DKeyEvent - DomainKeys and DKIM for MailEnable [v 0.4.8]
-
- Posts: 302
- Joined: Tue Jul 19, 2005 1:12 pm
- Location: 404
...
Well, DomainKeys and DKIM are mechanisms which rely on hashing; this means that such a signature will no longer be valid if the message is altered in any way (and this is, after all, one of the main purposes of these technologies).
Now this means that if signatures are to be correctly processed, DKeyEvent should run on the outermost level of the MTA. The problem, of course, is that as long as you do everything on one MTA, you do not have an 'outermost level', so you will indeed need to have DKeyEvent run either before or after your application, depending on whether the message is incoming or outgoing.
You need to sign a message after all modifications have been done, and authenticate it before any modifications have been done. You could do this by creating an 'envelope' pickup event, which checks whether a message is incoming or outgoing, and then invokes the rest of the pickup events in the proper order.
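The ordering rule from the post above, as an added example (not part of DKeyEvent or of the original post). It models the suggested 'envelope' pickup event and uses the DKIM body hash alone as a stand-in for the full signature; `add_footer`, `envelope_event` and the message dictionary are hypothetical names, and the body is constructed.

```python
import base64
import hashlib

def simple_body(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization: drop trailing empty lines,
    keep exactly one CRLF at the end. Assumes CRLF line endings."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def body_hash(body: bytes) -> str:
    # SHA-1 because the signatures quoted in this thread use a=rsa-sha1.
    return base64.b64encode(hashlib.sha1(simple_body(body)).digest()).decode()

def add_footer(msg: dict) -> None:
    """Hypothetical content-modifying pickup event (e.g. a disclaimer)."""
    msg["body"] += b"-- \r\nProcessed by ExampleFilter\r\n"

def sign(msg: dict) -> None:
    msg["bh"] = body_hash(msg["body"])

def verify(msg: dict) -> None:
    ok = msg.get("bh") == body_hash(msg["body"])
    msg["auth"] = "pass" if ok else "fail"

def envelope_event(msg: dict, direction: str, other_events: list) -> dict:
    """Outgoing: run the other events, sign last.
    Incoming: verify first, then run the other events."""
    if direction == "outgoing":
        chain = list(other_events) + [sign]
    else:
        chain = [verify] + list(other_events)
    for event in chain:
        event(msg)
    return msg

def demo() -> tuple:
    body = b"Hello,\r\nthis is a constructed test body.\r\n\r\n\r\n"
    sent = envelope_event({"body": body}, "outgoing", [add_footer])
    correct = envelope_event(dict(sent), "incoming", [add_footer])
    # Wrong order on a single MTA: sign, then modify, then verify.
    wrong = {"body": body}
    for event in (sign, add_footer, verify):
        event(wrong)
    return correct["auth"], wrong["auth"]

if __name__ == "__main__":
    print(demo())
```

A real signature also covers the header fields listed in h= and is checked against the public key in DNS, so a header rewritten after signing breaks verification in the same way.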
-
- Posts: 302
- Joined: Tue Jul 19, 2005 1:12 pm
- Location: 404
DKeyEvent 0.4.7
DKeyEvent 0.4.7 has been released.
Changes in this version:
- added: option to define the TempFolder
- fixed: bug with DKIM timestamps
- improved: DomainKeys signing mechanism
-
- Posts: 6
- Joined: Wed Jun 06, 2007 7:40 pm
DKIM Failures
Hi, any idea why my DKIM signatures have started failing? I didn't keep the email from the first time I got the failure, but I think it was 6 to 8 weeks ago.
I tried updating to DKeyEvent 0.4.7 (ran the installer then rebooted) but am still getting the same failure.
SKYLIST says "DKIM-Status: Unrecognized version 1 (This signature appears to be from an older draft of the standard)" (http://www.skylist.net/resources/authentication.php)
sa-test@sendmail.net responds with "Signature verification failed, message may have been tampered with or corrupted"
Thank you in advance.
-
- Posts: 302
- Joined: Tue Jul 19, 2005 1:12 pm
- Location: 404
bad signature verification
If you receive a 'bad' authentication result from the verifier at sendmail.net, be sure to check the attached message. The headers of that message will usually give you a more precise reason for why your signature failed verification.
-
- Posts: 6
- Joined: Wed Jun 06, 2007 7:40 pm
-
- Posts: 302
- Joined: Tue Jul 19, 2005 1:12 pm
- Location: 404
-
- Posts: 6
- Joined: Wed Jun 06, 2007 7:40 pm
-
- Posts: 302
- Joined: Tue Jul 19, 2005 1:12 pm
- Location: 404
...
Well, that's strange. I tested the new version in a few different environments, and there were no problems in either. Are you sure that your time and regional settings (in Windows) are correct? Because if your time zone is not properly set, then the timestamp in your messages might be off.
-
- Posts: 6
- Joined: Wed Jun 06, 2007 7:40 pm
I did check that before and the clock was a few minutes behind (the time sync service has not been getting through to time.windows.com).
I thought I had tested after correcting the time, but I just re-tested and it is now coming back OK. It seems strange that the clock running behind (as opposed to ahead) would give that error.
I suppose if I can get the time-sync working properly it should stop this re-occurring?
Thanks very much for your help again!
dkeyevent.exe not doing anything?
(Oops... I accidentally started a new topic when I merely meant to reply here!)
We have the latest, patched MailEnable Standard. We use it only for outgoing mail, and want DKeyEvent to only add stuff to outgoing mail.
This is on a test server (Windows 2003 Server), so there are no security issues at all.
DKeyEvent is not adding anything to the email at all. The emails are being delivered, and the MTA logs show that DKeyEvent.exe is being invoked. We are not using any other MTA events, so it is using only the DKeyEvent.exe.
I've tried everything to debug this. There are no error logs or logs in our Application Events in Windows.
We had only DomainKeys outgoing on one domain. I then turned on and configured DKIM on another. Both are doing nothing.
How do I even begin to debug?
-
- Posts: 302
- Joined: Tue Jul 19, 2005 1:12 pm
- Location: 404
troubleshooting
Well, there are a couple of troubleshooting steps you can take:
- first, try to isolate the problem: enable everything (both DomainKeys and DKIM, signing and verification) and see what, if anything, works
- check the Windows EventLog to make sure DKeyEvent doesn't raise any errors
- check the MailEnable logs for anything strange related to the spool executable
- if you have any real-time antivirus, try temporarily disabling it
- try reinstalling DKeyEvent
- try restarting the server
Your outgoing mail is not getting signed?
There are cases when DKeyEvent will refuse to sign mail. If you are certain that you have properly configured DKeyEvent to sign outgoing mail for your domain, and there are no errors reported in the Event Log, then it could be that DKeyEvent has refused to sign the message. There are multiple reasons why this might happen, though they are all related to sender authentication; basically, DKeyEvent considers that the sender of a message does not have the authority to have that particular message signed. For example, unless domain impersonation is enabled, messages from senders who did not use SMTP authentication (such as automated scripts) will not be signed. Neither, again, will messages whose envelope entities do not match those in the header.
A quick test to see if authentication is the problem is to edit the dkeyevent.ini file, and set 'IgnoreMESenderAuth=1'. If, in testing, you are using some form of script or non-standard software to send messages, you might also want to try a standard email client (such as Thunderbird or Outlook) with SMTP authentication enabled, to see if that works.
When I go to: http://www.skylist.net/resources/authentication.php I get a DomainKey and DKIM failure. Yet if I use sa-test@sendmail.net everything comes back as good?? Below is the test from skylist...
Skylist:
DomainKey-Status: bad: Signature failed verification
DKIM-Status: Unrecognized version 1 (This signature appears to be from an older draft of the standard)
Return-Path: xxxx@xxxxxxx.net
Received: from xx.xxx.xx.xxx
by www.skylist.net
for <3MuV@www.skylist.net>; Sat, 1 Sep 2007 07:09:36 -0500
DKIM-Signature: v=1; t=1188648574; a=rsa-sha1; q=dns/txt; s=master;
d=xxxxxxx.net; i=xxxx@xxxxxxx.net; c=relaxed/simple; bh=N6gm19LJ4umaLweoN
hm4HG3hs6E=; h=DomainKey-Signature:X-MEFilter-Version:From:To:Subject:
Date:Message-ID:Content-Transfer-Encoding:MIME-Version:Content-Type:
X-Mailer:Thread-Index:X-MimeOLE:Content-Class:Importance:X-ME-Bayesian:
Priority; b=dMU6cNLKQdAKnXb25JXsgM9yQK3PQ1Sb4SxovejSph+71TgdegpsacKI4+pF2
cM4z5OaA+jO9h6SuoDTlJaNNb9vVse7u7QfoVXphizIVg9vEcIeziqw/1P95Gn3oOr3
DomainKey-Signature: a=rsa-sha1; q=dns; s=master; d=xxxxxxx.net; c=simple;
h=X-MEFilter-Version:Received:From:To:Subject:Date:Message-ID:Content-Tra
nsfer-Encoding:MIME-Version:Content-Type:X-Mailer:Thread-Index:X-MimeOLE:
Content-Class:Importance:X-ME-Bayesian:Priority; b=J0mp4i6OsLvhoIuUZlouwt
NyXA7qaSa+Yf5+GZDgUHYd3or8oozc8eGGciU1SyR+QsF0lO+rpioGGk0tLK1jjJGaMHXV3JE
vmsEKPChcIj7WpiJkBHsMcVyqXzIPZO67;
And this is the result from sendmail.net:
Authentication System: DomainKeys Identified Mail
Result: DKIM signature confirmed GOOD
Description: Signature verified, message arrived intact
Reporting host: sendmail.net
More information: http://mipassoc.org/dkim/
Sendmail milter: https://sourceforge.net/projects/dkim-milter/
Authentication System: Domain Keys
Result: DK signature confirmed GOOD
Description: Signature verified, message arrived intact
Reporting host: sendmail.net
More information: http://antispam.yahoo.com/domainkeys
Sendmail milter: https://sourceforge.net/projects/domainkeys-milter/
Authentication System: Sender ID
Result: SID data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://www.microsoft.com/senderid
Sendmail milter: https://sourceforge.net/projects/sid-milter/
Authentication System: Sender Permitted From (SPF)
Result: SPF data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://spf.pobox.com/
-
- Posts: 302
- Joined: Tue Jul 19, 2005 1:12 pm
- Location: 404
outdated verifiers
Fred wrote: When I go to: http://www.skylist.net/resources/authentication.php I get a DomainKey and DKIM failure. Yet if I use sa-test@sendmail.net everything comes back as good??
Skylist is outdated, i.e. it does not support the latest specification. You'll find that there are quite a few online verifiers that are outdated, so your best bet is to use the ones mentioned in this topic or on the DKIM website.
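A way to check the two issues raised in this thread (the v= tag and clock-related timestamp problems) directly from a received header, as an added example that is not part of DKeyEvent or of any post here. The sample is constructed from the headers quoted above with bh= and b= replaced by placeholders and h= shortened; the required-tag list follows the published DKIM specification (RFC 4871), and the 300-second tolerance is an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed from the headers quoted above; bh= and b= are placeholders.
SAMPLE_SIG = (
    "v=1; t=1188648574; a=rsa-sha1; q=dns/txt; s=master;\r\n"
    " d=xxxxxxx.net; i=xxxx@xxxxxxx.net; c=relaxed/simple;\r\n"
    " bh=PLACEHOLDER=; h=DomainKey-Signature:From:To:\r\n"
    " Subject:Date; b=PLACE\r\n HOLDER"
)
SAMPLE_RECEIVED = "Sat, 1 Sep 2007 07:09:36 -0500"
REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")

def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.replace("\r\n", "").split(";"):
        if "=" not in part:
            continue  # trailing ';' or empty segment
        name, val = part.split("=", 1)
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        # Folding whitespace inside b=, bh= and h= is not significant.
        folded = name in ("b", "bh", "h")
        tags[name] = "".join(val.split()) if folded else val.strip()
    return tags

def diagnose(sig: str, received_date: str, max_skew: int = 300):
    """Return (tags, skew_seconds, notes). max_skew is an assumed tolerance."""
    tags, notes, skew = parse_tags(sig), [], None
    missing = [t for t in REQUIRED if t not in tags]
    if missing:
        notes.append("missing required tags: " + ", ".join(missing))
    if tags.get("v") != "1":
        notes.append(f"v={tags.get('v')!r}: not the published version '1'")
    if "t" in tags:
        signed = datetime.fromtimestamp(int(tags["t"]), timezone.utc)
        skew = (parsedate_to_datetime(received_date) - signed).total_seconds()
        if abs(skew) > max_skew:
            notes.append(f"t= is {skew:+.0f}s from receipt: check signer clock")
    return tags, skew, notes

if __name__ == "__main__":
    print(diagnose(SAMPLE_SIG, SAMPLE_RECEIVED)[1:])
```

For the header quoted in this thread, t= falls two seconds before the Received time and v=1 is the value the published specification requires, so the diagnostic reports nothing wrong with the signature header itself.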