DKeyEvent - DomainKeys and DKIM for MailEnable [v 0.4.8]

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

...

Postby someone_else » Thu Jun 28, 2007 12:09 pm

Well, DomainKeys and DKIM are mechanisms which rely on hashing; this means that such a signature will no longer be valid if the message is altered in any way (and this is, after all, one of the main purposes of these technologies).

Now this means that if signatures are to be correctly processed, DKeyEvent should run on the outermost level of the MTA. The problem, of course, is that as long as you do everything on one MTA, you do not have an 'outermost level', so you will indeed need to have DKeyEvent run either before or after your application, depending on whether the message is incoming or outgoing.

You need to sign a message after all modifications have been done, and authenticate it before any modifications have been done. You could do this by creating an 'envelope' pickup event, which checks whether a message is incoming or outgoing, and then invokes the rest of the pickup events in the proper order.
MailEnable plugins:
DKeyEvent - DomainKeys/DKIM
MESpamC - SpamAssassin integration

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

DKeyEvent 0.4.7

Postby someone_else » Tue Jul 24, 2007 9:11 pm

DKeyEvent 0.4.7 has been released.

Changes in this version:
- added: option to define the TempFolder
- fixed: bug with DKIM timestamps
- improved: DomainKeys signing mechanism
MailEnable plugins:

DKeyEvent - DomainKeys/DKIM

MESpamC - SpamAssassin integration

Salubritas
Posts: 6
Joined: Wed Jun 06, 2007 7:40 pm

DKIM Failures

Postby Salubritas » Thu Jul 26, 2007 3:09 pm

Hi, any idea why my DKIM signatures have started failing? I didn't keep the email from the first time I got the failure, but I think it was 6 to 8 weeks ago.

I tried updating to DKeyEvent 0.4.7 (ran the installer then rebooted) but am still getting the same failure.

SKYLIST says "DKIM-Status: Unrecognized version 1 (This signature appears to be from an older draft of the standard)" (http://www.skylist.net/resources/authentication.php)

sa-test@sendmail.net responds with "Signature verification failed, message may have been tampered with or corrupted"

Thank you in advance.

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

bad signature verification

Postby someone_else » Thu Jul 26, 2007 3:47 pm

If you receive a 'bad' authentication result from the verifier at sendmail.net, be sure to check the attached message. The headers of that message will usually give you a more precise reason for why your signature failed verification.
MailEnable plugins:

DKeyEvent - DomainKeys/DKIM

MESpamC - SpamAssassin integration

Salubritas
Posts: 6
Joined: Wed Jun 06, 2007 7:40 pm

Postby Salubritas » Thu Jul 26, 2007 4:38 pm

Ah, yes, it says "dkim=fail (verification error: signature timestamp in the future)"

Should that have been fixed in the new release?

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

...

Postby someone_else » Thu Jul 26, 2007 5:22 pm

Yes, the timestamp bug has been fixed in the latest release. Please verify that you are using the latest version (right click on dkeyevent.exe and go to Properties; the file version should be 0.4.7.0).
MailEnable plugins:

DKeyEvent - DomainKeys/DKIM

MESpamC - SpamAssassin integration

Salubritas
Posts: 6
Joined: Wed Jun 06, 2007 7:40 pm

Postby Salubritas » Thu Jul 26, 2007 7:44 pm

Hi, I have checked the properties and they look OK:

Version: 0.4.7.0
Size: 714 KB (731,136 bytes)
Modified: 24 July 2007, 21:17:56

I am using Windows 2003 Server, Web Edition.

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

...

Postby someone_else » Thu Jul 26, 2007 8:26 pm

Well, that's strange. I tested the new version in a few different environments, and there were no problems in either. Are you sure that your time and regional settings (in Windows) are correct? Because if your time zone is not properly set, then the timestamp in your messages might be off.
MailEnable plugins:

DKeyEvent - DomainKeys/DKIM

MESpamC - SpamAssassin integration

Salubritas
Posts: 6
Joined: Wed Jun 06, 2007 7:40 pm

Postby Salubritas » Thu Jul 26, 2007 9:52 pm

I did check that before and the clock was a few minutes behind (the time sync service has not been getting through to time.windows.com).

I thought I had tested after correcting the time, but I just re-tested and it is now coming back OK. It seems strange that the clock running behind (as opposed to ahead) would give that error.

I suppose if I can get the time-sync working properly it should stop this re-occuring?

Thanks very much for your help again!

rhaynes
Posts: 26
Joined: Fri Jul 01, 2005 10:51 pm

dkeyevent.exe not doing anything?

Postby rhaynes » Thu Aug 09, 2007 3:45 pm

(Oops... I accidentally started a new topic when I merely meant to reply here!)

We have the latest, patched MailEnable Standard. We use it only for outgoing mail, and want DKeyEvent to only add stuff to outgoing mail.

This is on a test server (Windows 2003 Server), so there are no security issues at all.

DKeyEvent is not adding anything to the email at all. The emails are being delivered, and the MTA logs show that DKeyEvent.exe is being invoked. We are not using any other MTA events, so is is using only the DKeyEvent.exe.

I've tried everything to debug this. There are no error logs or logs in our Application Events in Windows.

We had only DomainKeys outgoing on one domain. I then turned on and configured DKIM on another. Both are doing nothing.

How do I even begin to debug?

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

troubleshooting

Postby someone_else » Tue Aug 14, 2007 6:53 am

Well, there are a couple of troubleshooting steps you can take:

- first, try to isolate the problem: enable everything (both DomainKeys and DKIM, signing and verification) and see what, if anything, works

- check the Windows EventLog to make sure DKeyEvent doesn't raise any errors

- check the MailEnable logs for anything strange related to the spool executable

- if you have any real-time antivirus, try temporarily disabling it

- try reinstalling DKeyEvent

- try restarting the server


Your outgoing mail is not getting signed?

There are cases when DKeyEvent will refuse to sign mail. If you are certain that you have properly configured DKeyEvent to sign outgoing mail for your domain, and there are no errors reported in the Event Log, then it could be that DKeyEvent has refused to sign the message. There are multiple reasons why this might happen, though they are all related to sender authentication; basically, DKeyEvent considers that the sender of a message does not have the authority to have that particular message signed. For example, unless domain impersonation is enabled, messages from senders who did not use SMTP authentication (such as automated scripts) will not be signed. Neither, again, will messages whose envelope entities do not match those in the header.

A quick test to see if authentication is the problem is to edit the dkeyevent.ini file, and set 'IgnoreMESenderAuth=1'. If, in testing, you are using some form of script or non-standard software to send messages, you might also want to try a standard email client (such as Thunderbird or Outlook) with SMTP authentication enabled, to see if that works.
MailEnable plugins:

DKeyEvent - DomainKeys/DKIM

MESpamC - SpamAssassin integration

Fred
Posts: 132
Joined: Sat Mar 20, 2004 10:23 am

Postby Fred » Sat Sep 01, 2007 12:16 pm

When I go to: http://www.skylist.net/resources/authentication.php I get a DomainKey and DKIM failure. Yet if I use sa-test@sendmail.net everything comes back as good?? Below is the test from skylist...

Skylist:

DomainKey-Status: bad: Signature failed verification

DKIM-Status: Unrecognized version 1 (This signature appears to be from an older draft of the standard)
Return-Path: xxxx@xxxxxxx.net
Received: from xx.xxx.xx.xxx
by www.skylist.net
for <3MuV@www.skylist.net>; Sat, 1 Sep 2007 07:09:36 -0500

DKIM-Signature: v=1; t=1188648574; a=rsa-sha1; q=dns/txt; s=master;
d=xxxxxxx.net; i=xxxx@xxxxxxx.net; c=relaxed/simple; bh=N6gm19LJ4umaLweoN
hm4HG3hs6E=; h=DomainKey-Signature:X-MEFilter-Version:From:To:Subject:
Date:Message-ID:Content-Transfer-Encoding:MIME-Version:Content-Type:
X-Mailer:Thread-Index:X-MimeOLE:Content-Class:Importance:X-ME-Bayesian:
Priority; b=dMU6cNLKQdAKnXb25JXsgM9yQK3PQ1Sb4SxovejSph+71TgdegpsacKI4+pF2
cM4z5OaA+jO9h6SuoDTlJaNNb9vVse7u7QfoVXphizIVg9vEcIeziqw/1P95Gn3oOr3


DomainKey-Signature: a=rsa-sha1; q=dns; s=master; d=xxxxxxx.net; c=simple;
h=X-MEFilter-Version:Received:From:To:Subject:Date:Message-ID:Content-Tra
nsfer-Encoding:MIME-Version:Content-Type:X-Mailer:Thread-Index:X-MimeOLE:
Content-Class:Importance:X-ME-Bayesian:Priority; b=J0mp4i6OsLvhoIuUZlouwt
NyXA7qaSa+Yf5+GZDgUHYd3or8oozc8eGGciU1SyR+QsF0lO+rpioGGk0tLK1jjJGaMHXV3JE
vmsEKPChcIj7WpiJkBHsMcVyqXzIPZO67;




And this is the result from sendmail.net:

Authentication System: DomainKeys Identified Mail
Result: DKIM signature confirmed GOOD
Description: Signature verified, message arrived intact
Reporting host: sendmail.net
More information: http://mipassoc.org/dkim/
Sendmail milter: https://sourceforge.net/projects/dkim-milter/

Authentication System: Domain Keys
Result: DK signature confirmed GOOD
Description: Signature verified, message arrived intact
Reporting host: sendmail.net
More information: http://antispam.yahoo.com/domainkeys
Sendmail milter: https://sourceforge.net/projects/domainkeys-milter/

Authentication System: Sender ID
Result: SID data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://www.microsoft.com/senderid
Sendmail milter: https://sourceforge.net/projects/sid-milter/

Authentication System: Sender Permitted From (SPF)
Result: SPF data confirmed GOOD
Description: Sending host is authorized for sending domain
Reporting host: sendmail.net
More information: http://spf.pobox.com/

someone_else
Posts: 302
Joined: Tue Jul 19, 2005 1:12 pm
Location: 404

outdated verifiers

Postby someone_else » Sat Sep 01, 2007 2:15 pm

Fred wrote:When I go to: http://www.skylist.net/resources/authentication.php I get a DomainKey and DKIM failure. Yet if I use sa-test@sendmail.net everything comes back as good??


Skylist is outdated, i.e. it does not support the latest specification. You'll find that there are quite a few online verifiers that are outdated, so your best bet is to use the ones mentioned in this topic or on the DKIM website.
MailEnable plugins:

DKeyEvent - DomainKeys/DKIM

MESpamC - SpamAssassin integration

Fred
Posts: 132
Joined: Sat Mar 20, 2004 10:23 am

Postby Fred » Sun Sep 02, 2007 11:14 am

Thanks. Is there a good list of places you recommend for testing?

Fred
Posts: 132
Joined: Sat Mar 20, 2004 10:23 am

Postby Fred » Sun Sep 02, 2007 1:14 pm

Does anyone know the best way to use this with MEfilter?

Who is online

Users browsing this forum: No registered users and 2 guests