
List:       james-user
Subject:    Re: jDKIM configuration
From:       Shahid Faiz <shahid.faiz () gmail ! com>
Date:       2010-08-17 7:13:31
Message-ID: AANLkTikY0zA4szYwgARfxBEVm9KKV6LuM9JzrWN7rh2h () mail ! gmail ! com


Jerry,

This works fine for me as well. After playing with this, I have figured out
that Gmail is unable to verify body hash when I add <message> tag and change
<inline>unaltered</inline> to <inline>none</inline>.

I think Stefano pointed out correctly, and maybe ConvertTo7Bit is not
playing its part with default configurations.

Thanks,
Shahid

On Tue, Aug 17, 2010 at 3:45 AM, Jerry M <techstuff@malcolms.com> wrote:

>  Shahid,
>
> It looks like you are using the resend for something quite different than I
> am.  I'm simply using it as an auto-forward to a second address that
> monitors all inbound email.  Hence my mailet tag is:
>
> <mailet match="RecipientIs=xxxx@yyyy.com" class="Resend">
> <recipients>bbb@ccccc.com</recipients>
> <inline>unaltered</inline>
> <passThrough>TRUE</passThrough>
> </mailet>
>
> I'm not sure what all of the different options mean and what effect they
> might have.  But just for fun, try my version above and see if it makes any
> difference.  If it works, start adding your options in one at a time.  Once
> we know the culprit, we might be able to figure out why it's trashing the
> signature.
>
> Jerry
>
>
> On 8/16/2010 4:21 AM, Shahid Faiz wrote:
>
>> Hi Jerry,
>>
>> Is there anything special required for Resend configuration? I have uncommented
>> the already configured file extension based Resend.
>>
>> <mailet match="AttachmentFileNameIs=-d -z *.exe *.com *.bat *.cmd *.pif
>> *.scr *.vbs *.avi *.mp3 *.mpeg *.shs" class="Resend"
>> onMatchException="error">
>>             <sender>postmaster</sender>
>>             <inline>heads</inline>
>>             <attachment>none</attachment>
>>             <passThrough>false</passThrough>
>>             <debug>true</debug>
>>             <reversePath>null</reversePath>
>>             <recipients>sender</recipients>
>>             <prefix>[REJECTED]</prefix>
>>             <message>
>> test message.
>>             </message>
>>          </mailet>
>>
>> Thanks,
>> Shahid
>>
>>
>> On Mon, Aug 16, 2010 at 12:24 PM, Shahid Faiz <shahid.faiz@gmail.com> wrote:
>>
>>> I have checked resent emails with port25.com, that also displays error
>>>
>>> Result:         fail (wrong body hash: expected
>>> Sp7UU11MCfYMc32P8gQRPzpZ6q6+b1lsV0oNi8Cn0Lk=)
>>>
>>> I have also removed t= tag after which resent emails are delivered to
>>> Inbox
>>> but DKIM verification is still failing.
>>>
>>> Thanks,
>>> Shahid
>>>
>>> On Mon, Aug 16, 2010 at 9:04 AM, Jerry M<techstuff@malcolms.com>  wrote:
>>>
>>>> I was comparing your mailet tag to mine.  I noticed you added a t=
>>>> value.
>>>>  You may have just dummied up the value to post on the forum as you did
>>>> the
>>>> domain name.  But if that is the real value, it's very small number =
>>>> very
>>>> old time stamp (basically 40 years old).  No idea if google would be
>>>> upset
>>>> with that, and even more curious why it would only affect resends.  But
>>>> just
>>>> looking for anything that might be the culprit.
>>>>
>>>> Also, the 'sender' on a resent email is the original sender.  So
>>>> technically, JAMES is signing an email from a domain it doesn't own.
>>>> port25.com gives me a different result when I send an email with the
>>>> from
>>>> address at the actual domain that is signing vs. when I send an email
>>>> that
>>>> is on another domain hosted on my server.  They both 'pass'.  But it's
>>>> noted
>>>> that the from address is different.  Not sure if that could be a problem
>>>> with resends and google since the from address is completely different
>>>> than
>>>> the signing domain.  But that still begs the question why it worked on
>>>> my
>>>> test.  I just don't know enough about the theory of what is considered
>>>> an
>>>> acceptable signature vs. what is not.  I'll keep researching.
>>>>
>>>> Jerry
>>>>
>>>>
>>>> On 8/15/2010 10:37 PM, Jerry M wrote:
>>>>
>>>>> Shahid,
>>>>>
>>>>> I set up for all inbound email to one of my james accounts to resend to
>>>>> a
>>>>> gmail account.  I guess it's good news for me, but bad news for you...
>>>>> gmail
>>>>> says the resend was signed correctly.   This was a single test from an
>>>>> outside business email address that I have.  Hardly an exhaustive test.
>>>>>  As
>>>>> Stefano mentioned, it could be a formatting thing on the inbound mail,
>>>>> which I suspect can vary greatly from sender to sender.  So I'm going
>>>>> to
>>>>> leave the resend active for a while and watch as I get additional real
>>>>> emails from various sources and see if I get any failures and
>>>>> subsequently
>>>>> can detect a pattern.
>>>>>
>>>>> If you can test on an email account that no 'real' traffic is coming
>>>>> into, you might try bouncing to the port25.com tester email address I
>>>>> mentioned below just to see what it tells you.  You'll get more info
>>>>> than
>>>>> gmail gives regarding DKIM.   The only thing is that port25.com sends
>>>>> the analysis info back to the sender.  So if this is a live email and
>>>>> you
>>>>> are bouncing to port25.com test, the sender will get the analysis
>>>>> reply
>>>>> (probably not what you want..).  Hence the recommendation to do it on a
>>>>> dormant/test email account.
>>>>>
>>>>> Let me know if you get any additional info.
>>>>>
>>>>> Jerry
>>>>>
>>>>>
>>>>> On 8/15/2010 10:20 PM, Shahid Faiz wrote:
>>>>>
>>>>>> Hi Jerry,
>>>>>>
>>>>>> Yes, you are right. Mails which are sent directly to my gmail account
>>>>>> are
>>>>>> verified and delivered to my inbox whereas mails sent using Resend are
>>>>>> not
>>>>>> verified and that's why those mails land in Spam.
>>>>>>
>>>>>> Yes, I have also guessed that there were no parameters required. I
>>>>>> will
>>>>>> try
>>>>>> looking into ConvertTo7Bit code if that will help.
>>>>>>
>>>>>> Thank you very much for the help.
>>>>>>
>>>>>> - Shahid
>>>>>>
>>>>>> On Mon, Aug 16, 2010 at 8:12 AM, Jerry M <techstuff@malcolms.com> wrote:
>>>>>>
>>>>>>> So you are using resend mailet to send inbound mail that you receive on to
>>>>>>> a gmail account, right?  And mail you send directly is signed correctly, but
>>>>>>> inbound mail that resends to gmail is failing.   Is that correct?
>>>>>>>
>>>>>>> I finally got everything up and running with DKIM.  I did a direct
>>>>>>> send
>>>>>>> to
>>>>>>> gmail and to the port25.com tester (check-auth2@verifier.port25.com
>>>>>>> ).
>>>>>>>  Everything looks good now.  I'll try adding a resend to gmail to try
>>>>>>> to
>>>>>>> duplicate your scenario.
>>>>>>>
>>>>>>> On the advice Stefano gave you about the convertTo7Bit mailet, I added it
>>>>>>> ahead of the DKIMSign mailet.  There was zero documentation on it.  So I
>>>>>>> just guessed that there were no parameters.  I assume it's doing its job.
>>>>>>> But I really don't know if it's doing anything.  I still don't know what
>>>>>>> that third mailet is for.  But I'm not using it, and DKIM is working.
>>>>>>>
>>>>>>> I'll let you know what I find after adding the resend to gmail.
>>>>>>>
>>>>>>> Jerry
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 8/15/2010 9:32 PM, Shahid Faiz wrote:
>>>>>>>
>>>>>>>> I have configured ConvertTo7Bit but no success. Following are James
>>>>>>>> configurations. Is there anything missing in ConvertTo7Bit
>>>>>>>> configuration?
>>>>>>>>
>>>>>>>> <mailet match="All" class="ConvertTo7Bit">
>>>>>>>> </mailet>
>>>>>>>> <!--<mailet match="All" class="LogMessage">
>>>>>>>> </mailet>    -->
>>>>>>>>
>>>>>>>> <mailet match="All" class="DKIMSign">
>>>>>>>> <signatureTemplate>v=1; s=default; d=mydomain.com;
>>>>>>>> h=from:to:received:received; t=12345;  a=rsa-sha256; bh=;
>>>>>>>> b=;</signatureTemplate>
>>>>>>>> <privateKey>
>>>>>>>> -----PRIVATE KEY IN PEM FORMAT-----
>>>>>>>> </privateKey>
>>>>>>>> </mailet>
>>>>>>>>
>>>>>>>> <!-- Attempt remote delivery using the specified repository for
>>>>>>>> the
>>>>>>>> spool, -->
>>>>>>>> <!-- using delay time to retry delivery and the maximum number of
>>>>>>>> retries -->
>>>>>>>> <mailet match="All" class="RemoteDelivery">
>>>>>>>> <outgoing>    file://var/mail/outgoing/</outgoing>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Sat, Aug 14, 2010 at 11:42 PM, Shahid Faiz <shahid.faiz@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> You are right, this may be the problem. I haven't configured ConvertTo7Bit
>>>>>>>>> before DKIMSign and as James is running on Linux where we have LF as EOL
>>>>>>>>> character.
>>>>>>>>>
>>>>>>>>> Thanks very much for the help. I will try this on Monday, hopefully
>>>>>>>>> this
>>>>>>>>> will solve the problem.
>>>>>>>>>
>>>>>>>>> - Shahid
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Sat, Aug 14, 2010 at 9:52 PM, Stefano Bagnara <apache@bago.org> wrote:
>>>>>>>>>
>>>>>>>>>> 2010/8/14 Shahid Faiz <shahid.faiz@gmail.com>:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> jDKIM is configured properly and works perfectly fine for emails which I
>>>>>>>>>>> sent out using any email client but when I bounce emails using Resend
>>>>>>>>>>> mailet gmail says *dkim=neutral (body hash did not verify).* DKIMSign
>>>>>>>>>>> mailet is configured as the last one in transport processor. any hint or
>>>>>>>>>>> help what is missing?
>>>>>>>>>>
>>>>>>>>>> Have you configured a ConvertTo7Bit mailet (bundled with jdkim) just
>>>>>>>>>> before the DKIMSign mailet?
>>>>>>>>>>
>>>>>>>>>> DKIM may have issues with LF (\n) newlines. DKIM expects only CRLF
>>>>>>>>>> (\r\n) otherwise signing is not possible.
>>>>>>>>>>
>>>>>>>>>> Stefano
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>
>>>>>>>>>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>>>>>>>>>> For additional commands, e-mail:
>>>>>>>>>> server-user-help@james.apache.org
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>
>
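
The LF versus CRLF point raised in the thread, as an added example that is not part of the original messages or of jDKIM: it computes the DKIM `bh=` value for `a=rsa-sha256` under the RFC 6376 "simple" and "relaxed" body canonicalizations and shows that a body hashed with bare LF line endings no longer matches once the same body is seen with CRLF. The sample body and all function names are constructed for illustration; the assumption is that the verifier receives CRLF line endings.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop trailing empty lines, end with exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse WSP runs, strip line-end WSP and trailing empty lines."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


CANON = {"simple": canon_simple, "relaxed": canon_relaxed}


def body_hash(body: bytes, canon: str = "simple") -> str:
    """Base64 SHA-256 of the canonicalized body, i.e. the bh= tag value."""
    return base64.b64encode(hashlib.sha256(CANON[canon](body)).digest()).decode()


def to_wire(body: bytes) -> bytes:
    """Turn bare LF into CRLF (assumed form in which the verifier sees the body)."""
    return re.sub(rb"(?<!\r)\n", b"\r\n", body)


def bh_matches(signed_over: bytes, received: bytes, canon: str) -> bool:
    """True when signer and verifier would compute the same body hash."""
    return body_hash(signed_over, canon) == body_hash(received, canon)


# Constructed sample body with LF line endings, as stored on a Linux host.
BODY_LF = b"Hello,\n\nThis is a resent test message.  \n\n"
BODY_WIRE = to_wire(BODY_LF)

if __name__ == "__main__":
    for canon in CANON:
        print(canon, "signed over LF  :", bh_matches(BODY_LF, BODY_WIRE, canon))
        print(canon, "signed over CRLF:", bh_matches(BODY_WIRE, BODY_WIRE, canon))
```

Neither canonicalization rewrites line terminators, so the mismatch appears under both; "relaxed" only absorbs whitespace differences inside and at the end of lines.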

