Re: DKIM signing problem
* alex : > header_checks = pcre:/etc/postfix/maps/anonymization_sender.pcre What does that do (e.g. alter the message?) -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: DKIM signing problem
On 09/18/2011 12:52 PM, Ralf Hildebrandt wrote: * alex: header_checks = pcre:/etc/postfix/maps/anonymization_sender.pcre What does that do (e.g. alter the message?) with both header_checks and body_checks commented same results (I also think about that two directives)
Re: DKIM signing problem
* alex : > On 09/18/2011 12:52 PM, Ralf Hildebrandt wrote: > >* alex: > > > >>header_checks = pcre:/etc/postfix/maps/anonymization_sender.pcre > > > >What does that do (e.g. alter the message?) > > > with both header_checks and body_checks commented same results (I > also think about that two directives) OK, just asking (because exactly that bit me once) -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: DKIM signing problem
On Sun, 18 Sep 2011 09:29:53 +0300, alex wrote: I'am not speaking about this server. so this server is a key helper to solve the one that does not work ?, i hope
Re: DKIM signing problem
alex: > On 09/17/2011 10:34 PM, Patrick Ben Koetter wrote: > > * alex: > >> Hi > >> > >> I have a problem with messages signed by my server. All messages > >> send from any email client(tb, webmail) , fail verification with : > >>dkim=softfail (fail, message has been altered) > >> except messages send from command line (telnet, sendmail). > >> > >> Software use is: centos 6 (x86_64), postfix 2.8.0/2.8.5, > >> dkim-milter-2.8.3-8.el6.x86_64, no content filtering. > >> I can't find anything in my config that could modify the body of the > >> message after is signed. > >> > >> Any suggestions? A likely cause of breakage is that the sending application generates email that is incompatible with RFC 5322 or RFC 5321 in some respect. - Lines longer than 990. The Postfix SMTP client keeps the line length below the SMTP protocol limit of 1000 bytes including . Since this change happens after signing, it will definitely break DKIM signatures. To avoid long-line curruption problems send mail in quoted-printable or base64 encoding, with lines of at most 80 characters long. - Malformed line endings. SMTP requires line endings, and does not allow or characters in any other context. The Postfix sendmail commands expects UNIX-style line endings. It will also accept lines ending in but you can't use mixed line ending styles in the same message. And so on. If you want to ensure that DKIM signatures survive, you need to send email that is within the protocol specs; otherwise you'll have to "normalize" the message before applying the DKIM signature. Postfix is only an MTA. It is not a message normalizer. Wietse
Re: DKIM signing problem
On 09/18/2011 07:39 PM, Benny Pedersen wrote: On Sun, 18 Sep 2011 09:29:53 +0300, alex wrote: I'am not speaking about this server. so this server is a key helper to solve the one that does not work ?, i hope The server that doesn't work has nothing to do with the server I use to send this messages. The server that break the dkim signatures is a new server is just installed and is in tests.
Re: DKIM signing problem
On 09/18/2011 07:41 PM, Wietse Venema wrote:
alex:
On 09/17/2011 10:34 PM, Patrick Ben Koetter wrote:
* alex:
Hi
I have a problem with messages signed by my server. All messages
send from any email client(tb, webmail) , fail verification with :
dkim=softfail (fail, message has been altered)
except messages send from command line (telnet, sendmail).
Software use is: centos 6 (x86_64), postfix 2.8.0/2.8.5,
dkim-milter-2.8.3-8.el6.x86_64, no content filtering.
I can't find anything in my config that could modify the body of the
message after is signed.
Any suggestions?
A likely cause of breakage is that the sending application generates
email that is incompatible with RFC 5322 or RFC 5321 in some respect.
- Lines longer than 990.
The Postfix SMTP client keeps the line length below the SMTP
protocol limit of 1000 bytes including. Since this change
happens after signing, it will definitely break DKIM signatures.
To avoid long-line curruption problems send mail in quoted-printable
or base64 encoding, with lines of at most 80 characters long.
- Malformed line endings.
SMTP requires line endings, and does not allow or
characters in any other context.
The Postfix sendmail commands expects UNIX-style line endings.
It will also accept lines ending in but you can't use
mixed line ending styles in the same message.
And so on. If you want to ensure that DKIM signatures survive, you
need to send email that is within the protocol specs; otherwise
you'll have to "normalize" the message before applying the DKIM
signature.
Postfix is only an MTA. It is not a message normalizer.
Wietse
Hi
All messages used to test the dkim signatures was send with subject hhmm
and body hhmm (ex 2126 hour 21 and 26 minutes) or with empty body.
Nothing to complicated.
Also in dkim-filter.conf I have:
## FixCRLF { yes | no }
##
## Requests that the library convert "naked" CR and LF characters to
## CRLFs during canonicalization. The default is "no".
I have try this option but still get the same results.
How is say in my first post I have also try the 2.8.2 version of the
dkim-milter , but again with same results.
Alex
Re: DKIM signing problem
alex:
> On 09/18/2011 07:41 PM, Wietse Venema wrote:
> > alex:
> >> On 09/17/2011 10:34 PM, Patrick Ben Koetter wrote:
> >>> * alex:
> Hi
>
> I have a problem with messages signed by my server. All messages
> send from any email client(tb, webmail) , fail verification with :
> dkim=softfail (fail, message has been altered)
> except messages send from command line (telnet, sendmail).
>
> Software use is: centos 6 (x86_64), postfix 2.8.0/2.8.5,
> dkim-milter-2.8.3-8.el6.x86_64, no content filtering.
> I can't find anything in my config that could modify the body of the
> message after is signed.
>
> Any suggestions?
> >
> > A likely cause of breakage is that the sending application generates
> > email that is incompatible with RFC 5322 or RFC 5321 in some respect.
> >
> > - Lines longer than 990.
> >
> >The Postfix SMTP client keeps the line length below the SMTP
> >protocol limit of 1000 bytes including. Since this change
> >happens after signing, it will definitely break DKIM signatures.
> >
> >To avoid long-line curruption problems send mail in quoted-printable
> >or base64 encoding, with lines of at most 80 characters long.
> >
> > - Malformed line endings.
> >
> >SMTP requires line endings, and does not allow or
> > characters in any other context.
> >
> >The Postfix sendmail commands expects UNIX-style line endings.
> >It will also accept lines ending in but you can't use
> >mixed line ending styles in the same message.
> >
> > And so on. If you want to ensure that DKIM signatures survive, you
> > need to send email that is within the protocol specs; otherwise
> > you'll have to "normalize" the message before applying the DKIM
> > signature.
> >
> > Postfix is only an MTA. It is not a message normalizer.
> >
> > Wietse
> Hi
>
> All messages used to test the dkim signatures was send with subject hhmm
> and body hhmm (ex 2126 hour 21 and 26 minutes) or with empty body.
> Nothing to complicated.
>
> Also in dkim-filter.conf I have:
>
> ## FixCRLF { yes | no }
> ##
> ## Requests that the library convert "naked" CR and LF characters to
> ## CRLFs during canonicalization. The default is "no".
This DOES NOT change the message - it just changes the way dkim-filter
computes the signature.
Instead, send email that is within the Internet email specs, and you
won't have to worry about line endings and such.
Wietse
RE: bcc send map issue - duplication when mail sent from other host
Hi Joroen, I scratched my query out a bit quickly on a Friday afternoon - Thanks for your corrections, I am indeed looking at sender_bcc_maps and recipient_bcc_maps I agree, POP is not a mail sending protocol. I'm trying to make a distinction here between mail that is sent by a POP client via the postfix mail server, and mail that is generated by a separate server with both the from and to addresses matching the sender and recipient bcc map options. Just to explain what I'm hoping to achieve: All mail sent using POP clients is copied to crm_sys...@example.com (sender_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) All mail received is copied to crm_sys...@example.com (recipient_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) I can see why postfix is doing what it's doing - When our webshop sends an order copy email from sa...@example.com to sa...@example.com, that mail matches both the sender and recipient_bcc_maps To me this seems like a legitimate attempt for using both for the same domain. I have spent several hours reviewing the documentation and experimenting to no avail. The documentation is indeed quite clear, but I can't work out how to achieve what I require here. If I just disable 'it' (either the sender_bcc_maps or the recipient_bcc_maps entry) then I won't have all sent and received mail copied to my crm_sys...@example.com address as required. Date: Fri, 16 Sep 2011 23:30:01 +0200 From: jer...@adaptr.nl To: postfix-users@postfix.org Subject: Re: bcc send map issue - duplication when mail sent from other host On 2011-09-16 04:08, Michael Ribbons wrote: Hi, I am using bcc_send_maps No such option exists. You may be referring to sender_bcc_maps. so all mail sent by POP Ugh. Re-check your basics - POP is not a mail SENDING protocol. is BCC to a particular address. So all mail from @example.com is BCCd to crm_sys...@example.com This works fine. However when we send mail from our webshop, the mail gets BCC'd as well, eg mail from webs...@example.com, mail to: sa...@example.com I think this is because the first address matches the send map spec of @example.com However I don't want this behaviour - We are also using bcc_recipient_maps so everything coming in to @example.com already gets copied to crm_sys...@example.com Again, the option is called recipient_bcc_maps. And why use both for the same domain ? That sounds suspicously like a broken configuration attempt. Is there any way to tell postfix not to use bcc_send_maps for mail sent by other sendmails? Exclude it. Map formats and examples are documented clearly. http://www.postfix.org/postconf.5.html#recipient_bcc_maps http://www.postfix.org/postconf.5.html#sender_bcc_maps http://www.postfix.org/ADDRESS_REWRITING_README.html#overview -- J.
RE: bcc send map issue - duplication when mail sent from other host
This looks like what I want: http://www.mailinglistarchive.com/postfix-users@postfix.org/msg36244.html However it doesnt seem to do anything. I have: submission inet n - n - - smtpd -o cleanup_service_name=msa-cleanup msa-cleanup unix n - - - 0 cleanup -o sender_bcc_maps=mysql:/etc/postfix/mysql_bcc_send_maps.cf If I change mysql_bcc_send_maps.cf to a file that doesn't exist, no errors are logged when sending. Also changing to -o clean_service_name=nonexistant_service doesn't generate any errors, which makes me wonder if this option is still supported on my build. From: mribb...@hotmail.com To: jer...@adaptr.nl; postfix-users@postfix.org Subject: RE: bcc send map issue - duplication when mail sent from other host Date: Mon, 19 Sep 2011 00:06:01 + Hi Joroen, I scratched my query out a bit quickly on a Friday afternoon - Thanks for your corrections, I am indeed looking at sender_bcc_maps and recipient_bcc_maps I agree, POP is not a mail sending protocol. I'm trying to make a distinction here between mail that is sent by a POP client via the postfix mail server, and mail that is generated by a separate server with both the from and to addresses matching the sender and recipient bcc map options. Just to explain what I'm hoping to achieve: All mail sent using POP clients is copied to crm_sys...@example.com (sender_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) All mail received is copied to crm_sys...@example.com (recipient_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) I can see why postfix is doing what it's doing - When our webshop sends an order copy email from sa...@example.com to sa...@example.com, that mail matches both the sender and recipient_bcc_maps To me this seems like a legitimate attempt for using both for the same domain. I have spent several hours reviewing the documentation and experimenting to no avail. The documentation is indeed quite clear, but I can't work out how to achieve what I require here. If I just disable 'it' (either the sender_bcc_maps or the recipient_bcc_maps entry) then I won't have all sent and received mail copied to my crm_sys...@example.com address as required. Date: Fri, 16 Sep 2011 23:30:01 +0200 From: jer...@adaptr.nl To: postfix-users@postfix.org Subject: Re: bcc send map issue - duplication when mail sent from other host On 2011-09-16 04:08, Michael Ribbons wrote: Hi, I am using bcc_send_maps No such option exists. You may be referring to sender_bcc_maps. so all mail sent by POP Ugh. Re-check your basics - POP is not a mail SENDING protocol. is BCC to a particular address. So all mail from @example.com is BCCd to crm_sys...@example.com This works fine. However when we send mail from our webshop, the mail gets BCC'd as well, eg mail from webs...@example.com, mail to: sa...@example.com I think this is because the first address matches the send map spec of @example.com However I don't want this behaviour - We are also using bcc_recipient_maps so everything coming in to @example.com already gets copied to crm_sys...@example.com Again, the option is called recipient_bcc_maps. And why use both for the same domain ? That sounds suspicously like a broken configuration attempt. Is there any way to tell postfix not to use bcc_send_maps for mail sent by other sendmails? Exclude it. Map formats and examples are documented clearly. http://www.postfix.org/postconf.5.html#recipient_bcc_maps http://www.postfix.org/postconf.5.html#sender_bcc_maps http://www.postfix.org/ADDRESS_REWRITING_README.html#overview -- J.
Tony's Quick Guide to CSA
was reading something about client smtp auth :=) http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/antiforgery/csa.html hope it will be supported in postfix Thanks Tony for make the guide
RE: bcc send map issue - duplication when mail sent from other host
Hi Again, I think the -o cleanup_service_name option isn't doing anything for me because of my Amavis configuration. Still investigating. From: mribb...@hotmail.com To: jer...@adaptr.nl; postfix-users@postfix.org Subject: RE: bcc send map issue - duplication when mail sent from other host Date: Mon, 19 Sep 2011 01:25:00 + This looks like what I want: http://www.mailinglistarchive.com/postfix-users@postfix.org/msg36244.html However it doesnt seem to do anything. I have: submission inet n - n - - smtpd -o cleanup_service_name=msa-cleanup msa-cleanup unix n - - - 0 cleanup -o sender_bcc_maps=mysql:/etc/postfix/mysql_bcc_send_maps.cf If I change mysql_bcc_send_maps.cf to a file that doesn't exist, no errors are logged when sending. Also changing to -o clean_service_name=nonexistant_service doesn't generate any errors, which makes me wonder if this option is still supported on my build. From: mribb...@hotmail.com To: jer...@adaptr.nl; postfix-users@postfix.org Subject: RE: bcc send map issue - duplication when mail sent from other host Date: Mon, 19 Sep 2011 00:06:01 + Hi Joroen, I scratched my query out a bit quickly on a Friday afternoon - Thanks for your corrections, I am indeed looking at sender_bcc_maps and recipient_bcc_maps I agree, POP is not a mail sending protocol. I'm trying to make a distinction here between mail that is sent by a POP client via the postfix mail server, and mail that is generated by a separate server with both the from and to addresses matching the sender and recipient bcc map options. Just to explain what I'm hoping to achieve: All mail sent using POP clients is copied to crm_sys...@example.com (sender_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) All mail received is copied to crm_sys...@example.com (recipient_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) I can see why postfix is doing what it's doing - When our webshop sends an order copy email from sa...@example.com to sa...@example.com, that mail matches both the sender and recipient_bcc_maps To me this seems like a legitimate attempt for using both for the same domain. I have spent several hours reviewing the documentation and experimenting to no avail. The documentation is indeed quite clear, but I can't work out how to achieve what I require here. If I just disable 'it' (either the sender_bcc_maps or the recipient_bcc_maps entry) then I won't have all sent and received mail copied to my crm_sys...@example.com address as required. Date: Fri, 16 Sep 2011 23:30:01 +0200 From: jer...@adaptr.nl To: postfix-users@postfix.org Subject: Re: bcc send map issue - duplication when mail sent from other host On 2011-09-16 04:08, Michael Ribbons wrote: Hi, I am using bcc_send_maps No such option exists. You may be referring to sender_bcc_maps. so all mail sent by POP Ugh. Re-check your basics - POP is not a mail SENDING protocol. is BCC to a particular address. So all mail from @example.com is BCCd to crm_sys...@example.com This works fine. However when we send mail from our webshop, the mail gets BCC'd as well, eg mail from webs...@example.com, mail to: sa...@example.com I think this is because the first address matches the send map spec of @example.com However I don't want this behaviour - We are also using bcc_recipient_maps so everything coming in to @example.com already gets copied to crm_sys...@example.com Again, the option is called recipient_bcc_maps. And why use both for the same domain ? That sounds suspicously like a broken configuration attempt. Is there any way to tell postfix not to use bcc_send_maps for mail sent by other sendmails? Exclude it. Map formats and examples are documented clearly. http://www.postfix.org/postconf.5.html#recipient_bcc_maps http://www.postfix.org/postconf.5.html#sender_bcc_maps http://www.postfix.org/ADDRESS_REWRITING_README.html#overview -- J.
Re: Configuring null-mail machine
On Sat, Sep 17, 2011 at 8:48 PM, tmac wrote: > I Have RHEL6 and am trying to use postfix for the first time. > > My host is server1.lab.my.org > > The mail server is mailserver.my.org > > I also have an alias file being passed around via NIS. This is used > with sendmail to re-write usernames from u...@lab.my.org or > just user to u...@my.org > > I would like to have this single host (server1) running postfix > send/forward all mailto the mailserver (mailserver.my.org). > I would also like it to re-write the user names with the NIS > aliases file. If the user does not exist in NIS, append my.org to > the email address. > > I have a setup working now, as long as I specify u...@my.org. > Anything else does not work (i.e. user or u...@lab.my.org) > > Thanks! > --tmac > Hi, I think you need to setup DNS accordingly. Put the MX record for the corresponding domain in the forward zone. -- Best Regards, Suresh Kumar Prajapati Linux Security Admin E-mail: er.sureshprajap...@gmail.com Theory is when you know all and nothing works. Practice is when all works and nobody knows why. In this case we have put together theory and practice: nothing works... and nobody knows why!
RE: bcc send map issue - duplication when mail sent from other host
I have ruled out the amavis setup. What I need is a way to specify sender_bcc_maps only if the mail is sent from an authenticated user - This may be achievable by having a separate cleanup process for submission, but I don't want to use submission - The set up on the mua side should be a "normal" pop or imap setup with any special ports eg 587. From: mribb...@hotmail.com To: jer...@adaptr.nl; postfix-users@postfix.org Subject: RE: bcc send map issue - duplication when mail sent from other host Date: Mon, 19 Sep 2011 02:05:25 + Hi Again, I think the -o cleanup_service_name option isn't doing anything for me because of my Amavis configuration. Still investigating. From: mribb...@hotmail.com To: jer...@adaptr.nl; postfix-users@postfix.org Subject: RE: bcc send map issue - duplication when mail sent from other host Date: Mon, 19 Sep 2011 01:25:00 + This looks like what I want: http://www.mailinglistarchive.com/postfix-users@postfix.org/msg36244.html However it doesnt seem to do anything. I have: submission inet n - n - - smtpd -o cleanup_service_name=msa-cleanup msa-cleanup unix n - - - 0 cleanup -o sender_bcc_maps=mysql:/etc/postfix/mysql_bcc_send_maps.cf If I change mysql_bcc_send_maps.cf to a file that doesn't exist, no errors are logged when sending. Also changing to -o clean_service_name=nonexistant_service doesn't generate any errors, which makes me wonder if this option is still supported on my build. From: mribb...@hotmail.com To: jer...@adaptr.nl; postfix-users@postfix.org Subject: RE: bcc send map issue - duplication when mail sent from other host Date: Mon, 19 Sep 2011 00:06:01 + Hi Joroen, I scratched my query out a bit quickly on a Friday afternoon - Thanks for your corrections, I am indeed looking at sender_bcc_maps and recipient_bcc_maps I agree, POP is not a mail sending protocol. I'm trying to make a distinction here between mail that is sent by a POP client via the postfix mail server, and mail that is generated by a separate server with both the from and to addresses matching the sender and recipient bcc map options. Just to explain what I'm hoping to achieve: All mail sent using POP clients is copied to crm_sys...@example.com (sender_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) All mail received is copied to crm_sys...@example.com (recipient_bcc_map entry mail=@example.com, destination=crm_sys...@example.com) I can see why postfix is doing what it's doing - When our webshop sends an order copy email from sa...@example.com to sa...@example.com, that mail matches both the sender and recipient_bcc_maps To me this seems like a legitimate attempt for using both for the same domain. I have spent several hours reviewing the documentation and experimenting to no avail. The documentation is indeed quite clear, but I can't work out how to achieve what I require here. If I just disable 'it' (either the sender_bcc_maps or the recipient_bcc_maps entry) then I won't have all sent and received mail copied to my crm_sys...@example.com address as required. Date: Fri, 16 Sep 2011 23:30:01 +0200 From: jer...@adaptr.nl To: postfix-users@postfix.org Subject: Re: bcc send map issue - duplication when mail sent from other host On 2011-09-16 04:08, Michael Ribbons wrote: Hi, I am using bcc_send_maps No such option exists. You may be referring to sender_bcc_maps. so all mail sent by POP Ugh. Re-check your basics - POP is not a mail SENDING protocol. is BCC to a particular address. So all mail from @example.com is BCCd to crm_sys...@example.com This works fine. However when we send mail from our webshop, the mail gets BCC'd as well, eg mail from webs...@example.com, mail to: sa...@example.com I think this is because the first address matches the send map spec of @example.com However I don't want this behaviour - We are also using bcc_recipient_maps so everything coming in to @example.com already gets copied to crm_sys...@example.com Again, the option is called recipient_bcc_maps. And why use both for the same domain ? That sounds suspicously like a broken configuration attempt. Is there any way to tell postfix not to use bcc_send_maps for mail sent by other sendmails? Exclude it. Map formats and examples are documented clearly. http://www.postfix.org/postconf.5.html#recipient_bcc_maps http://www.postfix.org/postconf.5.html#sender_bcc_maps http://www.postfix.org/ADDRESS_REWRITING_README.html#overview -- J.
RE: DKIM signing problem
Wietse's advice is the first thing I would try: Eliminate anything that modifies your message after signing. The most common signature failure in our analysis apart from DNS setup problems has been a message that was malformed in the first place, so when it gets "fixed" someplace downstream, the signatures break. Interestingly, a malformed "To:" field was the biggest culprit. I suggest trying again with OpenDKIM (http://www.opendkim.org). The dkim-milter package has been unmaintained for a couple of years now. It lives on under the new name, with lots of bug fixes and new features since dkim-milter's final release. If it still fails, you can get some debugging help on the OpenDKIM support lists, including some tips for figuring out what's getting changed after signing and (possibly) where and why. -MSK
