Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Sendmail and OpenDKIM
192 views
Skip to first unread message
mario...@gmail.com
Oct 25, 2012, 5:01:42 AM10/25/12
to
Hello,
I have run into a problem described in section Sendmail REWRITING FEATURES on http://www.opendkim.org/README:
Due to the way the milter protocol is incorporated into the MTA, opendkim sees the headers before they are modified as required by those two features (MASQUERADE_AS and FEATURE(genericstable)).
This means the DKIM signature is generated based on the headers originally
injected by the mail client and not on the headers which are actually sent
out by the MTA. As a result, the verifying agent at the receiver's side
will be unable to verify the signature as the signed data and the received
data don't match.
The suggested solutions to this problem are:
(1) Send mail with the headers already written as needed, obviating the
need for these features (or just turn them off).
(2) Have two MTAs set up, either on separate boxes or on the same box.
The first MTA should do all of the rewriting (i.e. use these two
features) and the second one should use opendkim to add the signature
and do no rewriting at all.
(3) Have multiple DaemonPortOptions lines in your configuration file. The
first daemon port (port 25) does the header rewriting and then routes
the message to the second port; the latter does no rewriting but does the
signing and then sends the message on its way.
Since I'm not an expert in Sendmail I have configured it with help of online tutorials and used masquerade to remove host from email address (to get an address to look like user@domain instead of us...@host.domain). Due to same reason (not being an expert), I have problems understanding suggestions above.
Main question: What is the most elegant way to achieve host removal from email address without breaking OpenDKIM?
Best regards,
Mario
I have run into a problem described in section Sendmail REWRITING FEATURES on http://www.opendkim.org/README:
Due to the way the milter protocol is incorporated into the MTA, opendkim sees the headers before they are modified as required by those two features (MASQUERADE_AS and FEATURE(genericstable)).
This means the DKIM signature is generated based on the headers originally
injected by the mail client and not on the headers which are actually sent
out by the MTA. As a result, the verifying agent at the receiver's side
will be unable to verify the signature as the signed data and the received
data don't match.
The suggested solutions to this problem are:
(1) Send mail with the headers already written as needed, obviating the
need for these features (or just turn them off).
(2) Have two MTAs set up, either on separate boxes or on the same box.
The first MTA should do all of the rewriting (i.e. use these two
features) and the second one should use opendkim to add the signature
and do no rewriting at all.
(3) Have multiple DaemonPortOptions lines in your configuration file. The
first daemon port (port 25) does the header rewriting and then routes
the message to the second port; the latter does no rewriting but does the
signing and then sends the message on its way.
Since I'm not an expert in Sendmail I have configured it with help of online tutorials and used masquerade to remove host from email address (to get an address to look like user@domain instead of us...@host.domain). Due to same reason (not being an expert), I have problems understanding suggestions above.
Main question: What is the most elegant way to achieve host removal from email address without breaking OpenDKIM?
Best regards,
Mario
Rob
Oct 25, 2012, 7:20:39 AM10/25/12
to
mario...@gmail.com <mario...@gmail.com> wrote:
> Hello,
>
> I have run into a problem described in section Sendmail REWRITING FEATURES on http://www.opendkim.org/README:
>
> Due to the way the milter protocol is incorporated into the MTA, opendkim sees the headers before they are modified as required by those two features (MASQUERADE_AS and FEATURE(genericstable)).
> This means the DKIM signature is generated based on the headers originally
> injected by the mail client and not on the headers which are actually sent
> out by the MTA. As a result, the verifying agent at the receiver's side
> will be unable to verify the signature as the signed data and the received
> data don't match.
>
> The suggested solutions to this problem are:
>
> (1) Send mail with the headers already written as needed, obviating the
> need for these features (or just turn them off).
>
> (2) Have two MTAs set up, either on separate boxes or on the same box.
> The first MTA should do all of the rewriting (i.e. use these two
> features) and the second one should use opendkim to add the signature
> and do no rewriting at all.
I used this solution, but it nicely fits in our existing system.
> Hello,
>
> I have run into a problem described in section Sendmail REWRITING FEATURES on http://www.opendkim.org/README:
>
> Due to the way the milter protocol is incorporated into the MTA, opendkim sees the headers before they are modified as required by those two features (MASQUERADE_AS and FEATURE(genericstable)).
> This means the DKIM signature is generated based on the headers originally
> injected by the mail client and not on the headers which are actually sent
> out by the MTA. As a result, the verifying agent at the receiver's side
> will be unable to verify the signature as the signed data and the received
> data don't match.
>
> The suggested solutions to this problem are:
>
> (1) Send mail with the headers already written as needed, obviating the
> need for these features (or just turn them off).
>
> (2) Have two MTAs set up, either on separate boxes or on the same box.
> The first MTA should do all of the rewriting (i.e. use these two
> features) and the second one should use opendkim to add the signature
> and do no rewriting at all.
There is one internal system that holds all the received mail and
makes it accessible to the users (IMAP), and the users have this
system as their default gateway. This is where all the masquerading
takes place.
This system has a "smarthost" which it sends all mail to, and it is
the system in the DMZ where internet mail is queued and incoming mail
is scanned for spam and viruses. On that system I implemented OpenDKIM.
mario...@gmail.com
Oct 25, 2012, 7:31:21 AM10/25/12
to
First of all, I'm so stupid!
As my colleague suggested, from field can be set by mail user agents to exclude host from email address.
I tried it and of course it works and I don't need masquerading nor genericstable.
As my colleague suggested, from field can be set by mail user agents to exclude host from email address.
I tried it and of course it works and I don't need masquerading nor genericstable.
0 new messages