Re: [qmailtoaster] domainkeys guide
I've done some testing with yahoo, and this is what I've found:

.) yahoo to toaster seems to work fine with domain keys. I see yahoo's signature in the header, and it was accepted ok.
.) toaster directly to yahoo with dk signature works. Message goes into bulk yahoo folder, I think because toaster is on a dynamic IP address.
.) toaster using smtproutes (I presume with dk is still signing) via outbound.mailhop.org (a dyndns.org service) works. Message goes into inbox yahoo folder.

I don't see a way on yahoo to inspect headers, so I'm presuming a little here. I have a test in progress with cox.net where I'll be able to inspect headers. I expect it will be ok too.

BL, domainkeys work ok with smtproutes (at least through dyndns's mailhop). It's still possible that some ISPs *may* screw things up, but they shouldn't (in theory).

If anyone would care to explain in more detail why this works, or comes across a case where it doesn't, I'm all ears. I'm guessing that DK signatures reflect some, but not all header information.

Note, I'm running the current (1.3) toaster on CentOS4.3.

Eric Shubes wrote:
> Ok, I think I'm getting it. My understanding is that the DK signature is generated from the header and the body, so any additions/alterations would invalidate the signature. So I tend to agree with you. If that's the case, though, then what DynDNS told me is wrong. I'm hesitant to question them, as they're pretty sharp with this stuff too.
>
> I'm wondering how this *could* work. Maybe certain (routing related) header entries aren't included in the signature. That would almost need to be the case, given server farms and requirements of very large companies. Otherwise, key (especially private) distribution could be a nightmare.
>
> Anywise, no sense in speculating. I should be seeing failures in a day or two if this indeed doesn't work. Stay tuned...
>
> Erik Espinoza wrote:
>> DomainKeys only works if your server talks directly to the destination server. If you force all your mail via your isp server using smtproutes, then their server will add some headers which will in turn invalidate all your DomainKey signatures.

--
-Eric 'shubes'

- QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
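The question in the message above, which parts of a message a DomainKeys signature covers, worked through as an added example (not part of the thread or of QmailToaster). Under RFC 4870 the signature covers the body plus the headers that follow the DomainKey-Signature line, optionally narrowed by an h= tag, so a header prepended above it is outside the signed data. Assumptions: a SHA-1 digest stands in for the RSA signature, the canonicalization only approximates nofws, and the message, selector, addresses and relay names are constructed.

```python
import hashlib
import re

def split_message(raw):
    """Split a raw message into unfolded header lines and the body."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += line              # unfold a continuation line
        else:
            headers.append(line)
    return headers, body

def name_of(header):
    return header.split(":", 1)[0].strip().lower()

def signed_digest(raw):
    """SHA-1 over the data a DomainKeys signature covers (simplified nofws)."""
    headers, body = split_message(raw)
    names = [name_of(h) for h in headers]
    if "domainkey-signature" not in names:
        return None
    pos = names.index("domainkey-signature")
    value = headers[pos].split(":", 1)[1]
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if "=" in t)
    covered = headers[pos + 1:]              # only headers BELOW the signature
    if "h" in tags:                          # optional h= narrows the set
        listed = {n.strip().lower() for n in tags["h"].split(":")}
        covered = [h for h in covered if name_of(h) in listed]
    squeeze = lambda s: re.sub(r"[ \t\r]", "", s)    # nofws: drop whitespace
    body_lines = [squeeze(l) for l in body.split("\n")]
    while body_lines and body_lines[-1] == "":       # ignore trailing blanks
        body_lines.pop()
    data = "\r\n".join([squeeze(h) for h in covered] + [""] + body_lines)
    return hashlib.sha1(data.encode()).hexdigest()

def survives(original, relayed):
    """True if the relayed copy still matches what the sender signed."""
    return signed_digest(original) == signed_digest(relayed)

# Constructed sample message as it leaves the signing toaster.
SIGNED = (
    "DomainKey-Signature: a=rsa-sha1; s=sel1; d=example.org; c=nofws; q=dns;\n"
    "\tb=PLACEHOLDER-NOT-A-REAL-SIGNATURE\n"
    "From: alice@example.org\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "\n"
    "hello\n"
)
# A smart host that only prepends its own trace header.
PREPENDED = "Received: from toaster.example.org by relay.example.com\n" + SIGNED
# A relay that rewrites a signed header, or appends a footer to the body.
REWRITTEN = SIGNED.replace("Subject: test", "Subject: [scanned] test")
FOOTER = SIGNED + "-- sent via relay.example.com\n"

if __name__ == "__main__":
    for label, msg in [("prepended", PREPENDED), ("rewritten", REWRITTEN),
                       ("footer", FOOTER)]:
        print(label, "intact" if survives(SIGNED, msg) else "broken")
```

Whether a given smart host leaves a signature intact therefore depends on what it does to the message: adding trace headers on top is harmless, rewriting signed headers or the body is not.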
Re: [qmailtoaster] domainkeys guide
I gave up on domainkeys signing in my server since my ISP (optonline) alters the header thus invalidating my domainkeys signature. Both yahoo and gmail headers show bad domainkeys. I had a lot of help from Erik with this and came up with the solution that the use of smtproutes with domainkeys does not work, I think it was on wikipedia too.

Thanks,
John.

On Sat, August 5, 2006 11:10 am, Eric "Shubes" wrote:
> I've done some testing with yahoo, and this is what I've found:
>
> .) yahoo to toaster seems to work fine with domain keys. I see yahoo's signature in the header, and it was accepted ok.
> .) toaster directly to yahoo with dk signature works. Message goes into bulk yahoo folder, I think because toaster is on a dynamic IP address.
> .) toaster using smtproutes (I presume with dk is still signing) via outbound.mailhop.org (a dyndns.org service) works. Message goes into inbox yahoo folder.
>
> I don't see a way on yahoo to inspect headers, so I'm presuming a little here. I have a test in progress with cox.net where I'll be able to inspect headers. I expect it will be ok too.
>
> BL, domainkeys work ok with smtproutes (at least through dyndns's mailhop). It's still possible that some ISPs *may* screw things up, but they shouldn't (in theory).
>
> If anyone would care to explain in more detail why this works, or comes across a case where it doesn't, I'm all ears. I'm guessing that DK signatures reflect some, but not all header information.
>
> Note, I'm running the current (1.3) toaster on CentOS4.3.
>
> Eric Shubes wrote:
>> Ok, I think I'm getting it. My understanding is that the DK signature is generated from the header and the body, so any additions/alterations would invalidate the signature. So I tend to agree with you. If that's the case, though, then what DynDNS told me is wrong. I'm hesitant to question them, as they're pretty sharp with this stuff too.
>>
>> I'm wondering how this *could* work. Maybe certain (routing related) header entries aren't included in the signature. That would almost need to be the case, given server farms and requirements of very large companies. Otherwise, key (especially private) distribution could be a nightmare.
>>
>> Anywise, no sense in speculating. I should be seeing failures in a day or two if this indeed doesn't work. Stay tuned...
>>
>> Erik Espinoza wrote:
>>> DomainKeys only works if your server talks directly to the destination server. If you force all your mail via your isp server using smtproutes, then their server will add some headers which will in turn invalidate all your DomainKey signatures.
>
> --
> -Eric 'shubes'

.how soon not now becomes never. _martin luther
Re: [qmailtoaster] domainkeys guide
Nick Hemmesch wrote:
> Hi Andy,
>
> Make your tcp.smtp like this (without the \s):
>
> 127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
> :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="30",\
> CHKUSER_WRONGRCPTLIMIT="3",DKVERIFY="DEGIJKfh",\
> QMAILQUEUE="/var/qmail/bin/simscan",\
> DKSIGN="/var/qmail/control/domainkeys/%/private"
>
> Run: qmailctl cdb
>
> Note: ,DKSIGN="/var/qmail/control/domainkeys/%/private" is added to your second statement. Without making this addition, mail relayed by an authorized user from a remote client will not be signed.
>
> Hope this helps.
>
> Regards,
> Nick

Hey Nick,

I just ran into this problem too. I started w/ v1.2 and upgraded to v1.3, so I don't know if this change made it into the main distribution or not. I hope you've added it.

--
-Eric 'shubes'
Re: [qmailtoaster] domainkeys guide
Dewain Riddle wrote:
> Hey all,
>
> been working off and on all week on getting a guide to setting up domainkeys on the wiki. I probably left some stuff out, and may be wrong on some minor technical stuff, but that's why i put it on the wiki, so others can change and add. i've set up 4 domains with domainkeys, and this is the method i've used. hope this is helpful.
>
> also - i forgot to put in there that i used Nick's existing guides and emails, along with some of the other mailing-list users emails in the guide.
>
> http://wiki.qmailtoaster.com/index.php/Domainkeys
>
> thanks all!
>
> Dewain

Nice job, Dewain.

I hope you don't mind, but I polished it up a bit, as I just went through the process today and wanted to do it while it was fresh on my mind. I couldn't have done it without something meaty to start with. I hope that I cleared up a few things without adding any errata. Someone knowledgeable should probably edit it. ;)

I hope everyone likes it. (and if you don't, change it!)

--
-Eric 'shubes'
Re: [qmailtoaster] domainkeys guide
Erik Espinoza wrote (on 5/26/06):
> You may want to add that DomainKeys can't be used in conjunction with a smart host. So if you define a ':mail.isp.com' in smtproutes, then DomainKeys will always fail.
>
> Erik

Why would that be? (Maybe I don't understand what a smart host is)

I'm using dyndns.org's mailhop outbound service for some destination domains (because I'm on a pseudo-dynamic ip address). I specify this using smtproutes.

I asked dyndns.org about domainkeys with mailhop outbound, and here's how the emails went:

>> I relay *some* of my email through mailhop outbound. I recently (today) configured domainkeys for my domain. My server signs all outgoing email, including that which is routed through mailhop. Will routing through mailhop outbound cause a problem with domainkeys? I haven't experienced a specific problem yet, but I'd like to know whether or not to expect this to be a problem.
>
> It should not be a problem. Your email is validated at the receiving end based on your domainkey and your signature. Since the email still originates from you and your signature matches your domainkey, your mail should be fine. You may want to contact Yahoo for more information regarding domainkeys.

I just now turned off the test status on my domain, so it'll be some time before I see a problem if there is one. I'll post to the list if this indeed doesn't work.

--
-Eric 'shubes'
Re: [qmailtoaster] domainkeys guide
DomainKeys only works if your server talks directly to the destination server. If you force all your mail via your isp server using smtproutes, then their server will add some headers which will in turn invalidate all your DomainKey signatures.

On 8/4/06, Eric Shubes [EMAIL PROTECTED] wrote:
> Erik Espinoza wrote (on 5/26/06):
>> You may want to add that DomainKeys can't be used in conjunction with a smart host. So if you define a ':mail.isp.com' in smtproutes, then DomainKeys will always fail.
>>
>> Erik
>
> Why would that be? (Maybe I don't understand what a smart host is)
>
> I'm using dyndns.org's mailhop outbound service for some destination domains (because I'm on a pseudo-dynamic ip address). I specify this using smtproutes.
>
> I asked dyndns.org about domainkeys with mailhop outbound, and here's how the emails went:
>
>>> I relay *some* of my email through mailhop outbound. I recently (today) configured domainkeys for my domain. My server signs all outgoing email, including that which is routed through mailhop. Will routing through mailhop outbound cause a problem with domainkeys? I haven't experienced a specific problem yet, but I'd like to know whether or not to expect this to be a problem.
>>
>> It should not be a problem. Your email is validated at the receiving end based on your domainkey and your signature. Since the email still originates from you and your signature matches your domainkey, your mail should be fine. You may want to contact Yahoo for more information regarding domainkeys.
>
> I just now turned off the test status on my domain, so it'll be some time before I see a problem if there is one. I'll post to the list if this indeed doesn't work.
>
> --
> -Eric 'shubes'
Re: [qmailtoaster] domainkeys guide
Ok, I think I'm getting it. My understanding is that the DK signature is generated from the header and the body, so any additions/alterations would invalidate the signature. So I tend to agree with you. If that's the case, though, then what DynDNS told me is wrong. I'm hesitant to question them, as they're pretty sharp with this stuff too.

I'm wondering how this *could* work. Maybe certain (routing related) header entries aren't included in the signature. That would almost need to be the case, given server farms and requirements of very large companies. Otherwise, key (especially private) distribution could be a nightmare.

Anywise, no sense in speculating. I should be seeing failures in a day or two if this indeed doesn't work. Stay tuned...

Erik Espinoza wrote:
> DomainKeys only works if your server talks directly to the destination server. If you force all your mail via your isp server using smtproutes, then their server will add some headers which will in turn invalidate all your DomainKey signatures.
>
> On 8/4/06, Eric Shubes [EMAIL PROTECTED] wrote:
>> Erik Espinoza wrote (on 5/26/06):
>>> You may want to add that DomainKeys can't be used in conjunction with a smart host. So if you define a ':mail.isp.com' in smtproutes, then DomainKeys will always fail.
>>>
>>> Erik
>>
>> Why would that be? (Maybe I don't understand what a smart host is)
>>
>> I'm using dyndns.org's mailhop outbound service for some destination domains (because I'm on a pseudo-dynamic ip address). I specify this using smtproutes.
>>
>> I asked dyndns.org about domainkeys with mailhop outbound, and here's how the emails went:
>>
>>>> I relay *some* of my email through mailhop outbound. I recently (today) configured domainkeys for my domain. My server signs all outgoing email, including that which is routed through mailhop. Will routing through mailhop outbound cause a problem with domainkeys? I haven't experienced a specific problem yet, but I'd like to know whether or not to expect this to be a problem.
>>>
>>> It should not be a problem. Your email is validated at the receiving end based on your domainkey and your signature. Since the email still originates from you and your signature matches your domainkey, your mail should be fine. You may want to contact Yahoo for more information regarding domainkeys.
>>
>> I just now turned off the test status on my domain, so it'll be some time before I see a problem if there is one. I'll post to the list if this indeed doesn't work.
>>
>> --
>> -Eric 'shubes'

--
-Eric 'shubes'
RE: [qmailtoaster] domainkeys guide
Nick,

Very much appreciated, I was about ready to pull my hair out.

Andy

-----Original Message-----
From: Nick Hemmesch [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 27, 2006 1:32 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] domainkeys guide

Hi Andy,

Make your tcp.smtp like this (without the \s):

127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="30",\
CHKUSER_WRONGRCPTLIMIT="3",DKVERIFY="DEGIJKfh",\
QMAILQUEUE="/var/qmail/bin/simscan",\
DKSIGN="/var/qmail/control/domainkeys/%/private"

Run: qmailctl cdb

Note: ,DKSIGN="/var/qmail/control/domainkeys/%/private" is added to your second statement. Without making this addition, mail relayed by an authorized user from a remote client will not be signed.

Hope this helps.

Regards,
Nick

> Hi all,
>
> I followed Dewain's steps to set up the domain keys and I think I have everything set up right except that when I send an email to a yahoo account the headers say
>
> X-Apparently-To: [EMAIL PROTECTED] via 68.142.201.234; Fri, 26 May 2006 21:42:19 -0700
> X-YahooFilteredBulk: 66.79.95.94
> X-Originating-IP: [66.79.95.94]
> Return-Path: [EMAIL PROTECTED]
> Authentication-Results: mta226.mail.re4.yahoo.com from=roweboat.net; domainkeys=neutral (no sig)
> Received: from 66.79.95.94 (EHLO mail.roweboat.net) (66.79.95.94) by mta226.mail.re4.yahoo.com with SMTP; Fri, 26 May 2006 21:42:19 -0700
> Received: (qmail 32113 invoked by uid 89); 27 May 2006 04:41:17 -
> Received: by simscan 1.2.0 ppid: 32106, pid: 32109, t: 0.1184s scanners: clamav: 0.88.2/m:38/d:1478
> Received: from unknown (HELO mycomputer) ([EMAIL PROTECTED]@66.79.95.94) by mail.roweboat.net with ESMTPA; 27 May 2006 04:41:17 -
> From: Andy Rowe [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: hey
> Date: Fri, 26 May 2006 23:44:11 -0500
> Message-ID: [EMAIL PROTECTED]
> MIME-Version: 1.0
> Content-Type: multipart/alternative; boundary==_NextPart_000_002D_01C6811E.4AF59BD0
> X-Mailer: Microsoft Office Outlook 11
> X-MimeOLE:Produced By Microsoft MimeOLE V6.00.2900.2869
> Thread-Index: AcaBSDI5kOMIBmDpS4WyZ/Fo2fkJZQ==
> Content-Length: 780
>
> What is bothering me is
>
> Authentication-Results: mta226.mail.re4.yahoo.com from=roweboat.net; domainkeys=neutral (no sig)
>
> It's not supposed to be neutral is it? I am including my tcp.smtp file as I feel it might help.
>
> Tcp.smtp
>
> 127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private"
> :allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="30",CHKUSER_WRONGRCPTLIMIT="3",DKVERIFY="DEGIJKfh",QMAILQUEUE="/var/qmail/bin/simscan"
>
> I am not sure what I am doing wrong. I have run the tests for checking domain key dns configuration at the following addresses and everything checks out.
>
> http://domainkeys.sourceforge.net/policycheck.html
> http://domainkeys.sourceforge.net/selectorcheck.html
>
> I have also glanced at this page too
>
> http://jeremy.kister.net/howto/dk.html
>
> I think the problem probably lies within my tcp.smtp file but I am at my wits end on what to do, I'm officially lost :D
>
> Any help would be great. Let me know if you need anything else from me.
>
> Andy Rowe
>
> -----Original Message-----
> From: Erik Espinoza [mailto:[EMAIL PROTECTED]
> Sent: Friday, May 26, 2006 4:13 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] domainkeys guide
>
> Very nice.
>
> You may want to add that DomainKeys can't be used in conjunction with a smart host. So if you define a ':mail.isp.com' in smtproutes, then DomainKeys will always fail.
>
> Erik
>
> On 5/26/06, Dewain Riddle [EMAIL PROTECTED] wrote:
>> Hey all,
>>
>> been working off and on all week on getting a guide to setting up domainkeys on the wiki. I probably left some stuff out, and may be wrong on some minor technical stuff, but that's why i put it on the wiki, so others can change and add. i've set up 4 domains with domainkeys, and this is the method i've used. hope this is helpful.
>>
>> also - i forgot to put in there that i used Nick's existing guides and emails, along with some of the other mailing-list users emails in the guide.
>>
>> http://wiki.qmailtoaster.com/index.php/Domainkeys
>>
>> thanks all!
>>
>> Dewain
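The tcp.smtp problem in the message above (an allow rule without DKSIGN, so relayed mail goes out unsigned and arrives as "no sig"), as an added check that is not part of the thread or of QmailToaster's tooling. It assumes the usual tcprules syntax, where each value is enclosed by whatever delimiter character follows the "=" (normally a double quote); the function names are hypothetical and the two sample files are constructed from the rules quoted in the thread.

```python
import re

RULE = re.compile(r"^(?P<addr>[^:]*):(?P<action>allow|deny)(?P<rest>.*)$")

def parse_env(rest):
    """Parse ',VAR=<d>value<d>' pairs; <d> is the character right after '='."""
    env, i = {}, 0
    while i < len(rest):
        if rest[i] != ",":
            raise ValueError("expected ',' at offset %d" % i)
        eq = rest.index("=", i)
        delim = rest[eq + 1]
        end = rest.index(delim, eq + 2)
        env[rest[i + 1:eq]] = rest[eq + 2:end]
        i = end + 1
    return env

def unsigned_allow_rules(text):
    """Return (address, reason) for each allow rule that would not DK-sign."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            findings.append((line, "unparseable rule"))
            continue
        if m["action"] == "deny":
            continue
        addr = m["addr"] or "(default)"
        try:
            env = parse_env(m["rest"])
        except (ValueError, IndexError):
            # e.g. a leftover trailing backslash or an unterminated value
            findings.append((addr, "malformed environment list"))
            continue
        if not env.get("DKSIGN"):
            findings.append((addr, "no DKSIGN"))
    return findings

KEY = 'DKSIGN="/var/qmail/control/domainkeys/%/private"'
DEFAULT = (':allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="30",'
           'CHKUSER_WRONGRCPTLIMIT="3",DKVERIFY="DEGIJKfh",'
           'QMAILQUEUE="/var/qmail/bin/simscan"')
# Constructed from the thread: the file that produced "no sig" ...
BEFORE = '127.:allow,RELAYCLIENT="",' + KEY + "\n" + DEFAULT + "\n"
# ... and the same file with DKSIGN added to the second rule.
AFTER = '127.:allow,RELAYCLIENT="",' + KEY + "\n" + DEFAULT + "," + KEY + "\n"

if __name__ == "__main__":
    print("before:", unsigned_allow_rules(BEFORE))
    print("after: ", unsigned_allow_rules(AFTER))
```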
[qmailtoaster] domainkeys guide
Hey all,

been working off and on all week on getting a guide to setting up domainkeys on the wiki. I probably left some stuff out, and may be wrong on some minor technical stuff, but that's why i put it on the wiki, so others can change and add. i've set up 4 domains with domainkeys, and this is the method i've used. hope this is helpful.

also - i forgot to put in there that i used Nick's existing guides and emails, along with some of the other mailing-list users emails in the guide.

http://wiki.qmailtoaster.com/index.php/Domainkeys

thanks all!

Dewain
Re: [qmailtoaster] domainkeys guide
Very nice.

You may want to add that DomainKeys can't be used in conjunction with a smart host. So if you define a ':mail.isp.com' in smtproutes, then DomainKeys will always fail.

Erik

On 5/26/06, Dewain Riddle [EMAIL PROTECTED] wrote:
> Hey all,
>
> been working off and on all week on getting a guide to setting up domainkeys on the wiki. I probably left some stuff out, and may be wrong on some minor technical stuff, but that's why i put it on the wiki, so others can change and add. i've set up 4 domains with domainkeys, and this is the method i've used. hope this is helpful.
>
> also - i forgot to put in there that i used Nick's existing guides and emails, along with some of the other mailing-list users emails in the guide.
>
> http://wiki.qmailtoaster.com/index.php/Domainkeys
>
> thanks all!
>
> Dewain