
Domain Keys and dk-filter (on CentOS 5)


Don Levey

Jun 8, 2009, 11:36:51 AM
I hope I am not asking a common question; I've not yet found anything
which addresses the issue I'm seeing.

With an eye toward more proper identification of my mail server to the
outside world, I thought to start implementing Domain Keys. To that end,
I read up on the subject (for example,
http://www.jkurtzman.com/blog/2008/06/setting-up-domainkeys-on-centos)
and then got to work. First, the basic info:

CentOS 5.3
Sendmail 8.13.8-2.el5
dk-milter 1.0.0
saslauthd 2.1.22
with: getpwent kerberos5 pam rimap shadow ldap

I followed the instructions on the blog post referenced above, saslauthd
is running, and yet I'm not getting anything in my headers to indicate
that I'm signing the messages. In my maillog I see:

Jun 8 11:21:15 dungeon dk-filter[11133]: n58FNRUB022845 external host
192.168.1.100 attempted to send as the-leveys.us
Jun 8 11:23:32 dungeon dk-filter[11133]: n58FNRUB022845 external host
gateway.example.com attempted to send as the-leveys.us

Where the former is a machine on my local (home) LAN and the latter is
the gateway machine from my company LAN. I note that if I send a
message from the mail server itself, it does NOT place a similar entry
in the maillog file, but also does not sign the message. The hosts
listed above are otherwise able to send mail, and are listed in the
access file, and the relay-domains file.

Clearly I've missed something; does anyone have any suggestions on where
to look?

Thank you, in advance,
-Don Levey

D. Stussy

Jun 8, 2009, 4:49:49 PM
"Don Levey" <Don...@the-leveys.us> wrote in message
news:h0jb6k$8ps$1...@news.eternal-september.org...

Did you also tell DK to sign that domain and all hosts in each domain? If
no, then there's your problem.


Don Levey

Jun 9, 2009, 3:33:27 PM
D. Stussy wrote:
> "Don Levey" <Don...@the-leveys.us> wrote in message
> news:h0jb6k$8ps$1...@news.eternal-september.org...
>>...

>>
>> Clearly I've missed something; does anyone have any suggestions on where
>> to look?
>
> Did you also tell DK to sign that domain and all hosts in each domain? If
> no, then there's your problem.
>
>
I seem to be running properly now; there were a few problems.

1) I needed an internal and host file, and to point to it with the -i
command-line switch, to make sure that internal machines were properly
accepted.

2) I needed a domains file, and to point to it with the -d switch, to
make sure that mail from my work desktop was properly signed rather than
verified.

3) I needed to use the -D switch as a supplement to -d, to ensure that
the subdomain for my gateway machine at work was recognised.

4) I needed to make sure that the selector was set properly (-S) to
match the DNS TXT record I had set up for my domain.

5) I needed to make sure that the -m switch for MTA pointed to the
proper MTA service name set up in my sendmail.mc file under
DAEMON_OPTIONS. I am running smtp on two ports; I added a second to
deal with intervening firewalls.

6) I also needed to set -H to make sure to rewrite the header lines. I
am also running clamav and spamassassin, both of which add header lines
to each message, and this seemed to be messing up verification once I
could finally sign the messages.

Thanks!
-Don
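
An added example, not part of the thread or of dk-milter: a small check that reads the "external host ... attempted to send as ..." maillog lines quoted in the first post and reports which client hosts are still not covered by the internal hosts list passed with -i. The log and list contents are constructed, and the accepted entry forms (IP, CIDR, hostname, leading-dot domain) are an assumption about the file format.

```python
import ipaddress
import re

# Constructed sample in the format of the maillog lines quoted in the thread.
SAMPLE_LOG = """\
Jun 8 11:21:15 dungeon dk-filter[11133]: n58FNRUB022845 external host 192.168.1.100 attempted to send as the-leveys.us
Jun 8 11:23:32 dungeon dk-filter[11133]: n58FNRUB022846 external host gateway.example.com attempted to send as the-leveys.us
"""
# Constructed internal-hosts list; entry forms (IP, CIDR, hostname, ".domain") are assumed.
SAMPLE_INTERNAL = "127.0.0.1\n192.168.1.0/24  # home LAN\n"

LINE_RE = re.compile(r"dk-filter\[\d+\]: \S+ external host (\S+) attempted to send as (\S+)")

def load_internal(text):
    """One entry per line; '#' starts a comment."""
    stripped = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return [entry for entry in stripped if entry]

def is_internal(host, entries):
    """True if a logged client host is covered by any entry in the list."""
    host = host.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # the log showed a hostname, not an address
    for entry in entries:
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue  # a name entry cannot match an address
        elif entry.startswith(".") and host.endswith(entry):
            return True
        elif host == entry:
            return True
    return False

def uncovered_senders(log_text, entries):
    """Map each client host still treated as external to the domains it sent as."""
    missing = {}
    for host, domain in LINE_RE.findall(log_text):
        if not is_internal(host, entries):
            missing.setdefault(host, set()).add(domain)
    return missing

if __name__ == "__main__":
    for host, domains in uncovered_senders(SAMPLE_LOG, load_internal(SAMPLE_INTERNAL)).items():
        print(f"{host}: add to the internal hosts file (sends as {', '.join(sorted(domains))})")
```

With the constructed inputs, the LAN address is covered by the CIDR entry and only gateway.example.com is reported.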
