Configuring DKIM for qmail

Hi,

the question of where to send error output of qmail-dkim came up in comments before. The problem is that qmail-dkim needs to behave differently depending on whether it acts as a qmail-queue replacement (incoming/verifying - excepting error messages on file descriptor 4 by default) or a qmail-remote filter (outgoing/signing, with errors supposed to be on stderr). Default for qmail-dkim is the former. The latter can be addressed by setting ERROR_FD=2 in the control/filterargs, like this:

*:remote:/var/qmail/bin/qmail-dkim:ERROR_FD=2,DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2

This way the error messages during signing at least show up in the logs (errors still only get treated as temporary ones that lead to a lot of retrying by qmail-send before giving up, but fixing that would require some standardization e.g. about meaning of exit codes of spawn filters). 

Unrelated to the issue that you are not seeing any errors (see other thread), I did make some additional small changes to improve qmail-dkim error reporting when signing outgoing messages. In particular, to properly report temporary vs. permanent errors back to qmail-send. The problem is that spawn-filter expects a different exit code behavior from its filters than what qmail-dkim returns (designed to be qmail-queue replacement, not a spawn filter), resulting in all errors treated as temporary (deferral). I fixed this by have spawn-filter understand the qmail-dkim result (88 exit code and decision encoded in stderr output). This should hopefully not break things as long as other filters don't use exit code 88 for anthing else. 

I also made a small change to qmail-dkim to report a missing From address in the email being signed as permanent rather than temporary error - in my view, this is not something that can resolve itself over time.

Patch is here. 

If I do a test like this

DOMAIN=domain.tld 
RSA2048_SELECTOR=default
MSG=/tmp/mail.txt

( 
echo "From: postmaster@${DOMAIN}" 
echo "To: postmaster@${DOMAIN}" 
echo "Subject: Test" 
echo "Date: $(date -R)" 
echo 
echo "Test message" 
) > ${MSG}

sudo -u qmailr env - \
  CONTROLDIR=/tmp/control \
  DKIMSIGN=/var/qmail/control/domainkeys/%/${RSA2048_SELECTOR} \
  DKIMSIGNOPTIONS="-z 2" \
  DKIMQUEUE=/bin/cat \
  ERROR_FD=2 \
  /var/qmail/bin/qmail-dkim < ${MSG}

I actually get an error on stderr

Dqmail-dkim: Could not parse private key (#5.7.5)

while nothing is showed when I don't declare ERROR_FD=2

But if I deliberately make qmail-dkim to break the signature I don't see any error line on qmail-send log. Why?

Here is what I am seeing in my logs for an email that has a DKIM error (e.g. no "From:" line) after adding ERROR_FD=2 to control/filterargs:

delivery 74: deferral: /var/qmail/bin/qmail-dkim:_(spawn-filter)_exit_code:_88:_Zqmail-dkim:_DKIMContext_structure_invalid_for_this_operation_(#4.3.0)._(#4.3.0)spawn_said:_Message_deferred

Before adding ERROR_FD=2, the error was something like (don't have the exact log copy any more):

delivery 74: deferral: /var/qmail/bin/qmail-dkim:_(spawn-filter)_exit_code:_53._(#4.3.0)spawn_said:_Message_deferred

Point being, something should show up in the logs if qmail-dkim is trying to output an error message. At least the non-zero exit code should be recorded by spawn-filter. 

Firstly, note that if you don't declare ERROR_FD, qmail-dkim should exit with an exit code like 53 (IIRC - error when trying to write the output to a non-existing file descriptor since it's trying to write to descriptor 4, which is not open). 

As for your question, what do you mean by "break the signature", what are you changing? Maybe it's because qmail-dkim doesn't consider it an error and hence report one in that case (did you check the exit code?). On the signing side, the signature gets generated by qmail-dkim but not actually verified?!

I am modifing the private key so that the message cannot be signed.

It prints an error msg in the command line test, but I see nothing in qmail-send when sending. Actually it's not signing just like if there's no dkim signature

Sorry, overlapping replies. See my earlier comment. The spawn-filter should log something as long as qmail-dkim exits with any code other than 0 (does it when you test standalone?). Maybe it goes to a different log?

Apparently in doesn't log anywhere...

Strange, it does for me. As long as qmail-dkim exits with a non-zero exit code, spawn-filter should send an error message to qmail-send (which should log it, just like it does for qmail-remote output). Independent of ERROR_FD (that's how I noticed the problem in the first place - qmail-dkim exited with an error since it couldn't write to ERROR_FD and that showed up in my logs). 

Does qmail-dkim exit with a non-zero code for the error case you are simulating? And do you see other qmail-local or qmail-remote errors (when they happen) in your qmail-send logs? 

the command line test shown above doesn't print the error code. I can get it looking at the code:

#define DKIM_BAD_PRIVATE_KEY                -22 /* signing error: Could not parse private key */

That's not the exit code, that's the return value internally passed between dkimsign.c API calls.

To get the exit code of a command you can use "echo $?" after it ran at the end of your script.

But I am pretty sure it will be 88. See the _exit(88) at the end of the custom_error() function in qmail-dkim.c, which is called from maybe_die_dkim().

Again, still not sure why you are not seeing the errors logged. Something's gotta be off with your logging setup for qmail-send. Again, are you seeing other messages from qmail-send/qmail-remote/qmail-local?

yes, it exits with 88.

Again, still not sure why you are not seeing the errors logged. Something's gotta be off with your logging setup for qmail-send. Again, are you seeing other messages from qmail-send/qmail-remote/qmail-local?

I don't get any error logged either in qmail-send nor in /var/log The message is sent successfully with no signature

PS my qmail-send configuration is just like the one described in this site. I'm using the latter patch above

That's all very strange. I have no explanation. Are you sure that your spawn-filter is actually running (QMAILREMOTE is set in qmail-send's environment)? Are your outgoing emails getting signed normally? And maybe try setting QMAILREMOTE to some test script just to see whether that gets called by qmail-send? 

Otherwise, maybe test running spawn-filter just from the command line (should behave just like qmail-remote, i.e. injecting and sending out a tst_msg with something like 'spawn-filter <host> <sender> <recipient> < tst_msg')? 

uh... I'm very sorry... I was testing your code in a test server where spawn-filter is disabled. Now I get also the error code

2025-06-19 22:25:41.528248500 delivery 1: failure: /var/qmail/bin/qmail-dkim:_(spawn-filter)_exit_code:_88:_Dqmail-dkim:_Could_not_parse_private_key_(#5.7.5)spawn_said:_Giving_up_on_filter/

PS I applied your last patch as well

Hello Roberto,

Thanks for the guide !!!

I have noticed that in some of the scripts, the commands are split across various lines with "\"

Unfortunatelly, in some cases there are spaces after ... I mean "\ " is written, which does not allows to directly copy and paste. One has to remove the extra " " after the "\".

You can find an example under the "/var/qmail/rc" script.

Regards

i$

Thanks, corrected

We have setup DKIM of sendmail for multiple domains (multiple keys) successfully. However, we can't find any online material about how to send DKIM of qmail for multiple domains. We have patch qmail-dkim to netqmail-1.06 .We need the senders with @domain.tld and @subdomain.domain.tld to be delivered. Please advise how to achieve this. Thank you very much.

Do you want to sign all domains with one single key, or you want to assign one key to all subdomains?

I think you can achieve this by putting the location of the keys in your control/filterargs file (or even dkimkeys). For example

*.domain.tld:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/domain.tld/default,DKIMSIGNOPTIONS=-z 2
*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/default,DKIMSIGNOPTIONS=-z 2

The first line will be catched by all *.domain.tld domains, while the last one by all the other domains.

Let me know if it is correct

our subdomain is smtp5.xxx.edu. I touch a file filterargs under the directory control and then add the below lines. The domainkeys includes two directories xxx.edu and smtp5.xxx.edu. Two sets of public key and private keys are included.

*.xxx.edu:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/xxx.edu/default,DKIMSIGNOPTIONS=-z 2
*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/default,DKIMSIGNOPTIONS=-z 2

Unfortunately, it does not work at all.

This issue was fixed in the latest dkim patch. Please reinstall qmail and let me know

Hi Roberto. I think dkim config for qmail-remote must be reviewed after your latest patch. it doesn´t work at all, I've tried it several times and got multiple and different errors trying to get it set. I even straced and found that something really relevant has changed in qmail-spawn in the way it reads the filterargs format. Can you test it in your side ? create a new instance and try your qmail-remote config for dkim. I am absolutely sure you will get in the same case I was for the past day. I ended up using dkimkey with old format suppressing DKIMSIGNOPTIONS even that I've used a rsa 2048 bits key and it worked like a charm. I think you could also review the services/run chain to address dkim options change cos they are in the old format, not to mention the rc file as well. You stated the new changes only in dkim config page, but other config pages are still old. That's a simple suggestion, as always, thanks for your incredible work with your full patch and congrats going into github, it ease your work and for everyone else that also get those patches from you. Thank you

Rodrigo Graeff (qmail user since 1998)

Hi Rodrigo,

Hi Roberto. I think dkim config for qmail-remote must be reviewed after your latest patch. it doesn´t work at all, I've tried it several times and got multiple and different errors trying to get it set. I even straced and found that something really relevant has changed in qmail-spawn in the way it reads the filterargs format. Can you test it in your side ? create a new instance and try your qmail-remote config for dkim.

Of course I tested this configuration. spawn-filter has modifications, yes. Can you share you RC file, your filterargs and your dkimkeys?

I am absolutely sure you will get in the same case I was for the past day. I ended up using dkimkey with old format suppressing DKIMSIGNOPTIONS even that I've used a rsa 2048 bits key and it worked like a charm. I think you could also review the services/run chain to address dkim options change cos they are in the old format, not to mention the rc file as well.

There's no change in the run file configuration. 

You stated the new changes only in dkim config page, but other config pages are still old.

I changed the "configuring" page as well. Of course I could have forgot something and I think it would be much easier for me if you tell me which errors you have found

Hi Roberto, sure.

# cat filterargs.old 
*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/usr/bin/cat,DKIMSIGN=control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2

#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

# cat qmail-submission/run | grep DKIMKEY
export DKIMKEY=/var/qmail/control/domainkeys/%/default

Apologies, I see now other config pages config reflects new dkim setup. I could be a cache issue from my browser.eerything looks good indeed.

with those settings I get:

@4000000065ae74d52b9af4cc delivery 2: deferral: /var/qmail/bin/qmail-dkim:_(spawn-filter)_exit_code:_53._(#4.3.0)spawn-filter_said:_Message_deferred

stracing it, I get qmail-dkim trying to find dkimkey at control/controlcontrol/domainkeys/%/default (yes, that's soooo odd..). I had to rename filterargs to something else and rely on qmail-smtpd to sign my messages.

thanks

# cat filterargs.old 
*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/usr/bin/cat,DKIMSIGN=control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2

I would use absolute path here

DKIMSIGN=/var/qmail/control/domainkeys/%/default

instead of

DKIMSIGN=control/domainkeys/%/default

even with absolute path there I still get

@4000000065b00e9f2655cdfc delivery 129: deferral: /var/qmail/bin/qmail-dkim:_(spawn-filter)_exit_code:_53._(#4.3.0)spawn-filter_said:_Message_deferred

# cat filterargs 
*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/usr/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2

do you have a dkimkeys file that interferes with filterargs?

can you show the relevant part of the strace?

not using the absolute path in DKIMSIGN prevents the correct localization of the key

22940 access("control/control/domainkeys/sagredo.eu/default", F_OK) = -1 ENOENT (No such file or directory)

We are using qmail server installed on CentOS 5.3 .When I patch -p1 < dkim-netqmail-1.06.patch-1.20 .It seems no error occurs. It looks like the version of the patch is somewhat correct? However, when I enter "make", it stops with message "make: *** No rule to make target `../libdomainkeys.a', needed by `dktest'. Stop". What's wrong with it?

Should I install libdomainkeys in advance? How can I incoporates libdomainkeys.a into the "make" process of dkim-netqmail-1.06.patch-1.20 .Please advise, Thanks a lot!

Yahoo domain keys support has been dropped in recent versions, so that library is not needed. V.20 still requires it but I strongly recommend to use the latest version, because it brings improvements and fixes and also because the current documentation applies to latest version

When I apply patch of latest version 1.46 as below. It displays "Hunk #x FAILED". Does it mean that this verison of dkim-netqmail is not compatible? It seems that our CentOS 5.3 is too old. Is there any fix?

patch -p1 < dkim-patches/dkim-netqmail-1.06.patch-1.46

Hunk #2 FAILED at 18.
Hunk #3 FAILED at 44.
Hunk #4 FAILED at 80.
3 out of 4 hunks FAILED -- saving rejects to file dns.c.rej

Are the below steps correct?

make

make man

make setup check

Please advise. Thanks!

It applies to netqmail with no errors. Sure that you applied it to a clean netqmail directory? 

The netqmail-1.06 was applied 14 patches already, such as dot-forward, djbdns, ucspi-tcp, qmailanalog, etc. As these patches are applied by my supervisor 10 years ago. It dare not remove them. In fact, I don't know how to uninstall these patches.

Understood.. this explains why you get errors when applying the dkim patch. You have to correct manually the code looking at those .rej files, but I can't be of help here.

Hello Manvendra,

I'm trying to find a way how to solve problem with FAIL Dmarc check in gmail.com by Sieve autorespose message.

When mail server send message with same domain in From: field than all checks successfully passed. But users mostly wanna use their domain to be able get response from people who recieve message from sieve.

My idea is to add second DKIM-signature if From: @doman.com not equal for Return-path:

Return-path:<>  here we have domain.com
From:test@domain2.com
SPF: PASS with IP 1.1.1.1 Learn more
DKIM: 'PASS' with domain domain.com, used from control/me
DKIM: 'FAIL' with domain domain2.com, because we don't have signature
DMARC: 'FAIL' , because we don't have valid DKIM for domain2.com

If we add second DKIM-signature for domain2.com we can pass DMARC check.
Gmail is using From: field for determination of domain name.
Domain can be validate in control/rcpthosts before signing

Pls correct me if I'm wrong.

Hi Mike,

Any dkim verification will use the domain from the d= tag. Can you paste your headers with the DKIM-Signature.

You can set USE_SENDER environment variable to force d=domain_in_sender. The field `domain_in_sender` is what will written as the Return-Path header by qmail-remote. But when dk-filter see the mail, it doesn't yet have the Return-Path.

Delivered-To: info@domain.com
Received: (qmail 1617829 invoked by uid 89); 8 Jan 2024 16:30:54 +0200
X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on domain.com
X-Spam-Level: *
X-Spam-Status: No, score=1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HTML_FONT_SIZE_HUGE,HTML_MESSAGE,MIME_HTML_ONLY,
RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,TXREP,T_KAM_HTML_FONT_INVALID,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=4.0.0
X-Spam-ExtractText-Flags: _EXTRACTTEXTFLAGS_
Received: from mta-1.marketing.intercars.com.pl (188.252.13.163)
by domain.com with ESMTPS (TLS_AES_256_GCM_SHA384 encrypted); 8 Jan 2024 16:30:40 +0200
Received-SPF: pass (domain.com: SPF record at bounce.marketing.intercars.com.pl designates 188.252.13.163 as permitted sender)
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="UTF-8"
Date: Mon, 08 Jan 2024 14:30:17 +0000
DKIM-Signature: a=rsa-sha256; b=BbbWhmGpgqFUMs8o4E5DLlSp69q6GJ11eKsI+RtW20YanBgI84f86/BrzqVpOl1hXsq4duTtw4gzt3wFdplz/oR50JE3v85jDDYDPcTzW+36Cd3GDSadZh8Xy3U5JMXME+C3IfxsrCrpASnVmuI2HFrjJJ0md5JrFeL7yY/JFrw=; bh=ggTt/TtmzJnFydagYK+RF9rGR4MJ/gx+EsIRhBHLi6Y=; c=simple/simple; d=intercars.eu; h=Sender:From:From:To:To:CC:Subject:Subject:Message-ID:Message-ID:Form-Sub:List-Unsubscribe:List-Unsubscribe:List-Unsubscribe-Post:List-Unsubscribe-Post:X-CSA-Complaints:X-CSA-Complaints; s=gr; t=1704724217; v=1; x=1704810617;
DKIM-Signature: a=rsa-sha256; b=YI+9e77JgvGPBKRmNINdiCGi692iPmt9J+fheUrQYa5o47I/GvUCWeHuFFzORRxDzZhTPSVxsFqNY2744HmAPlgQpGUMIjIiC5BFpVvi09vrgCetIPNPVXDqNqm2aMqaENwZVQZj3XH9e7DsF9xUK7N2rGQaGgVW+xk8htDDzho=; bh=ggTt/TtmzJnFydagYK+RF9rGR4MJ/gx+EsIRhBHLi6Y=; c=simple/simple; d=marketing.intercars.com.pl; h=Sender:From:From:To:To:CC:Subject:Subject:Message-ID:Message-ID:Form-Sub:List-Unsubscribe:List-Unsubscribe:List-Unsubscribe-Post:List-Unsubscribe-Post:X-CSA-Complaints:X-CSA-Complaints; s=s1024a; t=1704724217; v=1; x=1704810617;
From: "Inter Cars Eesti" <turundus@intercars.eu>
List-Unsubscribe: <https://marketing.intercars.com.pl/one_click_unsubscribe.html?x=a62e&m=XlH&s=k2pT&u=q&z=02CpzEf&>, <mailto:listunsubscribe@marketing.intercars.com.pl?subject=inter.xserial.s56ebQaAWatgPz4qjoMI9DTa98Luvol9%2BHfsYVEYq3H%2FKtDd5QAbtZqqEjODRVOKnW1%2BH%2F2pPq0PiOC1kgpRGftaHoefOUlWQwFiXdOh3gypOMI%3D>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Message-ID: <inter.xserial.s56ebQaAWatgPz4qjoMI9DTa98Luvol9+HfsYVEYq3H/KtDd5QAbtZqqEjODRVOKnW1+H/2pPq0PiOC1kgpRGftaHoefOUlWQwFiXdOh3gypOMI=@marketing.intercars.com.pl>
MIME-Version: 1.0
Reply-To: turundus@intercars.eu
Require-Recipient-Valid-Since: info@domain.com; Fri, 06 May 2022 08:08:31 +0000
Return-Path: bounce-12@bounce.marketing.intercars.com.pl
Subject: Inter Cars - UUDISKIRI
To: info@domain.com
X-Complaints-To: abuse@marketing.intercars.com.pl
X-CSA-Complaints: csa-complaints@eco.de

You can see above headers from maillist what I recieved today. 2 DKIM-signature for diffirent domains.

Hi Mike, can you show the headers you are sending to Gmail, please?

Delivered-To: test@gmail.com
Received: by 2002:a05:6a06:101c:b0:6a8:cd61:aa6d with SMTP id eg28csp2614763pib;
Mon, 8 Jan 2024 06:23:43 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGFUhp+ALYLt1qm6cYN1Hyu0CPi5/a+ySlvZWXq+AsoY+BGxAS7Vv7/sg6zEZ/UM0Uxwv10
X-Received: by 2002:a05:651c:b27:b0:2cc:ad9b:8807 with SMTP id b39-20020a05651c0b2700b002ccad9b8807mr1970761ljr.81.1704723822806;
Mon, 08 Jan 2024 06:23:42 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704723822; cv=none;
d=google.com; s=arc-20160816;
b=nBnKIyDY1ThfUBK/K9IfOswvBkPJAR+PWdFJLwCC9BYEiveuJXgD6RL4Q4cd2nTRgE
K1XEhXFyeZHv+dNHyewKMB6HQ69hDdfB/IZne1xfQWwAjBNjBS34iH980aKt7M1gbPrZ
dN91RnORydDnYQ4f1hVkI4jDAO5hISIOXHizsAHlf2XQILt4gKydpaLOQwBUq3+nFDWI
lnKzse52xHbVf5ujOjqGaFVGrcAywxrpaJgNSmktmoqTk9p1axTnogHXXhEuf3wlMWob
e+uaUJ+XAiz3Goua4qNMeaOeNppPtkQuQPMSUf1ZFtOEPSDkkEQVrlRPl/kcacfH3S/r
t+Ag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=from:to:subject:dkim-signature:message-id:date;
bh=PWnBf6y2sY/sP74l2pPJRjCJoL7Q1CooWa/HVKeVcFI=;
fh=ehWhPnV3kp0f+/7z8f/9Gvl187B8ZJ2IgxHbyl4FPbw=;
b=O8IeewU3H3xaOwdojIFUgQ9+c8hxP7XFJIE+c6CK1OnF47PpwpHg7lhSrEhWumJcoU
Pk3QWtfsxtRlts8Jrrb8xVJ9C+nXhyN49qH8EAA6HsU6TLXdcDwt/l+rbwoew02dFDPl
bGMpr8qvH1Vxfe5ti4GV1pMVntqZJ65HVG2mdwaiy7SNy2uRkmv0whcYhvIQyD8tEXVq
b74+hLmJ9ygMuI6mt86F9HLstYdSLtxSABQHu+pxv3vtwCXFejngPJhAoUrjJL9+nR48
3CLraKwR5Q7LKBLb3820NcK+fCWyzzCTdvssoUa9btITtV7p7O5k5DKqb3aiOz3JsLyU
ytwQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass (test mode) header.i=@domain.com header.s=default header.b=fvSIXmE4;
spf=pass (google.com: domain of postmaster@domain.com designates 1.1.1.1 as permitted sender) smtp.helo=domain.com;
dmarc=fail (p=REJECT sp=NONE dis=QUARANTINE) header.from=domain2.com
Return-Path: <>
Received: from domain.com (domain.com. [1.1.1.1])
by mx.google.com with ESMTPS id g24-20020a2e9cd8000000b002cd0d4e9b18si2111719ljj.301.2024.01.08.06.23.42
for <test@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 08 Jan 2024 06:23:42 -0800 (PST)
Received-SPF: pass (google.com: domain of postmaster@domain.com designates 1.1.1.1 as permitted sender) client-ip=1.1.1.1;
Authentication-Results: mx.google.com;
dkim=pass (test mode) header.i=@domain.com header.s=default header.b=fvSIXmE4;
spf=pass (google.com: domain of postmaster@domain.com designates 1.1.1.1 as permitted sender) smtp.helo=domain.com;
dmarc=fail (p=REJECT sp=NONE dis=QUARANTINE) header.from=domain2.com
Date: Mon, 08 Jan 2024 06:23:42 -0800 (PST)
Message-ID: <659c056e.2e0a0220.c1227.2335SMTPIN_ADDED_MISSING@mx.google.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; s=default; h=subject:to:from; bh=PWnBf6y2sY/sP74l2 pPJRjCJoL7Q1CooWa/HVKeVcFI=; b=fvSIXmE41Pps4QKWnjQO3S08GCOVt64rT H2SBJViOSEc7CZVqymN9ORXDD6s3vwPAbArLCTyFRjE8JIrEYvAl2L8yibnzQED4 DuQs6Bcib5133kQYqLF4c8xePq2g0jPse9EGjzVPBQ3eyN/Pi8/MdbzcGyDDQuxc yk7HLG+kppJJ06xAD9EOxoHBnYzcW5mKDy0Cttvdvvs+RlFhLymfx5AMg3ZNOHPo 13sVnqP0KswK1Abg4syberBBVZwvBmJjAX8gK85XbgJRTv+uniUdhqy9mTUx+mJJ JMBGKzJTTTC71CLOpIIuk0+Fyeheocyir9kAe5x3KNcYyx8+rItCw==
Received: (qmail 1617098 invoked by uid 89); 8 Jan 2024 16:23:42 +0200
Received: (simscan 1.4.1 ppid 1616931 pid 1617089 t 0.0290s) (scanners:
attach: 1.4.1 clamav: 1.2.1/m:62/d:27138); 08 Jan 0124 14:23:42 -0000
Received: from localhost ()
by domain.com with SMTP; 8 Jan 2024 16:23:40 +0200
subject: This is the subject
to: test@gmail.com
from: test2@domain2.com

Hi Mike,

You are using dkim key for domain1.com to sign email from domain2.com. This is because you are using someone@domain1.com to send mail from somone@domain2.com. 

Probably if you sign using qmail-dkim instead of dk-filter, qmail-dkim will use the From header and dmarc should pass. The downside of doing at SMTP is that both incoming and outgoing mails will get signed

The other option that you can continue to sign using dk-filter, but  to use dkimkeys control file. e.g.

domain1.com:/var/qmail/control/domainkeys/domain2.com/private_key_file:DKIMSIGN=-z 2

Let me know if the second option works for you

Hello Manvendra,

I have tested ver 1.46 and got the same problem with spawn-filter like v1.45 had.

send/current

2024-01-10 22:44:24.195671970 delivery 1: deferral: /var/qmail/bin/qmail-dkim:_(spawn-filter)_exit_code:_53._(#4.3.0)spawn-filter_said:_Message_deferred

strace.log

747247 alarm(86400)                     = 0
747247 getpid()                         = 747247
747247 openat(AT_FDCWD, "/tmp/qmail-dkim.747247.1704924318.1", O_WRONLY|O_CREAT|O_EXCL, 0644) = 3
747247 openat(AT_FDCWD, "/tmp/qmail-dkim.747247.1704924318.1", O_RDONLY|O_NONBLOCK) = 4
747247 unlink("/tmp/qmail-dkim.747247.1704924318.1") = 0
747247 read(0, "Received: (qmail 747240 invoked by uid 89); 11 Jan 2024 00:05:18 +0200\nReceived: (simscan 1.4.1 ppid 745843 pid 747125 t 0.0202s)\n (scanners:  attach:
747247 write(3, "Received: (qmail 747240 invoked by uid 89); 11 Jan 2024 00:05:18 +0200\nReceived: (simscan 1.4.1 ppid 745843 pid 747125 t 0.0202s)\n (scanners:  attach
747247 read(0, "", 4096)                = 0
747247 write(4, "Zqmail-dkim: DKIMContext structure invalid for this operation (#4.3.0)", 70) = -1 EBADF (Bad file descriptor)
747247 exit_group(53)                   = ?
747247 +++ exited with 53 +++
747246 <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 53}], 0, NULL) = 747247
747246 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=747247, si_uid=1006, si_status=53, si_utime=0, si_stime=1 /* 0.01 s */} ---
747246 rt_sigreturn({mask=[]})          = 747247
747246 wait4(-1, 0x7fffc2b6f2cc, WNOHANG, NULL) = -1 ECHILD (No child processes)
747246 exit_group(53)                   = ?
747246 +++ exited with 53 +++
747243 <... read resumed>"", 2048)      = 0
747243 dup2(3, 0)                       = 0
747243 lseek(0, 0, SEEK_SET)            = 0
747243 wait4(747246, [{WIFEXITED(s) && WEXITSTATUS(s) == 53}], 0, NULL) = 747246
747243 read(5, "", 1024)                = 0
747243 write(1, "s/var/qmail/bin/qmail-dkim: (spawn-filter) exit code: 53. (#4.3.0)\0Zspawn-filter said: Message deferred\0", 104) = 104

qmail/rc

#!/bin/sh
QMAILDIR=/var/qmail
# Comment out to disable dkim sign at qmail-remote level
DKIM_ON=1
if [ -n $DKIM_ON ]; then
# DKIM sign at qmail-remote level (you have to define your variables in control/filterargs. man spawn-filterargs)

exec env - PATH="$QMAILDIR/bin:$PATH" \
QMAILREMOTE=$QMAILDIR/bin/spawn-filter \
qmail-start "`cat $QMAILDIR/control/defaultdelivery`"
else
# Use this if you are signing at qmail-smtpd level or you don't want to sign at all
exec env - PATH="$QMAILDIR/bin:$PATH" \
qmail-start "`cat $QMAILDIR/control/defaultdelivery`"
fi

control/filterargs

*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2

Here is an example. This email doesn't have From, Sender or Return-Path header

$ cat /tmp/mail.txt 
X-From: postmaster@example.com
To: postmaster@example.com
Subject: Test
Date: Wed, 10 Jan 2024 08:46:44 +0530

Test message


$ DKIMQUEUE=/bin/cat \
   DKIMSIGN=/etc/indimail/control/domainkeys/default \
   qmail-dkim </tmp/mail.txt;echo
Zqmail-dkim: DKIMContext structure invalid for this operation (#4.3.0)

Thx Manvendra, now it's working for me. Also Autoresponse message comes with correct signature and pass all checks by Gmail.

I didn't use Date in headers  when sent messages from command prompt.

The actual error is

DKIMContext structure invalid for this operation

Since CUSTOM_ERROR_FD is defined as 4 in qmail.h, qmail-dkim writes the error to file descriptor 4 which fails because fd 4 is a RDONLY descriptor

In your rc script define ERROR_FD=2 so that qmail-dkim is able to write the error to stderr

The DKIMContext structure invalid usually comes if the mail does not have Date: header or isn't in a proper email format.

The result is even worst. I believe that we need somehow to add DKIM-signature for domain2.com together with DKIM for domain1.com

Delivered-To: test@gmail.com
Received: by 2002:a05:6a06:101c:b0:6a8:cd61:aa6d with SMTP id eg28csp2801247pib;
Mon, 8 Jan 2024 11:56:12 -0800 (PST)
X-Google-Smtp-Source: AGHT+IEymCHT8KsKGxb6wubVkxVa7sO5VbUbP6pVkRHeKCn395JyhV5CVinaP7yT/n4/Br8PCpuk
X-Received: by 2002:a05:6512:10d6:b0:50e:75ee:ec46 with SMTP id k22-20020a05651210d600b0050e75eeec46mr977096lfg.2.1704743772234;
Mon, 08 Jan 2024 11:56:12 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1704743772; cv=none;
d=google.com; s=arc-20160816;
b=Gav7NbxiXMBXwGYDrNaL51FosHR1yU7RKUgOjJSiFdeYKLeovC1Bs20ILPB9d9jTT5
CKwpIwfvqGx2a3keqQ2eH7LGVPwxNmAR6s7W1OTi+Qa/HDU/dRdQ+H6tGUti5so2N+F+
QclhHiB7Rb+5W6OYLhSQNBSJK7JIlNRev9kTUqvy1X3lSJGSMZYok8UfJjwQ5mPzq/Dr
hCFB6Pr/bRFQ4p9tLE/lSGN3wfjiXgRTXc/koA/+2nvCoylwXaN1gUwsXjf7qgdO6H65
bJNlpXz8CCrH+G+xI5HnhoBBo/UXjWQNzNS2gy1K5m55fLxnJEXIigKKIE3GDok/83JG
zlpw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=from:to:subject:dkim-signature:message-id:date;
bh=PWnBf6y2sY/sP74l2pPJRjCJoL7Q1CooWa/HVKeVcFI=;
fh=ehWhPnV3kp0f+/7z8f/9Gvl187B8ZJ2IgxHbyl4FPbw=;
b=cYspX5xA/w80HktYjQzpl+QQDz/oce+M9MgzbK8LuGVAxLHi3p3k6XJ55Cr4HO2WXn
qsN+r/JEFj46PjLjGxfwJvS0rJo2RrpX4V/TOOa1D7hB8LLjen6FNuJ9mGAC03Y6hT0L
NO2OYt9PdU8s8xdg/EMzFefyqjjDdBOw2FM0Ze5T8ydjl+df4C59uO2CKMo2aqdFc1NG
6tvcvoVz0NqJ6V3v3qXHZj5RsDKe4Cb2/vCfZBu0HU8IU738QijKFxBDsRWYoJL93Rm+
kAuc3cL+UN9iPmwXbbD2cfRWCBPvEwcSSFhxB92OhG8yrvQ/1IVrOsANlRQNEvjwQ6LQ
/yAg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=neutral (body hash did not verify) header.i=@domain1.com header.s=default header.b=YdwBl4Xn;
spf=pass (google.com: domain of postmaster@domain1.com designates 1.1.1.1 as permitted sender) smtp.helo=domain1.com;
dmarc=fail (p=REJECT sp=NONE dis=QUARANTINE) header.from=domain2.com
Return-Path: <>
Received: from domain1.com (domain1.com. [1.1.1.1])
by mx.google.com with ESMTPS id x25-20020a056512079900b0050e8a41da0asi104881lfr.377.2024.01.08.11.56.11
for <mihhailaprelski@gmail.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Mon, 08 Jan 2024 11:56:12 -0800 (PST)
Received-SPF: pass (google.com: domain of postmaster@domain1.com designates 1.1.1.1 as permitted sender) client-ip=1.1.1.1;
Authentication-Results: mx.google.com;
dkim=neutral (body hash did not verify) header.i=@domain1.com header.s=default header.b=YdwBl4Xn;
spf=pass (google.com: domain of postmaster@domain1.com designates 1.1.1.1 as permitted sender) smtp.helo=domain1.com;
dmarc=fail (p=REJECT sp=NONE dis=QUARANTINE) header.from=domain2.com
Date: Mon, 08 Jan 2024 11:56:12 -0800 (PST)
Message-ID: <659c535c.050a0220.6b7cc.35adSMTPIN_ADDED_MISSING@mx.google.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain1.com; s=default; h=subject:to:from; bh=47DEQpj8HBSa+/TIm W+5JCeuQeRkm5NMpJWZG3hSuFU=; b=YdwBl4XnpU7awUuR0vAMlIWhrY+aRSdBq bPevA4zPPmiBiQRnzuGijRC5roxbH2ldWIMTCi4mV4iaXk3QdGYI/kNFTtxioSNp aJEtO2fqbqmqBRcM8hkJhdtMMhRZfWJKTfrKeb6QtZfc7wa7AAMJa5nBKnztkj1u /NXp4cwdm/rs4O9QGZEtQrEXP/UFDnKp97SJ+ajD2KFcoCvpUFo+ypq1ovbyh4lH R6omJoRZsxKqZIvsPfQx7Y+AYZ+nOSpXgjchV4Hm0Nr+zq770ybSiYG1TMayvF/G Qms20HP+HgKgtGHPVYyWysullUVxs+OXeCG9vjyO+58Vz0tiyfbqw==
Received: (qmail 1628157 invoked by uid 89); 8 Jan 2024 21:56:11 +0200
Received: (simscan 1.4.1 ppid 1628094 pid 1628136 t 0.0188s) (scanners:
attach: 1.4.1 clamav: 1.2.1/m:62/d:27138); 08 Jan 0124 19:56:11 -0000
Received: from localhost ()
by domain1.com with SMTP; 8 Jan 2024 21:56:02 +0200
subject: This is the subject
to: test@gmail.com
from: test2@domain2.com

Thank you for this amazing patch set and amazing setup notes!  I've been using qmail since 1997, but when upgrading hardware and re-installing OSs, I usually have to re-visit the patching every 6 or 8 years.  My last time was in 2021, starting with netqmail-1.06 instead of directly with DJBs qmail.  I did minimal patching that time, not trying to use virtual domains, spam-assassin, clamscan, etc.  In fact I only patched the items that were actually giving me issues, not other nice-to-have items.  So that was only oversize-dns, and any-to-cname patch, and that's been working great since 2021.  Now I need to turn on DKIM, (at least for signing outgoing, not needed for checking incoming).  I used the 1.43 version of this patch ( https://notes.sagredo.eu/files/qmail/patches/dkim/dkim-netqmail-1.06.patch-1.43 ), it wasn't 100% clean, but the 7 patch rejects (.rej files) were fairly easy to figure out and apply (base64.h.rej case_startb.c.rej conf-cc.rej dns.c.rej hier.c.rej Makefile.rej TARGETS.rej).  And then compiled cleanly.

Then on the config notes page (https://notes.sagredo.eu/en/qmail-notes-185/configuring-dkim-for-qmail-92.html), I generated the keys and did only the qmail-remote change in /var/qmail/rc.

So (phew) thanks for reading all that.  After all that, it doesn't seem to be respecting that rc file change, it doesn't seem to be doing anything differently, not adding any extra headers to outgoing e-mails at all.  Is there some testing, troubleshooting, or turning-on-logging steps anyone can recommend from here?  Please and thank you.

Hi Martin, thanks for all the appreciations. I moved your comment to the dkim page.

The dkim patch applies with no errors here on netqmail. I suggest to apply it before the other smaller patches.

Did you instructed qmail-queue to run qmail-dkim in your qmail-smtpd run file?

export QMAILQUEUE=/var/qmail/bin/qmail-dkim

Sorry, ignore my previous reply. It just enables the verification, but you said you are not interested

Have you done the suggested tests? 

Hi Robert, thanks for the replies.  I will try your first idea, doing the patches in the opposite order (dkim first, then oversize-dns, and any-to-cname).  I will let you know how that works out.

ok

To troubleshoot, you can use strace in your test as follows. In that case send it via mail as it is very long

DOMAIN=domain.tld 
RSA2048_SELECTOR=default

( 
echo "From: postmaster@${DOMAIN}" 
echo "To: postmaster@${DOMAIN}" 
echo "Subject: Test" 
echo "Date: $(date -R)" 
echo 
echo "Test message" 
) > /tmp/mail.txt

sudo -u qmailr strace -f -o strace.log env - \ 
QMAILREMOTE="1" \ 
_SENDER=postmaster@${DOMAIN} \ 
CONTROLDIR=/tmp/control \ 
DKIMSIGN=/var/qmail/control/domainkeys/%/${RSA2048_SELECTOR} \ 
DKIMSIGNOPTIONS="-z 2" \ 
/var/qmail/bin/dk-filter < /tmp/mail.txt

Okay, also, in trying it again, I see a mistake in what I wrote above. The rejects were because I was not starting from straight netqmali-1.06.  It was netqmail-1.06, plus netqmail-1.05-tls-smtpauth-20070417.patch  (which itself applies cleanly on netqmail-1.06 if I try it again from the .tar.gz).  This tls-AND-auth patch is labelled and README'd as version 20070417

VERSION: 20070417
This patch for netqmail 1.05 is a composite of the latest versions of Frederik 
Vermulen's TLS patch (20070408) and Erwin Hoffmann's SMTP-AUTH (0.5.8) update 
to Eric M. Johnston's and Krzysztof Dabrowski's qmail-smtpd-auth-0.31 patch.
...
This composite patch was put together by Bill Shupp

But from the great assembled patches you've got on https://notes.sagredo.eu/en/qmail-notes-185/patching-qmail-82.html  I would think that would be equivalent to the first two that you've listed, qmail-authentication (Hoffman), and qmail-tls (Vermeulen).  However the tgz link on the fehcom page is a broken link.

So in summary.  I was happily (since 2021) using netqmail-1.06, plus the 20070417 (combined qmail-auth and qmail-tls) patch, plus the big-dns, plus any-to-cname.

What would you recommend I do here, to add dkim to this?  Thanks

Hi, my advise is to use my big patch, which is already tested, and disable all features you are not interested in :-)

If you prefer doing it by yourself, I would install dkim first and my Auth+TLS+forcetls https://notes.sagredo.eu/qmail-notes-185/smtp-auth-qmail-tls-forcetls-patch-for-qmail-84.html  on top of that. The last one updates Shupp's Auth+TLS patch that you are using

okay I think the patching is okay, I did your second suggestion (dkim first).  In other words, I started from fresh netqmail-1.06.tar.gz, then applied dkim-netqmail-1.06.patch-1.43, then roberto-netqmail-1.06_auth_tls_force-tls.patch-latest, then qmail-bigdns-103.patch, then any-to-cname.patch.  I think my issue now is more the supervise/run files and environment variables there.

In my older setup, I had old run files from "Copyright (C) 2003-2007 John Simpson.".  This was working with the older patch (netqmail-1.05-tls-smtpauth-20070417.patch) that I mentioned above.  I've switched now to your run file.  I'm testing this on a separate port 466.

Would it be a problem to mix and match, in other words, if my /var/qmail/rc (for qmail-start), and /var/qmail/supervise/qmail-send  are still pointing at my old (no dkim) version in /var/qmail/, while also trying to use /var/qmail.DKIM/supervise/qmail-smtpdssl466/run with this new order of patching including dkim.

If that's not the cause of my problem... then I think something else is wrong with my auth not working, probably because my run file isn't right.  As I said, I'm not running simscan, clamav, spamassassin, etc.  And I don't have all the vpopmail stuff set up, it runs as the old djb-advised users (qmaild, qmailr, qmails, etc).  So when testing with Thunderbird, I can send local messages (but they aren't dkim-signed), and if I try to send to an outside address, I get the error "sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)."

So starting from your run file here https://notes.sagredo.eu/en/qmail-notes-185/configuring-qmail-83.html where you have /var/qmail/supervise/qmail-smtpsd/run, I've changed it as follows

a# diff run.sagredossl run
3,5c3,5
< QMAILDIR=/var/qmail
< QMAILDUID=`id -u vpopmail`
< NOFILESGID=`id -g vpopmail`
---
> QMAILDIR=/var/qmail.DKIM
> QMAILDUID=`id -u qmaild`
> NOFILESGID=`id -g qmaild`
9c9
< TCPRULES_DIR=~vpopmail/etc
---
> TCPRULES_DIR=/etc
15,17c15,17
< CERTFILE="$SSL_DIR/servercert.pem"
< KEYFILE="$SSL_DIR/servercert.pem"
< DHFILE="$SSL_DIR/dh4096.pem"
---
> CERTFILE="/etc/letsencrypt/live/mydomain.com/cert.pem"
> KEYFILE="/etc/letsencrypt/live/mydomain.com/privkey.pem"
> DHFILE="$SSL_DIR/dh1024.pem"
51c51,62
< export DKIMKEY=/usr/local/etc/domainkeys/%/default
---
> export DKIMKEY=/var/qmail.DKIM/control/domainkeys/%/default
> 
> DKIMDOMAIN=`cat /var/qmail.DKIM/control/dkimdomain`
> 
> #####export QMAILQUEUE=/var/qmail.DKIM/bin/qmail-dkim
> export DKIMKEY=/var/qmail.DKIM/control/domainkeys/%/default
> export DKIMDOMAIN="$DKIMDOMAIN"
> 
75c86
< exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
---
> exec /usr/bin/softlimit -m "$SOFTLIMIT" \
78c89
< -u "$QMAILDUID" -g "$NOFILESGID" 0 smtps \
---
> -u "$QMAILDUID" -g "$NOFILESGID" 0 466 \

So I appreciate any further advice you can offer.  I suspect its something with the QMAILQUEUE or SURBLQUEUE or whatever not pointing to the right programs.

It seems to be ok, even though the entire run file would be better, in order to find errors. 

But you said you didn't intend to configure the verification. In this case all the dkim stuff in the qmail-smtpsd run file is not needed.

Anyway, before the dkim part I would fix the other problem you have, which seems to be more important, i.e. the "sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1).". Do you have any of the recipient domain in the control/locals file?

Hi Roberto, I think its most of the way there, the patches are fine, the compiling is fine.  I think the problem is just using and trying to modify your run files in my situation (no simscan, no spamassassin, no vpopmail, etc).  I can get the auth working, to allow relaying to outside e-mail addresses, on port 466, but I can't get it to dkim-sign. So my run file, copied from https://notes.sagredo.eu/en/qmail-notes-185/configuring-qmail-83.html, in the section /var/qmail/supervise/qmail-smtpsd/run, and from there I changed QMAILDUID, NOFILESGID, TCPRULES_DIR (to not use vpopmail user), I changed CERTFILE, KEYFILE to use my letsencrypt, uncommented SMTPAUTH, changed DKIMKEY to a custom selector bly01 (not default), added DKIMDOMAIN (and export), and finally changed the exec line to use tcpserver instead of sslserver, and to use /usr/bin/checkpassword

#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=/etc

SSL_DIR="$QMAILDIR/control"
SSL_CHROOT="$SSL_DIR"
SSL_UID=$QMAILDUID
SSL_GID=$NOFILESGID
CERTFILE="/etc/letsencrypt/live/mydomain.com/cert.pem"
KEYFILE="/etc/letsencrypt/live/mydomain.com/privkey.pem"
DHFILE="$SSL_DIR/dh4096.pem"
export SSL_UID SSL_GID SSL_CHROOT
export CERTFILE KEYFILE DHFILE

#export REJECTNULLSENDERS=1
export SMTPAUTH="!"

# qmail-spp plugins
#export ENABLE_SPP=1
#export HELO_DNS_CHECK=PLRIV

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# greylisting
#export JGREYLIST_DIR="$QMAILDIR/jgreylist"
#export JGREYLIST_LOG_SMTP=1

# enable chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering
#export QMAILQUEUE=$QMAILDIR/bin/simscan # do not execute SURBL nor DKIM filtering
export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter
export SURBLQUEUE=$QMAILDIR/bin/simscan # executes simscan after SURBL

#### qmail-dkim disabled => no dkim verification
#### to have verification active export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim

#export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim # executes qmail-dkim after surblfilter
export DKIMQUEUE=$QMAILDIR/bin/simscan # simscan is executed after qmail-dkim
export DKIMKEY=/var/qmail/control/domainkeys/%/bly01

###
DKIMDOMAIN=`cat /var/qmail/control/dkimdomain`
export DKIMDOMAIN="$DKIMDOMAIN"
###

# DKIM verification. Use carefully
export DKIMVERIFY="FGHKLMNOQRTVWp"
# allow msg without "subject" in the h= list
export UNSIGNED_SUBJECT=1
# avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

# turn off TLS on port 25
#export DISABLETLS="1"

# require that authenticated user and 'mail from' are identical
export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
if [ -x $QMAILDIR/bin/rcptcheck-overlimit.sh ]; then
export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
export RCPTCHECKRELAYCLIENT="1"
fi

# enable simscan debug
#export SIMSCAN_DEBUG=4
#export SIMSCAN_DEBUG_FILES=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" \
-x $TCPRULES_DIR/tcp.submission.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 466 \
$QMAILDIR/bin/qmail-smtpd \
/usr/bin/checkpassword /bin/true 2>&1

I can test this with openssl, as I said, it accepts the auth, allows the relaying to an outside address (yahoo), but does not dkim-sign:

$ openssl s_client -crlf -starttls smtp -connect xxxx.com:466
...
250 SIZE 0
ehlo booger
250-xxxx.com
250-PIPELINING
250-8BITMIME
250-AUTH LOGIN PLAIN
250 SIZE 0
AUTH PLAIN AxxxXXXxxxXXXxxxXXXxxxXXXxxx
235 ok, go ahead (#2.0.0)
mail from:<martin@yyyyy.ca>
250 ok
rcpt to:<mmmmmmm@yahoo.ca>
250 ok
data
354 go ahead
Subject: port 466, ehlo, auth
From: martin@zzzzz.ca
To: mmmmmmm@yahoo.ca
Date: Wed, Dec 27 2023 18:00:00 -0500

blah blah message body
.
250 ok 1703717431 qp 774418
quit
221 xxxx.com
closed

I would greatly appreciate any further guidance and advice on this!

One more thing: if you are configuring the submission service you don't need to verify DKIM, as your clients are already authenticated.

Second: where are you saving your signature?

Probably you have to add something like this in your control/rc file

DKIMSIGN=/var/qmail/control/domainkeys/%/default

Okay some of my problems were just not testing every variation after every change.

In fact dkim signing IS working with some of my domains, but not all : - (

Parts of this may have been already working before but I was testing Test3 below on most attempts.  I've been testing with three of my domains (again these are not virtual domains, just additional domains in control/locals and control/rcpthosts, which are identical).

Just to anonymize, I'll call the domains me1.com as the domain in control/me (same as plusdomain and dkimdomain).  And the others I'll call g2.ca, and r3.ca.

re your question "Second: where are you saving your signature?"

/var/qmail/control/domainkeys/me1.com# ls -la
drwxr-xr-x 2 qmailr qmail 4096 Dec 28 11:09 .
drwxr-xr-x 3 qmailr qmail 4096 Dec 28 12:23 ..
lrwxrwxrwx 1 root   root     7 Dec 22 12:00 bly -> selector01
-rw-r----- 1 qmailr qmail 1704 Dec 15 14:15 selector01
-rw-r--r-- 1 qmailr qmail  466 Dec 15 14:15 selector01.pub
lrwxrwxrwx 1 root   root    11 Dec 22 12:00 bly.pub -> selector01.pub
lrwxrwxrwx 1 root   root     7 Dec 28 11:09 default -> selector01
lrwxrwxrwx 1 root   root    11 Dec 28 11:09 default.pub -> selector01.pub

Note, I also made control/dkimkeys because otherwise I could not get anything but the default selector to work.  And yes I am (for now) trying to signing all outgoing mail with the same key and same selector:

/var/qmail/control# cat dkimkeys 
*.com:/var/qmail/control/domainkeys/%/bly
*.ca:/var/qmail/control/domainkeys/%/bly

Test1:   smtp mail-from: me1.com   header from: me1.com   dkim signature works (d=me1.com s=bly)

( therefore the control/dkimkeys file seems to be working to cause it to use that "bly" selector.  That selector is not mentioned anywhere else.  In my qmail/rc file, has only DKIMSIGN=/var/qmail/control/domainkeys/%/default )

Test2:   smtp mail-from: me1.com   header from: g2.ca   dkim signature works (d=g2.ca  s=bly)

Test3:   smtp mail-from: r3.ca   header from: g2.ca   dkim signature not added  : - (

Do you know why the dkim signature is not added in this Test3 scenario?  As I understood, dkim is all about the header From: address, not about the address used in the smtp mail-from.  In my earlier posts above, I was mainly testing with Test3, so it might have already been partially working sooner than I thought if I had been doing Test1 or 2.

Thank you so much for your quick replies and valuable insights.

Martin, my guess is this:

the '%' character in the selector path is replaced by the domain. So, in your 3rd test the program will look for the key in the following directories

1. /var/qmail/control/domainkeys/g2.ca/bly

2. and if the previous one returns nothing /var/qmail/control/domainkeys/bly

But none of these keys can be retrieved from your filesystem. I think that the other two tests had success because they get the key from /var/qmail/control/domainkeys/me1.com/bly, but we should have a look at the code to see if it replaces the '%' with the header-from and then with the mail-from domain.

So, when you decide to sign all emails with one single key, you should place them in the top dir /var/qmail/control/domainkeys and then define its location in control/domainkeys with no % as follows

*.com:/var/qmail/control/domainkeys/bly
*.ca:/var/qmail/control/domainkeys/bly

or simply

*.*:/var/qmail/control/domainkeys/bly

Hi Martin,

first of all, if you are configuring a submission server (tcpserver) you can drop all the SSL stuff in your run file. You have to merge your fullchain+private key into /var/qmail/control/servercert.pem as explained here (you'll find a scriptlet to automate everything) https://notes.sagredo.eu/en/qmail-notes-185/installing-a-let-s-encrypt-certificate-for-your-qmail-dovecot-and-apache-servers-233.html 

cat ${CERTDIR}/privkey.pem ${CERTDIR}/fullchain.pem > ${QMAILDIR}/control/servercert.pem

Concerning the DKIM signing, do you want to sign at qmail-remote or qmail-smtpd level?

If you want to sign at qmail-remote level you have to modify your qmail/rc file as explained above in this same page. Just be aware that 1024bit and 2048bit options are slightly different.

This is the configuration in your run file as far as the DKIM verification is concerned. You have to drop all references of QMAILQUEUE / DKIMQUEUE /SURBLQUEUE to simscan

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering
export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter

export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim # executes qmail-dkim after surblfilter
export DKIMQUEUE=$QMAILDIR/bin/qmail-queue # qmail-queue is executed after qmail-dkim

# DKIM verification. Use carefully
export DKIMVERIFY="FGHKLMNOQRTVWp"
# allow msg without "subject" in the h= list
export UNSIGNED_SUBJECT=1
# avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

In this case you have both SURBL and DKIM verification active. So, SURBLQUEUE and DKIMQUEUE are used to decide what to execute when their respective programs are finished. At the end qmail-queue must be launched, which is what it would have been if we hadn't directed QMAILQUEUE to surblqueue.

If you prefer to use qmail-smtpd for both signing and verifying, read the instructions in this page

Hi Roberto,

Thanks again for all your help.  I'm most of the way there now.  I moved the keys up one folder level, and changed control/dkimkeys as you suggested, and now Test1, Test2, and Test3 all work and add the DKIM signature as expected.  Excellent, Thanks!

To answer one of your questions, yes I am configuring the submission server, that will hopefully be one of my last questions... Port 587 (supervise/qmail-submission/run) is working well for starttls, and requiring auth.  But I have other clients that need to use port 465, so for port 465 (supervise/qmail-smtpsd/run), when I start from your run file and try to turn on auth, it still doesn't offer auth, it says "538 auth not available without TLS":

$ openssl s_client -crlf -connect ddd.me1.com:465
...
220 me1.com ESMTP
ehlo booger
250-me1.com
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 SIZE 0
AUTH PLAIN Avvvvvvvvvvvvvvvvvvvvvvvvvvv
538 auth not available without TLS (#5.3.3)
quit
221 me1.com
closed

From my understanding, port 465 can usually be used with just ssl/tls  (not starttls), thats why its listening with sslserver (not tcpserver)?

But maybe you could notice what I'm missing here in turning on plain auth SMTPAUTH="!" and adding /usr/bin/checkpassword to the exec line (I've bolded the changes versus your qmail-smtpsd/run file from configuring-qmail-83.html):

#!/bin/sh

QMAILDIR=/var/qmail
QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat $QMAILDIR/control/concurrencyincoming`
SOFTLIMIT=`cat $QMAILDIR/control/softlimit`
LOCAL=`head -1 $QMAILDIR/control/me`
TCPRULES_DIR=/etc

SSL_DIR="$QMAILDIR/control"
SSL_CHROOT="$SSL_DIR"
SSL_UID=$QMAILDUID
SSL_GID=$NOFILESGID
CERTFILE="$SSL_DIR/servercert.pem"
KEYFILE="$SSL_DIR/servercert.pem"
DHFILE="$SSL_DIR/dh4096.pem"
export SSL_UID SSL_GID SSL_CHROOT
export CERTFILE KEYFILE DHFILE

#export REJECTNULLSENDERS=1
export SMTPAUTH="!"

# qmail-spp plugins
#export ENABLE_SPP=1
#export HELO_DNS_CHECK=PLRIV

# This enables greetdelay for qmail-smtpd
export SMTPD_GREETDELAY=20
export DROP_PRE_GREET=1

# greylisting
#export JGREYLIST_DIR="$QMAILDIR/jgreylist"
#export JGREYLIST_LOG_SMTP=1

# enable chkuser
export CHKUSER_START=ALWAYS

# DKIM - SURBL configuration
# DKIMQUEUE and SURBLQUEUE are front-ends of qmail-queue
export SURBL=1 # Comment out to enable SURBL filtering
#export QMAILQUEUE=$QMAILDIR/bin/simscan # do not execute SURBL nor DKIM filtering
export QMAILQUEUE=$QMAILDIR/bin/surblqueue # executes surblfilter
export SURBLQUEUE=$QMAILDIR/bin/simscan # executes simscan after SURBL

#### qmail-dkim disabled => no dkim verification
#### to have verification active export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim

#export SURBLQUEUE=$QMAILDIR/bin/qmail-dkim # executes qmail-dkim after surblfilter
export DKIMQUEUE=$QMAILDIR/bin/simscan # simscan is executed after qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default
# DKIM verification. Use carefully
export DKIMVERIFY="FGHKLMNOQRTVWp"
# allow msg without "subject" in the h= list
export UNSIGNED_SUBJECT=1
# avoid verification of outgoing messages
export RELAYCLIENT_NODKIMVERIFY=1

# turn off TLS on port 25
#export DISABLETLS="1"

# require that authenticated user and 'mail from' are identical
export FORCEAUTHMAILFROM="1"

# rcptcheck-overlimit. Limits the number of emails sent by relayclients
if [ -x $QMAILDIR/bin/rcptcheck-overlimit.sh ]; then
  export RCPTCHECK=$QMAILDIR/bin/rcptcheck-overlimit.sh
  export RCPTCHECKRELAYCLIENT="1"
fi

# enable simscan debug
#export SIMSCAN_DEBUG=4
#export SIMSCAN_DEBUG_FILES=2

exec /usr/local/bin/softlimit -m "$SOFTLIMIT" \
  /usr/local/bin/sslserver -seV -Rp -l "$LOCAL" \
  -Xx $TCPRULES_DIR/tcp.smtp.cdb -c "$MAXSMTPD" \
  -u "$QMAILDUID" -g "$NOFILESGID" 0 smtps \
  $QMAILDIR/bin/qmail-smtpd \
  /usr/bin/checkpassword /bin/true 2>&1

My patch has been built to allow the auth only on submission port and only if TLS enabled by default. In this case you can simply

export FORCETLS=0

in your qmail-smtpsd run file to allow the auth without TLS in that specific port.

Concerning the way you are using QMAILQUEUE, DKIMQUEUE and SURBLQUEUE, I see that you are still running simscan in the end. Read carefully my previous post above.

Thanks again Roberto.  That FORCETLS=0 did indeed do what I wanted for my port 465 (sslserver, with auth) listening process.

One more refinement I would like to do, is use the EXCLUDE_DKIMSIGN as mentioned in the Nov 20 changelog (and I definitely have that version of the dkim patch, 1.43).  However its not clear from the changelog or other comments as to where that environment variable should be set?  /var/qmail/rc? or ?

It's a new feature that I've never tested. I guess it should be placed in your control/dkimkeys file (if you are using it) or your RC file (if signing at qmail-remote level) or in our run file (if signing at qmail-smtpd level)

You are right Roberto. Let me put few things about dkim signing and verification.

There are two entities involved in signing and verification. They are different in way they work.

1. /var/qmail/bin/dkim

2. /var/qmail/bin/qmail-dkim

dkim works like any standard unix program. It takes input from standard in and writes output with DKIM signature on standard out. Or it takes input from standard in and writes the DKIM-Status header on standard out (for verification).

qmail-dkim is a qmail-queue client. It takes input from standard in but writes the message to descriptor 0 and envelope information to descriptor 1 and then calls qmail-queue. This results in the message getting saved to the queue with either the DKIM signature or the DKIM-Status header

tldr;

When your are doing to sign during the SMTP phase you have to use a qmail-queue interface to insert your own message or header in the queue. Hence the only option is to use qmail-dkim. Any environment variable needs to be set in the run file or in control/dkimkeys

When you are going to sign during delivery, it is qmail-send that uses qmail-lspawn and qmail-rspawn for local, remote deliveries. Just like QMAILQUEUE env variable when using SMTP intercepts qmail-queue, we have QMAILREMOTE to intercept mail before it reaches qmail-remote. Similarly we can define QMAILLOCAL to intercept mail before it reaches qmail-local. So we can set QMAILLOCAL or QMAILREMOTE to any binary that reads from stdin and writes to stdout. So putting QMAILREMOTE=/bin/cat will pass the mail unaltered to qmail-remote.

Instead we set QMAILREMOTE to /var/qmail/bin/spawn-filter. spawn-filter is a generic filter scripts that uses the bourne shell script to execute any command in the control file /var/qmail/control/fliterargs. In the netqmail setup we call a shell script dk-filter that can do DKIM signing or DKIM verification using /var/qmail/bin/dkim. It too can use the control/dkimkeys for setting env variabels. So EXCLUDE_DKIMSIGN can be defined in the rc script which starts qmail-send or the control file /var/qmail/control/dkimkeys or /var/qmail/control/filterargs like this

*:remote:env EXCLUDE_DKIMSIGN=some_header_name /var/qmail/bin/dk-filter

Thanks Manvendra for that helpful summary.

Yes I am signing at qmail-remote level, so I tried it in the rc file (/var/qmail/rc)

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
DKIMSIGN=/var/qmail/control/domainkeys/%/default \
DKIMSIGNOPTIONS="$DKIMSIGNOPTIONS" \
DKIMDOMAIN="$DKIMDOMAIN" \
EXCLUDE_DKIMSIGN="User-Agent:Content-Language:Content-Type:Content-Transfer-Encoding" \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

then I stopped and started (svc -d and svc -u) all the qmail supervise programs, sent some test e-mails, but it didn't change which headers were signed.

I also tried it in control/filterargs:

*:remote:env EXCLUDE_DKIMSIGN="User-Agent\:Content-Language\:Content-Type\:Content-Transfer-Encoding" /var/qmail/bin/dk-filter

But it gave me the following in /var/log/qmail/qmail-send/current, so I'm not sure if I'm doing the quotes correctly? or there's a correct way to escape the colons? or some other problem?

2024-01-03 10:31:35.061849500 delivery 14: deferral: remote:env_EXCLUDE_DKIMSIGN="User-Agent\:_(spawn-filter)_exit_code:_2:_/bin/sh:_1:_Syntax_error:_Unterminated_quoted_string/._(#4.3.0)spawn-filter_said:_Message_deferred

or, as you put in your comment, setting it to 1 (not sure what this would do):

*:remote:env EXCLUDE_DKIMSIGN=1 /var/qmail/bin/dk-filter

but it gave me the following in /var/log/qmail/qmail-send/current

2024-01-03 10:39:05.278263500 delivery 151: deferral: remote:env_EXCLUDE_DKIMSIGN=1_/var/qmail/bin/dk-filter:_(spawn-filter)_exit_code:_127:_/bin/sh:_1:_remote:env:_not_found/._(#4.3.0)spawn-filter_said:_Message_deferred

It seems like it is considering "remote:env" as the command it is trying to execute, instead of considering remote as the part of the filter to only take effect on qmail-remote calls.

I also notice my /var/qmail/rc and all supervise/run files start with #!/bin/sh which is softlinked to /bin/dash, in case that is relevant.  But when I also tried it with changing them all to #!/bin/bash and svc -d  and svc -u and resending the tests, the above two problems were the same.

Thank you again Roberto and Manvendra for your expert advice.

Hi Martin,

There is a bug in the way spawn-filter is reading the control file control/filterargs. I will issue a patch today. Meanwhile I tested by setting FILTERARGS and EXCLUDE_DKIMSIGN and it works after adding the single line in dkim.c (refer to my earlier post). The new patch will fix the above two issues.

I made a typo. It should be something like this for EXCLUDE_DKIMSIGN env variable.

*:remote:env EXCLUDE_DKIMSIGN=some_header_name /var/qmail/bin/dk-filter

corrected

Thanks Manvendra, I tried this exactly what you put, just replacing in the exclude for the "User-Agent" header, in control/filterargs

*:remote:env EXCLUDE_DKIMSIGN=User-Agent /var/qmail/bin/dk-filter

But I still can't seem to get exclude to work in control/filterargs, when I stop/start everything and send a test e-mail, I still get "message deferred" (in /var/log/qmail/qmail-send/current):

2024-01-03 14:24:17.460609500 delivery 129: deferral: remote:env_EXCLUDE_DKIMSIGN=User-Agent_/var/qmail/bin/dk-filter:_(spawn-filter)_exit_code:_127:_/bin/sh:_1:_remote:env:_not_found/._(#4.3.0)spawn-filter_said:_Message_deferred

Am I correct in assuming that if I'm putting some content (blah blah ... bin/dk-filter) into control/filterargs, then I should remove this line from /var/qmail/rc (just before the qmail-start line):

FILTERARGS=/var/qmail/bin/dk-filter \

otherwise that would seem redundantly calling dk-filter.

I really appreciate the help.

Hi Martin,

Roberto has updated the patch. I would want to leave few tips on testing.

Here is a simple way to test dk-filter. In the examples below '$' stands for the shell prompt. Also you can literally use user@yourdomain to test your setup.

$ cd /var/qmail/control/domainkeys
$ SELECTOR_DATA=$(cat /var/qmail/control/domainkeys/default.pub |sed -e 's/.*(//' -e 's/).*//' -e '/^$/d' -e 's/"//g' -e 's/\t//g' | tr -d '\n')

Create a test mail. It is important that the Date: header is present.
You can put the output of date -R command. In this email we have a header
Test-Header-1 which we will exclude from DKIM signing

$ cat > /tmp/mail.txt
From: user@yourdomain
To: user@yourdomain
Test-Header-1: blah blah blah
Date: Thu, 04 Jan 2024 09:07:58 +0530
Subject: Testing dkim

Test message
CNTRL-D

Now we will simply sign the email and send the output to dkim -v for verifying
the signature. The -T argument allows dkim to use selector directly from
command line instead of fetching the text record from DNS.

$ env _SENDER=user@yourdomain \
    DKIMSIGN=/var/qmail/control/domainkeys/%/default \
    QMAILREMOTE=/var/qmail/bin/spawn-filter \
    /var/qmail/bin/dk-filter </tmp/mail.txt | /var/qmail/bin/dkim -v -T "$SELECTOR_DATA"
DKIM-Status: good

The above indicates that setup is fine. To test exclusion of header from
signing you could do this. Here we are going to simply sign the email
without excluding any header from signing. The h= tag will have Test-Header-1

$ env _SENDER=user@yourdomain \
    DKIMSIGN=/var/qmail/control/domainkeys/%/default \
    QMAILREMOTE=/var/qmail/bin/spawn-filter \
    /var/qmail/bin/dk-filter </tmp/mail.txt 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=yourdomain; s=default; h=From:To:Test-Header-1:Date:Subject;
    bh=PkbvdhgKiEAAhc+GiwM2ZnxMu+StJ76lWGj3Y9phfFA=; b=Xjsz1nYTpxhhU
    TZHEEOnQk9SeJ0VRDaqg0LRliRNE6KaTR0JRdIdJyYTPV534rdLr/9dBSode3i8c
    nVlRRNOfZ8sCZnOMf5AjBqGFI5bR7Xk5zg+7nNdE4GHk0vv/vxcYBMp+y3HZM/db
    ACTc+P6XfM2l4lGapv4yVcucX096Fw=
From: user@yourdomain
To: user@yourdomain
Test-Header-1: blah blah blah
Date: Thu, 04 Jan 2024 09:07:58 +0530
Subject: Testing dkim

Test message

Now test it by setting the EXCLUDE_DKIMSIGN. Now you should see the h=tag
without Test-Header-1

$ env EXCLUDE_DKIMSIGN=Test-Header-1 \
  _SENDER=user@yourdomain \
  DKIMSIGN=/var/qmail/control/domainkeys/%/default \
  QMAILREMOTE=/var/qmail/bin/spawn-filter \
  /var/qmail/bin/dk-filter </tmp/mail.txt 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=yourdomain; s=default; h=From:To:Date:Subject; bh=PkbvdhgKiEAA
    hc+GiwM2ZnxMu+StJ76lWGj3Y9phfFA=; b=ywlgliGOI87zn2YqK8nKgvx5Bpvk
    A0sKgQ+Nv5funpi67rNCubrUk0RRUT9y+GhlvCTk7AjO95jj/oTdIlgCFxRJFQdM
    jJQvMs75VyNTE8/V6XxzVUCOqqdjs1usTq8/rq+BMEvmqORKjLgCFmvZ1mJ99jRP
    g4ds3ZboHVxRL6U=
From: user@yourdomain
To: user@yourdomain
Test-Header-1: blah blah blah
Date: Thu, 04 Jan 2024 09:07:58 +0530
Subject: Testing dkim

Test message

> Am I correct in assuming that if I'm putting some content (blah blah ... bin/dk-filter) into control/filterargs, then I should remove this line from /var/qmail/rc (just before the qmail-start line):

Yes you should remove the line FILTERARGS from the rc script. Meanwhile I'm going to test dk-filter (which uses /var/qmail/bin/dkim) to test signing. You will hear from me soon.

It is my fault. I find that one line is missing in the patch. dkim.c is missing this line

excl = getenv("EXCLUDE_DKIMSIGN");

This should be just before the while(1) loop in main function. This is the reason my setting the env variable is having no effect

I applied the change: https://github.com/sagredo-dev/qmail/releases/tag/v2024.01.04

Martin, can you test it please?

Hi Roberto,

I have also fixed the issue with filterargs where spawn-filter is trying to execute remote:env xxxxx.... dk-filter. This issue happens when you don't define FILTERARGS environment variable in the qmail-send rc script. The patch has been uploaded as dkim-netqmail-1.06.patch-1.44.gz

Martin,

You should be able to exclude the headers with that one line change.

Thank you. Patch updated

Thanks Roberto and Manvendra for the quick patch.  I re-did my patching from netqmail-1.06.tar.gz. As I said above, in my case I'm not using vpopmail, spamassassin, clamav, etc, so I'm only using the (new) dkim-netqmail-1.06.patch-1.44, netqmail-1.06_auth_tls_force-tls.patch-latest, qmail-bigdns-103.patch, any-to-cname.patch, in that order, there are a few rejects that I merged manually.

I tested with one header in control/filterargs (and removing "FILTERARGS=/var/qmail/bin/dk-filter \" from /var/qmail/rc just before qmail-start line)

*:remote:env EXCLUDE_DKIMSIGN=Content-Transfer-Encoding /var/qmail/bin/dk-filter

However what do you believe should work for excluding multiple headers?  I think I'll need specific quoting and/or escaping but I can not figure out what that would be.  When I try to use multiple headers (colon separated as noted in rel notes), I can not get it to work.

*:remote:env EXCLUDE_DKIMSIGN=User-Agent:Content-Language /var/qmail/bin/dk-filter

Then in /var/log/qmail/qmail-send/current it accepts the message but I immediately get a bounce (seems to be passing no message body - ?headers only?):

2024-01-04 10:35:10.260129500 delivery 470: failure: 67.195.204.79_failed_after_I_sent_the_message./Remote_host_said:_556_5.7.5_Invalid_RFC_missing_body/

And if I quote it, with or without escaping the colon, it says "message deferred" due to "Unterminated quoted string":

*:remote:env EXCLUDE_DKIMSIGN="User-Agent:Content-Language" /var/qmail/bin/dk-filter

or

*:remote:env EXCLUDE_DKIMSIGN="User-Agent\:Content-Language" /var/qmail/bin/dk-filter

I get

2024-01-04 10:41:53.721857500 delivery 564: deferral: env_EXCLUDE_DKIMSIGN="User-Agent:_(spawn-filter)_exit_code:_2:_/bin/sh:_1:_Syntax_error:_Unterminated_quoted_string/._(#4.3.0)spawn-filter_said:_Message_deferred

(it does deliver these okay when they retry later, after I change filterargs back to a single header in EXCLUDE_DKIMSIGN)

Thanks Roberto and Manvendra for the quick patch. I re-did my patching from netqmail-1.06.tar.gz. As I said above, in my case I'm not using vpopmail, spamassassin, clamav, etc, so I'm only using the (new) dkim-netqmail-1.06.patch-1.44, netqmail-1.06_auth_tls_force-tls.patch-latest, qmail-bigdns-103.patch, any-to-cname.patch, in that order, there are a few rejects that I merged manually.

Martin, this is how I update my big patch when a new dkim patch is released:

I have two dkim patch versions, let's say dkim-1.43.patch and dkim-1.44.patch. I create a diff of the two in order to see which files have been modified in the upgrade:

diff -ruN dkim-1.43.patch dkim-1.44.patch > 1.43-1.44.diff

Most of the time Manvendra modifies only files which belong to his dkim, dk-filter.sh for example. In this case I apply dkim-1.44 to a vanilla qmail and copy that file to my patched qmail, and the job is done. If there are modifications to general files like qmail-smtpd.c I can get from that .diff file what I have to do manually

Hi Martin,

I forgot that the control file filterargs has a way to set environment variables. This is how you can set EXCLUDE_DKIMSIGN if you want to use control/filterargs. You can in fact multiple env variables like this. This feature is used for control/dkimkeys. It can be used here too

*:remote:/var/qmail/bin/dk-filter:EXCLUDE_DKIMSIGN=User-Agent:Content-Language:Content-Type:Content-Transfer-Encoding,ENV_VAR2=value2,ENV_VAR3=value3

So you are free to use control/filterargs or define FILTERARGS env variable in your rc script. If you define FILTERARGS, then control/filterargs doesn't get used.

The man pages for qmail-dkim and dk-filter needs an overhaul. Few of these things are not mentioned.

Hi Martin,

The code which uses control/filterargs uses ':' as a delimiter for fields in control/filterargs file. Hence awful things happen when we use EXCLUDE_DKIMSIGN to have multiple headers. So you should define FILTERARGS and EXCLUDE_DKIMSIGN in the rc file.

Maybe I should have used a comma as a delimiter instead of the colon character.

Hi Manvendra and Roberto,

I'm all good and working now, I have multiple headers in EXCLUDE_DKIMSIGN in the /var/qmail/rc file.

Thank you so much for listening to my difficulties, and for your expert replies and quick patches! 

-Martin

Hi Martin,

Happy to know that it is working.

Cheers

Hi Manvendra and Roberto,

The DKIM signing (with multiple exclude headers) has been working great since my last comment.  Just a minor point on my bounce messages, something isn't working right, does the location and wording of this bounce e-mail help suggest to you where my problem might be, qmail local vs remote vs somewhere else?  here's what I get back to my postmaster box:

Hi. This is the qmail-send program at mydomain.com.
I tried to deliver a bounce message to this address, but the bounce bounced!

<atniszn@spammerdomain.de>:
/var/qmail/bin/dk-filter: (spawn-filter) exit code: 2: /var/qmail/bin/dk-filter: 1: /tmp/envfilterpeV0Mn: Syntax error: "(" unexpected
. (#4.3.0)spawn-filter said: Message deferredI'm not going to try again; this message has been in the queue too long.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 20088 invoked for bounce); 10 Jan 2024 16:50:20 -0000
Date: 10 Jan 2024 16:50:20 -0000
From: MAILER-DAEMON@mydomain.com
To: atniszn@spammerdomain.de
Subject: failure notice

Hi. This is the qmail-send program at mydomain.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<contacts@mydomain.com>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <atniszn@spammerdomain.de>
Received: (qmail 20082 invoked from network); 10 Jan 2024 16:50:20 -0000
Received: from mail.spammerdomain.de (185.31.160.254)
  by mydomain.com with SMTP; 10 Jan 2024 16:50:19 -0000
Received: from spammerdomain.de (mail.spammerdomain.de [185.31.160.254])
	by mail.spammerdomain.de (Postfix) with ESMTPA id 681C1810B94C;
	Wed, 10 Jan 2024 18:50:16 +0200 (EET)
Message-ID: <77787011P63663562D01231053V46848251P@idatniszn>
From: "Made in Japan" <atniszn@spammerdomain.de>
To: <info@spammerdomain2.ca>
Subject: The Number 1 Kitchen Knife in the World
Date: Wed, 10 Jan 2024 18:50:18 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="----=_NextPart_000_0006_01DA43F5.8
...

thanks again.

Hi Martin,

Can you replace dk-filter with qmail-dkim in filterargs.
Roberto and myself have eliminated dk-filter for new setups. qmail-dkim can do everything that dk-filter does and it does it better. dk-filter doesn't handle bounces and auto-replies properly

Something like this

*:remote:/usr/sbin/qmail-dkim:DKIMQUEUE=/bin/cat

Hi Manvendra (or Roberto)...

Recall that, as we discussed, setting this in filterargs didn't work for me because I need the (multiple : colons) setting for EXCLUDE_DKIMSIGN, so filterargs is currently empty (well, all commented out actually).  So I'm doing this in /var/qmail/rc.  So how would I implement your advice of "replace dk-filter with qmail-dkim" when doing it in /var/qmail/rc?  here's what I currently have... as I said its working great for outgoing DKIM signing, but not working for bounces:

#!/bin/sh

# declaring NODKIM disables DKIM

# Sign with 2048 bit RSA. Comment out DKIMSIGNOPTIONS to sign with 1024 bit
DKIMSIGNOPTIONS="-z 2"
DKIMDOMAIN=`cat /var/qmail/control/dkimdomain`
EXCLUDE_DKIMSIGN="MIME-Version:User-Agent:Content-Language:Content-Type:Content-Transfer-Encoding"

# DKIM sign at qmail-remote level
exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
DKIMSIGN=/var/qmail/control/domainkeys/%/default \
DKIMSIGNOPTIONS="$DKIMSIGNOPTIONS" \
DKIMDOMAIN="$DKIMDOMAIN" \
EXCLUDE_DKIMSIGN="$EXCLUDE_DKIMSIGN" \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

# Use this if you are signing at qmail-smtpd level
#exec env - PATH="/var/qmail/bin:$PATH" \
#qmail-start "`cat /var/qmail/control/defaultdelivery`"

Thanks again.

Hi Martin,

how would I implement your advice of "replace dk-filter with qmail-dkim" when doing it in /var/qmail/rc?

download the latest patch, then put something like this in your RC file

#!/bin/sh 

QMAILDIR=/var/qmail 

# Comment out DKIM_ON=1 to disable dkim sign at qmail-remote level 
# You have to define your variables in control/filterargs (DKIM page for more info)
# echo "*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2" > /var/qmail/control/filterargs
DKIM_ON=1 

if [ -r $QMAILDIR/control/filterargs ] &&[ -n $DKIM_ON ]; then 
  # DKIM sign at qmail-remote level
  exec env - PATH="$QMAILDIR/bin:$PATH" \ 
  QMAILREMOTE=$QMAILDIR/bin/spawn-filter \ 
  qmail-start "`cat $QMAILDIR/control/defaultdelivery`" 
else 
  # Use this if you are signing at qmail-smtpd level or you don't want to sign at all 
  exec env - PATH="$QMAILDIR/bin:$PATH" \ 
  qmail-start "`cat $QMAILDIR/control/defaultdelivery`" 
fi

the filterargs will be like this. Put your additional  EXCLUDE_DKIMSIGN variables here

*:remote:/var/qmail/bin/qmail-dkim:DKIMQUEUE=/bin/cat,DKIMSIGN=/var/qmail/control/domainkeys/%/default,DKIMSIGNOPTIONS=-z 2

delete the control/dkimkeys file. Remember that DKIMDOMAIN has been dropped (control/bouncehost by default or control/me if it doesn't exist)

here's what I currently have... as I said its working great for outgoing DKIM signing, but not working for bounces:

the new 1.46 version has improvements in handling bounces

You can define EXCLUDE_DKIMSIGN and other variables as always in the RC file, if you have troubles in defining them in filterargs, or even define everything in the RC file and forgot of filterargs

Buongiorno,

qmail-dkim(8) states:

> By default qmail-dkim will use all of the headers when signing a message.

Is there any way to changed that default other than modifying the source code and recompile?

I ask because a recipient recently has problems with our signature which also include the "ARC-Authentication-Results" of third-party systems when these are forwarded by our mailing-lists.

BTW, I think this header type should be excluded (like e.g. "Authentication-Results" and others already are), because it falls into the category "fields that are modified in transit", compare the recommendations in https://datatracker.ietf.org/doc/html/rfc6376#section-5.4.1 

Personally, to be honest, I'd prefer to be able to configure a list of header types which should be signed instead of the current "sign anything but …" approach, anyway.

Kind regards,
Martin

Hi,

now we found a similar problem with the UI-OutboundReport header line. Of course, I will exclude that, too, but it seems only a matter of time until one of our users (in a very heterogenous environment) comes up with another header line that is then signed by qmail and altered by another user's mail system on the receiving side, causing the signature to get invalid. Or more probably, there already are such cases that I'm not aware of, because not everybody notices that they do not get _all_ mails from e.g. a mailing list and tells me as the postmaster.

Therefore, I still think that defining a whitelist of header lines that should be included in the signature instead of a blacklist that should not would be the proper way to go. (I'll try to code a suggestion when I find the time.)

Kind regards,
Martin

In case anybody is interested, please find a first draft of my dk-filter replacement at https://unf.ug/dkim-sign

Thanks for the contribution. Is it intended to work with the latest dkim patch?

Hi,

it works with the latest version of your patched qmail from GitHub.

Kind regards,
Martin

Buongiorno Martin,

I don't think this is possible in the current dkim program. I'll ask Manvendra to have a look to your question.

I have updated the latest patch. One can have a list of headers to be not signed as a colon separated list of headers in EXCLUDE_DKIMSIGN. The below has been added to qmail-dkim man page

By default qmail-dkim will use all of the headers when signing a message. You an exclude headers from gettng signed by setting a colon separated list of headers in EXCLUDE_DKIMSIGN environment variable.

I have been down with some kind of viral and recovery is being slow. So it is not possible for me to test the changes.

Thanks so much, Manvendra. Get well soon.

There were a couple of missing definitions... 

--- dkim_bak.c    2023-11-14 13:05:07.142460460 +0100 
+++ dkim.c        2023-11-14 13:17:20.866015118 +0100 
@@ -95,6 +95,7 @@ 
int DKIM_CALL 
SignThisHeader(const char *szHeader) 
{ 
+  char *ptr; 
       if ((!strncasecmp(szHeader, "X-", 2) && strncasecmp(szHeader, "X-Mailer:", 9)) 
                       || !strncasecmp(szHeader, "Received:", 9) 
                       || !strncasecmp(szHeader, "Authentication-Results:", 23) 
@@ -104,7 +105,7 @@ 
               return 0; 
       if (!excl) 
               return 1; 
-       for (i = 0, cptr = ptr = excl; *ptr; ptr++, i++) { 
+       for (int i = 0, cptr = ptr = excl; *ptr; ptr++, i++) { 
               if (*ptr == ':') { 
                       *ptr = 0; 
                       fprintf(stderr, "comparing [%s][%s] %d\n", szHeader, cptr, i);

I uploaded a new testing patch here https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06/roberto-netqmail-1.06.patch-2023.11.14testing 

Martin, can you please test if everything works as expected? I won't be able to test it myself today

Dear Manvendra,
dear Roberto,

thank you very much for the patch! Today I finally found the time to test it. However, to be honest, I haven't got it to work so far.

First, I found out that qmail-dkim probably isn't even used in my setup; I configured DKIM signing like this:

$ cat /var/qmail/supervise/qmail-send/run  
#!/bin/sh 

exec env - PATH="/var/qmail/bin:$PATH" \ 
DKIMSIGNOPTIONS='-z 2' \ 
NODK=1 \ 
QMAILLOCAL=/var/qmail/bin/spawn-filter \ 
QMAILREMOTE=/var/qmail/bin/spawn-filter \ 
FILTERARGS=/usr/local/sbin/dk-filter \ 
qmail-start "`cat /var/qmail/control/defaultdelivery`"

Sorry for the confusion!

So if I get it right, I would have to tell my dk-filter script to call the dkim binary with "-X ARC-Authentication-Results". However, unfortunately I could not get this to work, either:

$ echo -e 'ARC-Authentication-Results: foo\nFrom: martin.sluka@mensa.de\nTo: martin@sluka.de\nSubject: Test\n\nDas ist der Rand von Ostermundigen.' | /var/qmail/bin/dkim -X ARC-Authentication-Results -z 2 -x - -y it-2350 -s /var/qmail/control/domainkeys/mensa.de/it-2350 
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mensa.de; 
       s=it-2350; h=ARC-Authentication-Results:From:To:Subject; bh=bjee 
       NvsU917RAvwnapQsTjKD4aFVjCLhf32ZmQKg6TY=; b=XofAEPLiKhco7l6c1dQS 
       v71OBa6tJHFrTh05rTf1KYd22hAbH9J/964Lu5QScBAfoW0GYevnn54ofLcGXQl0 
       lH/TmgEz5Fd11STIXUQAvStpTlgcX6wX78ciVOYSi9shC7wobtAe1rozFmv65Ufp 
       E/HgXBD9h3DHJVEENFI57td9aw2U6CJ1toWb39CcHLLiZpPjyNOc1njqCvHnEPse 
       GR9j14hM1L80Wn+pHGeRrWJcE2fH3TPiMqQ+/92e6obA+IODZ/donsKY2jzWi35p 
       8WIPe/vcNyf5DDfqyRgVRNAuxq0MhTjQ98GosLBGEjuZ8A96XPsmJjrjbXCDpH+o 
       DQ==

But the patched version of dkim seems to at least something with this -X option, because if I add a colon, I get a coredump:

$ echo -e 'ARC-Authentication-Results: foo\nFrom: martin.sluka@mensa.de\nTo: martin@sluka.de\nSubject: Test\n\nDas ist der Rand von Ostermundigen.' | /var/qmail/bin/dkim -X ARC-Authentication-Results: -z 2 -x - -y it-2350 -s /var/qmail/control/domainkeys/mensa.de/it-2350 
Segmentation fault (core dumped)

Whereas the old version would just ignore the parameter.

Am I still doing it wrong?

Kind regards,
Martin

I have modified the patch and uploaded

1. The patch now by default excludes X-Arc-Authentication-Results

2. dkim can additionally use the environment variable EXCLUDE_DKIMSIGN to include colon separated list of headers to be excluded from signing (just like qmail-dkim). Hence you need not modify dk-filter to add the -X option. If -X option is used, it overrides the value of EXCLUDE_DKIMSIGN

Thanks Manvendra. Combined patch updated.

Seems to be working well:

# grep -r ARC-Authentication-Results
1685002611.M67441P6782.qmail,S=12531,W=12739:2,RS:ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
/var/qmail/bin/dkim -vS < 1685002611.M67441P6782.qmail,S=12531,W=12739:2,RS
DKIM-Status: good

The code is not correct. I have made changes and will issue a new patch.

Look at dkimsign.cpp 

/* SignThisHeader - return boolean whether or not to sign this tag
*/
bool CDKIMSign::SignThisHeader(const string &sTag)
{ 
bool bRet = true;

if (_strnicmp(sTag.c_str(), "X-", 2) == 0
|| _stricmp(sTag.c_str(), "Authentication-Results:") == 0
|| _stricmp(sTag.c_str(), "DKIM-Signature:") == 0
|| _stricmp(sTag.c_str(), "Domainkey-Signature:") == 0
|| _stricmp(sTag.c_str(), "Received:") == 0
|| _stricmp(sTag.c_str(), "Return-Path:") == 0)
{
bRet = false;
}
return bRet;
}

Today I stumbled across a curious error when sending a mail from my private mail to our mail server.

The mail gets rejected with detail

qmail-dkim:_signature_error:_DKIM-Signature_could_not_parse_or_has_bad_tags/values_(#5.7.5)

When sending the very same email to auth-results@verifier.port25.com from my private mail it passes all tests.

Receiving mail from i.e. GMail, Outlook and several others on our mail server works just fine.

Any leads what I could check?

Sorry, I'm realizing that I have misunderstood your previous message. I think that your "private mail" is intended to be sent TO your email server, right?

In that case please post your dkim configuration

PS are you using my latest patch?

That is correct.

By DKIM config do you think of the private mails DNS record?

uberspace._domainkey.blackblizzard.org. 3600 IN TXT "v=DKIM1;t=s;n=core;p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8gFgGJLv7j0dI3yvyb9t/epY1S4VTYK5jhanOF31mg43ipIwm26y07C/4PvgR9wgwHILTDXJ1E41uDujf+sQW7hd8IEbMwXRgeiQbOEyr29y6IR3MDQyD36PiVfWAwuPMfmnaE7qkhOZHBv8ybo/hGzYxHUP0o5JD/AjoYAZnwxdeaJ3zAYbCuEmkdLV/V" "VqYWjNy4L5RgVscgHPVcuBjWkscYFleFD5l0FNlLtqux890WfocyT7c4r1PSvs3kpkYBw41o+pyDA/fGLeaui1OBnfEjL303sauzCS5VSKfPlRVM0lonnWJ3ivsM1zQcZCeVQI5eEXAHE7a2NxcdOYw62KVlDDFfLYumBNO7VEkyl2ervGe1pyuAe91U9AdYctnwqds9633KtAZMLMV1Eis9ydO+EVUawDyzQO4r5niTY2hwXm+va3RwXv0JD86" "Kz6ttAQ3Wk3yKCVi2DruJRAA1quUjEZkiJqTgN3qUNZNQCMfqrCYKyGxCOX4q6moLlBFIQGGilKs8/mHzulDZ5SJLQdynCOh6dv7TKcikpJuNpqbEeqr4vgrx8WuIxplMqasyx8h3J2xo37kgCWUo7T2tk4xDkp51YLX0lzhg5kZKuRmy51hGbZnY24LsD+gE7q6BSJb5noSTn9Fnh+KUTgI948cs8y8rSmvXbliqY163UCAwEAAQ=="

The k tag is missing in the DNS record. Did you update the qmail patch?

The server my private mail is from does not run your patch (it's not mine), only our server does :D

Besides the k tag is optional with a default value of rsa (https://www.rfc-editor.org/rfc/rfc4870#page-13), so that causing a syntax error is a bug, isn't it?

If you can tell us the value of DKIM-Signature header it could give a clue. Using your mail client you can save the email as test.eml. Gmail has 'show original' option. Once you have save the content of the mail with all the headers, one can do the following to test it

> $ dkim -v < test.eml

Of course. As the original message contains provate info I sent a new one just for test. This is the message source as returned by our mail server

Return-Path: <xxxxxxxx@blackblizzard.org>
Received: (qmail 31870 invoked by uid 500); 15 May 2023 13:11:57 -0000
Authentication-Results: borrelly.uberspace.de;
 auth=pass (plain)
MIME-Version: 1.0
Date: Mon, 15 May 2023 13:11:57 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: xxxxxx@blackblizzard.org
Message-ID: <cde3ad50799195bf0f5d1711b2631d833aebfbc1@blackblizzard.org>
TLS-Required: No
Subject: DKIM-Test#1
To: xxxxxxxxxxxxxx@as-trainer.com
X-Rspamd-Bar: /
X-Rspamd-Report: MIME_GOOD(-0.1)
X-Rspamd-Score: -0.1
Received: from unknown (HELO unkown) (::1)
 by borrelly.uberspace.de (Haraka/3.0.1) with ESMTPSA; Mon, 15 May 2023 15:11:57 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=blackblizzard.org; s=uberspace;
 h=from;
 bh=fdkeB/A0FkbVP2k4J4pNPoeWH6vqBm9+b0C3OY87Cw8=;
 b=hBlW17MYT9K/jz2H1xWojtote/8t7vm5fyf25DTAjloSTjcQ5GQn1xTOfNVePIg89YhqZRVtih
 OOzGHb8FHF4l/B5OsnbXHdBb7ouap+x+Uw+AoGk5YlJjIhxfSj9Wrg3cyyMIP6neRJlDkfAQYiFy
 pBWPQgJQvDMVZsBUmS33LwD9v8RIZWJhH1R/llfDgXFohQgd6maKtqJhjiP0W41mx77ru7u4Xzct
 aakXRmAu+YXcqbXrHYanD/cvJmh0KOkvPieibaBi11w3X8dy0TkZ4WfEEAkz68PcVnOhy/OpHEkd
 UdnmsaXYfnHoVCVYhuTa+9A2scp//VIQNeZAoLvBwNEp3t6NfpjJqHgxIOg+KL60vaVEyDYuFjKq
 UZZMO7aXhwQ92Vt/YV3YE79GXaKRlZkSTB6yBhl1PWNdkJfIDUAPJ8QiWXiitQNELBaYaEmSzPi8
 4A52y0RX3njPKsNKGECoWR0F/AiBNmLIfrCTLgOLQd/I8+zN1f1Y5T7mY399E807TMOjkeVJCF/R
 8CGz5wgbo3UdALq2T46PUXftm6KmJljGqXdPgz1v5wibro25Nw0mSYZf3C5BHP7Bk4UgCrvOcWl4
 ClcXHDaiGWs48AqyosAWVR/4guMdHwXD4/Citx//bKhwGLlzAfGhsqW44CapzebMOQ0U8lxnePZx
 w=

Test

$ /var/qmail/bin/dkim -v < /home/administrator/test-email_2.eml

on our server yields

signature error: DKIM-Signature could not parse or has bad tags/values
DKIM-Status: signature error: DKIM-Signature could not parse or has bad tags/values

The DKIM-Signature doesn't include the Subject as part of the signed headers. Your DKIM signature just has

h=from

In such a case, you must set the environment variable UNSIGNED_SUBJECT to anything. So just set this environment variable in your run script. You can also execute dkim like this (to allow unsigned subject)

dkim -S -v < /tmp/email2.eml

Section 5.4

> INFORMATIVE IMPLEMENTER'S NOTE: Although not required by this specification, all end-user visible header fields should be signed to avoid possible "indirect spamming". For example, if the Subject header field is not signed, a spammer can resend a previously signed mail, replacing the legitimate subject with a one-line spam.

Section 5.5

5.5 Recommended Signature Content

In order to maximize compatibility with a variety of verifiers, it is recommended that signers follow the practices outlined in this section when signing a message. However, these are generic recommendations applying to the general case; specific senders may wish to modify these guidelines as required by their unique situations. Verifiers MUST be capable of verifying signatures even if one or more of the recommended header fields is not signed (with the exception of From, which must always be signed) or if one or more of the disrecommended header fields is signed. Note that verifiers do have the option of ignoring signatures that do not cover a sufficient portion of the header or body, just as they may ignore signatures from an identity they do not trust.

The following header fields SHOULD be included in the signature, if they are present in the message being signed:

• From (REQUIRED in all signatures)
• Sender, Reply-To
• Subject
• Date, Message-ID
• To, Cc
• MIME-Version
• Content-Type, Content-Transfer-Encoding, Content-ID, Content-Description
• Resent-Date, Resent-From, Resent-Sender, Resent-To, Resent-Cc, Resent-Message-ID
• In-Reply-To, References
• List-Id, List-Help, List-Unsubscribe, List-Subscribe, List-Post, List-Owner, List-Archive

Thank you very much, this did it!

> The server my private mail is from does not run your patch (it's not mine), only our server does :D

I know, but you are verifing the signature with your qmail server, and I guess that server is not able to manage the missing k tag

> Besides the k tag is optional with a default value of rsa (https://www.rfc-editor.org/rfc/rfc4870#page-13), so that causing a syntax error is a bug, isn't it?

correct. It has been fixed it in a previuos release.

So, again, are you using my latest patch?

Sorry, for missing that info.

As far as I know, yes. To verify, I am currently using the 2023.04.26 combined patch.

I cannot retrieve your dns dkim record belonging to the domain of the email that you have registered in your comment. I assume that you use a non conventional descriptor.

Can you send me a private message so that I can try to test your signature and dkim record?

Howdy,

All of a sudden I got the qqinternal-bug as well.
Been working fine, but all of a sudden on 2 may 2023 I got the following in my logs:

@400000006450df932d64a0dc qlogreceived: result=rejected code=451 reason=queue_delay detail=qq_internal_bug_(#4.3.0) helo=56-dmta.msdp1.com mailfrom=bounce-4WGM6ogHtCNRnOsqsK227oL2eSLEu6DyjNY-_UW3lLc4@e.kaartje2go.nl rcptto= relay=no rcpthosts= size=44201 authuser= authtype= encrypted=tls sslverified=no localip= localport=25 remoteip= remoteport=56867 remotehost=56-dmta.msdp1.com qp=53110 pid=53103

I couldn't find any in the logs, so I rebooted but that didn't work as well.

For now I disabled the DKIM checks and it's working but of course without the DKIM check.

Have also a look to this thread https://notes.sagredo.eu/en/qmail-notes-185/testing-qmail-smtp-and-auth-22.html#comment2960. That issue is solved in the latest patch

Hi, do you have a copy of that email? We should do an strace against it. If there are not privacy issues feel free to send it via mail to me, or at least the strace where you perform the qmail-dkim test together with the header of the message 

Hi Roberto,

After installing everything I've got a strange error in my smtpd. I assume it got something to do with 'unable_to_exec_qq'. But I can't find any reason what's failing. The DNS is working fine, that I checked.
Do you maybe have an idea as where to look?

@400000006446aa7736fb477c Zqmail-dkim: signature error: temporary dns failure requesting selector (#4.7.0)
qlogreceived: result=rejected code=451 reason=queue_delay detail=unable_to_exec_qq_(#4.3.0) helo=xtrwnvrh.outbound-mail.sendgrid.net mailfrom=bounces+27743972-ef7b-=@em3306.railsport.nl rcptto=@ relay=no rcpthosts= size=29669 authuser= authtype= encrypted=tls sslverified=no localip= localport=25 remoteip=167.89.40.80 remoteport=40386 remotehost=xtrwnvrh.outbound-mail.sendgrid.net qp=27451 pid=27448

I'm not familiar with the qlog patch, but it looks like there are two different errors in the log. One is a temporary dns error for fetching the selector record from the DNS  and the other is the error reported by the below line in the qlog patch, when qmail_close returns an error.

+    qlogreceived("rejected","queuedelay",qqx + 1,"451");

In the above case, qmail-dkim has exited with a temporary error and qqx + 1 is as shown below. So to to me it looks like something else happened after the qmail-dkim error. Probably an strace -f -p tcpserver_pid will reveal what is happening.

qmail-dkim: signature error: temporary dns failure requesting selector (#4.7.0)

Hi Goofy,

the dkim verification went wrong because of a DNS problem while resolving the dkim record of the sender, so it is not your server's fault.

Hi Roberto,

With the help of strace it turns out simscan is treating 88 which qmail-dkim returns for (custom error patch) as unable_to_exec_qq error as default. Now your combined patch uses CUSTOM_ERR_FD as 4 and qmail-dkim uses 2 as the descriptor. However one can change that for qmail-dkim by setting the environment variable ERROR_FD=4 in the run script to send the error to descriptor 4 instead. Hopefully that should solve the ambiguous error being reported by qmail-smtpd.

qmail.h:#define CUSTOM_ERR_FD 4

Great! Thanks for pointing out that. I'll update my notes accordingly

With the help of Manvendra I t-shooted the issue further. Also came to the conclusion that Ubuntu 22.04 does not understand 'declare -x'.

I also had to patch and recompile qmail-dkim.c. I assume Manvendra will come back to that.

For people having simular issues:

find the errfd = 2;  in qmail.dkim & change to:

erffd = CUSTOM_ERR_FD;

Hi Roberto,

Also in qmail-dkim.c it will be the right thing to do if we change

errfd = 2;

to

errfd = CUSTOM_ERR_FD;

If we do that, we will not require to set the environment variable ERROR_FD. This change is in the custom_error() function.

I'll do it. It's even simpler. Thank you

The following command creates a private key correctly but fails to output corresponding public key.

# dknewkey -d domain.tld -t rsa -b 2048 default

It generates one line of public key without any public key.

# cat default.pub
default._domainkey.domain.tld. IN TXT (
#

I cannot reproduce the problem. Can you show how are you using dknewkey in order to create the key?

The script seems to print the first line then stops but does not generate any error. I tried with default selector and different domain names but results are same. I am running Debian 11.

# dknewkey -d abcd.com -t rsa -b 2048 asdf1
Generating rsa DKIM private key keysize=2048, file /var/qmail/control/domainkeys/abcd.com/asdf1
Generating rsa DKIM public key for asdf1.domainkey.abcd.com, file /var/qmail/control/domainkeys/abcd.com/asdf1.pub, keysize=2048
# cat /var/qmail/control/domainkeys/abcd.com/asdf1
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAw931TJiXXM3I30va2hCs+sNmUR5ZJ0DU5yZVFOfuDEJPauB5
HBN5hUqpyK2p9cccuEBJToiUk6fVP6MiO0hXACbsTGhEAodq7Id1xZzs+tWuFz8y
ZnO5d7ZylMEtS0p3xhRTGrTCYlq7QkX44Jk9xJCJFG50/hv9Y1wMtxhM/XsWPj0w
2A0SpgfgTaH26xQYvqyhr6q1pE1cH4DDF8C7LHDWUcm0LudNx9xt3LUDFtUbHdLt
BWzJHtZa6FEN55UQx1ql1t7dB5VbF2CBFPFMcsIxOPUhxnCegyTw5vHRf9ooMTCo
MUptoeALDoM9HsFj48/ONhgP3/BzCT5N2b4gswIDAQABAoIBAQC1rtKWHUjx/bSh
.......
/+I91+oas+DhOqtgdJqf6QJnMyk1FKB0oZhO8dxIM/m/pMpfAuLnLCdZfyqvv+XA
Wj9d7JiaNHktCeDJZOZxGldjirRchbG50qVdyv/l1KvI4ZD7Au+A/UIa/7/UcU0g
qD272h8CgYEA10LxYhZ+MnHJMOlzSXS0ya7rsxOrTvnXuoFv91umn8aw/pxWqp87
VWBPJQYtMdag+ftYbAVpDbpIIKsHf6zQR+a2eGfVnepoMwAWYpwl63ZRTfRtkXnJ
cAagUSnHbemvt/bsIeT8ChuFMym3hqeU1LiPZF40OfbzEldd6k7Af+Y=
-----END RSA PRIVATE KEY-----
# cat /var/qmail/control/domainkeys/abcd.com/asdf1.pub
asdf1._domainkey.abcd.com. IN TXT (#

Does this command work

cd /var/qmail/control/domainkeys/abcd.com/
openssl  rsa -in asdf1 -pubout -outform PEM | grep -v '^--' | tr -d '\n'

The command

openssl  rsa -in default -pubout -outform PEM | grep -v '^--' | tr -d '\n'

seems to work on debian as it prints the rsa key. But the key was not printed at all when it was created and the default.pub file is broken

default._domainkey.test.com. IN TXT (

I can confirm that patching as suggested below solves.

I have been unable to simulate this. But I believe the split_str function is bash specific and maybe giving problems on systems where /bin/sh doesn't have BASH extensions. A portable way to split a string longer than 255 characters is to use the fold -w255 command. That's what I have done in the new patch

6b50946f7fe5c9dc5761f56118be2bcb  dkim-netqmail-1.06.patch-1.38.gz

https://sourceforge.net/projects/indimail/files/netqmail-addons/qmail-dkim-1.0/dkim-netqmail-1.06.patch-1.38.gz

split_str() works when using my old program with the same split_str() function by Tatsuya Yokota https://github.com/kotaroman/domainkey but I cannot figure out what's causing the problem in your modified version

Yes, it works!
I think there is an issue with split_str function in the dknewkey script. It works well after changing as per below:

65c65
< split_str "v=DKIM1; k=$ktype;$t p=$pubkey"
---
> printf "v=DKIM1; k=$ktype;$t p=$pubkey"

I will try to simulate this and fix the split_str function. The split function is needed to split the text records into multiple strings smaller than 255 bytes for some dns service providers.

I have modified split_str() so it works in Debian 11.

--- dknewkey.orig 2023-03-14 21:09:35.306738818 +1300
+++ dknewkey 2023-03-14 21:36:54.068728994 +1300
@@ -25,26 +25,19 @@
# of length 255 or less
split_str()
{
- local STR="$1"
- local START=0
- local STR_COUNT=0
- local LINE=""
- local SPLIT=255
+ local INPUT="$1"
+ local LEN=$(echo "$INPUT" | wc -c)
+ local COUNT=$((LEN / 255))

- while true
- do
- START=$STR_COUNT
- LINE=${STR:$START:$SPLIT}
- if [ ${#LINE} -eq 0 ]; then
- break
- fi
- if [ $START -eq 0 ]; then
- printf "\"${LINE}\"" # first line
- else
- printf " \"${LINE}\""
- fi
- STR_COUNT=$(expr $STR_COUNT + $SPLIT)
- done
+ for i in `seq 0 $COUNT`
+ do
+ LINE=`echo "$INPUT" | cut -c $((i * 255 + 1))-$(((i + 1) * 255))`
+ if [ $COUNT -eq 0 ]; then
+ echo "\"${LINE}\"" # first line
+ else
+ echo " \"${LINE}\""
+ fi
+ done
}

write_pub_key()

Hi J,

Can you let me know your name (or first name) so that I can credit you for the new split_str function in the dknewkey code.

Regards Manvendra

Thank you. That was nice of you. I will leave it to Roberto to include this version in his combined patch. Will apply the same changes at my end.

Thank you. Appreciated

Thanks to you and Manvendra for the patch. However, I have a problem with dk-filter when using DKIMDOMAIN for bounces with empty sender. I get the following error:

% export QMAILREMOTE=/var/lib/qmail/bin/spawn-filter
% export DKIMSIGNOPTIONS="-z 2"
% export DKIMDOMAIN=`cat /var/lib/qmail/control/dkimdomain`
% unset _SENDER
% var/lib/qmail/bin/dk-filter < testmail.txt
/var/lib/qmail/bin/dk-filter: 135: strip_default: not found
basename: missing operand
Try 'basename --help' for more information.
Private Key not provided
usage: dkim [-lqthvH] [-p <0|1|2>] [-b <1|2|3>] [-c <r|s|t|u>]
[-d domain] [-i you@domain] [-x expire_time] [-z hash] [-y selector] -s privkeyfile
....

I looked at the dk-filter script, and it does seem to try to call a strip_default function that is never defined. 

I also question why it is calling this function. Assuming it says what it is supposed to do, I don't see a reason to strip the 'default' selector part of the key file path, otherwise the file would not be found. 

As such, I assume the following patch should fix it (it seems to do so for me), but not sure whether that is the right fix. 

--- /usr/sbin/dk-filter.orig 2023-01-01 00:28:45.000000000 +0000
+++ /usr/sbin/dk-filter 2023-01-01 00:35:39.000000000 +0000
@@ -132,7 +132,7 @@
 fi
 if [ $percent_found -eq 1 ] ; then
  if [ -n "$DKIMDOMAIN" -a -z "$_SENDER" ] ; then
-  dkimkeyfn=$(strip_default $(echo $DKIMSIGN | sed "s{%{$DKIMDOMAIN{g"))
+  dkimkeyfn=$(echo $DKIMSIGN | sed "s{%{$DKIMDOMAIN{g")
   if [ ! -f $dkimkeyfn ] ; then # remove % and check if file exists
    t=$(echo $DKIMSIGN | sed "s{/%{{g")
     if [ -f $t ] ; then

Hi Andreas,

Thank you for posting the fix. The fix is correct. The strip_default was supposed to be removed but somehow it escaped my eyes.

Ok, great. I assume the patch really needs to be applied to the .sh file in the sources. Sorry also for the typo in the subject. And I assume that you will incorporate that into the next version of the patch, right? 

Happy new year to everybody!

Andreas

Happy new year!

Combined patch updated

Good Day!

I worked through this page but could not get a custom selector working for signing.  I note that some have previoulsy commented on this issue, but the listed solutions and workarounds didn't solve the issue for me.

I traced through things until I found that the dk-filter script was not properly stripping the word default from the domainkeys strings. The file claims to be auto-generated, so clearly that file is not the correct place to fix the problem permanently, presumably this will need to be fixed in the patch. 

This is still in my sandbox, so not tested in production and may need some further tweaking, and only tested with DKIM, not DK (but I put the changes for DK as well so presumably will work), but the following patch updates the dk-filter file so that it properly detects the selector, generates the keys, and outputs the correct headers:

--- /root/dk-filter 2022-09-26 15:08:30.492717661 -0400
+++ /var/qmail/bin/dk-filter 2022-09-26 17:17:42.888588987 -0400
@@ -88,17 +88,21 @@
fi
if [ -z "$NODK" -a -x /var/qmail/bin/dktest -a -z "$DKVERIFY" ] ; then
if [ -z "$DKSIGN" ] ; then
- DKSIGN=/var/qmail/control/domainkeys/%/default
+# DKSIGN=/var/qmail/control/domainkeys/%/default
+ DKSIGN=/var/qmail/control/domainkeys/%
dksign=2
- elif [ " $DKSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+# elif [ " $DKSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+ elif [ " $DKSIGN" = " /var/qmail/control/domainkeys/%" ] ; then
dksign=2
fi
fi
if [ -z "$NODKIM" -a -x /var/qmail/bin/dkim -a -z "$DKIMVERIFY" ] ; then
if [ -z "$DKIMSIGN" ] ; then
- DKIMSIGN=/var/qmail/control/domainkeys/%/default
+# DKIMSIGN=/var/qmail/control/domainkeys/%/default
+ DKIMSIGN=/var/qmail/control/domainkeys/%
dkimsign=2
- elif [ " $DKIMSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+# elif [ " $DKIMSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+ elif [ " $DKIMSIGN" = " /var/qmail/control/domainkeys/%" ] ; then
dkimsign=2
fi
fi
@@ -132,7 +136,8 @@
if [ $dksign -eq 0 -a $percent_found -ne 1 ] ; then
exit 32
fi
- dkselector=`basename $dkkeyfn`
+# dkselector=`basename $dkkeyfn`
+ dkselector=$(cat $dkkeyfn/selector)
fi
if [ -z "$NODKIM" -a -n "$DKIMSIGN" ] ; then
if [ ! -f /var/qmail/bin/dkim ] ; then
@@ -153,10 +158,11 @@
else
dkimkeyfn=$DKIMSIGN
fi
- if [ $dkimsign -eq 2 -a ! -f $dkimkeyfn ] ; then
+ if [ $dkimsign -eq 2 -a ! -d $dkimkeyfn ] ; then
+ echo "here is $default_key"
dkimkeyfn=$default_key
fi
- if [ -f $dkimkeyfn ] ; then
+ if [ -d $dkimkeyfn ] ; then
dkimsign=1
else
dkimsign=0
@@ -164,7 +170,8 @@
if [ $dkimsign -eq 0 -a $percent_found -ne 1 ] ; then
exit 32 # private key does not exist
fi
- dkimselector=`basename $dkimkeyfn`
+# dkimselector=`basename $dkimkeyfn`
+ dkimselector=$(cat $dkimkeyfn/selector)
fi
if [ -z "$NODK" -a -n "$DKVERIFY" ] ; then
if [ ! -f /var/qmail/bin/dktest ] ; then
@@ -266,7 +273,8 @@
dkimopts="$dkimopts -y $dkimselector"
fi
if [ $sopt -eq 0 ] ; then
- dkimopts="$dkimopts -s $dkimkeyfn"
+# dkimopts="$dkimopts -s $dkimkeyfn"
+ dkimopts="$dkimopts -s $dkimkeyfn/$dkimselector"
fi
exec 0</tmp/dk.$$
eval $dkimopts
@@ -310,7 +318,8 @@
shift # next flag
done
if [ $sopt -eq 0 ] ; then
- dkopts="$dkopts -s $dkkeyfn"
+# dkopts="$dkopts -s $dkkeyfn"
+ dkopts="$dkopts -s $dkkeyfn/$dkselector"
fi
exec 0</tmp/dk.$$
eval $dkopts
root@postmanlian:/var/qmail/man/man8# --- /root/dk-filter 2022-09-26 15:08:30.492717661 -0400
+++ /var/qmail/bin/dk-filter 2022-09-26 17:17:42.888588987 -0400
@@ -88,17 +88,21 @@
fi
if [ -z "$NODK" -a -x /var/qmail/bin/dktest -a -z "$DKVERIFY" ] ; then
if [ -z "$DKSIGN" ] ; then
- DKSIGN=/var/qmail/control/domainkeys/%/default
+# DKSIGN=/var/qmail/control/domainkeys/%/default
+ DKSIGN=/var/qmail/control/domainkeys/%
dksign=2
- elif [ " $DKSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+# elif [ " $DKSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+ elif [ " $DKSIGN" = " /var/qmail/control/domainkeys/%" ] ; then
dksign=2
fi
fi
if [ -z "$NODKIM" -a -x /var/qmail/bin/dkim -a -z "$DKIMVERIFY" ] ; then
if [ -z "$DKIMSIGN" ] ; then
- DKIMSIGN=/var/qmail/control/domainkeys/%/default
+# DKIMSIGN=/var/qmail/control/domainkeys/%/default
+ DKIMSIGN=/var/qmail/control/domainkeys/%
dkimsign=2
- elif [ " $DKIMSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+# elif [ " $DKIMSIGN" = " /var/qmail/control/domainkeys/%/default" ] ; then
+ elif [ " $DKIMSIGN" = " /var/qmail/control/domainkeys/%" ] ; then
dkimsign=2
fi
fi
@@ -132,7 +136,8 @@
if [ $dksign -eq 0 -a $percent_found -ne 1 ] ; then
exit 32
fi
- dkselector=`basename $dkkeyfn`
+# dkselector=`basename $dkkeyfn`
+ dkselector=$(cat $dkkeyfn/selector)
fi
if [ -z "$NODKIM" -a -n "$DKIMSIGN" ] ; then
if [ ! -f /var/qmail/bin/dkim ] ; then
@@ -153,10 +158,11 @@
else

New combined patch with Manvendra's fresh fix published

Thanks to you both!!  will test later this week.

The correct file to change would be dk-filter.sh. dk-filter is auto-generated from dk-filter.sh after replacing QMAILHOME with value in conf-qmail.

You are right about the string 'default' is not getting stripped when a dkim key exists with the domain name in /var/qmail/control/domainkeys/yourdomain. This is what qmail-dkim does, but somehow I have missed this part in the shell version dk-filter.sh.

Thank you for bringing this to my attention. This is a bug. I will fix it by weekend and submit the fix to Roberto.

Thank you Manvendra,

Glad my diagnosis is correct.

In my research I note that DKIM is supposed to allow for multiple selectors per domain name, and I don't see a way to do that with dk-filter either.  I don't foresee needing this in my case, but I did put some thought into how to adjust the script to accommodate it just in case I ever need it.  Unfortunately, I don't really see a straightforward way, but might be worth considering if you are fixing things.

your work is admired and appreciated, thank you!

Take a look at having /var/qmail/control/dkimkeys. The format of this file is

domain:private_key_file_path

I find that I have not updated the dk-filter and qmail-dkim with dkimkeys control file.  This will be fixed in the next path that I will submit to Roberto by this weekend.

The basename of the private_key_file_path will be used as selector. dkim keys are supposed to be rotated/generated. You can have a cron script to generate new keys and and also generate the file /var/qmail/control/dkimkeys

Regarding the first issue that you reported, I did some testing and did find issues. I have fixed it and currently testing the script. 

I'm putting below the description of dkimkeys control file. I feel that will satisfy your requirement

       To sign a message, set the DKIMSIGN environment variable to the pathname of the private key that will be used to sign the message. If there is  a

       %  character in the environment variable, it is removed and replaced by the domain name in the From: header. The selector (s=) will be taken from

       the basename of the file. If, after substituting the %, that file does not exist, the % character will be removed to check if the file exists. In

       addition to DKIMSIGN environment variable, you can have the domain and the pathname of the private key in the control file dkimkeys which has the

       following format

       domain:private_key_path

       If an entry for domain exists in dkimkeys, the value of DKIMSIGN environment variable is ignored. domain can be a regular expression.

Hi Manvendra,

Okay, if I understand correctly, setting the DKIMSIGN variable requires that all domains use the same selector, as the only thing that can be substituted in the varilable is the domain name?  Different selectors for each domain name will require the control file?

I also understand that I will wait till next week so I can use the dkimkeys control file.  I am not clear from the example format; I think the format requires a full absolute path, like so:

testdomain.tld:/var/qmail/control/domainkeys/testdomain.tld/customselector

Is that correct?

Also; will using a control file require restarting the qmail service when it is updated?  or does it get read on the fly when dk-filter is executed?

> Okay, if I understand correctly, setting the DKIMSIGN variable requires that all domains use the same selector, as the only thing that can be substituted in  the varilable is the domain name?  Different selectors for each domain name will require the control file?

Correct

> I also understand that I will wait till next week so I can use the dkimkeys control file.  I am not clear from the example format; I think the format requires a full absolute path, like so:

testdomain.tld:/var/qmail/control/domainkeys/testdomain.tld/customselector

> Is that correct?t

Correct

Also; will using a control file require restarting the qmail service when it is updated?  or does it get read on the fly when dk-filter is executed?

You don't have to restart anything. It will be read on the fly when dk-filter is executed.

Hi Manvendra,

Understood, thank you.  I will wait till next week and talk to you then.

I just took a look at the code. The string default is never supposed to be removed. It is just the name of the selector.

So if I have DKIMSIGN=/var/qmail/control/domainkeys/%/myselector

Then if the domain is abcd.com following should happen

First the key /var/qmail/control/domainkeys/abcd.com/myselector will be checked. If it exists then the private key /var/qmail/control/domainkeys/abcd.com/myselector will be used. The selector will be myselector

If the file /var/qmail/control/domainkeys/abcd.com/myselector doesn't exist then the private key /var/qmail/control/domainkeys/myselector will be used as the private key file with the selector named as myselector.

If that too doesn't exist then /var/qmail/control/domainkeys/default will be used as the private key file with the selector named as default.

If you want specific keys for your domains you have to use the control file /var/qmail/control/dkimkeys. But unlike the DKIMSIGN variable, one has to have all your domains in this control file. Format of this control file is

domain:private_key_file_path

I will test all of these situations. Maybe something is wrong because of which it is not working for @computerisms

Hi, thanks for your contribution. Can you confirm that the solution described here (defining DKIMKEY) didn't work for you?

Hi Roberto,

To be honest, I didn't try the DIMKEY variable, because if I understand correclty it will still hardcode the selector, in that case as MyDKIM instead of as default, but please correct me if I am wrong.  In turn, that presumes that I will want the same selector across all domains, which if possible I won't.

If my patch is correct, the script will pull the value from the selector file, which allows for individual/unique selectors per domain, and should also allow scripted rotation of the selector if I want to do that, as well. 

But as mentioned, this is only in my sandbox, will see if I encounter problems once I add a few dozen domains.  In reading over my patch, I see I could have cleaned it up a bit more, will send a better copy in the future.

I got following error from qmail-send with DKIM 

/var/qmail/bin/dk-filter:_(spawn-filter)_exit_code:_127:_IndiMailfilter:_applet_not_found/._(#4.3.0)spawn-filter_said:_Message_deferred

and It seems spawn-filter.c is trying to call "IndiMailfilter" comand that standard linux would not have.

# find . -type f | xargs grep -n "IndiMail"
./spawn-filter.c:267: execl("/bin/sh", "IndiMailfilter", "-c", filterargs, (char *) 0);

Is the command from https://github.com/mbhangui/indimail-virtualdomains?

I've just asked Manvendra to take a look at this.

This is Manvendra's reply:

IndiMailFilter is just argv[0]. It is not an actual program that is being called. It is what will appear in the ps -ef output. The actual program being executed is /bin/sh. I searched for the error applet not found and it is something to do if busybox is the shell. i.e. /bin/sh is linked to busybox. Ask the person to do

ls -l /bin/sh /usr/bin/sh

The output of the above command might give a clue.

Thanks for replay. Indeed, my system is AlpineLInux Docker image that uses busybox.

# ls -l /bin/sh /usr/bin/sh
ls: /usr/bin/sh: No such file or directory
lrwxrwxrwx 1 root root 12 May 23 16:51 /bin/sh -> /bin/busybox

So the dkim filter cannot work. I suggest to link another shell like bash, but I don't know if your system will be ok after that, or disable dkim

Hi Roberto

Actually dkim filter can work with busybox. The problem is the "IndiMailfilter" argument,

which does not make any sense in spawn-filter.c. Busybox relies on argv[0] to be "/bin/sh".

The patch below is tested by myself, and works like a charm on busybox.

Based on your latest patch (2023.01.31), so it should cleanly apply.

--- netqmail-1.06-original/spawn-filter.c
+++ netqmail-1.06/spawn-filter.c
@@ -264,7 +264,7 @@
/*- Avoid loop if program(s) defined by FILTERARGS call qmail-inject, etc */
if (!env_unset("FILTERARGS") || !env_unset("SPAMFILTER"))
report(111, "spawn-filter: out of mem: ", error_str(errno), ". (#4.3.0)", 0, 0, 0);
- execl("/bin/sh", "IndiMailfilter", "-c", filterargs, (char *) 0);
+ execl("/bin/sh", "/bin/sh", "-c", filterargs, (char *) 0);
report(111, "spawn-filter: could not exec /bin/sh: ", filterargs, ": ", error_str(errno), ". (#4.3.0)", 0);
default:
close(pipefe[1]);

Thank you for the hint.

btw I would stick with Manvendra's original patch, just to avoid patching a patch all the time

As you wish. Maybe we can ask Manvendra to revise his code.

"IndiMailfilter" argument really does not make sense in spawn-filter.c.

Just search it in your combined patch, and you will see that it only appears once.

Therefore changing it to /bin/sh will not make things worse than they were before,

but it certainly fixes the problem in my Alpine docker image.

Regards

Ali Erturk TURKER

yes, I'll ask him. Anyway I know that he is receiving these comments. These days I'm in touch with him because his new patch is on the way and he is looking for testers

I'm getting the comments. The IndiMailfilter is actuall just the argv[0] which shows up in ps -ef listing. It is not the actuall command. The command is just /bin/sh. So if it is failing, it is probably because of /bin/sh is missing. On many systems, there is a move to remove /bin/sh. In fact when you generate RPMs on fedora, the RPM package creation replaces #!/bin/sh in shell scripts with #!/usr/bin/sh

If /bin/sh is missing just create a link to /usr/bin/sh or to busybox and you should be fine. Meanwhile I will test this on alpine and see what the issue is.

Hİ Manvendra

Trust me /bin/sh is there, and is a symbolic link to /bin/busybox:

/ # file /bin/sh
/bin/sh: symbolic link to /bin/busybox

After hours of searching, I found that busybox relies on argv[0] to be "/bin/sh"

from this email. Then I checked the function arguments from this link

and tried the patch below and it solved the "applet" error:

--- netqmail-1.06-original/spawn-filter.c
+++ netqmail-1.06/spawn-filter.c
@@ -264,7 +264,7 @@
/*- Avoid loop if program(s) defined by FILTERARGS call qmail-inject, etc */
if (!env_unset("FILTERARGS") || !env_unset("SPAMFILTER"))
report(111, "spawn-filter: out of mem: ", error_str(errno), ". (#4.3.0)", 0, 0, 0);
- execl("/bin/sh", "IndiMailfilter", "-c", filterargs, (char *) 0);
+ execl("/bin/sh", "/bin/sh", "-c", filterargs, (char *) 0);
report(111, "spawn-filter: could not exec /bin/sh: ", filterargs, ": ", error_str(errno), ". (#4.3.0)", 0);
default:
close(pipefe[1]);

So, we can either ignore this issue and force Alpine users to install bash for no reason and bloat their docker images, or we can apply this simple patch and save many people from wasting hours like me.

I trust your common sense.

Regards,

Ali Erturk TURKER

Thank you for letting me know that busybox returns error when argv[0] is not /bin/sh. I will make a change so that it works on the alpine docker image.

Hi Roberto,

I have been reviewing your combined patch since last week.

It is really a masterpiece, but there is always room for improvement.

I'll be more than happy to test his code.

Regards,

Ali Erturk TURKER

Thank you, Ali. It would be of no value without users' contributions and people like Manvendra and all the others. So feel free to post further fixes.

Manvendra will have the test patch ready in a couple of days and I'll let you know here. He is working on making the patch RFC 8463 compliant and testers are needed before final release

I have uploaded the latest patch. This has the updated man page and should work for alpine docker images that has /bin/sh linked to busybox.

1. The testqmail-dks script tests signing + verification for both rsa and ed25519 signatures

2. The man pages have been updated

3. dkimkeys control file has been enhanced. You can set any environment variable using this control file. The format of this file is

regex_pattern_for_domain:private_key_file_path:comma_separated_env_variables

e.g. The below entry will make qmail-dkim use /var/qmail/control/domainkeys/example.org/dkimkeys2 as the private key file and set the hash encryption method to ed25519. It will unset env variable ABCD and set env variable EFGH=2

ex.*.org:/var/qmail/control/domainkeys/%/dkimkeys2:QREGEX=1,DKIMSIGNOPTIONS=-z 4,ABCD=,EFGH=2

https://sourceforge.net/projects/indimail/files/netqmail-addons/qmail-dkim-1.0/dkim-netqmail-1.06.patch-1.33.gz

CAUTION: qmail-dkim.c has significant changes and I forsee few bugs. Please let me know. Also If you can review the man pages for dkim and qmail-dkim it will be appreciated

Thank you Manvendra. 

Combined patch follows (testing) https://notes.sagredo.eu/files/qmail/patches/roberto-netqmail-1.06/roberto-netqmail-1.06.patch-2023.02.01-testing.gz

Hi All,

I have uploaded the latest patch as https://sourceforge.net/projects/indimail/files/netqmail-addons/qmail-dkim-1.0/dkim-netqmail-1.06.patch-1.32.gz

The patch also comes with testqmail-dks to test multiple methods and mixed signatures. You don't have to deply the DNS records to use testqmail-dks. The verification process in testqmail-dks directly uses the selector from the public key file.

I still have 2 things pending. I have to update the qmail-dkim and dkim man page. I will do it tomorrow. This patch adds new cryptographic method for DKIM-Signature. Earlier we just had RSA. This patch adds ED25519 method as detailed in https://www.rfc-editor.org/rfc/rfc8463.

AFAIK no one at present is signing using this method.

Ed25519 public keys are 256 bits long, the base64-encoded
   key is only 44 octets, so DNS key record data will generally fit in a
   single 255-byte TXT string and work even with DNS provisioning
   software that doesn't handle multistring TXT records.

Signers SHOULD implement and verifiers MUST implement the
   Ed25519-SHA256 algorithm

For backward compatibility, signers can add multiple signatures that
   use old and new signing algorithms.  Since there can only be a single
   key record in the DNS for each selector, the signatures have to use
   different selectors, although they can use the same d= and i=
   identifiers.

qmail-dkim can add signatures for both. You will have to set DKIMSIGNEXTRA and DKIMSIGNOPTIONSEXTRA. The updated man pages are available for reading below. I will update the same on the patch as soon as possible

https://github.com/mbhangui/indimail-mta/wiki/qmail-dkim.8 

and

https://github.com/mbhangui/indimail-mta/wiki/dkim.8 

Installing bash and link /bin/sh to /bin/bash solved this issue. Thanks.

hello guys, I'm trying to compile netqmail by applying the tls and dkim patch, I'm using the following patches

https://notes.sagredo.eu/files/qmail/patches/dkim/dkim-netqmail-1.06.patch-1.28 
https://notes.sagredo.eu/files/qmail/patches/tls/netqmail-1.06-tls-20200107.patch

I applied the tls patch first and then fixed the dkim patch to work on the netqmail code patched with the tls patch. However when executing make it generates the following error

https://paste.ubuntu.com/p/k6jv42gyvK

```
./load ipmeprint ipme.o ip.o ipalloc.o stralloc.a alloc.a \
substdio.a error.a str.a fs.a `cat socket.lib`
./compile qreceipt.c
./load qreceipt headerbody.o hfield.o quote.o token822.o \
qmail.o getln.a fd.a wait.a sig.a env.a stralloc.a alloc.a \
substdio.a error.a str.a auto_qmail.o 
qmail.o: In function `qmail_open':
/packages/v2/libdomainkeys-0.69/netqmail-1.06/qmail.c:50: undefined reference to `scan_int'
collect2: error: ld returned 1 exit status
make: *** [Makefile:1737: qreceipt] Error 1
[root@qmail netqmail-1.06]# 
```

Any idea?

Hi, i have the following issue for the last few days. It appeared after I tried to install simscan. Can you advise? It used to work before.

@400000005f1744850b64bd8c qlogreceived: result=rejected code=451 reason=queuedelay detail=qmail-dkim:_Unable_to_read_private_key._(#4.3.0) 
helo=Sags-MacBook-Pro-A1990.local mailfrom=kliment.toshkov@netfinity.bg rcptto=kt@netfinity.bg relay=yes rcpthosts= size=1016 
authuser=kliment.toshkov@netfinity.bg authtype=plain encrypted=tls sslverified=no localip=194.153.118.30 localport=587 
remoteip=10.6.6.8 remoteport=62916 remotehost= qp=29305 pid=29301

Hi, check the owner of /usr/local/etc/domainkeys/netfinity.bg/ folder. If you are signing at qmail-remote level it should be owned by qmailr:qmail, if you are signing at qmail-smtpd level it should be owned by vpopmail:vchkpw

The letters present in the DKIMVERIFY variable indicate which tests must be considered to reject an email, as follows:

A - DKIM_SUCCESS - Function executed successfully
B - DKIM_FINISHED_BODY - process result: no more message body is needed
C - DKIM_PARTIAL_SUCCESS - verify result: at least one but not all signatures verified
D - DKIM_NEUTRAL - verify result: no signatures verified but message is not suspicious
E - DKIM_SUCCESS_BUT_EXTRA - signature result: signature verified but it did not include all of the body
F - DKIM_3PS_SIGNATURE - 3rd-party signature
G - DKIM_FAIL - Function failed to execute
H - DKIM_BAD_SYNTAX - signature error: DKIM-Signature could not parse or has bad tags/values
I - DKIM_SIGNATURE_BAD - signature error: RSA verify failed
J - DKIM_SIGNATURE_BAD_BUT_TESTING - signature error: RSA verify failed but testing
K - DKIM_SIGNATURE_EXPIRED - signature error: x= is old
L - DKIM_SELECTOR_INVALID - signature error: selector doesn't parse or contains invalid values
M - DKIM_SELECTOR_GRANULARITY_MISMATCH - signature error: selector g= doesn't match i=
N - DKIM_SELECTOR_KEY_REVOKED - signature error: selector p= empty
O - DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG - signature error: selector domain name too long to request
P - DKIM_SELECTOR_DNS_TEMP_FAILURE - signature error: temporary dns failure requesting selector
Q - DKIM_SELECTOR_DNS_PERM_FAILURE - signature error: permanent dns failure requesting selector
R - DKIM_SELECTOR_PUBLIC_KEY_INVALID - signature error: selector p= value invalid or wrong format
S - DKIM_NO_SIGNATURES - no signatures
T - DKIM_NO_VALID_SIGNATURES - no valid signatures
U - DKIM_BODY_HASH_MISMATCH - sigature verify error: message body does not hash to bh value
V - DKIM_SELECTOR_ALGORITHM_MISMATCH - signature error: selector h= doesn't match signature a=
W - DKIM_STAT_INCOMPAT - signature error: incompatible v=
X - DKIM_UNSIGNED_FROM - signature error: not all message's From headers in signature

For example, if you want to permanently reject messages that have a signature that is expired, include the letter 'K' in the DKIMVERIFY environment variable.

A conservative set of letters is FGHIKLMNOQRTUVWjp. Reject permanently 3PS, FAILURE, SYNTAX, SIGNATURE_BAD, SIGNATURE_EXPIRED, SELECTOR_INVALID, GRANULARITY_MISMATCH, SELECTOR_KEY_REVOKED, DOMAIN_NAME_TOO_LONG, SELECTOR_PUBLIC_KEY_INVALID, NO_VALID_SIGNATURES and BODY_HASH_MISMATCH errors, and temporarily SIGNATURE_BAD_BUT_TESTING and DNS_TEMP_FAILURE.

Add in S if you want to reject messages that do not have a DKIM signature. You can use the control files signaturedomains and nosignature domains (See Below) to further fine tune the action to be taken when a mail arrives with no DKIM signature. Note that qmail-dkim always inserts the DKIM-Status header, so that messages can be rejected later at delivery time, or in the mail reader. In that case you may set DKIMVERIFY to an empty string. If you want to check all message's From header in signature set the UNSIGNED_FROM environment variable to an empty string. If you want to check messages without signed subject header, set UNSIGNED_SUBJECT environment variable. If you want to honor body lengh tag (l=), set HONOR_BODYLENGTHTAG environment variable.

man qmail-dkim for latest documentation on the purpose

Hello again Roberto,

Google is my friend !
;-)

I found Recorder Builder for djbdns https://andersbrownworth.com/projects/sysadmin/djbdnsRecordBuilder/

We can give djbdns sintax for DKIM

Marco Varanda

(Brazil)

I would really recommend to set up the full stack: SPF, DKIM, and DMARC. No one should send emails without having this configuration ready. The mentions tools in the article to verify DKIM are great, but for this purpose, I use another free tool from https://www.emailchecky.com/en/ because it has more features and also offers a very handy all-in-one analysis for emails.

These topics are all covered here, DMARC is presented in the spamassassin section, SPF is inside the Configuring page.

If I understand the scarse documentation of the page you suggest, this tool seems just like an external tool where to redirect private msg and personal data in order to validate the email. Not a  good idea.

Hello,

I know this topic is reserved for DKIM but do you intend to write something about DMARC as well?

Did you found any posibility to implement DMARC? Apparently there is something possible with qpsmtp and opendmarc , a plugin support in spamassassin(i find it in a very incipent way) or implemented via spamassassin AskDNS like it's presented on my blog.

Do you have any other ideeas?

Iulian, you may want to take a look at this fix for the askDNS rule here

Finally I added a page on DMARC with AskDNS here. Thanks for your contribution

Hi Iulian,

I implemented a DMARC filter for incoming mails; maybe it's of use to you: https://github.com/fany/App-Qmail-DMARC

Regards
Martin

I don't have plans to write anything concerning DMARC filters, as I'm not familiar with them yet.

Anyway I would not consider qpsmtp as a good option, since I don't like the idea of completely replace my qmail-smtpd. I would play with a spamassassin plugin like the one that you suggest in your blog, when I'll have the time

Hello,

I've noticed that when chaining dkim with simscan the pid of the process changes in simscan.

QMAILQUEUE="/var/qmail/bin/surblqueue",SURBLQUEUE="/var/qmail/bin/qmail-dkim",DKIMQUEUE="/var/qmail/bin/simscan"

This is bad when it comes to processing the logs

2019-06-24 16:23:35.203214500 tcpserver: pid 2639 from 192.168.200.164 - Procedencia:
2019-06-24 16:23:35.203215500 tcpserver: ok 2639 desmx1.mydomain.com:192.168.200.165:25 :192.168.200.164::38536
2019-06-24 16:23:35.205136500 qmail-smtpd 2639: connection from 192.168.200.164 (unknown) to desmx1.mydomain.com
2019-06-24 16:23:35.205137500 qmail-smtpd 2639: enabled options: max msg size: 25000000 starttls relayclient sanitycheck sendercheck qmailqueue /var/qmail/bin/simscan
2019-06-24 16:23:35.206499500 qmail-smtpd 2639: remote ehlo: friend.mydomain.com
2019-06-24 16:23:35.207420500 qmail-smtpd 2639: mail from: me@test.mydomain.com
2019-06-24 16:23:35.207420500 qmail-smtpd 2639: sender verify, sender not in goodmailaddr
2019-06-24 16:23:35.207421500 qmail-smtpd 2639: sender verify, sender is local
2019-06-24 16:23:35.215157500 qmail-smtpd 2639: sender verify OK
2019-06-24 16:23:35.216389500 qmail-smtpd 2639: rcpt to: someaccount@gmail.com
2019-06-24 16:23:35.218563500 qmail-smtpd 2639: go ahead
2019-06-24 16:23:35.220986500 simscan:[2642]: calling clamdscan
2019-06-24 16:23:35.232338500 simscan:[2642]: normal clamdscan return code: 0
2019-06-24 16:23:35.232340500 simscan:[2642]: calling /home/vmail/spam/Mail-SpamAssassin/bin/spamc -d localhost -p 10783 -u simscan@test.mydomain.com -c -s 5000000
2019-06-24 16:23:35.359233500 simscan:[2642]:Mensaje en Salida ==> NO SPAM: [0.000000,8.000000]
2019-06-24 16:23:35.359235500 simscan:[2642]:CLEAN (0.00/8.00):0.1407s::192.168.200.164:me@test.mydomain.com:someaccount@gmail.com
2019-06-24 16:23:35.366057500 simscan:[2642]: qmail-queue exited 0
2019-06-24 16:23:35.366342500 qmail-smtpd 2639: message queued: 1561386215 qp 2641 size 287 bytes
2019-06-24 16:23:35.366890500 qmail-smtpd 2639: quit, closing connection
2019-06-24 16:23:35.367126500 tcpserver: end 2639 status 0

Any ideas?

Regards

This is because simscan goes in a sub-process. the simscan pid is bounded to its parent ppid in the email header, for example

Received: (simscan 1.4.0 ppid 8424 pid 8429 t 0.1287s) (scanners:

I don't get it: dk-filter states: "dk-filter uses the domain found in the Sender: header to set the domain tag. If not it uses the From: header."

But when I test it and also when reading its code, I find no evidence that the From: header would ever be considered. Thus, bounce messages do not get signed, which according to my understanding of RFC 7489 they should for a correct DMARC alignment.

In fact, when _SENDER is empty, dk-filter seems to use /var/qmail/control/domainkeys/default if present. However, this also does not work as intended, because "d=" has an empty value then, and forwarded bounce messages from foreign domains will also get signed, which is obviously not desirable.

Am I holding it wrong, or is the documentation / code just incorrect?

Regards
Martin

Ah. I see what you meant by the following

"I don't get it: dk-filter states: "dk-filter uses the domain found in the Sender: header to set the domain tag. If not it uses the From: header."

But when I test it and also when reading its code, I find no evidence that the From: header would ever be considered. Thus, bounce messages do not get signed, which according to my understanding of RFC 7489 they should for a correct DMARC alignment."

For bounce messages, since the from/sender will be null, you can set the DKIMDOMAIN environment variable in the script which starts up qmail-send. DKIMDOMAIN also overrides anyting in the From: or Sender: header.

I am wrong about DKIMDOMAIN in my earlier reply. DKIMDOMAIN env variable doesn't override the From: or Sender: header value. It is used only if From and Sender are both null (like in case of bounce). Here is the code in dkimsign.cpp

if (sDomain.empty()) {
  p = getenv("DKIMDOMAIN");
  if (p && *p)
  { 
    if (!(at = strchr(p, '@')))
      at = p;
    else
      at++;
    sDomain.assign(at);
  } else
    sDomain.assign(sAddress.c_str() + pos + 1);
  RemoveSWSP(sDomain);
 }

dk-filter uses _SENDER, _RECIPIENT env variable which is set by spawn-filter. spawn-filter is a program that gets called by qmail-lspawn when QMAILLOCAL is set to /var/qmail/bin/spawn-filter for local deliveries. It also gets called by qmail-rspawn for remote deliveries when you set QMAILREMOTE env variable to /var/qmail/bin/spawn-filter. The spawn-filter then gathers all information like the sender and recipient. It then calls whatever program is defined by FILTERARGS env variable. The input to FILTERARGS is the original email and the output of the FILTERARGS is fed to qmail-local for local deliveries and qmail-remote for remote deliveries. The real workhorse for DKIM verfication and signing is not the dk-filter program. It is actually the binary /var/qmail/bin/dkim which does the actual work using the libdkim library.

Check out the man pages for spawn-filter, dkim, dk-filter, qmail-lspawn, qmail-rspawn to know more. My documentation may not be good and could use some help there (especially things that you find it wrong or do not understand).

If you set DKIMVERIFY env variable for qmail-send, then dk-filter will not do signing. Hence bounce messages will not get signed. But one can do the following - do DKIM verification for local deliveries and DKIM Signing for remote deliveries by having two entries in /var/qmail/control/filterargs

*:remote:env DKIMSIGN=/var/qmail/control/domainkeys/%/default /var/qmail/bin/dk-filter
*:local:env DKIMVERIFY=1 /var/qmail/bin/dk-filter

In my setup, I do DKIM verification during the SMTP transaction and DKIM signing during remote deliveries.

Maybe you could describle what you want to achieve with examples and I could work out a solution which will work for you

Hi Mandreva,

thanks for your answers!

What I am trying to achieve is that all outgoing e-mail which has our domain in its RFC5322.From address (and thus a corresponding /var/qmail/control/domainkeys/$domain/default key file exists) gets a DKIM signature, whereas other messages (e.g. those which came from remote and get forwarded to other remote addresses) are left untouched.

In /var/qmail/supervise/qmail-send/run I have:

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

In practice this works for "normal" messages, but only because their RFC5322.From is usually identical to their RFC5321.MailFrom address, and the latter is contained in the environment variable _SENDER when dk-filter gets invoked. For bounce messages however, the RFC5321.MailFrom address is empty, thus _SENDER is empty, which causes dk-filter to fall back to /var/qmail/control/domainkeys/default – but then, it cannot correctly distinguish between bounce messages generated by our system and foreign bounce messages which should only get forwarded, but not signed.

So, to cut it short, the IMHO correct solution would be to use the RFC5322.From address for choosing the key, either always or at least when the RFC5321.MailFrom is empty.

According to dk-filter(8), "dk-filter uses the domain found in the Sender: header to set the domain
tag. If not it uses the From: header." What is meant by "If not it uses the From: header"? I understand it as: If there is no sender, then it uses the From: header, that is the RFC5322.From (for choosing the signing key to use). But I cannot see that it would really do that. So either I misunderstand the documentation, or the documentation does not match the actual behaviour of dk-filter.

Or are you trying to explain that the _SENDER environment variable which dk-filter uses to select the key should already be set to the RFC5322.From by a component earlier in the call chain? If yes, which component would that be and how would one achieve this?

BTW, in the meantime I've patched dk-filter to do an appropriate lookup, so it works for me now. I just wonder if there is a better solution.

Yes. The _SENDER environment variable which dk-filter uses is already set by spawn-filter earlier in the call chain.

Howerver this is NULL for bounces, even though the RFC5322.From will be mailer-daemon@bounce_domain. The bounce_domain will be a value set by qmail-send from /var/qmail/control/me

Looks like I have understood your problem and that problem will be there for all users. There are two issues. The first issue isn't really the blocker. The blocker is the wrong key being used for signing by the dk-filter script when the _SENDER env variable is NULL.

1. the libdkim library uses the following logic

  if (!sReturnPath.empty())
    sAddress.assign(sReturnPath);
  else
  if (!sSender.empty())
    sAddress.assign(sSender);
  else
  if (!sFrom.empty())
    sAddress.assign(sFrom);
  else
   return false;

This implies that it uses the envelope from address first for signing the domain. This should be like this

  if (!sSender.empty())
   sAddress.assign(sSender);
  else
  if (!sFrom.empty())
    sAddress.assign(sFrom);
  else
  if (!sReturnPath.empty())
    sAddress.assign(sReturnPath);
  else
    return false;

2. The sender/from address comes from the _SENDER environment variable. This variable is set by spawn-filter program

The spawn-filter gets this from the command line arguments passed to qmail-local / qmail-remote by qmail-lspawn, qmail-rspawn respectively. For bounces, this will be NULL. The problem is that dk-filter falls back to using /var/qmail/control/domainkeys/default.

One way to solve this is to use /var/qmail/control/me as the signing domain for bounces as the bounce will be from MAILER-Daemon@. The other solution is to define your default DKIM key in dk-filter rather than using a hardcoded  var/qmail/control/domainkeys/default

I am contemplating at using an environment variable DEFAULT_DKIM_KEY which dk-filter will use in such cases. You can set DEFAULT_DKIM_KEY like this

 exec env - PATH="/var/qmail/bin:$PATH" \
  QMAILREMOTE=/var/qmail/bin/spawn-filter \
  FILTERARGS=/var/qmail/bin/dk-filter \
  DEFAULT_DKIM_KEY=/var/qmail/control/domainkeys/abcd.com \
  qmail-start "`cat /var/qmail/control/defaultdelivery`"

Howerver this is NULL for bounces, eventhough the RFC5233.From will be mailer-daemon@bounce_domain. The bounce_domain will be a value set by qmail-send from /var/qmail/control/me

Actually it's /var/qmail/control/bouncehost

Edit: but it has control/me as default

Hi

Finally I have all working, but I decided not to use "default" as "default" selector
I used domainkey to generate the key

# domainkey my_domain.com MYdkim

I have in usr/local/etc/domainkeys/my_domain.com

default -> /usr/local/etc/domainkeys/my_domain.com/rsa.private_MYdkim
rsa.private_MYdkim
rsa.public_MYdkim
selector

# cat /usr/local/etc/domainkeys/my_domain.com/selector
MYdkim

Inside the DNS I added a txt as folow

MYdkim._domainkey.my_domain.com. IN TXT "v=DKIM1; k=rsa; t=y; p=xxxxxxxxxx"

I'm using qmail-smtpd for signing outgoing messages
The messages are signed, but with the wrong "CNAME"

I sent an email to "auth-results@verifier.port25.com" and I have this answer

DKIM check details:
----------------------------------------------------------
Result: permerror (key "default._domainkey.mydomain.com" doesn't exist)

Any idea where is the error ?

strange... what happens if you verify your own message with gmail or even your own server?

Thank you for bringing this to my attention. I will work on this and provide a fix ASAP. Give me some time till weekend.

Hi

Finally I found a solution, not the best, but ...

Check then next post

https://notes.sagredo.eu/en/qmail-notes-185/configuring-dkim-for-qmail-92.html#comment1231

More tests
Now, with my domain
I made few changes to fit my configurations

I changed the location for domainkeys to other folder where I have all the configs
I made a ln -s for /usr/local/etc/domainkeys to the new domainkeys folder
I configured qmail-smtpd for signing outgoing messages

/var/qmail/supervise/qmail-smtpd/run

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/web/conf/domainkeys/%/default

I created a new domainkey for pablomurillo.com.ar with RNAdkim as "selector"

# ls -l /web/conf/domainkeys/pablomurillo.com.ar/
total 12
lrwxr-xr-x 1 vpopmail vchkpw 60 Feb 14 12:41 default -> /web/conf/domainkeys/pablomurillo.com.ar/rsa.private_RNAdkim
-rw------- 1 vpopmail vchkpw 887 Feb 14 12:41 rsa.private_RNAdkim
-rw------- 1 vpopmail vchkpw 272 Feb 14 12:41 rsa.public_RNAdkim
-rw------- 1 vpopmail vchkpw 8 Feb 14 12:41 selector

# cat /web/conf/domainkeys/pablomurillo.com.ar/selector
RNAdkim

Test to check-auth@verifier.port25.com

DKIM check details:

Result: permerror (key "default._domainkey.pablomurillo.com.ar" doesn't exist)
ID(s) verified:

Canonicalized Headers:
 message-id:<C39E4713200C4EC8801981F69B885FE3@killer1>'0D''0A'
 from:"Pablo'20'Murillo"'20'<info@pablomurillo.com.ar>'0D''0A'
 to:<check-auth@verifier.port25.com>'0D''0A'
 subject:test'0D''0A'
 date:Thu,'20'14'20'Feb'20'2019'20'12:52:18'20'-0300'0D''0A'
 mime-version:1.0'0D''0A'
 content-type:text/plain;'20'format=flowed;'20'charset="iso-8859-1";'20'reply-type=original'0D''0A'
 content-transfer-encoding:7bit'0D''0A'
 x-mailer:Microsoft'20'Outlook'20'Express'20'6.00.2900.5931'0D''0A'
 dkim-signature:v=1;'20'a=rsa-sha1;'20'c=relaxed/relaxed;'20'd=pablomurillo.com.ar;'20's=default;'20'x=1550764320;'20'h=Message-ID:'20'From:To:Subject:Date:MIME-Version:Content-Type:'20'Content-Transfer-Encoding:X-Mailer;'20'bh=2jmj7l5rSw0yVb/vlWAYkK/YB'20'wk=;'20'b=

Canonicalized Body:

DNS record(s):
 default._domainkey.pablomurillo.com.ar. TXT (NXDOMAIN)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

-------------------------------------------------------------------------------------------------------------------

Test to gmail:
-------------------------------------------------------------------------------------------------------------------

Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@pablomurillo.com.ar header.s=default header.b=uEm6qI0Z;
spf=pass (google.com: domain of info@pablomurillo.com.ar designates 190.224.160.64 as permitted sender) smtp.mailfrom=info@pablomurillo.com.ar
Received: (qmail 24866 invoked by uid 0); 14 Feb 2019 12:52:00 -0300
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
d=pablomurillo.com.ar; s=default; x=1550764320; h=Message-ID:
From:To:Subject:Date:MIME-Version:Content-Type:
Content-Transfer-Encoding:X-Mailer; bh=/edzoYuyn17WXm8KeqcX/R+kh
dQ=; b=uEm6qI0ZdhmeJ3mEdyjl62sLwHk23D9mpcD07AoNw39Hg8pXx+oBkL/sV
r8iTGVLz+irfaRXCDrfa57421fLrgGUgMaxkFjVvqqUii6UQVmXknCTwT9mlSAIV
feFvejzyC2Mz90vIdA4gESV/Bd6xYsdPb64yDseZ1ZMcHqqq1U=

If I use something different as default for selector don´t work

I checked DKIM on DNS with : https://dkimcore.org/tools/keycheck.html and it's OK

I think that qmail-dkim is not "reading" the selector file to make de DKIM signature

"DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
d=pablomurillo.com.ar; s=default; x=1550765686; h=Message-ID:"

"s=" is allways "default"

Hi,

file: /var/qmail/bin/dk-filter

modify #90 line:

dkselector=`basename $dkkeyfn`  => dkimselector=$(<"${dkimkeyfn/default/selector}")

and rebulid domainkeys

Sorry!

file: /var/qmail/bin/dk-filter

modify #124 line:

dkimselector=`basename $dkimkeyfn`  => dkimselector=$(<"${dkimkeyfn/default/selector}")

You don't need to rebuild domainkeys.

The result for gmail es a failure too

Authentication-Results: mx.google.com;
 dkim=temperror (no key for signature) header.i=@my_domain.com header.s=default header.b=Kf3SBDLh;

Received: (qmail 51868 invoked by uid 0); 14 Feb 2019 01:38:29 -0300
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=my_domain.com;
 s=default; x=1550723909; h=MIME-Version:Content-Type:Date:From:
 To:Subject:Message-ID:User-Agent; bh=Kxb4hoiPtpyfLSNHnDfG2he0CLo
 =; b=Kf3SBDLhRSnVuRb8tOJxpuTvbGO7/iX6Sl8zlNiSKbitvLQ+CUfPvc3K9Tr
 thoKI7qrGgLQAl/0/k8WEyqdSaZi+VanX852bYnnAqhrOilo396xZqHJghhI+oML
 mVZ9WgIjOhspY8X5NIStKcmy/Om+4+5JyoATS9BWjqbVVTco=

I created a new domainkey with "default" as selector, and everything works good

Authentication-Results: mx.google.com;
dkim=pass (test mode)

I wil made more test with more domains to see if the problem persist

So you want your selector to be MYdkim

This is what you should do. Remember that the selector is always taken from the basename of the file that the environment variable DKIMKEY is set to.

If the last component of the path is 'default', the selector will be default. If the last component is MYdkim, the selector will by MYdkim.

So your private key should be named MYdkim. i.e.

/web/conf/domainkeys/pablomurillo.com.ar/MYdkim

The file MYdkim can be a symbolic link too to the filename of your choice.

and your public key could be named anything as it is not used internally by qmail-dkim

/var/qmail/supervise/qmail-smtpd/run

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/web/conf/domainkeys/%/MYdkim

Hi

I'm doing that
After read a little I discovered the "problem"
Is not the best way if you need to use more than one "selectors"
The right solution is read the selector file , but my C is not as good as I like to do this

Ok, let me know. I'll do some tests when I find some time and eventually inform M.Bhangui

Finally !, I found the solution
I think, is not the best , but ...
The selector is taken from "DKIMKEY" , so I changed DKIMKEY in qmail-smptd/run to :
DKIMKEY=/web/conf/domainkeys/%/RNAdkim

Also, I changed the "ln -s" of "rsa.public_RNAdkim" from "default" to "RNAdkim"

Is a solution, not the right one for me, because if you plan to use different selectors, this will be a problem

I think that the right behavoir will be read the "selector" file, not use the "name" of the "symbolic link"

Great. 

Anyway, as you may have noticed, Manvendra Bhangui will take a look at this in the w/e https://notes.sagredo.eu/en/qmail-notes-185/configuring-dkim-for-qmail-92.html#comment1230

Yes, yes
Thanks

can you change script domainkey to usage 2048 keys ?

Hi,

1. modify domainkey file:

openssl genrsa -out $CONFIGDIR/$1/rsa.private_$SELECTOR 1024

to

openssl genrsa -out $CONFIGDIR/$1/rsa.private_$SELECTOR 2048

2. modify dk-filter file:

if [ $zopt -eq 0 ] ; then
    dkimopts="$dkimopts -z 1"
fi

to 

if [ $zopt -eq 0 ] ; then
    dkimopts="$dkimopts -z 2"
fi

or use DKIMSIGNOPTIONS option

3. rebuild domainkeys

4. settings dns

thank you

to have such a long dns record under bind I had to split the domainkey as follows

default._domainkey.mydomain.tld. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQZJmKV9pModJLj0fWPTYV8JTYkqp8Jb+nxSGmYjKvdDNgk26Uc7GYghF/lWxa8kXBxfbYmtr1vBUi2BIOK3ijIDntKqGJaljSyJSAh7SESbG6ob+45uF1V9gYMA4Lk1x/pMeExLR6f7qfKwoT"
"dRRw4BVs1aHy2iUZOJpHXD1hWG99AhbozhZVTgdCopqU3lFEYlpVQ/YdqiNmZpc04BVyOTG71VOCdm+MuCFpQYckWmxJIh8WFhaCDlIByE88uAupp+28538V9HSWIi3CIigQmD/OIQ/XwaXA7uO0VBEWw7+F1cAfvPdTTl/gal1EMg1FXdBq2ZVJVxHyZZs4H5KQIDAQAB")

so that each line doesn't exceed 256 chars lenght

I tested this sending a test mail to check-auth@verifier.port25.com and the verification was good. Unfortunately a test against gmail failed (verification failure) so I'm sticking with 1024 keys.

Any hint would be appreciated

Hi,

Gmail is no problem!

My dns:

20190420._domainkey.chcode.com. IN TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsDfmZGeRoC3QINDAeTm5P8YPgRPsBu/9puMaF6kUj7M47iJqmN8S6B60vvBCr0HOCqhiTnrq7hBdf+c3BjG8YKWcQMfFy6UqaBipm3crjwQ++4Vgg4t38T0SZ88" "FoI1AUw7RZYbixAE0DbSzZ Ur5cHUGwV/t5GnWekDvwadiEp1T87xZdBEU7XHELR+d0Wq7PbnQVdybWL+bqxpYsclbYacxtxSNCUlOC6vSdQBinJ6JCr/8o9xg00C/jNC+ZOdLBIi6AOIH+tBVPnos0DE1UVzZhK4iXALxTZAQ4cpBSqOJqACSMo6JGaWikb15ow/HQEXYC6gW/DCM8T1CQ1SlLQIDAQAB"

Hi,

How to Split DNS DKIM Records Properly.

http://hack.limbicmedia.ca/how-to-split-dns-dkim-records-properly/

I've followed this howto concerning the long dns splitting and I'm still unable to pass the gmail dkim test.

In addition, sending a test mail to check-auth@verifier.port25.com results in a wrong dns record interpretation (note the default._domainkey.mydomain.tld. IN TXT inside):

default._domainkey.mydomain.tld. 60 IN TXT "v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3default._domainkey.pacinotti.edu.it.INTXT5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB"

while my dkim record(s) is

default._domainkey.mydomain.tld. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3"
default._domainkey.mydomain.tld. IN TXT "5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB")

Note that check-auth@verifier.port25.com was not complaining when setting my dns like this

default._domainkey.mydomain.tld. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3"
"5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB")

On the contrary mxtoolbox.com tests are ok

Hi,

My case:

send mail to gmail: fail

after 10minutes: fail

after 30minutes: pass

after 1hour: pass

after 1day: pass

I think, you're dns is correct.

Great, gmail verification passed!

My dns is like this:

default._domainkey.mydomain.it. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3"
"5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB")

I'm signing at qmail-remote level adding DKIMSIGNOPTIONS="-z 2" in my /var/qmail/rc

#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
DKIMSIGNOPTIONS="-z 2" \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

At this point having a modified domainkey script file, which outputs a splitted dns record in case of 2048 key, from someone who have shell skills better than mine would be very much appreciated... :-)

upgraded. thanks

I restored the 1024 key, because my bind server was failing to load zones with such a long line. Any comment would be appreciated

you must separate long key with more than 255 charset " (quotation marks)

github

https://github.com/kotaroman/domainkey

thank you.

I tried to support the domainkey command for 2048bit.
TXT record for BIND is automatically set to 2 lines.

modified
https://acoustype.com/domainkey

original
https://notes.sagredo.eu/files/qmail/domainkey

thank you.

I published your modified script. Thanks again

I was very surprised.
Thank you very much.

Great contribution, very much appreciated. I'm going to make tests as soon as possible

Thank you Roberto for such a good and clear guide to DKIM and qmail.

I've made a little improvement that I want to share. I've made it to solve my need to sign messages sent by authenticated users, and to verify all non authenticated ones.

With the current code, it is not possible to achieve this. However with a little modification, it can be done pretty easily. I changed the behavior of RELAYCLIENT_NODKIMVERIFY (which IMHO is wrong at the moment, since it will skip verification, but also any eventual signing that may have been requested).

I've added a check for env variable RELAYCLIENT_NODKIM, which if present, will skip verification and signing step, going on directly with the next QUEUE command (like the current behavior).

Instead, if RELAYCLIENT_NODKIMVERIFY is present, it will void any DKIMVERIFY, and will go on with the code, allowing to sign a message if DKIMKEY is specified or a default domainkey is available for that domain (!DKIMSIGN && !DKIMVERIFY && RELAYCLIENT).

Pheww, too much words. The patch is simpler and easier to read, though ;) 

/etc/tcprules.d/tcp.smtp:

:allow,QMAILQUEUE="/var/qmail/bin/qmail-dkim",DKIMVERIFY="FGHKLMNOQRTVWjpu",DKIMKEY="/etc/domainkeys/%/private",RELAYCLIENT_NODKIMVERIFY="1"

Patch:

--- netqmail-1.06/qmail-dkim.c 2018-08-17 13:42:40.000000000 +0200
+++ netqmail-1.06.relaynoverify.patch/qmail-dkim.c 2018-08-17 13:44:11.000000000 +0200
@@ -1115,10 +1115,13 @@
 dkimsign = env_get("DKIMSIGN");
 dkimverify = env_get("DKIMVERIFY");
 p = (env_get("RELAYCLIENT") || env_get("AUTHINFO")) ? "" : 0;
- if (dkimverify && p && env_get("RELAYCLIENT_NODKIMVERIFY")) {
+ if (p && env_get("RELAYCLIENT_NODKIM")) {
 execv(*binqqargs, binqqargs);
 die(120, 0);
 }
+ if (dkimverify && p && env_get("RELAYCLIENT_NODKIMVERIFY")) {
+ dkimverify = 0;
+ }
 if (!dkimsign && !dkimverify && p) {
 if (!(dkimsign = env_get("DKIMKEY"))) {
 if (!stralloc_copys(&dkimfn, "domainkeys/%/default"))

Ciao!

Actually the logic behind the RELAYCLIENT_NODKIMVERIFY variable is to avoid that the outgoing messages will be verified as well

Ok, but the name _NODKIMVERIFY misleaded me to think that only the verification step was skipped.

This is what actually does... that variable is there to avoid that outgoing msg could be verified before getting the queue and be signed via qmail-remote

Great! Thank you

Hi,

I have in the file /var/qmail/supervise/qmail-smtpd/run

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/etc/domainkeys/my_domain/default

The dkim signature is present if I use outlook for example (relay) but is not present if I send a mail by a php script from the mail server.

Have I forgotten anything? Thank you for your help

regards

I have never tested this, as I usually run php in a server that is separated from qmail. As you know, the php mailer calls the sendmail program, which is an alias of /var/qmail/bin/sendmail. Perhaps the qmail's sendmail program injects the message directly via qmail-inject without opening a connection to qmail-smtpd on port 25 and without the call of any filter like qmail-dkim, but I admit that I didn't look at the code, so any other explaination would be welcome

Hi

I'm FreeBSD user, and I don't use netqmail, Is there a way to only implement DKIM patch and not all the others ?

Sorry Pablo, I can't get what you mean.. you say that you don't use netqmail but that is a patch for netqmail... 

I hope this isn't a stupid question.  I've got qmail signing outgoing email, but they're all using  rsa-sha1.  How can get it to use rsa-sha256?

As I suspected, it was a stupid question.  I checked out my version of openssl and it didn't have sha256 available.  The man page for openssl dgst recommended using SHA1, it was so old.   I'm currently building a newer version from source.

I've noticed that Sky UK is sending out legitimate emails including a dkim signature that does NOT include the subject:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=skymail.sky.com;
    s=20141008185601; t=1455627787; x=1471352587;
    bh=..........; h=From:Reply-To;

I don't think excluding the subject from the signature is against the spec, even if it is silly. It does, however, fail verification

I've added this option to qmail-dkim.c to relax this restriction:

        if (env_get("UNSIGNED_FROM"))
                vopts.nAllowUnsignedFromHeaders = 1;
        vopts.nSubjectRequired = 1;
        DKIMVerifyInit(&ctxt, &vopts);          /*- this is always successful */

This value ensures it will permit a signature that does not include the subject

It may be worth making this configurable (with an environment variable or a switch to DKIMVERIFY?)

Thank you. It is a simple fix. Will have the environment variable UNSIGNED_SUBJECt and let Robert know the url for the latest patch

Two New patch uploaded to https://sourceforge.net/projects/indimail/files/netqmail-addons/qmail-dkim-1.0/

One which includes spf + ipv6 + dkim

and one which has only dkim

Thank you Manvendra. I have updated my combined patch accordingly

I will ask Manvendra Bhangui to look at your comment. Thank you

Hi,

even if I installed the latest patch on my system I'm not able to receive password reset email from GitHub.

I created another account on GitHub using a Gmail account and on that account I receive the email correctly.

Can you help me to understand why on my server it is failing?

These are the DKIM headers i receive on Gmail account for the pasword reset email:

Received: from github-smtp2b-ext-cp1-prd.iad.github.net (github-smtp2-ext6.iad.github.net. [192.30.252.197])
        by mx.google.com with ESMTPS id 139si3247415ion.136.2017.03.24.09.52.24
        for <hunters14473@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 24 Mar 2017 09:52:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@github.com designates 192.30.252.197 as permitted sender) client-ip=192.30.252.197;
Authentication-Results: mx.google.com;
       dkim=pass (test mode) header.i=@github.com;
       spf=pass (google.com: domain of noreply@github.com designates 192.30.252.197 as permitted sender) smtp.mailfrom=noreply@github.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=github.com
Date: Fri, 24 Mar 2017 09:52:24 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1490374344;
bh=SMIcRquEv41jyIeUc9eCvSloLz6xCzCOEK8yKIKvhHg=;
h=From:To:Subject:From;
b=mFmuh44xku3V+DMvHmrjdar3DaXkqcbLvZG7FhGDmW5PTKbObbOfdf2lcstEMquq+
  5Jool/dRJERdbTCrhl9ovA2LRGr/5JtLgELbNviqXh/9Ciab4D1lDE+IDE+R3AQvRu
  BPz8JTvYVjEvouFf0ZovoaaS+MLzlja1Ehuxo5no=
From: GitHub <noreply@github.com>
To: hunters144732 <hunters14473@gmail.com>
Message-ID: <58d54ec84991a_2a2bf3ff8981afc2c88634@github-fe-54106a2.cp1-iad.github.net.mail>
Subject: [GitHub] Please reset your password

Thank you

Regards

Marcello

What is the value of your DKIMVERIFY envrionment variable?

In DKIMVERIFY have the letter 'j' included in lower case. Once you have the email in your system, you can test it by supplying the raw text on stdin to dkimtest.

Hi Manvendra,

if I disable the DKIM on the system the email is received perfectly.

If i pass the raw email to DKIM on the shell i get no output and the exit code is 53 .

If i make the same with a normal gmail email recevide from the server i get the the complete Email on the output with the DKIM-Status: good Header.

Have you any suggestion?

Thank you

Bye

Marcello

Hi,

I found the problem. It was a Baesyan filter on a FortiMail system in front of my server that was recognizing that email as SPAM and was altering the Subject. When the email reach my server with the Subject altered it fail the DKIM Check. Now without the Subject altered it works perfectly.

Thank you for your availability and sorry if i make you loose some time.

Bye

Marcello

Problem: Marcelo was receiving an email where the content of the email was changed (in particular the Subject header).

This caused qmail-dkim to issue the following error

J - DKIM_SIGNATURE_BAD_BUT_TESTING      - signature error: RSA verify failed but testing

The man page states that DKIMVERIFY should have the letter j for returning temporary error and the letter J for issuing permanent error.

It does not mention that if you omit the letter 'j' or the letter 'J', the email will successfully pass through the queue and get delivered.

So should I modify the qmail-dkim patch for this change in the man page. Most of the dkim verification error results because the message gets modified by some filter before qmail-dkim and you could potentially lose email, like Marcelo.

The troubleshooting test that Marcelo was doing also failed because DKIMVERIFY had the small letter 'j'. If he omits the leter 'j', he should get the output along with the DKIM-Status header. My view is that if you do not want to lose emails and you do not have the habit of looking at the logs for temporary errors, the letters 'j' or 'J' should be completely omitted from DKIMVERIFY

That's good news.

However I was surrprised when you were getting error code 53. Maybe you were piping the output to less or more.

if you use the following script as cat instead of /bin/cat then the troubleshooting always works

#!/bin/sh
exec 1>/dev/tty
exec /bin/cat

exit code 53 means that qmail-dkim was not able to write to either stdout or stderr. The function die_write() exits with 53. Is it possible to attach the raw email and send it to my private email address? I shoudl be able to debug. I hope there is nothing sensitive in the email.

it seems like you don't have the DKIM correctly configured. Did you perform all the tests suggested in this page? Which one eventually failed?

Please post your run file

I had the DKIM working for years and due to this error i was getting i made the update to your latest patch on today but the problem still persist.

I'm able to receive mail from gmail and other DKIM enabled servers but not this one. I was thinking the it can be related to the UNSIGNED_SUBJECT but i seems not to be this the issue.

Here my run file:

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

export SMTPAUTH="-"

export SMTPD_GREETDELAY=15
export DROP_PRE_GREET=1


export CHKUSER_START=ALWAYS

export SURBL=1 # Comment out to enable SURBL filtering
export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after sublfilter
export DKIMQUEUE=/var/qmail/bin/qmail-scanner-queue     # qmail-scanner-queue is executed after qmail-dkim
export DKIMVERIFY="FGHIKLMNOQRTUVWjp"

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ];
then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi

exec /usr/local/bin/softlimit -m 100000000 \
    /usr/local/bin/tcpserver -v -R -H -l "$LOCAL" -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0.0.0.0 smtp \
    /var/qmail/bin/qgreylistrbl.pl /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1

Thank you

Bye

You have the letter 'j' in DKIMVERIFY. So qmail-dkim will not exit with 100. Have QMAILQUEUE changed temporarily  to bypass qmail-dkim and check. If you still do not receive email then it could be something else. If you receive the qmail

export QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue

After making the above change, save the incoming email to /tmp/mail.txt and you can do the following to troubleshoot

cat mail.txt | env - \
DKIMVERIFY="FGHIKLMNOQRTUVWjp" \
DKIMQUEUE=/bin/cat \
/var/qmail/bin/qmail-dkim

I've been running with the patch for a few days. Here are some of the domains that seem to be sending these problem signature:

• @email.barclaycard.co.uk
• @b.e.disneyinteractive.com
• @m.email.sonyentertainmentnetwork.com
• @b.skymail.sky.com
• @emea.e.paypal.com

These emails are now being accepted and validated. It looks like a fairly new trend to exclude the subject from the list of headers. I guess paypal is probably the most serious on the list

Hi,

I found that apple.com, for example, use DNS long records that are splitted in TXT chunks. You can try it doing "dig -t txt mailout2048s._domainkey.apple.com" . My qmail-dkim is failing to check this DKIM signature (google.com is working instead).

Is it possible that qmail-dkim module have problems dealing with this kind of DNS records?

I hope Manvendra Bhangui or someone else can address on this issue.

Thank you

Regards,

Marcello

qmail-dkim does not have an issue with assembling long text records. e.g.

$ dig -t txt insideapple2048._domainkey.insideapple.apple.com

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-11.P1.fc21 <<>> -t txt insideapple2048._domainkey.insideapple.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49080
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;insideapple2048._domainkey.insideapple.apple.com. IN TXT

;; ANSWER SECTION:
insideapple2048._domainkey.insideapple.apple.com. 8034 IN TXT "v=DKIM1\;" "k=rsa\;" "h=sha1\;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoo2sqljdU766Eq9AqRGm" "aGd2YN784ATBBikYAhl9VxY8Ji3xMU4DAyD3QSZGvKpk5qOIG+1GBWxKVRk3jlvp" "TuaAQuGdKPkcgvRTeb31BzAltWwGvtzsLxiLQGUPFzbv81XomOWemC9QCIYWcddr" "v9CD7PDV1K8sV2BTrfIe9iKspcjia1D9wLgzYg1OU99202DHhRTcE6PucxUtXDgh" "za3pu4FTddllhMJ5eeGCk4z2ctZFCe1SRMtRbaLpDV3yET2icAjTV4w8xhEFuC64" "K0auCaYVWS1rldfV4+jt2A/9RmB7jho2H31XbDm9JqCflMKfoQeHCNQwwJGCRxzq" "eQIDAQAB"

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Dec 13 09:24:37 IST 2015
;; MSG SIZE  rcvd: 503

The same result from indimail's dnstxt program (qmail-dkim uses the same function)

$ dnstxt insideapple2048._domainkey.insideapple.apple.com

v=DKIM1;k=rsa;h=sha1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoo2sqljdU766Eq9AqRGmaGd2YN784ATBBikYAhl9VxY8Ji3xMU4DAyD3QSZGvKpk5qOIG+1GBWxKVRk3jlvpTuaAQuGdKPkcgvRTeb31BzAltWwGvtzsLxiLQGUPFzbv81XomOWemC9QCIYWcddrv9CD7PDV1K8sV2BTrfIe9iKspcjia1D9wLgzYg1OU99202DHhRTcE6PucxUtXDghza3pu4FTddllhMJ5eeGCk4z2ctZFCe1SRMtRbaLpDV3yET2icAjTV4w8xhEFuC64K0auCaYVWS1rldfV4+jt2A/9RmB7jho2H31XbDm9JqCflMKfoQeHCNQwwJGCRxzqeQIDAQAB
record length 415

Also all emails from apple.com seems to be getting verified. You can send me a raw text of any one email that is not getting verified so that I can investigate. 

Hi Manvendra,

yes I can send raw text email to you but prefer to do it in a PM.

Can you send me you email or let Roberto to give it to me?

Thank you,

Regards,

Bye

Marcello

I have debugged the issue with help of the raw email. There were two issues. The first issue is verifiying if the signature has expired. This is done by using t= and x= tags. Unfortunately, one of the funtions is using an integer variable to compare the timestamps and due to this, the signature is shown as expired. This issue was easy to fix and I have made the changes

The second problem is X-Brightmail-Tracker header inserted below the DKIM-Signature. This causes the signature not to verify. After removing the X-Brightmail-Tracker, I am able to verify the signature as good. This issue can be solved by ignoring headers not present in the h= tag. However, since this part of the code is from ALT-N technologies, I might take some time to add some code to skip such headers. I will get back as soon as possible with a fix. If I cannot find a way to fix this, I can always put a wrapper before calling qmail-dkim to skip headers not present in the h= tag.

Thanks for pointing this out. WIll investigate this during the weekend and come up with a fix in case there is a bug.

Dear Roberto,

I had just recieved an error "qmail-dkim: signature error: permanent dns failure requesting selector (#5.7.0)" from a remote domain. That domain does not publish any domainkey. My configure is like so

export DKIMVERIFY="FGHIKLMNOQRTVWjpu"

Any idea where i should start to look?

Thanks
nic

Nic, the answer is in the qmail-dkim man page.. you have to relax the filter if you don't want to reject those kind of msg. The Q letter should be lowercase, but I'm not sure that doing so is a good idea..

Hi Roberto,

I remembered when i was still using Bill's toaster, i have a log of wrong password logins. Is this log available in your version?

It was in /var/log/maillog in Bill's version.

Thanks

nic

yes it is /var/log/maillog

Many thanks =)

Hi

I have some questions

Do you know any solution or patch to add Authentication-Results header for dkim and spf to your combind patch?

how can I sign and verify my local mails?

when I set QMAILLOCAL and set the proper permission to private key and public key, I can sucssesfuly sign local mails but I can not verify that mails and it has DKIM-Status: no signatures ( I comment "export RELAYCLIENT_NODKIMVERIFY=1" to verify local mails ).

Thanks

Behnam

I don't know of any patch to write dkim and/or spf results into that field, but you can see their response in "DKIM-status" and "Received-SPF" respectively.

even with set QMAILLOCAL to /var/qmail/bin/spawn-filter   in /var/qmail/rc , I can not sign local mails.

and if I set QMAILQUEUE=/var/qmail/bin/qmail-dkim I received "qq temporary problem (#4.3.0)" when sending local mails.

/var/qmail/rc :

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter  \
QMAILLOCAL=/var/qmail/bin/spawn-filter  \
DKIMKEY=/usr/local/etc/domainkeys/%/default \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

qmail-smtpd/run

...
export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMVERIFY="FGHKLMNOQRTVWjpu"
#export RELAYCLIENT_NODKIMVERIFY=1
...

/var/qmail/control/defaultdelivery

| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

Had the same problem here today, and it was a permission issue. In our case, /var/qmail/control/cache was incorrectly configured. Fixed it with:

chown vpopmail:vchkpw /var/qmail/control/cache

It sounds simple, but it took me several hours to fix this as I was thinking that it was a DKIM configuration/permission issue.

This should have already been done by the time you installed my patch....

It's strange... your config seems to be correct, but there's no need of declaring QMAILLOCAL to have local mails signed.

Have you done the tests suggested toward the bottom of this page? If yes you should try to debug with strace

Thanks for your reply :-)

I found the problem was permission of private key that root user ( owner of qmail-lspawn ) can not read that file.

now my local mails is somethins like this :

 ( when DKIMVERIFY="FGHKLMNOQRTVWjpu" is set )

Return-Path: <behnam@example.com>
Delivered-To: example.com-postmaster@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com;
        s=default; h=DKIM-Status:MIME-Version:Content-Type:
        Content-Transfer-Encoding:Date:From:To:Subject:Message-ID:
        User-Agent; bh=SSDFuMUWjUihK52L1yEyQKqsfM=; b=JkjuEmSVhW6IBTj2W
        DkVA+sKtbrFaasdSEO2yLsVEisCZ01KL3I5kQmypl06is6F42bQ+64d+vlNxdwSb
        eg7AH6yoVWO+h57F6iBKKDSJIEKSLAOWKSOras5Mlqvy9zDVECzvzZUlotSd7PfF
        ctDc9PGdO4EEm4WehmZNsSVRPw=
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
  s=default; d=example.com;
  b=XVH2sA9Tj1TQY6is9i4e7NpHNyjYcuKhaJ58Hl2O5UHUPX9yqVq62RailJgCgZVWEIeAX1M2TPT/b2CKqqTGJjQEOQwr8TC7HJKDxQYUEWgNe4jiu6lvU7o9se8HcOT5XbnSKFgMqXwfwIOQNoitt+SqKtlGHFpy9PIk3UvoffY=;
Received: (qmail 50945 invoked by uid 89); 26 Dec 2014 15:00:23 +0000
Received: by simscan 1.4.0 ppid: 50912, pid: 50916, t: 3.7977s
         scanners: attach: 1.4.0 clamav: 0.98.5/m:55/d:19840 spam: 3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=4.5 tests=ALL_TRUSTED,AWL,
        TVD_SPACE_RATIO autolearn=ham autolearn_force=no version=3.4.0
DKIM-Status: no signatures
Received: from unknown (HELO mail.example.com) (behnam@example.com)

 ( when DKIMVERIFY="FGHKLMNOQRTVWjpu" is not set )

Return-Path: <example@example.com>
Delivered-To: example.com-postmaster@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com;
        s=default; h=MIME-Version:Content-Type:Content-Transfer-Encoding:
        Date:From:To:Subject:Message-ID:User-Agent; bh=+Y1O6gkU5mqhqyI0b
        Y/c1ISV2qA=; b=psfLDKIRmdkdlW<fkespHN/srbgZuUXSOb8l0wI2zgpWsj1SZ
        ewrk3r3KJDIEMF3K/2xCfRnpJGCxVJuyiLehLXwrEWZ/Rc2h4enbtP6qOp4gGOt/
        zR/x5kuURD9zq8EUFa94igRHJigKxjkUn2/M3eVR26wn0CJ+HnVd+UAFZQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
  s=default; d=example.com;
  nVoQP2iXnFn1yNbbNn/dyWSqoCCF/UlaoimqzTrKi6/RCKSImskeowk83ukwjsuje83jswoqke8w839skwikbfVcDucbnpf5DFZHp7eZRGQEzwXBsNOg=;
Received: (qmail 49537 invoked by uid 89); 26 Dec 2014 14:55:12 +0000
Received: by simscan 1.4.0 ppid: 49511, pid: 49515, t: 22.2933s
         scanners: attach: 1.4.0 clamav: 0.98.5/m:55/d:19840 spam: 3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=4.5 tests=ALL_TRUSTED,AWL,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU autolearn=ham autolearn_force=no version=3.4.0
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com;
        s=default; x=1420197890; h=MIME-Version:Content-Type:
        Content-Transfer-Encoding:Date:From:To:Subject:Message-ID:
        User-Agent; bh=+Y1O6gkU5mqhqyI0bY/c1ISV2qA=; b=Cm4zaswMi5MPTBgr8
        SKIEMSnhsmdkwKDjUKDjKSJDKiPKAKWiJSUEKSMAhNAQQBMXikssoaMKS4zas3wd
        M8Lupl4uNZTGe17U8WP8xLm9BEpjUfhJ4kQ1aCiehbKl3+zo+h04cfc4AEpDn1gs
        avWNu9ZYlUKRW4kyPp8f+yR6yA=
Received: from unknown (HELO mail.example.com) (behnam@example.com)
  by 0 with ESMTPA; 26 Dec 2014 14:54:50 +0000

and I hadn't any DKIM-Status in the second mail 

can you post your smtpd run file, or at least confirm that DKIMVERIFY and DKIMSIGN are NOT both defined there?

sorry, I see now that the verification is done, but for an unknown reason the sign is not matched into the message...

The DKIM verification inside the X-Spam-Status field has nothing to do with the qmail patch, as it's written by spamassassin. So you have to declare DKIMVERIFY

Hello,

after using your guide to install simscan i am a little bit confused about the config of the qmail-smtpd/run and qmail-submission/run scripts. Before Simscan installation you wrote in the DKIM tutorial:

Insert the two following environment variables in your /var/qmail/supervise/qmail-smtpd/run script:

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMVERIFY="FGHKLMNOQRTVWjpu"

In the description Making qmail-dkim and simscan live together you wrote:

You have to modify like this your /var/qmail/supervise/qmail-smtpd/run script (and /var/qmail/supervise/qmail-submission/run as well)

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default
export DKIMQUEUE=/var/qmail/bin/simscan

The question is, why i have to add in the simscan configuration the parameter export DKIMKEY=/usr/local/etc/domainkeys/%/default. I thougt this was covered with the /var/qmail/rc script. Maybe i miss something in my understanding of the how the things work together.

And another question: The export parameters in the qmail-submission/run script should match with all the Export settings in the qmail-submission/run script?

Thanks for helping.
cheers

Hi Marc, thanks for your contribution.

You can do in both ways. That was the old method, when the signing had to be done at qmail-smtpd level with all the variables declared in the qmail-smtpd run file. But now I'm signing at qmail-remote level, so the variables have to be declared in the rc file.

I'm going to correct this. Thank you

Hi Roberto,

You should probably make all examples consistent with the default key locations.

In your /var/qmail/rc example script, you have:

DKIMSIGN=/var/qmail/control/domainkeys/%/default

But this should instead be:

DKIMKEY=/usr/local/etc/domainkeys/%/default

Same with the Signing test example.

Or as an alternative, point out to the reader that the keys are generated in one path but the script examples assume they have been copied to another path.

I think this is probably what went wrong for the reader who couldn't get his signing to work.

Regards

/ Otto

Hi Otto, thanks for your contribution.

Corrected. Of course it was a not wanted error and there will surely be other :)

Hi,

I have the following error and would need to receive these e mails.

Jun  5 18:07:09 mail spamdyke[10900]: DENIED_OTHER from: XXXX@undelivered.ovh.net to: ME_MAIL origin_ip: 178.32.228.195 origin_rdns: mo195.mail-out.ovh.net auth: (unknown) encryption: (none) reason: 554_qmail-dkim:_signature_error:_permanent_dns_failure_requesting_selector_(#5.7.0)

Is there any way to include a whitelist domains?

Thanksss :)

unfortunately there's no whitelist functionality in the dkim program. The error suggests a permanent dns error

found the solution to the problem, was an issue with the ticketing system

please discard previous comment

thanks

Hello,

First let me thank you for the excellent write up on the qmail installation guide.

I am having a problem where sending mail to only certain users on my mail server are being rejected with the following error:

451 qmail-dkim: DKIMContext structure invalid for this operation (#4.3.0)

The mails are being sent from a ticketing system and the problem started to occur recently.

Regards,

ss

Hi Roberto,
 
I am getting alot of the errors below. Seems like the receiving mail server cannot verify the DKIM of the incoming email. Is it right to say that? What can i do to allow this coming email?

 message delayed (qmail-dkim: DKIMContext structure invalid for this operation (#4.3.0)): investigations@FBI.GOV from 194.50.9.6
 
 Thanks
 nic

what do you have in your DKIMVERIFY?

export DKIMVERIFY="DEGIJKfh"

I don't know exactly what is causing the error and I'm not sure that it's a regular rejection.

To make tests we need a raw message like that, but in this case you should temporarily disable the verification. Send me it in private if you like

I had tried to use verifier-feedback@port25.com to check, it came with a neutral result.

DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)

In my named.conf i had also added the TXT record

default._domainkey.domain.com. IN TXT "v=DKIM1\; k=rsa\; t=y\; o=-; p=MIGfMA0GCSqG..........................."

dig default._domainkey.domain.com TXT
default._domainkey.domain.com. 86400 IN TXT "v=DKIM1\; k=rsa\; t=y\; o=-\; p=MIGfMA0GCSqG..........................."

My run file i have

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMQUEUE=/var/qmail/bin/simscan
export DKIMKEY=/var/qmail/control/domainkeys/%/default
export DKIMVERIFY="DEGIJKfh"

In /var/qmail/control/domainkeys/domain.com folder i have

default -> /var/qmail/control/domainkeys/domain.com/rsa.private_default
rsa.private_default
rsa.public_default
selector

Am I missing out anything?

Thanks
Nic

Nick, the config seems ok. Did you remember to set the variable RELAYCLIENT in your tcp.smtp?

Thanks for your reply.

I have

127.:allow,RELAYCLIENT=""
:allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/qmail-dkim"

regards
nic

Apparently your config is ok.. are you sure that your loopback IP is working? Try to assing RELAYCLIENT to your LAN and to your public IP as well.

In addition, but that's not so important, you have already exported QMAILQUEUE in your run file, so declaring it in the last line is redundant.

Many thanks again.

This box has only a public IP.

Do i replace 127 with my public IP to do testing?
127.:allow,RELAYCLIENT=""

I had also removed QMAILQUEUE

No, just to add add one more line like this:

127.:allow,RELAYCLIENT=""
123.456.789.123:allow,RELAYCLIENT="" (LAN Address)
11.11.11.11:allow,RELAYCLIENT="" (public IP)
:allow ...................... (others)

This will work in case  your loopback is not working (just a guess)

Thanks roberto.

I had done what you had sugguested. But it is still not working

Thanks
nic

What the tests from the command line say? Did you check the priviledges of the domain key? I everything is ok I would try to debug with strace. That will show everything

Hi,

The tests are identical to your tutorial.

/var/qmail/bin/qmail-dkim < /tmp/testmail.txt
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
        d=domain.com; s=default; x=1373469291; h=To:From:Subject;
        bh=WwQSWknnZ1oltdz9LF0JNbJjHdQ=; b=yg0/TKU/xOJ1lmmLZ1NU538rIH/Ri
        Zbyv4h41Vpa8dQhR7YL28uEpl0egvzGBsUL4FnI0QkK1KgXiaaNRdfb0YKCwbk2C
        PcH0rMWZHyG5a4eFeIsLsOguUGefQLs5iiw5zwk63w8uU8muudJMeoB8LC5NHQQL
        Rd+6M03M2cghl8=
To: postmaster@domain.com
From: postmaster@domain.com
Subject: Test Message

/var/qmail/bin/qmail-dkim < /tmp/testmail.txt
DKIM-Status: no signatures
To: postmaster@domain.com
From: postmaster@domain.com
Subject: Test Message

ls -la /var/qmail/control/
drwx------  3 vpopmail vchkpw 4096 May 10 14:46 domainkeys

How do i use strace to debug?

Thanks
nic

Tests from the command line are ok. It must be a tcp.smtp/QMAILQUEUE issue..

You can save the strace log in this way:

strace -Ff -o /tmp/test.log -p <pid_of_tcpserver>

But do not post the log as a comment, because it will be very long. Feel free to contact me in private instead

Thanks.

Am i right to strace /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb ?

regards

nic

No, simply the process id of qmai-smtpd

Hi

I had strace pid 994 which is running the process  "supervise qmail-smtpd"
I tried sending out an email to gmail. Received the email but nothing is logged.

994   restart_syscall(<... resuming interrupted call ...> <unfinished ...>

Many thanks again
nic

Actually you have to strace the tcpserver process_id which belongs to qmail-smtpd..

Ok.

Nothing is logged. Send out a few mails to gmail account and the log shows

27792 accept(3,

regards
nic

18008 ?        S      0:00  |   \_ supervise qmail-smtpd                                                                                                                                      
26888 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /usr/local/bin/rblsmtpd -w 30 -r zen.spamhaus.org -r b

root@qmail:/# strace -Ff -o /tmp/test.log -p 26888

Also remember that you have to wait for the greetdelay, so don't stop strace immediately..

Nothing at all.. Weird. Outgoing is not stracable? But incoming does. I had send out 5 test mails to gmail and make sure they are delivered before stopping the strace.

19151 ?        S      0:00 /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 smtp /usr/local/bin/rblsmtpd -t 300 -b -r psbl.surriel.com /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true

The log reads 19151 accept(3,

regards

you have a 300s timeout in the rblsmtpd..