
Mailing List Archive: Qmail: users

DKIM problems

 

 



kirk at icapsolutions

Jun 2, 2011, 6:35 AM

Post #1 of 13 (2223 views)
Permalink
DKIM problems

I'm attempting to enable DKIM (first attempt, never have tried this
before) from these simple instructions:

http://www.memoryhole.net/qmail/#dkim

I've successfully installed libdomainkeys from sourceforge as well as
Mail::DKIM which provides "dktest" and dkimsign.pl (although I've
replaced the perl script with the one recommended to accept the --key
argument). I've also swapped out qmail-remote and replaced it with the
wrapper version, moved the original to qmail-remote.orig as well as
"chmod 777 qmail-remote" as recommended.

I've placed the two programs here as well as showing the qmail-remote(s):

cd /var/qmail/bin
-rwxr-xr-x. 1 root root 4247 Jun 1 19:23 dkimsign.pl
-rwxr-xr-x. 1 root root 38153 Jun 1 16:43 dktest
-rwxrwxrwx. 1 root qmail 2250 Jun 1 20:09 qmail-remote
-rwx--x--x. 1 root qmail 32992 May 26 09:37 qmail-remote.orig

I've also installed the public/private keys by using these instructions:

mkdir -p /etc/domainkeys/example.com/
cd /etc/domainkeys/example.com/
/usr/local/ssl/bin/openssl genrsa -out rsa.private 768
/usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
mv rsa.private default
chown -R qmailq /etc/domainkeys
chmod 0600 default

cd /etc/domainkeys/example.com
-rw-------. 1 qmailq qmail 692 Jun 1 15:56 default
-rw-r--r--. 1 qmailq qmail 223 Jun 1 15:56 rsa.public

When I send a test message from the server itself:
mail -s test me [at] example

From what I can tell so far (after some hacking in the qmail-remote
wrapper) the file "/etc/domainkeys/example.com/default" isn't being
detected by the wrapper script from what appears to be a permissions
issue. I "chmod 0640 default", rerun the mail test and I at least get to
the "dktest" line in the wrapper, but that fails most likely from the
"default" file having incorrect permissions?

Can someone provide a little insight to how this should be set up?

Thanks
Kirk


cagri.ersen at gmail

Jun 2, 2011, 6:53 AM

Post #2 of 13 (2178 views)
Permalink
Re: DKIM problems [In reply to]

On Thu, Jun 2, 2011 at 4:35 PM, kirk <kirk [at] icapsolutions> wrote:

> I'm attempting to enable DKIM (first attempt, never have tried this
> before) from these simple instructions:
>
> http://www.memoryhole.net/qmail/#dkim
>
> I've successfully installed libdomainkeys from sourceforge as well as
> Mail::DKIM which provides "dktest" and dkimsign.pl (although I've replaced
> the perl script with the one recommended to accept the --key argument). I've
> also swapped out qmail-remote and replaced it with the wrapper version,
> moved the original to qmail-remote.orig as well as "chmod 777 qmail-remote"
> as recommended.
>
> I've placed the two programs here as well as showing the qmail-remote(s):
>
> cd /var/qmail/bin
> -rwxr-xr-x. 1 root root 4247 Jun 1 19:23 dkimsign.pl
> -rwxr-xr-x. 1 root root 38153 Jun 1 16:43 dktest
> -rwxrwxrwx. 1 root qmail 2250 Jun 1 20:09 qmail-remote
> -rwx--x--x. 1 root qmail 32992 May 26 09:37 qmail-remote.orig
>
> I've also installed the public/private keys by using these instructions:
>
> mkdir -p /etc/domainkeys/example.com/
> cd /etc/domainkeys/example.com/
> /usr/local/ssl/bin/openssl genrsa -out rsa.private 768
> /usr/local/ssl/bin/openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
> mv rsa.private default
> chown -R qmailq /etc/domainkeys
> chmod 0600 default
>
> cd /etc/domainkeys/example.com
> -rw-------. 1 qmailq qmail 692 Jun 1 15:56 default
> -rw-r--r--. 1 qmailq qmail 223 Jun 1 15:56 rsa.public
>
>
I think the owner of the files should be qmailr.
chown -fR qmailr /etc/domainkeys/


> When I send a test message from the server itself:
> mail -s test me [at] example
>
> From what I can tell so far (after some hacking in the qmail-remote
> wrapper) the file "/etc/domainkeys/example.com/default" isn't being
> detected by the wrapper script from what appears to be a permissions issue.
> I "chmod 0640 default", rerun the mail test and I at least get to the
> "dktest" line in the wrapper, but that fails most likely from the "default"
> file having incorrect permissions?
>
> Can someone provide a little insight to how this should be set up?
>
> Thanks
> Kirk
>
>
>
>



--
Cagri Ersen
http://www.syslogs.org


thibs at thibs

Jun 2, 2011, 7:03 AM

Post #3 of 13 (2181 views)
Permalink
Re: DKIM problems [In reply to]

Hello,

Take a look at http://manuel.mausz.at/coding/qmail-dkim/ and http://qmailrocks.thibs.com/dkim.php

Thibault


kirk at icapsolutions

Jun 2, 2011, 9:06 AM

Post #4 of 13 (2235 views)
Permalink
Re: DKIM problems [In reply to]

This instruction seems to work:
http://manuel.mausz.at/coding/qmail-dkim/

but not until after I set "chmod 0777 /var/qmail/bin/qmail-remote" as
well as "chmod 0777 /var/qmail/control/dkim".

I don't mind doing this unless this presents some kind of security issue?

Kirk



On 6/2/2011 7:03 AM, Thibault Richard wrote:
> Hello,
> Take a look at http://manuel.mausz.at/coding/qmail-dkim/ and
> http://qmailrocks.thibs.com/dkim.php
> Thibault
>
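
The question above about "chmod 0777", as an added example that is not part of any post in this thread: a shell audit that flags a world-writable wrapper or control directory, and a private key whose owner or mode does not fit the account the signer runs as. It assumes GNU stat (Linux); the function names and finding labels are made up for this example, and the paths and account name are passed in as arguments.

```shell
#!/bin/sh
# Added example, not code from the thread: permission audit for a
# qmail-remote DKIM wrapper setup. Assumes GNU stat (Linux).

perm_bits() { stat -c '%a' "$1"; }   # octal mode, e.g. 777
owner_of()  { stat -c '%U' "$1"; }   # owning user name

# A world-writable wrapper or control directory lets any local account
# replace the code or configuration used for every outgoing message.
check_not_world_writable() {
    cnw_mode=$(perm_bits "$1") || return 2
    if [ $(( 0$cnw_mode & 0002 )) -ne 0 ]; then
        echo "WORLD-WRITABLE $1 (mode $cnw_mode)"
        return 1
    fi
    return 0
}

# The private key must be owned by the account the signer runs as,
# readable by that account, and closed to group and other.
check_private_key() {
    cpk_rc=0
    cpk_mode=$(perm_bits "$1") || return 2
    cpk_owner=$(owner_of "$1") || return 2
    if [ "$cpk_owner" != "$2" ]; then
        echo "WRONG-OWNER $1 is owned by $cpk_owner, signer runs as $2"
        cpk_rc=1
    fi
    if [ $(( 0$cpk_mode & 0077 )) -ne 0 ]; then
        echo "KEY-EXPOSED $1 (mode $cpk_mode) is open to group or other"
        cpk_rc=1
    fi
    if [ $(( 0$cpk_mode & 0400 )) -eq 0 ]; then
        echo "KEY-UNREADABLE $1 (mode $cpk_mode) cannot be read by its owner"
        cpk_rc=1
    fi
    return $cpk_rc
}

# audit_dkim_setup WRAPPER CONTROL_DIR KEY SIGNER_USER
# Prints one finding per line; returns 0 only when nothing was flagged.
audit_dkim_setup() {
    ads_rc=0
    check_not_world_writable "$1" || ads_rc=1
    check_not_world_writable "$2" || ads_rc=1
    check_private_key "$3" "$4" || ads_rc=1
    return $ads_rc
}

# Run against real paths when four arguments are given, for instance:
#   sh audit.sh /var/qmail/bin/qmail-remote /var/qmail/control/dkim \
#      /etc/domainkeys/example.com/default qmailr
if [ $# -eq 4 ]; then
    audit_dkim_setup "$@"
fi
```

A wrapper script only has to be readable and executable by the account that runs it, so a root-owned file at mode 0755 passes this audit.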


johnl at iecc

Jun 2, 2011, 9:22 AM

Post #5 of 13 (2176 views)
Permalink
Re: DKIM problems [In reply to]

I've been doing my DKIM signing with a perl wrapper around
qmail-queue. It works well for me, was short and easy to code, and it
has the advantage that applications that are inclined to be helpful
(list managers and web mail) can pass environment variables to tell
the signer what identity to use in the signature.

If people are interested I can package it up. I also have a little
script to generate signing keys and tinydns verification keys that
rotate each month. And as an evil hack, I can use wildcard selectors
so each message has a different selector and I can do traffic analysis
on the DNS queries.

Regards,
John Levine, johnl [at] iecc, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly


joerg at backschues

Jun 2, 2011, 12:56 PM

Post #6 of 13 (2179 views)
Permalink
Re: DKIM problems [In reply to]

On 02.06.2011 15:35 wrote kirk:

> Can someone provide a little insight to how this should be setup?

If you are interested in a native C implementation please have a look at:

<http://www.backschues.net/qmail/>

--
Greetings
Jörg Backschues


kirk at icapsolutions

Jun 2, 2011, 5:29 PM

Post #7 of 13 (2199 views)
Permalink
Re: DKIM problems [In reply to]

libdkim doesn't compile:

# make LINUX=y
g++ -c -c dkim.cpp
In file included from dkim.h:163,
from dkim.cpp:23:
macros.h:17:1: warning: "MAKELONG" redefined
In file included from dkim.cpp:23:
dkim.h:22:1: warning: this is the location of the previous definition
dkim.cpp: In function ‘int DKIMVerifyGetDetails(DKIMContext*, int*,
DKIMVerifyDetails**, char*)’:
dkim.cpp:204: error: ‘strcpy’ was not declared in this scope
dkim.cpp: In function ‘char* DKIMVersion()’:
dkim.cpp:226: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp: At global scope:
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp:249: warning: deprecated conversion from string constant to ‘char*’
dkim.cpp: In function ‘char* DKIMGetErrorString(int)’:
dkim.cpp:255: warning: deprecated conversion from string constant to ‘char*’
make: *** [dkim.o] Error 1

?
k



On 6/2/2011 12:56 PM, Joerg Backschues wrote:
> On 02.06.2011 15:35 wrote kirk:
>
>> Can someone provide a little insight to how this should be setup?
> If you are interested in a native C implementation please have a look at:
>
> <http://www.backschues.net/qmail/>
>


feh at fehcom

Jun 3, 2011, 12:55 AM

Post #8 of 13 (2168 views)
Permalink
Re: DKIM problems [In reply to]

Hi John,

On 2 Jun 2011 16:22:58 -0000
"John Levine" <johnl [at] iecc> wrote:

> I've been doing my DKIM signing with a perl wrapper around
> qmail-queue. It works well for me, was short and easy to code, and it
> has the advantage that applications that are inclined to be helpful
> (list managers and web mail) can pass environment variables to tell
> the signer what identity to use in the signature.

This sounds to fit with SMTP authentication as well.

Though I was initially not inclined to include DKIM in my Spamcontrol patch, however I see a growing need to support DKIM as well (SPF is already on my development list).

If you don't mind sending me your code, I could have a look at it and perhaps provide a combined solution.


> If people are interested I can package it up. I also have a little
> script to generate signing keys and tinydns verification keys that
> rotate each month. And as an evil hack, I can use wildcard selectors
> so each message has a different selector and I can do traffic analysis
> on the DNS queries.

regards.
--eh.


> Regards,
> John Levine, johnl [at] iecc, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. http://jl.ly
>


--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de | PGP Key-Id: 7E4034BE


mbhangui at gmail

Jun 3, 2011, 6:52 AM

Post #9 of 13 (2180 views)
Permalink
Re: DKIM problems [In reply to]

On Fri, Jun 3, 2011 at 5:59 AM, kirk <kirk [at] icapsolutions> wrote:
>
> libdkim doesn't compile:
>

Looks like you need #include <string.h>.

I had the same set of issues with libdkim. Have fixed most of the
issues. You can use libdkim-1.3.tar.gz which I have modified at

http://sourceforge.net/projects/indimail/files/mailpack/mailpack-1.1/

You just need to do the usual ./configure ; make ; make install. Also
I have renamed dkimtest with dkim in libdkim-1.3

I also have a patch for netqmail-1.06 which gives you a total C
implementation to sign or verify at SMTP, local or remote delivery. It
includes the above libdkim code and additionally gives you

1. qmail-dkim - a QMAILQUEUE replacement which allows you to sign at
SMTP. This works similarly to Russ Nelson's qmail-dk

2. dkim - which allows you to sign/verify during remote/local delivery

3. spawn-filter - which allows you to put any filter of your choice
during remote/local delivery. It allows you to seamlessly do dkim
signing/verification without having to rename qmail-remote or
qmail-local. spawn-filter allows you to insert your own scripts before
local/remote deliveries. If you want to put a filter just put an entry
in the control file /var/qmail/control/filterargs. e.g. to do dkim
signing only for remote deliveries to gmail.com, you just need to have
the following entry in /var/indimail/control/filterargs

gmail.com:remote:/var/indimail/bin/dk-filter


You can use Roberto Puzzanghera's notes for configuring DKIM for qmail at

http://notes.sagredo.eu/node/92

You can also look at my tutorial at (just replace indimail with qmail)

http://indimail.blogspot.com/2009/04/how-to-set-dkim-signature-in-indimail.html


kirk at icapsolutions

Jun 3, 2011, 7:37 AM

Post #10 of 13 (2165 views)
Permalink
Re: DKIM problems [In reply to]

FYI, I've implemented the all perl solution as provided here:
http://manuel.mausz.at/coding/qmail-dkim/
Very simple setup, nicely packaged, but it's causing the server to work
entirely too hard, somewhere in the magnitude of about 10X as seen by
the CPU usage, too expensive.
I tried the all C solution from here:
http://www.backschues.net/qmail
This most likely would solve the CPU issues seeing as Perl is a CPU hog,
but it didn't compile.

Any chance of any other all C or sh solution that would improve, perhaps
not relying on firing up an instance of Perl for each and every
outgoing message?

Kirk






johnl at iecc

Jun 3, 2011, 8:58 AM

Post #11 of 13 (2174 views)
Permalink
Re: DKIM problems [In reply to]

>> I've been doing my DKIM signing with a perl wrapper around
>> qmail-queue. It works well for me, was short and easy to code, and it
>> has the advantage that applications that are inclined to be helpful
>> (list managers and web mail) can pass environment variables to tell
>> the signer what identity to use in the signature.
>
>This sounds to fit with SMTP authentication as well.

Yes, when called from ofmipd it uses TCPREMOTEINFO which has the
authenticated user name to set the i= value.

R's,
John


ma1l1ists at yahoo

Jun 3, 2011, 9:55 AM

Post #12 of 13 (2169 views)
Permalink
Re: [Bulk] Re: DKIM problems [In reply to]

On Fri, 03 Jun 2011 07:37:56 -0700
kirk wrote:

> Any chance of any other all C or sh solution that would improve, perhaps
> not relying on firing up an instance of Perl for each and every
> outgoing message?

Don't know but perl should have more potential of being easier on the
cpu than sh but obviously not c.

There's an implementation at "www.memoryhole.net/qmail/#dkim" which uses
a mix of perl and shell scripts which use Mail::DKIM and which is
maintained and also supports Yahoo's original domainkeys, if you like. I
modded them for BSD compatibility, I'll share them but you're using Linux
aren't you?

I have no performance comparison though, but with qmail you're usually
limited by the disks, not the cpu.


manuel-qmail at mausz

Jun 3, 2011, 1:17 PM

Post #13 of 13 (2174 views)
Permalink
Re: DKIM problems [In reply to]

On 03.06.2011 16:37, kirk wrote:
> FYI, I've implemented the all perl solution as provided here:
> http://manuel.mausz.at/coding/qmail-dkim/
> Very simple setup, nicely packaged, but it's causing the server to work
> entirely too hard, somewhere in the magnitude of about 10X as seen by
> the CPU usage, too expensive.

Mail::DKIM needs to split the mail into subject/body and this is also
what is a cpu hog.

from a simple dprof:
%Time ExclSec CumulS #Calls sec/call Csec/c Name
22.3  1.566   2.224  62001  0.0000   0.0000 Mail::DKIM::MessageParser::PRINT
13.5  0.946   1.864  61997  0.0000   0.0000 Mail::DKIM::Canonicalization::DkimCommon::add_header
13.1  0.918   0.918  61998  0.0000   0.0000 Mail::DKIM::Canonicalization::relaxed::canonicalize_header
12.1  0.850   0.850  1      0.8500   0.8499 Mail::DKIM::Canonicalization::DkimCommon::finish_header
11.8  0.826   2.690  61997  0.0000   0.0000 Mail::DKIM::Algorithm::Base::add_header
9.41  0.658   0.658  61997  0.0000   0.0000 Mail::DKIM::Common::add_header
7.69  0.538   4.078  1      0.5380   4.0778 Mail::DKIM::Signer::finish_header

I've done some quick ~20mins testing with swig and libdkim and the
result is much faster:
0m2.671s (Mail::DKIM) vs 0m0.155s (libdkim + swig)
... both with 4.4mb mail

As soon as I find some spare time I'll try to write a better swig
interface for libdkim and see if I can pull out qmail-dkim-0.3.pl :)

/ manuel
