dkim-milter verify, but don't sign.

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

dkim-milter verify, but don't sign.

Josef Karliak-2
   Good morning,
   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse  
11.4 64-bit, generated keys (named "mail"). In the dkim-milter config  
I defined my options:
DKIM_MODES="sv"
DKIM_DOMAIN="ajetaci.cz"
DKIM_SELECTOR="mail"
DKIM_CANON="simple"
DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
DKIM_EXTRA_ARGS="-l -h -D"
DKIM_SIGNALG="rsa-sha256"

and in the main.cf I've :
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_default_action = accept

   I tried this over unix socket too.

   Where is an error ? Any kicks to the right way ? :-/
   Thanks and best regards
   J.K.


--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


attachment0 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Robert Schetterer
Am 07.11.2011 10:39, schrieb Josef Karliak:

>   Good morning,
>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
> defined my options:
> DKIM_MODES="sv"
> DKIM_DOMAIN="ajetaci.cz"
> DKIM_SELECTOR="mail"
> DKIM_CANON="simple"
> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
> DKIM_EXTRA_ARGS="-l -h -D"
> DKIM_SIGNALG="rsa-sha256"
>
> and in the main.cf I've :
> milter_protocol = 2
> smtpd_milters = inet:localhost:8891
> non_smtpd_milters = inet:localhost:8891
> milter_default_action = accept
>
>   I tried this over unix socket too.
>
>   Where is an error ? Any kicks to the right way ? :-/
>   Thanks and best regards
>   J.K.
>
>

perhaps this helps

Mode (string)
              Selects operating modes.  The string is a concatenation of
characters which indicate which mode(s) of operation are desired.  Valid
modes are s  (signer)  and  v
              (verifier).  The default is sv except in test mode (see
the dkim-filter(8) man page) in which case the default is v.

so configure your

DKIM_MODES="sv" as you want it
--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Robert Schetterer
Am 07.11.2011 10:46, schrieb Robert Schetterer:

> Am 07.11.2011 10:39, schrieb Josef Karliak:
>>   Good morning,
>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>> defined my options:
>> DKIM_MODES="sv"
>> DKIM_DOMAIN="ajetaci.cz"
>> DKIM_SELECTOR="mail"
>> DKIM_CANON="simple"
>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>> DKIM_EXTRA_ARGS="-l -h -D"
>> DKIM_SIGNALG="rsa-sha256"
>>
>> and in the main.cf I've :
>> milter_protocol = 2
>> smtpd_milters = inet:localhost:8891
>> non_smtpd_milters = inet:localhost:8891
>> milter_default_action = accept
>>
>>   I tried this over unix socket too.
>>
>>   Where is an error ? Any kicks to the right way ? :-/
>>   Thanks and best regards
>>   J.K.
>>
>>
>
> perhaps this helps
>
> Mode (string)
>               Selects operating modes.  The string is a concatenation of
> characters which indicate which mode(s) of operation are desired.  Valid
> modes are s  (signer)  and  v
>               (verifier).  The default is sv except in test mode (see
> the dkim-filter(8) man page) in which case the default is v.
>
> so configure your
>
> DKIM_MODES="sv" as you want it

ups sorry, guess that was not what you asked for

what exactly does not work
do you have any logs?


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Josef Karliak-2
In reply to this post by Robert Schetterer
   Hi,
   modes "sv" is configured - see my config bellow. That's crazy on  
that. When I "ps -ef" :
/usr/bin/dkim-filter -p inet:8891@localhost -b sv -c simple -C  
bad=a,dns=t,no=a,sec=t -d ajetaci.cz -S rsa-sha256 -s mail -k  
/etc/mail/dkim/mail.private -l -h -D

   Thanks
   J.K.

Cituji Robert Schetterer <[hidden email]>:

> Am 07.11.2011 10:39, schrieb Josef Karliak:
>>   Good morning,
>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>> defined my options:
>> DKIM_MODES="sv"
>> DKIM_DOMAIN="ajetaci.cz"
>> DKIM_SELECTOR="mail"
>> DKIM_CANON="simple"
>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>> DKIM_EXTRA_ARGS="-l -h -D"
>> DKIM_SIGNALG="rsa-sha256"
>>
>> and in the main.cf I've :
>> milter_protocol = 2
>> smtpd_milters = inet:localhost:8891
>> non_smtpd_milters = inet:localhost:8891
>> milter_default_action = accept
>>
>>   I tried this over unix socket too.
>>
>>   Where is an error ? Any kicks to the right way ? :-/
>>   Thanks and best regards
>>   J.K.
>>
>>
>
> perhaps this helps
>
> Mode (string)
>               Selects operating modes.  The string is a concatenation of
> characters which indicate which mode(s) of operation are desired.  Valid
> modes are s  (signer)  and  v
>               (verifier).  The default is sv except in test mode (see
> the dkim-filter(8) man page) in which case the default is v.
>
> so configure your
>
> DKIM_MODES="sv" as you want it
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
>


--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


attachment0 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Josef Karliak-2
In reply to this post by Robert Schetterer
   Hi,
   modes "sv" is configured - see my config bellow. That's crazy on  
that. When I "ps -ef" :
/usr/bin/dkim-filter -p inet:8891@localhost -b sv -c simple -C  
bad=a,dns=t,no=a,sec=t -d ajetaci.cz -S rsa-sha256 -s mail -k  
/etc/mail/dkim/mail.private -l -h -D

   Thanks
   J.K.

Cituji Robert Schetterer <[hidden email]>:

> Am 07.11.2011 10:39, schrieb Josef Karliak:
>>   Good morning,
>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>> defined my options:
>> DKIM_MODES="sv"
>> DKIM_DOMAIN="ajetaci.cz"
>> DKIM_SELECTOR="mail"
>> DKIM_CANON="simple"
>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>> DKIM_EXTRA_ARGS="-l -h -D"
>> DKIM_SIGNALG="rsa-sha256"
>>
>> and in the main.cf I've :
>> milter_protocol = 2
>> smtpd_milters = inet:localhost:8891
>> non_smtpd_milters = inet:localhost:8891
>> milter_default_action = accept
>>
>>   I tried this over unix socket too.
>>
>>   Where is an error ? Any kicks to the right way ? :-/
>>   Thanks and best regards
>>   J.K.
>>
>>
>
> perhaps this helps
>
> Mode (string)
>               Selects operating modes.  The string is a concatenation of
> characters which indicate which mode(s) of operation are desired.  Valid
> modes are s  (signer)  and  v
>               (verifier).  The default is sv except in test mode (see
> the dkim-filter(8) man page) in which case the default is v.
>
> so configure your
>
> DKIM_MODES="sv" as you want it
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
>


--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


attachment0 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Josef Karliak-2
In reply to this post by Robert Schetterer
   In the message header I've :
X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
  header.i=unknown; dkim-adsp=fail

  And in the mail log:
Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host  
[192.168.2.5] attempted to send as ajetaci.cz

   I've a few similar dkim installations that works (but on older opensuses..).

   Maybe some small stupid misconfig, but where. It is all simple :-/


   thanks
   J.K.

Cituji Robert Schetterer <[hidden email]>:

> Am 07.11.2011 10:46, schrieb Robert Schetterer:
>> Am 07.11.2011 10:39, schrieb Josef Karliak:
>>>   Good morning,
>>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>>> defined my options:
>>> DKIM_MODES="sv"
>>> DKIM_DOMAIN="ajetaci.cz"
>>> DKIM_SELECTOR="mail"
>>> DKIM_CANON="simple"
>>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>>> DKIM_EXTRA_ARGS="-l -h -D"
>>> DKIM_SIGNALG="rsa-sha256"
>>>
>>> and in the main.cf I've :
>>> milter_protocol = 2
>>> smtpd_milters = inet:localhost:8891
>>> non_smtpd_milters = inet:localhost:8891
>>> milter_default_action = accept
>>>
>>>   I tried this over unix socket too.
>>>
>>>   Where is an error ? Any kicks to the right way ? :-/
>>>   Thanks and best regards
>>>   J.K.
>>>
>>>
>>
>> perhaps this helps
>>
>> Mode (string)
>>               Selects operating modes.  The string is a concatenation of
>> characters which indicate which mode(s) of operation are desired.  Valid
>> modes are s  (signer)  and  v
>>               (verifier).  The default is sv except in test mode (see
>> the dkim-filter(8) man page) in which case the default is v.
>>
>> so configure your
>>
>> DKIM_MODES="sv" as you want it
>
> ups sorry, guess that was not what you asked for
>
> what exactly does not work
> do you have any logs?
>
>
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
>


--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


attachment0 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Robert Schetterer
Am 07.11.2011 10:56, schrieb Josef Karliak:

>   In the message header I've :
> X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
> Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
>  header.i=unknown; dkim-adsp=fail
>
>  And in the mail log:
> Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host
> [192.168.2.5] attempted to send as ajetaci.cz
>
>   I've a few similar dkim installations that works (but on older
> opensuses..).
>
>   Maybe some small stupid misconfig, but where. It is all simple :-/
>
>
>   thanks
>   J.K.


sorry i am short in time perhaps this helps

man dkim-filter.conf

 ExternalIgnoreList (string)
              Identifies a file of "external" hosts which may send mail
through the server as one of the signing domains without credentials as
such.  Basically suppresses the
              "external host (hostname) tried to send mail as (domain)"
log messages.  Entries in the file should be of the same form as those
of the  PeerList  option  below.
              The list is empty by default.

>
> Cituji Robert Schetterer <[hidden email]>:
>
>> Am 07.11.2011 10:46, schrieb Robert Schetterer:
>>> Am 07.11.2011 10:39, schrieb Josef Karliak:
>>>>   Good morning,
>>>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>>>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>>>> defined my options:
>>>> DKIM_MODES="sv"
>>>> DKIM_DOMAIN="ajetaci.cz"
>>>> DKIM_SELECTOR="mail"
>>>> DKIM_CANON="simple"
>>>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>>>> DKIM_EXTRA_ARGS="-l -h -D"
>>>> DKIM_SIGNALG="rsa-sha256"
>>>>
>>>> and in the main.cf I've :
>>>> milter_protocol = 2
>>>> smtpd_milters = inet:localhost:8891
>>>> non_smtpd_milters = inet:localhost:8891
>>>> milter_default_action = accept
>>>>
>>>>   I tried this over unix socket too.
>>>>
>>>>   Where is an error ? Any kicks to the right way ? :-/
>>>>   Thanks and best regards
>>>>   J.K.
>>>>
>>>>
>>>
>>> perhaps this helps
>>>
>>> Mode (string)
>>>               Selects operating modes.  The string is a concatenation of
>>> characters which indicate which mode(s) of operation are desired.  Valid
>>> modes are s  (signer)  and  v
>>>               (verifier).  The default is sv except in test mode (see
>>> the dkim-filter(8) man page) in which case the default is v.
>>>
>>> so configure your
>>>
>>> DKIM_MODES="sv" as you want it
>>
>> ups sorry, guess that was not what you asked for
>>
>> what exactly does not work
>> do you have any logs?
>>
>>
>> --
>> Best Regards
>>
>> MfG Robert Schetterer
>>
>> Germany/Munich/Bavaria
>>
>
>
>


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Josef Karliak-2
   Hi,
   thanks for tips, I used "-i ilist        file containing list of  
internal (signing) hosts".
   It is signing now, but signature fails on the verifier :
Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A SSL  
error:04077068:rsa routines:RSA_verify:bad signature
Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A: bad signature data

   In the message header :
X-DKIM: Sendmail DKIM Filter v2.7.2 celer.ajetaci.cz 5CCC8C750A
Authentication-Results: celer.ajetaci.cz; dkim=hardfail
(verification failed) header.i=@fnhk.cz; dkim-adsp=fail

   Interesting is, that verifier in the way of this email accepted it  
signing domain fnhk.cz (I don't wanna overwite domain before post it  
here anymore :)  :
X-DKIM: Sendmail DKIM Filter v2.7.2 antivir2.fnhk.cz 71EAF282B8
Authentication-Results: antivir2.fnhk.cz; dkim=pass (1024-bit key)
        header.i=@fnhk.cz; dkim-adsp=pass

   Maybe error in the adding some headers by server antivir2.fnhk.cz ? :
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fnhk.cz; s=mail;
        t=1320665813; bh=FD+AeMxIothgfnBUmgiB3BMcpAHS75XIiHCbbzJzcPg=;
        h=Subject:From:To:Content-Type:Date:Message-ID:Mime-Version:
         Content-Transfer-Encoding; b=CRNC8R1tz/4LDsr6SwSAErYvN7y7Zfa2EK6pf
        cwrtlfBBvYWRBCVr8n0doU2dAGdPVEq96q9Jf9cVf2o5deFLosOLxW/OnXuXhflWqzU
        jao6Pjw/JU5473lDWxr2tk7BzPco6N80LsjvmY3cN+4dChWhUxlnEaGVUm51PlgvU08
        =

   Thanks a lot
   J.K.

Cituji Robert Schetterer <[hidden email]>:

> Am 07.11.2011 10:56, schrieb Josef Karliak:
>>   In the message header I've :
>> X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
>> Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
>>  header.i=unknown; dkim-adsp=fail
>>
>>  And in the mail log:
>> Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host
>> [192.168.2.5] attempted to send as ajetaci.cz
>>
>>   I've a few similar dkim installations that works (but on older
>> opensuses..).
>>
>>   Maybe some small stupid misconfig, but where. It is all simple :-/
>>
>>
>>   thanks
>>   J.K.
>
>
> sorry i am short in time perhaps this helps
>
> man dkim-filter.conf
>
>  ExternalIgnoreList (string)
>               Identifies a file of "external" hosts which may send mail
> through the server as one of the signing domains without credentials as
> such.  Basically suppresses the
>               "external host (hostname) tried to send mail as (domain)"
> log messages.  Entries in the file should be of the same form as those
> of the  PeerList  option  below.
>               The list is empty by default.
>
>>
>> Cituji Robert Schetterer <[hidden email]>:
>>
>>> Am 07.11.2011 10:46, schrieb Robert Schetterer:
>>>> Am 07.11.2011 10:39, schrieb Josef Karliak:
>>>>>   Good morning,
>>>>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>>>>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter config I
>>>>> defined my options:
>>>>> DKIM_MODES="sv"
>>>>> DKIM_DOMAIN="ajetaci.cz"
>>>>> DKIM_SELECTOR="mail"
>>>>> DKIM_CANON="simple"
>>>>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>>>>> DKIM_EXTRA_ARGS="-l -h -D"
>>>>> DKIM_SIGNALG="rsa-sha256"
>>>>>
>>>>> and in the main.cf I've :
>>>>> milter_protocol = 2
>>>>> smtpd_milters = inet:localhost:8891
>>>>> non_smtpd_milters = inet:localhost:8891
>>>>> milter_default_action = accept
>>>>>
>>>>>   I tried this over unix socket too.
>>>>>
>>>>>   Where is an error ? Any kicks to the right way ? :-/
>>>>>   Thanks and best regards
>>>>>   J.K.
>>>>>
>>>>>
>>>>
>>>> perhaps this helps
>>>>
>>>> Mode (string)
>>>>               Selects operating modes.  The string is a concatenation of
>>>> characters which indicate which mode(s) of operation are desired.  Valid
>>>> modes are s  (signer)  and  v
>>>>               (verifier).  The default is sv except in test mode (see
>>>> the dkim-filter(8) man page) in which case the default is v.
>>>>
>>>> so configure your
>>>>
>>>> DKIM_MODES="sv" as you want it
>>>
>>> ups sorry, guess that was not what you asked for
>>>
>>> what exactly does not work
>>> do you have any logs?
>>>
>>>
>>> --
>>> Best Regards
>>>
>>> MfG Robert Schetterer
>>>
>>> Germany/Munich/Bavaria
>>>
>>
>>
>>
>
>
> --
> Best Regards
>
> MfG Robert Schetterer
>
> Germany/Munich/Bavaria
>


--
Ma domena pouziva zabezpeceni a kontrolu SPF (www.openspf.org) a  
DomainKeys/DKIM (with ADSP) . Pokud mate problemy s dorucenim emailu,  
zacnete pouzivat metody overeni puvody emailu zminene vyse. Dekuji.
My domain use SPF (www.openspf.org) and DomainKeys/DKIM (with ADSP)  
policy and check. If you've problem with sending emails to me, start  
using email origin methods mentioned above. Thank you.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


attachment0 (1K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Robert Schetterer
Am 07.11.2011 12:50, schrieb Josef Karliak:

>   Hi,
>   thanks for tips, I used "-i ilist        file containing list of
> internal (signing) hosts".
>   It is signing now, but signature fails on the verifier :
> Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A SSL
> error:04077068:rsa routines:RSA_verify:bad signature
> Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A: bad signature data
>
>   In the message header :
> X-DKIM: Sendmail DKIM Filter v2.7.2 celer.ajetaci.cz 5CCC8C750A
> Authentication-Results: celer.ajetaci.cz; dkim=hardfail
> (verification failed) header.i=@fnhk.cz; dkim-adsp=fail
>
>   Interesting is, that verifier in the way of this email accepted it
> signing domain fnhk.cz (I don't wanna overwite domain before post it
> here anymore :)  :
> X-DKIM: Sendmail DKIM Filter v2.7.2 antivir2.fnhk.cz 71EAF282B8
> Authentication-Results: antivir2.fnhk.cz; dkim=pass (1024-bit key)
>     header.i=@fnhk.cz; dkim-adsp=pass
>
>   Maybe error in the adding some headers by server antivir2.fnhk.cz ? :
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fnhk.cz; s=mail;
>     t=1320665813; bh=FD+AeMxIothgfnBUmgiB3BMcpAHS75XIiHCbbzJzcPg=;
>     h=Subject:From:To:Content-Type:Date:Message-ID:Mime-Version:
>      Content-Transfer-Encoding; b=CRNC8R1tz/4LDsr6SwSAErYvN7y7Zfa2EK6pf
>     cwrtlfBBvYWRBCVr8n0doU2dAGdPVEq96q9Jf9cVf2o5deFLosOLxW/OnXuXhflWqzU
>     jao6Pjw/JU5473lDWxr2tk7BzPco6N80LsjvmY3cN+4dChWhUxlnEaGVUm51PlgvU08
>     =
>
>   Thanks a lot
>   J.K.

sorry no time to check that further
keep safe that nothing does change the header, after
dkim milter does ( i.e some x antivirus mail was added too etc)

verifieres sometimes need long to give right answers, about failed and
reconfigured  dkim keys
cause they use dns caching, so try a new verifier,

post your problem dkim-milter list

http://sourceforge.net/mail/?group_id=139420

>
> Cituji Robert Schetterer <[hidden email]>:
>
>> Am 07.11.2011 10:56, schrieb Josef Karliak:
>>>   In the message header I've :
>>> X-DKIM: Sendmail DKIM Filter v2.7.2 kostnew.ajetaci.cz 8840B239C3
>>> Authentication-Results: kostnew.ajetaci.cz; dkim=none (no signature)
>>>  header.i=unknown; dkim-adsp=fail
>>>
>>>  And in the mail log:
>>> Nov  7 10:48:37 kostnew dkim-filter[16623]: 8840B239C3 external host
>>> [192.168.2.5] attempted to send as ajetaci.cz
>>>
>>>   I've a few similar dkim installations that works (but on older
>>> opensuses..).
>>>
>>>   Maybe some small stupid misconfig, but where. It is all simple :-/
>>>
>>>
>>>   thanks
>>>   J.K.
>>
>>
>> sorry i am short in time perhaps this helps
>>
>> man dkim-filter.conf
>>
>>  ExternalIgnoreList (string)
>>               Identifies a file of "external" hosts which may send mail
>> through the server as one of the signing domains without credentials as
>> such.  Basically suppresses the
>>               "external host (hostname) tried to send mail as (domain)"
>> log messages.  Entries in the file should be of the same form as those
>> of the  PeerList  option  below.
>>               The list is empty by default.
>>
>>>
>>> Cituji Robert Schetterer <[hidden email]>:
>>>
>>>> Am 07.11.2011 10:46, schrieb Robert Schetterer:
>>>>> Am 07.11.2011 10:39, schrieb Josef Karliak:
>>>>>>   Good morning,
>>>>>>   I configured dkim-milter (2.7.2-x) to postfix (2.7.2-x) on opensuse
>>>>>> 11.4 64-bit, generated keys (named "mail"). In the dkim-milter
>>>>>> config I
>>>>>> defined my options:
>>>>>> DKIM_MODES="sv"
>>>>>> DKIM_DOMAIN="ajetaci.cz"
>>>>>> DKIM_SELECTOR="mail"
>>>>>> DKIM_CANON="simple"
>>>>>> DKIM_REJECTION="bad=a,dns=t,no=a,sec=t"
>>>>>> DKIM_EXTRA_ARGS="-l -h -D"
>>>>>> DKIM_SIGNALG="rsa-sha256"
>>>>>>
>>>>>> and in the main.cf I've :
>>>>>> milter_protocol = 2
>>>>>> smtpd_milters = inet:localhost:8891
>>>>>> non_smtpd_milters = inet:localhost:8891
>>>>>> milter_default_action = accept
>>>>>>
>>>>>>   I tried this over unix socket too.
>>>>>>
>>>>>>   Where is an error ? Any kicks to the right way ? :-/
>>>>>>   Thanks and best regards
>>>>>>   J.K.
>>>>>>
>>>>>>
>>>>>
>>>>> perhaps this helps
>>>>>
>>>>> Mode (string)
>>>>>               Selects operating modes.  The string is a
>>>>> concatenation of
>>>>> characters which indicate which mode(s) of operation are desired.
>>>>> Valid
>>>>> modes are s  (signer)  and  v
>>>>>               (verifier).  The default is sv except in test mode (see
>>>>> the dkim-filter(8) man page) in which case the default is v.
>>>>>
>>>>> so configure your
>>>>>
>>>>> DKIM_MODES="sv" as you want it
>>>>
>>>> ups sorry, guess that was not what you asked for
>>>>
>>>> what exactly does not work
>>>> do you have any logs?
>>>>
>>>>
>>>> --
>>>> Best Regards
>>>>
>>>> MfG Robert Schetterer
>>>>
>>>> Germany/Munich/Bavaria
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> Best Regards
>>
>> MfG Robert Schetterer
>>
>> Germany/Munich/Bavaria
>>
>
>
>


--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Steve Jenkins-3
2011/11/7 Robert Schetterer <[hidden email]>:
> post your problem dkim-milter list
>
> http://sourceforge.net/mail/?group_id=139420

FYI - that list doesn't exist any more. dkim-milter has been
deprecated in favor of OpenDKIM (http://opendkim.org/). It's an
actively-supported milter project, and switching over from dkim-milter
is painless. :)

SteveJ
Reply | Threaded
Open this post in threaded view
|

Re: dkim-milter verify, but don't sign.

Frank Bonnet
On 11/07/2011 05:15 PM, Steve Jenkins wrote:

> 2011/11/7 Robert Schetterer<[hidden email]>:
>> post your problem dkim-milter list
>>
>> http://sourceforge.net/mail/?group_id=139420
> FYI - that list doesn't exist any more. dkim-milter has been
> deprecated in favor of OpenDKIM (http://opendkim.org/). It's an
> actively-supported milter project, and switching over from dkim-milter
> is painless. :)
>
> SteveJ

+1

opendkim works fine with Postfix


Reply | Threaded
Open this post in threaded view
|

RE: dkim-milter verify, but don't sign.

Murray S. Kucherawy-2
In reply to this post by Josef Karliak-2
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Josef Karliak
> Sent: Monday, November 07, 2011 3:50 AM
> To: Robert Schetterer
> Cc: [hidden email]
> Subject: Re: dkim-milter verify, but don't sign.
>
>    Hi,
>    thanks for tips, I used "-i ilist        file containing list of
> internal (signing) hosts".
>    It is signing now, but signature fails on the verifier :
> Nov  7 12:40:54 celer dkim-filter[4888]: 5CCC8C750A SSL
> error:04077068:rsa routines:RSA_verify:bad signature Nov  7 12:40:54
> celer dkim-filter[4888]: 5CCC8C750A: bad signature data

Both dkim-filter (which is now obsolete, and 2.7.2 wasn't the most recent release anyway) and opendkim have tools to debug these problems, especially if you are both the signer and the verifier as you are in this case.

But this isn't a postfix problem.  I suggest upgrading to opendkim and then posting your question on the opendkim-users list.

-MSK