Comment posted How to enable Domain Keys (DKIM) in Qmail toaster based mail server install on Debian Linux by .
After setting the DKIM I’ve figured out my console mail command is not working 😐
# mail -s "testing 123" hipo@pc-freak.net
adsfadsffdsa
.
Cc:
qmail-inject: fatal: mail server permanently rejected message (#5.3.0)
Can't send mail: sendmail process failed with error code 100
Have to google around to see if there is a fix
Got the error:
It was /var/qmail/bin/sendmail
While I was experimenting it appears I set a sendmail wrapper script as an attempt to solve some old qmail trouble.
My /var/qmail/bin/sendmail wrapper script looked like so:
#!/bin/sh
export QMAILQUEUE=/var/qmail/bin/qmail-dk
export DKQUEUE=/var/qmail/bin/qmail-queue.orig
export DKSIGN=/etc/domainkeys/mydomain.com/default
exec /var/qmail/bin/sendmail.orig "$@"
After restoring to the original /var/qmail/bin/sendmail.orig binary all is well e.g.:
debian:~# cp -rpf /var/qmail/bin/sendmail.orig /var/qmail/bin/sendmail
Another good howto resource, which gives some general tips on how to enable qmail DKIM signing, is found at http://jeremy.kister.net/howto/dk.html.
I have used chunks of it in order to write this tutorial.
Using the qmail-remote bash wrapper from http://www.pc-freak.net/files/qmail-remote.wrapper.old I got the following headers:
From - Wed May 25 13:13:32 2011
X-Account-Key: account11
X-UIDL: 1306318471.48009.pcfreak,S=1958
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <hipo@mydomain.com>
Delivered-To: hipo@pc-freak.net
Received: (qmail 48006 invoked by uid 1048); 25 May 2011 10:14:30 -0000
Received: from mail.mydomain.com (83.170.105.141)
by mail.pc-freak.net with SMTP; 25 May 2011 10:14:30 -0000
DKIM-Signature: a=rsa-sha1; c=relaxed; d=mydomain.com;
s=default; t=1306318395; x=1307182395; h=Received:From; b=k/hvkL
zPXS4xwYaptsg9M8r3esJzQz71q7lK4uYV29VE35qghbmlXD2ShvwwwmElGK2mLR
sFt/0b38dxjNZeu++R0UJ7jK3BJLqhbb/H3BeqdYgjnVloF693fxrwQOFxhSXk06
KTuTrFwF+sVmFvdYIRDDLcsFJo7qBVuN8LPxI=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com;
s=default; t=1306318395; x=1307182395; h=Received:From; bh=uoq1o
CgLlTqpdDX/iUbLy7J1Wic=; b=VLw/fJAMQzI2Ba9e5EEsGcjmsDxzhmvYWuAGM
SgKmwpdfG1DXknYWs1aX1ia25dHINhPlCixhoGWBiQTHSL7hHXNaOHsFNp5wUifu
0piuBkMvsOWjZt3tf3yhdBxoQEvE2tz2f7MWSkA6QOtGznBiI4A9zjyq8/Q3FcZR
hYKSp0=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydomain.com;
s=default; t=1306318395; x=1307182395; h=Received:From; bh=frcCV
1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=Cozq+28r4hnpZ+9IfM6pt
l7vJSvRE5jsRfwMr/PyE3ubaII+LPDzcvBp4Do8UPvzQln31DM2Hkdu9uvxvh2po
Qgi+eHWN6kW2bcH2HuqnIeFdURdJMVGA946I/eFKH5AB/1bcGXEumeKC0n84H+a7
1596ArTCsGX3jRznvg/t6k=
Received: (qmail 32713 invoked by uid 89); 25 May 2011 10:13:15 -0000
Received: from unknown (HELO webmail.mydomain.com) (127.0.0.1)
by 0 with SMTP; 25 May 2011 10:13:15 -0000
Received: from 83.228.93.76
(SquirrelMail authenticated user hipo@mydomain.com)
by webmail.mydomain.com with HTTP;
Wed, 25 May 2011 11:13:15 +0100 (BST)
Message-ID: <59494.83.228.93.76.1306318395.squirrel@webmail.mydomain.com>
Date: Wed, 25 May 2011 11:13:15 +0100 (BST)
Subject: baklava
From: hipo@mydomain.com
To: hipo@pc-freak.net
User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Notice the three DKIM-Signature sections in the header; this obviously means the DKIM-Signature of my outgoing mails is fine.
What is weird is that the email gets a DKIM-Signature 3 times?
I’m still investigating why that is; as soon as I have found out why it’s like that, I’ll explain it here.
After a while, I’ve figured out why the DKIM-Signature gets signed three times within the mail header.
It seems the script that does the strange DKIM-Signature is signing my headers 3 times; once again, the script is found here: http://www.pc-freak.net/files/qmail-remote.wrapper.old
I’ll fix that in the tutorial right away.
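An added example (not part of the original comments): a Python audit of every DKIM-Signature header in a message, reporting missing mandatory tags, rsa-sha1, and visible headers left out of h=. The sample message is constructed from the headers quoted above with placeholder bh=/b= values; the function names and the SHOULD_SIGN list are assumptions of this example.

```python
import email

# Constructed message modelled on the headers quoted above; the bh=/b= values are
# shortened placeholders, not real signatures.
SAMPLE = """\
Return-Path: <hipo@mydomain.com>
DKIM-Signature: a=rsa-sha1; c=relaxed; d=mydomain.com;
 s=default; t=1306318395; x=1307182395; h=Received:From; b=AAAA
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com;
 s=default; t=1306318395; x=1307182395; h=Received:From; bh=BBBB;
 b=CCCC
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydomain.com;
 s=default; t=1306318395; x=1307182395; h=Received:From; bh=DDDD;
 b=EEEE
Date: Wed, 25 May 2011 11:13:15 +0100 (BST)
Subject: baklava
From: hipo@mydomain.com
To: hipo@pc-freak.net

test
"""

REQUIRED = ("v", "a", "b", "bh", "d", "h", "s")   # mandatory tags, RFC 6376 section 3.5
SHOULD_SIGN = ("from", "subject", "date", "to")   # assumption: headers the reader sees

def parse_tags(value):
    """Split a DKIM tag-list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags

def audit_signatures(raw_message):
    """Return one (tags, problems) pair per DKIM-Signature header, top to bottom."""
    msg = email.message_from_string(raw_message)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        problems = [f"missing {t}=" for t in REQUIRED if t not in tags]
        if tags.get("a") == "rsa-sha1":
            problems.append("rsa-sha1 (forbidden by RFC 8301)")
        signed = {h.lower() for h in tags.get("h", "").split(":")}
        unsigned = [h for h in SHOULD_SIGN if msg[h] is not None and h not in signed]
        if unsigned:
            problems.append("not covered by h=: " + ", ".join(unsigned))
        results.append((tags, problems))
    return results
```

Run against a saved copy of a delivered message, it lists each signature separately, so duplicate or incomplete signatures added by a wrapper show up at once.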
Just one more handy test which might be helpful to somebody.
In order to make sure dkimsign.pl does issue correct DKIM-Signatures, create a new file with some content for instance:
host# touch aaa
host# echo 'aaaaaa' >> aaa
host# /usr/local/bin/dkimsign.pl < aaa
DKIM-Signature: v=1; a=rsa-sha1; c=simple; h=; s=selector1; bh=uoq1oCgLl
TqpdDX/iUbLy7J1Wic=; b=Di1wbTcT1ZFMdsrJM12z9TX23uiLNtvBTSrJZArED
GinESGM1ouZkkGduuj+wVKJq3xTdQ10eo68V8Af0P7UuzPLIncO9KUhagtrRqNSi
Eie15+eQXi7QGYo2eA4thvs
You see the DKIM-Signature appearing; this means dkimsign.pl works fine.
P.S.
line:
host# /usr/local/bin/dkimsign.pl
host# echo /usr/local/bin/dkimsign.pl < aa
Another thing I’ve noticed is that you might get trouble, where mails are not signed with DKIM-Signature or Domainkey-Signature, if your RSA private key file (default) is missing (for example /etc/domainkeys/domainname.com/default), where domainname.com is the vpopmail domain that the mail is physically sent from.
Also, on domains not managed by a custom BIND DNS server but by the DNS servers of some external mail reseller company like GoDaddy, the TXT records which are necessary to set up are:
TXT name is: _domainkey.yourdomain.com
TXT value is: t=y; o=-
TXT name is: private._domainkey.yourdomain.com
TXT value is: k=rsa; p=XXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx………
If you get a “DomainKey-Status: bad” in the headers in gmail.com, this means something is wrong with the configured domain key…
The most common reason for a “Domainkey-Status: bad” is an improperly configured (pasted) TXT RSA key in the DNS server.
I’ve experienced this on a couple of domains where I was configuring domainkeys.
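An added example (not part of the original comments): an offline Python check of the value pasted into the private._domainkey TXT record, which catches lost characters, stray quoting and short keys before a receiver reports a bad status. The record value is constructed (a structurally valid but unusable key), and all function names are this example's own.

```python
import base64

# Constructed record value: a structurally valid 1024-bit RSA SubjectPublicKeyInfo
# (modulus 2**1023 + 1, not a usable key), split into two quoted strings the way
# DNS tools display long TXT data.
GOOD = ('"k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCA' + "A" * 100
        + '" "' + "A" * 68 + 'AQIDAQAB"')
BAD = GOOD[:-9] + '"'   # the same record with its last 8 base64 characters lost

def der_tlv(buf, pos, expect):
    """Read one DER element with tag `expect`; return (content, next offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != expect or pos + length > len(buf):
        raise ValueError("unexpected or truncated DER element")
    return buf[pos:pos + length], pos + length

def rsa_bits(der):
    """Modulus size in bits of a DER-encoded RSA SubjectPublicKeyInfo."""
    spki, _ = der_tlv(der, 0, 0x30)
    _, after_alg = der_tlv(spki, 0, 0x30)  # AlgorithmIdentifier, skipped
    bitstr, _ = der_tlv(spki, after_alg, 0x03)
    rsakey, _ = der_tlv(bitstr, 1, 0x30)   # byte 0 is the unused-bits count
    modulus, _ = der_tlv(rsakey, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()

def check_key_record(txt):
    """Return (problems, key_bits) for the value of a <selector>._domainkey TXT record."""
    problems = ["PEM armour pasted into record"] if "-----" in txt else []
    tags = {}
    for part in txt.replace('"', "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    if tags.get("k", "rsa") != "rsa":
        problems.append("k= is not rsa")
    try:
        bits = rsa_bits(base64.b64decode(tags.get("p", ""), validate=True))
    except (ValueError, IndexError):       # bad base64, or DER cut short
        return problems + ["p= is missing or not a complete base64 RSA public key"], 0
    if bits < 1024:                        # RFC 8301 minimum for RSA keys
        problems.append(f"{bits}-bit key is too short")
    return problems, bits
```

Feed it the TXT value exactly as the DNS provider's control panel or a DNS lookup shows it; an empty problem list means the p= value decodes to a complete RSA public key.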
A few very handy websites to debug whether the configured domainkeys are finally working properly are:
http://www.mailradar.com/domainkeys/ (Domainkey Checker)
http://domainkeys.sourceforge.net/policycheck.html (DomainKey Policy Record Tester)
The first website (Domainkey Checker) checks the header and matches it against the created DNS record. If both the header values for domainkeys match certain criteria, the domain key is considered valid. Many times, even with domain keys enabled and the headers present, they could still be invalid. It happened to me many times. Thus this online resource check is an important indicator of whether DKIM is properly configured.
The second one (DomainKey Policy Record Tester) checks and assures that the domain's DNS-configured TXT records for domainkeys are correct.
Another good debugging tool, helpful in checking that the domain record is correct:
http://domainkeys.sourceforge.net/selectorcheck.html
Another handy source of debugging is sending mail to:
check-auth2 [at] verifier.port25.com
In less than a minute an automated mail will be returned, giving hints on what might be causing the Domain key issues.
You will get something like:
Thank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: pass
DKIM check: permerror
Sender-ID check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
Hey! Great article. I’m looking to do the same with postfix (latest version) and exim (latest version too). Is there any possibility that you may do an article as fine and complete as this for those MTAs? That would be really awesome of you. Keep up the great work. Thanks.
Thx,
When I have time I’ll write an article on how DKIM can be enabled on postfix.
Thx for the suggestion.
Best,
Georgi
Thanks Georgi for your reply. Do you know how to do it on exim? For people it is still needed to use both DomainKeys AND DKIM. Hope your expertise can be shared with all of us with that need. 🙂
Hi,
I’ve a problem trying to install libdomainkeys. I’ve resolved all other problems and I’ve googled searching for mine but I can’t find a solution for the following error. Can you help me?
# cd /usr/src/libdomainkeys-0.69
# echo '-lresolv' > dns.lib
# make clean & make
[2] 9655
rm -f *.o *.so libdomainkeys.a dns.lib dnstest socktest makeheader dktest testtrace domainkeys.h
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -o makeheader makeheader.c
./makeheader domainkeys.h
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c dktest.c -I.
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c domainkeys.c -I.
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c dns_txt.c
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c -o dktrace.o dktrace.c
rm -f libdomainkeys.a
ar cr libdomainkeys.a domainkeys.o dns_txt.o dktrace.o
ranlib libdomainkeys.a
(if make dnstest >/dev/null 2>&1; then echo -lresolv; else echo ""; fi) >dns.lib
rm -f dnstest
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -o dktest dktest.o -L. -ldomainkeys -lcrypto -lresolv `cat dns.lib` `cat socket.lib`
./libdomainkeys.a(domainkeys.o): In function `dk_getsig':
domainkeys.c:(.text+0x621): undefined reference to `BIO_set_flags'
./libdomainkeys.a(domainkeys.o): In function `dk_end':
domainkeys.c:(.text+0x20fd): undefined reference to `BIO_set_flags'
domainkeys.c:(.text+0x25f5): undefined reference to `BIO_set_flags'
collect2: ld returned 1 exit status
make: *** [dktest] Error 1
[2]- Done make clean
Hi Barbara,
Probably you need to install an older version of libdomainkeys (download from source) or try the libdomainkeys-dev package (if it is available on your distro).
Hope this helps.
Regards,
Georgi
Hi Georgi,
Thank you very much for your answer. I’ve tried to install both versions 0.67 and 0.68 but the result unfortunately doesn’t change.
I’m on Debian 3.1 with kernel 2.6.18.18 and gcc version 4.1.2.
I’ve also updated openssl to the last stable but nothing changes… Any other ideas?
Thanks again,
Barbara
This is a rather old Debian, why don’t you try to update it and see whether compile will work?