Discussion:
[dkim-milter-discuss] sendmail non-smtpd possible?
Willem Kossen
2011-08-05 12:57:00 UTC
Hi there,

I have successfully implemented dkim signing in my mailserver, but it only
works when mail is delivered to it via smtp. A lot of mail however comes in
via sendmail executable for instance because of websites, webmail or
applications sending out notices. I want that mail to be signed as well. Is
it possible at all (like in postfix non-smtpd filters) or in any other way?
In fact, I would like all outgoing mail to be signed.

Thanks
--
------------
Willem Kossen
Rolf E. Sonneveld
2011-08-05 20:36:42 UTC
Hi, Willem,
I'm not sure about the exact Sendmail configuration options you will
need, but in general the following is important to keep in mind. To
minimize DKIM signature corruption, it is important to sign at the final
step before delivery of the mail to a remote SMTP server. This is true
for both mail that is to be signed and originates locally (via a web
application or a command line script), as well as for mail you receive
via SMTP which you have to sign before delivering it to its destination
(e.g. the Internet).

Having said that, you will want to look for a Sendmail configuration
that allows you to invoke the milter right before (or from within) the
_outbound_ SMTP connection. You may have to define the milter in your
ClientPortOptions setting, I'm not sure. Or switch to Postfix ;-)

BTW: I wonder whether you implemented DKIM signing using the dkim-milter
milter software or using OpenDKIM? As you post your question on the
dkim-milter-discuss list I suppose the former is true. I'd recommend to
forget about dkim-milter and start using OpenDKIM
(http://www.opendkim.org/) as dkim-milter is no longer maintained and
its author dropped dkim-milter development and continued the
dkim-milter work as the opendkim project.

Regards,
/rolf
Murray S. Kucherawy
2011-08-06 07:27:33 UTC
First, as Rolf said, you should switch to opendkim. This package has been unmaintained for over two years.

I just tried it with sendmail 8.14.4 and opendkim 2.4.2 (just released!), and it signed a message I sent using the sendmail shell interface rather than SMTP. Since that means sendmail does provide milter service to mail that's piped in, you should be able to get dkim-milter to do it too unless there was a bug in it in this regard.

You can always use LogWhy to track down why your mail isn't being signed. It might have something to do with a domain name mismatch in the mail you're feeding.

Good luck,
-MSK

Willem Kossen
2011-08-08 11:09:03 UTC
Thanks for both your responses. I made the switch, which was next to
painless, but that didn't solve my problem, in fact, it seems stranger than
I thought at first.

echo test | mail ***@example.com --> no signing
echo test | sendmail ***@example.com --> no signing
squirrelmail on same host sending a mail --> no signing
changed squirrelmail config to use smtp, --> no signing (?)
telnet to mailserver from other host on smtp port --> no signing???
telnet from server itself on smtp --> no signing ???
and now thunderbird using this server as smtp --> no signing /??????
sendEmail -s localhost -f ***@example.com -t ***@example.com -u test -m test -v --> yes, signed

Now I can understand that the from addresses are different in some cases,
but even with direct telnet to smtp, when I use from-domains listed in
opendkim.conf Domain statement, no luck. It's probably something simple I'm
missing, but I'm sure missing it... any pointers?

(sendEmail is a commandline tool for sending mail over smtp which I use a
lot)

Kind regards,

Willem Kossen
Willem Kossen
2011-08-08 12:15:49 UTC
Ah, I think I figured it out...
What happens in many cases is that mail originates from
***@localhost.localdomain. I didn't tell opendkim to sign mail from that
domain. Still the mail ends up as @wkossen.nl in the recipient's mailbox, but
sendmail didn't know that at the time the mail was delivered to it. During
input, it was localhost.localdomain. Therefore no signing. Now I told
opendkim in the config file that the domain localhost.localdomain should be
signed and it worked.

And squirrelmail delivered mail as ***@localhost (no localdomain). I added
that domain too. This is far from ideal, a bit of a hack, but I guess it
works.

Thanks for the help
Murray S. Kucherawy
2011-08-08 17:34:41 UTC
(Since you installed OpenDKIM instead, I'll Cc: that list and we should move this discussion over there.)

There are rewrite rules in the sendmail configuration that change the From: field (features called "masquerade" and "genericstable"). That's why it appears to be delivered with the From: field you expect. The problem is that those changes are made only after the filter has seen them, which is why you have to tell opendkim to sign for "localhost.localdomain" because that's what the filter sees.

In fact, you might want to check that the signatures are being validated, because they probably are failing since the data are essentially being changed in transit.

You will probably need either the "replace rules" feature to deal with this, or you'll need to arrange that your mail is generated with the final domain name in there and not "localhost.localdomain" to get it verifying properly.

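What Murray describes above, as an added example that is not part of the original thread or OpenDKIM's own code: a simplified Python model of the Domain check against the From: domain the filter sees, plus RFC 6376 relaxed header canonicalization, showing that a later From: rewrite changes the signed header hash while refolding does not. The addresses, the `example.org` domain and all function names are constructed for illustration, and the RSA step of a real signature is omitted.

```python
import hashlib
import re

def relaxed_header(name, value):
    """RFC 6376 section 3.4.2 relaxed header canonicalization."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse and trim whitespace
    return f"{name.lower().strip()}:{value}\r\n"

def header_hash(headers, signed=("from", "to", "subject")):
    """SHA-256 over the canonicalized signed header fields.

    Simplification: a real DKIM signature also covers the DKIM-Signature
    field itself and signs this digest with RSA; only the hash input matters here.
    """
    by_name = {n.lower(): (n, v) for n, v in headers}
    data = "".join(relaxed_header(*by_name[h]) for h in signed)
    return hashlib.sha256(data.encode("ascii")).hexdigest()

def from_domain(headers):
    """Domain of the From: address as the filter sees it."""
    value = {n.lower(): v for n, v in headers}["from"]
    return value.rsplit("@", 1)[1].strip(" >\t").lower()

def would_sign(headers, domains):
    """Simplified model of the Domain check: sign only if the From: domain is listed."""
    return from_domain(headers) in domains

# Constructed sample: locally submitted mail as the filter sees it.
AT_FILTER = [("From", "www-data@localhost.localdomain"),
             ("To", "user@example.com"),
             ("Subject", "test")]
# Same message after a later From: rewrite (example.org is a placeholder domain).
REWRITTEN = [("From", "www-data@example.org"), AT_FILTER[1], AT_FILTER[2]]
# Same message with only header-name case and whitespace changes.
REFOLDED = [("FROM", "  www-data@localhost.localdomain "),
            ("To", "user@example.com"),
            ("Subject", "test")]

if __name__ == "__main__":
    print("signed with only example.org listed:",
          would_sign(AT_FILTER, {"example.org"}))
    print("signed once localhost.localdomain is listed:",
          would_sign(AT_FILTER, {"example.org", "localhost.localdomain"}))
    print("hash survives refolding:",
          header_hash(AT_FILTER) == header_hash(REFOLDED))
    print("hash survives From: rewrite:",
          header_hash(AT_FILTER) == header_hash(REWRITTEN))
```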
Willem Kossen
2011-08-09 13:16:23 UTC
I checked, the keys seem to validate (although I don't really understand
how). I used the autoresponder checking e-mail addresses on some sites. I
don't think I have feature masquerade activated in sendmail, but I'll check.

In fact it is a bit of a problem to tell daemons on ux to not use
localhost.localdomain. I solved that for squirrelmail by editing the
user profile to show the correct reply-to address.