Re: [dkim-milter-discuss] failed to verify for missing body message using simple canonicalization

2007-11-20 Thread Scott Kitterman
On Tuesday 20 November 2007 15:16, Murray S. Kucherawy wrote:
 On Tue, 20 Nov 2007, Janet N wrote:
  How do I enable DKIM Filter to ignore the Body message if it is missing?
 
  I've sent an email with a missing Body message and it failed to verify.
  I am running DKIM Filter v2.2.0 with Canonicalization relaxed/relaxed.
 
  I've tried switching the Canonicalization to simple, but DKIM still
  expects a body message :(

 The filter will accept a message with an empty body without difficulty.

 The message should verify against any autoresponder with relaxed body
 canonicalization, but we had a bug in libdkim so the simple body case
 was not interoperable.  This is fixed in 2.4.0 (now in Beta).  However,
 the simple case should verify the same way against our own autoresponder
 since the flaw is symmetric.

 If you are sending empty messages and getting verification failures, it
 could be that an intermediate MTA is adding a blank line to the null
 message body.  That's just a guess though.

The DKIM RFC is ambiguous in how empty message bodies are to be dealt with.
Hopefully the consensus view at the DKIM interop event will prevail and these
transient issues will fade soon.

Scott K

___
dkim-milter-discuss mailing list
dkim-milter-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
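
The empty-body case discussed in this thread, as an added example (not code from dkim-milter, libdkim or the posters): it computes the `bh=` body hash for a null body, and for the same body after a relay has appended a blank line, under both body canonicalizations. It assumes the rules as later written down in RFC 6376 sections 3.4.3 and 3.4.4 and a CRLF-normalized body; `raw_hash` is a hypothetical implementation that skips the trailing-empty-line rule, not a description of the libdkim bug.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(CRLF + CRLF):
        body = body[:-2]
    if body in (b"", CRLF):
        return CRLF  # an empty body canonicalizes to a single CRLF
    return body if body.endswith(CRLF) else body + CRLF

def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: squeeze whitespace runs, drop trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else b""  # empty body stays empty

CANON = {"simple": canon_simple, "relaxed": canon_relaxed}

def body_hash(body: bytes, canon: str) -> str:
    """Value of the bh= tag for an rsa-sha256 signature."""
    digest = hashlib.sha256(CANON[canon](body)).digest()
    return base64.b64encode(digest).decode("ascii")

def raw_hash(body: bytes) -> str:
    """Hypothetical: hash the body bytes exactly as received."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")

# Constructed inputs: a null body, and the same body with one blank line added.
NULL_BODY = b""
WITH_BLANK_LINE = b"\r\n"

def report() -> dict:
    """bh= for every (input, canonicalization) pair."""
    return {
        (name, canon): body_hash(body, canon)
        for name, body in (("null", NULL_BODY), ("blank-line", WITH_BLANK_LINE))
        for canon in CANON
    }

if __name__ == "__main__":
    for key, bh in report().items():
        print(key, bh)
    print("raw:", raw_hash(NULL_BODY), raw_hash(WITH_BLANK_LINE))
```

With these rules an added blank line does not change `bh=` in either mode, while simple and relaxed give different hashes for the same null body, so a signer and verifier that disagree on the empty-body rule will fail on every such message.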


Re: [dkim-milter-discuss] Bug with UseASPDiscard

2008-04-23 Thread Scott Kitterman
On Tue, 22 Apr 2008 15:19:53 -0700 (PDT) Murray S. Kucherawy 
[EMAIL PROTECTED] wrote:
A bug has been identified with the UseASPDiscard feature.  Its use 
through version 2.5.4 of dkim-milter is not advised.

A tested patch is available, attached to bug #1947301 on SourceForge, if 
you want a fix before the next release.  As usual though, when there are 
non-trivial bugs open, you're likely to see a patch release around the end 
of this week.

Your timing was good.  I got this uploaded to Ubuntu Hardy less than 4 
hours before the archives closed.  Thanks for letting us know.

Scott K



Re: [dkim-milter-discuss] Postfix installation instructions?

2008-04-25 Thread Scott Kitterman
On Friday 25 April 2008 18:24, Doug Kingston wrote:
 OpenSUSE already packages dkim-milter in their contrib section and there
 is a README.suse_postfix there.  They also have other config changes and
 supporting template files to complete the package.  I include their README
 here.

 -Doug-

...
 What you need to use DKIM with postfix?

 - Postfix 2.4.x, openssl 0.9.8x

I'm surprised libmilter and DB aren't on that list too.

Does OpenSUSE chroot Postfix by default?


Scott K



Re: [dkim-milter-discuss] debian/ubuntu openssl applies to dkim keys

2008-05-17 Thread Scott Kitterman
On Sat, 17 May 2008 13:30:27 +1000 Daniel Black 
[EMAIL PROTECTED] wrote:
On Sat, 17 May 2008 12:31:37 am Mike Markley wrote:
 On Fri, May 16, 2008 at 07:42:14AM +1000, Daniel Black 
[EMAIL PROTECTED] wrote:
  i'm hoping people have picked this up however just fyi, dkim-genkey uses
  openssl to generate DKIM keys (rsa).
 
  http://www.debian.org/security/2008/dsa-1571
 
  http://www.ubuntu.com/usn/usn-612-1

 Indeed, and thanks for the notice. Scott Kitterman (who maintains the
 Ubuntu package) mentioned this to me (as the Debian maintainer), and I'm
 working on an upload that will draw attention to this and urge
 recreation of any compromised keys found in the configuration.

 In the meantime, concerned Debian users certainly don't need to wait on
 me to recreate their keys :).

 Worth noting as well is the fact that this also applies to dk-milter's
 gentxt.csh (or to any keys generated for either with Debian's OpenSSL).

Thanks Mark,

Packaging questions for you are:
should /var/db/dkim/ be created as you've referred to it in 
the /usr/share/doc/dkim-filter/examples/dkim-filter.conf.sample.gz 

README.Debian refers to gentxt.csh in the examples directory (which it 
isn't)
and dkim-genkey is included.

Mark and I had already discussed that issue.  It used to be gentxt.csh.  I 
believe he intends to address this in his next upload.

I've written the following which you (and anyone else) are free to edit and
redistribute to http://wiki.debian.org/SSLkeys or
http://www.debian.org/security/key-rollover/

Dkim-filter uses RSA keys to generate digital signatures.

It is recommended that you regenerate a new key on a new selector.

Steps:

1. Use dkim-genkey or the instructions
(/usr/share/doc/dkim-filter/README.Debian) to generate a new key using an
unused selector name.

mkdir -p /var/db/dkim/
dkim-genkey -s {{selectorname}} -d {{mydomain.org}} -D /var/db/dkim

2. Publish this new key in DNS.

Public key dns record is listed in /var/db/dkim/{{selectorname}}.txt

Add {{t=y;}} if you are still testing (refer to RFC 4871)

3. edit /etc/dkim-filter.conf as follows
{{Selector}} set to the new selector name {{selectorname}}
{{KeyFile}} set to new RSA private key 
filename /var/db/dkim/{{selectorname}}.private

4. remove old key and restart dkim-filter

# rm /var/db/dkim/{{oldselector}}.*
# /etc/init.d/dkim-filter restart

5. After about 3 days to allow for email delivery delays
remove old selector from DNS


I think these instructions would be useful for standard key transitions, but
I wonder if it is appropriate here.

These keys should be considered compromised and so, unless the domain has a 
very restrictive ADSP policy, I think the selector should be pulled 
immediately.  If you've got a very restrictive ADSP policy, then I'd drop 
the ADSP record, wait the TTL of the record, and then pull the selector.

Signing with the new selector could start as soon as the key record is
published.  After 3-4 days the old ADSP may be restored.

Scott K
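
A check that fits between publishing the new key and removing the old one in the procedure quoted above, as an added example (not part of the thread or of dkim-milter): it parses a selector TXT line as it would appear in a zone file and reports whether the key is active, flagged as testing (`t=y`) or revoked (an empty `p=`, which RFC 4871 defines as a revoked key). The record contents, selector names and function names are constructed for illustration, and the `p=` value is placeholder base64, not a real key.

```python
import base64
import binascii
import re

def parse_key_record(zone_line: str) -> dict:
    """Split one zone-file TXT line into its owner name and DKIM tag=value pairs."""
    owner = zone_line.split()[0]
    # A TXT record may be published as several quoted strings; join them in order.
    txt = "".join(re.findall(r'"([^"]*)"', zone_line))
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return {"owner": owner, "tags": tags}

def selector_state(zone_line: str) -> dict:
    """Classify a selector record as active, revoked or invalid, and note t=y."""
    rec = parse_key_record(zone_line)
    tags, problems = rec["tags"], []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected v= value")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa")
    p = tags.get("p")
    if p is None:
        state = "invalid"
        problems.append("no p= tag")
    elif p == "":
        state = "revoked"  # empty p= means the key has been revoked
    else:
        try:
            base64.b64decode(p, validate=True)
            state = "active"
        except binascii.Error:
            state = "invalid"
            problems.append("p= is not valid base64")
    return {
        "selector": rec["owner"].split("._domainkey")[0],
        "state": state,
        "testing": "y" in tags.get("t", "").split(":"),
        "problems": problems,
    }

# Constructed records; the p= value is placeholder base64, not a real key.
NEW_RECORD = 'mail2008b._domainkey IN TXT "v=DKIM1; k=rsa; t=y; p=QUJD" "REVG" ; new selector'
OLD_RECORD = 'mail2007._domainkey IN TXT "v=DKIM1; k=rsa; p=" ; old selector, key withdrawn'

if __name__ == "__main__":
    for line in (NEW_RECORD, OLD_RECORD):
        print(selector_state(line))
```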



Re: [dkim-milter-discuss] System V init script for Red Hat

2008-05-18 Thread Scott Kitterman
 I have seen several System V init scripts from source and from different
 RedHat/Fedora src.rpm packages, but none of them appear to include code
 for
 using the -x switch and using a .conf file?  Is this a correct
 assumption?

 As I am using some of the options that are only available via the .conf
 file,
 I was  wondering if there is a version of the init script that checks for
 the
 configuration file, and uses the -x switch?


The Debian package (and the Ubuntu package derived from it) do.

Scott K



Re: [dkim-milter-discuss] DKIM restarting

2008-07-07 Thread Scott Kitterman
On Monday 07 July 2008 13:33, Zbigniew Szalbot wrote:
 Hello,

 Scott Kitterman:
  On Monday 07 July 2008 12:40, Murray S. Kucherawy wrote:
  On Mon, 23 Jun 2008, Zbigniew Szalbot wrote:
  Jun 21 20:02:43 relay postfix/cleanup[39722]: warning: milter
  inet:127.0.0.1:4445: can't read SMFIC_BODYEOB reply packet header:
  Unknown error: 0
  Jun 21 20:02:43 relay dkim-filter[783]: terminated with signal 11,
  restarting Jun 21 20:02:43 relay dkim-filter[39913]: Sendmail DKIM
  Filter v2.6.0 starting (args: -l -p inet:[EMAIL PROTECTED] -u mailnull -P
  /var/run/milterdkim/pid -x /usr/local/etc/mail/dkim-filter.conf)
 
  Unfortunately, I no longer have this message. Is there a configuration
  setting that would let me know about service restart (by email for
  example)? It would make it easier to check for offending message.
  Thanks!
 
  This is a known problem.  I've looked into it with the help of some
  other list participants, but so far I don't have a solution.  Oddly, it
  only appears on systems where Postfix is the MTA in use.
 
  The forensic data I've been shown suggests that something is closing the
  socket that connects the filter to the MTA improperly, but it's very
  hard to determine where or how that's happening.
 
  I have a vague recollection of this coming up on postfix-users and being
  related to assumptions about buffer sizes that were unfortunate and it
  being fixed, but have been unable to find it in the archive.  IIRC the OP
  is on Debian.  There are newer Postfix packages on backports.org.  You
  ought to see if you can replicate the problem with a newer Postfix.

 Not sure where from you gather I am on Debian :), because I am a happy
 FreeBSD user, but this is not important here.

 I am using postfix-2.5.1_2,1, which I think is pretty much the latest
 version available.


Sorry about that.  I must have confused the threads.  I haven't seen anything 
like that myself since 2.3.

Scott K



Re: [dkim-milter-discuss] dkim-filter fails to process mail

2008-07-08 Thread Scott Kitterman
On Tue, 8 Jul 2008 16:46:15 -0700 (PDT) Murray S. Kucherawy 
[EMAIL PROTECTED] wrote:
On Tue, 8 Jul 2008, Ron Echeverri wrote:
 That did it.  I would say that if 8.13.1's libmilter lacks SMFIC_DATA, 
 then the DEPENDENCIES section of the dkim-filter README needs to be 
 updated:

 o sendmail v8.13.0 (or later), and libmilter from the same distribution
  (http://www.sendmail.org)

Actually it's correct if you're using sendmail.  The sendmail MTA will 
detect that you're running an older libmilter and downgrade its use of the 
protocol accordingly (and vice-versa).

Apparently either postfix makes some assertions about what version of 
milter will be used by filters, or the version it's using is configurable 
and defaults to the newest stuff with no automatic back-compatibility.  In 
either case, that's something postfix should document.

If someone wants to provide some appropriate postfix-specific text for the 
README, I'd be happy to include it.

Postfix does have a setting for milter protocol version.  If no one else 
comes up with it, I'll provide something.

Scott K



Re: [dkim-milter-discuss] dkim-filter crash bug and workaround

2009-01-07 Thread Scott Kitterman
On Wednesday 07 January 2009 15:05, Murray S. Kucherawy wrote:
 This affects all versions from 2.5.0 to 2.7.2.
...
 If people want or need a patch to 2.7.2 while waiting for 2.8.0 or would
 rather do that than upgrade right away to a new release, I can produce a
 2.7.3 or just post a source patch here.  Please let me know if you have
 such requirements.

This affects two Ubuntu versions that are post-release and I'll have to patch 
if I am to fix them, so a patch would be handy.  It's 2.5.4 and 2.6.0 if it 
matters.

Scott K



Re: [dkim-milter-discuss] Use Envelope Sender domain to send mails

2009-07-07 Thread Scott Kitterman
On Tue, 07 Jul 2009 13:48:09 +0530 ram r...@netcore.co.in wrote:
Hi,

  I am using postfix  dkim-milter. How do I configure dkim-milter to
add signatures using domain in Envelope-sender and not the header-From: 

Signing From is required.

What problem are you trying to solve?

Scott K



Re: [dkim-milter-discuss] RSA_verify: bad signature

2010-07-07 Thread Scott Kitterman


Robert Schetterer rob...@schetterer.org wrote:

On 30.04.2010 18:25, Simon Bell wrote:
 Hi, I am running postfix with dkim-milter. I sign out-going mail and
 verify incoming. When my mail server receives from google or yahoo,
 all seems to be fine, I get:
 --
 dkim-filter: DKIM verification successful
 --
 But mail from 'bluebottle' email gives me this error:
 --
 dkim-filter: DKIM verification successful
 dkim-filter: s=fe0 d=bluebottle[dot]com SSL error:04077068:rsa
 routines:RSA_verify:bad signature
 --
 
 Could someone help me understand what the error means and if it is
 something wrong with my server?
 
got the same now for i.e xing.com under ubuntu lucid
v2.8.3 running in only verify mode
someone any ideas  ?

For Ubuntu Lucid, I would recommend switching to opendkim. Unlike dkim-milter, 
this fork is actively maintained and has some significant bug fixing beyond 
what was ever done for dkim-milter.

I've done the switch on several systems and it's pretty trivial.

Scott K



Re: [dkim-milter-discuss] internal error from libdkim: ar_addquery() failed

2012-03-27 Thread Scott Kitterman
On Tuesday, March 27, 2012 09:00:40 PM Benny Baumann wrote:
 I'm having some trouble with the dkim-milter package. Currently I'm
 using the package from Debian Testing (2.8.2).

Switch to opendkim.  dkim-milter is dead.  The opendkim package in Testing 
(which I co-maintain) has the current release.  If you find that fixes your 
problems, please file a bug against dkim-milter.  It'll help me get it removed 
so it doesn't get released with Wheezy.

Scott K



Re: [dkim-milter-discuss] DKIM-Milter - dkim show as neutral (bad format).

2012-06-29 Thread Scott Kitterman
On Friday, June 29, 2012 05:44:12 PM Hiren Mistry wrote:
 Hi,
 
 I have configured Zimbra 7.0 mail server with community edition, I have
 tried to install DKIM-Milter. I got DKIM-Signature in mail headers
 but in Authentication-Results: the dkim shows as *neutral (bad format)*.
 I also observe, when we communicate with Gmail, mail goes into
 spam on both sides (Incoming & Outgoing).
 I have copied full mail headers below. Can anyone please help to
 resolve this issue?

dkim-milter is unmaintained, buggy, and obsolete.  Use the more modern fork, 
opendkim, instead.  See opendkim.org.

Scott K



Re: [dkim-milter-discuss] dkim-milter does not sign emails in some headers order (aka no sender header found)

2012-08-17 Thread Scott Kitterman
On Friday, August 17, 2012 05:51:18 PM Ilyas -- wrote:
...
 Somebody knows how to fix my problem?
...
The first thing to try is switching to opendkim (it is a maintained fork of 
dkim-milter) because dkim-milter has been unmaintained for years and is known 
to be buggy in many respects.  See opendkim.org.

Scott K
