dkimproxy-users Mailing List for DKIMproxy

To Whom It May Concern,

My forum software has undergone an upgrade and the correct URL for the
forum about Mail::DKIM & DKIM Proxy is now:

https://forums.meulie.net/c/mail-dkim-and-dkim-proxy/

--
Greetings,
    Evert

Hi, I'v a problem to verify incoming mail with DKIMproxy with OpenSMTPD on OpenBSD 5.7, this is my configuration: (DKIMproxy outbound mail is ok)

/etc/mail $ cat smtpd.conf


  table aliases db:/etc/mail/aliases.db
  table domains file:/etc/mail/domains
  table users file:/etc/mail/users
  table blacklist-recipients file:/etc/mail/blacklist-recipients

  pki mx.muscelli.org key "/etc/ssl/private/mx.muscelli.org.key"
  pki mx.muscelli.org certificate "/etc/ssl/mx.muscelli.org.crt"

  max-message-size 50M

  listen on egress pki mx.muscelli.org smtps auth hostname muscelli.org 
  listen on egress pki mx.muscelli.org tls-require hostname muscelli.org mask-source 
  listen on egress pki mx.muscelli.org port submission tls-require hostname muscelli.org mask-source 


  accept from any \
      recipient !<blacklist-recipients> \
      for domain <domains> \
      virtual <users> \
      deliver to maildir "/var/mail/%{user.username}/Inbox"

  accept from any \
      recipient !<blacklist-recipients> \
      for local alias <aliases> \
      deliver to maildir "/var/mail/%{user.username}/Inbox"

  listen on lo0 hostname muscelli.org 
  listen on lo0 port 10028 tag DKIM hostname muscelli.org mask-source 
  listen on  egress port 10035 tag DKIM_IN hostname muscelli.org

  accept tagged DKIM \
      for any \
      relay \
      hostname muscelli.org 

  accept tagged DKIM_IN \
      for any \
      relay \
      via smtp://127.0.0.1:10036

  accept from local \
      for any \
      relay via smtp://127.0.0.1:10027

Any advice??? Thank you

Gianluca D.Muscelli
in...@mu...

MPORTANT NOTICE: This message is intended only for the use of the addressee, and may contain information that is private, confidential or otherwise restricted from disclosure. If you are not the intended recipient, any distribution or copying of this communication is strictly prohibited.  If you have received this in error, please notify immediately by contacting pos...@mu...

Question regarding this option in dkimproxy_out:

       --user=USER
           If specified, the daemonized process will setuid() to USER after
           completing any necessary privileged operations, but before
           accepting connections.

Is reading the private key one of these privileged operations? I'm
running DKIMproxy 1.4.1 on OpenBSD and see the following log line:

dkimproxy.out[16631]: signing error: Error: cannot read
/etc/ssl/private/dkim.key: Permission denied

Daemon is running as unprivileged _dkimproxy user and permissions on
the directory and key are restricted to access by root user.

Is it the case that reading the private key is not something done
prior to dropping privileges to the --user argument?

-- 
Darren Spruell
pha...@gm...

Most likely the delay is from the underlying SMTP service (e.g. Postfix),
since DKIMproxy is just a proxy. Can you try connecting to the underlying
SMTP service from localhost to see if the behavior is any different?

In any case, delays at SMTP connect time are usually due to some DNS
problem... (The SMTP service does a reverse DNS lookup to find the
connecting host name to put in syslog, or to check a dns-based blacklist.
If the DNS query times out, then that causes a delay for the SMTP greeting
to appear.)


Hope that helps.
Jason





On Fri, May 16, 2014 at 4:11 AM, Vincent Miszczak <vmi...@an...>wrote:

> Hello,
>
> My dkimproxy installation is very slow to respond to clients (all is
> running on localhost).
> I can telnet the port and TCP connection is fast, but the initial server
> greeting is (most of the time but not always) slow, it take sometimes
> several minutes before I can get :
>
> "220 mydomain.com ESMTP" response.
>
> I already changed massively the number of child process, no chance this
> does not make things better.
>
> I'm running this with Debian Wheezy packages.
>
> Any idea ?
>
> Vincent
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.
> Get unparalleled scalability from the best Selenium testing platform
> available
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> dkimproxy-users mailing list
> dki...@li...
> https://lists.sourceforge.net/lists/listinfo/dkimproxy-users
>

Hello,

My dkimproxy installation is very slow to respond to clients (all is 
running on localhost).
I can telnet the port and TCP connection is fast, but the initial server 
greeting is (most of the time but not always) slow, it take sometimes 
several minutes before I can get :

"220 mydomain.com ESMTP" response.

I already changed massively the number of child process, no chance this 
does not make things better.

I'm running this with Debian Wheezy packages.

Any idea ?

Vincent



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Hi everybody

I had a fully working config with Postfix for quite a while, today after a server restart dkimproxy.out is giving me a "421 Internal error (Next hop is down)". However, Postfix is responding at the configured relay port. How can I debug this? I suspect something with perl may has changed or could it be a newer version of OpenSSL?

Thanks in advance,
Juerg

Are we able to have dkimproxy in/out create UNIX sockets instead of 
listen on 127.0.0.1?

If so, is Postfix able to connect to UNIX sockets?

On 02/25/2013 11:51 PM, sco...@hu... wrote:
> Hello;
> I have read this article :
> dkimproxy.sourceforge.net/postfix-outbound-howto.html
> 
> I want to tell postfix to forward outbound mails into a specific proxy,
> lets say the proxy is : 82.56.23.127:3128 (can be a http, https or socks
> proxy).
> So the idea that came to my mind is to change /etc/postfix/master.cf to
> look like :

Hi,

I'm not sure about this howto (I haven't checked for it), but what is in
the Debian README has been checked for accuracy by many people. I am
sure of that because I had to close bugs on the Debian package about it.

If you use Debian, then it should be in /usr/share/doc/dkimproxy in my
Debian package. Otherwise, you can read about it here:

http://anonscm.debian.org/gitweb/?p=users/zigo/dkimproxy.git;a=blob;f=debian/README.Debian;h=881722295d9730e67f364630e1b8624bd6800539;hb=f6b036f733c65885400c30882daf9522dc6d6b56

There's 2 howtos, one if you use Amavis which is what I use - you would
send incoming emails from postifix to dkimproxy, then to amavis, then
back to postfix -, and one without it.

For my own setup, there's a schema here:
http://dtcsupport.gplhost.com/UserDoc/How-Works-The-Mail-System

I hope this helps,

Cheers,

Thomas

Hello;
I have read this article :
dkimproxy.sourceforge.net/postfix-outbound-howto.html

I want to tell postfix to forward outbound mails into a specific
proxy, lets say the proxy is : 82.56.23.127:3128 (can be a http, https
or socks proxy).
So the idea that came to my mind is to change /etc/postfix/master.cf
to look like :
	submission      inet  n       -       -       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o content_filter=dksign:[82.56.23.127]:3128
    -o receive_override_options=no_address_mappings
    -o
smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dksign    unix  -       -       n       -       4       smtp
    -o smtp_send_xforward_command=yes
    -o smtp_discard_ehlo_keywords=8bitmime,starttls
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o content_filter=
    -o
receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
But when i send email with this configuration by connecting to
127.0.0.1:10028 I keep getting emails sent without passing through the
proxy as if i sent it directly without any modifications to
/etc/postfix/master.cf file because the original ip remain the seem.

Which modification is appropriate to make the forwarding work ?
Thank you

> Thank you for your quick reply, I am using postfix and in the message it
> does say the below, so I need to change the hostname of the server ?
> 
> Received: from mail.best-of-80s.de (root379.ip-projects.de.local
>   [127.0.0.1]) by mail.best-of-80s.de (Postfix) with ESMTP id 74CC31E41FDB

What matters is to persuade dkimproxy to use "best-of-80s.de"
in the 'd' tag of the signature, instead of "ip-projects.de".
I'm not that familiar with dkimproxy to be able to tell what
needs to be changed in its configuration.

The hostname of the server (or Postfix: myhostname, or smtp_helo_name)
need not necessarily match the signing domain (althought it's nice
if they do). Changing these may or may not help.

To provide an author-domain signature, the 'd' tag of the signature
must match exactly the domain name in a From: header field.
Other domains (like domain names found in a Received trace)
do not matter.

> In between this is a multi domain postfix. But ip-projects.de
> is not part of the domains.

I hope someone more familiar with dkimproxy will be able to
provide guidance for multi-domain setup.

Alternatively (shameless plug), you can use amavisd for DKIM
signing - it uses the same underlying perl module Mail::DKIM
as dkimproxy, and if you don't need antivirus and antispam
protection, these can be turned off entirely, leaving
just a fast SMTP proxy with multi-domain DKIM signing and
verification capability.

  Mark

In between this is a multi domain postfix. But ip-projects.de is not part
of the domains.
Regards
On Tue, Dec 11, 2012 at 1:45 PM, Ali Jawad <ali...@gm...> wrote:

> Hi Mark
> Thank you for your quick reply, I am using postfix and in the message it
> does say the below, so I need to change the hostname of the server ?
>
>
>
> Received: from mail.best-of-80s.de (root379.ip-projects.de.local [127.0.0.1])
>         by mail.best-of-80s.de (Postfix) with ESMTP id 74CC31E41FDB
>
>
>
> On Tue, Dec 11, 2012 at 1:20 PM, Mark Martinec <Mar...@ij...>wrote:
>
>> > one._domainkey.best-of-80s.de. 86400 IN       TXT     "k=rsa\; t=s\;
>> ...
>>
>> > DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=ip-projects.de; h=
>> >   message-id:date:from:mime-version:to:subject:content-type
>> >   :content-transfer-encoding; s=one; bh=/edzoYuyn17WXm8KeqcX/R+khd
>> >   Q=; b=ZeJHggyRmhO7XBUi6MfiyMuWHokgUYvR7fXyQBrGVHUpquEnKC8pw2mi3i
>> >   FkbHEcavA4V2P5YHsveIVrH2oRCQYo4v4dn+VtComFRVJOSuIX41uPGTYINZOGZm
>>
>> "ip-projects.de" is not "best-of-80s.de"
>> There is no public key record for one._domainkey.ip-projects.de.
>>
>>   Mark
>>
>>
>> ------------------------------------------------------------------------------
>> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
>> Remotely access PCs and mobile devices and provide instant support
>> Improve your efficiency, and focus on delivering more value-add services
>> Discover what IT Professionals Know. Rescue delivers
>> http://p.sf.net/sfu/logmein_12329d2d
>> _______________________________________________
>> dkimproxy-users mailing list
>> dki...@li...
>> https://lists.sourceforge.net/lists/listinfo/dkimproxy-users
>>
>
>

Hi Mark
Thank you for your quick reply, I am using postfix and in the message it
does say the below, so I need to change the hostname of the server ?


Received: from mail.best-of-80s.de (root379.ip-projects.de.local [127.0.0.1])
        by mail.best-of-80s.de (Postfix) with ESMTP id 74CC31E41FDB



On Tue, Dec 11, 2012 at 1:20 PM, Mark Martinec <Mar...@ij...> wrote:

> > one._domainkey.best-of-80s.de. 86400 IN       TXT     "k=rsa\; t=s\; ...
>
> > DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=ip-projects.de; h=
> >   message-id:date:from:mime-version:to:subject:content-type
> >   :content-transfer-encoding; s=one; bh=/edzoYuyn17WXm8KeqcX/R+khd
> >   Q=; b=ZeJHggyRmhO7XBUi6MfiyMuWHokgUYvR7fXyQBrGVHUpquEnKC8pw2mi3i
> >   FkbHEcavA4V2P5YHsveIVrH2oRCQYo4v4dn+VtComFRVJOSuIX41uPGTYINZOGZm
>
> "ip-projects.de" is not "best-of-80s.de"
> There is no public key record for one._domainkey.ip-projects.de.
>
>   Mark
>
>
> ------------------------------------------------------------------------------
> LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
> Remotely access PCs and mobile devices and provide instant support
> Improve your efficiency, and focus on delivering more value-add services
> Discover what IT Professionals Know. Rescue delivers
> http://p.sf.net/sfu/logmein_12329d2d
> _______________________________________________
> dkimproxy-users mailing list
> dki...@li...
> https://lists.sourceforge.net/lists/listinfo/dkimproxy-users
>

> one._domainkey.best-of-80s.de. 86400 IN	TXT	"k=rsa\; t=s\; ...

> DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=ip-projects.de; h=
>   message-id:date:from:mime-version:to:subject:content-type
>   :content-transfer-encoding; s=one; bh=/edzoYuyn17WXm8KeqcX/R+khd
>   Q=; b=ZeJHggyRmhO7XBUi6MfiyMuWHokgUYvR7fXyQBrGVHUpquEnKC8pw2mi3i
>   FkbHEcavA4V2P5YHsveIVrH2oRCQYo4v4dn+VtComFRVJOSuIX41uPGTYINZOGZm

"ip-projects.de" is not "best-of-80s.de"
There is no public key record for one._domainkey.ip-projects.de.

  Mark

Hi
I am running dkim-proxy and I did all the config and I am not getting any
errors in the message or mail log. I am using the selector one and domain
best-of-80s.de, if I do use
http://www.protodave.com/tools/dkim-key-checker/and enter selector one
and domain
best-of-80s.de I get the following output :

Success

one._domainkey.best-of-80s.de. 86400 IN	TXT	"k=rsa\; t=s\;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiTjMqZ5nBwRyG6P4qGYHyxriKdeEshyyizffNadQ+i3d4wsSLkjcODWvvTORi01Bdlpe8mm03Dif4WvU/leBseyCyMnzpmRqqFJCV8UcMfYJER9V8U3o4q7qeRN8m3v9GCeqYvqBqJWrdXnVfVnA/r4M1/bPphSjqp+lmSIVjFQIDAQAB"


However, if I do send an email to
aaa...@ap...<http://root379.ip-projects.de/webmail/src/compose.php?send_to=aaaa3acmcwqa%40appmaildev.com>I
got a no key error, please advice .

*============================================================DKIM
result: permerror (no key)*
============================================================
Signed by: te...@be...
<http://root379.ip-projects.de/webmail/src/compose.php?send_to=tester%40best-of-80s.de>
Expected Body Hash: /edzoYuyn17WXm8KeqcX/R+khdQ=

---Original Message Header---
x-sender: te...@be...
<http://root379.ip-projects.de/webmail/src/compose.php?send_to=tester%40best-of-80s.de>
x-receiver: aaa...@ap...
<http://root379.ip-projects.de/webmail/src/compose.php?send_to=aaaa3acmcwqa%40appmaildev.com>
Received: from mail.best-of-80s.de ([84.200.74.99]) by mail.appmaildev.com with
Microsoft SMTPSVC(7.5.7600.16385);
         Tue, 11 Dec 2012 05:19:20 -0500
Received: from mail.best-of-80s.de (root379.ip-projects.de.local [127.0.0.1])
        by mail.best-of-80s.de (Postfix) with ESMTP id 74CC31E41FDB
        for <aaa...@ap...
<http://root379.ip-projects.de/webmail/src/compose.php?send_to=aaaa3acmcwqa%40appmaildev.com>>;
Tue, 11 Dec 2012 11:19:20 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=ip-projects.de; h=
        message-id:date:from:mime-version:to:subject:content-type
        :content-transfer-encoding; s=one; bh=/edzoYuyn17WXm8KeqcX/R+khd
        Q=; b=ZeJHggyRmhO7XBUi6MfiyMuWHokgUYvR7fXyQBrGVHUpquEnKC8pw2mi3i
        FkbHEcavA4V2P5YHsveIVrH2oRCQYo4v4dn+VtComFRVJOSuIX41uPGTYINZOGZm

On 01/16/2012 03:06 PM, Thomas Goirand wrote:
> Hi Jason,
> 
> I have receive the below bug report on the Debian bug tracker. The
> attached patch which was sent together with the bug report enables IPv6
> support for dkimproxy (so that it can also listen on v6).
> 
> 1/ What do you think of this patch?
> 2/ Can this be added upstream, and a new version of dkimproxy be
> released with it, so that I can package that in Debian?
> 
> Please let me know asap.
> 
> Cheers,
> 
> Thomas Goirand

Any update? Jason, are you at least reading your mail?

Thomas

And when I'm at it, will there be support for DMARC with dkimproxy? It
seems pretty strait forward to discard a mail not using DKIM when the
domain is requesting for it.

Thomas

Hi Jason,

I have receive the below bug report on the Debian bug tracker. The
attached patch which was sent together with the bug report enables IPv6
support for dkimproxy (so that it can also listen on v6).

1/ What do you think of this patch?
2/ Can this be added upstream, and a new version of dkimproxy be
released with it, so that I can package that in Debian?

Please let me know asap.

Cheers,

Thomas Goirand

GPLHost CEO, Debian Developer since June 2010
Debian PGP: E4F0 EDDF 374F 2C50 D473  5EC0 9783 3DC9 98EF 9A49

-------- Original Message --------
Subject: Bug#656041: dkimproxy: add IPv6 support
Resent-Date: Mon, 16 Jan 2012 05:09:01 +0000
Resent-From: Kenyon Ralph <ke...@ke...>
Resent-To: deb...@li...
Resent-CC: Thomas Goirand <zi...@de...>
Date: Sun, 15 Jan 2012 21:06:34 -0800
From: Kenyon Ralph <ke...@ke...>
Reply-To: Kenyon Ralph <ke...@ke...>, 65...@bu...
To: Debian Bug Tracking System <su...@bu...>

Package: dkimproxy
Version: 1.4.1-3
Severity: normal
Tags: ipv6 patch

Attached is a patch that allows dkimproxy to listen on IPv6, provided
that the installed version of libnet-server-perl supports IPv6, which
version 0.99-3 in Debian does. This patch depends on the package
libio-socket-inet6-perl.

I haven't tested whether it still works with a non-IPv6-patched
libnet-server-perl, but I think it should.

Without this patch, if you have libnet-server-perl 0.99-3 installed,
dkimproxy will open a socket for listening on IPv6, but upon
connection, you will get "Connection closed by foreign host."

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.4-x86_64-linode21 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dkimproxy depends on:
ii  adduser                3.112+nmu2        add and remove users and groups
ii  liberror-perl          0.17-1            Perl module for
error/exception ha
ii  libmail-dkim-perl      0.38-1            cryptographically identify
the sen
ii  libnet-server-perl     0.99-3~bpo60+1    extensible, general perl
server en
ii  libtext-wrapper-perl   1.02-1            Simple word wrapping routine
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2
init scrip
ii  openssl                0.9.8o-4squeeze5  Secure Socket Layer (SSL)
binary a
ii  perl                   5.10.1-17squeeze2 Larry Wall's Practical
Extraction
ii  ssl-cert               1.0.28            simple debconf wrapper for
OpenSSL

Versions of packages dkimproxy recommends:
pn  amavisd-new                   <none>     (no description available)

dkimproxy suggests no packages.

-- Configuration Files:
/etc/default/dkimproxy changed:
RUN_DKIMPROXY_IN=0

/etc/dkimproxy/dkimproxy_in.conf changed:
listen    localhost:10026
relay     localhost:10024

/etc/dkimproxy/dkimproxy_out.conf changed:
listen    localhost:10028
relay     localhost:10029
domain    kenyonralph.com
signature dkim
keyfile   /var/lib/dkimproxy/private.key
selector  postfix


-- no debconf information

On Fri, Dec 23, 2011 at 7:05 PM, Nico Angenon <ni...@cr...> wrote:

>    hello
>

Hello,


> ,
>  ok, i’ll have a look on
>
> smtpd_sender_login_maps parameters on postfix...
>
> Be careful... I haven't use smtpd_sender_login_maps, but as far as I can
see, it is related to the MAIL FROM address.
Somebody may put he's own domain in MAIL FROM, and put another domain in
the "From:" header... and DKIMProxy signs de email based on the domain in
the "From:" header.

Best regards,

-- 
George Negoita
System Administrator
NGM Labs


> Thank’s a lot...
>
> nico
>
>
>
> ------------------------------------------------------------------------------
> Write once. Port to many.
> Get the SDK and tools to simplify cross-platform app development. Create
> new or port existing apps to sell to consumers worldwide. Explore the
> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
> http://p.sf.net/sfu/intel-appdev
> _______________________________________________
> dkimproxy-users mailing list
> dki...@li...
> https://lists.sourceforge.net/lists/listinfo/dkimproxy-users
>
>

hello
,
ok, i’ll have a look on 
smtpd_sender_login_maps parameters on postfix...Thank’s a lot...nico

On Fri, Dec 23, 2011 at 5:33 PM, Nico Angenon <ni...@cr...> wrote:

>   Hello,
>

Hello,


>
> Sorry if i make some mistakes, i’ll try to explain my problem in english,
> english isn’t my mother language...
>
> I’m using DKIMProxy on a “public” outgoing mail server for my
> customers.... This server relays about 60 customers, so it relays about 60
> domains... 6 of those customers have asked me to implement DKIM (on
> outgoing mail only)...
>
> Those 6 customers connect to the server using SASL Auth to send mail on
> port 587... the question of one of these customers is : “what happened if
> another customers is sending a mail using my domain in the "from: " header
> via your system ?”
>
> It signs it...
>

This sounds like a limitation which should be imposed by Postfix (or the
mail server that you're using). You should not accept mail from an
authenticated user which has a different domain in the "From: " header (if
this doesn't generate other problems).
I think DKIMProxy is not the place for this.

Best regards,

-- 
George Negoita
System Administrator
NGM Labs


>
> That’s the problem : is there any way to tell DKIMProxy 'Only this SASL
> user can sign with this private key' on the sender map ?
>
> Thanks in advance.
>
> Nico
>
>
>
>
> ------------------------------------------------------------------------------
> Write once. Port to many.
> Get the SDK and tools to simplify cross-platform app development. Create
> new or port existing apps to sell to consumers worldwide. Explore the
> Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
> http://p.sf.net/sfu/intel-appdev
> _______________________________________________
> dkimproxy-users mailing list
> dki...@li...
> https://lists.sourceforge.net/lists/listinfo/dkimproxy-users
>
>

Hello,

Sorry if i make some mistakes, i’ll try to explain my problem in english, english isn’t my mother language...

I’m using DKIMProxy on a “public” outgoing mail server for my customers.... This server relays about 60 customers, so it relays about 60 domains... 6 of those customers have asked me to implement DKIM (on outgoing mail only)...

Those 6 customers connect to the server using SASL Auth to send mail on port 587... the question of one of these customers is : “what happened if another customers is sending a mail using my domain in the "from: " header via your system ?”

It signs it...

That’s the problem : is there any way to tell DKIMProxy 'Only this SASL user can sign with this private key' on the sender map ?

Thanks in advance.

Nico

Hi, I'm new to the list. Running dkimproxy on debian squeeze.

Just switched from opendkim (only on incoming) to dkimproxy, because I 
discovered that opendkim would treat a line with only a full stop (.) as 
end of message. :/ . Decided that i wanted to get signing working after 
several false starts with opendkim. I nailed it at last, after much 
frustration. Turns out that my relayhost (aka "smarthost") tries to be 
"helpful" and changes the content-type and content-transfer-encoding on 
my outgoing mails.

Icedove marks ALL my mail as charset iso-8859-1, but if i don't write 
any norwegian chars (æøå) it helpfully tells that I use 
"content-transfer-encoding: 7bit" . Now, iso8859-1 is impossible to 
encode in 7 bits, so my ISP helpfully changes charset to US-ASCII, and 
(as I later discovered) changes 7bit to 7BIT. This causes hardfail on 
verifying SOME mails, the ones with no æøå in them.

I coded up a small pre-emptive strike in dkimproxy, see below, replacing 
handle_end_of_data. Now, I got to thinking that a hook in a standard way 
would be nice, so that my little change would carry over to newer 
versions. Is that at all something that would be considered ? The 
alternative would be to rip out the signing logic, and run the "doctor" 
as a separate step. It is getting to be a bit too many proxy-handovers 
though, and too many convolutions in my postfix/main.cf, so I'd rather 
not :-).



-------------- Replacement sub in opendkim.out --------------

sub handle_end_of_data
{
     my $self = shift;
     my $server = $self->{smtp_server};
     my $client = $self->{smtp_client};

     my $fh = $server->{data};
     my $dkim;
     my $result;
     my $result_detail;
     eval
     {
     my $content_type = undef;
     my $content_transfer_encoding = undef;
     my $doctoredfh = IO::File->new_tmpfile;
     my $doctorstate = 0; # 0 == in head 1 == after head
     my $need_doc = 0;
     $fh->seek(0,0);
     DOCTOR: while($_ = <$fh>){
         if($doctorstate == 0){
         # headers
         if(m(^content-type: .*)i){
             $content_type = $_;
         } elsif((m(^content-transfer-encoding: .*)i)){
             $content_transfer_encoding = $_;
         } elsif((m(^\r?$))){
             if(defined($content_type) &&
                defined($content_transfer_encoding) &&
                ($content_type  =~ m(text\/plain)i) &&
                ($content_type  =~ m(charset=iso-8859-1)i) &&
                ($content_transfer_encoding =~ m(7bit)i)){
             # need doctoring
             $need_doc = 1;
             #print STDERR "need doctoring\n";
             #print STDERR $content_type;
             #print STDERR $content_transfer_encoding;
             syslog("info", '%s', "need doctoring $content_type; 
$content_transfer_encoding");
             syslog("info", '%s', "need doctoring 
$content_transfer_encoding");
             $content_transfer_encoding =~ s(7bit)(7BIT)i;
             $content_type  =~ s(charset=iso-8859-1)(CHARSET=US-ASCII)i;
             #print STDERR $content_type;
             #print STDERR $content_transfer_encoding;
             print $doctoredfh "$content_transfer_encoding";
             print $doctoredfh "$content_type";
             print $doctoredfh $_;
             } else {
             #print STDERR "no doctoring needed \n";
             last DOCTOR;
             }
             $doctorstate = 1;
         } else {
             print $doctoredfh "$_";
         }
         } else {
         # body
         print $doctoredfh "$_";
         }
     }
     if($need_doc){
         close($fh);
         $server->{data} = $doctoredfh;
         $fh = $doctoredfh;
     } else {
         undef($doctoredfh);    # automatically closes the file
     }
     $fh->seek(0,0);
     $dkim = Mail::DKIM::Signer->new(
         Policy => \&signer_policy,
         KeyFile => $keyfile,
         Selector => $selector,
         );

     $dkim->load($fh);
     $result = $dkim->result;
     $result_detail = $dkim->result_detail;

     syslog("info", '%s',
            "DKIM signing - $result_detail; "
            . join(", ", $dkim->message_attributes));
     };
     if ($@)
     {
     my $E = $@;
     chomp $E;
     $E =~ s/\n/ /gs;
     eval { syslog("warning", '%s', "signing error: $E") };
     $result = "temperror";
     $result_detail = "$result ($E)";
     }

     # check signing result
     if ($result =~ /error$/ && $reject_error)
     {
     # temporary or permanent error
     $server->fail(
         ($result eq "permerror" ? "550" : "450")
         . " DKIM - $result_detail");
     return 0;
     }

     $fh->seek(0,0);

     if ($dkim && $dkim->signature)
     {
     #    # output version info
     #    my $DKIM_PROXY_VERSION = "0.15";
     #    $client->write_data_line("X-DKIM-Proxy-Version: "
     #        . "DkimProxy $DKIM_PROXY_VERSION, "
     #        . "Mail::DKIM $Mail::DKIM::VERSION\015\012");

     # output the generated DKIM-Signature
     foreach my $dkim_signature ($dkim->signatures)
     {
         $client->write_data_line($dkim_signature->as_string . "\015\012");
     }

     # followed by the unaltered original message
     $client->yammer($fh);
     }
     else
     {
     # send the message unaltered
     $client->yammer($fh);
     }
     return 1;
}

On Thu, 02 Jun 2011 05:00:56 +0800, Thomas Goirand wrote:
> On 06/02/2011 02:45 AM, fakessh wrote:
>> hi folks
>>
>> I am having problems with multiple signatures on the same ndd (ex
>> dk._domainkey.smtp.fakessh.eu dk._domainkey.roundcube.fakessh.eu) 
>> the same
>> keys on multiple ndd
>>
>> Auto Responders do not tell me all ok tell me some multiple 
>> signatures and
>> non-secure
>>
>> what to do
>
> What to do? Well, maybe you'd better start asking in a correct 
> English?
> If I'm not mistaking, "ndd" is the French for "nom de domaine" 
> (domain
> name), and "ndd" has absolutely zero meaning in an English sentence.
> Without this explanation, I don't think our non-French reading 
> friends
> will understand... Please confirm that this is what you wanted to 
> write.
>
> Thomas

My problem occurs with multiple domain names declared with the same key

nb : I have not received a reply from the list only your reply
-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7

On 06/02/2011 02:45 AM, fakessh wrote:
> hi folks
> 
> I am having problems with multiple signatures on the same ndd (ex 
> dk._domainkey.smtp.fakessh.eu dk._domainkey.roundcube.fakessh.eu) the same 
> keys on multiple ndd
> 
> Auto Responders do not tell me all ok tell me some multiple signatures and 
> non-secure
> 
> what to do

What to do? Well, maybe you'd better start asking in a correct English?
If I'm not mistaking, "ndd" is the French for "nom de domaine" (domain
name), and "ndd" has absolutely zero meaning in an English sentence.
Without this explanation, I don't think our non-French reading friends
will understand... Please confirm that this is what you wanted to write.

Thomas

hi folks

I am having problems with multiple signatures on the same ndd (ex 
dk._domainkey.smtp.fakessh.eu dk._domainkey.roundcube.fakessh.eu) the same 
keys on multiple ndd

Auto Responders do not tell me all ok tell me some multiple signatures and 
non-secure

what to do
-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7