Dear Jake,
I have changed my config file qmail-remote as follows:
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha256" domain="/var/qmail/control/me"
keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />
</global>
<!-- use dkim + domainkey for example.com -->
<gnvfc.net selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</gnvfc.net>
<nprocure.com selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</nprocure.com>
<npay.in selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</npay.in>
<ncode.in selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</ncode.in>
<!-- no signing for example2.com -->
<example2.com />
</dkimsign>
But I have another issue now. Before install dkim i was already using
DomainKeys and have a folder for domain in keys in my control dir and it was
working fine till the day I installed DKIM. now my mails are getting singed
twice for domainkeys after putting new qmail-remote file.
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
acali...@gnvfc.net designates 203.77.193.20 as permitted sender)
smtp.mail=acali...@gnvfc.net; dkim=neutral (no key) header...@gnvfc.net
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gnvfc.net; h=message-id
:reply-to:from:to:cc:subject:date:mime-version:content-type; q=
dns; s=dkim1; b=oPBhLaC3ThBMUn8wFl4ZFpJYlqdXplzczaVB1iESxqGLGIUR
vkmItNyTFpuMtFtMrzfFQ4oqNEXMZ96dIfKbCPCQYdpvA7BgkqhZvzTOkYoZIPcT
oWPvmfhjT3T4n+aLwThDBn/QLNWbRccoObaYFBqEJwWeY5fxPbo0peZbY70=
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=gnvfc.net; h=message-id
:reply-to:from:to:cc:subject:date:mime-version:content-type; s=
dkim1; bh=iHUq0zWCNvVWpMdk41w7F+GJs8A=; b=lNVvKsVPYpDjDvGO5M3ib7
+ITzHwjluyLcDzy0DLiNvv3mmYuqSUJB72keCx5W5TJaKPJRtAkDSSxKP7vTyUB6
9/Xx2sQilYSGFXuhmWt2gGDBSyDd9g3ftSF2HlYEFr3CA48cr/wgLk60NsDQHB0x
iQDnbl7kfjVGoFo4R64Pc=
Received: (qmail 11637 invoked by uid 89); 3 Nov 2009 07:58:09 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=private; d=gnvfc.net;
b=2gAcG+kbzh8Etw72xpd/pQzg1uMKJ0ucro5sqtM3TSdK4eIM45uBC9/K3OlPthBbbhFzIDdxRnWIinELV6SHxx6UuYpd9fkwAoyvGkI/WbRSu0hJGCrYDAJjTFqm0gxShkolKzL4rJv9qRS4k2HzQAZGNtspZ5SJqyiumIyVFoE=;
Received: by simscan 1.4.0 ppid: 11631, pid: 11633, t: 0.0337s
scanners: attach: 1.4.0 clamav: 0.95.2/m:51/d:9979
Received: from unknown (HELO ANIL) (acali...@gnvfc.net@203.77.193.110)
How can discard old domainkeys not to sign mails instead use DIKM+Domainkeys
config. As I have used types <id="domainkey" method="nofws"/> in the above
config that means same keys will be used for DomainKeys as well, if i am wrong
and old domainkeys will not be used in this case.
To achieve the same i removed below mentioned line from tcp.smtp
DKSIGN="/var/qmail/control/domainkeys/%/private"
But after removing this line from tcp.smtp my clients are unable to deliver
mails with an server side error saying that it cannot read the key file to sign
the mail.
Regards,
Anil Aliyan
----- Original Message -----
From: Anil Aliyan
To: qmailtoaster-list@qmailtoaster.com
Sent: Tuesday, November 03, 2009 1:01 PM
Subject: Re: [qmailtoaster] DKIM Error
Dear Jake,
I am ready to provide all the details, please let me know what information or
config file you want to provide to you.
use strict;
use warnings;
our $VERSION = '0.2';
use Mail::DKIM 0.29;
use Mail::DKIM::Signer;
# enable support for "pretty" signatures, if available
eval 'require Mail::DKIM::TextWrap';
=head
config file structure
- missing settings will be merged from the global-node
- domain-entry will also match its subdomains
- create empty domain-node to omit signing (or specify "none" as id)
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha256" domain="/var/qmail/control/me"
keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="beta">
<types id="dkim" />
</global>
<!-- use dkim + domainkey for example.com -->
<example.com selector="beta2">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</example.com>
<!-- no signing for example2.com -->
<example2.com />
</dkimsign>
=cut
my $configfile = undef;
$configfile = '/var/qmail/control/dkim/signconf.xml';
my $debugfile = undef;
#$debugfile = '/tmp/dkim.debug';
my $qremote = '/var/qmail/bin/qmail-remote.orig';
my $binary = 0;
our $config;
$config->{'global'} = {
types => { dkim => {} },
keyfile => '/var/qmail/control/dkim/global.key',
algorithm => 'rsa-sha256',
method => 'simple',
selector => 'beta',
# either string or file (first line of file will be used)
domain => '/var/qmail/control/me'
};
#-------------------------------------------------------------------------------
# read config file. safely
if (defined($configfile) && -r $configfile)
{
eval 'use XML::Simple';
if (!$@)
{
my $xmlconf;
eval { $xmlconf = XMLin($configfile, ForceArray => ['types'], KeyAttr =>
['id']); };
qexit_deferral('Unable to read config file: ', $@)
if ($@);
ConfigMerge::merge($config, $xmlconf);
}
}
# open debug file
my $debugfh = undef;
if (defined($debugfile))
{
open($debugfh, '>', $debugfile)
or qexit_deferral('Unable to open ', $debugfile, ' to writing: ', $!);
}
# generate signatures
my $dkim;
my $mailbuf = '';
eval
{
my $conf = $config->{'global'};
$dkim = Mail::DKIM::Signer->new(
Policy => 'MySignerPolicy',
Debug_Canonicalization => $debugfh
);
if ($binary)
{
binmode STDIN;
}
while (<STDIN>)
{
$mailbuf .= $_;
unless ($binary)
{
chomp $_;
s/\015?$/\015\012/s;
}
$dkim->PRINT($_);
}
$dkim->CLOSE();
};
qexit_deferral('Error while signing: ', $@)
if ($@);
# close debug file
close($debugfh)
if (defined($debugfh));
# execute qmail-remote
unshift(@ARGV, $qremote);
open(QR, '|-') || exec { $ARGV[0] } @ARGV
or qexit_deferral('Unable to run qmail-remote: ', $!);
foreach my $dkim_signature ($dkim->signatures)
{
my $sig = $dkim_signature->as_string;
$sig =~ s/\015\012\t/\012\t/g;
print QR $sig."\012";
}
print QR $mailbuf;
close(QR);
#-------------------------------------------------------------------------------
sub qexit
{
print @_, "\0";
exit(0);
}
sub qexit_deferral
{
return qexit('Z', @_);
}
sub qexit_failure
{
return qexit('D', @_);
}
sub qexit_success
{
return qexit('K', @_);
}
#-------------------------------------------------------------------------------
package ConfigMerge;
# merge config hashes. arrays and scalars will be copied.
sub merge
{
my ($left, $right) = @_;
foreach my $rkey (keys(%$right))
{
my $rtype = ref($right->{$rkey}) eq 'HASH' ? 'HASH'
: ref($right->{$rkey}) eq 'ARRAY' ? 'ARRAY'
: defined($right->{$rkey}) ? 'SCALAR'
: '';
my $ltype = ref($left->{$rkey}) eq 'HASH' ? 'HASH'
: ref($left->{$rkey}) eq 'ARRAY' ? 'ARRAY'
: defined($left->{$rkey}) ? 'SCALAR'
: '';
if ($rtype ne 'HASH' || $ltype ne 'HASH')
{
$left->{$rkey} = $right->{$rkey};
}
else
{
merge($left->{$rkey}, $right->{$rkey});
}
}
return;
}
#-------------------------------------------------------------------------------
package MySignerPolicy;
use Mail::DKIM::SignerPolicy;
use base 'Mail::DKIM::SignerPolicy';
use Mail::DKIM::Signature;
use Mail::DKIM::DkSignature;
use Carp;
use strict;
use warnings;
sub apply
{
my ($self, $signer) = @_;
my $domain = undef;
$domain = lc($signer->message_sender->host)
if (defined($signer->message_sender));
# merge configs
while($domain)
{
if (defined($config->{$domain}))
{
$config->{'global'}->{'types'} = undef;
ConfigMerge::merge($config->{'global'}, $config->{$domain});
last;
}
(undef, $domain) = split(/\./, $domain, 2);
}
my $conf = $config->{'global'};
return 0
if (!defined($conf->{'types'}) || defined($conf->{'types'}->{'none'}));
# set key file
$signer->key_file($conf->{'keyfile'});
# parse (signature) domain
if (substr($conf->{'domain'}, 0, 1) eq '/')
{
open(FH, '<', $conf->{'domain'})
or croak('Unable to open domain-file: '.$!);
my $newdom = (split(/ /, <FH>))[0];
close(FH);
croak("Unable to read domain-file. Maybe empty file.")
if (!$newdom);
chomp($newdom);
$conf->{'domain'} = $newdom;
}
# generate signatures
my $sigdone = 0;
foreach my $type (keys(%{$conf->{'types'}}))
{
my $sigconf = $conf->{'types'}->{$type};
if ($type eq 'dkim')
{
$signer->add_signature(
new Mail::DKIM::Signature(
Algorithm => $sigconf->{'algorithm'} || $conf->{'algorithm'} ||
$signer->algorithm,
Method => $sigconf->{'method'} || $conf->{'method'} || $signer->method,
Headers => $sigconf->{'headers'} || $conf->{'headers'} || $signer->headers,
Domain => $sigconf->{'domain'} || $conf->{'domain'} || $signer->domain,
Selector => $sigconf->{'selector'} || $conf->{'selector'} || $signer->selector,
Query => $sigconf->{'query'} || $conf->{'query'},
Identity => $sigconf->{'identity'} || $conf->{'identity'},
Expiration => $sigconf->{'expiration'} || $conf->{'expiration'}
)
);
$sigdone = 1;
}
elsif ($type eq 'domainkey')
{
$signer->add_signature(
new Mail::DKIM::DkSignature(
Algorithm => 'rsa-sha1', # only rsa-sha1 supported
Method => $sigconf->{'method'} || $conf->{'method'} || $signer->method,
Headers => $sigconf->{'selector'} || $conf->{'headers'} || $signer->headers,
Domain => $sigconf->{'domain'} || $conf->{'domain'} || $signer->domain,
Selector => $sigconf->{'selector'} || $conf->{'selector'} || $signer->selector,
Query => $sigconf->{'query'} || $conf->{'query'}
)
);
$sigdone = 1;
}
}
return $sigdone;
}
Regards,
Anil Aliyan
----- Original Message -----
From: Jake Vickers
To: qmailtoaster-list@qmailtoaster.com
Sent: Monday, November 02, 2009 11:42 PM
Subject: Re: [qmailtoaster] DKIM Error
Anil Aliyan wrote:
Dear Jakes,
Please find some time to help resolve my problem also, will very greatful
to you.
Thanks & Regards,
Anil Aliyan
----- Original Message -----
From: Anil Aliyan
To: qmailtoaster-list@qmailtoaster.com
Sent: Saturday, October 31, 2009 2:28 AM
Subject: [qmailtoaster] DKIM Error
Jakes,
Please find the config file attached with this mail.
Pasting the config file into the email is easier for us to help you.
It looks like your config file may be wrong, depending on how you configured
your system.
Right now, your system is going to sign every domain sending email as the
domain listed in your /var/qmail/control/me file since you only defined a
global rule. This is fine if the me file only contain your domain name
(gnvfc.com) but you probably have your hostname in the me file as well
(mail.gnvfc.com) so it's signing using that domain.
You can define individual domains to sign for in this format:
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me"
keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
<types id="dkim" />
</global>
<gnvfc.com selector="dkim1">
<types id="dkim" />
</gnvcf>
</dkimsign>
----------------
This will inherit any declarations from the <global> tags that you do not
override (so it will inherit the algorithm="rsa-sha1", keyfile, method).
But without seeing how you configured other things it's hard to guess.
