
to sa-t...@sendmail.net, for example.



Re: [dkim-milter-discuss] High memory usage

2009-05-27 Thread Murray S. Kucherawy
On Wed, 27 May 2009, Andy Fiddaman wrote:
 This would seem to point to the filter component as being the leaky 
 part..

Or possibly some features of libdkim that you're not using, but the filter 
is.  In either case, this is a very interesting data point.



Re: [dkim-milter-discuss] DKIM-Signature but no DomainKey-Signature

2009-04-21 Thread Murray S. Kucherawy
On Tue, 21 Apr 2009, double wrote:
 dkim-milter creates in the email-header a DKIM-Signature
 but no DomainKey-Signature.

Correct.

 Is there an option to create a DKIM-Signature?

(Assuming you meant DomainKey-Signature) No.  You need to install and 
run dk-milter, or some other signing filter, in parallel.



Re: [dkim-milter-discuss] Build failed - undefined reference

2009-03-27 Thread Murray S. Kucherawy
On Fri, 27 Mar 2009, Johannes Siebert wrote:
 No change at all. Exactly the same output:

Did you do sh Build -c?  Makefile.m4 is only read when you wipe out the 
build and start over.



Re: [dkim-milter-discuss] Build failed - undefined reference

2009-03-26 Thread Murray S. Kucherawy
On Thu, 26 Mar 2009, Johannes Siebert wrote:
 dkim-keys.c:(.text+0x3b9): undefined reference to `__dn_expand'
 dkim-keys.c:(.text+0x3c4): undefined reference to `__dn_skipname'
 dkim-keys.c:(.text+0x604): undefined reference to `__dn_expand'
 dkim-keys.c:(.text+0x634): undefined reference to `__dn_expand'
 [...]

Those are resolver utility functions.  You may need to add -lresolv or 
some such.



Re: [dkim-milter-discuss] Build failed - undefined reference

2009-03-26 Thread Murray S. Kucherawy
On Thu, 26 Mar 2009, Johannes Siebert wrote:
 Thank you for your answer. Where do I need to add this -lresolv?

In dkim-filter/Makefile.m4, you need to add something like:

APPENDDEF(`confLIBS', `-lresolv ')

...right before the first bldPRODUCT_END line.  If other applications also 
complain, move that to above the first bldPRODUCT_START line.



Re: [dkim-milter-discuss] POP Authentication Problem

2009-03-24 Thread Murray S. Kucherawy
On Tue, 24 Mar 2009, Todd Lyons wrote:
 These are wild guesses, don't be surprised if I'm totally in the wrong 
 direction.

They're very good guesses, actually.  If the agent updating the POP DB 
replaces the file rather than simply updating it, then dkim-filter will 
have the old one still open while the new one is visible in the 
filesystem.  This would explain the symptoms being reported.



Re: [dkim-milter-discuss] POP Authentication Problem

2009-03-24 Thread Murray S. Kucherawy
On Tue, 24 Mar 2009, Robert Barty wrote:
 What could possibly be wrong? If not a dkim problem could it be sendmail 
 (8.13.1) or perhaps the Berkley DB?

It's certainly not sendmail since it has no idea about POP.  The only 
possibilities are the one that has been suggested (your POP server is 
replacing the database rather than simply updating it) or Sleepycat DB is 
doing negative caching, although I find that quite unlikely.

Which POP server are you using?



Re: [dkim-milter-discuss] DKIM signs spam mails

2009-03-02 Thread Murray S. Kucherawy
On Sun, 1 Mar 2009, Seba wrote:
 DKIM signs the spam mails when the sender address is forged (if sender 
 address is a recipient in mydomain) - but this should not be I think.

 Spam comes in, gets signed if sender is a recipient in my local domain 
 and gets delivered to the mailbox of the user. Are there any settings to 
 prevent this?

Yes.  The OPERATION section of the dkim-filter(8) man page explains the 
decision process regarding whether to sign a message or verify it.  Some 
tuning based on the information you find there will probably solve your 
problem.

If externally-originated mail with a forged From: header is being signed, 
my first guess would be you have an internal hosts list which is too 
permissive.



Re: [dkim-milter-discuss] Validation problem

2009-03-02 Thread Murray S. Kucherawy
On Sun, 1 Mar 2009, Tony Birnseth, 1st Source IT, LLC wrote:
 I have installed the 'sendmail' version of DKIM since I can't find a
 lib64 binary specifically for postfix.  I made links to get the key
 locations to resolve and that seems to be working ok.
 I created a regex file to prepend a DKIM Signature: header for every
 email sent from this system whether that be from the system itself or
 on behalf of an authenticated smtp connection (I.e one of the domains I
 support)...

As I believe Mike pointed out, this isn't how DKIM works.  The signature 
takes into account the body and header contents as well as the current 
time, so you can't recycle the same signature for all of your mail as none 
of them will ever verify (except the one on which the original signature 
was based).

You need to sign each message individually using the filter.

 I guess I would expect the checker to:
 1) Use the info in the header to check the dkim info  (I.e.
 ezms1._domainkey.ez-merchant-hosting.com)
 2) Validate against those credentials.

It does, but the digital signature is based on the message content and 
headers, which (obviously) changes from one message to the next.  Also the 
t= portion of the signature is a timestamp, so eventually you'd be 
affixing signatures generated before the actual message you're sending.

 I'm trying to avoid setting up unique dkim info for each client that
 uses this system.  Maintenance nightmare.  Is that even possible?

Absolutely.

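Why a recycled signature cannot verify, as an added example (not from the original posts or from dkim-milter): the bh= tag of a DKIM-Signature is a hash of the canonicalized body, so a header copied from one message fails on any other body before the RSA check is even reached. The messages, the example.com domain, the selector and the function names are constructed; only body hashing is shown, not header hashing or the RSA signature.

```python
import base64
import hashlib
import re


def canon_body(body, mode):
    """DKIM body canonicalization: "simple" or "relaxed"."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":
        # collapse runs of space/tab to one space, drop whitespace at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()                      # empty lines at the end are ignored
    if not lines:
        # an empty body hashes as nothing (relaxed) or as a single CRLF (simple)
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="simple", algo="sha256"):
    """Value a signer places in bh= for this body."""
    digest = hashlib.new(algo, canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def tag(sig_value, name, default=""):
    """Pull one tag out of a DKIM-Signature value, whitespace removed."""
    m = re.search(r"(?:^|;)\s*%s\s*=([^;]*)" % re.escape(name), sig_value)
    return "".join(m.group(1).split()) if m else default


def body_hash_matches(sig_value, body):
    """First step of verification: does bh= match this message's body?"""
    canon = tag(sig_value, "c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"
    algo = "sha1" if tag(sig_value, "a").endswith("sha1") else "sha256"
    return tag(sig_value, "bh") == body_hash(body, mode, algo)


# Constructed sample: two outbound messages and the signature header value a
# signer would produce for the first one (b= replaced by a placeholder).
BODY_A = b"Invoice 1001 attached.\r\n"
BODY_B = b"Your password was reset.\r\n"
SIG_FOR_A = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
             "t=1235952000; h=from:to:subject:date; bh=%s; b=PLACEHOLDER"
             % body_hash(BODY_A, "relaxed"))

if __name__ == "__main__":
    print("header on its own message :", body_hash_matches(SIG_FOR_A, BODY_A))
    print("same header, other message:", body_hash_matches(SIG_FOR_A, BODY_B))
```
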


[dkim-milter-discuss] The value of features within DKIM

2009-02-22 Thread Murray S. Kucherawy
This is probably of particular interest to those of you who are familiar 
with the internals of DKIM, i.e. the standard document and thus the 
protocol itself, but everyone is invited to participate.

Are there any portions of DKIM you feel are not useful to you?  That is, 
are there things in DKIM which, if they weren't there to begin with, 
wouldn't make a difference to you?  Or, on the flipside, are there some 
things outside of the obviously mandatory features without which you 
would consider DKIM not useful?  Or possibly, are there some features 
you're not using now but you plan to use in the future?

Some specific topics, if you need a starting place:

In signatures:
x= (signature expiration)
t= (signature timestamps)
l= (body lengths)
i= (signing identity)
q= (query method)
z= (original signed header set)

In keys:
g= (key granularity; restricting keys to specific users)
n= (free-form comment)

Our implementation provides at least indirect access to or support of 
nearly all of these.  I, for example, have found z= to be useful when 
debugging interoperability issues, so it would get a keep vote from me.

Please give it some thought and let me know if you have any opinions about 
these.

-MSK



Re: [dkim-milter-discuss] DKIM Gateway Question

2009-02-13 Thread Murray S. Kucherawy
On Fri, 13 Feb 2009, Nick Pettola wrote:
 I have a windows server running Imail. I have a Red Hat server that I 
 have setup with DKIM running sendmail. It signs messages that originate 
 from it but I need to send messages from my windows server through the 
 sendmail server and have it sign them as well. I have added the 
 ExternalIgnoreList option to the config file with the IP address of my 
 windows server. There is no signature. Any help with this would be 
 greatly appreciated.

Look at the InternalHosts option:

InternalHosts (string)
   Identifies  a file of internal hosts whose mail should be signed
   rather than verified.  Entries in this file follow the same form
   as  those  of  the PeerList option below.  If not specified, the
   default of 127.0.0.1 is applied.  Naturally, providing a value
   here  overrides the default, so if mail from 127.0.0.1 should be
   signed, the list  provided  here  should  include  that  address
   explicitly.

See also the OPERATION section of the dkim-filter(8) man page.



Re: [dkim-milter-discuss] DKIM Gateway Question

2009-02-13 Thread Murray S. Kucherawy
On Fri, 13 Feb 2009, Nick Pettola wrote:
 I added the ip to the InternalHosts file as well, did not work.

Did you restart the filter after doing so, or send it SIGUSR1 to reload 
the configuration?

If that still doesn't work, turn on the LogWhy option and send a message 
through that should be signed.  When it's not, find the records about it 
in the sendmail log, and it should tell you why it wasn't signed.



Re: [dkim-milter-discuss] DNS setup problems

2009-02-13 Thread Murray S. Kucherawy
On Fri, 13 Feb 2009, Tomasz Chmielewski wrote:
 So I can't have the key file called default for all of them, their
 names have to be unique.

Why not?  You could have a default selector in each domain, all using 
the same key if that's what you want.

 Isn't using the domain name in that case the most obvious solution (and 
 everyone will have to look up mydomain.tld._domainkey.mydomain.tld for 
 each domain)?

That will work, if that's what you want to do.  But if you want to change 
the key for one domain later, what would you call it?  Replacing the key 
in the DNS record without renaming it invalidates all signed mail in 
transit at the time you do so.

 Or, what do you suggest?

Depends on what you want to do.  If each domain should have a unique key 
called default, you could have a directory called (for example) 
/var/dkim-keys which contains a subdirectory for each domain, and put the 
private key for each domain in a file called default in that domain's 
subdirectory.  So:

/var/dkim-keys/domain1/default
/var/dkim-keys/domain2/default

...etc.

If you have some other scheme, try describing it and I can see about 
proposing some other alternative.



Re: [dkim-milter-discuss] DKIM Gateway Question

2009-02-13 Thread Murray S. Kucherawy
On Fri, 13 Feb 2009, Nick Pettola wrote:
 Yes I did restart. Do I need to add the LogWhy option in the dkim.conf file?

Yes.



[dkim-milter-discuss] d2i_PUBKEY_BIO() failures

2009-02-10 Thread Murray S. Kucherawy
An intermittent but recurring problem is the above error message.  It's 
caused when that function in the OpenSSL library fails to create a handle 
representing a public key after the key data has been retrieved from DNS. 
So far every time I've seen it, it's been caused by a public key that got 
mangled in the transition from being a PEM file to a DNS TXT record and 
is thus corrupted.

At the moment, libdkim returns DKIM_STAT_NORESOURCE to the filter when 
this happens, which assumes that error is transient and (by default) 
temp-fails the message hoping a later retry would work.  There's been some 
discussion on other lists that this behaviour isn't the best idea; the 
claim is that the message should be treated as though a permanent key 
retrieval problem occurred (e.g. key not found), and the message delivered 
with presumably a neutral status reported by the filter.

libdkim could be changed to report DKIM_STAT_CANTVRFY instead, indicating 
to the calling application that a more permanent failure in verification 
occurred.  This would cause dkim-filter to immediately report a 
verification error (permerror) and pass the message instead of arranging 
for a temp-fail of the message.

I'm hesitant though, because I don't know for sure that this is the only 
reason d2i_PUBKEY_BIO() might ever fail.  But if it fails for some other 
reason, is there a need to make the distinction?  What if it failed because 
it couldn't allocate more memory, for example?

In fact, the current behaviour came in handy today when I was able to talk 
to a signer with a corrupted key and get it fixed, at which point all the 
temp-failing mail came through.

Anyone want to offer up other opinions?



Re: [dkim-milter-discuss] d2i_PUBKEY_BIO() failures

2009-02-10 Thread Murray S. Kucherawy
On Tue, 10 Feb 2009, SM wrote:
 libdkim could be changed to report DKIM_STAT_CANTVRFY instead, indicating
 to the calling application that a more permanent failure in verification
 occurred.  This would cause dkim-filter to immediately report a
 verification error (permerror) and pass the message instead of arranging
 for a temp-fail of the message.

 Are we sure that this always results in a DKIM_STAT_CANTVRFY?

For dkim-filter, yes.  Naturally, I can't speak for other applications 
that use libdkim, but they're free to make such interpretations.

Another option would be to create a new DKIM_STAT return which 
specifically indicates an error of this nature, such as 
DKIM_STAT_OPENSSLERROR.

 If there was a permerror, this might not have been fixed.

So you're (generally) opting for leaving it as-is?



Re: [dkim-milter-discuss] Problem in building 64-bit Dynamic library

2009-02-04 Thread Murray S. Kucherawy

On Wed, 4 Feb 2009, Murray S. Kucherawy wrote:

 2) The symbol MAXDNAME is not defined in your
 /usr/local/include/resolv.conf.  That probably means you have installed
 some resolver other than the standard one (bind-9.6.0 perhaps?) which has
 some new format or dependencies.  You need to find out where MAXDNAME is
 defined and include that as well.  You might try adding this to
 libar/Makefile.m4, just as a guess:


Actually my guess may not work.  Instead, try the attached patch on 
libar/manual.c to solve the second problem.
Index: manual.c
===
RCS file: /cvs/libar/manual.c,v
retrieving revision 1.7
diff -u -r1.7 manual.c
--- manual.c19 Feb 2008 20:16:11 -  1.7
+++ manual.c5 Feb 2009 06:24:22 -
@@ -15,6 +15,10 @@
 #ifdef DARWIN
 # include arpa/nameser.h
 #endif /* DARWIN */
+#if SOLARIS = 21000
+# include arpa/nameser.h
+# include arpa/nameser_compat.h
+#endif /* SOLARIS = 21000 */
 #include resolv.h
 #include netdb.h
 #include ctype.h
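Review bot: the guard on the added block reads "#if SOLARIS = 21000" as it appears here, and a single "=" is not a valid preprocessor comparison; the comparison operator looks to have been lost in the archived copy, so check the condition against the original attachment before applying. The new block also repeats the arpa/nameser.h include already done for DARWIN just above it, and a one-line comment saying that arpa/nameser_compat.h is pulled in for MAXDNAME would tell the next reader why this platform needs it.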


Re: [dkim-milter-discuss] Any threads created in libdkim ?

2009-02-03 Thread Murray S. Kucherawy
On Wed, 4 Feb 2009, deiva shanmugam wrote:
 Just wanted to confirm: are any threads created within the dkim 
 library code?

No threads are created or destroyed by libdkim.  It does, however, use 
other pthread primitives such as mutex and condition functions.



Re: [dkim-milter-discuss] DKIM - No DNS Record

2009-01-21 Thread Murray S. Kucherawy
On Wed, 21 Jan 2009, Jason Carson wrote:
 ... I get the following results...

 DKIM Test: pass
 DKIM Author Signing Practice: no DNS record

 ... so the email is being signed because it passes but it says I have no
 DNS record, but I do. It may be that my DNS is configured improperly. Here
 is my DNS configuration, I am using Bind...

 jasondkim._domainkey.jasoncarson.ca. IN TXT v=DKIM1; g=*; k=rsa; p=key;

 Does anybody know what I am doing wrong?

Yes, you're misinterpreting the result.

 DKIM Test: pass
 DKIM Author Signing Practice: no DNS record

For DKIM to pass, obviously your DNS record is there or the process 
couldn't complete.

The DKIM Author Signing Practise is a different DNS record, which you 
probably haven't published yet.



Re: [dkim-milter-discuss] asn1 encoding routines failure

2009-01-10 Thread Murray S. Kucherawy
On Sat, 10 Jan 2009, Robert Schetterer wrote:
 Jan 10 13:32:35 postmailer dkim-filter[3843]: 96634260010: dkim_eoh():
 resource unavailable: d2i_PUBKEY_bio() failed
 Jan 10 13:32:35 postmailer dkim-filter[3843]: 96634260010 SSL
 error:0D06B08E:asn1 encoding routines:ASN1_D2I_READ_BIO:not enough data

At a guess, the public key the filter retrieved to verify a message didn't 
contain enough information, i.e. the encoding was broken or truncated.

Using your logs, you might be able to figure out what the domain and 
selector are, and then retrieve the public key manually to see if it looks 
right or not (and use the openssl binary to see if it could be parsed).


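The manual key check suggested above, and the mangled-key cause described in the d2i_PUBKEY_BIO() failures post, as an added example (not part of the original posts or of dkim-milter): a structural check of a key record's p= value that reports truncation or non-base64 content before OpenSSL would. The record strings, the made-up modulus and all function names are constructed for illustration; it checks DER framing only and does not replace parsing the key with OpenSSL.

```python
import base64
import binascii

# DER encoding of the rsaEncryption OID, 1.2.840.113549.1.1.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def der(tag, content):
    """Encode one DER TLV (used here only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def read_tlv(buf, off):
    """Return (tag, length, content_offset) for the TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated: no room for a DER header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        return tag, first, off
    nlen = first & 0x7F
    if nlen == 0 or off + nlen > len(buf):
        raise ValueError("truncated: incomplete DER length field")
    return tag, int.from_bytes(buf[off:off + nlen], "big"), off + nlen


def parse_tags(txt):
    """Split a DKIM tag=value list; values may themselves contain '='."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def check_key_record(txt):
    """Structural check of the p= value of a DKIM key record."""
    tags = parse_tags(txt)
    if "p" not in tags:
        return "no p= tag"
    b64 = "".join(tags["p"].split())      # folding whitespace is allowed
    if not b64:
        return "revoked: empty p="
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return "p= is not valid base64"
    try:
        tag, length, start = read_tlv(blob, 0)
        if tag != 0x30:
            return "not a SubjectPublicKeyInfo SEQUENCE"
        if start + length > len(blob):
            # the case OpenSSL reports as "not enough data"
            return ("truncated: DER declares %d bytes, record holds %d"
                    % (start + length, len(blob)))
        if start + length < len(blob):
            return "trailing bytes after the key"
        atag, alen, astart = read_tlv(blob, start)
        if atag != 0x30 or blob[astart:astart + alen][:len(RSA_OID)] != RSA_OID:
            return "algorithm is not rsaEncryption"
        btag, blen, bstart = read_tlv(blob, astart + alen)
        if btag != 0x03 or bstart + blen != len(blob):
            return "malformed BIT STRING around the key"
    except ValueError as exc:
        return str(exc)
    return "ok"


# Constructed sample: a structurally valid 1024-bit RSA SubjectPublicKeyInfo
# with a made-up modulus (not a usable key), wrapped in key records.
MODULUS = b"\x00" + bytes(range(0x80, 0x100))
RSA_KEY = der(0x30, der(0x02, MODULUS) + der(0x02, b"\x01\x00\x01"))
SPKI = der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + RSA_KEY))
GOOD_P = base64.b64encode(SPKI).decode()
GOOD_RECORD = "v=DKIM1; k=rsa; p=" + GOOD_P
CUT_RECORD = "v=DKIM1; k=rsa; p=" + GOOD_P[:100]   # value cut off in the zone
PEM_RECORD = "v=DKIM1; k=rsa; p=-----BEGIN PUBLIC KEY-----" + GOOD_P

if __name__ == "__main__":
    for rec in (GOOD_RECORD, CUT_RECORD, PEM_RECORD, "v=DKIM1; p="):
        print(check_key_record(rec))
```
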


Re: [dkim-milter-discuss] DKIM sign locally

2009-01-08 Thread Murray S. Kucherawy
On Thu, 8 Jan 2009, Bailo, John wrote:
 My DKIM milter is signing emails perfectly when I connect from a remote 
 machine on mynetworks (Postfix) and send email with Outlook Express.

 But if I send an email locally, from the postfix server itself using the 
 mail command, it doesn't sign.

My guess, since I'm not familiar with Postfix, is you've defined an 
internal host list for your internal network (which is why Outlook Express 
works) but left localhost off.



[dkim-milter-discuss] dkim-filter crash bug and workaround

2009-01-07 Thread Murray S. Kucherawy
This affects all versions from 2.5.0 to 2.7.2.

With the addition of configuration reloads in 2.5.0, there is a failure to 
set up some configuration defaults in certain circumstances.  This can 
lead to crashes when particular message mutations pass through the filter 
because of assertion failures or invalid pointer dereferences.

Specifically, if you don't use -C on the command line and don't use any 
of the On- action directives in the configuration file (or don't use a 
configuration file at all), the default actions for those exceptions are 
never loaded.  The action is to continue in those cases as a result, 
rather than the intended (documented) defaults.  This means when libdkim 
rejects a message for formatting reasons, the filter will plunder forward, 
continuing to process the same message rather than halting processing as 
it should.  This eventually causes the filter to make a call into the DKIM 
library which causes an illegal request or an assertion failure, and the 
filter will crash.

The specific instance of this that has been observed is as follows:

a) no use of -C on the command line
b) no On-* directives in the configuration file (or no configuration file)
c) a Sender: header with an address whose domain is in the list of domains
to sign
d) no From: header on the message

A permanent fix has already been added to the impending 2.8.0 release.  A 
patched beta release of it is already available.  I expect to be posting 
that around the end of this week.  In the interim, you can protect your 
installations from this by either:

1) starting your filter with -C int=t on the command line.  The default 
includes int=t so this won't change your filter's operation, but it will 
cause the full set of defaults to be established properly as the filter 
starts up; OR

2) editing your configuration file to contain the line:

On-InternalError tempfail

...which has the same effect.

The upcoming release fixes the filter's default loading and also hardens 
the library so even without that fix (or without the filter), a crash will 
no longer result.

If people want or need a patch to 2.7.2 while waiting for 2.8.0 or would 
rather do that than upgrade right away to a new release, I can produce a 
2.7.3 or just post a source patch here.  Please let me know if you have 
such requirements.



Re: [dkim-milter-discuss] dkim-filter crash bug and workaround

2009-01-07 Thread Murray S. Kucherawy

On Wed, 7 Jan 2009, Scott Kitterman wrote:
 This affects two Ubuntu versions that are post-release and I'll have to 
 patch if I am to fix them, so a patch would be handy.  It's 2.5.4 and 
 2.6.0 if it matters.


Diffs to those two versions attached.  They're identical except for the 
line numbers and version numbers.
Index: dkim-filter/dkim-filter.c
===
RCS file: /cvs/dkim-filter/dkim-filter.c,v
retrieving revision 1.360
diff -u -r1.360 dkim-filter.c
--- dkim-filter/dkim-filter.c   15 Apr 2008 20:42:29 -  1.360
+++ dkim-filter/dkim-filter.c   7 Jan 2009 20:56:14 -
@@ -975,9 +975,6 @@
char *v;
char *tmp;
 
-   /* load defaults */
-   memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling);
-
if (confstr == NULL)
return TRUE;
 
@@ -1128,6 +1125,9 @@
new-conf_signbytes = -1L;
new-conf_sigmintype = SIGMIN_BYTES;
 
+   /* load defaults */
+   memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling);
+
return new;
 }
 
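Review bot: in this hunk the added memcpy() writes to conf's conf_handling, but the neighbouring lines initialise and return "new" (new-conf_signbytes, new-conf_sigmintype, return new). Unless a separate conf is in scope here and is the intended target, the defaults should be copied into new; as written the freshly allocated structure would still be returned without its handling defaults, which is the condition this patch is meant to remove.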
Index: libdkim/dkim.c
===
RCS file: /cvs/libdkim/dkim.c,v
retrieving revision 1.469
diff -u -r1.469 dkim.c
--- libdkim/dkim.c  14 Apr 2008 20:02:58 -  1.469
+++ libdkim/dkim.c  7 Jan 2009 20:56:14 -
@@ -2723,6 +2723,7 @@
{
dkim_error(dkim, required header \%s\ not found,
   required_signhdrs[c]);
+   dkim-dkim_state = DKIM_STATE_UNUSABLE;
return DKIM_STAT_SYNTAX;
}
}
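Review bot: setting dkim_state to DKIM_STATE_UNUSABLE before "return DKIM_STAT_SYNTAX" covers only the missing required header path shown in this hunk; any other early error return in the same function that leaves the handle half-processed needs the same treatment, so it is worth auditing them together. A short comment on the new line saying that later calls on this handle must be refused would document why the state changes on a syntax error.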
Index: dkim-filter/dkim-filter.c
===
RCS file: /cvs/dkim-filter/dkim-filter.c,v
retrieving revision 1.385
diff -u -r1.385 dkim-filter.c
--- dkim-filter/dkim-filter.c   5 Jun 2008 15:12:44 -   1.385
+++ dkim-filter/dkim-filter.c   7 Jan 2009 20:55:47 -
@@ -1130,9 +1130,6 @@
char *v;
char *tmp;
 
-   /* load defaults */
-   memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling);
-
if (confstr == NULL)
return TRUE;
 
@@ -1278,6 +1275,9 @@
new-conf_signbytes = -1L;
new-conf_sigmintype = SIGMIN_BYTES;
 
+   /* load defaults */
+   memcpy(conf-conf_handling, defaults, sizeof conf-conf_handling);
+
return new;
 }
 
Index: libdkim/dkim.c
===
RCS file: /cvs/libdkim/dkim.c,v
retrieving revision 1.485
diff -u -r1.485 dkim.c
--- libdkim/dkim.c  5 Jun 2008 23:32:41 -   1.485
+++ libdkim/dkim.c  7 Jan 2009 20:55:47 -
@@ -2776,6 +2776,7 @@
{
dkim_error(dkim, required header \%s\ not found,
   required_signhdrs[c]);
+   dkim-dkim_state = DKIM_STATE_UNUSABLE;
return DKIM_STAT_SYNTAX;
}
}


Re: [dkim-milter-discuss] dkim-filter crash bug and workaround

2009-01-07 Thread Murray S. Kucherawy
On Wed, 7 Jan 2009, Murray S. Kucherawy wrote:
 The specific instance of this that has been observed is as follows:

 a) no use of -C on the command line
 b) no On-* directives in the configuration file (or no configuration file)
 c) a Sender: header with an address whose domain is in the list of domains
   to sign
 d) no From: header on the message

Forgot one:

e) all other signing criteria are met (MTA name matches, macros match, 
source is on the internal list, etc.)

That is, one cannot craft a message from outside and send it inbound and 
expect the filter to crash, i.e. it's not exploitable from outside.



Re: [dkim-milter-discuss] meaning of padding too short message?

2009-01-05 Thread Murray S. Kucherawy
On Sun, 4 Jan 2009, Thomas Bader wrote:
 At first sight, everything looks well. However, there's a log message
 which is a bit confusing:

 Jan  3 23:09:26 valmar dkim-filter[952]: 3C9D8342EEEF SSL
 error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short

 (On successful verification, this is the _only_ logged message. In case
 of failed verification, a log line indicating bad signature data
 follows.)

The dkim-filter code will log errors that the OpenSSL library reports.  If 
you're getting successful verification, you can probably ignore this.

I'm not an expert about the data structures OpenSSL uses, but the error 
appears to mean the public key retrieved to verify a message was 
corrupted.  However, if it's verifying successfully then I suppose it was 
not corrupted enough to prevent completion of the verify operation.



Re: [dkim-milter-discuss] meaning of padding too short message?

2009-01-05 Thread Murray S. Kucherawy
On Sun, 4 Jan 2009, Thomas Bader wrote:
 Jan 3 23:09:26 valmar dkim-filter[952]: 3C9D8342EEEF SSL 
 error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too 
 short

Can you use the logs (i.e. grep for 3C9D8342EEEF) to figure out which 
public key was used to sign the message, or go look at the message if it's 
still there and give me the values of d= and s=?

I wonder if I can reproduce the problem just by knowing which key it is.

The error would seem to indicate that there's a padding problem with the 
public key, not the signature or the header hash (which are the three 
inputs to the RSA verify function).  Based on some reading just now after 
searching online for that error string, OpenSSL v0.9.8c and later include 
a test to thwart what they labeled a PKCS #1 v1.5 signature attack, and 
this is the error returned when that attack is detected.

http://marc.info/?l=openssl-cvs&m=115744474426944&w=2

That the message still succeeds verification would appear to contradict 
the code added by that patch.

Right now I suspect the key being retrieved from the signing domain's DNS 
was either improperly encoded or improperly generated.  However, just to 
be sure, I'd like to run a few examples through a debugger here to see if 
I have a problem with the DNS or base64 code in the filter.  I need some 
sample data to be able to do so.

I checked my own domain's logs and I've had no instances of that error for 
the last week, so I don't have any data to work with yet.  Hopefully 
someone on this list can help me out.



Re: [dkim-milter-discuss] meaning of padding too short message?

2009-01-05 Thread Murray S. Kucherawy
The padding too short check and error was removed from OpenSSL sometime 
in September of 2006.

In particular:

http://cvs.openssl.org/rlog?f=openssl/crypto/rsa/rsa_eay.c

Version 1.52 of that file added the test which triggered this error report 
and returned an error, and 1.53 removed it.  That yours reports the error 
in the error stack but doesn't actually return a verification error is 
mysterious.

Interestingly, the time difference between those two versions was under 24 
hours.  The previous release was 0.9.8c a few weeks earlier, and it didn't 
have the change either (obviously).  I'd guess the version you're running 
is 0.9.8c with that patch added manually, even though the patch was later 
retracted by the OpenSSL maintainers.

I would guess then that upgrading to a newer version of the library would 
remove the problem.



Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers

2009-01-02 Thread Murray S. Kucherawy
On Tue, 30 Dec 2008, UUN Hostmaster wrote:
 I get no output with this command:

 # strings /usr/sbin/dkim-filter | fgrep ar.c,v

That means your code wasn't compiled with the asynchronous resolver 
library provided as part of the dkim-milter package.  This eliminates it 
as your problem.  That means the operating system's stock resolver is 
doing what you've observed.  dkim-filter (actually, libdkim) is just using 
the system's res_search() or res_query() function and thus doesn't have 
any direct influence about what UDP descriptors are created or how they're 
used.

 What does the ,v do in this command?

Note this at the top of each .c and .h file in the distribution:

#ifndef lint
static char dkim_filter_c_id[] = "@(#)$Id: dkim-filter.c,v 1.416 2008/11/10 07:02:28 msk Exp $";
#endif /* !lint */

For files which actually comprise part of the binary, that string inside 
quotes will actually appear as part of the binary (and thus, the output of 
strings).  This is how one can determine which files were used to build 
your executable.  The entire string between the $ characters is 
generated by our source code control system and is updated whenever one of 
the files is changed, so you can tell which version and what the revision 
date of each file was.

The ,v suffix is added to files in the revision control system RCS we 
use.  For example, foo.c might be the working C source file but RCS 
keeps a history of all changes and comments describing them in 
RCS/foo.c,v.  This is used to generate the ID tag automatically.

That there's no ar.c,v shows me that your binary did not include the 
code found in libar/ar.c, which is the asynchronous resolver library 
shipped with dkim-milter.  That's the detail I was seeking.

 Here is the output without the ,v

 # strings /usr/sbin/dkim-filter | fgrep ar.c
 dkim-ar.c

That means your binary was compiled with dkim-filter/dkim-ar.c, which is 
expected; that code parses Authentication-Results header fields, and is 
different from libar/ar.c.
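
Added example (not from the original message or the dkim-milter sources): a Python version of the `strings | fgrep` check described above, which lists the RCS `$Id$` stamps embedded in a binary and answers "was this source file compiled in?" by exact file name. The byte blob is constructed; it holds only the dkim-filter.c stamp quoted in the message and the bare `dkim-ar.c` string from the reported output, and the function names are this example's own.

```python
import re

# Printable ASCII runs of four or more characters, the default strings(1) behaviour.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

# An expanded RCS $Id$ keyword: "file,v revision date time author state".
RCS_ID = re.compile(
    rb"\$Id: (?P<file>[^\s$]+),v (?P<rev>[0-9.]+) "
    rb"(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    rb"(?P<author>\S+) (?P<state>\S+) \$"
)


def strings(blob: bytes) -> list:
    """Return the printable strings found in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def fgrep(blob: bytes, needle: str) -> list:
    """Fixed-string match over strings(), like `strings file | fgrep needle`."""
    return [s for s in strings(blob) if needle in s]


def rcs_idents(blob: bytes) -> dict:
    """Map each source file named in an $Id$ stamp to its revision details."""
    found = {}
    for m in RCS_ID.finditer(blob):
        found[m.group("file").decode("ascii")] = {
            "revision": m.group("rev").decode("ascii"),
            "stamp": m.group("stamp").decode("ascii"),
            "author": m.group("author").decode("ascii"),
        }
    return found


def built_from(blob: bytes, source_file: str) -> bool:
    """True only if an $Id$ stamp for exactly this file name is present."""
    return source_file in rcs_idents(blob)


# Constructed sample: a fake ELF magic, the dkim-filter.c stamp quoted in the
# message, and the bare "dkim-ar.c" string that the second fgrep reported.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"@(#)$Id: dkim-filter.c,v 1.416 2008/11/10 07:02:28 msk Exp $\x00"
    + b"\x01\x02\x03"
    + b"dkim-ar.c\x00"
    + b"\xff\xfe"
)

if __name__ == "__main__":
    print("fgrep ar.c,v :", fgrep(SAMPLE_BINARY, "ar.c,v"))
    print("fgrep ar.c   :", fgrep(SAMPLE_BINARY, "ar.c"))
    for name, info in rcs_idents(SAMPLE_BINARY).items():
        print(name, info["revision"], info["stamp"])
    print("libar ar.c compiled in:", built_from(SAMPLE_BINARY, "ar.c"))
```

Matching on the parsed file name rather than a substring keeps `dkim-ar.c` from being mistaken for `ar.c`.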



Re: [dkim-milter-discuss] Checking results with openssl

2008-12-17 Thread Murray S. Kucherawy
On Thu, 18 Dec 2008, deiva shanmugam wrote:
 I had built 64-bit libdkim in solaris 10. I'm trying to cross 
 check whether the body hash and signature created by libdkim against 
 openssl , by doing manual canonicalization and calculating hash and 
 signature using openssl commands. But the hash created by both of them 
 differs.

 The Data Was very simple to be: This\r\n

 But the hash was completely different.

 The openssl command was:

   openssl dgst -sha1 -in Inputfile -out Outfile

 Inputfile contains : This\r\n

 The Version of dkim-milter i'm using is: dkim-milter-2.8.0.Beta4

In general, please restrict conversations about the beta releases to the 
beta list.  However, this probably applies to all versions and is a 
general theory question.

In the public releases, try setting the environment variable DKIMDEBUG to 
c, then restart your filter and send your test message.  In /var/tmp 
you'll find some dkim.* files named, in part, after the MTA job ID that 
was processed.  You should be able to back-track from your logs or the 
Received: headers in your message to find the canonicalized body.  You can 
then diff that against your original file to see how they may have 
changed between your file and what the MTA actually saw.

The method is different in the 2.8.0 Beta releases.  Check your 
dkim-filter.conf(5) man page for details there.
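
Added example, not part of the original message and not libdkim's code: the body canonicalization and `bh=` computation as specified in RFC 6376 sections 3.4.3 and 3.4.4, for cross-checking a digest produced by hand. `openssl dgst` prints the digest in hex while `bh=` carries the same bytes in base64, and a file saved with bare LF line endings does not hash like the CRLF form the MTA sees; the function names are this example's own.

```python
import base64
import hashlib
import re


def to_crlf(data: bytes) -> bytes:
    """Turn bare LF line endings into CRLF, the form used on the SMTP wire."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", data)


def canon_body_simple(body: bytes) -> bytes:
    """'simple' body: drop empty lines at the end, then end with one CRLF.

    An empty body therefore canonicalizes to a single CRLF.
    """
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed' body: collapse runs of SP/HTAB to one SP, strip whitespace at
    the end of each line, drop empty lines at the end. Empty body stays empty.
    """
    lines = []
    for line in body.split(b"\r\n"):
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


CANONICALIZERS = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}


def body_hash(body: bytes, canon: str = "simple", algo: str = "sha1") -> str:
    """Return the value that belongs in the bh= tag for this body."""
    digest = hashlib.new(algo, CANONICALIZERS[canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")


def hex_to_bh(hex_digest: str) -> str:
    """Convert the hex digest printed by `openssl dgst` into bh= form."""
    return base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


if __name__ == "__main__":
    wire = b"This\r\n"            # what the MTA hands to the filter
    unix_file = b"This\n"         # the same text saved with a bare LF
    print("bh (wire form)      :", body_hash(wire))
    print("bh (bare-LF file)   :", body_hash(unix_file))
    print("bh (file -> CRLF)   :", body_hash(to_crlf(unix_file)))
    print("hex digest as bh    :", hex_to_bh(hashlib.sha1(wire).hexdigest()))
    print("relaxed/sha256      :", body_hash(wire, "relaxed", "sha256"))
```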



Re: [dkim-milter-discuss] [EMAIL PROTECTED] - no DNS entry

2008-11-25 Thread Murray S. Kucherawy
On Tue, 25 Nov 2008, Tamara McDonald wrote:
 dkim is now signing however the dkim test to dk.elandsys.com is not 
 giving me a clean test.  Also gmail sets me at dkim=neutral.

Your signature says:

 DKIM-Signature: v=1; a=rsa-sha1; c=simple/simple; d=ns1.rentapad.com;
s=mail; t=1227635239; bh=s75zFFqW8KSw5Gb4dsEga72PgKQ=; h=From:To:
 Subject; b=d1eAD3IRfpx58kVIXEzr28L1Kvn+3qFKhTl4hOG0SWEMf7QWfVn0VKO
NzpspZ4LLg7rXK0fCDlwxko/b6D/nuSXmnC2RkFbnFD/pTgvJ3yyCb0cAOLE4+J0IcS
bEwNxWa/ALSxyJphlZMRcEoNwh3Vej7uKbxcFrTk9IWdggOgo=

I don't see a key in your DNS at mail._domainkey.ns1.rentapad.com.  Hence, 
the errors you're getting are correct.

Also, you may be confusing DomainKeys with DKIM.  They're not the same 
thing.



Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers

2008-11-23 Thread Murray S. Kucherawy
Please paste the output of:

% strings dkim-filter-path | fgrep ar.c,v

I've looked over the most recent libar source code but can't find any code 
path that would cause UDP descriptor leakage.  I want to make sure I'm 
looking at the same copy of that file that you're using.



Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers

2008-11-18 Thread Murray S. Kucherawy
On Sun, 16 Nov 2008, Jim Hermann - UUN Hostmaster wrote:
 I was not using the asynchronous (ARLIB) resolver, so I compiled 
 dkim-filter version 2.7.0 with define(`bld_USE_ARLIB', `True').

In that case any leftover descriptors prior to your rebuild are in use by 
(and perhaps leaked by) your system's resolver library.

 After a week with the new dkim-filter, there are 25 netstat udp entries 
 for my Upstream Nameserver #1 and 5 entries for the local nameserver, 
 all for dkim-filter.

I've been running dkim-milter 2.8.0.Beta2 for eight days now and it has 
one TCP port open on which it is listening and two UDP ports open which 
aren't associated with anything in particular.  The former is for 
accepting connections from the MTA; the latter are presumably for DNS 
work.

If you have lsof installed, using it on your dkim-filter process would 
be really helpful in corroborating what netstat is claiming.  I would 
trust the output of lsof before that of netstat in terms of tracking 
down a possible problem.

 DKIM does not release the tcp ports either.  It has 6 tcp ports open to 
 port  on the local machine.

That would be the MTA connecting to dkim-filter.  There's one of those for 
every connection your MTA has open.  That's normal.  The connections go 
away when the SMTP client disconnects from the MTA.  Try it yourself; 
telnet to your own port 25 and you should see one more TCP connection 
appear between the MTA and the filter; disconnect, and it should go away.



Re: [dkim-milter-discuss] AOL.COM DKIM Check Header: X-AOL-SCOLL-AUTHENTICATION

2008-11-09 Thread Murray S. Kucherawy
On Sat, 8 Nov 2008, Jim Hermann - UUN Hostmaster wrote:
 Why would AOL.COM add this Header to a received email?

 X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-m271.1 ; domain : No
 domain found DKIM = none

You'd have to ask AOL's postmaster team about that one.  The headers look 
fine to me.  Perhaps it was a transient DNS error at the time that mail 
tried to get in.



Re: [dkim-milter-discuss] AOL.COM DKIM Check Header: X-AOL-SCOLL-AUTHENTICATION

2008-11-09 Thread Murray S. Kucherawy
On Sat, 8 Nov 2008, Jim Hermann - UUN Hostmaster wrote:
 I found another one and it failed, rather than just reporting none.

 X-AOL-SCOLL-AUTHENTICATION: mail_rly_antispam_dkim-m222.2 ; domain : 
 uuserver.net DKIM = fail

 Any ideas why it failed?

At a glance, no.  I'd have to have a copy of the original to try it with 
my own code.



Re: [dkim-milter-discuss] dkim-filter connections to upstream nameservers

2008-11-09 Thread Murray S. Kucherawy
On Sat, 8 Nov 2008, Jim Hermann - UUN Hostmaster wrote:
 Why does my dkim-filter make and keep open so many connections to my 
 upstream DNS?
 [...]

Just to be precise, there's no such thing as a UDP connection, just a 
socket that gets reserved for communication with a particular source.

Are you compiling with USE_ARLIB enabled?  If so, that might be something 
we can address by fixing that library.  If not, your operating system's 
resolver library is responsible for the sockets.



[dkim-milter-discuss] dkim-milter-2.8.0 betas starting

2008-11-07 Thread Murray S. Kucherawy
Beta releases of 2.8.0 have begun and are available for download from 
SourceForge.

The usual request applies:

Please restrict discussion of comments on or issues with the Beta to the 
dkim-milter-beta list. Don't use this list or the trackers on SourceForge.

Also, I won't be making regular announcements about new Beta releases. 
If you want to be notified, subscribe to notifications via the tools on 
SourceForge for the Pre-Release package.

I'm hoping to do the formal release in about a week to ten days.

The main features of this release include DNSSEC support and experimental 
improved handling of some MTA header field rewrites.  Some support for 
more of the dkim-reporting draft extensions has also been added, and 
several other minor improvements were also made.

Enjoy!

-MSK



Re: [dkim-milter-discuss] Header folding and verification

2008-11-07 Thread Murray S. Kucherawy
On Fri, 7 Nov 2008, SM wrote:
 Section 5.5 of the DKIM specification has a list of headers that should 
 be included in the signature.  The To: header is part of that.

 It's not a good idea not to sign the To: header as it's part of the 
 visible headers that are displayed in the MUA.

Moreover, the sendmail MTA will rewrite about a dozen header fields if 
they're present with the same formatting code.  If you insist on omitting 
To, by the same logic you may as well omit the rest of them.

Unfortunately, From: is one of them, and that one MUST be signed. 
(Fortunately, though, it almost always contains only a single address so 
it doesn't really get rewritten.)

There's also at least one verifier out there that insists To (and 
Subject and any other header field most MUAs render) be signed or it 
considers the signature invalid.

To mitigate some of these false verification failures, I'm considering 
making relaxed/simple the default canonicalization for the filter rather 
than simple/simple.  Opinions?



Re: [dkim-milter-discuss] dkim and Yahoo

2008-11-07 Thread Murray S. Kucherawy
On Fri, 7 Nov 2008, Bailo, John wrote:
 Has anyone had any experience with dkim and yahoo.com?

They are in the process of deploying DKIM verification (using libdkim, in 
fact) but have not yet completed that work.



Re: [dkim-milter-discuss] dkim-filter: (stdin): verify mode requires rsa-sha256 support on OpenBSD

2008-11-07 Thread Murray S. Kucherawy
Apparently the version of OpenSSL that comes stock on OpenBSD (at least 
the version you have) is not 0.9.8 or later, which was the first version 
in which SHA256 was provided.

You'll need to upgrade your installed version of OpenSSL to get the right 
stuff.



Re: [dkim-milter-discuss] Another interesting verification fail...

2008-11-05 Thread Murray S. Kucherawy
On Wed, 5 Nov 2008, Jonas Eckerman wrote:
 Seeing as quite a few mailing lists alter the messages (adding footers, 
 tags, and sometimes even ads), stripping signatures should continue. The 
 alternative would be to leave the signatures even though verification is 
 virtually guaranteed to fail.

I disagree.  The preferred solution would be to have the MLM re-sign the 
message on distribution.  That way, when the MLM receives the message and 
performs DKIM verification, that verification could be recorded by the 
addition of an Authentication-Results: header as passing.  Then the new 
signature added by the MLM would protect that header's content (i.e. the 
original pass), even if the MLM's modifications invalidate the author's 
signature.



Re: [dkim-milter-discuss] setting Internal Hosts in a Suse 11 Postfix installation

2008-11-04 Thread Murray S. Kucherawy
On Tue, 4 Nov 2008, Bailo, John wrote:
 I read that I have to specify Internal Hosts or subnets in the 
 dkim-filter.conf however, I cannot find this file in my installation(!)

You can create one, or you can specify the internal host list on the 
command line (check the man page for details).  Either will work.

 Is this something I should just create with vi?

Yes, with respect to both files.

 Do you think adding the IP address range to Internal Hosts will solve the 
 problem of the signature not being added?

Yes, that's its intent.



Re: [dkim-milter-discuss] setting Internal Hosts in a Suse 11 Postfix installation

2008-11-04 Thread Murray S. Kucherawy
On Tue, 4 Nov 2008, Bailo, John wrote:
 How can I determine where to create dkim-filter.conf?

 In what subdirectory?

It's up to you.  I suppose /etc/mail is a common location, but there are 
no restrictions.

 However the service is started with:

   /usr/sbin/rcdkim

 In this script, I see

 DKIM_BIN=/usr/bin/dkim-filter

Does that script make any reference to a configuration file at all?  If 
not you may have to modify it to have dkim-filter use your configuration 
file in whatever location you select when it starts.

 Does dkim-filter automatically look for dkim-filter.conf ?

No.



Re: [dkim-milter-discuss] setting Internal Hosts in a Suse 11 Postfix installation

2008-11-04 Thread Murray S. Kucherawy
On Tue, 4 Nov 2008, Bailo, John wrote:
 I'm guessing, but I think what I need to do is edit the startup script 
 scdkim and change

 DKIM_BIN=/usr/bin/dkim-filter

 To

 DKIM_BIN=/usr/bin/dkim-filter -C /etc/mail/dkim-filter.conf

-x instead of -C, but yes.

 Then in dkim-filter.conf I would add (this is my reference
 http://bugs.gentoo.org/attachment.cgi?id=148815 ):

 InternalHosts /etc/mail/dkim-filter/internalhosts


 And in /etc/mail/dkim-filter/internalhosts, I would add

 192.168.26.0/24

 To handle all the servers on my subnet...

Looks right to me.



[dkim-milter-discuss] Adding DNSSEC to dkim-filter

2008-10-22 Thread Murray S. Kucherawy
Thanks to John Dickinson, a patch has been provided which adds support for 
DNSSEC to libdkim.  This will appear in v2.8.0 of the filter which I'm 
hoping to put into public beta as early as next week.

This will necessarily create a couple of new configuration options since 
the DNSSEC data may have an impact in terms of local policy.

I was thinking about adding an authentication method to the 
Authentication-Results: draft called something like dkim-sec 
representing the DKIM result if the key/policy records were secured with 
DNSSEC, but that draft is on its way to publication so I don't want to 
make any changes to it now.  So until it's appropriate to publish an 
extension to it, we're left with adding a parenthetical comment to the 
Authentication-Results: header field which reflects the DNSSEC result, or 
changing the actual result based on key/policy security (or both).  I plan 
to do the comments regardless, but I'm thinking about how to do the other.

The result for any DNSSEC-aware query basically comes down to one of these 
four:

- evaluation not completed (unknown)
- signer not using DNSSEC (insecure)
- signer using DNSSEC, successful (secure)
- signer using DNSSEC, unsuccessful (bogus)

Therefore, I believe we need four new configuration settings.  In 
particular (with invented names so far):

InsecureKey
- specifies what to do with insecure keys
- possible values:
- ignore (no action; default)
- neutral (degrade a pass to neutral)
- fail (degrade a pass to fail)

BogusKey
- specifies what to do with bogus keys
- possible values:
- ignore
- neutral
- fail (default)

InsecureADSP
- specifies what to do with insecure keys
- possible values:
- apply (default)
- ignore

BogusADSP
- specifies what to do with bogus ADSP records
- possible values:
- apply
- ignore (default)

Opinions welcome!

-MSK



Re: [dkim-milter-discuss] Selection of signing domain by arbitrary header?

2008-10-13 Thread Murray S. Kucherawy
On Wed, 1 Oct 2008, Florian Sager wrote:
 According to my tests the first field of the list always refers to the 
 From header. A SIGNINGDOMAIN_HEADER would help in the following case (we 
 discussed this in our working group):

I replied to this about two weeks ago but never got further response or a 
feature request on SourceForge.  So:

1) Is this still a concern?

2) If so, will _FFR_SELECTOR_HEADER not suffice?



Re: [dkim-milter-discuss] Extra spaces in DKIM-Signature

2008-10-06 Thread Murray S. Kucherawy
On Sat, 4 Oct 2008, UUN Hostmaster wrote:
 Each continuation line is preceded by a return (/n) and tab (/t). 
 However, the value for h= has an extra space in front of Content-Type: 
 and MIME-Version.

Yep, this is intentional.  I wanted continued values within the header to 
be indented a bit more to show that it's a continued value within a 
continued value.  In fact, I'd like to add that for other values that 
might wrap, such as bh=, b= and z=.

 I run milter-null and it looks for Date: and Message-ID:, followed by a 
 space, anywhere in a bounce message.  It is confusing the DKIM-Signature 
 continuation line as part of the Message-ID:

Sounds more like an issue with milter-null.  Shouldn't it be looking for 
lines that start with Date:  and Message-ID:  rather than for those 
strings anywhere in the message?

As it is right now (based on your description) this won't be the last 
instance of it mis-identifying a message.
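
Added example, not from the original message and not milter-null's code: a simplified model of the two matching strategies discussed above, run on a constructed header block that has a folded DKIM-Signature but no Message-ID field. It contrasts a substring search with matching field names on unfolded header lines (RFC 5322), and shows that the extra indent inside `h=` disappears once the tag value is parsed; all names and sample values are this example's own.

```python
import re

# Constructed header block: it carries a folded DKIM-Signature but no
# Message-ID field of its own. Domain, selector and tag values are placeholders.
SAMPLE = "\r\n".join([
    "Received: from mx.example.net by mail.example.org; Sat, 4 Oct 2008 10:00:00 -0500",
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=sel;",
    "\tt=1223132400; bh=BODYHASHPLACEHOLDER=;",
    "\th=From:To:Subject:Date:Message-ID:",
    "\t Content-Type:MIME-Version;",
    "\tb=SIGNATUREPLACEHOLDER",
    "From: sender@example.org",
    "To: rcpt@example.net",
    "Subject: test",
    "",
    "Body text.",
    "",
])


def naive_find(raw: str, name: str) -> bool:
    """Substring scan: 'Name:' followed by whitespace anywhere in the text."""
    return re.search(re.escape(name) + r":\s", raw) is not None


def parse_headers(raw: str) -> list:
    """Split off the header block and unfold continuation lines.

    A line that starts with SP or HTAB continues the previous field, so it
    can never introduce a field name of its own.
    """
    head, _, _ = raw.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += line          # unfold: keep the whitespace
            continue
        name, sep, value = line.partition(":")
        if sep:
            fields.append([name, value])
    return [(name.strip(), value.strip()) for name, value in fields]


def has_header(raw: str, name: str) -> bool:
    """True only when a real header field with this name exists."""
    return any(n.lower() == name.lower() for n, _ in parse_headers(raw))


def signed_header_names(raw: str) -> list:
    """Return the names listed in the h= tag of the first DKIM-Signature."""
    for name, value in parse_headers(raw):
        if name.lower() != "dkim-signature":
            continue
        for tag in value.split(";"):
            tag_name, sep, tag_value = tag.partition("=")
            if sep and tag_name.strip() == "h":
                # Whitespace around the colons is folding, not data.
                return [h.strip() for h in tag_value.split(":") if h.strip()]
    return []


if __name__ == "__main__":
    print("substring scan sees Message-ID:", naive_find(SAMPLE, "Message-ID"))
    print("header parse sees Message-ID  :", has_header(SAMPLE, "Message-ID"))
    print("h= names:", signed_header_names(SAMPLE))
```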



Re: [dkim-milter-discuss] Selection of signing domain by arbitrary header?

2008-09-12 Thread Murray S. Kucherawy
On Fri, 12 Sep 2008, Florian Sager wrote:
 I am looking for something similar, a SIGNINGDOMAIN_HEADER:
 Enable selection of which signing domain to use when signing based on the
 contents of an arbitrary header (default is signing by the domain in the
 From header).

Doesn't the key list already support this behaviour?  For example:

[EMAIL PROTECTED]:domain1.com:/path/to/keys/for/domain1/foo
[EMAIL PROTECTED]:domain2.com:/path/to/keys/for/domain2/bar

The second field in that table defines the signing domain, and the 
selector is inferred from the path to the key, so [EMAIL PROTECTED] 
signatures would include s=foo; d=domain1.com and [EMAIL PROTECTED]
signatures would include s=bar; d=domain2.com.

If that's not what's happening then there's a bug.



Re: [dkim-milter-discuss] selctive not signing mails to special domain

2008-09-11 Thread Murray S. Kucherawy
On Thu, 11 Sep 2008, Robert Schetterer wrote:
 is there a parameter/list in dkim-filter
 to exclude dkim signing for outgoing mails
 to special domains

v2.6.0 added a DontSignMailTo feature, available via the configuration 
file.  Check the dkim-filter.conf(5) man page for details.



Re: [dkim-milter-discuss] Message from Yahoo not hitting under milter-dkim

2008-09-06 Thread Murray S. Kucherawy
On Sat, 6 Sep 2008, Dan Mahoney, System Admin wrote:
 Can anyone help me figure this out?  I realize it's only been a few 
 months since I last had DKIM working, and have fallen a little behind 
 since the specs and standards all change overnight, but...

 My message (sent through YahooGroups) with full headers is at
 http://www.gushi.org/dkim_message.txt

 Milter-dkim claims it's unsigned (although SpamAssassin detects the
 signature separately).

It's a correct claim.  There's no DKIM-Signature: header field in the 
message.

It is, however, signed with DomainKeys (there's a DomainKey-Signature: 
header field).



Re: [dkim-milter-discuss] how 'whitelist' a site

2008-08-29 Thread Murray S. Kucherawy
On Thu, 28 Aug 2008, steve ladewig wrote:
 I belong to a couple of mailing lists which are producing things like:
 SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too
 short; error:04077068:rsa routines:RSA_verify:bad signature
 SSL error:04077068:rsa routines:RSA_verify:bad signature

"pkcs1 padding too short" generally means the public key matching the 
signature on the message is corrupted.  This probably has nothing to do 
with the fact that it's coming from a mailing list.

 So i created a peerlist file with the CIDR in it and added it to 
 dkim-filter.conf. The milter seems to ignore it.

Right, that's what the peerlist is for.

 I also created a TrustSignaturesFrom file with the domain name of the 
 listserver in it. This didn't work either.

That just means you should trust signatures from specific domains (rather 
than ignoring them) if the domain of the signature doesn't match the 
domain of the From: header.  Also probably not relevant to your case.

If you're interested in debugging the problem, have the person who sent 
the message which failed try sending you a message directly to see if that 
works.



Re: [dkim-milter-discuss] Any problems with 2.7.1?

2008-08-28 Thread Murray S. Kucherawy
There is indeed an issue, introduced by the OpenSSL threading code 
activated in 2.7.1.  It appears only on Solaris (versions uncertain) 
because of a certain aspect of its threading implementation.

A fix will be posted shortly, after I do a little more testing.



Re: [dkim-milter-discuss] Any problems with 2.7.1?

2008-08-28 Thread Murray S. Kucherawy

Attached is a patch that fixes the problem.

The OpenSSL thread locking code added in 2.7.1, which OpenSSL requires in 
order to be thread-safe, contained a bug which leaked a small amount of 
memory (one int per thread) on all operating systems, and had the added 
bonus of provoking an infinite loop upon thread exit on Solaris because of 
an idiosyncrasy in Sun's implementation of pthreads.


The patch I sent out privately as a trial earlier today fixes the loop, 
but not the leak.


The actual patch here is only two lines of additional code, but it's 
wrapped in descriptive text which is why the patch is somewhat larger 
than that.


I'll probably release a v2.7.2 in about a week which contains this fix.

If you're not having any problems with 2.7.0, feel free to downgrade to it 
or remain there until the 2.7.2 announcement.  On the other hand, if you 
were having problems with 2.7.0, the upgrade to 2.7.1 plus this patch is 
the way to go for now.

Index: dkim-crypto.c
===
RCS file: /cvs/dkim-filter/dkim-crypto.c,v
retrieving revision 1.2
retrieving revision 1.4
diff -u -r1.2 -r1.4
--- dkim-crypto.c   28 Aug 2008 06:41:31 -  1.2
+++ dkim-crypto.c   28 Aug 2008 21:51:31 -  1.4
@@ -2,11 +2,11 @@
 **  Copyright (c) 2008 Sendmail, Inc. and its suppliers.
 ** All rights reserved.
 **
-**  $Id: dkim-crypto.c,v 1.2 2008/08/28 06:41:31 msk Exp $
+**  $Id: dkim-crypto.c,v 1.4 2008/08/28 21:51:31 msk Exp $
 */
 
 #ifndef lint
-static char dkim_crypto_c_id[] = @(#)$Id: dkim-crypto.c,v 1.2 2008/08/28 
06:41:31 msk Exp $;
+static char dkim_crypto_c_id[] = @(#)$Id: dkim-crypto.c,v 1.4 2008/08/28 
21:51:31 msk Exp $;
 #endif /* !lint */
 
 /* system includes */
@@ -100,9 +100,27 @@
 static void
 dkimf_crypto_free_id(void *ptr)
 {
+   /*
+   **  Trick dkim_crypto_get_id(); the thread-specific pointer has already
+   **  been cleared at this point, but dkimf_crypto_get_id() will be
+   **  called by libcrypto which will in then allocate a new thread
+   **  pointer if the thread-specific pointer isn't set.  This means
+   **  a memory leak of thread IDs and, on Solaris, an infinite loop
+   **  because the destructor (indirectly) re-sets the thread-specific
+   **  pointer to something not NULL.  See pthread_key_create(3).
+   */
+
+   assert(pthread_setspecific(id_key, ptr) == 0);
+
ERR_remove_state(0);
if (ptr != NULL)
free(ptr);
+
+   /*
+   **  Now we can actually clear it for real.
+   */
+
+   assert(pthread_setspecific(id_key, NULL) == 0);
 }
 
 /*
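Review bot: In dkimf_crypto_free_id(), both new pthread_setspecific() calls sit inside assert(), so a build with NDEBUG defined compiles them out and the destructor falls back to the leak and Solaris loop that the new comment describes. Call pthread_setspecific() unconditionally, keep its return value in a local, and assert on or log that value instead. The comment also spells the function both dkim_crypto_get_id() and dkimf_crypto_get_id(), and "will in then allocate" has a stray word.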


Re: [dkim-milter-discuss] dkim-milter 2.7.0 considers some DK signatures from yahoo invalid

2008-08-27 Thread Murray S. Kucherawy
On Wed, 27 Aug 2008, Mark Martinec wrote:
> Is this a known limitation of dkim-milter, or a bug?

A patch to libdk which addresses this problem has been posted to the 
dk-milter-discuss mailing list.



Re: [dkim-milter-discuss] dkim-milter 2.7.0 considers some DK signatures from yahoo invalid

2008-08-26 Thread Murray S. Kucherawy
On Wed, 27 Aug 2008, Mark Martinec wrote:
> Is this a known limitation of dkim-milter, or a bug?

It appears to be a bug in libdk, not in dkim-milter or libdkim.



Re: [dkim-milter-discuss] dkim-milter crushing / 2.7 / milter_protocol = 6

2008-08-06 Thread Murray S. Kucherawy
On Wed, 6 Aug 2008, Zbigniew Szalbot wrote:
> Many thanks - I started the milter manually and now I am waiting for the
> dump.

Also, be sure you compiled the filter with debugging enabled (i.e. the 
-g flag passed to your compiler) so that the coredumps are detailed. 
Instructions for doing that are in site.config.m4.dist near the top.



Re: [dkim-milter-discuss] dkim-milter crushing / 2.7 / milter_protocol = 6

2008-08-06 Thread Murray S. Kucherawy
On Thu, 7 Aug 2008, Mark Martinec wrote:
> I don't think it is worth the trouble. There are several things one
> needs to be aware of and check when setting up a core dump trap, a
> current working directory is just a minor detail.

The other possible use I can think of: by setting a base directory, other 
paths in the configuration file can be relative instead of absolute.



Re: [dkim-milter-discuss] DKIM Failing -- Looking for guidance

2008-08-05 Thread Murray S. Kucherawy
On Tue, 5 Aug 2008, Mark Martinec wrote:
> As some mailers (like the Microsoft SMTPSVC apparently) move a
> signature towards the end of a message header, it is prudent that
> DKIM verifiers search the entire header section for the listed
> header fields. The Mail::DKIM module does so, I'm not sure about
> the verifier at sendmail.net.

libdkim (and thus that verifier) is position-agnostic as well.



Re: [dkim-milter-discuss] Signing verification failures

2008-08-04 Thread Murray S. Kucherawy
On Mon, 4 Aug 2008, Alan Halachmi wrote:
> My question is simply:  Is there yet a mechanism to get DKIM to work in
> this configuration?  The DKIM signature consistently fails.

Since the signature is added based on what the filter sees via SMTP 
inbound, and the rewriting of the headers occurs outbound, you're 
guaranteed that any signature that gets added will be invalidated when the 
MTA rewrites the headers.

The most common solutions are:

1) Inject the headers such that they don't need rewriting.

2) Run a second MTA which does the signing after your genericstable and 
masquerading are done.  It's possible to do this on the same machine.

3) Try compiling the filter with and using _FFR_REPLACE_RULES, which 
provides the means to do string substitution before canonicalization in 
message headers.  This code is experimental but was seen to work in unit 
tests.  If you want to go this route, let me know and I can give you a 
quick rundown on how to use it.

-MSK



Re: [dkim-milter-discuss] Signing verification failures

2008-08-04 Thread Murray S. Kucherawy
On Mon, 4 Aug 2008, Alan Halachmi wrote:
> Looking through the conversation today with Jim Maloney, it would
> seem that the issue I describe below is fixable either with a second MTA
> or proper use of _FRR_REPLACE_RULES.  I've compiled in the
> _FRR_REPLACE_RULES option, but I wasn't able to find documentation on
> how to invoke it.

FFRs (For Future Release features) are undocumented deliberately, because 
I don't want to provide something and then remove it later if it's decided 
that the feature was a bad idea.

When you compile with _FFR_REPLACE_RULES, you add a new configuration file 
option called ReplaceRules.  This names a file which should contain 
entries of the form:

regexp  TAB   string

(Blank lines are ignored, and the # character denotes the beginning of a 
comment which is also ignored.)

Then, anywhere there's text matching regexp in the value of any header 
field in the message, that text will be replaced by string.  So if your 
file contains:

host\.example\.com  TAB   example.com

...then this:

From: [EMAIL PROTECTED]

...will be canonicalized as:

From: [EMAIL PROTECTED]

You can have any number of lines in the ReplaceRules file you create.  The 
rules are all applied in order to each header field as it arrives.  That 
means more than one rule can match, so if your ReplaceRules file contains:

X   tab   Y
Y   tab   Z

...then all Xs will be changed to Ys, and then all Ys will be changed to 
Zs.  However, in the opposite order, you'd get a different result.

(Note that I've exaggerated the spaces in the lines for illustration 
reasons; the actual lines would look like:

X   Y
Y   Z

...and those are single tabs, not seven spaces, in between the two fields 
on each line.)

This is currently done in both signing and verifying mode, but I'm pretty 
sure I want to change it so it only applies in signing mode.

Let me know if you have any further questions.

-MSK
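
The rule-file behaviour described in this message, as an added Python sketch that is not dkim-filter's code: it parses `regexp<TAB>string` lines, skips blanks and `#` comments, and applies the rules in file order to header field values. Python's `re` stands in for the filter's regexp engine, and the strict one-tab parsing, the function names and the sample addresses are assumptions made for illustration.

```python
import re

# Constructed sample rules file. Fields are separated by one real tab (\t).
SAMPLE_RULES = (
    "# rewrite the internal host name to the public domain\n"
    "\n"
    "host\\.example\\.com\texample.com\n"
)


def parse_replace_rules(text):
    """Return the rules as an ordered list of (compiled regexp, replacement)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # '#' starts a comment
        if not line.strip():
            continue                            # blank lines are ignored
        fields = line.split("\t")
        if len(fields) != 2 or not fields[0]:
            # Typical mistake: spaces typed where the single tab belongs.
            raise ValueError("line %d: expected regexp<TAB>string" % lineno)
        rules.append((re.compile(fields[0]), fields[1]))
    return rules


def apply_rules(rules, value):
    """Apply every rule, in file order, to one header field value."""
    for regexp, replacement in rules:
        # A function replacement keeps the string literal (no \1 expansion).
        value = regexp.sub(lambda match: replacement, value)
    return value


def rewrite_header(rules, header):
    """Rewrite only the value of a 'Name: value' header field."""
    name, sep, value = header.partition(":")
    return name + sep + apply_rules(rules, value)


if __name__ == "__main__":
    rules = parse_replace_rules(SAMPLE_RULES)
    # Constructed header: the internal host name is replaced before signing.
    print(rewrite_header(rules, "From: Alice <alice@host.example.com>"))
    # Rule order matters: the same two rules give different results.
    forward = parse_replace_rules("X\tY\nY\tZ\n")
    reverse = parse_replace_rules("Y\tZ\nX\tY\n")
    print(apply_rules(forward, "XY"), apply_rules(reverse, "XY"))
```

A line typed with spaces instead of the tab is rejected by the parser rather than silently treated as one long pattern.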



Re: [dkim-milter-discuss] Is dkim-milter-2.7.0 beta?

2008-07-31 Thread Murray S. Kucherawy
On Wed, 30 Jul 2008, Jim Hermann - UUN Hostmaster wrote:
> Is dkim-filter version 2.7.0 for beta testing or production?

It's a production release.  The beta series ended late last week.



Re: [dkim-milter-discuss] Not signing

2008-07-31 Thread Murray S. Kucherawy
Jim Maloney wrote:
> I have set up DKIM-filter to work with sendmail and have obviously
> missed something because my mail is not being signed.  [...]
>
> mail._domainkey.clubshop.com. IN TXT
> ( k=rsa; t=y;
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Kz+5d4CuaGKRJAKg6vmaBKFJhs6I60c70yIQOj3NwHi
> FIhlu0f/GJGGxSf21JY+VcHNjGcevXkSrpsnTeENF8CkcIyjduDhDsElkFprKTDqeIA50u9BCKkKla4cvzjET
> XRw+6Ijc7bqtKxxOmE2l29K21NwZ )

What's with all the *s?

> mail._domainkey. TXT
> XRw+6Ijc7bqtKxxOmE2l29K21Nw ) DELETE UPDATE
> mail._domainkey. TXT ( k=rsa; t=y; DELETE UPDATE
> mail._domainkey. TXT
> p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Kz+5d4CuaGKRJAKg6vmaBKFJhs6I60c70yIQOj3NwHi

It looks like you've taken something that should be in one single TXT 
record and spread it across four TXT records.  You need to merge them 
all into one record and reload your nameserver with the corrected data.  
The verifying agent will not do that for you as the protocol specifies 
that the reply should be all in one piece.


> Tests:
>
> sudo /usr/bin/dkim-testkey -d clubshop.com -k /var/db/dkim/mail.key.pem
> -s mail
> dkim-testkey: multiple DNS replies for `mail._domainkey.clubshop.com'

That confirms the error.


> /var/log/maillog after mailing to [EMAIL PROTECTED]
> Jul 29 11:14:12 outbound2 sendmail[5379]: m6TFEAij005379:
> from=j.maloney, size=44, class=0, nrcpts=1,
> msgid=[EMAIL PROTECTED],
> [EMAIL PROTECTED]
> Jul 29 11:14:18 outbound2 sendmail[5380]: m6TFECvJ005380:
> from=[EMAIL PROTECTED], size=356, class=0, nrcpts=1,
> msgid=[EMAIL PROTECTED], proto=ESMTP,
> daemon=MTA, relay=outbound2.clubshop.com [127.0.0.1]
> Jul 29 11:14:28 outbound2 sendmail[5380]: m6TFECvJ005380: Milter
> (dkim-filter): timeout before data read, where=body

This is odd; it suggests your filter was either hung or crashed.  Do you 
have any core dumps or other evidence that it died and restarted?



Re: [dkim-milter-discuss] Quick libdkim question

2008-07-29 Thread Murray S. Kucherawy
Erik Lotspeich wrote:
> I am wondering about dkim_getsiglist().  Can a message contain multiple
> valid signatures?  How does this function differ from dkim_getsignature()?
> When should I use each one?

It depends on how much control you want over signature processing.

dkim_getsignature() is used late in the process (i.e. after 
end-of-message) to return the first signature that validated or, if none 
did, the first syntactically valid signature.  This is useful for an 
application with very simple policies.

dkim_getsiglist() returns all signatures that were minimally 
syntactically valid, and this information is available much earlier in 
message processing (i.e. at end-of-headers).  You can use the signature 
array you get back to inspect each one and mark specific ones to be 
ignored by the library.  You can request the signature list late in the 
process too if you want to inspect all valid signatures to see which 
one(s) you want to report.

Yes, a message can contain multiple valid signatures, if for example two 
different agents (maybe the sender and his/her ISP) signed it.  This is 
why dkim_getsiglist() was added to the API.

> I also have a question about dkim_sig_getbh().  The comments refer to a
> bh test state.  What is the bh test state?

The bh tag on a signature is a cryptographic hash of the message 
body.  The bh flag inside a signature handle is an indication of 
whether or not the body hash in the DKIM signature matched the message 
body the library was given.

This is an important step of DKIM verification.  The actual cryptography 
in a DKIM signature only covers the headers and the signature itself 
(which in turn includes the body hash), meaning signature validation 
only proves the headers and signature were unchanged in transit.  You 
have to take the extra step of checking that the body hash in the 
signature also matched the body you got, otherwise someone could send an 
altered body and you'd still approve it.
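
The body-hash step described in this message, as an added Python sketch that is not libdkim's code: it canonicalizes the body with the "simple" or "relaxed" algorithm from the DKIM specification, recomputes the hash and compares it with the signature's bh tag. Verifying the RSA signature over the headers is outside its scope; the function names, the sample bodies and the signature header are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re


def canon_body(body, mode):
    """Canonicalize a CRLF-delimited message body ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if lines and lines[-1] == b"":
        lines.pop()                      # artefact of the final CRLF
    if mode == "relaxed":
        # Collapse runs of whitespace, drop whitespace at end of line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown canonicalization: %r" % mode)
    while lines and lines[-1] == b"":
        lines.pop()                      # ignore empty lines at end of body
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def compute_bh(body, mode="simple", hash_name="sha256", length=None):
    """Base64 body hash as it would appear in the bh tag."""
    data = canon_body(body, mode)
    if length is not None:
        data = data[:length]             # l= counts canonicalized octets
    return base64.b64encode(hashlib.new(hash_name, data).digest()).decode()


def parse_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for item in sig_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def body_hash_matches(sig_value, body):
    """True only if the bh tag matches the body that actually arrived."""
    tags = parse_tags(sig_value)
    hash_name = tags["a"].split("-", 1)[1]          # rsa-sha256 -> sha256
    if hash_name not in ("sha1", "sha256"):
        raise ValueError("unsupported hash: %r" % hash_name)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    length = int(tags["l"]) if "l" in tags else None
    claimed = re.sub(r"\s+", "", tags["bh"])        # undo header folding
    actual = compute_bh(body, body_mode, hash_name, length)
    return hmac.compare_digest(base64.b64decode(claimed),
                               base64.b64decode(actual))


# Constructed sample data: the signer hashed ORIGINAL; TAMPERED arrived.
ORIGINAL = b"Your invoice total is 10 EUR.\r\n"
TAMPERED = b"Your invoice total is 900 EUR.\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail; "
       "h=from:to:subject; bh=" + compute_bh(ORIGINAL, "relaxed")
       + "; b=CONSTRUCTED-PLACEHOLDER")

if __name__ == "__main__":
    print("original body:", body_hash_matches(SIG, ORIGINAL))
    print("altered body: ", body_hash_matches(SIG, TAMPERED))
```

The headers and the signature field are identical in both runs, so only the body-hash comparison tells the two messages apart.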



Re: [dkim-milter-discuss] MTA option issue

2008-07-18 Thread Murray S. Kucherawy
On Fri, 18 Jul 2008, Rickard Bondesson wrote:
> Yeah, that is correct. And also point out that a message, with a
> sender address from our domain, will be signed even if it is delivered
> from an external host.

That's covered in the OPERATION section of the dkim-filter(8) man page.



Re: [dkim-milter-discuss] MTA option issue

2008-07-17 Thread Murray S. Kucherawy
It sounds like simply changing the description of the default will 
suffice, i.e. change it from "There is no default" to "The default is to 
ignore the MTA name when making the signing decision."

Is that correct?



[dkim-milter-discuss] dkim-milter-2.7.0 betas starting

2008-07-16 Thread Murray S. Kucherawy
The first beta release of 2.7.0 is now available via SourceForge for 
download and testing.

The usual request applies:

Please restrict discussion of comments on or issues with the Beta to the 
dkim-milter-beta list.  Don't use this list or the trackers on 
SourceForge.

I'm hoping to do the formal release in about a week's time.

The beta contains an update to the new SSP draft (now called ADSP, or 
Author Domain Signing Practices), fixes a DNS processing bug, and 
services two feature requests.

If I get some diagnostic information about the crashing that was reported 
recently, I'll see about getting a patch included in the released version.

I have received a patch to add support for DNSSEC but it's a little too 
involved to include in this release.  Look forward to that in a near 
future release.

Enjoy!

-MSK



Re: [dkim-milter-discuss] Different verification settings for different originating domains

2008-07-15 Thread Murray S. Kucherawy
This is precisely what ADSP (Author Domain Signing Practices) is for. 
It's a draft proposal adjunct to DKIM which permits a sending domain to 
announce via DNS a policy like "We sign all our mail, so anything unsigned 
should be considered suspicious."

The idea is: Upon receipt of mail from (to use your example) gmail.com and 
the processing of signatures (if any), an ADSP-aware verifier will also 
query that domain for an ADSP record which advertises what its signing 
practices are.  If that domain advertises "We sign everything" and the 
mail was unsigned, you have reason to be suspicious.  You can in fact go 
one step further and recommend to verifiers that unsigned mail, or mail 
whose signatures fail to verify, should be rejected or discarded.

This is basically a general way to do what Google and Yahoo! have done 
with eBay and PayPal; anyone will be able to tell a verifier that unsigned 
mail from them shouldn't be trusted.

The spec has been changing.  It was originally called SSP, then ASP, and 
is now called ADSP.  dkim-milter has been keeping in step with it as it 
evolves.  Version 2.6.0 queries for an ASP record.  The ADSP version of 
the draft just came out last week, so there's no update available yet to 
use the new name but one will be out soon.

Unfortunately none of those four domains (again, only as examples) 
currently advertise an ADSP record.  Thus we'd have to hack in the ability 
to do ADSP for domains you know sign their mail with DKIM even though the 
published system doesn't show such.  And this is a reasonable feature 
request, so feel free to make that request through the trackers and I'll 
see if I can get it added to the pending release or the one after it.

Good question!

The text of the ASP draft is included in your dkim-milter-2.6.0 tarball as 
draft-ietf-dkim-ssp-03.  The -04 draft includes the rename to ADSP and 
a slightly different algorithm.  It will be included in the tarball of the 
next release, or you can find it under the Internet-Drafts area of 
http://www.ietf.org.

-MSK



Re: [dkim-milter-discuss] dkim stats and bounce messages

2008-07-15 Thread Murray S. Kucherawy
On Tue, 15 Jul 2008, Ben Lentz wrote:
> The From: header contains the sending domain's postmaster address, but I
> believe the SMTP MAIL FROM: contains <> only.

The envelope information isn't used for DKIM, so only the From: header is 
really of interest.

What's the whole Authentication-Results: header of one of those bounces?



Re: [dkim-milter-discuss] dkim-filter dies periodically

2008-07-14 Thread Murray S. Kucherawy
On Fri, 11 Jul 2008, [EMAIL PROTECTED] wrote:
> I just upgraded one of our MXs, and now I'm having a problem where
> dkim-filter periodically dies.  Doesn't dump core, doesn't log SEGV,
> nothing.

SM suggested compiling with -g and running the filter that way, 
hopefully producing a coredump.  Remember that these days you need to 
satisfy certain system requirements to get coredumps:

- process has to have write permission to its current working directory

- process has to have no coredump size limit imposed (set this with the shell)

- process must not have changed its userid (i.e. don't use -u on the 
command line or UserID in the configuration file), OR you must have 
configured your system to dump cores anyway

You can also capture the message which caused it to die by running your 
sendmail MTA with the flag -d71.100.  When the filter crashes, any 
message(s) in progress will be quarantined and you can get them out of the 
queue manually.  If the message doesn't reveal anything sensitive, you can 
(at your discretion of course) submit it as data about the problem.

-
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
___
dkim-milter-discuss mailing list
dkim-milter-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss


Re: [dkim-milter-discuss] dkim-filter dies periodically

2008-07-14 Thread Murray S. Kucherawy
On Fri, 11 Jul 2008, [EMAIL PROTECTED] wrote:
> Jul  9 15:18:40 flotsam dkim-filter[1158]: m69JIeCZ003524: syntax error:
> required header from not found

Although it doesn't cause my filter to crash, I can produce this error by 
trying to send a message through which has a Sender: header but no From: 
header.  The DKIM specification requires a From: header.



Re: [dkim-milter-discuss] SSL Error

2008-07-09 Thread Murray S. Kucherawy
On Wed, 9 Jul 2008, Rickard Bondesson wrote:
> This time I did not need to restart Bind. Just waited like 20 minutes
> and then restarted dkim-filter. The problem remained during these 20
> minutes. Is there some cache in dkim-filter that would keep bad data and
> ruin future validations?

If you compiled with QUERY_CACHE, it will maintain old keys in an internal 
cache for up to the TTL of the record it retrieved.  Without that it 
re-queries the key from DNS each time, relying on the nameserver's cache 
instead.

Other than that, all data are discarded between verify operations.

> I have activated the Syslog option, but is there a way to have dkim
> log more events?

Not at present.  What additional data would you like to see?



Re: [dkim-milter-discuss] DKIM restarting

2008-07-08 Thread Murray S. Kucherawy
If the filter is terminating with signal 11, it should be dumping a core 
(or should be able to).

If you're not finding a core, then the process either:

a) has a current working directory to which it has no write permissions;

b) was started with a coredump size limit of 0;

c) changed userid, perhaps using -u on the command line or UserID in 
the configuration file

If you can solve those, you can get a core.  Then if your binary was 
compiled with -g, you can get a stack trace using your debugger and thus 
some useful hints about what went wrong.



Re: [dkim-milter-discuss] SSL Error

2008-07-08 Thread Murray S. Kucherawy
On Tue, 8 Jul 2008, Rickard Bondesson wrote:
> I am testing a patch to DKIM Milter 2.5.0 that will give support for
> DNSSEC. The problem is that I am getting an SSL Error now and then.
>
> Jul  8 09:57:45 mask dkim-filter[31900]: m687vaAr002778 SSL
> error:04077068:rsa routines:RSA_verify:bad signature;
> error:04077068:rsa routines:RSA_verify:bad signature
> Jul  8 09:57:45 mask dkim-filter[31900]: m687vaAr002778: key retrieval failed

The first line is simply a dump of the error stack from libcrypto.  It 
means a signature verification was attempted (using the RSA_verify() 
function) but that failed, i.e. the data being verified and the signature 
didn't match.  That's all the information you get.

"key retrieval failed" maps to the DKIM_STAT_KEYFAIL error code, which is 
reported when the attempt to retrieve a key from DNS either timed out or 
returned some kind of error.

If you're running with a DNSSEC patch, perhaps the key being returned 
wasn't signed?  (I can only guess without seeing the patch.)



Re: [dkim-milter-discuss] dkim-filter fails to process mail

2008-07-08 Thread Murray S. Kucherawy
On Tue, 8 Jul 2008, Ron Echeverri wrote:
> No messages about fulfilling action requirements, and the only warning i
> get is the same i had in my original message:
>
> Jul 3 15:47:45 plum postfix/smtpd[3655]: warning: milter
> inet:localhost:8891: can't read SMFIC_DATA reply packet header: Success

Try setting MilterDebug to 9 and restarting the filter, then running it 
until the error occurs.

There is in fact a way that the premature EOF can occur deliberately 
inside libmilter, but only if there's a protocol error between the MTA and 
the filter.  With MilterDebug set high enough, such an error should be 
logged.

If that doesn't report anything interesting, we're back to tracking down 
an I/O error of some kind.



Re: [dkim-milter-discuss] dkim-filter fails to process mail

2008-07-08 Thread Murray S. Kucherawy
On Tue, 8 Jul 2008, Murray S. Kucherawy wrote:
> Try setting MilterDebug to 9 and restarting the filter, then running it
> until the error occurs.

For this to work, you'll need to disable AutoRestart if you have it 
enabled (remove -A from the command line and/or set AutoRestart false 
in the configuration file) and run the filter in foreground mode (i.e. add 
-f to the command line and/or Background false in the configuration 
file) since libmilter's logging writes to standard output by default.



Re: [dkim-milter-discuss] can't read SMFIC_BODYEOB reply packet header (cont'd)

2008-07-08 Thread Murray S. Kucherawy
The only thing I can think of asking for now is a truss/strace/ktrace of 
the process around the time of the error to see if we can spot the errant 
close() call.  Unfortunately if it can take hours or days or weeks for the 
problem to appear, such a log could be enormous.

...but if you have a way to get one, it might prove valuable.



Re: [dkim-milter-discuss] dkim-filter fails to process mail

2008-07-08 Thread Murray S. Kucherawy
On Tue, 8 Jul 2008, Ron Echeverri wrote:
> I guess that the trick is figuring out what the actual minimum libmilter
> version for postfix would be.  I suppose that just saying 8.14.0 or
> later would do the trick.

But it might be possible to tell postfix that it's going to be talking to 
an older version of libmilter.  I seem to recall a configuration option to 
that effect.

Let me know what they say.



Re: [dkim-milter-discuss] dkim + mailman + postfix - dkim=fail.

2008-07-07 Thread Murray S. Kucherawy
On Mon, 23 Jun 2008, David Gibbs wrote:
 Sounds like you don't have Mailman configured to remove the existing 
 dkim headers.  The DKIM headers are being left intact, so anyone trying 
 to validate the signature will detect a failure because the message is 
 being modified by Mailman.

 Investigate the REMOVE_DKIM_HEADERS setting in Mailman ... that's 
 probably what you need.

This is hopefully a temporary solution.  What really should happen is that 
Mailman (or any MLM) or the MTA after it should be re-signing the message 
as it's being remailed.

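The failure discussed in this message, as an added example that is not part of the original post or of dkim-milter: it applies DKIM body canonicalization (RFC 6376, section 3.4) to a constructed post before and after a list footer is appended and compares the resulting body hashes. The sample message, footer and function names are assumptions made for illustration, and only the body hash is modelled, not the header hash or the signature itself.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "simple") -> bytes:
    """Canonicalize a CRLF-delimited body the way DKIM does before hashing."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse whitespace runs to one space, drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    elif mode != "simple":
        raise ValueError("unknown canonicalization: %r" % mode)
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # Empty body: "simple" hashes a lone CRLF, "relaxed" hashes nothing.
        return b"\r\n" if mode == "simple" else b""
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, mode: str = "simple") -> str:
    """Base64 SHA-256 of the canonical body, i.e. what bh= must equal."""
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def signature_survives(signed: bytes, received: bytes, mode: str) -> bool:
    """True if the body hash computed at signing still matches on receipt."""
    return body_hash(signed, mode) == body_hash(received, mode)


# Constructed sample: the post as the author's server signed it.
ORIGINAL = b"Hello list,\r\n\r\nsee the attached patch.\r\n"
# The same post after a list manager appended its footer (constructed).
FOOTER = b"_______\r\nexample-list mailing list\r\nexample-list@lists.example.org\r\n"
REMAILED = ORIGINAL + FOOTER
# The same post with only whitespace changes made in transit (constructed).
WHITESPACE_ONLY = b"Hello list,  \r\n\r\nsee the  attached patch.\r\n\r\n"

if __name__ == "__main__":
    for mode in ("simple", "relaxed"):
        print(mode, "footer added:", signature_survives(ORIGINAL, REMAILED, mode))
        print(mode, "whitespace only:", signature_survives(ORIGINAL, WHITESPACE_ONLY, mode))
```

Relaxed canonicalization absorbs whitespace changes but not an appended footer, which is why the choice left to the list is between removing the old signature and re-signing the remailed message.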


Re: [dkim-milter-discuss] dkim + mailman + postfix - dkim=fail.

2008-07-07 Thread Murray S. Kucherawy
On Mon, 23 Jun 2008, bob 001 wrote:
 Yahoo header message says, domainkeys=fail (bad syntax) to such emails
 coming from outside domain.

Note that domainkeys and DKIM aren't the same.  The thing you're looking 
at refers to an older specification that Yahoo! invented but is being 
superseded by DKIM, which is a newer specification.

Yahoo! is in the process of converting.



Re: [dkim-milter-discuss] dkim + mailman + postfix - dkim=fail.

2008-07-07 Thread Murray S. Kucherawy
On Fri, 4 Jul 2008, David Gibbs wrote:
 If I disable DK, it says  domainkeys=neutral (no sig)

 Have you added the Mailman option to remove dkim headers?

Again, domainkeys != dkim.



Re: [dkim-milter-discuss] ASP query: missing parameter(s) in policy data

2008-06-21 Thread Murray S. Kucherawy
On Sat, 21 Jun 2008, Russell Bell wrote:
 dkim-filter returns this error to the log.  After a few instances of 
 getting the same error it quits.
 I can restart by hand and it runs without problem.

It shouldn't quit just from that.  Mine has been running since June 11th 
and has logged that message three times today alone.

Do you have a coredump or other forensics that might explain what 
happened?

 What does this error mean?

It means the filter did a DKIM ASP query looking for sender policy for 
some domain, but the record it got back was missing required value(s). 
This can be caused by a malformed ASP advertisement by a sending domain, 
but is more likely caused by a domain with a wildcard TXT record, usually 
advertising an SPF policy (which doesn't match ASP syntax).

 The first time I sent this message it didn't go through.

One of mine was dropped earlier today as well.  I think SourceForge is 
having difficulty.

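The cause given in this reply, as an added example that is not part of the original post or of dkim-filter's code: a tag-list check run over constructed TXT answers to policy queries, showing how an SPF string served by a wildcard record parses cleanly yet lacks the required parameter. It assumes the required tag is dkim= with the values unknown, all and discardable, as in the later ADSP specification (RFC 5617); the -03 draft may differ in detail, and all names and sample records are hypothetical.

```python
import re

# Assumption: required tag and values as in ADSP (RFC 5617).
REQUIRED_TAG = "dkim"
KNOWN_POLICIES = {"unknown", "all", "discardable"}
TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def parse_tag_list(txt):
    """Parse 'tag=value; tag=value' into a dict; raise ValueError if malformed."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue  # empty element, e.g. after a trailing ';'
        name, sep, value = part.partition("=")
        name = name.strip()
        if not sep or not TAG_NAME.match(name) or name in tags:
            raise ValueError("bad tag-list element: %r" % part)
        tags[name] = value.strip()
    return tags


def classify_policy_txt(txt):
    """Return (verdict, detail) for one TXT string answered to a policy query."""
    try:
        tags = parse_tag_list(txt)
    except ValueError as exc:
        return ("malformed", str(exc))
    if REQUIRED_TAG not in tags:
        # Typical of a wildcard TXT record that answers every name in the zone.
        is_spf = tags.get("v", "").lower().startswith("spf1")
        return ("missing-parameter", "looks like SPF" if is_spf else "no dkim= tag")
    policy = tags[REQUIRED_TAG].lower()
    if policy not in KNOWN_POLICIES:
        return ("unknown-policy", policy)
    return ("ok", policy)


# Constructed answers, keyed by the name that was queried.
SAMPLE_ANSWERS = {
    "_asp._domainkey.signer.example": "dkim=all",
    "_asp._domainkey.wildcard.example": "v=spf1 mx a:mail.wildcard.example -all",
    "_asp._domainkey.typo.example": "dkim=al;",
    "_asp._domainkey.junk.example": "hello world",
}


def triage(answers):
    """Classify every answer so log noise can be grouped by cause."""
    return {name: classify_policy_txt(txt) for name, txt in answers.items()}
```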


Re: [dkim-milter-discuss] dkimproxy + mailman + postfix (dkim=fail)

2008-06-21 Thread Murray S. Kucherawy
On Sat, 21 Jun 2008, bob 001 wrote:
 1. Email addresses on the same server where postfix, mailman, dkimproxy
 lives.
 2. Email addresses on gmail/yahoo etc.

dkimproxy isn't supported on this list.  This list is for users of the 
dkim-milter package.

Please go to http://dkimproxy.sourceforge.net/ for assistance.



Re: [dkim-milter-discuss] (S|A|AD)SP

2008-06-17 Thread Murray S. Kucherawy
On Tue, 17 Jun 2008, Ben Lentz wrote:
 Do I have all my facts straight, and what is the current recommendation 
 for publishing a signing policy?

You've got it right.  I've been following the ietf-dkim list and attending 
the related conferences, so we're current on what's going on and what's to 
be expected.  I simply haven't updated the software because a newer draft 
has yet to be posted.  Indeed, when ADSP posts, I have this code plus 
three Internet Drafts to update.

So given that's our posture, the currently correct practise is to post a 
policy at _asp._domainkey.(domain) according to the -03 draft.

I'd bet we're likely to see the -04 draft before the next IETF conference 
which is at the end of July, but I've been wrong before.



Re: [dkim-milter-discuss] (S|A|AD)SP

2008-06-17 Thread Murray S. Kucherawy
On Tue, 17 Jun 2008, Ben Lentz wrote:
 Without a testing flag available in the ASP policy record, what can a 
 signing system do to help ensure that a recipient will do something 
 benign should the signature fail for some reason? Is the concept of a 
 testing flag being completely obsoleted?

The test flag still exists in key records.  It's just been removed from 
policy.



Re: [dkim-milter-discuss] why does dkim-filter make a log entry for some messages but not others?

2008-06-15 Thread Murray S. Kucherawy
On Sun, 15 Jun 2008, Russell Bell wrote:
 dkim-filter writes 'X-DKIM: Sendmail DKIM Filter v2.5.5 ...' to the 
 header of every message we receive but makes no entry in the log for the 
 vast majority of them.  For some it records 'no signature data'.  Those 
 messages have no signature data but many more without signature data 
 result in no entry in the logs.  I turn on logging for all events in 
 dkim-filter's configuration.

If you've asked for X-Header service, it will add that header to all 
messages it sees (except those excluded by -a/PeerFile) as a rubber 
stamp that the message was processed by the filter.

The no signature data is logged if the DKIM library reports the message 
was unsigned.  If the filter never got that far, instead, for example, 
deciding the message can't be processed because it was malformed in some 
way (e.g. missing required headers), then it never gets far enough in the 
code to make that decision, and it doesn't get logged.

If you can give me an example of a message which causes the logging and 
one which doesn't, I can be more precise.



Re: [dkim-milter-discuss] messages being logged as mail, not local2

2008-06-15 Thread Murray S. Kucherawy
On Sun, 15 Jun 2008, Russell Bell wrote:
 I specify a SyslogFacility local2 in order to separate dkim-filter's 
 log entries.  Some messages go to local2, others to mail.  Why?

Anything that gets logged by the filter before openlog() is called (which 
happens late in the filter startup process) goes to the default facility 
which is probably daemon.  Everything else should go to the requested 
facility.

Calls to syslog() don't let the code specify which facility to use.  You 
specify that once, with openlog().  If your syslog daemon is writing some 
things in the wrong place, it's a bug in your C library or in the daemon 
since the filter itself doesn't make that request explicitly.


