Configuring DKIM for qmail

DKIMVERIFY documentation

Gabriel Torres June 6, 2020 01:22

The letters present in the DKIMVERIFY variable indicate which tests must be considered to reject an email, as follows:

A - DKIM_SUCCESS - Function executed successfully
B - DKIM_FINISHED_BODY - process result: no more message body is needed
C - DKIM_PARTIAL_SUCCESS - verify result: at least one but not all signatures verified
D - DKIM_NEUTRAL - verify result: no signatures verified but message is not suspicious
E - DKIM_SUCCESS_BUT_EXTRA - signature result: signature verified but it did not include all of the body
F - DKIM_3PS_SIGNATURE - 3rd-party signature
G - DKIM_FAIL - Function failed to execute
H - DKIM_BAD_SYNTAX - signature error: DKIM-Signature could not parse or has bad tags/values
I - DKIM_SIGNATURE_BAD - signature error: RSA verify failed
J - DKIM_SIGNATURE_BAD_BUT_TESTING - signature error: RSA verify failed but testing
K - DKIM_SIGNATURE_EXPIRED - signature error: x= is old
L - DKIM_SELECTOR_INVALID - signature error: selector doesn't parse or contains invalid values
M - DKIM_SELECTOR_GRANULARITY_MISMATCH - signature error: selector g= doesn't match i=
N - DKIM_SELECTOR_KEY_REVOKED - signature error: selector p= empty
O - DKIM_SELECTOR_DOMAIN_NAME_TOO_LONG - signature error: selector domain name too long to request
P - DKIM_SELECTOR_DNS_TEMP_FAILURE - signature error: temporary dns failure requesting selector
Q - DKIM_SELECTOR_DNS_PERM_FAILURE - signature error: permanent dns failure requesting selector
R - DKIM_SELECTOR_PUBLIC_KEY_INVALID - signature error: selector p= value invalid or wrong format
S - DKIM_NO_SIGNATURES - no signatures
T - DKIM_NO_VALID_SIGNATURES - no valid signatures
U - DKIM_BODY_HASH_MISMATCH - sigature verify error: message body does not hash to bh value
V - DKIM_SELECTOR_ALGORITHM_MISMATCH - signature error: selector h= doesn't match signature a=
W - DKIM_STAT_INCOMPAT - signature error: incompatible v=
X - DKIM_UNSIGNED_FROM - signature error: not all message's From headers in signature

For example, if you want to permanently reject messages that have a signature that is expired, include the letter 'K' in the DKIMVERIFY environment variable.

A conservative set of letters is FGHIKLMNOQRTUVWjp. Reject permanently 3PS, FAILURE, SYNTAX, SIGNATURE_BAD, SIGNATURE_EXPIRED, SELECTOR_INVALID, GRANULARITY_MISMATCH, SELECTOR_KEY_REVOKED, DOMAIN_NAME_TOO_LONG, SELECTOR_PUBLIC_KEY_INVALID, NO_VALID_SIGNATURES and BODY_HASH_MISMATCH errors, and temporarily SIGNATURE_BAD_BUT_TESTING and DNS_TEMP_FAILURE.

Add in S if you want to reject messages that do not have a DKIM signature. You can use the control files signaturedomains and nosignature domains (See Below) to further fine tune the action to be taken when a mail arrives with no DKIM signature. Note that qmail-dkim always inserts the DKIM-Status header, so that messages can be rejected later at delivery time, or in the mail reader. In that case you may set DKIMVERIFY to an empty string. If you want to check all message's From header in signature set the UNSIGNED_FROM environment variable to an empty string. If you want to check messages without signed subject header, set UNSIGNED_SUBJECT environment variable. If you want to honor body lengh tag (l=), set HONOR_BODYLENGTHTAG environment variable.

Reply | Permalink

DKIMVERIFY documentation

Roberto Puzzanghera Gabriel Torres June 6, 2020 09:54

man qmail-dkim for latest documentation on the purpose

Reply | Permalink

djbdns and DKIM recorder builder

Marco Varanda February 23, 2020 13:22

Hello again Roberto,

Google is my friend !
;-)

I found Recorder Builder for djbdns https://andersbrownworth.com/projects/sysadmin/djbdnsRecordBuilder/

We can give djbdns sintax for DKIM

Marco Varanda

(Brazil)

Reply | Permalink

SPF, DKIM and DMARC

Christian October 28, 2019 08:25

I would really recommend to set up the full stack: SPF, DKIM, and DMARC. No one should send emails without having this configuration ready. The mentions tools in the article to verify DKIM are great, but for this purpose, I use another free tool from https://www.emailchecky.com/en/ because it has more features and also offers a very handy all-in-one analysis for emails.

Reply | Permalink

SPF, DKIM and DMARC

Roberto Puzzanghera Christian October 28, 2019 10:09

These topics are all covered here, DMARC is presented in the spamassassin section, SPF is inside the Configuring page.

If I understand the scarse documentation of the page you suggest, this tool seems just like an external tool where to redirect private msg and personal data in order to validate the email. Not a  good idea.

Reply | Permalink

DMARC

Iulian August 12, 2019 11:24

Hello,

I know this topic is reserved for DKIM but do you intend to write something about DMARC as well?

Did you found any posibility to implement DMARC? Apparently there is something possible with qpsmtp and opendmarc , a plugin support in spamassassin(i find it in a very incipent way) or implemented via spamassassin AskDNS like it's presented on my blog.

Do you have any other ideeas?

Reply | Permalink

DMARC

Roberto Puzzanghera Iulian September 18, 2019 17:05

Finally I added a page on DMARC with AskDNS here. Thanks for your contribution

Reply | Permalink

DMARC

Martin Iulian August 12, 2019 22:57

Hi Iulian,

I implemented a DMARC filter for incoming mails; maybe it's of use to you: https://github.com/fany/App-Qmail-DMARC

Regards
Martin

Reply | Permalink

DMARC

Roberto Puzzanghera Iulian August 12, 2019 17:24

I don't have plans to write anything concerning DMARC filters, as I'm not familiar with them yet.

Anyway I would not consider qpsmtp as a good option, since I don't like the idea of completely replace my qmail-smtpd. I would play with a spamassassin plugin like the one that you suggest in your blog, when I'll have the time

Reply | Permalink

PID Process with DKIM + Simscan

Carlos Garcia June 28, 2019 10:32

Hello,

I've noticed that when chaining dkim with simscan the pid of the process changes in simscan.

QMAILQUEUE="/var/qmail/bin/surblqueue",SURBLQUEUE="/var/qmail/bin/qmail-dkim",DKIMQUEUE="/var/qmail/bin/simscan"

This is bad when it comes to processing the logs

2019-06-24 16:23:35.203214500 tcpserver: pid 2639 from 192.168.200.164 - Procedencia:
2019-06-24 16:23:35.203215500 tcpserver: ok 2639 desmx1.mydomain.com:192.168.200.165:25 :192.168.200.164::38536
2019-06-24 16:23:35.205136500 qmail-smtpd 2639: connection from 192.168.200.164 (unknown) to desmx1.mydomain.com
2019-06-24 16:23:35.205137500 qmail-smtpd 2639: enabled options: max msg size: 25000000 starttls relayclient sanitycheck sendercheck qmailqueue /var/qmail/bin/simscan
2019-06-24 16:23:35.206499500 qmail-smtpd 2639: remote ehlo: friend.mydomain.com
2019-06-24 16:23:35.207420500 qmail-smtpd 2639: mail from: me@test.mydomain.com
2019-06-24 16:23:35.207420500 qmail-smtpd 2639: sender verify, sender not in goodmailaddr
2019-06-24 16:23:35.207421500 qmail-smtpd 2639: sender verify, sender is local
2019-06-24 16:23:35.215157500 qmail-smtpd 2639: sender verify OK
2019-06-24 16:23:35.216389500 qmail-smtpd 2639: rcpt to: someaccount@gmail.com
2019-06-24 16:23:35.218563500 qmail-smtpd 2639: go ahead
2019-06-24 16:23:35.220986500 simscan:[2642]: calling clamdscan
2019-06-24 16:23:35.232338500 simscan:[2642]: normal clamdscan return code: 0
2019-06-24 16:23:35.232340500 simscan:[2642]: calling /home/vmail/spam/Mail-SpamAssassin/bin/spamc -d localhost -p 10783 -u simscan@test.mydomain.com -c -s 5000000
2019-06-24 16:23:35.359233500 simscan:[2642]:Mensaje en Salida ==> NO SPAM: [0.000000,8.000000]
2019-06-24 16:23:35.359235500 simscan:[2642]:CLEAN (0.00/8.00):0.1407s::192.168.200.164:me@test.mydomain.com:someaccount@gmail.com
2019-06-24 16:23:35.366057500 simscan:[2642]: qmail-queue exited 0
2019-06-24 16:23:35.366342500 qmail-smtpd 2639: message queued: 1561386215 qp 2641 size 287 bytes
2019-06-24 16:23:35.366890500 qmail-smtpd 2639: quit, closing connection
2019-06-24 16:23:35.367126500 tcpserver: end 2639 status 0

Any ideas?

Regards

Reply | Permalink

PID Process with DKIM + Simscan

Roberto Puzzanghera Carlos Garcia June 28, 2019 18:02

This is because simscan goes in a sub-process. the simscan pid is bounded to its parent ppid in the email header, for example

Received: (simscan 1.4.0 ppid 8424 pid 8429 t 0.1287s) (scanners:

Reply | Permalink

dk-filter: choosing the signing domain

Martin Sluka June 23, 2019 19:33

I don't get it: dk-filter states: "dk-filter uses the domain found in the Sender: header to set the domain tag. If not it uses the From: header."

But when I test it and also when reading its code, I find no evidence that the From: header would ever be considered. Thus, bounce messages do not get signed, which according to my understanding of RFC 7489 they should for a correct DMARC alignment.

In fact, when _SENDER is empty, dk-filter seems to use /var/qmail/control/domainkeys/default if present. However, this also does not work as intended, because "d=" has en empty value then, and forwarded bounce messages from foreign domains will also get signed, which is obviously not desirable.

Am I holding it wrong, or is the documentation / code just incorrect?

Regards
Martin

Reply | Permalink

dk-filter: choosing the signing domain

Manvendra Bhangui Martin Sluka June 24, 2019 15:54

Ah. I see what you meant by the following

"I don't get it: dk-filter states: "dk-filter uses the domain found in the Sender: header to set the domain tag. If not it uses the From: header."

But when I test it and also when reading its code, I find no evidence that the From: header would ever be considered. Thus, bounce messages do not get signed, which according to my understanding of RFC 7489 they should for a correct DMARC alignment."

For bounce messages, since the from/sender will be null, you can set the DKIMDOMAIN environment variable in the script which starts up qmail-send. DKIMDOMAIN also overrides anyting in the From: or Sender: header.

Reply | Permalink

dk-filter: choosing the signing domain

Manvendra Bhangui Manvendra Bhangui June 24, 2019 16:05

I am wrong about DKIMDOMAIN in my earlier reply. DKIMDOMAIN env variable doesn't override the From: or Sender: header value. It is used only if From and Sender are both null (like in case of bounce). Here is the code in dkimsign.cpp

if (sDomain.empty()) {
  p = getenv("DKIMDOMAIN");
  if (p && *p)
  { 
    if (!(at = strchr(p, '@')))
      at = p;
    else
      at++;
    sDomain.assign(at);
  } else
    sDomain.assign(sAddress.c_str() + pos + 1);
  RemoveSWSP(sDomain);
 }

Reply | Permalink

dk-filter: choosing the signing domain

Manvendra Bhangui Martin Sluka June 24, 2019 12:41

dk-filter uses _SENDER, _RECIPIENT env variable which is set by spawn-filter. spawn-filter is a program that gets called by qmail-lspawn when QMAILLOCAL is set to /var/qmail/bin/spawn-filter for local deliveries. It also gets called by qmail-rspawn for remote deliveries when you set QMAILREMOTE env variable to /var/qmail/bin/spawn-filter. the spawn-filter than gathers all information like the sender and recipient. It then calls whatever program is defined by FILTERARGS env variable. The input to FILTERARGS is the original email and the output of the FILTERARGS is fed to qmail-local for local deliveries and qmail-remote for remote deliveries. The real workhorse for DKIM verfication and signing is not the dk-filter program. It is actually the binary /var/qmail/bin/dkim which does the actual work using the libdkim library.

Check out the man pages for spawn-filter, dkim, dk-filter, qmail-lspawn, qmail-rspawn to know more. My documenation may not be good and could use some help there (especially things that you find it wrong or do not understand).

If you set DKIMVERIFY env variable for qmail-send, then dk-filter will not do signing. Hence bounce messages will not get signed. But one can do the following - do DKIM verification for local deliveries and DKIM Signing for remote deliveries by having two entires in /var/qmail/control/filterargs

*:remote:env DKIMSIGN=/var/qmail/control/domainkeys/%/default /var/qmail/bin/dk-filter
*:local:env DKIMVERIFY=1 /var/qmail/bin/dk-filter

In my setup, I do DKIM verification during the SMTP transaction and DKIM signing during remote deliveries.

Maybe you could describle what you want to achieve with examples and I could work out a solution which will work for you

Reply | Permalink

dk-filter: choosing the signing domain

Martin Sluka Manvendra Bhangui June 24, 2019 21:10

Hi Mandreva,

thanks for your answers!

What I am trying to achieve is that all outgoing e-mail which has our domain in its RFC5322.From address (and thus a corresponding /var/qmail/control/domainkeys/$domain/default key file exists) gets a DKIM signature, whereas other messages (e.g. those which came from remote and get forwarded to other remote addresses) are left untouched.

In /var/qmail/supervise/qmail-send/run I have:

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

In practice this works for "normal" messages, but only because their RFC5322.From is usually identical to their RFC5321.MailFrom address, and the latter is contained in the environment variable _SENDER when dk-filter gets invoked. For bounce messages however, the RFC5321.MailFrom address is empty, thus _SENDER is empty, which causes dk-filter to fall back to /var/qmail/control/domainkeys/default – but then, it cannot correctly distinguish between bounce messages generated by our system and foreign bounce messages which should only get forwarded, but not signed.

So, to cut it short, the IMHO correct solution would be to use the RFC5322.From address for choosing the key, either always or at least when the RFC5321.MailFrom is empty.

According to dk-filter(8), "dk-filter uses the domain found in the Sender: header to set the domain
tag. If not it uses the From: header." What is meant by "If not it uses the From: header"? I understand it as: If there is no sender, then it uses the From: header, that is the RFC5322.From (for choosing the signing key to use). But I cannot see that it would really do that. So either I misunderstand the documentation, or the documentation does not match the actual behaviour of dk-filter.

Or are you trying to explain that the _SENDER environment variable which dk-filter uses to select the key should already be set to the RFC5322.From by a component earlier in the call chain? If yes, which component would that be and how would one achieve this?

BTW, in the meantime I've patched dk-filter to do an appropriate lookup, so it works for me now. I just wonder if there is a better solution.

Reply | Permalink

dk-filter: choosing the signing domain

Manvendra Bhangui Martin Sluka June 26, 2019 10:19

Yes. The _SENDER environment variable which dk-filter uses is already set by spawn-filter earlier in the call chain.

Howerver this is NULL for bounces, eventhough the RFC5233.From will be mailer-daemon@bounce_domain. The bounce_domain will be a value set by qmail-send from /var/qmail/control/me

Looks like I have understood your problem and that problem will be there for all users. There are two issues. The first issue isn't really the blocker. The blocker is the wrong key being used for signing by the dk-filter script when the _SENDER env variable is NULL.

1. the libdkim library uses the following logic

  if (!sReturnPath.empty())
    sAddress.assign(sReturnPath);
  else
  if (!sSender.empty())
    sAddress.assign(sSender);
  else
  if (!sFrom.empty())
    sAddress.assign(sFrom);
  else
   return false;

This implies that it uses the envelope from address first for signing the domain. This should be like this

  if (!sSender.empty())
   sAddress.assign(sSender);
  else
  if (!sFrom.empty())
    sAddress.assign(sFrom);
  else
  if (!sReturnPath.empty())
    sAddress.assign(sReturnPath);
  else
    return false;

2. The sender/from address comes from the _SENDER environment variable. This variable is set by spawn-filter program

The spawn-filter gets this from the command line arguments passed to qmail-local / qmail-remote by qmail-lspawn, qmail-rspawn respectively. For bounces, this will be NULL. The problem is that dk-filter falls back to using /var/qmail/control/domainkeys/default.

One way to solve this is to use /var/qmail/control/me as the signing domain for bounces as the bounce will be from MAILER-Daemon@. The other solution is to define your default DKIM key in dk-filter rather than using a hardcoded  var/qmail/control/domainkeys/default

I am contemplating at using an environment variable DEFAULT_DKIM_KEY which dk-filter will use in such cases. You can set DEFAULT_DKIM_KEY like this

 exec env - PATH="/var/qmail/bin:$PATH" \
  QMAILREMOTE=/var/qmail/bin/spawn-filter \
  FILTERARGS=/var/qmail/bin/dk-filter \
  DEFAULT_DKIM_KEY=/var/qmail/control/domainkeys/abcd.com \
  qmail-start "`cat /var/qmail/control/defaultdelivery`"

Reply | Permalink

Problem using a selector different than default

Pablo Murillo February 14, 2019 06:01

Hi

Finally I have all working, but I decided not to use "default" as "default" selector
I used domainkey to generate the key

# domainkey my_domain.com MYdkim

I have in usr/local/etc/domainkeys/my_domain.com

default -> /usr/local/etc/domainkeys/my_domain.com/rsa.private_MYdkim
rsa.private_MYdkim
rsa.public_MYdkim
selector

# cat /usr/local/etc/domainkeys/my_domain.com/selector
MYdkim

Inside the DNS I added a txt as folow

MYdkim._domainkey.my_domain.com. IN TXT "v=DKIM1; k=rsa; t=y; p=xxxxxxxxxx"

I'm using qmail-smtpd for signing outgoing messages
The messages are signed, but with the wrong "CNAME"

I sent an email to "auth-results@verifier.port25.com" and I have this answer

DKIM check details:
----------------------------------------------------------
Result: permerror (key "default._domainkey.mydomain.com" doesn't exist)

Any idea where is the error ?

Reply | Permalink

Problem using a selector different than default

Roberto Puzzanghera Pablo Murillo February 14, 2019 09:38

strange... what happens if you verify your own message with gmail or even your own server?

Reply | Permalink

Problem using a selector different than default

Manvendra Bhangui Roberto Puzzanghera February 14, 2019 18:26

Thank you for bringing this to my attention. I will work on this and provide a fix ASAP. Give me some time till weekend.

Reply | Permalink

Problem using a selector different than default

Pablo Murillo Manvendra Bhangui February 15, 2019 04:19

Hi

Finally I found a solution, not the best, but ...

Check then next post

https://notes.sagredo.eu/en/qmail-notes-185/configuring-dkim-for-qmail-92.html#comment1231

Reply | Permalink

Problem using a selector different than default

Pablo Murillo Roberto Puzzanghera February 14, 2019 17:29

More tests
Now, with my domain
I made few changes to fit my configurations

I changed the location for domainkeys to other folder where I have all the configs
I made a ln -s for /usr/local/etc/domainkeys to the new domainkeys folder
I configured qmail-smtpd for signing outgoing messages

/var/qmail/supervise/qmail-smtpd/run

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/web/conf/domainkeys/%/default

I created a new domainkey for pablomurillo.com.ar with RNAdkim as "selector"

# ls -l /web/conf/domainkeys/pablomurillo.com.ar/
total 12
lrwxr-xr-x 1 vpopmail vchkpw 60 Feb 14 12:41 default -> /web/conf/domainkeys/pablomurillo.com.ar/rsa.private_RNAdkim
-rw------- 1 vpopmail vchkpw 887 Feb 14 12:41 rsa.private_RNAdkim
-rw------- 1 vpopmail vchkpw 272 Feb 14 12:41 rsa.public_RNAdkim
-rw------- 1 vpopmail vchkpw 8 Feb 14 12:41 selector

# cat /web/conf/domainkeys/pablomurillo.com.ar/selector
RNAdkim

Test to check-auth@verifier.port25.com

DKIM check details:

Result: permerror (key "default._domainkey.pablomurillo.com.ar" doesn't exist)
ID(s) verified:

Canonicalized Headers:
 message-id:<C39E4713200C4EC8801981F69B885FE3@killer1>'0D''0A'
 from:"Pablo'20'Murillo"'20'<info@pablomurillo.com.ar>'0D''0A'
 to:<check-auth@verifier.port25.com>'0D''0A'
 subject:test'0D''0A'
 date:Thu,'20'14'20'Feb'20'2019'20'12:52:18'20'-0300'0D''0A'
 mime-version:1.0'0D''0A'
 content-type:text/plain;'20'format=flowed;'20'charset="iso-8859-1";'20'reply-type=original'0D''0A'
 content-transfer-encoding:7bit'0D''0A'
 x-mailer:Microsoft'20'Outlook'20'Express'20'6.00.2900.5931'0D''0A'
 dkim-signature:v=1;'20'a=rsa-sha1;'20'c=relaxed/relaxed;'20'd=pablomurillo.com.ar;'20's=default;'20'x=1550764320;'20'h=Message-ID:'20'From:To:Subject:Date:MIME-Version:Content-Type:'20'Content-Transfer-Encoding:X-Mailer;'20'bh=2jmj7l5rSw0yVb/vlWAYkK/YB'20'wk=;'20'b=

Canonicalized Body:

DNS record(s):
 default._domainkey.pablomurillo.com.ar. TXT (NXDOMAIN)

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

-------------------------------------------------------------------------------------------------------------------

Test to gmail:
-------------------------------------------------------------------------------------------------------------------

Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@pablomurillo.com.ar header.s=default header.b=uEm6qI0Z;
spf=pass (google.com: domain of info@pablomurillo.com.ar designates 190.224.160.64 as permitted sender) smtp.mailfrom=info@pablomurillo.com.ar
Received: (qmail 24866 invoked by uid 0); 14 Feb 2019 12:52:00 -0300
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
d=pablomurillo.com.ar; s=default; x=1550764320; h=Message-ID:
From:To:Subject:Date:MIME-Version:Content-Type:
Content-Transfer-Encoding:X-Mailer; bh=/edzoYuyn17WXm8KeqcX/R+kh
dQ=; b=uEm6qI0ZdhmeJ3mEdyjl62sLwHk23D9mpcD07AoNw39Hg8pXx+oBkL/sV
r8iTGVLz+irfaRXCDrfa57421fLrgGUgMaxkFjVvqqUii6UQVmXknCTwT9mlSAIV
feFvejzyC2Mz90vIdA4gESV/Bd6xYsdPb64yDseZ1ZMcHqqq1U=

If I use something different as default for selector don´t work

I checked DKIM on DNS with : https://dkimcore.org/tools/keycheck.html and it's OK

I think that qmail-dkim is not "reading" the selector file to make de DKIM signature

"DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
d=pablomurillo.com.ar; s=default; x=1550765686; h=Message-ID:"

"s=" is allways "default"

Reply | Permalink

Problem using a selector different than default

ChangHo.Na Pablo Murillo April 21, 2019 07:43

Hi,

file: /var/qmail/bin/dk-filter

modify #90 line:

dkselector=`basename $dkkeyfn`  => dkimselector=$(<"${dkimkeyfn/default/selector}")

and rebulid domainkeys

Reply | Permalink

Problem using a selector different than default

ChangHo.Na ChangHo.Na April 21, 2019 11:27

Sorry!

file: /var/qmail/bin/dk-filter

modify #124 line:

dkimselector=`basename $dkimkeyfn`  => dkimselector=$(<"${dkimkeyfn/default/selector}")

You don't need to rebuild domainkeys.

Reply | Permalink

Problem using a selector different than default

Pablo Murillo Roberto Puzzanghera February 14, 2019 16:00

The result for gmail es a failure too

Authentication-Results: mx.google.com;
 dkim=temperror (no key for signature) header.i=@my_domain.com header.s=default header.b=Kf3SBDLh;

Received: (qmail 51868 invoked by uid 0); 14 Feb 2019 01:38:29 -0300
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=my_domain.com;
 s=default; x=1550723909; h=MIME-Version:Content-Type:Date:From:
 To:Subject:Message-ID:User-Agent; bh=Kxb4hoiPtpyfLSNHnDfG2he0CLo
 =; b=Kf3SBDLhRSnVuRb8tOJxpuTvbGO7/iX6Sl8zlNiSKbitvLQ+CUfPvc3K9Tr
 thoKI7qrGgLQAl/0/k8WEyqdSaZi+VanX852bYnnAqhrOilo396xZqHJghhI+oML
 mVZ9WgIjOhspY8X5NIStKcmy/Om+4+5JyoATS9BWjqbVVTco=

I created a new domainkey with "default" as selector, and everything works good

Authentication-Results: mx.google.com;
dkim=pass (test mode)

I wil made more test with more domains to see if the problem persist

Reply | Permalink

Problem using a selector different than default

Anonymous Pablo Murillo February 15, 2019 06:52

So you want your selector to be MYdkim

This is what you should do. Remember that the selector is always taken from the basename of the file that the environment variable DKIMKEY is set to.

If the last component of the path is 'default', the selector will be default. If the last component is MYdkim, the selector will by MYdkim.

So your private key should be named MYdkim. i.e.

/web/conf/domainkeys/pablomurillo.com.ar/MYdkim

The file MYdkim can be a symbolic link too to the filename of your choice.

and your public key could be named anything as it is not used internally by qmail-dkim

/var/qmail/supervise/qmail-smtpd/run

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/web/conf/domainkeys/%/MYdkim

Reply | Permalink

Problem using a selector different than default

Pablo Murillo Anonymous February 15, 2019 23:12

Hi

I'm doing that
After read a little I discovered the "problem"
Is not the best way if you need to use more than one "selectors"
The right solution is read the selector file , but my C is not as good as I like to do this

Reply | Permalink

Problem using a selector different than default

Roberto Puzzanghera Pablo Murillo February 14, 2019 17:11

Ok, let me know. I'll do some tests when I find some time and eventually inform M.Bhangui

Reply | Permalink

Problem using a selector different than default

Pablo Murillo Roberto Puzzanghera February 14, 2019 20:36

Finally !, I found the solution
I think, is not the best , but ...
The selector is taken from "DKIMKEY" , so I changed DKIMKEY in qmail-smptd/run to :
DKIMKEY=/web/conf/domainkeys/%/RNAdkim

Also, I changed the "ln -s" of "rsa.public_RNAdkim" from "default" to "RNAdkim"

Is a solution, not the right one for me, because if you plan to use different selectors, this will be a problem

I think that the right behavoir will be read the "selector" file, not use the "name" of the "symbolic link"

Reply | Permalink

Problem using a selector different than default

Roberto Puzzanghera Pablo Murillo February 14, 2019 20:44

Great. 

Anyway, as you may have noticed, Manvendra Bhangui will take a look at this in the w/e https://notes.sagredo.eu/en/qmail-notes-185/configuring-dkim-for-qmail-92.html#comment1230

Reply | Permalink

Problem using a selector different than default

Pablo Murillo Roberto Puzzanghera February 15, 2019 04:26

Yes, yes
Thanks

Reply | Permalink

usage 2038 keys

qmailing August 30, 2018 15:38

can you change script domainkey to usage 2048 keys ?

Reply | Permalink

usage 2038 keys

ChangHo.Na qmailing April 21, 2019 08:05

Hi,

1. modify domainkey file:

openssl genrsa -out $CONFIGDIR/$1/rsa.private_$SELECTOR 1024

to

openssl genrsa -out $CONFIGDIR/$1/rsa.private_$SELECTOR 2048

2. modify dk-filter file:

if [ $zopt -eq 0 ] ; then
    dkimopts="$dkimopts -z 1"
fi

to 

if [ $zopt -eq 0 ] ; then
    dkimopts="$dkimopts -z 2"
fi

or use DKIMSIGNOPTIONS option

3. rebuild domainkeys

4. settings dns

Reply | Permalink

usage 2038 keys

Roberto Puzzanghera ChangHo.Na April 22, 2019 19:44

thank you

to have such a long dns record under bind I had to split the domainkey as follows

default._domainkey.mydomain.tld. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQZJmKV9pModJLj0fWPTYV8JTYkqp8Jb+nxSGmYjKvdDNgk26Uc7GYghF/lWxa8kXBxfbYmtr1vBUi2BIOK3ijIDntKqGJaljSyJSAh7SESbG6ob+45uF1V9gYMA4Lk1x/pMeExLR6f7qfKwoT"
"dRRw4BVs1aHy2iUZOJpHXD1hWG99AhbozhZVTgdCopqU3lFEYlpVQ/YdqiNmZpc04BVyOTG71VOCdm+MuCFpQYckWmxJIh8WFhaCDlIByE88uAupp+28538V9HSWIi3CIigQmD/OIQ/XwaXA7uO0VBEWw7+F1cAfvPdTTl/gal1EMg1FXdBq2ZVJVxHyZZs4H5KQIDAQAB")

so that each line doesn't exceed 256 chars lenght

I tested this sending a test mail to check-auth@verifier.port25.com and the verification was good. Unfortunaly a test against gmail failed (verification failure) so I'm sticking with 1024 keys.

Any hint would be appreciated

Reply | Permalink

usage 2038 keys

ChangHo.Na Roberto Puzzanghera April 25, 2019 06:32

Hi,

Gmail is no problem!

My dns:

20190420._domainkey.chcode.com. IN TXT "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsDfmZGeRoC3QINDAeTm5P8YPgRPsBu/9puMaF6kUj7M47iJqmN8S6B60vvBCr0HOCqhiTnrq7hBdf+c3BjG8YKWcQMfFy6UqaBipm3crjwQ++4Vgg4t38T0SZ88" "FoI1AUw7RZYbixAE0DbSzZ Ur5cHUGwV/t5GnWekDvwadiEp1T87xZdBEU7XHELR+d0Wq7PbnQVdybWL+bqxpYsclbYacxtxSNCUlOC6vSdQBinJ6JCr/8o9xg00C/jNC+ZOdLBIi6AOIH+tBVPnos0DE1UVzZhK4iXALxTZAQ4cpBSqOJqACSMo6JGaWikb15ow/HQEXYC6gW/DCM8T1CQ1SlLQIDAQAB"

Reply | Permalink

usage 2038 keys

ChangHo.Na Roberto Puzzanghera April 25, 2019 06:24

Hi,

How to Split DNS DKIM Records Properly.

http://hack.limbicmedia.ca/how-to-split-dns-dkim-records-properly/

Reply | Permalink

usage 2038 keys

Roberto Puzzanghera ChangHo.Na April 25, 2019 17:32

I've followed this howto concerning the long dns splitting and I'm still unable to pass the gmail dkim test.

In addition, sending a test mail to check-auth@verifier.port25.com results in a wrong dns record interpretation (note the default._domainkey.mydomain.tld. IN TXT inside):

default._domainkey.mydomain.tld. 60 IN TXT "v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3default._domainkey.pacinotti.edu.it.INTXT5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB"

while my dkim record(s) is

default._domainkey.mydomain.tld. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3"
default._domainkey.mydomain.tld. IN TXT "5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB")

Note that check-auth@verifier.port25.com was not complaining when setting my dns like this

default._domainkey.mydomain.tld. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3"
"5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB")

On the contrary mxtoolbox.com tests are ok

Reply | Permalink

usage 2038 keys

ChangHo.Na Roberto Puzzanghera April 26, 2019 20:02

Hi,

My case:

send mail to gmail: fail

after 10minutes: fail

after 30minutes: pass

after 1hour: pass

after 1day: pass

I think, you're dns is correct.

Reply | Permalink

usage 2038 keys

Roberto Puzzanghera ChangHo.Na April 27, 2019 12:40

Great, gmail verification passed!

My dns is like this:

default._domainkey.mydomain.it. IN TXT ("v=DKIM1\; k=rsa\; t=y\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAopYfx74JYL12O5i8RJ1GqYxkbkTf9MXkeJ/4RLxJGrKLpGlYnFuKfAH8dZAtIqOpvaai9ipG/6kw2Sj7Ss6/qkutvdbfnKIl/9RsGws/xq3jCf9Zc19V0Zeo96FZI0PuvKqAKKxQar4j8WJ+eN1ahxe3"
"5hUIiYCnmx3Y80JXj89Qwie1l5G5xDl7jLICXa+kZJF+orfQ8KH0HURCmUCrRwJTvuTHI+zSgUcrjgrJnQjCkqkMhy3LAy/ybfAZnaYozloaqIoGZOeas4+X/O97OHhSq5EIRPLtJtyEFJ8WMbpDD7kql8ztS6jMulhIUjHZNBwcgnU0bSw2mO9nu8uxLwIDAQAB")

I'm signing at qmail-remote level adding DKIMSIGNOPTIONS="-z 2" in my /var/qmail/rc

#!/bin/sh

# Using stdout for logging
# Using control/defaultdelivery from qmail-local to deliver messages by default

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter \
DKIMSIGNOPTIONS="-z 2" \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

Reply | Permalink

usage 2038 keys

Roberto Puzzanghera Roberto Puzzanghera April 27, 2019 12:43

At this point having a modified domainkey script file, which outputs a splitted dns record in case of 2048 key, from someone who have shell skills better than mine would be very much appreciated... :-)

Reply | Permalink

usage 2038 keys

Roberto Puzzanghera qmailing August 31, 2018 21:55

upgraded. thanks

Reply | Permalink

usage 2048 keys

Roberto Puzzanghera Roberto Puzzanghera September 22, 2018 11:20

I restored the 1024 key, because my bind server was failing to load zones with such a long line. Any comment would be appreciated

Reply | Permalink

usage 2048 keys

Me Roberto Puzzanghera October 12, 2018 11:17

you must separate long key with more than 255 charset " (quotation marks)

Reply | Permalink

usage 2048 keys

Tatsuya Yokota Me December 7, 2019 05:33

github

https://github.com/kotaroman/domainkey

thank you.

Reply | Permalink

usage 2048 keys

Tatsuya Yokota Me December 7, 2019 05:28

I tried to support the domainkey command for 2048bit.
TXT record for BIND is automatically set to 2 lines.

modified
https://acoustype.com/domainkey

original
https://notes.sagredo.eu/files/qmail/domainkey

thank you.

Reply | Permalink

usage 2048 keys

Roberto Puzzanghera Tatsuya Yokota December 8, 2019 14:06

I published your modified script. Thanks again

Reply | Permalink

usage 2048 keys

Tatsuya Yokota Roberto Puzzanghera December 13, 2019 16:07

I was very surprised.
Thank you very much.

Reply | Permalink

usage 2048 keys

Roberto Puzzanghera Tatsuya Yokota December 7, 2019 07:54

Great contribution, very much appreciated. I'm going to make tests as soon as possible

Reply | Permalink

Improvement

Mirko Buffoni August 17, 2018 14:13

Thank you Roberto for such a good and clear guide to DKIM and qmail.

I've made a little improvement that I want to share. I've made it to solve my need to sign messages sent by authenticated users, and to verify all non authenticated ones.

With the current code, it is not possible to achieve this. However with a little modification, it can be done pretty easily. I changed the behavior of RELAYCLIENT_NODKIMVERIFY (which IMHO is wrong at the moment, since it will skip verification, but also any eventual signing that may have been requested).

I've added a check for env variable RELAYCLIENT_NODKIM, which if present, will skip verification and signing step, going on directly with the next QUEUE command (like the current behavior).

Instead, if RELAYCLIENT_NODKIMVERIFY is present, it will void any DKIMVERIFY, and will go on with the code, allowing to sign a message if DKIMKEY is specified or a default domainkey is available for that domain (!DKIMSIGN && !DKIMVERIFY && RELAYCLIENT).

Pheww, too much words. The patch is simpler and easier to read, though ;) 

/etc/tcprules.d/tcp.smtp:

:allow,QMAILQUEUE="/var/qmail/bin/qmail-dkim",DKIMVERIFY="FGHKLMNOQRTVWjpu",DKIMKEY="/etc/domainkeys/%/private",RELAYCLIENT_NODKIMVERIFY="1"

Patch:

--- netqmail-1.06/qmail-dkim.c 2018-08-17 13:42:40.000000000 +0200
+++ netqmail-1.06.relaynoverify.patch/qmail-dkim.c 2018-08-17 13:44:11.000000000 +0200
@@ -1115,10 +1115,13 @@
 dkimsign = env_get("DKIMSIGN");
 dkimverify = env_get("DKIMVERIFY");
 p = (env_get("RELAYCLIENT") || env_get("AUTHINFO")) ? "" : 0;
- if (dkimverify && p && env_get("RELAYCLIENT_NODKIMVERIFY")) {
+ if (p && env_get("RELAYCLIENT_NODKIM")) {
 execv(*binqqargs, binqqargs);
 die(120, 0);
 }
+ if (dkimverify && p && env_get("RELAYCLIENT_NODKIMVERIFY")) {
+ dkimverify = 0;
+ }
 if (!dkimsign && !dkimverify && p) {
 if (!(dkimsign = env_get("DKIMKEY"))) {
 if (!stralloc_copys(&dkimfn, "domainkeys/%/default"))

Ciao!

Reply | Permalink

Improvement

Roberto Puzzanghera Mirko Buffoni August 17, 2018 14:33

Actually the logic behind the RELAYCLIENT_NODKIMVERIFY variable is to avoid that the outgoing messages will be verified as well

Reply | Permalink

Improvement

Anonymous Roberto Puzzanghera August 17, 2018 14:57

Ok, but the name _NODKIMVERIFY misleaded me to think that only the verification step was skipped.

Reply | Permalink

Improvement

Roberto Puzzanghera Anonymous August 17, 2018 15:02

This is what actually does... that variable is there to avoid that outgoing msg could be verified before getting the queue and be signed via qmail-remote

Reply | Permalink

Improvement

Roberto Puzzanghera Mirko Buffoni August 17, 2018 14:23

Great! Thank you

Reply | Permalink

mails do not have a signature via php

Chava2b September 20, 2017 18:00

Hi,

I have in the file /var/qmail/supervise/qmail-smtpd/run

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/etc/domainkeys/my_domain/default

The dkim signature is present if I use outlook for example (relay) but is not present if I send a mail by a php script from the mail server.

Have I forgotten anything? Thank you for your help

regards

Reply | Permalink

Re: mails do not have a signature via php

Roberto Puzzanghera Chava2b September 20, 2017 21:49

I have never tested this, as I usually run php in a server that is separated from qmail. As you know, the php mailer calls the sendmail program, which is an alias of /var/qmail/bin/sendmail. Perhaps the qmail's sendmail program injects the message directly via qmail-inject without opening a connection to qmail-smtpd on port 25 and without the call of any filter like qmail-dkim, but I admit that I didn't look at the code, so any other explaination would be welcome

Reply | Permalink

How can I use this patch only and not all the package ?

Pablo Murillo March 2, 2017 00:34

Hi

I'm FreeBSD user, and I don't use netqmail, Is there a way to only implement DKIM patch and not all the others ?

Reply | Permalink

Sorry Pablo, I can't get what

roberto puzzanghera Pablo Murillo March 7, 2017 22:36

Sorry Pablo, I can't get what you mean.. you say that you don't use netqmail but that is a patch for netqmail... 

Reply | Permalink

How to sign with algorithm rsa-sha256

Daniel Prosser August 23, 2016 03:19

I hope this isn't a stupid question.  I've got qmail signing outgoing email, but they're all using  rsa-sha1.  How can get it to use rsa-sha256?

Reply | Permalink

As I suspected, it was a

Daniel Prosser Daniel Prosser August 23, 2016 19:09

As I suspected, it was a stupid question.  I checked out my version of openssl and it didn't have sha256 available.  The man page for openssl dgst recommended using SHA1, it was so old.   I'm currently building a newer version from source.

Reply | Permalink

Fails to verify if subject not in h= list

C Pitchford February 16, 2016 14:16

I've noticed that Sky UK is sending out legitimate emails including a dkim signature that does NOT include the subject:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=skymail.sky.com;
    s=20141008185601; t=1455627787; x=1471352587;
    bh=..........; h=From:Reply-To;

I don't think excluding the subject from the signature is against the spec, even if it is silly. It does, however, fail verification

I've added this option to qmail-dkim.c to relax this restriction:

        if (env_get("UNSIGNED_FROM"))
                vopts.nAllowUnsignedFromHeaders = 1;
        vopts.nSubjectRequired = 1;
        DKIMVerifyInit(&ctxt, &vopts);          /*- this is always successful */

This value ensures it will permit a signature that does not include the subject

It may be worth making this configurable (with an environment variable or a switch to DKIMVERIFY?)

Reply | Permalink

Re: Fails to verify if subject not in h= list

Manvendra C Pitchford February 17, 2016 05:47

Thank you. It is a simple fix. Will have the environment variable UNSIGNED_SUBJECt and let Robert know the url for the latest patch

Reply | Permalink

Re: Fails to verify if subject not in h= list

Manvendra Manvendra March 7, 2016 07:59

Two New patch uploaded to https://sourceforge.net/projects/indimail/files/netqmail-addons/qmail-dkim-1.0/

One which includes spf + ipv6 + dkim

and one which has only dkim

Reply | Permalink

Re: Fails to verify if subject not in h= list

roberto puzzanghera Manvendra March 10, 2016 12:37

Thank you Manvendra. I have updated my combined patch accordingly

Reply | Permalink

I will ask Manvendra Bhangui

roberto puzzanghera C Pitchford February 16, 2016 22:11

I will ask Manvendra Bhangui to look at your comment. Thank you

Reply | Permalink

qmail-dkim: signature error: RSA verify failed but testing

Marcello Lupo roberto puzzanghera March 24, 2017 18:02

Hi,

even if I installed the latest patch on my system I'm not able to receive password reset email from GitHub.

I created another account on GitHub using a Gmail account and on that account I receive the email correctly.

Can you help me to understand why on my server it is failing?

These are the DKIM headers i receive on Gmail account for the pasword reset email:

Received: from github-smtp2b-ext-cp1-prd.iad.github.net (github-smtp2-ext6.iad.github.net. [192.30.252.197])
        by mx.google.com with ESMTPS id 139si3247415ion.136.2017.03.24.09.52.24
        for <hunters14473@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Fri, 24 Mar 2017 09:52:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of noreply@github.com designates 192.30.252.197 as permitted sender) client-ip=192.30.252.197;
Authentication-Results: mx.google.com;
       dkim=pass (test mode) header.i=@github.com;
       spf=pass (google.com: domain of noreply@github.com designates 192.30.252.197 as permitted sender) smtp.mailfrom=noreply@github.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=github.com
Date: Fri, 24 Mar 2017 09:52:24 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com;
s=pf2014; t=1490374344;
bh=SMIcRquEv41jyIeUc9eCvSloLz6xCzCOEK8yKIKvhHg=;
h=From:To:Subject:From;
b=mFmuh44xku3V+DMvHmrjdar3DaXkqcbLvZG7FhGDmW5PTKbObbOfdf2lcstEMquq+
  5Jool/dRJERdbTCrhl9ovA2LRGr/5JtLgELbNviqXh/9Ciab4D1lDE+IDE+R3AQvRu
  BPz8JTvYVjEvouFf0ZovoaaS+MLzlja1Ehuxo5no=
From: GitHub <noreply@github.com>
To: hunters144732 <hunters14473@gmail.com>
Message-ID: <58d54ec84991a_2a2bf3ff8981afc2c88634@github-fe-54106a2.cp1-iad.github.net.mail>
Subject: [GitHub] Please reset your password

Thank you

Regards

Marcello

Reply | Permalink

Re: qmail-dkim: signature error: RSA verify failed but testing

Manvendra Marcello Lupo March 25, 2017 04:30

What is the value of your DKIMVERIFY envrionment variable?

In DKIMVERIFY have the letter 'j' included in lower case. Once you have the email in your system, you can test it by supplying the raw text on stdin to dkimtest.

Reply | Permalink

No Output and Exit status 53

Marcello Lupo Manvendra March 27, 2017 16:22

Hi Manvendra,

if I disable the DKIM on the system the email is received perfectly.

If i pass the raw email to DKIM on the shell i get no output and the exit code is 53 .

If i make the same with a normal gmail email recevide from the server i get the the complete Email on the output with the DKIM-Status: good Header.

Have you any suggestion?

Thank you

Bye

Marcello

Reply | Permalink

DKIM Failing [SOLVED]

Marcello Lupo Marcello Lupo March 27, 2017 17:46

Hi,

I found the problem. It was a Baesyan filter on a FortiMail system in front of my server that was recognizing that email as SPAM and was altering the Subject. When the email reach my server with the Subject altered it fail the DKIM Check. Now without the Subject altered it works perfectly.

Thank you for your availability and sorry if i make you loose some time.

Bye

Marcello

Reply | Permalink

This example implies qmail-dkim man page to be corrected.

Manvendra Marcello Lupo March 27, 2017 19:00

Problem: Marcelo was receiving an email where the content of the email was changed (in particular the Subject header).

This caused qmail-dkim to issue the following error

J - DKIM_SIGNATURE_BAD_BUT_TESTING      - signature error: RSA verify failed but testing

The man page states that DKIMVERIFY should have the letter j for returning temporary error and the letter J for issuing permanent error.

It does not mention that if you omit the letter 'j' or the letter 'J', the email will successfully pass through the queue and get delivered.

So should I modify the qmail-dkim patch for this change in the man page. Most of the dkim verification error results because the message gets modified by some filter before qmail-dkim and you could potentially lose email, like Marcelo.

The troubleshooting test that Marcelo was doing also failed because DKIMVERIFY had the small letter 'j'. If he omits the leter 'j', he should get the output along with the DKIM-Status header. My view is that if you do not want to lose emails and you do not have the habit of looking at the logs for temporary errors, the letters 'j' or 'J' should be completely omitted from DKIMVERIFY

Reply | Permalink

glad to know that your problem got fixed

Manvendra Marcello Lupo March 27, 2017 18:17

That's good news.

However I was surrprised when you were getting error code 53. Maybe you were piping the output to less or more.

if you use the following script as cat instead of /bin/cat then the troubleshooting always works

#!/bin/sh
exec 1>/dev/tty
exec /bin/cat

Reply | Permalink

exit code 53 means that qmail

Manvendra Marcello Lupo March 27, 2017 17:36

exit code 53 means that qmail-dkim was not able to write to either stdout or stderr. The function die_write() exits with 53. Is it possible to attach the raw email and send it to my private email address? I shoudl be able to debug. I hope there is nothing sensitive in the email.

Reply | Permalink

it seems like you don't have

roberto puzzanghera Marcello Lupo March 24, 2017 20:42

it seems like you don't have the DKIM correctly configured. Did you perform all the tests suggested in this page? Which one eventually failed?

Please post your run file

Reply | Permalink

I had the DKIM working for

Marcello Lupo roberto puzzanghera March 24, 2017 23:43

I had the DKIM working for years and due to this error i was getting i made the update to your latest patch on today but the problem still persist.

I'm able to receive mail from gmail and other DKIM enabled servers but not this one. I was thinking the it can be related to the UNSIGNED_SUBJECT but i seems not to be this the issue.

Here my run file:

QMAILDUID=`id -u vpopmail`
NOFILESGID=`id -g vpopmail`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
LOCAL=`head -1 /var/qmail/control/me`

export SMTPAUTH="-"

export SMTPD_GREETDELAY=15
export DROP_PRE_GREET=1


export CHKUSER_START=ALWAYS

export SURBL=1 # Comment out to enable SURBL filtering
export QMAILQUEUE=/var/qmail/bin/surblqueue # executes surblfilter
export SURBLQUEUE=/var/qmail/bin/qmail-dkim # executes qmail-dkim after sublfilter
export DKIMQUEUE=/var/qmail/bin/qmail-scanner-queue     # qmail-scanner-queue is executed after qmail-dkim
export DKIMVERIFY="FGHIKLMNOQRTUVWjp"

if [ -z "$QMAILDUID" -o -z "$NOFILESGID" -o -z "$MAXSMTPD" -o -z "$LOCAL" ];
then
    echo QMAILDUID, NOFILESGID, MAXSMTPD, or LOCAL is unset in
    echo /var/qmail/supervise/qmail-smtpd/run
    exit 1
fi

if [ ! -f /var/qmail/control/rcpthosts ]; then
    echo "No /var/qmail/control/rcpthosts!"
    echo "Refusing to start SMTP listener because it'll create an open relay"
    exit 1
fi

exec /usr/local/bin/softlimit -m 100000000 \
    /usr/local/bin/tcpserver -v -R -H -l "$LOCAL" -x /home/vpopmail/etc/tcp.smtp.cdb -c "$MAXSMTPD" \
    -u "$QMAILDUID" -g "$NOFILESGID" 0.0.0.0 smtp \
    /var/qmail/bin/qgreylistrbl.pl /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true 2>&1

Thank you

Bye

Reply | Permalink

You have the letter 'j' in

Manvendra Marcello Lupo March 25, 2017 10:52

You have the letter 'j' in DKIMVERIFY. So qmail-dkim will not exit with 100. Have QMAILQUEUE changed temporarily  to bypass qmail-dkim and check. If you still do not receive email then it could be something else. If you receive the qmail

export QMAILQUEUE=/var/qmail/bin/qmail-scanner-queue

After making the above change, save the incoming email to /tmp/mail.txt and you can do the following to troubleshoot

cat mail.txt | env - \
DKIMVERIFY="FGHIKLMNOQRTUVWjp" \
DKIMQUEUE=/bin/cat \
/var/qmail/bin/qmail-dkim

Reply | Permalink

I've been running with the

C Pitchford roberto puzzanghera February 17, 2016 01:19

I've been running with the patch for a few days. Here are some of the domains that seem to be sending these problem signature:

• @email.barclaycard.co.uk
• @b.e.disneyinteractive.com
• @m.email.sonyentertainmentnetwork.com
• @b.skymail.sky.com
• @emea.e.paypal.com

These emails are now being accepted and validated. It looks like a fairly new trend to exclude the subject from the list of headers. I guess paypal is probably the most serious on the list

Reply | Permalink

DKIM DNS Long records Issue

Marcello Lupo November 5, 2015 14:41

Hi,

I found that apple.com, for example, use DNS long records that are splitted in TXT chunks. You can try it doing "dig -t txt mailout2048s._domainkey.apple.com" . My qmail-dkim is failing to check this DKIM signature (google.com is working instead).

Is it possible that qmail-dkim module have problems dealing with this kind of DNS records?

I hope Manvendra Bhangui or someone else can address on this issue.

Thank you

Regards,

Marcello

Reply | Permalink

DKIM DNS Long record issue

Manvendra Marcello Lupo December 13, 2015 04:58

qmail-dkim does not have an issue with assembling long text records. e.g.

$ dig -t txt insideapple2048._domainkey.insideapple.apple.com

; <<>> DiG 9.9.6-P1-RedHat-9.9.6-11.P1.fc21 <<>> -t txt insideapple2048._domainkey.insideapple.apple.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49080
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;insideapple2048._domainkey.insideapple.apple.com. IN TXT

;; ANSWER SECTION:
insideapple2048._domainkey.insideapple.apple.com. 8034 IN TXT "v=DKIM1\;" "k=rsa\;" "h=sha1\;" "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoo2sqljdU766Eq9AqRGm" "aGd2YN784ATBBikYAhl9VxY8Ji3xMU4DAyD3QSZGvKpk5qOIG+1GBWxKVRk3jlvp" "TuaAQuGdKPkcgvRTeb31BzAltWwGvtzsLxiLQGUPFzbv81XomOWemC9QCIYWcddr" "v9CD7PDV1K8sV2BTrfIe9iKspcjia1D9wLgzYg1OU99202DHhRTcE6PucxUtXDgh" "za3pu4FTddllhMJ5eeGCk4z2ctZFCe1SRMtRbaLpDV3yET2icAjTV4w8xhEFuC64" "K0auCaYVWS1rldfV4+jt2A/9RmB7jho2H31XbDm9JqCflMKfoQeHCNQwwJGCRxzq" "eQIDAQAB"

;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sun Dec 13 09:24:37 IST 2015
;; MSG SIZE  rcvd: 503

The same result from indimail's dnstxt program (qmail-dkim uses the same function)

$ dnstxt insideapple2048._domainkey.insideapple.apple.com

v=DKIM1;k=rsa;h=sha1;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoo2sqljdU766Eq9AqRGmaGd2YN784ATBBikYAhl9VxY8Ji3xMU4DAyD3QSZGvKpk5qOIG+1GBWxKVRk3jlvpTuaAQuGdKPkcgvRTeb31BzAltWwGvtzsLxiLQGUPFzbv81XomOWemC9QCIYWcddrv9CD7PDV1K8sV2BTrfIe9iKspcjia1D9wLgzYg1OU99202DHhRTcE6PucxUtXDghza3pu4FTddllhMJ5eeGCk4z2ctZFCe1SRMtRbaLpDV3yET2icAjTV4w8xhEFuC64K0auCaYVWS1rldfV4+jt2A/9RmB7jho2H31XbDm9JqCflMKfoQeHCNQwwJGCRxzqeQIDAQAB
record length 415

Also all emails from apple.com seems to be getting verified. You can send me a raw text of any one email that is not getting verified so that I can investigate. 

Reply | Permalink

Raw text

Marcello Lupo Manvendra December 13, 2015 13:53

Hi Manvendra,

yes I can send raw text email to you but prefer to do it in a PM.

Can you send me you email or let Roberto to give it to me?

Thank you,

Regards,

Bye

Marcello

Reply | Permalink

DKIM Signature problem with emails received from apple.com

Manvendra Marcello Lupo December 15, 2015 05:42

I have debugged the issue with help of the raw email. There were two issues. The first issue is verifiying if the signature has expired. This is done by using t= and x= tags. Unfortunately, one of the funtions is using an integer variable to compare the timestamps and due to this, the signature is shown as expired. This issue was easy to fix and I have made the changes

The second problem is X-Brightmail-Tracker header inserted below the DKIM-Signature. This causes the signature not to verify. After removing the X-Brightmail-Tracker, I am able to verify the signature as good. This issue can be solved by ignoring headers not present in the h= tag. However, since this part of the code is from ALT-N technologies, I might take some time to add some code to skip such headers. I will get back as soon as possible with a fix. If I cannot find a way to fix this, I can always put a wrapper before calling qmail-dkim to skip headers not present in the h= tag.

Reply | Permalink

Re: DKIM DNS Long records Issue

Manvendra Bhangui Marcello Lupo November 6, 2015 02:01

Thanks for pointing this out. WIll investigate this during the weekend and come up with a fix in case there is a bug.

Reply | Permalink

qmail-dkim: signature error: permanent dns failure

nic September 8, 2015 12:19

Dear Roberto,

I had just recieved an error "qmail-dkim: signature error: permanent dns failure requesting selector (#5.7.0)" from a remote domain. That domain does not publish any domainkey. My configure is like so

export DKIMVERIFY="FGHIKLMNOQRTVWjpu"

Any idea where i should start to look?

Thanks
nic

Reply | Permalink

the answer is in the qmail-dkim man page

roberto puzzanghera nic September 30, 2015 19:30

Nic, the answer is in the qmail-dkim man page.. you have to relax the filter if you don't want to reject those kind of msg. The Q letter should be lowercase, but I'm not sure that doing so is a good idea..

Reply | Permalink

wrong password logs

nic June 24, 2015 18:14

Hi Roberto,

I remembered when i was still using Bill's toaster, i have a log of wrong password logins. Is this log available in your version?

It was in /var/log/maillog in Bill's version.

Thanks

nic

Reply | Permalink

yes it is /var/log/maillog

roberto puzzanghera nic June 24, 2015 18:58

yes it is /var/log/maillog

Reply | Permalink

Many thanks =)

nic roberto puzzanghera June 24, 2015 22:29

Many thanks =)

Reply | Permalink

Authentication-Results

Behnam December 26, 2014 11:40

Hi

I have some questions

Do you know any solution or patch to add Authentication-Results header for dkim and spf to your combind patch?

how can I sign and verify my local mails?

when I set QMAILLOCAL and set the proper permission to private key and public key, I can sucssesfuly sign local mails but I can not verify that mails and it has DKIM-Status: no signatures ( I comment "export RELAYCLIENT_NODKIMVERIFY=1" to verify local mails ).

Thanks

Behnam

Reply | Permalink

I don't know of any patch to

roberto puzzanghera Behnam December 26, 2014 12:02

I don't know of any patch to write dkim and/or spf results into that field, but you can see their response in "DKIM-status" and "Received-SPF" respectively.

Reply | Permalink

dkim for local mails not work

Behnam December 25, 2014 20:52

even with set QMAILLOCAL to /var/qmail/bin/spawn-filter   in /var/qmail/rc , I can not sign local mails.

and if I set QMAILQUEUE=/var/qmail/bin/qmail-dkim I received "qq temporary problem (#4.3.0)" when sending local mails.

/var/qmail/rc :

exec env - PATH="/var/qmail/bin:$PATH" \
QMAILREMOTE=/var/qmail/bin/spawn-filter  \
QMAILLOCAL=/var/qmail/bin/spawn-filter  \
DKIMKEY=/usr/local/etc/domainkeys/%/default \
FILTERARGS=/var/qmail/bin/dk-filter \
qmail-start "`cat /var/qmail/control/defaultdelivery`"

qmail-smtpd/run

...
export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMVERIFY="FGHKLMNOQRTVWjpu"
#export RELAYCLIENT_NODKIMVERIFY=1
...

/var/qmail/control/defaultdelivery

| /home/vpopmail/bin/vdelivermail '' bounce-no-mailbox

Reply | Permalink

dkim for local mails not work

Gabriel Torres Behnam June 6, 2020 06:15

Had the same problem here today, and it was a permission issue. In our case, /var/qmail/control/cache was incorrectly configured. Fixed it with:

chown vpopmail:vchkpw /var/qmail/control/cache

It sounds simple, but it took me several hours to fix this as I was thinking that it was a DKIM configuration/permission issue.

Reply | Permalink

dkim for local mails not work

Roberto Puzzanghera Gabriel Torres June 6, 2020 09:57

This should have already been done by the time you installed my patch....

Reply | Permalink

I don't know... your config

roberto puzzanghera Behnam December 26, 2014 11:52

It's strange... your config seems to be correct, but there's no need of declaring QMAILLOCAL to have local mails signed.

Have you done the tests suggested toward the bottom of this page? If yes you should try to debug with strace

Reply | Permalink

now sign but not verify

Behnam roberto puzzanghera December 26, 2014 13:09

Thanks for your reply :-)

I found the problem was permission of private key that root user ( owner of qmail-lspawn ) can not read that file.

now my local mails is somethins like this :

 ( when DKIMVERIFY="FGHKLMNOQRTVWjpu" is set )

Return-Path: <behnam@example.com>
Delivered-To: example.com-postmaster@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com;
        s=default; h=DKIM-Status:MIME-Version:Content-Type:
        Content-Transfer-Encoding:Date:From:To:Subject:Message-ID:
        User-Agent; bh=SSDFuMUWjUihK52L1yEyQKqsfM=; b=JkjuEmSVhW6IBTj2W
        DkVA+sKtbrFaasdSEO2yLsVEisCZ01KL3I5kQmypl06is6F42bQ+64d+vlNxdwSb
        eg7AH6yoVWO+h57F6iBKKDSJIEKSLAOWKSOras5Mlqvy9zDVECzvzZUlotSd7PfF
        ctDc9PGdO4EEm4WehmZNsSVRPw=
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
  s=default; d=example.com;
  b=XVH2sA9Tj1TQY6is9i4e7NpHNyjYcuKhaJ58Hl2O5UHUPX9yqVq62RailJgCgZVWEIeAX1M2TPT/b2CKqqTGJjQEOQwr8TC7HJKDxQYUEWgNe4jiu6lvU7o9se8HcOT5XbnSKFgMqXwfwIOQNoitt+SqKtlGHFpy9PIk3UvoffY=;
Received: (qmail 50945 invoked by uid 89); 26 Dec 2014 15:00:23 +0000
Received: by simscan 1.4.0 ppid: 50912, pid: 50916, t: 3.7977s
         scanners: attach: 1.4.0 clamav: 0.98.5/m:55/d:19840 spam: 3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=4.5 tests=ALL_TRUSTED,AWL,
        TVD_SPACE_RATIO autolearn=ham autolearn_force=no version=3.4.0
DKIM-Status: no signatures
Received: from unknown (HELO mail.example.com) (behnam@example.com)

 ( when DKIMVERIFY="FGHKLMNOQRTVWjpu" is not set )

Return-Path: <example@example.com>
Delivered-To: example.com-postmaster@example.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com;
        s=default; h=MIME-Version:Content-Type:Content-Transfer-Encoding:
        Date:From:To:Subject:Message-ID:User-Agent; bh=+Y1O6gkU5mqhqyI0b
        Y/c1ISV2qA=; b=psfLDKIRmdkdlW<fkespHN/srbgZuUXSOb8l0wI2zgpWsj1SZ
        ewrk3r3KJDIEMF3K/2xCfRnpJGCxVJuyiLehLXwrEWZ/Rc2h4enbtP6qOp4gGOt/
        zR/x5kuURD9zq8EUFa94igRHJigKxjkUn2/M3eVR26wn0CJ+HnVd+UAFZQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=simple;
  s=default; d=example.com;
  nVoQP2iXnFn1yNbbNn/dyWSqoCCF/UlaoimqzTrKi6/RCKSImskeowk83ukwjsuje83jswoqke8w839skwikbfVcDucbnpf5DFZHp7eZRGQEzwXBsNOg=;
Received: (qmail 49537 invoked by uid 89); 26 Dec 2014 14:55:12 +0000
Received: by simscan 1.4.0 ppid: 49511, pid: 49515, t: 22.2933s
         scanners: attach: 1.4.0 clamav: 0.98.5/m:55/d:19840 spam: 3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mail.example.com
X-Spam-Level:
X-Spam-Status: No, score=-1.0 required=4.5 tests=ALL_TRUSTED,AWL,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU autolearn=ham autolearn_force=no version=3.4.0
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.com;
        s=default; x=1420197890; h=MIME-Version:Content-Type:
        Content-Transfer-Encoding:Date:From:To:Subject:Message-ID:
        User-Agent; bh=+Y1O6gkU5mqhqyI0bY/c1ISV2qA=; b=Cm4zaswMi5MPTBgr8
        SKIEMSnhsmdkwKDjUKDjKSJDKiPKAKWiJSUEKSMAhNAQQBMXikssoaMKS4zas3wd
        M8Lupl4uNZTGe17U8WP8xLm9BEpjUfhJ4kQ1aCiehbKl3+zo+h04cfc4AEpDn1gs
        avWNu9ZYlUKRW4kyPp8f+yR6yA=
Received: from unknown (HELO mail.example.com) (behnam@example.com)
  by 0 with ESMTPA; 26 Dec 2014 14:54:50 +0000

and I hadn't any DKIM-Status in the second mail 

Reply | Permalink

can you post your smtpd

roberto puzzanghera Behnam December 26, 2014 15:49

can you post your smtpd run file, or at least confirm that DKIMVERIFY and DKIMSIGN are NOT both defined there?

Reply | Permalink

sorry, I see know that the

roberto puzzanghera roberto puzzanghera December 27, 2014 10:02

sorry, I see now that the verification is done, but for an unknown reason the sign is not matched into the message...

The DKIM verification inside the X-Spam-Status field has nothing to do with the qmail patch, as it's written by spamassassin. So you have to declare DKIMVERIFY

Reply | Permalink

Question about run scripts config with simscan

Marc August 21, 2014 17:48

Hello,

after using your guide to install simscan i am a little bit confused about the config of the qmail-smtpd/run and qmail-submission/run scripts. Before Simscan installation you wrote in the DKIM tutorial:

Insert the two following environment variables in your /var/qmail/supervise/qmail-smtpd/run script:

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMVERIFY="FGHKLMNOQRTVWjpu"

In the description Making qmail-dkim and simscan live together you wrote:

You have to modify like this your /var/qmail/supervise/qmail-smtpd/run script (and /var/qmail/supervise/qmail-submission/run as well)

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default
export DKIMQUEUE=/var/qmail/bin/simscan

The question is, why i have to add in the simscan configuration the parameter export DKIMKEY=/usr/local/etc/domainkeys/%/default. I thougt this was covered with the /var/qmail/rc script. Maybe i miss something in my understanding of the how the things work together.

And another question: The export parameters in the qmail-submission/run script should match with all the Export settings in the qmail-submission/run script?

Thanks for helping.
cheers

Reply | Permalink

Hi Marc, thanks for your

roberto puzzanghera Marc August 22, 2014 10:23

Hi Marc, thanks for your contribution.

You can do in both ways. That was the old method, when the signing had to be done at qmail-smtpd level with all the variables declared in the qmail-smtpd run file. But now I'm signing at qmail-remote level, so the variables have to be declared in the rc file.

I'm going to correct this. Thank you

Reply | Permalink

Contents of DKIMSIGN environment variable

Otto Dandenell August 21, 2014 02:04

Hi Roberto,

You should probably make all examples consistent with the default key locations.

In your /var/qmail/rc example script, you have:

DKIMSIGN=/var/qmail/control/domainkeys/%/default

But this should instead be:

DKIMKEY=/usr/local/etc/domainkeys/%/default

Same with the Signing test example.

Or as an alternative, point out to the reader that the keys are generated in one path but the script examples assume they have been copied to another path.

I think this is probably what went wrong for the reader who couldn't get his signing to work.

Regards

/ Otto

Reply | Permalink

thanks

roberto puzzanghera Otto Dandenell August 21, 2014 12:57

Hi Otto, thanks for your contribution.

Corrected. Of course it was a not wanted error and there will surely be other :)

Reply | Permalink

White List form DKIM

Arturo June 5, 2014 18:12

Hi,

I have the following error and would need to receive these e mails.

Jun  5 18:07:09 mail spamdyke[10900]: DENIED_OTHER from: XXXX@undelivered.ovh.net to: ME_MAIL origin_ip: 178.32.228.195 origin_rdns: mo195.mail-out.ovh.net auth: (unknown) encryption: (none) reason: 554_qmail-dkim:_signature_error:_permanent_dns_failure_requesting_selector_(#5.7.0)

Is there any way to include a whitelist domains?

Thanksss :)

Reply | Permalink

unfortunately there's no

roberto puzzanghera Arturo June 5, 2014 22:07

unfortunately there's no whitelist functionality in the dkim program. The error suggests a permanent dns error

Reply | Permalink

invalid structure

ss January 22, 2014 08:56

found the solution to the problem, was an issue with the ticketing system

please discard previous comment

thanks

Reply | Permalink

Invalid structure

ss January 22, 2014 08:14

Hello,

First let me thank you for the excellent write up on the qmail installation guide.

I am having a problem where sending mail to only certain users on my mail server are being rejected with the following error:

451 qmail-dkim: DKIMContext structure invalid for this operation (#4.3.0)

The mails are being sent from a ticketing system and the problem started to occur recently.

Regards,

ss

Reply | Permalink

qmail-dkim error

Nicholas October 19, 2013 10:01

Hi Roberto,
 
I am getting alot of the errors below. Seems like the receiving mail server cannot verify the DKIM of the incoming email. Is it right to say that? What can i do to allow this coming email?

 message delayed (qmail-dkim: DKIMContext structure invalid for this operation (#4.3.0)): investigations@FBI.GOV from 194.50.9.6
 
 Thanks
 nic

Reply | Permalink

what do you have in your

roberto puzzanghera Nicholas October 19, 2013 13:13

what do you have in your DKIMVERIFY?

Reply | Permalink

export DKIMVERIFY="DEGIJKfh"

Nicholas roberto puzzanghera October 19, 2013 13:37

export DKIMVERIFY="DEGIJKfh"

Reply | Permalink

I don't know exactly what is

roberto puzzanghera Nicholas October 19, 2013 14:43

I don't know exactly what is causing the error and I'm not sure that it's a regular rejection.

To make tests we need a raw message like that, but in this case you should temporarily disable the verification. Send me it in private if you like

Reply | Permalink

DKIM not sign

Nicholas July 1, 2013 13:09

I had tried to use verifier-feedback@port25.com to check, it came with a neutral result.

DomainKeys check details:
----------------------------------------------------------
Result:         neutral (message not signed)

In my named.conf i had also added the TXT record

default._domainkey.domain.com. IN TXT "v=DKIM1\; k=rsa\; t=y\; o=-; p=MIGfMA0GCSqG..........................."

dig default._domainkey.domain.com TXT
default._domainkey.domain.com. 86400 IN TXT "v=DKIM1\; k=rsa\; t=y\; o=-\; p=MIGfMA0GCSqG..........................."

My run file i have

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMQUEUE=/var/qmail/bin/simscan
export DKIMKEY=/var/qmail/control/domainkeys/%/default
export DKIMVERIFY="DEGIJKfh"

In /var/qmail/control/domainkeys/domain.com folder i have

default -> /var/qmail/control/domainkeys/domain.com/rsa.private_default
rsa.private_default
rsa.public_default
selector

Am I missing out anything?

Thanks
Nic

Reply | Permalink

RE: DKIM do not sign

roberto puzzanghera Nicholas July 1, 2013 13:27

Nick, the config seems ok. Did you remember to set the variable RELAYCLIENT in your tcp.smtp?

Reply | Permalink

Thanks for your reply

Nicholas roberto puzzanghera July 3, 2013 09:47

Thanks for your reply.

I have

127.:allow,RELAYCLIENT=""
:allow,CHKUSER_WRONGRCPTLIMIT="3",QMAILQUEUE="/var/qmail/bin/qmail-dkim"

regards
nic

Reply | Permalink

Apparently your config is

roberto puzzanghera Nicholas July 3, 2013 10:01

Apparently your config is ok.. are you sure that your loopback IP is working? Try to assing RELAYCLIENT to your LAN and to your public IP as well.

In addition, but that's not so important, you have already exported QMAILQUEUE in your run file, so declaring it in the last line is redundant.

Reply | Permalink

Many thanks again.This box

Nicholas roberto puzzanghera July 3, 2013 12:16

Many thanks again.

This box has only a public IP.

Do i replace 127 with my public IP to do testing?
127.:allow,RELAYCLIENT=""

I had also removed QMAILQUEUE

Reply | Permalink

No, just add one more line

roberto puzzanghera Nicholas July 3, 2013 12:20

No, just to add add one more line like this:

127.:allow,RELAYCLIENT=""
123.456.789.123:allow,RELAYCLIENT="" (LAN Address)
11.11.11.11:allow,RELAYCLIENT="" (public IP)
:allow ...................... (others)

This will work in case  your loopback is not working (just a guess)

Reply | Permalink

Thanks roberto.I had done

Nicholas roberto puzzanghera July 3, 2013 13:12

Thanks roberto.

I had done what you had sugguested. But it is still not working

Thanks
nic

Reply | Permalink

What the tests from the

roberto puzzanghera Nicholas July 3, 2013 14:11

What the tests from the command line say? Did you check the priviledges of the domain key? I everything is ok I would try to debug with strace. That will show everything

Reply | Permalink

Hi,The tests are identical to

Nicholas roberto puzzanghera July 3, 2013 17:21

Hi,

The tests are identical to your tutorial.

/var/qmail/bin/qmail-dkim < /tmp/testmail.txt
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
        d=domain.com; s=default; x=1373469291; h=To:From:Subject;
        bh=WwQSWknnZ1oltdz9LF0JNbJjHdQ=; b=yg0/TKU/xOJ1lmmLZ1NU538rIH/Ri
        Zbyv4h41Vpa8dQhR7YL28uEpl0egvzGBsUL4FnI0QkK1KgXiaaNRdfb0YKCwbk2C
        PcH0rMWZHyG5a4eFeIsLsOguUGefQLs5iiw5zwk63w8uU8muudJMeoB8LC5NHQQL
        Rd+6M03M2cghl8=
To: postmaster@domain.com
From: postmaster@domain.com
Subject: Test Message

/var/qmail/bin/qmail-dkim < /tmp/testmail.txt
DKIM-Status: no signatures
To: postmaster@domain.com
From: postmaster@domain.com
Subject: Test Message

ls -la /var/qmail/control/
drwx------  3 vpopmail vchkpw 4096 May 10 14:46 domainkeys

How do i use strace to debug?

Thanks
nic

Reply | Permalink

Tests from the command line

roberto puzzanghera Nicholas July 3, 2013 22:10

Tests from the command line are ok. It must be a tcp.smtp/QMAILQUEUE issue..

You can save the strace log in this way:

strace -Ff -o /tmp/test.log -p <pid_of_tcpserver>

But do not post the log as a comment, because it will be very long. Feel free to contact me in private instead

Reply | Permalink

Thanks.Am i right to strace

Nicholas roberto puzzanghera July 3, 2013 22:39

Thanks.

Am i right to strace /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb ?

regards

nic

Reply | Permalink

No, simply the process id of

roberto puzzanghera Nicholas July 3, 2013 22:51

No, simply the process id of qmai-smtpd

Reply | Permalink

HiI had strace pid 994 which

Nicholas roberto puzzanghera July 3, 2013 23:08

Hi

I had strace pid 994 which is running the process  "supervise qmail-smtpd"
I tried sending out an email to gmail. Received the email but nothing is logged.

994   restart_syscall(<... resuming interrupted call ...> <unfinished ...>

Many thanks again
nic

Reply | Permalink

Actually you have to strace

roberto puzzanghera Nicholas July 3, 2013 23:14

Actually you have to strace the tcpserver process_id which belongs to qmail-smtpd..

Reply | Permalink

Ok.Nothing is logged

Nicholas roberto puzzanghera July 4, 2013 00:35

Ok.

Nothing is logged. Send out a few mails to gmail account and the log shows

27792 accept(3,

regards
nic

Reply | Permalink

Try this way

roberto puzzanghera Nicholas July 4, 2013 09:39

18008 ?        S      0:00  |   \_ supervise qmail-smtpd                                                                                                                                      
26888 ?        S      0:00  |   |   \_ /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 25 /usr/local/bin/rblsmtpd -w 30 -r zen.spamhaus.org -r b

root@qmail:/# strace -Ff -o /tmp/test.log -p 26888

Also remember that you have to wait for the greetdelay, so don't stop strace immediately..

Reply | Permalink

Nothing at all.. Weird.

Nicholas roberto puzzanghera July 4, 2013 10:10

Nothing at all.. Weird. Outgoing is not stracable? But incoming does. I had send out 5 test mails to gmail and make sure they are delivered before stopping the strace.

19151 ?        S      0:00 /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 smtp /usr/local/bin/rblsmtpd -t 300 -b -r psbl.surriel.com /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true

The log reads 19151 accept(3,

regards

Reply | Permalink

you have a 300s timeout in

roberto puzzanghera Nicholas July 4, 2013 10:18

you have a 300s timeout in the rblsmtpd..

Reply | Permalink

Ok.I remove all other

Nicholas roberto puzzanghera July 4, 2013 10:33

Ok.

I remove all other additional.

23694 ?        S      0:00 /usr/local/bin/tcpserver -v -H -R -l 0 -x /home/vpopmail/etc/tcp.smtp.cdb -c 20 -u 89 -g 89 0 smtp /var/qmail/bin/qmail-smtpd /home/vpopmail/bin/vchkpw /bin/true

This time round, i sent out 5 test mails each to yahoo and gmail and made sure all 10 mails are received before checking the log

log file reads
23694 accept(3,

If outgoing is not logging, will incoming log helps in my case?

regards
nic

Reply | Permalink

and how you are using strace?

roberto puzzanghera Nicholas July 4, 2013 10:38

and how you are using strace? I mean which process id?

PS Nic, can we continue this conversation as a private msg? This thread is going to be so long...

Reply | Permalink

qmail-dkim not sign the mail

Jacekalex October 2, 2011 19:57

Hi

I have a problem with qmail-dkim.
The program mails from RELAYCLIENT signs, but not signed messages sent from other hosts that are not in RELAYCLIENT, and were sent using SMTP-AUTH.

I found the solution to the problem at:
http://qmail.jms1.net/patches/combined-details.shtml

Specifically:
"An example of a patch which needs this functionality, and in fact the initial reason for writing this patch, is the domainkeys patch. In order to verify a signature for an incoming message, it requires that a variable DKVERIFY exist, which contains a list of letters telling which domainkeys results should be considered hard or soft errors. However, in order to sign outgoing messages, it requires that DKVERIFY should NOT exist.

This patch allows me to create an AUTH_SET_DKSIGN environment variable, and when the user AUTH's, it adds a DKSIGN variable to the environment, which forces the qmail-dk program to sign the message instead of verifying it. Without this, the only way to make domainkeys work was to enable it for certain IP addresses in the /etc/tcp/smtp.cdb file, which was no good for clients who used AUTH in order to relay."

Can I count on the fact that a similar mechanism appears in Your patch?

Cheers
:)

Reply | Permalink

qmail-dkim not sign the mail

Cprogrammer Jacekalex August 15, 2013 15:06

Jacekalex ,

you could do the following. Write a dkim shell wrapper as below

#!/bin/sh
if [ "$AUTH_SET_DKSIGN" != "" ] ; then
DKIMSIGN="whatever you want it to be"
fi
exec /var/qmail/bin/qmail-dkim

and have the above shell script defined in QMAILQUEUE instead of qmail-dkim

Reply | Permalink

Re: qmail-dkim

roberto puzzanghera Jacekalex October 2, 2011 20:27

Hi Jacekalex,

qmail-dkim will sign your messages if the variable RELAYCLIENT is set and will verify all messages from IPs where RELAYCLIENT is not set (but only if you set DKVERIFY). So this is exactly how it should work.

The mechanism of the patch included in the John Simpson's combined patch is different from the one of the DKIM patch authored by Manvendra Bangui and embedded in my big one, as the signing is not triggered by the authentication here.

For any further info and/or troubleshooting do not hesitate to contact me in private, in you like.

Cheers

Edit:

I assume, if you are using my patch, that you have

export QMAILQUEUE=/var/qmail/bin/qmail-dkim
export DKIMKEY=/usr/local/etc/domainkeys/%/default

in your supervise/qmail-submission/run script as well

Concerning the signing after the smtp-auth, it's not clear to me what you mean by "sent by hosts that are not in RELAYCLIENT". Infact, once authenticated, the sender has the IP of the server, so if 127.0.0.1 has RELAYCLIENT it is going to sign the email..

Reply | Permalink

Hi   I have a different,

Jacekalex roberto puzzanghera October 3, 2011 20:28

Hi

I have a different, simpler idea.

Why qmail-dkim should check and parse RELAYCLIENT 5 or ~ 20 different IP addresses, since exactly the same thing does qmail-smtpd?

I have 2 questions:
I'm not a C programmer, all my experience, this short script in the shell or perl.
Where - where in the qmail-smtpd.c, and in what form (int, void, other), add a piece of code:

if ((flagauth = 1) | | RELAYCLIENT) (env_put2 ("SIGNMAIL", 1));
else (env_put2 ("SIGNMAIL", 0));
return;

Why this code?
Depending on the AUTH ||  RELAYCLIENT,  SIGNMAIL variable will have value 1 or 0

Then in the qmail-dkim going to remove a function

* Revision 1.14 2009-03-31 08:21:58 +05:30 Cprogrammer
* When set dkimsign RELAYCLIENT is defined dkimsign When Both are undefined and dkimverify

and give their own in the shape similar to:

if AUTH then dkimsign;
if RELAYCLIENT then dkimsign;
else dkimverify

A precisely if $SIGNMAIL = 1 then dkimsign else dkimverify.

In my opinion a much simpler solution, and certainly feasible.

Any suggestions very welcome.

Cheers ;)

Reply | Permalink

Hey Jacekalex, I double

roberto puzzanghera Jacekalex October 4, 2011 18:03

Hey Jacekalex, I double checked my configuration and inside my tcp.submission I simply have:

:allow

and my outgoing emails from submission port 587 are signed. No need to put RELAYCLIENT if the client is authenticated.

I don't have the time to study qmail-dkim.c to see where it happens, but the program proves to act as you like.. :-)

Reply | Permalink

Thanks For me I do not want

Jacekalex roberto puzzanghera October 4, 2011 18:21

Thanks

For me I do not want at this moment to sign mail with the authorization of the hosts! RELAYCLIENT, try again to compile the entire qmail, if this does not help, then he'll write a function to the Qmail-scanner, which will sign a check and mails, if need be, then I'll be able to sign up to create a rule in the sql;)
I'm not a C programmer, but in Perl I can cope quite well, and such a function to check or signing with the use of / var / qmail / bin / dkimtest - these are just a few (maybe several) lines of fairly simple code in qmail-scanner, and a little in qmail . c (qq error status).

Cheers
;)

Reply | Permalink

Why qmail-dkim should check

roberto puzzanghera Jacekalex October 4, 2011 00:29

thanks for the contribution, Jacekalex. Unfortunately I've never inspected the code of the DKIM patch. You may want to refer to the author

Why qmail-dkim should check and parse RELAYCLIENT 5 or ~ 20 different IP addresses, since exactly the same thing does qmail-smtpd?

Concerning the first part of your question, you can include just the 127.0.0.1 which counts for all the IPs which do the smtp-auth and use subnets..

cheers

Reply | Permalink

Let me know what change I should make

Cprogrammer roberto puzzanghera July 8, 2013 06:04

Just stumbled upon this post. The thread is long and I will read all the posts when I get time.

Reply | Permalink