DKIM problems

kirk

Jun 2, 2011, 9:35:25 AM
I'm attempting to enable DKIM (first attempt, never have tried this before) from these simple instructions:

http://www.memoryhole.net/qmail/#dkim

I've successfully installed libdomainkeys from sourceforge as well as Mail::DKIM which provides "dktest" and dkimsign.pl (although I've replaced the perl script with the one recommended to accept the --key argument). I've also swapped out qmail-remote and replaced it with the wrapper version, moved the original to qmail-remote.orig as well as "chmod 777 qmail-remote" as recommended.

I've placed the two programs here as well as showing the qmail-remote(s):

cd /var/qmail/bin
-rwxr-xr-x. 1 root   root   4247 Jun  1 19:23 dkimsign.pl
-rwxr-xr-x. 1 root   root  38153 Jun  1 16:43 dktest
-rwxrwxrwx. 1 root   qmail  2250 Jun  1 20:09 qmail-remote
-rwx--x--x. 1 root   qmail 32992 May 26 09:37 qmail-remote.orig

I've also installed the public/private keys by using these instructions:

mkdir -p /etc/domainkeys/example.com/
cd /etc/domainkeys/example.com/
/usr/local/ssl/bin/openssl genrsa -out rsa.private 768
/usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
mv rsa.private default
chown -R qmailq /etc/domainkeys
chmod 0600 default

cd /etc/domainkeys/example.com
-rw-------. 1 qmailq qmail 692 Jun  1 15:56 default
-rw-r--r--. 1 qmailq qmail 223 Jun  1 15:56 rsa.public

When I send a test message from the server itself:
mail -s test m...@example.com

From what I can tell so far (after some hacking in the qmail-remote wrapper) the file "/etc/domainkeys/example.com/default" isn't being detected by the wrapper script from what appears to be a permissions issue. I "chmod 0640 default", rerun the mail test and I at least get to the "dktest" line in the wrapper, but that fails most likely from the "default" file having incorrect permissions?

Can someone provide a little insight to how this should be set up?

Thanks
Kirk


  

Cagri Ersen

Jun 2, 2011, 9:53:07 AM
On Thu, Jun 2, 2011 at 4:35 PM, kirk <ki...@icapsolutions.com> wrote:
I'm attempting to enable DKIM (first attempt, never have tried this before) from these simple instructions:

http://www.memoryhole.net/qmail/#dkim

I've successfully installed libdomainkeys from sourceforge as well as Mail::DKIM which provides "dktest" and dkimsign.pl (although I've replaced the perl script with the one recommended to accept the --key argument). I've also swapped out qmail-remote and replaced it with the wrapper version, moved the original to qmail-remote.orig as well as "chmod 777 qmail-remote" as recommended.

I've placed the two programs here as well as showing the qmail-remote(s):

cd /var/qmail/bin
-rwxr-xr-x. 1 root   root   4247 Jun  1 19:23 dkimsign.pl
-rwxr-xr-x. 1 root   root  38153 Jun  1 16:43 dktest
-rwxrwxrwx. 1 root   qmail  2250 Jun  1 20:09 qmail-remote
-rwx--x--x. 1 root   qmail 32992 May 26 09:37 qmail-remote.orig

I've also installed the public/private keys by using these instructions:

mkdir -p /etc/domainkeys/example.com/
cd /etc/domainkeys/example.com/
/usr/local/ssl/bin/openssl genrsa -out rsa.private 768
/usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
mv rsa.private default
chown -R qmailq /etc/domainkeys
chmod 0600 default

cd /etc/domainkeys/example.com
-rw-------. 1 qmailq qmail 692 Jun  1 15:56 default
-rw-r--r--. 1 qmailq qmail 223 Jun  1 15:56 rsa.public

I think the owner of the files should be qmailr.
chown -fR qmailr /etc/domainkeys/
 

When I send a test message from the server itself:
mail -s test m...@example.com

From what I can tell so far (after some hacking in the qmail-remote wrapper) the file "/etc/domainkeys/example.com/default" isn't being detected by the wrapper script from what appears to be a permissions issue. I "chmod 0640 default", rerun the mail test and I at least get to the "dktest" line in the wrapper, but that fails most likely from the "default" file having incorrect permissions?

Can someone provide a little insight to how this should be set up?

Thanks
Kirk


  



--
Cagri Ersen
http://www.syslogs.org

Thibault Richard

Jun 2, 2011, 10:03:41 AM
----- Original Message -----
To: kirk
Sent: Thursday, June 02, 2011 3:53 PM
Subject: Re: DKIM problems

On Thu, Jun 2, 2011 at 4:35 PM, kirk <ki...@icapsolutions.com> wrote:
I'm attempting to enable DKIM (first attempt, never have tried this before) from these simple instructions:

http://www.memoryhole.net/qmail/#dkim

I've successfully installed libdomainkeys from sourceforge as well as Mail::DKIM which provides "dktest" and dkimsign.pl (although I've replaced the perl script with the one recommended to accept the --key argument). I've also swapped out qmail-remote and replaced it with the wrapper version, moved the original to qmail-remote.orig as well as "chmod 777 qmail-remote" as recommended.

I've placed the two programs here as well as showing the qmail-remote(s):

cd /var/qmail/bin
-rwxr-xr-x. 1 root   root   4247 Jun  1 19:23 dkimsign.pl
-rwxr-xr-x. 1 root   root  38153 Jun  1 16:43 dktest
-rwxrwxrwx. 1 root   qmail  2250 Jun  1 20:09 qmail-remote
-rwx--x--x. 1 root   qmail 32992 May 26 09:37 qmail-remote.orig

I've also installed the public/private keys by using these instructions:

mkdir -p /etc/domainkeys/example.com/
cd /etc/domainkeys/example.com/
/usr/local/ssl/bin/openssl genrsa -out rsa.private 768
/usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
mv rsa.private default
chown -R qmailq /etc/domainkeys
chmod 0600 default

cd /etc/domainkeys/example.com
-rw-------. 1 qmailq qmail 692 Jun  1 15:56 default
-rw-r--r--. 1 qmailq qmail 223 Jun  1 15:56 rsa.public

I think the owner of the files should be qmailr.
chown -fR qmailr /etc/domainkeys/
 
When I send a test message from the server itself:

mail -s test m...@example.com

From what I can tell so far (after some hacking in the qmail-remote wrapper) the file "/etc/domainkeys/example.com/default" isn't being detected by the wrapper script from what appears to be a permissions issue. I "chmod 0640 default", rerun the mail test and I at least get to the "dktest" line in the wrapper, but that fails most likely from the "default" file having incorrect permissions?

Can someone provide a little insight to how this should be set up?

Thanks
Kirk


  

kirk

Jun 2, 2011, 12:06:42 PM
this instruction seems to work:
http://manuel.mausz.at/coding/qmail-dkim

but not until after I set "chmod 0777 /var/qmail/bin/qmail-remote" as well as "chmod 0777 /var/qmail/control/dkim".

I don't mind doing this unless this presents some kind of security issue?

Kirk
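
Added example, not part of any poster's message or of the linked wrapper scripts: a shell audit for the permission and key-size questions raised in the posts above. It assumes the key should be owned by the uid that runs qmail-remote (qmailr on a stock qmail install) and applies the RFC 8301 minimum of 1024 bits; `audit_dkim`, `has_perm` and the finding labels are names invented for this sketch.

```shell
#!/bin/sh
# Added example: permission and key-size audit for a qmail DKIM signing setup.
# audit_dkim, has_perm and the finding labels are names invented here.

# has_perm FILE MODE: true when FILE has every permission bit in MODE set.
has_perm() { [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]; }

# audit_dkim WRAPPER KEYFILE EXPECTED_UID
# Prints one finding per line; returns 0 only when nothing was found.
audit_dkim() {
    wrapper=$1 key=$2 want_uid=$3 bad=0

    # A world-writable program or key directory can be replaced by any local
    # account, and qmail then runs or signs with the replacement.
    for f in "$wrapper" "$(dirname "$key")"; do
        if has_perm "$f" 0002; then
            echo "WORLD-WRITABLE $f"; bad=1
        fi
    done

    # The private key should be readable by the signing uid and nobody else.
    if has_perm "$key" 0040 || has_perm "$key" 0004; then
        echo "KEY-READABLE-BY-OTHERS $key"; bad=1
    fi
    owner=$(ls -ldn "$key" | awk '{print $3}')   # numeric uid of the owner
    if [ "$owner" != "$want_uid" ]; then
        echo "KEY-OWNER $key uid=$owner expected=$want_uid"; bad=1
    fi

    # RFC 8301: verifiers must not accept RSA keys shorter than 1024 bits.
    if command -v openssl >/dev/null 2>&1; then
        bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null |
               sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
        if [ -n "$bits" ] && [ "$bits" -lt 1024 ]; then
            echo "WEAK-KEY $key ${bits} bits"; bad=1
        fi
    fi
    return "$bad"
}

# Example call (paths from the thread; run as root so the key is readable):
#   audit_dkim /var/qmail/bin/qmail-remote \
#       /etc/domainkeys/example.com/default "$(id -u qmailr)"
if [ "$#" -eq 3 ]; then audit_dkim "$@"; fi
```

A clean run prints nothing and exits 0; the key-size check is skipped when openssl is missing or cannot parse the file.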


John Levine

Jun 2, 2011, 12:22:58 PM
I've been doing my DKIM signing with a perl wrapper around
qmail-queue. It works well for me, was short and easy to code, and it
has the advantage that applications that are inclined to be helpful
(list managers and web mail) can pass environment variables to tell
the signer what identity to use in the signature.

If people are interested I can package it up. I also have a little
script to generate signing keys and tinydns verification keys that
rotate each month. And as an evil hack, I can use wildcard selectors
so each message has a different selector and I can do traffic analysis
on the DNS queries.

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-...@muc.de

Joerg Backschues

Jun 2, 2011, 3:56:21 PM
On 02.06.2011 15:35 wrote kirk:

> Can someone provide a little insight to how this should be setup?

If you are interested in a native C implementation please have a look at:

<http://www.backschues.net/qmail/>

--
Greetings
Jörg Backschues

kirk

Jun 2, 2011, 8:29:12 PM
libdkim doesn't compile:

# make LINUX=y
g++ -c -c dkim.cpp
In file included from dkim.h:163,
from dkim.cpp:23:
macros.h:17:1: warning: "MAKELONG" redefined
In file included from dkim.cpp:23:
dkim.h:22:1: warning: this is the location of the previous definition
dkim.cpp: In function ‘int DKIMVerifyGetDetails(DKIMContext*, int*,
DKIMVerifyDetails**, char*)’:
dkim.cpp:204: error: ‘strcpy’ was not declared in this scope
dkim.cpp: In function ‘char* DKIMVersion()’:
dkim.cpp:226: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp: At global scope:
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp: In function ‘char* DKIMGetErrorString(int)’:
dkim.cpp:255: warning: deprecated conversion from string constant to ‘char*’
make: *** [dkim.o] Error 1

?
k

On 6/2/2011 12:56 PM, Joerg Backschues wrote:
> On 02.06.2011 15:35 wrote kirk:
>

>> Can someone provide a little insight to how this should be setup?

> If you are interested in a native C implementation please have a look at:
>
> <http://www.backschues.net/qmail/>
>

--

Erwin Hoffmann

Jun 3, 2011, 3:55:27 AM
Hi John,

On 2 Jun 2011 16:22:58 -0000
"John Levine" <jo...@iecc.com> wrote:

> I've been doing my DKIM signing with a perl wrapper around
> qmail-queue. It works well for me, was short and easy to code, and it
> has the advantage that applications that are inclined to be helpful
> (list managers and web mail) can pass environment variables to tell
> the signer what identity to use in the signature.

This sounds to fit with SMTP authentication as well.

Though I was initially not inclined to include DKIM in my Spamcontrol patch, however I see a growing need to support DKIM as well (SPF is already on my development list).

If you don't mind sending me your code, I could have a look at it and perhaps provide a combined solution.


> If people are interested I can package it up. I also have a little
> script to generate signing keys and tinydns verification keys that
> rotate each month. And as an evil hack, I can use wildcard selectors
> so each message has a different selector and I can do traffic analysis
> on the DNS queries.

regards.
--eh.


> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly
>


--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE

Manvendra Bhangui

Jun 3, 2011, 9:52:43 AM
On Fri, Jun 3, 2011 at 5:59 AM, kirk <ki...@icapsolutions.com> wrote:
>
> libdkim doesn't compile:
>

Looks like you need #include <string.h>.

I had the same set of issues with libdkim. Have fixed most of the
issues. You can use libdkim-1.3.tar.gz which I have modified at

http://sourceforge.net/projects/indimail/files/mailpack/mailpack-1.1/

You just need to do the usual ./configure ; make ; make install. Also
I have renamed dkimtest with dkim in libdkim-1.3

I also have a patch for netqmail-1.06 which gives you a total C
implementation to sign or verify at SMTP, local or remote delivery. It
includes the above libdkim code and additionally gives you

1. qmail-dkim - a QMAILQUEUE replacement which allows you to sign at
SMTP. This works similarly to Russ Nelson's qmail-dk

2. dkim - which allows you to sign/verify during remote/local delivery

3. spawn-filter - which allows you to put any filter of your choice
during remote/local delivery. It allows you to seamlessly do dkim
signing/verification without having to rename qmail-remote or
qmail-local. spawn-filter allows you to insert your own scripts before
local/remote deliveries. If you want to put a filter just put an entry
in the control file /var/qmail/control/filterargs. e.g. to do dkim
signing only for remote deliveries to gmail.com, you just need to have
the following entry in /var/indimail/control/filterargs

gmail.com:remote:/var/indimail/bin/dk-filter


You can use Roberto Puzzanghera's notes for configuring DKIM for qmail at

http://notes.sagredo.eu/node/92

You can also look at my tutorial at (just replace indimail with qmail)

http://indimail.blogspot.com/2009/04/how-to-set-dkim-signature-in-indimail.html

kirk

Jun 3, 2011, 10:37:56 AM
FYI, I've implemented the all perl solution as provided here:
http://manuel.mausz.at/coding/qmail-dkim
Very simple setup, nicely packaged, but it's causing the server to work entirely too hard, somewhere in the magnitude of about 10X as seen by the CPU usage, too expensive.
I tried the all C solution from here:

http://www.backschues.net/qmail
This most likely would solve the CPU issues seeing as Perl is a CPU hog, but it didn't compile.

Any chance of any other all C or sh solution that would improve, perhaps not relying on firing up an instance of Perl for each and every outgoing message?

Kirk





On 6/3/2011 12:55 AM, Erwin Hoffmann wrote:
Hi John,

On 2 Jun 2011 16:22:58 -0000
"John Levine" <jo...@iecc.com> wrote:

I've been doing my DKIM signing with a perl wrapper around
qmail-queue.  It works well for me, was short and easy to code, and it
has the advantage that applications that are inclined to be helpful
(list managers and web mail) can pass environment variables to tell
the signer what identity to use in the signature.
This sounds to fit with SMTP authentication as well.

Though I was initially not inclined to include DKIM in my Spamcontrol patch, however I see a growing need to support DKIM as well (SPF is already on my development list). 

If you don't mind sending me your code, I could have a look at it and perhaps provide a combined solution.

 
If people are interested I can package it up.  I also have a little
script to generate signing keys and tinydns verification keys that
rotate each month.  And as an evil hack, I can use wildcard selectors
so each message has a different selector and I can do traffic analysis
on the DNS queries.
regards.
--eh. 


Kevin Chadwick

Jun 3, 2011, 12:55:32 PM
On Fri, 03 Jun 2011 07:37:56 -0700
kirk wrote:

> Any chance of any other all C or sh solution that would improve, perhaps
> not relying on firing up an instance of Perl for each and every
> outgoing message?

Don't know but perl should have more potential of being easier on the
cpu than sh but obviously not c.

There's an implementation at "www.memoryhole.net/qmail/#dkim" which uses
a mix of perl and shell scripts which use Mail::DKIM and which is
maintained and also supports Yahoo's original domainkeys, if you like. I
modded them for BSD compatibility, I'll share them but you're using Linux
aren't you?

I have no performance comparison though, but with qmail you're usually
limited by the disks, not the cpu.

John Levine

Jun 3, 2011, 11:58:22 AM
>> I've been doing my DKIM signing with a perl wrapper around
>> qmail-queue. It works well for me, was short and easy to code, and it
>> has the advantage that applications that are inclined to be helpful
>> (list managers and web mail) can pass environment variables to tell
>> the signer what identity to use in the signature.
>
>This sounds to fit with SMTP authentication as well.

Yes, when called from ofmipd it uses TCPREMOTEINFO which has the
authenticated user name to set the i= value.

R's,
John

Manuel Mausz

Jun 3, 2011, 4:17:08 PM
On 03.06.2011 16:37, kirk wrote:
> FYI, I've implemented the all perl solution as provided here:
> http://manuel.mausz.at/coding/qmail-dkim
> <http://manuel.mausz.at/coding/qmail-dkim/>

> Very simple setup, nicely packaged, but it's causing the server to work
> entirely too hard, somewhere in the magnitude of about 10X as seen by
> the CPU usage, too expensive.

Mail::DKIM needs to split the mail into subject/body and this is also
what is a cpu hog.

from a simple dprof:
%Time ExclSec CumulS #Calls sec/call Csec/c Name
 22.3   1.566  2.224  62001   0.0000 0.0000 Mail::DKIM::MessageParser::PRINT
 13.5   0.946  1.864  61997   0.0000 0.0000 Mail::DKIM::Canonicalization::DkimCommon::add_header
 13.1   0.918  0.918  61998   0.0000 0.0000 Mail::DKIM::Canonicalization::relaxed::canonicalize_header
 12.1   0.850  0.850      1   0.8500 0.8499 Mail::DKIM::Canonicalization::DkimCommon::finish_header
 11.8   0.826  2.690  61997   0.0000 0.0000 Mail::DKIM::Algorithm::Base::add_header
 9.41   0.658  0.658  61997   0.0000 0.0000 Mail::DKIM::Common::add_header
 7.69   0.538  4.078      1   0.5380 4.0778 Mail::DKIM::Signer::finish_header

I've done some quick ~20mins testing with swig and libdkim and the
result is much faster:
0m2.671s (Mail::DKIM) vs 0m0.155s (libdkim + swig)
... both with 4.4mb mail

As soon as I find some spare time I'll try to write a better swig
interface for libdkim and see if I can pull out qmail-dkim-0.3.pl :)

/ manuel
