They reckoned:
I would like to know if some of you have installed domainkeys in Scalix, specifically the aggregate dk-milter. Someone has a guideline that really function, since I
have not been able to install it correctly.
Him abandonment the technical data of my server:
OS : RedHat Enterprise 4 2.6.9-11.EL
SCALIX : Server Version 11.0.4.10790
Cordial greetings
Sebastian
P.D : Sorry my English!
DomainKeys Scalix 11!
Moderator: ScalixSupport
-
jaime.pinto
- Scalix Star
- Posts: 709
- Joined: Fri Feb 23, 2007 6:50 pm
- Location: Toronto - Canada
Yes. I we had dk with the same configuration you have, and it works fine.
Detailed setup instructions can be found here:
http://www.elandsys.com/resources/sendm ... nkeys.html
This is my simplified steps (use above link for accurate info)
1) You need to download and compile the dk-filter. At the end you need the executable in /usr/bin/dk-filter
If you can't find the source, rpm of it doesn't compile just send me a Private message and I send you the dk-filter already compiled for RHEL4
2) The following line in /etc/mail/sendmail.mc
INPUT_MAIL_FILTER(`dk-filter', `S=inet:8891@mail.yourdomain.com'
Just before MAILER(smtp)dnl
3) A line such as the one below in DNS records for your domain (openssl generated key):
dkmail._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJuFz44JxOIjSkvZo4MPCZ2ERvL87alAr3YETRiwETrBRkCAwEAAQ==" ; ----- DomainKey dkmail for yourdomain.com
4) A user/group in /etc/passwd
domainkeys:x:302:302:DomainKeys System Account:/home/domainkeys:/bin/bash
5) A init.d script or an entry in /etc/local to start the dk-milter daemon:
/usr/bin/dk-filter -h -l -p inet:8891@mail.yourdomain.com -C bad=r,dns=t,int=t,no=a,miss=r -d yourdomain.com -u domainkeys -s /etc/mail/domainkeys/dkmail.pem -S dkmail
Detailed setup instructions can be found here:
http://www.elandsys.com/resources/sendm ... nkeys.html
This is my simplified steps (use above link for accurate info)
1) You need to download and compile the dk-filter. At the end you need the executable in /usr/bin/dk-filter
If you can't find the source, rpm of it doesn't compile just send me a Private message and I send you the dk-filter already compiled for RHEL4
2) The following line in /etc/mail/sendmail.mc
INPUT_MAIL_FILTER(`dk-filter', `S=inet:8891@mail.yourdomain.com'
Just before MAILER(smtp)dnl
3) A line such as the one below in DNS records for your domain (openssl generated key):
dkmail._domainkey IN TXT "g=; k=rsa; t=y; p=MFwwDQYJuFz44JxOIjSkvZo4MPCZ2ERvL87alAr3YETRiwETrBRkCAwEAAQ==" ; ----- DomainKey dkmail for yourdomain.com
4) A user/group in /etc/passwd
domainkeys:x:302:302:DomainKeys System Account:/home/domainkeys:/bin/bash
5) A init.d script or an entry in /etc/local to start the dk-milter daemon:
/usr/bin/dk-filter -h -l -p inet:8891@mail.yourdomain.com -C bad=r,dns=t,int=t,no=a,miss=r -d yourdomain.com -u domainkeys -s /etc/mail/domainkeys/dkmail.pem -S dkmail
Jaime||||||||||||||||||||||||||||||||||||||||
-
snrcl
Re: DK
Hello, thanks for your reply. You know, I descend a rpm of dk-milter and this installed and all, but al to send mail to yahoo.com throws me the error:
Authentication Results: mta557.mail.mud.yahoo.com from = xxxxxxxx. cl; domainkeys = fail (bad sig)
I did the registration txt with the correct name of the selector for example: secure. _domainkey.xxxxxxxxx.cl with the key RSA and the registration of politicas _domainkey.xxxxxxxx.cl in my bind-dns.
Yahoo asks me alone that you coax him dk-milter, carry out a test in sendmail.net (sa-test@sendmail.net) and the error throws me in DK, and DKIM not this installed obviously ¿is necessary that coax him it?
Authentication System: DomainKeys Identified Mail
Result: (no result present)
Reporting host:
More information: http://mipassoc.org/dkim/
Sendmail milter: https://sourceforge.net/projects/dkim-milter/
Authentication System: Domain Keys
Result: DK signature confirmed BAD
Description: Signature verification failed, message may have been tampered with or corrupted
Reporting host: sendmail.net
More information: http://antispam.yahoo.com/domainkeys
Sendmail milter: https://sourceforge.net/projects/domainkeys-milter/
Authentication System: Sender ID
Result: SID data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://www.microsoft.com/senderid
Sendmail milter: https://sourceforge.net/projects/sid-milter/
Authentication System: Sender Permitted From (SPF)
Result: SPF data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://spf.pobox.com/
You comment that have problems with Yahoo and Hotmail since emigrate the servant since a supplier to the corporate network, I have registration SPF, IP back and all and I have not been able to solve it.
Thanks for all
Greetings
Sebastian
p.d : sorry my english!
Authentication Results: mta557.mail.mud.yahoo.com from = xxxxxxxx. cl; domainkeys = fail (bad sig)
I did the registration txt with the correct name of the selector for example: secure. _domainkey.xxxxxxxxx.cl with the key RSA and the registration of politicas _domainkey.xxxxxxxx.cl in my bind-dns.
Yahoo asks me alone that you coax him dk-milter, carry out a test in sendmail.net (sa-test@sendmail.net) and the error throws me in DK, and DKIM not this installed obviously ¿is necessary that coax him it?
Authentication System: DomainKeys Identified Mail
Result: (no result present)
Reporting host:
More information: http://mipassoc.org/dkim/
Sendmail milter: https://sourceforge.net/projects/dkim-milter/
Authentication System: Domain Keys
Result: DK signature confirmed BAD
Description: Signature verification failed, message may have been tampered with or corrupted
Reporting host: sendmail.net
More information: http://antispam.yahoo.com/domainkeys
Sendmail milter: https://sourceforge.net/projects/domainkeys-milter/
Authentication System: Sender ID
Result: SID data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://www.microsoft.com/senderid
Sendmail milter: https://sourceforge.net/projects/sid-milter/
Authentication System: Sender Permitted From (SPF)
Result: SPF data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://spf.pobox.com/
You comment that have problems with Yahoo and Hotmail since emigrate the servant since a supplier to the corporate network, I have registration SPF, IP back and all and I have not been able to solve it.
Thanks for all
Greetings
Sebastian
p.d : sorry my english!
-
jaime.pinto
- Scalix Star
- Posts: 709
- Joined: Fri Feb 23, 2007 6:50 pm
- Location: Toronto - Canada
Hi Sebastian
I'm glad you found a rpm, and the executable is working. That's the hardest part.
You seem to be in the right track. The only way you could have problem with this is if the signature the milter is generating on the scalix server is not matching the public key published by the DNS server.
I suggest you retrace your steps, generate the public and private keys again on the scalix server as the domainkey user (in its home directory). Follow the instructions on the link I gave you previously to the letter, and look for the "...==" at the end of the public key.
Pay special attention to the selector name and where there are recurrences of this parameter, since that is the way the recipient side will match your signature against on the DNS server. Be mindful of the syntax.
Most importantly, be sure to have the forward and reverse DNS for your server properly configured, since in this case domainkey will be redundant. If you don't have authority over the IPs you're using, the reverse DNS will not match your domain, therefore the domainkey feature becomes very relevant and necessary. If in addition, the domainkey (which only depends on you) is not properly configured, a test email to yahoo will lend the email in the junk folder. If you make a change on the DNS, don't forget to increase the serial number and reload the service, and keep in mind that change could take a couple of hours to propagate to yahoo.
Good luck
I'm glad you found a rpm, and the executable is working. That's the hardest part.
You seem to be in the right track. The only way you could have problem with this is if the signature the milter is generating on the scalix server is not matching the public key published by the DNS server.
I suggest you retrace your steps, generate the public and private keys again on the scalix server as the domainkey user (in its home directory). Follow the instructions on the link I gave you previously to the letter, and look for the "...==" at the end of the public key.
Pay special attention to the selector name and where there are recurrences of this parameter, since that is the way the recipient side will match your signature against on the DNS server. Be mindful of the syntax.
Most importantly, be sure to have the forward and reverse DNS for your server properly configured, since in this case domainkey will be redundant. If you don't have authority over the IPs you're using, the reverse DNS will not match your domain, therefore the domainkey feature becomes very relevant and necessary. If in addition, the domainkey (which only depends on you) is not properly configured, a test email to yahoo will lend the email in the junk folder. If you make a change on the DNS, don't forget to increase the serial number and reload the service, and keep in mind that change could take a couple of hours to propagate to yahoo.
Good luck
Last edited by jaime.pinto on Thu Oct 11, 2007 11:42 pm, edited 1 time in total.
Jaime||||||||||||||||||||||||||||||||||||||||
-
snrcl
Hello Jaime, thanks for help!
I will test creating the keys RSA as the usario "dk-milter" since /home:), since the registrations are created correctly.
You enclosed file of script of start:
(extract to /etc/init.d/dk-milter)
### Default variables
USER="dk-milt"
PORT="inet:8891@localhost"
SIGNING_DOMAIN="xxxxxxxxxxxxxx.cl"
SELECTOR_NAME="secure"
KEYFILE="/etc/mail/domainkeys/secure.key.pem"
SIGNER=yes
VERIFIER=yes
CANON=nofws
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
SYSCONFIG="/etc/sysconfig/dk-milter"
You set you that the name of the selector if coincides with the registration DNS created.
> secure._domainkey.xxxxxxxxxxxxx.cl
Servidor: alfa.dns.vtr.net
Address: 200.83.1.4
Respuesta no autoritativa:
secure._domainkey.xxxxxxxxxx.cl text =
"k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMhCTwKDCRzAccmIqwkSr395J
58pNiRg0/pnEO+Yq3M/QLLK1kwvoMryoJecL8YabnCHghxqMKdTkzZ6IgfmW6b3R49MB+/Fzm6M0I2fI
XzeQGv7nArkECN4lmSb3CUBAwIDAQAB"
> _domainkey.xxxxxxxxxx.cl
Servidor: alfa.dns.vtr.net
Address: 200.83.1.4
Respuesta no autoritativa:
_domainkey.xxxxxxxxxxxxx.cl text =
"t=y; o=~; n=http://correo.xxxxxxxxxx.cl"
Besides I confirm you that the IP-reverse if is configured correctly
Greetings and thanks again.
Sebastian
I will test creating the keys RSA as the usario "dk-milter" since /home:), since the registrations are created correctly.
You enclosed file of script of start:
(extract to /etc/init.d/dk-milter)
### Default variables
USER="dk-milt"
PORT="inet:8891@localhost"
SIGNING_DOMAIN="xxxxxxxxxxxxxx.cl"
SELECTOR_NAME="secure"
KEYFILE="/etc/mail/domainkeys/secure.key.pem"
SIGNER=yes
VERIFIER=yes
CANON=nofws
REJECTION="bad=r,dns=t,int=t,no=a,miss=r"
EXTRA_ARGS="-h -l -D"
SYSCONFIG="/etc/sysconfig/dk-milter"
You set you that the name of the selector if coincides with the registration DNS created.
> secure._domainkey.xxxxxxxxxxxxx.cl
Servidor: alfa.dns.vtr.net
Address: 200.83.1.4
Respuesta no autoritativa:
secure._domainkey.xxxxxxxxxx.cl text =
"k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMhCTwKDCRzAccmIqwkSr395J
58pNiRg0/pnEO+Yq3M/QLLK1kwvoMryoJecL8YabnCHghxqMKdTkzZ6IgfmW6b3R49MB+/Fzm6M0I2fI
XzeQGv7nArkECN4lmSb3CUBAwIDAQAB"
> _domainkey.xxxxxxxxxx.cl
Servidor: alfa.dns.vtr.net
Address: 200.83.1.4
Respuesta no autoritativa:
_domainkey.xxxxxxxxxxxxx.cl text =
"t=y; o=~; n=http://correo.xxxxxxxxxx.cl"
Besides I confirm you that the IP-reverse if is configured correctly
Greetings and thanks again.
Sebastian
Return to “Third Party Integration”
Who is online
Users browsing this forum: No registered users and 2 guests