RE: [qmailtoaster] Re: qmail-dk and DKIM status
Eric,

Glad to help if I can. I am not a developer or even a packaging person. Where would I find the qmail.spec file?

Helmut

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Thursday, November 20, 2014 11:22 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: qmail-dk and DKIM status

On 11/18/2014 03:40 PM, Helmut Fritz wrote:
> I ran into an issue with the dreaded and familiar "Transaction failed
> 554 qmail-dk: Cannot sign message due to invalid message syntax. (#5.3.0)".
>
> I checked and sure enough my system was using qmail-dk. I had 'fixed'
> that years ago, but I have recently updated my toaster (with the clamav
> release). So if I do a complete rebuild it seems to put this back to
> default?
>
> I thought DKIM was going to be disabled in the toaster until working?
> did it slip back in somehow?
>
> Also, what is the status of this? are we just going to say goodbye to
> DKIM? Is it really needed? My guess is no since most of us are
> probably doing without it? or did I miss something somewhere?
>
> Thx!
>
> Helmut
>

I'd have to look at the qmail.spec file to know for sure what the default is. I know I left the program in the package just in case someone was using it successfully.

DKIM would be nice to have, but it's not necessary. DKIM is preferred these days, and the wiki has instructions for setting that up, although I haven't done so myself.

I'm sorry if a reinstall broke your setup. If you'd care to modify the spec so that the default doesn't use it, feel free to do so and issue a pull request for the change. I'll be happy to have you do that.

Thanks.

--
-Eric 'shubes'

To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] Re: qmail-dk
On 6/26/2014 9:47 PM, Eric Shubert wrote:

On 06/26/2014 06:41 PM, Gary Bowling wrote:

Update, I just changed my tcp.smtp to what I have listed below and then linked to qmail-queue.orig and continued to get these.

qmail-smtpd: qq soft reject (mail server temporarily rejected message (#4.3.0)

When I leave the tcp.smtp as set at the bottom and link back to qmail-dk I get this error on some messages.

qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to invalid message syntax. (#5.3.0)

Due to the 2nd error, I would really like to get rid of qmail-dk, but every time I link back to the qmail-queue.orig I get the soft rejects on ALL mail. Is it something in my tcp.smtp or is it something else?

For now I have put it back to qmail-dk, at least I get most of the mail with the hard rejects only happening on some emails.

Thanks, gb

On 6/26/2014 9:21 PM, Gary Bowling wrote:

I recently had some problems with some domain key errors. Following the suggestions in the list, I tried to disable domain keys by doing a "ln -sf qmail-queue.orig qmail-queue"

However, when I did this it completely broke my server, I could not send or receive any email, I would get this error in the smtp logs.

qmail-smtpd: qq soft reject (mail server temporarily rejected message (#4.3.0)

I think it has to do with my tcp.smtp rules. Over the years I have probably gotten this thing out of whack. I have simscan 1.4 and pretty much wish to use it to scan everything. There really isn't anything unusual about my server. Can I get some help with what my tcp.smtp file is supposed to look like? Here's what it is now.

127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private",QMAILQUEUE="/var/qmail/bin/simscan"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/%/private"

It sounds like the latest recommendation is to get rid of qmail-dk and use the qmail-queue.orig, if I do that here's what I think my tcp.smtp should look like, will this work? Suggestions on making it better?

127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/simscan"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"

Thanks for the help, gb

What are your permissions on qmail-queue.orig? Should be:

lrwxrwxrwx 1 root root 16 Mar 24 11:31 /var/qmail/bin/qmail-queue -> qmail-queue.orig
-rws--x--x 1 qmailq qmail 22348 Mar 24 11:18 /var/qmail/bin/qmail-queue.orig

tcp.smtp should have:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",NOP0FCHECK="1"

as the last line. The 127. line is only for using squirrelmail with no authentication. It's better to configure SM to authenticate, then you don't need the 127. line in tcp.smtp. This change will be stock soon if it isn't already.

Eric, that worked once I got the rws--x--x permissions on qmail-queue.orig. Now I have to figure out how to set squirrelmail with auth, but that's for another day.

Thanks for the help as always!

GB
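The three conditions from the exchange above (symlink target, `-rws--x--x` on qmail-queue.orig, no DomainKeys variables left in tcp.smtp) can be checked with one shell function. This is an added example, not part of the original thread or of the QmailToaster packages; the function name, its arguments and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit the queue setup discussed above.
# Usage: audit_qmail_queue BIN_DIR TCP_SMTP_FILE [OWNER] [GROUP]
#   BIN_DIR        directory holding qmail-queue (e.g. /var/qmail/bin)
#   TCP_SMTP_FILE  path to your tcp.smtp rules file (location is site-specific)
# Returns 0 when every check passes, 1 otherwise; findings go to stdout.
# Assumes GNU coreutils stat (-c format option).
audit_qmail_queue() {
    bin_dir=$1
    tcp_smtp=$2
    want_owner=${3:-qmailq}
    want_group=${4:-qmail}
    rc=0

    # 1. qmail-queue must be a symlink to qmail-queue.orig (not qmail-dk).
    target=$(readlink "$bin_dir/qmail-queue" 2>/dev/null) || target=""
    if [ "$target" != "qmail-queue.orig" ]; then
        echo "FAIL: qmail-queue -> ${target:-not a symlink or missing}"
        rc=1
    fi

    # 2. qmail-queue.orig must be setuid: -rws--x--x (4711) qmailq:qmail.
    #    In the thread, restoring this mode cleared the
    #    "qq soft reject (#4.3.0)" errors on all mail.
    meta=$(stat -c '%a %U %G' "$bin_dir/qmail-queue.orig" 2>/dev/null) || meta=""
    if [ "$meta" != "4711 $want_owner $want_group" ]; then
        echo "FAIL: qmail-queue.orig is '${meta:-missing}', want '4711 $want_owner $want_group'"
        rc=1
    fi

    # 3. No tcp.smtp rule should still set the DomainKeys variables.
    if [ ! -r "$tcp_smtp" ]; then
        echo "FAIL: cannot read $tcp_smtp"
        rc=1
    elif grep -nE 'DK(SIGN|VERIFY|QUEUE)=' "$tcp_smtp"; then
        echo "FAIL: DomainKeys variables still set in $tcp_smtp"
        rc=1
    fi

    return "$rc"
}
```

Run it as root against the live directory, for example `audit_qmail_queue /var/qmail/bin path/to/tcp.smtp`; the matching rule lines are printed with their line numbers.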
Re: [qmailtoaster] Re: qmail-dk
On 6/26/2014 9:47 PM, Eric Shubert wrote:

On 06/26/2014 06:41 PM, Gary Bowling wrote:

Update, I just changed my tcp.smtp to what I have listed below and then linked to qmail-queue.orig and continued to get these.

qmail-smtpd: qq soft reject (mail server temporarily rejected message (#4.3.0)

When I leave the tcp.smtp as set at the bottom and link back to qmail-dk I get this error on some messages.

qmail-smtpd: qq hard reject (qmail-dk: Cannot sign message due to invalid message syntax. (#5.3.0)

Due to the 2nd error, I would really like to get rid of qmail-dk, but every time I link back to the qmail-queue.orig I get the soft rejects on ALL mail. Is it something in my tcp.smtp or is it something else?

For now I have put it back to qmail-dk, at least I get most of the mail with the hard rejects only happening on some emails.

Thanks, gb

On 6/26/2014 9:21 PM, Gary Bowling wrote:

I recently had some problems with some domain key errors. Following the suggestions in the list, I tried to disable domain keys by doing a "ln -sf qmail-queue.orig qmail-queue"

However, when I did this it completely broke my server, I could not send or receive any email, I would get this error in the smtp logs.

qmail-smtpd: qq soft reject (mail server temporarily rejected message (#4.3.0)

I think it has to do with my tcp.smtp rules. Over the years I have probably gotten this thing out of whack. I have simscan 1.4 and pretty much wish to use it to scan everything. There really isn't anything unusual about my server. Can I get some help with what my tcp.smtp file is supposed to look like? Here's what it is now.

127.:allow,RELAYCLIENT="",DKSIGN="/var/qmail/control/domainkeys/%/private",QMAILQUEUE="/var/qmail/bin/simscan"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",DKVERIFY="",QMAILQUEUE="/var/qmail/bin/simscan",DKQUEUE="/var/qmail/bin/qmail-queue.orig",DKSIGN="/var/qmail/control/domainkeys/%/private"

It sounds like the latest recommendation is to get rid of qmail-dk and use the qmail-queue.orig, if I do that here's what I think my tcp.smtp should look like, will this work? Suggestions on making it better?

127.:allow,RELAYCLIENT="",QMAILQUEUE="/var/qmail/bin/simscan"
:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan"

Thanks for the help, gb

What are your permissions on qmail-queue.orig? Should be:

lrwxrwxrwx 1 root root 16 Mar 24 11:31 /var/qmail/bin/qmail-queue -> qmail-queue.orig
-rws--x--x 1 qmailq qmail 22348 Mar 24 11:18 /var/qmail/bin/qmail-queue.orig

tcp.smtp should have:

:allow,BADMIMETYPE="",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="50",CHKUSER_WRONGRCPTLIMIT="10",QMAILQUEUE="/var/qmail/bin/simscan",NOP0FCHECK="1"

as the last line. The 127. line is only for using squirrelmail with no authentication. It's better to configure SM to authenticate, then you don't need the 127. line in tcp.smtp. This change will be stock soon if it isn't already.

Thanks Eric, I have this for permissions.

lrwxrwxrwx 1 root root 16 Jun 26 20:50 qmail-queue -> qmail-queue.orig
-rwx--x--x 1 qmailq qmail 24776 Sep 3 2012 qmail-queue.orig

Looks like I need to set the sticky bit on qmail-queue.orig, I'll try that. I'll also mod up the tcp.smtp and let you know.

Gb
RE: [qmailtoaster] Re: qmail-dk
Scott,

Are all three of those necessary? Desired? What if one has SPF records but does not implement DKIM?

Personally I have been running without DKIM. The most trouble I have had has been with AOL, but I implemented a feedback loop and all seems good so far. I have had occasional problems with SBCGlobal as well, but only when a registration process for an event creates a flood of emails to a particular email address (the event organizer).

The only issue there is that there is no real way to follow up on a complaint from AOL. Someone can report an email as a SPAM, AOL forwards it to the feedback email address, but removes the reporting email address to protect their customer. So now I cannot actually have that email address removed from the list that sent the email. And even though removal links are included in all list emails sent (I run the system for my client) the spam reporter does not bother to use those and just reports it to AOL abuse. arrgh!

-----Original Message-----
From: Scott Hughes [mailto:sc...@renshawauto.net]
Sent: Wednesday, April 27, 2011 11:10 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] Re: qmail-dk

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Wednesday, April 27, 2011 12:06 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: qmail-dk

I would like to see opinions about this as well.

Most of my QMT hosts have been on dynamic IPs in the past, so they use a smarthost relay. A few have been converted to static IPs recently, and I'm in the process of converting them to send mail out directly. I expect there will be a few hoops to jump through, for instance with yahoo.

We should probably have a wiki page that addresses deliverability issues. Some are probably already covered in the faqs.

Does anyone have any insights they'd care to share?

--

I have found that SPF / DomainKeys / DKIM increases the correct delivery to services like MSN, Yahoo, Gmail, etc whereas before some of our emails would go into the Spam folder instead of the Inbox.

Scott

Qmailtoaster is sponsored by Vickers Consulting Group (www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
Please visit qmailtoaster.com for the latest news, updates, and packages.
RE: [qmailtoaster] Re: qmail-dk
-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Wednesday, April 27, 2011 12:06 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: qmail-dk

I would like to see opinions about this as well.

Most of my QMT hosts have been on dynamic IPs in the past, so they use a smarthost relay. A few have been converted to static IPs recently, and I'm in the process of converting them to send mail out directly. I expect there will be a few hoops to jump through, for instance with yahoo.

We should probably have a wiki page that addresses deliverability issues. Some are probably already covered in the faqs.

Does anyone have any insights they'd care to share?

--

I have found that SPF / DomainKeys / DKIM increases the correct delivery to services like MSN, Yahoo, Gmail, etc whereas before some of our emails would go into the Spam folder instead of the Inbox.

Scott
RE: [qmailtoaster] Re: qmail-dk
AT&T/Bellsouth (now part of Yahoo's email) have always been difficult for deliverability from private mail servers. This is even evident when using static IP's on commercial lines (T1/T3/SHDSL).

-P. Ring

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Wednesday, April 27, 2011 12:06 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: qmail-dk

I would like to see opinions about this as well.

Most of my QMT hosts have been on dynamic IPs in the past, so they use a smarthost relay. A few have been converted to static IPs recently, and I'm in the process of converting them to send mail out directly. I expect there will be a few hoops to jump through, for instance with yahoo.

We should probably have a wiki page that addresses deliverability issues. Some are probably already covered in the faqs.

Does anyone have any insights they'd care to share?

--
-Eric 'shubes'

On 04/27/2011 09:46 AM, Helmut Fritz wrote:
> Thx Eric. Yeah I was more pointing out the scripts.
>
> I will check out Jakes, and it would be great to get opinions on DKIM.
>
> Necessary?
>
> Or just good to do?
>
> Or not really needed?
>
> Helmut
>
> -----Original Message-----
> From: Eric Shubert [mailto:e...@shubes.net]
> Sent: Wednesday, April 27, 2011 7:43 AM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: [qmailtoaster] Re: qmail-dk
>
> On 04/26/2011 09:04 PM, Helmut Fritz wrote:
>> Hello!
>>
>> I am running latest version of toaster and had a client run into the
>> qmail-dk signing issue last night - with only one email recipient. He
>> tried multiple times to send the email - same thing.
>>
>> "554 qmail-dk: Cannot sign message due to invalid message syntax. (#5.3.0)"
>
> There are very rare (unidentified) circumstances where this error occurs.
>
>> Is it still best practice to unlink qmail-dk and use qmail-queue.orig?
>
> TTBOMK, yes.
>
>> Is there a good way to use DKSIGNing? I found a reference to some
>> scripts by a Kyle Wheeler.
>>
>> http://qmail.jms1.net/patches/domainkeys.shtml
>
> JMS recommends *not* patching qmail to implement DK. Kyle's method
> uses perl scripts, which is much more flexible.
>
> See http://www.memoryhole.net/qmail/#dkim
>
> I haven't implemented Jake's DKIM scripts yet personally. I suspect
> they're the same as Kyle's, but I'm not sure. Would someone care to
> compare these with what Jake's video uses and verify if they're the
> same or not? If they're not the same, I'd like to see a comparison.
>
>> is DKSIGNing necessary or suggested? Is qmail-dk now reliable and
>> something different caused the issue with this one recipient address?
>
> If DK isn't yet deprecated, it probably should be. DKIM is preferable.
>
> DKIM is not required. It *may* affect deliverability to some
> destinations, but I'm not sure to what degree. Someone else may have
> some experiences to share in this area.
>
> --
> -Eric 'shubes'
RE: [qmailtoaster] Re: qmail-dk
Thx Eric. Yeah I was more pointing out the scripts.

I will check out Jakes, and it would be great to get opinions on DKIM.

Necessary?

Or just good to do?

Or not really needed?

Helmut

-----Original Message-----
From: Eric Shubert [mailto:e...@shubes.net]
Sent: Wednesday, April 27, 2011 7:43 AM
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Re: qmail-dk

On 04/26/2011 09:04 PM, Helmut Fritz wrote:
> Hello!
>
> I am running latest version of toaster and had a client run into the
> qmail-dk signing issue last night - with only one email recipient. He
> tried multiple times to send the email - same thing.
>
> "554 qmail-dk: Cannot sign message due to invalid message syntax. (#5.3.0)"

There are very rare (unidentified) circumstances where this error occurs.

> Is it still best practice to unlink qmail-dk and use qmail-queue.orig?

TTBOMK, yes.

> Is there a good way to use DKSIGNing? I found a reference to some
> scripts by a Kyle Wheeler.
>
> http://qmail.jms1.net/patches/domainkeys.shtml

JMS recommends *not* patching qmail to implement DK. Kyle's method uses perl scripts, which is much more flexible.

See http://www.memoryhole.net/qmail/#dkim

I haven't implemented Jake's DKIM scripts yet personally. I suspect they're the same as Kyle's, but I'm not sure. Would someone care to compare these with what Jake's video uses and verify if they're the same or not? If they're not the same, I'd like to see a comparison.

> is DKSIGNing necessary or suggested? Is qmail-dk now reliable and
> something different caused the issue with this one recipient address?

If DK isn't yet deprecated, it probably should be. DKIM is preferable.

DKIM is not required. It *may* affect deliverability to some destinations, but I'm not sure to what degree. Someone else may have some experiences to share in this area.

--
-Eric 'shubes'