Re: [qmailtoaster] DKIM and SPF configurations

2019-09-30 Thread Remo Mattei
Agree with Eric. Not many are using DMARC. I also have it on my Spamassassin 
config. 

Remo 

> On Sep 28, 2019, at 10:28, Eric Broch wrote:
> 
> Hi Gary,
> 
> If you have spf, and dkim set up the only other thing you might do is add a 
> dmarc record and make sure all servers sending email are included in you spf 
> record. I decided to allow spamassassin to check dkim as well and don't think 
> it would be wise to reject email in absence of such a record.
> 
> Eric
> 
> 
> On Fri, Sep 27, 2019 at 8:07 AM Gary Bowling wrote:
> 
> 
> The recent questions about setting up DKIM prompted me to review my setup and 
> see if I needed to tighten things up a bit. ALL of my config surrounding 
> these things is very old, so what are the best practices in 2019?
> 
> 
> 
> On the receiving side of things, my server has spfbehavior set to 2 and I 
> believe the default is 3. I seem to recall many years ago having problems 
> rejecting email, that I didn't want rejected, with it set to 3. But that's 
> been so long ago, it's not worth considering. Do most of you have it set to 
> 3? And have you had any problems with that if you do?
> 
> 
> 
> For DKIM receiving, I'm doing that in spamassassin/spamd. But it appears that 
> spamassassin just assigns a score if there is a DKIM_INVALID situation and 
> that score seems to be pretty low. Is this really the right way to 
> handle receiving messages where DKIM is concerned? I'm sure there is a way to 
> increase the DKIM_INVALID score, but not sure of the ramifications of that. 
> Do any of you change those settings? Or do DKIM checking somewhere else for 
> improvements?
> 
> 
> 
> On the outbound side of things. 
> 
> For my DNS, I have SPF records that have been there for years, that affects 
> other domains receiving mail from my server. So not sure how much good it 
> does, but it's there.
> 
> 
> 
> I do not have DKIM set up. Many years ago it seemed pretty useless from what 
> I read, so I didn't bother with it. From what I understand, if the receiving 
> end doesn't check for DKIM, then it does nothing. Or like in my servers case, 
> it just adds a tiny bit of score to spamassasin, so minimal help. But maybe 
> enough are doing something more robust now for it to be useful. Maybe I 
> should implement this now?
> 
> 
> 
> What are everyone's thoughts on all this in 2019? Should I be doing stricter 
> checking of spf? Does DKIM actually provide a useful service? And are there 
> better ways to handle DKIM checking?
> 
> 
> 
> All discussion and help is greatly appreciated!
> 
> 
> 
> Thanks Gary 
> 
> -- 
> Gary Bowling
> The Moderns on Spotify
> 
> -
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
> 
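A check for the advice above that every server sending for the domain be listed in its SPF record, as an added example in Python (not code from the thread or from qmailtoaster): it evaluates an SPF record offline against candidate sender addresses. The records and addresses are constructed; mechanisms that need DNS (a, mx, include, ptr, exists) are reported as unresolved rather than guessed.

```python
import ipaddress

# Constructed records for a hypothetical domain (not from the thread).
STRICT_SPF = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"
LAX_SPF = "v=spf1 ip4:203.0.113.10 mx ~all"

VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = ("a", "mx", "include", "ptr", "exists")


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:            # modifier (redirect=, exp=); not evaluated here
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/")[0].lower()   # drop a dual-CIDR suffix such as mx/24
        parsed.append((qualifier, mech, arg))
    return parsed


def spf_result(record, sender_ip):
    """Evaluate sender_ip against record offline.

    Returns pass/fail/softfail/neutral, or 'unresolved:<mech>' as soon as a
    mechanism that needs a DNS lookup is reached (a, mx, include, ptr, exists).
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return VERDICT[qualifier]
        elif mech == "all":
            return VERDICT[qualifier]
        elif mech in NEEDS_DNS:
            return "unresolved:" + mech
    return "neutral"   # RFC 7208: no mechanism matched and no redirect=


def senders_not_covered(record, sender_ips):
    """Outbound hosts whose mail would not get an SPF pass under record."""
    return [ip for ip in sender_ips if spf_result(record, ip) != "pass"]
```

Run senders_not_covered() over the list of every host that relays outbound mail for the domain; anything it returns is either missing from the record or only reachable through a mechanism you still have to resolve by hand.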


Re: [qmailtoaster] spam folder into gmail

2019-09-30 Thread Eric Broch

Also,

I've decided to allow Spamassassin to do DKIM (and other) checks so I 
don't have to code anything.


go to page:

https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/

and search for:

Know your Spam – get the most out of Spamassassin


On 9/30/2019 6:34 AM, Eric Broch wrote:


I've removed DomainKeys (not DKIM) from qmail altogether in later 
versions and decided to use a wrapper for DKIM.



Re: [qmailtoaster] dovecot CVE-2019-11500

2019-09-30 Thread Eric Broch

Correct

On 9/30/2019 4:38 AM, Angus McIntyre wrote:
I think Eric is saying that the version in the testing repository -- 
which, as you said, is 2.3.7.2 -- fixes the vulnerability. 





Re: [qmailtoaster] spam folder into gmail

2019-09-30 Thread Eric Broch
I've removed DomainKeys (not DKIM) from qmail altogether in later 
versions and decided to use a wrapper for DKIM.


So,

If you have the list below from /var/qmail/bin

# ls -l /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-queue.orig /var/qmail/bin/qmail-dk

-rws--x--x 1 qmailq qmail 52096 Jan 21  2018 /var/qmail/bin/qmail-dk
lrwxrwxrwx 1 root   root     23 Jun 14  2018 /var/qmail/bin/qmail-queue -> /var/qmail/bin/qmail-dk
-rws--x--x 1 qmailq qmail 27040 Jan 21  2018 /var/qmail/bin/qmail-queue.orig

Stop qmail

# qmailctl stop

Remove symlink to qmail-dk

# unlink /var/qmail/bin/qmail-queue

Move qmail-queue.orig to qmail-queue

# mv /var/qmail/bin/qmail-queue.orig /var/qmail/bin/qmail-queue

Start qmail

# qmailctl start

Remove DKSIGN, DKVERIFY, DKQUEUE (DomainKeys) from tcp.smtp.

# qmailctl cdb


On 9/29/2019 10:56 PM, ChandranManikandan wrote:

Hi Eric,

Thanks for your help.
I have successfully rectified the issue by following your steps 
above and tested in a Gmail account from Squirrel webmail.

It is working now.

I have noticed the lines below in the /etc/tcprules.d/tcp.smtp file. Do I 
need to amend the lines in this file? Please let me know.


DKSIGN="/var/qmail/control/domainkeys/%/private"

On Sun, Sep 29, 2019 at 10:47 PM Eric Broch wrote:


Step 2) from http://www.qmailtoaster.com/dkim.html

At the command line first create the key and txt record for the
domain you want signed (replace otherdomain.com with the domain you
want in every command below).
So if your domain is mydomain.com the command would be:
# dknewkey /var/qmail/control/dkim/mydomain.com.key 1024 > /var/qmail/control/dkim/mydomain.com.txt

# dknewkey /var/qmail/control/dkim/otherdomain.com.key 1024 > /var/qmail/control/dkim/otherdomain.com.txt

At the command line change the selector in the txt record from
'otherdomain.com.key._domainkey' to 'dkim1._domainkey'
# perl -pi -e 's/^.*\.key/dkim1/' /var/qmail/control/dkim/otherdomain.com.txt

Check the file to see if the substitution happened.
# cat /var/qmail/control/dkim/otherdomain.com.txt
   dkim1._domainkey       IN      TXT  "k=rsa; p=**"


Create a DNS TXT record for otherdomain.com using the output from the
text file 'otherdomain.com.txt' where your DNS settings are managed,
usually your ISP (mine are Godaddy).
   Host                   Text
   dkim1._domainkey       IN       TXT v=DKIM1; k=rsa; p=*

Edit the signature file and add your domain. This is what the perl
script 'qmail-remote' will read and then call the original
qmail-remote now renamed to qmail-remote.orig.
# vi /var/qmail/control/dkim/signconf.xml
  <domain domain="otherdomain.com"
          keyfile="/var/qmail/control/dkim/otherdomain.com.key"
          selector="dkim1">
  </domain>

So the domain entry in the file looks like this:

  <domain domain="otherdomain.com"
          keyfile="/var/qmail/control/dkim/otherdomain.com.key"
          selector="dkim1">
  </domain>



Notes Step 2) Test your DKIM signature (Remember, replace
otherdomain.com with your domain).
# yum install epel-release opendkim
# opendkim-testkey -d otherdomain.com -k /var/qmail/control/dkim/otherdomain.com.key -s dkim1

On Sun, Sep 29, 2019 at 7:19 AM ChandranManikandan wrote:

Hi Eric,

How do I implement DKIM for my domain? I really need your help.
I have followed your step 1 only. Do I need to follow all
four steps, and how do I configure it in the DNS server?
Why does Gmail put my domain's emails in the spam folder?

Appreciate discussions and help.


On Fri, Sep 27, 2019 at 11:51 PM Eric Broch wrote:

DKIM is not DomainKeys


On 9/27/2019 3:54 AM, ChandranManikandan wrote:

Hi Eric,

I have set up the global key (default for all domains) from
your link and also configured it in the DNS server, then I
checked in mxtoolbox and got the result for the domain
key. After that I tried to send an email to Gmail and it is
showing the error. The email header is below.

Do I need to follow all 4 steps?

I will wait one day for the DNS propagation and will
update you.
Meanwhile could you look at the message header below.

Delivered-To:kand...@gmail.com  
Received: by 2002:ac0:bf91:0:0:0:0:0 with SMTP id o17csp3358759imk;
 Fri, 27 Sep 
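An added check in Python (not code from the thread or from the qmailtoaster wrapper) for the otherdomain.com.txt file that the dknewkey and perl steps above produce: it confirms the selector was renamed to dkim1._domainkey, that the p= tag holds valid base64, and builds the v=DKIM1 value to paste into the DNS provider's TXT field. The sample zone line and its key blob are constructed, not a real key.

```python
import base64
import re

# Constructed sample of otherdomain.com.txt after the perl selector fix.
# The p= value is a short made-up base64 blob, not a real RSA public key.
SAMPLE_TXT_FILE = 'dkim1._domainkey\tIN\tTXT\t"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCx"'

ZONE_LINE = re.compile(r"^\s*(\S+)\s+IN\s+TXT\s+(.*)$", re.S)


def parse_dkim_zone_line(line):
    """Return (host, {tag: value}) from a 'host IN TXT "..."' zone line.

    Adjacent quoted strings (how zone files split long keys) are concatenated.
    """
    m = ZONE_LINE.match(line)
    if not m:
        raise ValueError("not a TXT zone line")
    host, rest = m.group(1), m.group(2)
    value = "".join(re.findall(r'"([^"]*)"', rest)) or rest.strip()
    tags = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            tags[key.strip()] = val.strip()
    return host, tags


def dkim_txt_problems(line, selector="dkim1"):
    """List what is wrong with the record; an empty list means it is DNS-ready."""
    host, tags = parse_dkim_zone_line(line)
    problems = []
    if host.endswith(".key._domainkey"):
        problems.append("selector still carries the .key file name (perl step not applied)")
    elif host != selector + "._domainkey":
        problems.append("host %s does not match selector %s" % (host, selector))
    if tags.get("k", "rsa") != "rsa":
        problems.append("unexpected key type k=" + tags["k"])
    if not tags.get("p"):
        problems.append("empty p= tag (publishes a revoked key, not a usable one)")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64")
    return problems


def dkim_dns_value(line):
    """The value to paste into the DNS provider's TXT field (v=DKIM1 prepended)."""
    _, tags = parse_dkim_zone_line(line)
    return "v=DKIM1; k=rsa; p=" + tags["p"]
```

This only checks the record's shape; whether the published key matches the private key in /var/qmail/control/dkim is what the opendkim-testkey step above verifies against live DNS.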

Re: [qmailtoaster] dovecot CVE-2019-11500

2019-09-30 Thread Angus McIntyre
I think Eric is saying that the version in the testing repository -- 
which, as you said, is 2.3.7.2 -- fixes the vulnerability.


The relevant part of the CVE-2019-11500 report -- which Eric quoted in 
his message, with the key words emphasized -- says that this 
vulnerability exists in versions of 2.3.x before 2.3.7.2. That suggests 
that installing 2.3.7.2 from the testing repository would fix the issue 
for you.


That's how I understand his answer, anyway.

Angus



On 2019-09-30 05:09, Ionut Hoza wrote:

Hi Eric,

I don't think I understand your answer :).

I'll try to upgrade to the package available in testing inventory.

Thanks,
I.

On Fri, Sep 27, 2019 at 5:36 PM Eric Broch wrote:


In Dovecot before 2.2.36.4 and 2.3.x _BEFORE_ 2.3.7.2 (and
Pigeonhole before 0.5.7.2), protocol processing can fail for quoted
strings. This occurs because '\0' characters are mishandled, and can
lead to out-of-bounds writes and remote code execution.
On 9/27/2019 3:10 AM, Ionut Hoza wrote:


Hi all,

Are there any plans to address this security vulnerability and
publish a patched package in the qmt current repository?
https://nvd.nist.gov/vuln/detail/CVE-2019-11500 [1]

Currently I'm using 2.2.35-23 (built in 2018).

I saw there is a dovecot 2.3.7.2 rpm package in the testing repository;
does that contain the fix? Any advice (issues) regarding
upgrading dovecot from 2.2.35 to 2.3.7.2?

Thanks in advance,
-I.



Links:
--
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-11500





Re: [qmailtoaster] dovecot CVE-2019-11500

2019-09-30 Thread Ionut Hoza
Hi Eric,

I don't think I understand your answer :).

I'll try to upgrade to the package available in testing inventory.

Thanks,
I.

On Fri, Sep 27, 2019 at 5:36 PM Eric Broch wrote:

> In Dovecot before 2.2.36.4 and 2.3.x *before* 2.3.7.2 (and Pigeonhole
> before 0.5.7.2), protocol processing can fail for quoted strings. This
> occurs because '\0' characters are mishandled, and can lead to
> out-of-bounds writes and remote code execution.
> On 9/27/2019 3:10 AM, Ionut Hoza wrote:
>
> Hi all,
>
> Are there any plans to address this security vulnerability and publish a
> patched package in the qmt current repository?
> https://nvd.nist.gov/vuln/detail/CVE-2019-11500
>
> Currently I'm using 2.2.35-23 (built in 2018).
>
> I saw there is a dovecot 2.3.7.2 rpm package in the testing repository; does
> that contain the fix? Any advice (issues) regarding upgrading dovecot
> from 2.2.35 to 2.3.7.2?
>
> Thanks in advance,
> -I.
>
>