New feature DKIM

Use this forum if you want to discuss a problem or ask a question related to a hMailServer beta release.
Libelle
New user
Posts: 19
Joined: 2006-02-02 20:41

New feature DKIM

Post by Libelle » 2009-02-03 12:29

Hi everybody!

I love this new feature DKIM and I am looking forward to getting this running in my production environment. Unfortunately DKIM may not be as easy to implement as SPF. So I would suggest collecting tips and tricks to get this running with hmailserver.
I would like to start with a good reference on how to implement DKIM:
http://www.heise-online.co.uk/networks/ ... res/112001

Best regards

Libelle

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-03 12:39

Yes, DKIM is more complicated than SPF in many ways. I'm guessing 60% of the people who voted for the feature will consider it too complex and skip using it. :?
  • A general tip would be to always choose relaxed as the canonicalization method unless you're very paranoid. I'm not sure, but I'm guessing the simple canonicalization method is too simple to work in practice (due to header modifications made by virus scanners, spam protection and so on).
  • When you set up DKIM records in the DNS, enable the test mode at the start. Otherwise, if you screw up, mail from you may be dropped.
  • Also, when you've set up DKIM records, use a DKIM test reflector to test that your configuration is correct. There's one here:
    http://testing.dkim.org/reflector.html
  • I would also recommend sending messages to gmail and yahoo to confirm that their DKIM tests don't drop your email.
I haven't set it up myself yet, so I'm not sure the DKIM operations in hMailServer fully work yet. (It's of course tested, but I haven't run it live myself.) :)

Libelle
New user
Posts: 19
Joined: 2006-02-02 20:41

Re: New feature DKIM

Post by Libelle » 2009-02-05 02:19

Selector:

This field is mandatory and you must put the name of the used key in there. The same name must be used as a TXT entry in your DNS server.

Example:

Maildomain: "YourDomain.com"
Keyname: "MyFirstDKIMKey" -> put this in the selector field
TXT-Entry: "MyFirstDKIMKey._domainkey.YourDomain.com" ("._domainkey." is mandatory and case sensitive)
MyFirstDKIMKey._domainkey.YourDomain.com IN TXT "v=DKIM1\; k=rsa\; t=y\; p=###############"
v=DKIM1\; -> Version is DKIM 1
k=rsa\; -> used key is type RSA
p=##### -> ##### represents the public key corresponding to the used private key "MyFirstDKIMKey"

Please report errors.
Best regards

Libelle aka Georg

Libelle
New user
Posts: 19
Joined: 2006-02-02 20:41

Re: New feature DKIM

Post by Libelle » 2009-02-06 11:42

Hi, now I have my DNS ready. Unfortunately there is an issue with an old Plesk version where you are not allowed to create a subdomain with an underscore (_domainkey), so my provider now has to do some work by hand... :-)

Next problem is that the testing E-Mail seems to be overloaded...
---
<<< 452 4.4.5 Insufficient disk space; try again later
<dkim-test@testing.dkim.org>... Deferred: 452 4.4.5 Insufficient disk space; try again later
---

Does anybody have the same problem?

Best regards

Libelle aka georg

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-06 11:43

The reflectors are typically down. Send an email to all 5 listed on the page and hope that one responds...

Libelle
New user
Posts: 19
Joined: 2006-02-02 20:41

Re: New feature DKIM

Post by Libelle » 2009-02-06 15:14

Next Results:

Reflector Blackops: dktest (at) blackops (dot) org working but:


"DEBUG" 1932 "2009-02-06 13:43:25.191" "DKIM: Domain is in test mode. Results of test won't have any effect."
"DEBUG" 1932 "2009-02-06 13:43:25.191" "DKIM: Header verification failed."
"DEBUG" 1932 "2009-02-06 13:43:25.191" "Spam test: SpamTestDKIM, Score: 0"
Does that mean that the header verification failed and it will not count, or does the header verification fail because it does not count?

Here is the body of the result mail:


From dkimtestXgeorg.net Fri Feb  6 04:43:18 2009
Received: from pop.nethinks.com (relay.nethinks.com [212.218.18.103])
	by medusa.blackops.org (8.14.2/8.14.2) with ESMTP id n16ChCSA057898
	for <dktestXblackops.org>; Fri, 6 Feb 2009 04:43:15 -0800 (PST)
	(envelope-from dkimtestXgeorg.net)
X-SenderID: Sendmail Sender-ID Filter v1.0.0 medusa.blackops.org n16ChCSA057898
Authentication-Results: medusa.blackops.org; sender-id=pass header.from=dkimtestXgeorg.net; spf=pass smtp.mfrom=dkimtestXgeorg.net
Received: from mail.georg.net ([81.210.222.45])
	(authenticated bits=0)
	by pop.nethinks.com (8.13.4/8.13.4/Debian-3) with ESMTP id n16CgtYH006457
	for <dktestXblackops.org>; Fri, 6 Feb 2009 13:42:57 +0100
dkim-signature: a=rsa-sha256; d=georg.net; s=mail200901;
	c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	bh=jWV0hmb67okgiIHq3O6cF/NtnIE4Jbz5fHPyEh8OfQs=;
	b=JiEgY3ibtlOPyF2eKdu9dN1mBvs83bDEqOBXRnmTDlDwBhZHWaHyw0MB8JA86RB65NKLs+OECPs1RIj50SDOwmybPwo3+EkzAq1nZpmzpXuBz21Kyp4iHnbvLGN4kXeDnNrrhoNqdxuZsfv69DLbUMsM++awXtWDGkBI4gfLUh0=
Received: from [192.168.55.10] ([192.168.55.10])
	by mail.georg.net
	; Fri, 6 Feb 2009 13:43:05 +0100
Message-ID: <498C3059.4020401Xgeorg.net>
Date: Fri, 06 Feb 2009 13:43:05 +0100
From: DKIM TEST <dkimtestXgeorg.net>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: dktestXblackops.org
Subject: DKIM TEST 1
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=1.8 required=5.0 tests=SUBJ_ALL_CAPS autolearn=no
	version=3.2.5
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on medusa.blackops.org

DKIM TEST 1
There is no pass or fail for the DKIM check. What is the problem here?

The same DKIM incoming check problem with sa-test (at) sendmail (dot) net:


"DEBUG" 1924 "2009-02-06 13:47:48.951" "DKIM: Domain is in test mode. Results of test won't have any effect."
"DEBUG" 1924 "2009-02-06 13:47:48.967" "DKIM: Validation of body hash failed."
"DEBUG" 1924 "2009-02-06 13:47:48.967" "Spam test: SpamTestDKIM, Score: 0"
And here is the body of the answer:


sendmail.net Sender Authentication Auto-Responder $Revision: 1.6 $

This service runs at <sa-test@sendmail.net> and allows remote users
to perform a simple, automated test to see if different Sender
Authentication schemes are working.  Mail sent to this service
is checked by our Sender Authentication filters for any valid
credentials or signatures.  A script receives the message, checks
for a special header with the results of the tests, and composes
this response message based on what it finds.  This response is also
signed with DomainKeys and DomainKeys Identified Mail (DKIM).

Please note that the DKIM filter signing this reply message conforms
to the latest IETF draft version, and thus may not be successfully
verified by older implementations.  If you are using dkim-filter from
Sendmail, Inc., upgrade to at least version 1.0.0 to be compatible
with the most recent version of DKIM.

We hope this service has been helpful to you.

Authentication System:       DomainKeys Identified Mail
   Result:                   (no result present) 
   Reporting host:                               
   More information:         http://mipassoc.org/dkim/
   Sendmail milter:          https://sourceforge.net/projects/dkim-milter/

Authentication System:       Domain Keys         
   Result:                   (no result present) 
   Reporting host:                               
   More information:         http://antispam.yahoo.com/domainkeys
   Sendmail milter:          https://sourceforge.net/projects/domainkeys-milter/

Authentication System:       Sender ID           
   Result:                   SID data confirmed GOOD
   Description:              Sending host is authorized for sending domain
   Reporting host:           sendmail.net        
   More information:         http://www.microsoft.com/senderid
   Sendmail milter:          https://sourceforge.net/projects/sid-milter/

Authentication System:       Sender Permitted From (SPF)
   Result:                   SPF data confirmed GOOD
   Description:              Sending host is authorized for sending domain
   Reporting host:           sendmail.net        
   More information:         http://spf.pobox.com/
No result for DKIM.... argl.... Anybody have an idea?

MP3Freak
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: New feature DKIM

Post by MP3Freak » 2009-02-06 15:16

Martin,

as for the DKIM topic in general: shall I include the generation of the keys within this one:
http://www.hmailserver.com/forum/viewto ... 12&t=13953
at some point, so folks could prepare for DKIM in the same easy way?

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: New feature DKIM

Post by GlenC » 2009-02-06 15:17

I can't seem to get this working... I've tried several reflectors, and each seems to give somewhat different fail messages but this one seems most clear:


Note: The authentication results are not available as
there was no signature header or the signature could
not be verified
Yet, below that is the header which in part shows:


dkim-signature: a=rsa-sha256; d=mydomain.com; s=dkim1;
So, it appears to me that I do have a signature but maybe it doesn't recognize it? I tested the same reflector with gmail and the only difference I could see is that their signature header starts with "DKIM-Signature:" (caps). Is this possibly the source of my problem or am I just looking in the wrong area?

Other results from different reflectors:


Authentication System:       DomainKeys Identified Mail
   Result:                   (no result present)
and


    RSA-128 err: me@mydomain.com hdrdiffs=none; bodyvfy=yes; openssl=error:04077068:lib(4):func(119):reason(104);
Any pointers from someone having it working?

Libelle
New user
Posts: 19
Joined: 2006-02-02 20:41

Re: New feature DKIM

Post by Libelle » 2009-02-06 15:25

One reason for DKIM errors:

Wrong settings in your DNS... You may have to recheck whether your DNS is sending the correct keys on the correct query.

Your sending e-mail address is myemail at mydomain dot tld
Your key name / number is mydkimkey01 (selector field)
The checking system will query: TXT from mydkimkey dot _domainkey dot mydomain dot tld

You can check the answer with several websites like:
http://www.heise.de/netze/tools/dns-abfrage

Best regards

Libelle aka Georg

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-06 15:26

I haven't spent much time testing DKIM myself. I just confirmed that I was able to get a pass on the reflectors I tested with and run the verifier on around 50 different test messages with correct result. Could very well be that some adjustments are needed.

When I ran my tests, DKIM-Signature was in lower case and I had no problems with this. :-\ I haven't seen anything indicating that the DKIM-Signature field should be case sensitive. If you hold on for a day or two I may have time to run some more tests on it myself. :-\

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-06 15:28

Libelle,
Does that mean, that the Header verification failed and it will not count
Correct...

Libelle
New user
Posts: 19
Joined: 2006-02-02 20:41

Re: New feature DKIM

Post by Libelle » 2009-02-06 15:45

martin wrote:Libelle,
Does that mean, that the Header verification failed and it will not count
Correct...
Sorry??? What... This is the question of what is the reason and what is the result. Maybe I have not made myself clear.
Did the header verification fail because of the test mode or because of bad data? :?:

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-06 15:49

The test failed because of bad data. But that won't have any effect on the spam score since the domain is in test mode.

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: New feature DKIM

Post by GlenC » 2009-02-06 15:54

martin wrote:When I ran my tests, DKIM-Signature was in lower case and I had no problems with this. :-\ I haven't seen anything indicating that the DKIM-Signature field should be case sensitive. If you hold on for a day or two I may have time to run some more tests on it myself. :-\
Ok, thanks for clarifying that. I used Libelle's DNS checker and I suppose part of the problem could be that my DNS changes haven't propagated completely yet. But I think I have other issues too. I'll pick it up at a later time and see what changes.

Libelle
New user
Posts: 19
Joined: 2006-02-02 20:41

Re: New feature DKIM

Post by Libelle » 2009-02-06 16:00

martin wrote:The test failed because of bad data. But that won't have any effect on the spam score since the domain is in test mode.
Thank you for the clarification. I am aware that a domain in test mode will not result in a negative SPAM score. I just want to make sure that the error is not on my side and that we are going to get a false negative the moment the test mode flag is removed from the domain.

Now I am seeking for positive results....

Best regards

Libelle aka Georg

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: New feature DKIM

Post by GlenC » 2009-02-06 23:14

Martin, either I'm being incredibly dense and missing something very simple or I've got one of those one-off cases I'm famous for :) I still can't seem to get a good test. Finally I decided that I would try the dkim perl script that I used long ago (I quit using it because it was very resource intensive) and to my surprise, it works. Using the same private and public key... no change to DNS settings and it passes. I notice some differences in the signatures but I can't tell anything from them. I'll post the sigs here for you to look at... maybe you see something I don't. These are emails sent to my gmail account.

This one works (perl script):


DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com;
 h=message-id:date:from:mime-version:to:subject:content-type:content-transfer-encoding; s=dkim1; bh=YHaGoKKf5Be5Zagmud5y2RYtSPs=; b=FG1uW3ZB0yAvmV---cut
This one does not work (hmail internal):


dkim-signature: a=rsa-sha1; d=mydomain.com; s=dkim1;
	c=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:MIME-Version:Content-Type:Content-Transfer-Encoding;
	bh=YHaGoKKf5Be5Zagmud5y2RYtSPs=;
	b=kLl2OCHHCFKd3Cy97DK9+smxKLgkC/olnGUX---cut
I don't guess the line breaks are going to show properly here, but the first one spanned 2 lines and was not indented whereas the second one spanned 4 and was indented. Any ideas?


EDIT: After doing some more testing, I find that it only fails if I set the header method to "relaxed". However, the perl script still works with the relaxed setting.

Also, isn't the dkim-signature supposed to have "v=1"? I think it is required (not that this has anything to do with my issue).
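To see what a verifier makes of the two signatures quoted in this post (and of the lower-case field name asked about earlier), here is an added example, not hMailServer's code and not the perl script's: it parses the tag list of a DKIM-Signature value, applies the RFC 4871 defaults, and implements relaxed header canonicalization. The two sample headers are the ones from the post, with the b= values cut as posted.

```python
"""DKIM-Signature checks and relaxed header canonicalization (RFC 4871
sections 3.4.2 and 3.5). Added example for this thread; not hMailServer's
code and not the perl script's. Shows what a verifier sees in the two
signatures quoted above: the missing v= tag, how a lone "c=relaxed" expands,
and that relaxed canonicalization erases both the case of the field name and
the folding of the value, so "dkim-signature" on four lines hashes the same
as "DKIM-Signature" on two."""
import re

FOLD = re.compile(r"\r?\n[ \t]+")      # a continuation line starts with WSP
WSP_RUN = re.compile(r"[ \t]+")

# Samples quoted from the post above; the b= values are cut as posted
HMAIL_SIG = ("dkim-signature: a=rsa-sha1; d=mydomain.com; s=dkim1;\r\n"
             "\tc=relaxed/relaxed; q=dns/txt; h=From:Subject:Date:Message-ID:To:"
             "MIME-Version:Content-Type:Content-Transfer-Encoding;\r\n"
             "\tbh=YHaGoKKf5Be5Zagmud5y2RYtSPs=;\r\n"
             "\tb=kLl2OCHHCFKd3Cy97DK9+smxKLgkC/olnGUX")
PERL_SIG = ("DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com;\r\n"
            " h=message-id:date:from:mime-version:to:subject:content-type:"
            "content-transfer-encoding; s=dkim1; bh=YHaGoKKf5Be5Zagmud5y2RYtSPs=;"
            " b=FG1uW3ZB0yAvmV")


def parse_tags(value: str) -> dict:
    """tag=value list; whitespace around a tag or inside a value is folding space."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = "".join(val.split())
    return tags


def check_signature(value: str) -> dict:
    """Apply the RFC 4871 defaults and report what the reflectors complained about."""
    tags = parse_tags(value)
    problems = []
    if tags.get("v") != "1":                    # v= is REQUIRED and must be 1
        problems.append("missing or wrong v= tag (must be v=1)")
    for required in ("a", "b", "bh", "d", "h", "s"):
        if required not in tags:
            problems.append(f"missing required tag {required}=")
    canon = tags.get("c", "simple")             # no c= means simple/simple
    header_c, _, body_c = canon.partition("/")
    body_c = body_c or "simple"                 # "c=relaxed" alone is relaxed/simple
    if {header_c, body_c} - {"simple", "relaxed"}:
        problems.append(f"unknown canonicalization {canon!r}")
    if tags.get("q", "dns/txt") != "dns/txt":
        problems.append("unsupported query method " + tags["q"])
    return {"tags": tags, "canon": (header_c, body_c),
            "signed_headers": [h.lower() for h in tags.get("h", "").split(":") if h],
            "problems": problems}


def relaxed_header(raw: str) -> str:
    """Relaxed canonical form of one raw header field ("Name: value", may be folded)."""
    name, _, value = raw.partition(":")
    value = FOLD.sub(" ", value)                       # unfold continuation lines
    value = WSP_RUN.sub(" ", value).strip(" \t\r\n")   # collapse runs, trim the ends
    return f"{name.strip().lower()}:{value}\r\n"       # name lowercased, no WSP at colon


def signature_for_hashing(raw: str) -> str:
    """The DKIM-Signature field as it enters the hash: relaxed, b= emptied, no CRLF."""
    canon = relaxed_header(raw).rstrip("\r\n")
    # only the b= tag is blanked; "bh=" and base64 text are left untouched
    return re.sub(r"(?<![^;: ])b=[^;]*", "b=", canon)
```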

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-07 19:52

How does one create the public and private keys? Do we have some step by step instructions somewhere? Do we need a third party product?

DeanoX
Senior user
Posts: 480
Joined: 2005-11-05 00:07
Location: Michigan

Re: New feature DKIM

Post by DeanoX » 2009-02-07 20:46

bigcrawdaddy,

Check out the link, in the first message of this thread.

Thanks,
-Dean
hMailServer 5.4.2-1964, mysql, ClamAV, SpamAssassin, SquirrelMail, GeoIP.
hMailServer Support Services for US Based Clients.
Low Rates, Quick Service. Send a Private Message for More Information.

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-07 21:53

Sorry, I looked at that and it left me very confused. It talked about unix and bind and I run windows and simpledns. Is there not just an online form one can enter the needed info into and get the keys needed and the correct info for the DNS server?

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: New feature DKIM

Post by GlenC » 2009-02-08 00:07

There is an online one here: http://www.socketlabs.com/services/dkwiz

But it's best to make your own. You'll need to install openssl for win32 and then generate the public/private keypair like so:


openssl genrsa -out rsa.private 1024
openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
How to get the public key into SimpleDNS I can't help with, but it's just a TXT record so you should be able to find an example on the web somewhere.

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-08 00:26

GlenC

Thank you very very much that is very clear and very helpful to this old blind guy. :)

dj02
Normal user
Posts: 54
Joined: 2006-11-29 19:44
Location: Helsinki - Finland

Re: New feature DKIM

Post by dj02 » 2009-02-08 20:23

Test result from auth-results@verifier.port25.com:

----------------------------------------------------------
DomainKeys check details:
----------------------------------------------------------
Result: neutral (message not signed)
ID(s) verified: header.From=*@*.*
DNS record(s):

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: neutral (unsupported DKIM version)
ID(s) verified:
DNS record(s):

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.
By,

Mika (Finland)
_________________
hMailServer 5.3.3 B1879, External MySQL 5.1.54 | SpamAssassin 3 |
Win 7 SP0 x64 | Apache 2.2.17 | F-Secure IS 10 | PHP/PECL 5.3.5 | RoundCube 0.5

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-08 20:25

dj02, without knowing how you've set up your corresponding DNS record, it's not possible to say where it's wrong..

dj02
Normal user
Posts: 54
Joined: 2006-11-29 19:44
Location: Helsinki - Finland

Re: New feature DKIM

Post by dj02 » 2009-02-08 21:32

Domain: dj02net.com
Selector: dj02net

_domainkey.dj02net.com "t=y; o=~; n=Currently testing DKIM"
dj02net._domainkey.dj02net.com "k=rsa; p=MIGfMA0GCSqGSIb3DQEBA........................."
By,

Mika (Finland)
_________________
hMailServer 5.3.3 B1879, External MySQL 5.1.54 | SpamAssassin 3 |
Win 7 SP0 x64 | Apache 2.2.17 | F-Secure IS 10 | PHP/PECL 5.3.5 | RoundCube 0.5

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-08 22:20

Why have you added one _domainkey record and one selector record? As far as I know, you should only have the selector record?

dj02
Normal user
Posts: 54
Joined: 2006-11-29 19:44
Location: Helsinki - Finland

Re: New feature DKIM

Post by dj02 » 2009-02-08 22:49

By,

Mika (Finland)
_________________
hMailServer 5.3.3 B1879, External MySQL 5.1.54 | SpamAssassin 3 |
Win 7 SP0 x64 | Apache 2.2.17 | F-Secure IS 10 | PHP/PECL 5.3.5 | RoundCube 0.5

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-09 00:41

Thanks for the SimpleDNS link it was very helpful. I got the keys made and entered into my nameserver. The DKIM sig appears in each message sent but fails every test. Every test returns (unsupported DKIM version)
Any ideas anyone?

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-09 01:11

My guess is that at least the o= tag in the TXT record is not supported according to the DKIM RFC 4871. But I'm still reading through all those stupid docs. :wink:
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-09 01:27

The more I read the more confused I get. So I will wait to see what you find out.

dj02
Normal user
Posts: 54
Joined: 2006-11-29 19:44
Location: Helsinki - Finland

Re: New feature DKIM

Post by dj02 » 2009-02-09 09:47

Should i add: v=DKIM1

to

dj02net._domainkey.dj02net.com "k=rsa; p=MIGfMA0GCSqGSIb3DQEBA........................."

like

dj02net._domainkey.dj02net.com "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA........................."?
By,

Mika (Finland)
_________________
hMailServer 5.3.3 B1879, External MySQL 5.1.54 | SpamAssassin 3 |
Win 7 SP0 x64 | Apache 2.2.17 | F-Secure IS 10 | PHP/PECL 5.3.5 | RoundCube 0.5

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-09 10:21

dj02,

I think that webpage may be incorrect. When I read the RFC I interpreted it as if there should just be one DNS record, not two.

Take gmail.com for example. Here's a signature they have created:


DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=zmT0ISTjUFf76OKr9Mlh7h8PngSor9KWUQE6pGXB7GA=; b=stzXWPpbhRK5ve9VD2Boau2+CEw+YVqNDLcyydou9Im8PQzSjwyWbjSVgLpCorimEV RMWpOyXvZn2fhxEjMffMc/km1rPcRep7RrICc3EZLKYmC+6hBlijlLriA94kw5WXSd50 FjDaMt0u7zvd06v56+Kva71a8uDjgcrl+uuQE=
If I do a DNS/TXT lookup for _domainkey.gmail.com it gives no results. If I do the same query for gamma._domainkey.gmail.com, the response is:


k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIhyR3oItOy22ZOaBrI
Ve9m/iME3RqOJeasANSpg2YTHTYV+Xtp4xwf5gTjCmHQEMOs0qYu0FYiNQPQogJ2t0Mfx9zNu06rfRBD
jiIU9tpx2T+NGlWZ8qhbiLo5By8apJavLyqTLavyPSrvsx0B3YzC63T4Age2CDqZYA+OwSMWQIDAQAB"
Note here that the t parameter is included in this result. You added this parameter to _domainkey.yourdomain.com, which I think is incorrect.

If the page you're referring to were correct, every server would always have to do two DNS lookups, which I believe is incorrect. :-\

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Re: New feature DKIM

Post by GlenC » 2009-02-09 13:22

My understanding of the _domainkey record is that it is (or was) used with DomainKeys, and not DKIM. Of course I could be wrong.

Martin,
Can I refer you back to this post, which got lost in the chatter over the weekend?
http://www.hmailserver.com/forum/viewto ... 941#p78941

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-09 13:39

You're right, it should have the v= flag. That's probably why some report unsupported DKIM version. Kind of strange that reflectors I've tested with have said "pass" even though this was missing. :-\

dj02
Normal user
Posts: 54
Joined: 2006-11-29 19:44
Location: Helsinki - Finland

Re: New feature DKIM

Post by dj02 » 2009-02-09 16:20

Weird, still:

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result: neutral (unsupported DKIM version)
ID(s) verified:
DNS record(s):

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions. If you are using Port25's PowerMTA, you need to u


I tried a few testers. I'm going out of my mind. :D I have now deleted the unnecessary records. Left only:

dj02net._domainkey.dj02net.com:
v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ...........

selector: dj02net
By,

Mika (Finland)
_________________
hMailServer 5.3.3 B1879, External MySQL 5.1.54 | SpamAssassin 3 |
Win 7 SP0 x64 | Apache 2.2.17 | F-Secure IS 10 | PHP/PECL 5.3.5 | RoundCube 0.5

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-09 16:26

dj02, you may want to read the message just above yours - there's an error in hMailServer which I'm working on.

dj02
Normal user
Posts: 54
Joined: 2006-11-29 19:44
Location: Helsinki - Finland

Re: New feature DKIM

Post by dj02 » 2009-02-09 19:55

Oh, sorry. :) I misunderstood your message.
By,

Mika (Finland)
_________________
hMailServer 5.3.3 B1879, External MySQL 5.1.54 | SpamAssassin 3 |
Win 7 SP0 x64 | Apache 2.2.17 | F-Secure IS 10 | PHP/PECL 5.3.5 | RoundCube 0.5

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-09 22:22

martin wrote:You're right, it should have the v= flag. That's probably why some report unsupported DKIM version. Kind of strange that reflectors I've tested with have said "pass" even though this was missing. :-\
According to the RFC the default value is DKIM1. If I remember correctly, verifiers have to assume the default and only ignore the tag when it has a wrong value. So in my opinion the verifier is not RFC compliant. I'm still reading, though... ;-)
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-09 22:23

I'm talking about the MIME header, you're talking about the DNS record...

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-09 22:29

Wow, you're so fast. I just saw it on page 18 of the rfc.
Btw, thanks to this discussion DKIM is almost clear to me. The only thing left now is to get my hoster to allow the underscore in DNS records. Until now it's impossible for me to add the _domainkey record, or anything else with an underscore. :x

-edit- btw, any plans to add the body length tag in future releases?
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-09 23:26

bigcrawdaddy wrote:The more I read the more confused I get. So will wait to see what you find out
Ok, call me a n00b, but I just noticed that the RFC isn't as confusing as I thought it was. Because of all the double tags I almost lost my mind. That is, until I noticed that 'header tags' start with "sig-" and DNS tags start with "tag-". Perhaps this makes it clearer to you too, daddy. ;-)
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-10 00:03

rjvrijn, may I ask where I can get a copy of what you're reading? I'm sure Martin will get it all corrected on his end and then it will be just up to us to get the correct DNS records. Hopefully someone will create a HOWTO entry with step by step instructions for others.

Thanks

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-10 00:24

bigcrawdaddy, I think I must disappoint you, it's just RFC 4871 that I'm reading. This is far from a simple Howto manual. But if you know which part is for the header and which part is for DNS, it reads a little bit more easily.
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-10 00:27

I plan to write a tutorial on the subject.

In (very) short, what you need to do is:
  1. Generate a private key and a public key using OpenSSL
  2. In your DNS, add a TXT record with the following details. Replace <something> with a string of your choice, such as "beer", "dkim1", "myselector". Don't use any special characters, just use a-z 0-9. This part of the string is called the selector. After that, replace <your-public-key> with your public key. Make sure to remove any newline characters from the public key.


    Name:
    <something>._domainkey.example.com
    Value:
    k=rsa; t=y; p=<your-public-key>
    
    This is how it's set up on my server. The name of my selector is yk9b and my public key is MIGfMA0GCSqG.....


    Name:
    yk9b._domainkey.hmailserver.com 
    Value:
    k=rsa; t=y; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDcn7Zkqgbpd9yU/9
    PoGmJvCTV5JMQKHadq6oElAUca1UAtN3Sccaf0m+KYxoKnDLDofsS3h4fyzlBrUUTs79D8
    EggjLku9IDLdhiRa5wnkqPZA4MMMZuVoKBU5TdnqgFaR/pQAAXpcow9irvUxBXIuvV5/oth7KsU9Dm8rGhfwIDAQAB
    (note that newline characters should be removed from the public key)
    
  3. In hMailServer Administrator, enable DKIM in the domain in question. Select the primary key file, and enter the name of the selector ("beer", "dkim1", "myselector" in the example above).
This is the "minimal" set up to get the reflectors to accept your messages, assuming you're using a build of hMailServer which works properly. ;-)
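Martin's three steps, Libelle's earlier TXT example with its escaped semicolons, dj02's two-record layout and the question of whether v=DKIM1 is required all come down to one record. The following is an added example (not hMailServer code, not part of the tutorial) that turns an OpenSSL PEM public key into the <selector>._domainkey.<domain> TXT value and reads such a record back the way an RFC 4871 verifier does; the sample key in it is constructed (correct DER framing around a zero modulus) and cannot sign anything.

```python
"""DKIM key-record helper for the steps above. Added example, not hMailServer
code. Builds the TXT value for <selector>._domainkey.<domain> from an OpenSSL
PEM public key and reads such a record back as an RFC 4871 (section 3.6.1)
verifier does: tag defaults, the t=y test flag, tags that are not DKIM's (o=),
and a p= that is not an RSA key."""
import base64
import binascii
import textwrap

# rsaEncryption OID; it sits near the start of every RSA SubjectPublicKeyInfo
RSA_OID = bytes.fromhex("06092a864886f70d010101")
# Tags RFC 4871 defines for key records; any other tag is ignored by verifiers
KNOWN_TAGS = {"v", "g", "h", "k", "n", "p", "s", "t"}

# Constructed sample: the genuine DER framing of a 1024-bit RSA public key
# around an all-zero modulus, so it is NOT a usable key. Wrapped at 64 columns
# the way `openssl rsa -pubout` prints it.
_SAMPLE_DER = (bytes.fromhex("30819f300d06092a864886f70d010101050003818d00308189028181")
               + b"\x00" * 129 + bytes.fromhex("0203010001"))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(_SAMPLE_DER).decode(), 64))
              + "\n-----END PUBLIC KEY-----\n")


def pem_to_p_value(pem: str) -> str:
    """Drop the BEGIN/END armor and every newline: p= takes the bare base64."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body, validate=True)       # garbage raises here
    if RSA_OID not in der[:24]:
        raise ValueError("not an RSA public key (private key pasted by mistake?)")
    return body


def txt_record(selector: str, domain: str, pem: str, testing: bool = True):
    """Owner name and value of the TXT record to publish for this selector."""
    if not (selector.isascii() and selector.isalnum()):
        raise ValueError("keep the selector to a-z 0-9, as advised above")
    flags = "t=y; " if testing else ""     # t=y: failures must not affect delivery
    return (f"{selector}._domainkey.{domain}",
            f"v=DKIM1; k=rsa; {flags}p={pem_to_p_value(pem)}")


def parse_key_record(txt: str) -> dict:
    """Read a published record as a verifier would and say what it means."""
    txt = txt.replace("\\;", ";")     # BIND zone-file escaping, not part of the record
    tags, order, ignored = {}, [], []
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, _, value = item.partition("=")
        name = name.strip()
        # whitespace inside p= is folding space and is dropped; other values keep theirs
        value = "".join(value.split()) if name == "p" else value.strip()
        if name in KNOWN_TAGS:
            tags[name] = value
            order.append(name)
        else:
            ignored.append(name)      # e.g. o=~ belongs to DomainKeys policy records
    problems = []
    version = tags.get("v", "DKIM1")  # no v= means DKIM1 (gmail's record has none)
    if version != "DKIM1":
        problems.append(f"unsupported DKIM version {version!r}")
    elif "v" in tags and order[0] != "v":
        problems.append("v= must be the first tag in the record")
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type " + tags["k"])
    flags = tags["t"].split(":") if tags.get("t") else []
    if "p" not in tags:
        status = "invalid"
        problems.append("no p= tag: this is not a DKIM key record")
    elif tags["p"] == "":
        status = "revoked"            # empty p= is how a key is revoked
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
            status = "ok" if RSA_OID in der[:24] else "invalid"
        except binascii.Error:
            status = "invalid"
        if status == "invalid":
            problems.append("p= is not a base64-encoded RSA public key")
    return {"status": "invalid" if problems else status, "version": version,
            "testing": "y" in flags, "strict": "s" in flags,
            "problems": problems, "ignored_tags": ignored}
```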

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-10 00:33

Martin, since bigcrawdaddy uses openssl, am I correct that it is important to remove the linefeeds from the resulting public key before pasting it in the DNS record and do the same in the private keyfile including deleting the header and footer?
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-10 00:35

That's correct. I've edited my post.

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-10 00:44

I did too, and I think after you'd edited yours. Perhaps it's good to confirm or deny my assumption about the private key file also? Just because I don't know myself what type of layout hmailserver expects, I'm very curious about this one. :wink:
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-10 00:51

You don't need to remove linefeeds or edit the private key file in any way. A private key file generated by OpenSSL should work as-is.

(hMailServer internally uses OpenSSL to parse the content of the private key file and since the file is created by OpenSSL I assume OpenSSL has no problems reading it either)

rjvrijn
Normal user
Posts: 161
Joined: 2008-03-31 22:13
Location: NL

Re: New feature DKIM

Post by rjvrijn » 2009-02-10 01:13

Thanks Martin! It is all clear to me now. I guess I now have to wait for my hosting company to allow the underscore in my DNS records. Or move my domain to another hoster. Can't wait to test. <grlmbl>
WXP x32 - hMailServer v5.3.2 B1769 / MySQL
Horde Groupware Webmail Edition 3.3.6 / SquirrelMail 1.4.17

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-10 01:26

Martin,

You say hMailServer uses OpenSSL; I'm again a bit confused. Where in the install of hMailServer is OpenSSL installed?
I'm doing my testing from my backup server and I put it together this way.
1. I installed the last stable build of version 4 because I wanted to use the mssql.
2. I installed the last stable build of version 5
3. I installed the 5.1 330 build

I don't see anything anywhere in the tree about openssl at all.

Boy did I open a can of worms or what LOL

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Re: New feature DKIM

Post by martin » 2009-02-10 01:43

The hMailServer executable (hMailServer.exe) contains the OpenSSL functionality hMailServer needs to run. The OpenSSL functionality in hMailServer is not meant to be (and cannot be) used externally.

You can download OpenSSL here (if you haven't already):
http://www.slproweb.com/products/Win32OpenSSL.html

If you don't want to spend time on this you can wait for the tutorial. It will probably be another week or two before it's up but.. up to you. :)

bigcrawdaddy
Normal user
Posts: 53
Joined: 2008-02-19 14:41

Re: New feature DKIM

Post by bigcrawdaddy » 2009-02-10 01:54

Martin, thanks, it was me being confused again LOL. I have downloaded OpenSSL and already created my keys, so I guess I'm just waiting for you to put up the next build that will have the fix for the header entry.
I think I have everything I need then. :)

Thanks again

MP3Freak
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: New feature DKIM

Post by MP3Freak » 2009-04-24 16:06

I'm currently extending my known SSL Package for HMS in order to allow the generation of the DKIM stuff as well, including the complete prefabricated DNS zone entry for BIND servers.

For this purpose, I'd need a few people testing that to make sure it works correctly before I'm going to release it here:
http://www.hmailserver.com/forum/viewto ... 12&t=13953

Just to show you, how easy this will be:

In the OpenSSL Directory start the following command:

    GenDKIM {selector key} {domain name}

You will then have the private key file ready to be specified in HMS for that domain, and you will be presented with a ready-to-copy DNS entry in BIND format to be added to the zone file of that domain. All that will be done in some 2-3 seconds.... ;-)


Interested people who want to help me out in this, please contact me at:

admin@handymail.ch

THANK YOU!!

MP3Freak
Normal user
Posts: 221
Joined: 2007-06-13 22:19

Re: New feature DKIM

Post by MP3Freak » 2009-04-25 17:31

I extended the popular package I already published for creation of the SSL stuff for HMS, in order to also create the data needed for using HMS' DKIM feature.

INSTRUCTIONS:
1. First download the package that's already specified here:
http://www.hmailserver.com/forum/viewto ... 12&t=13953

2. If you did not do before, install the VC2008 library and the OpenSSL package contained in that ZIP.

3. Copy the *.bat and *.exe files (also in the ZIP) to the OpenSSL\bin directory.

4. Open a CMD-Box and change there to the OpenSSL\bin directory

5. Issue the following command at the command line:

    GenDKIM {selector name} {domain name}

Where:
{selector name} is an identification of the key to be used by HMS to encrypt the DKIM key, and to be used by the receiver to fetch the corresponding public key from your DNS server.
{domain name} is the mail domain, for which you want to generate the DKIM data.

6. Once the command execution completed, a Notepad window should appear, with a complete DNS entry that must be added to your BIND DNS server. If you use another DNS server, those data can be filled into it depending on the respective requirements.

The process generated the following files in the OpenSSL\bin directory:

dkim.{domain name}.{selector name}.key - this is the one you'll have to specify when you configure a HMS mail domain for DKIM signing. You may copy/move that file elsewhere prior to specifying it in HMS, of course.

dkim.{domain name}.{selector name}.public - this is the public key as generated by OpenSSL. No actual usage here.

dkim.{domain name}.{selector name}.public.txt - this contains the generated DNS zone file entry in BIND format to be added to your DNS server.

Note that the selector name you specify should only have alpha-numeric characters, and must match the one you specify in the "Selector:" field in the DKIM domain configuration settings in HMS!
