Koozali.org: home of the SME Server

DKIM Question

Offline ReetP

Re: DKIM Question
« Reply #15 on: April 26, 2018, 06:18:06 PM »
qpsmtpd or sqpsmtpd - there is a difference :-)

It does look like it is signing it (or thinks that it is)

Can you send yourself a mail to say a gmail account or elsewhere and check the header?

Or send one to me at gmail via j h crisp

Without spaces & all that jazz....

The port verifier mail should show you the headers it received as well ?

Look for:

Canonicalized Headers

dkim-signature:v=1;'20'a=rsa-sha256;'20'c=relaxed; blah blah





...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline mdrone

Re: DKIM Question
« Reply #16 on: April 27, 2018, 12:35:23 PM »
When I looked at /var/log/sqpsmtpd/current via the Server Manager panel, I get the same response as via the terminal:

Displaying lines matching: "dkim".

No matching lines displayed.


There's plenty of outgoing mail on this machine as it hosts quite a few busy Mailman lists, so if there was something in the logs, it would show up.

Per your suggestion, I sent an email from the server to my gmail address and sifted through the email header to see if "dkim-signature" was anywhere to be found. Here are the relevant authentication values:

ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of root@lists.roe3.org designates 216.125.212.237 as permitted sender) smtp.mailfrom=root@lists.roe3.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lists.roe3.org

Received-SPF: pass (google.com: domain of root@lists.roe3.org designates 216.125.212.237 as permitted sender) client-ip=216.125.212.237;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of root@lists.roe3.org designates 216.125.212.237 as permitted sender) smtp.mailfrom=root@lists.roe3.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=lists.roe3.org


Nothing.  :sad:

Ever more interesting results from the verifier.port25.com mail header (relevant authentication sections below) . . .

Authentication-Results: verifier.port25.com; spf=pass  smtp.mailfrom=root@lists.roe3.org;
 iprev=pass (matches lists.roe3.org)  policy.iprev=216.125.212.237;
 dkim=none reason="message not signed"

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@port25.com header.s=verifier201208 header.b=eVuTRfxA;
       spf=fail (google.com: domain of auth-results@verifier.port25.com does not designate 216.125.212.237 as permitted sender) smtp.mailfrom=auth-results@verifier.port25.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=port25.com

Authentication-Results: mx.google.com;
       dkim=pass header.i=@port25.com header.s=verifier201208 header.b=eVuTRfxA;
       spf=fail (google.com: domain of auth-results@verifier.port25.com does not designate 216.125.212.237 as permitted sender) smtp.mailfrom=auth-results@verifier.port25.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=port25.com


I wonder if there's an emoticon for "baffled"?

Thanks again for your assistance and suggestions.
-MD

Offline mdrone

Re: DKIM Question
« Reply #17 on: April 27, 2018, 02:17:07 PM »
On a whim, I decided to look at the mail headers on a standard message from one of the mailing lists.  It appears that dkim information is being attached after all . . .

Authentication-Results: lists.roe3.org; auth=none
Received: from localhost (HELO esmith.lists.roe3.org) (127.0.0.1)
 by lists.roe3.org (qpsmtpd/0.96) with ESMTP ; Thu, 26 Apr 2018 12:07:27 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=lists.roe3.org; h=mime-version:from:date:message-id:to:subject:list-id:list-unsubscribe:list-archive:list-post:list-help:list-subscribe:reply-to:content-type:sender; s=default; bh=26niY0kw/z2ngO7R6rSUfBa69dDp6nUvdnNrzoiNbCw=; b=YhsHF7EsUbmMG3xXsumg2zWgpPnfrYlf4ZX9eNHoKOeg07SQrtiGIWYCZ4Ijrn009jZ3683iFMit3HK/uiq0/SNxU/6hRHrQ/GA/gWFNROqIz9Atd8fPkT58Gb8xCtT9JbdkcHLAGoch4sT0zYfZKP3vEi5tJ7Kr2kW3a4hKFSQ=


Take a look: https://lists.roe3.org/mdrone/txt/original_msg.txt

OK . . . I'm feeling better about this, but why does the server appear to add DKIM signatures to mail that "passes through" it (listserv), but doesn't sign mail that originates from it?


Offline mdrone

Re: DKIM Question
« Reply #18 on: April 27, 2018, 02:32:38 PM »
One more DKIM verification (screenshot) from a listserv post using Gmail's handy "Show Original" feature:

https://lists.roe3.org/mdrone/images/listserver-DKIM-PASS.png

Offline ReetP

Re: DKIM Question
« Reply #19 on: April 27, 2018, 04:36:51 PM »
Hmm.

Which is your domain?

eoe3.org
lists.eoe3.org
emith.lists.eor3.org

Just wondering if it is to do with which host or domain the mail comes from.

You set up for multi domains. What about reverting it to 'default' which should sign everything.

Currently it will only sign from @lists.eoe3.org I think?

Offline ReetP

Re: DKIM Question
« Reply #20 on: April 27, 2018, 04:37:58 PM »
PS note that Daniel is the guru on this but he is away for a few days.

Offline mdrone

Re: DKIM Question
« Reply #21 on: April 27, 2018, 04:40:22 PM »
The domain is lists.roe3.org

I'll switch it back to the 'default' schema and see what shakes out.


Offline mdrone

Re: DKIM Question
« Reply #22 on: April 27, 2018, 05:10:11 PM »
Take a look at this.  Changed the DKIM settings back to 'default' on the server, sent email to verifier.port25.com and got the standard response (DKIM check:  none). Yet take a look at the mail header from Gmail:

https://lists.roe3.org/mdrone/images/listserver-DKIM-PASS.png
https://lists.roe3.org/mdrone/txt/email-header-from-verifier.port25.com.txt

Everything in the header appears to show that the server is sending dkim or am I reading it wrong?




Offline ReetP

Re: DKIM Question
« Reply #23 on: April 27, 2018, 06:03:37 PM »
Just mailed your gmail.
Have a look at my headers.

Offline mdrone

Re: DKIM Question
« Reply #24 on: April 27, 2018, 06:19:31 PM »
Your dkim headers match pretty closely in structure and content what I'm seeing in the mail from my list server. Leads me to believe that the response I'm receiving from verifier.port25.com could be false (?) I should look for another verification service to test against.


Offline mdrone

Re: DKIM Question
« Reply #25 on: May 01, 2018, 02:38:49 PM »
Decided to create a standard user on my dev box (cloud.roe3.org).  Once that was done and IMAP was allowed, I set up Thunderbird and sent an email to my Gmail account. Upon examining the header, here's what I discovered:

Received: (qmail 14327 invoked by uid 453); 1 May 2018 12:18:07 -0000
X-Virus-Checked: by ClamAV 0.99.3 on cloud.roe3.org
X-Virus-Found: No
Authentication-Results: cloud.roe3.org; auth=pass (plain) smtp.auth=mdrone
Received: from 40-128-0-8.static.hofnet.net (HELO [192.168.1.6]) (40.128.0.8) by cloud.roe3.org (qpsmtpd/0.96) with ESMTPSA (ECDHE-RSA-AES256-GCM-SHA384 encrypted); Tue, 01 May 2018 07:18:07 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=cloud.roe3.org; h=to:from:subject:message-id:date:mime-version:content-type:content-transfer-encoding; s=default; bh=RcNhfDAnlpYIdmP4zcB61d8herkrDXBrkvNLjo+pZgs=; b=rg6RZ4YnrizqHh8VgH8sd4XWrY4x3U1uEo6wahZIiWxCXwpDvvgOH9a41qwBuTCcGaFw70W4xZMSN5ns+zYEEMV0k149eu1LzMhaeK0xyUPjAH0Zwv76Zl+bh84vGqyv7pV3lObmdtOFK6HWnkgwgIcYDCcrtUjZEpd1JUXhfB4=
To: mdrone@gmail.com
From: MD <mdrone@cloud.roe3.org>
Subject: Test message
Message-ID: <765c53fe-1c22-1b66-8be6-9b29368d8c49@cloud.roe3.org>
Date: Tue, 1 May 2018 07:18:05 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US


It appears that the DKIM signature is being sent with email that passes through the server. That's a good sign.
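
Added example, not part of the original thread: a small Python check that does the header inspection discussed above, listing each DKIM-Signature on a raw message, the DNS name its public key should be published under, whether its d= domain matches the From: domain, and the dkim= verdicts receivers recorded. The sample messages are constructed from the headers quoted in the posts (bh=/b= are placeholders, mx.example.net is hypothetical), and the alignment test is a simplification: exact match or From: being a subdomain of d=.

```python
import email
from email.utils import parseaddr

# Constructed samples modelled on the thread's headers; bh=/b= are placeholders.
SIGNED = """\
Authentication-Results: mx.example.net; dkim=pass header.i=@cloud.roe3.org header.s=default
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=cloud.roe3.org;
 h=to:from:subject:message-id:date:mime-version; s=default;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
From: MD <mdrone@cloud.roe3.org>
Subject: Test message
"""
UNSIGNED = """\
Authentication-Results: verifier.port25.com; spf=pass smtp.mailfrom=root@lists.roe3.org;
 dkim=none reason="message not signed"
From: root@lists.roe3.org
Subject: Test
"""

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace in the value
    return tags

def dkim_report(raw):
    """Summarise DKIM signatures and recorded dkim= verdicts for one raw message."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    sigs = []
    for value in msg.get_all("DKIM-Signature", []):
        t = parse_tags(value)
        d = t.get("d", "").lower()
        sigs.append({
            "d": d,
            "dns_record": f'{t.get("s")}._domainkey.{d}',  # where the public key lives
            "signs_from": "from" in t.get("h", "").lower().split(":"),
            # Simplified alignment (assumption): exact match or From is a subdomain of d=
            "aligned": from_domain == d or from_domain.endswith("." + d),
        })
    verdicts = [w[5:].rstrip(";") for v in msg.get_all("Authentication-Results", [])
                for w in v.split() if w.startswith("dkim=")]
    return {"from_domain": from_domain, "signatures": sigs, "verdicts": verdicts}

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        print(name, dkim_report(raw))
```

An empty `signatures` list together with a `none` verdict means the message left the server unsigned, which is a different failure from a signature that is present but fails verification.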