Andrew Haveland-Robinson
2008-01-04 10:42:24 UTC
I wanted to use DKIM with Sendmail on Fedora 7. Easy, I thought, just do the
following:
1. yum install dkim-filter (+dependencies)
2. create keys
3. edit a couple of template files
4. update dns txt records
5. /etc/init.d/named reload
6. /etc/init.d/dkim-filter start
7. /etc/init.d/sendmail (or MailScanner) restart
Max 30 mins work.
However, life is rarely so simple.
yum search dkim didn't find anything.
So, based on what I could find, I ended up here. Downloaded dkim-filter
2.4.1 and went on an epic voyage of discovery into the RFCs and other stuff.
I just want to install, configure and run the thing!
Anyway. I thought compilation would be straightforward, but no. More
unfamiliar stuff to read. I dutifully read the site.config.m4.dist, copied
to devtools/Site/site.config.m4 and hoped to make some intelligent decisions
on what options to enable.
# ./Build
...
/etc/mail/dkim/dkim-milter-2.4.1/dkim-filter
Configuration: pfx=, os=Linux, rel=2.6.23.1-10.fc7, rbase=2, rroot=2.6.23.1-10, arch=x86_64, sfx=, variant=optimized
Using M4=/usr/bin/m4
Creating /etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter using /etc/mail/dkim/dkim-milter-2.4.1/devtools/OS/Linux
Making dependencies in /etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
make[1]: Entering directory `/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
rm -f sm_os.h
ln -f -s ../../include/sm/os/sm_os_linux.h sm_os.h
cc -M -I. -I../../include -I../libdkim/ -D_REENTRANT config.c dkim-ar.c dkim-filter.c stats.c test.c util.c dkim-testkey.c dkim-testssp.c >> Makefile
In file included from config.h:23,
dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
In file included from dkim-ar.h:19,
dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
dkim-filter.c:59:29: error: libmilter/mfapi.h: No such file or directory
In file included from config.h:23,
dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
test.h:24:29: error: libmilter/mfapi.h: No such file or directory
dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
make[1]: *** [depend] Error 1
make[1]: Leaving directory `/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
Making in /etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
make[1]: Entering directory `/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
cc -O2 -I. -I../../include -I../libdkim/ -D_REENTRANT -DXP_MT -c -o config.o config.c
In file included from config.h:23,
dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
In file included from config.h:23,
dkim-filter.h:86: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_connect’
dkim-filter.h:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_envfrom’
dkim-filter.h:88: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_header’
dkim-filter.h:89: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_eoh’
dkim-filter.h:90: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_body’
dkim-filter.h:91: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_eom’
dkim-filter.h:92: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_abort’
dkim-filter.h:93: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘mlfi_close’
make[1]: *** [config.o] Error 1
make[1]: Leaving directory `/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
make: *** [all] Error 2
After some googling, a "yum install sendmail-devel" fixed this problem, and
a ./Build -c completed successfully.
I copied /devtools/OS/Linux to /devtools/Site/site.Linux.m4
./Build install was successful after manually creating dirs /usr/man/man15
and /usr/man/man18
Fedora manuals are in /usr/share/man
The files /usr/bin/dk* should have ownership root:root instead of bin.
Sendmail of Fedora 7 is currently 8.14.1:
# sendmail -d0.1
Version 8.14.1
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
I created the keys, updated the dns zone files and decided to use user smmsp
instead of creating yet another user.
I created:
/var/db/dkim :
-rw-r----- 1 smmsp smmsp 887 2008-01-01 08:30 jan2008.admin.key.pem
-rw-r--r-- 1 smmsp smmsp 272 2008-01-01 08:30 jan2008.admin.public.pem
/var/run :
drwxr-xr-x 2 smmsp smmsp 4096 2008-01-04 09:23 milter
and created this basic start/stop init script:
/etc/init.d/dkim-filter
then:
chkconfig --add dkim-filter
chkconfig dkim-filter on
#!/bin/bash
#
# dkim-filter Starts /usr/bin/dkim-filter
#
# chkconfig: 2345 67 33
#
# description: Domain Keys Milter
# processname: dkim-filter
#
# Source function library.
. /etc/init.d/functions

# Nothing to do if the filter binary is not installed.
[ -f /usr/bin/dkim-filter ] || exit 0

RETVAL=0
umask 077

start() {
    echo -n $"Starting dkim-filter: "
    /usr/bin/dkim-filter -x /etc/mail/dkim.conf
    RETVAL=$?
    if [ $RETVAL -eq 0 ]
    then
        echo_success
        touch /var/lock/subsys/dkim-filter
    else
        echo_failure
    fi
    echo
}

stop() {
    echo -n $"Shutting down dkim-filter: "
    /bin/kill `cat /var/run/milter/dkim-filter.pid 2> /dev/null ` > /dev/null 2>&1
    RETVAL=$?
    sleep 3
    if [ $RETVAL -eq 0 ]
    then
        echo_success
        rm -f /var/lock/subsys/dkim-filter
        rm -f /var/run/milter/dkim-filter.pid
    else
        echo_failure
    fi
    echo
}

rhstatus() {
    status dkim-filter
    RETVAL=$?
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        rhstatus
        ;;
    restart|reload)
        restart
        ;;
    condrestart)
        # Restart only if the service is currently marked as running.
        [ -f /var/lock/subsys/dkim-filter ] && restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
        exit 1
esac

# Report the result of the requested action, not of the last echo.
exit $RETVAL
Now for configuration files:
/etc/mail/dkim.conf :
Canonicalization relaxed/simple
Domain /etc/mail/domains
KeyFile /var/db/dkim/jan2008.admin.key.pem
#MTA MTA
Selector jan2008.admin
SignatureAlgorithm rsa-sha256
Socket inet:***@localhost
#Socket /var/run/milter/dkim-filter.sock
Syslog Yes
SyslogSuccess Yes
Userid smmsp
PidFile /var/run/milter/dkim-filter.pid
SubDomains Yes
X-Header No
SendReports No
/etc/mail/domains contains just one domain on one line.
and added to sendmail.rc:
INPUT_MAIL_FILTER(`dkim-filter', `S=inet:***@localhost')
I started the script with
/etc/init.d/dkim-filter start
Jan 4 10:58:10 gaia dkim-filter[6033]: Sendmail DKIM Filter v2.4.1 starting (args: -x /etc/mail/dkim.conf)
It even adds signatures to my messages (hopefully to this one), but silently
crashes regularly without any indication on processing a simple locally
generated mail from a perl script and/or/exor from logwatch or virus
Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 header
Jan 3 02:57:18 gaia last message repeated 6 times
Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 eoh
Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: Milter (dkim-filter): to error state
I have spent the last couple of days trying to solve this
The only relevant information I found was Jim Hermann's useful message and
thread last month
http://www.mail-archive.com/dkim-milter-***@lists.sourceforge.net/msg00409.html
I'm disappointed, disillusioned and frustrated in trying to nail jelly to a
wall... This doesn't say anything useful at all!
milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
It only seems to happen by locally generated mail, sometimes it even seemed
as if having a Reply-To: field influenced its crash frequency, but without
real diagnostic tools, skills and a lot of time, I can't solve it. I'm an
experienced sysadmin, not a C programmer! Programmers should try to make all
our lives easier! :-)
I want to get this working reliably and dependably on a few production
systems, and know what options to compile with and what settings to use for
Fedora, but I'm now stumped.
When it does work, another gripe is this padding too short error, which may
Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080 SSL error:04067069:rsa routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short; error:04077068:rsa routines:RSA_verify:bad signature
Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080: bad signature data
How can a gmail signature fail verification? What did it fail on? What is
the "i" in "header.i" ?
It was a mysql mailing list, so perhaps other headers got in the way, but
this isn't what I would call a robust solution! Omitheaders command in
dkim.conf seems to be a blanket fudge.
If we are to stand a chance of defeating spammers, then we have to make DKIM
easier to install and configure so mere mortals can install and use it, and
encourage adoption. I'm sure many would like to see dkim-filter available
in rpm for various distros.
However, Network Solutions, amongst others need to wake up and allow people
to modify their DNS TXT attributes... Here's what their completely
ridiculous FAQ says on the subject:
http://customersupport.networksolutions.com/article.php?id=369
"Can I Make Changes To The TXT Record
Network Solutions does not currently support changes to the
TXT record for a domain name registration.
The TXT Record is strictly informational, not functional."
What planet are they living on?
Cheers,
Andy.
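
Added example, not part of the original message and not dkim-filter code: what the "Canonicalization relaxed/simple" and "SignatureAlgorithm rsa-sha256" settings in the dkim.conf above mean to a verifier, which DNS name the "Selector" maps to, and what the i= tag reported as "header.i" holds (RFC 6376 calls it the Agent or User Identifier, the identity on whose behalf the message is signed). The domain example.org, the sample header and the bodies are constructed, the function names are this example's own, and only the selector jan2008.admin is taken from the message.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a DKIM tag=value list (a DKIM-Signature header value or a key record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(tags):
    """DNS name whose TXT record must hold the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def relaxed_header(name, value):
    """'relaxed' header canonicalization: case, folding and space runs are ignored."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse and trim whitespace
    return f"{name.strip().lower()}:{value}\r\n"

def simple_body(body):
    """'simple' body canonicalization: only trailing empty lines are ignored."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body):
    """The bh= value an rsa-sha256 signer emits and a verifier recomputes."""
    return base64.b64encode(hashlib.sha256(simple_body(body)).digest()).decode()

def body_intact(sig_value, body):
    """True when the received body still matches the signature's bh= tag."""
    return parse_tags(sig_value)["bh"] == body_hash(body)

# Constructed sample data: a signed body, the same body after a list added a
# footer in transit, and a DKIM-Signature value with an empty b= tag.
SIGNED_BODY = b"Nightly report attached.\r\n\r\n"
LIST_BODY = SIGNED_BODY + b"-- \r\nMailing list footer added in transit\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=jan2008.admin;\r\n"
       "\ti=andy@example.org; h=from:reply-to; bh=" + body_hash(SIGNED_BODY) + "; b=")

if __name__ == "__main__":
    tags = parse_tags(SIG)
    print("signing domain d= :", tags["d"])
    print("identity i=       :", tags["i"])
    print("key TXT record at :", key_query_name(tags))
    print("original body ok  :", body_intact(SIG, SIGNED_BODY))
    print("with list footer  :", body_intact(SIG, LIST_BODY))
    print(relaxed_header("Reply-To", "  Andy\r\n\t<andy@example.org> "), end="")
```

With a "simple" body, any byte a relay or list adds before the trailing blank lines changes bh=, while a "relaxed" header survives refolding and respacing.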