Recently the emails sent by one of the Qmail mail servers running on a Debian host suddenly started being delivered to the Spam folder in both the Gmail.com and yahoo.com public mail services.
This is pretty nasty, as emails from many of the websites which used the local qmail server to deliver messages concerning subscriptions and other kinds of services started ending up in Spam, and thus many of the users with Yahoo Mail and Google Mail (Gmail) accounts were unable to read the emails sent by the websites' forms and scripts.
You can imagine the negative effect all these “minor” mail issues had on the website visitor count and the overall website functionality.
To come up with some kind of solution to these mail issues, I did quite a lot of research to understand whether Yahoo and Google Mail have some kind of mail server delist form or reporting service where one can delist a specific mail server flagged as a spammer or get some kind of help, but unfortunately it seems neither Google nor Yahoo has any kind of web-based way to remove hosts or IP addresses of legit mail servers which have mistakenly been recognized as spam servers.
During my efforts to find a solution to the situation I read a lot of posts and forums online as well as Google’s Bulk Sender Guidelines; none of it was too helpful though.
The QMAIL server had a proper:
1. MX Record
2. TXT SPF records
3. PTR Record
4. There are proper correct mail message headers
5. Proper mails charset and encoding
6. The mail server IP is not listed anywhere in any mail blacklists
(e.g. www.mxtoolbox.com/blacklists.aspx / spamhaus.org)
7. A correct SMTP greeting which matched the mail server domain name
The only thing which was missing on the mail server (checked against Google’s Bulk Sender Guidelines) was properly configured DKIM and DomainKeys signing.
Thus, in order to get around the situation, I configured the qmail server to also include Domain Keys signatures in the mail headers.
In this article I will briefly explain step by step how I configured Domain Keys (DKIM) signing of my mails:
There are a few ways domain keys signing can be implemented with Qmail.
1. By patching qmail binaries to support domain keys signing
I wanted to avoid any intervention in the well-running qmail install, so I decided not to go this way.
Plus there are plenty of add-ons for qmail, and as I have no time to test them, the idea not to tamper with the existing qmail installation looked wise to me.
2. Use a wrapper script around qmail-remote that externally invokes the domainkeys binaries
This kind of solution suited me better and therefore I took this route to enable my qmail DKIM signing.
There are a few approaches one can take described online:
I tried using the qmail-dkim-0.2.pl wrapper script, following the exact steps described to enable DKIM signatures on my outgoing mails; however, for some reason, after substituting qmail-remote with qmail-dkim.pl and setting the proper permissions, my outgoing mails failed completely and each mail I sent was returned by the qmail MAILER-DAEMON.
I gave this approach a try and thankfully it worked after a bit of struggle to tune it up.
Here is exactly what I had to do in order to get domain keys signing to work using the above described qmail-remote.sh shell script wrapper:
1. Install openssl related required debian packages
debian:~# apt-get install openssl libcrypt-openssl-rsa-perl libcrypt-openssl-bignum-perl libmail-dkim-perl
...
2. Create necessary directories and RSA key pairs for DomainKeys
debian:~# mkdir -p /etc/domainkeys/mydomain.com
debian:~# cd /etc/domainkeys/mydomain.com
debian:/etc/domainkeys/mydomain.com# openssl genrsa -out rsa.private_default 768
debian:/etc/domainkeys/mydomain.com# openssl rsa -in rsa.private_default -out rsa.public_default -pubout -outform PEM
debian:/etc/domainkeys/mydomain.com# ln -sf rsa.private_default default
debian:/etc/domainkeys/mydomain.com# touch selector
debian:/etc/domainkeys/mydomain.com# echo 'default' >> selector
Where mydomain.com is the mail domain I need the DKIM signatures for.
I have written a small shell script which automates the task of adding new domainkeys directories and generating the RSA keys with openssl, you can download my generate_qmail_domainkey_rsa automator script here
3. Set proper permissions and owner to /etc/domainkeys directory
debian:~# chmod -R u=rwX,go= /etc/domainkeys
debian:~# chown -R qmailr:qmail /etc/domainkeys
4. Generate public domain key for DNS TXT records
debian:/etc/domainkeys/mydomain.com# grep -v ^- rsa.public_default | perl -e 'while(<>){chop;$l.=$_;}print "k=rsa; t=y; p=$l;\n";'
“k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMlDcYMrpWP9ouQOlFVtCHcFY
+gxrSQ6SegYeP4eeG7NECT/3jBqDtxANIVhaS9ASkEO4yNisGu4yX/DRclTm
nPWknoDtCDiD7IFEzT37qn1JLzcuknTncmFBFMDRUJq6wIDAQAB;”
The above key is used in next step 5 to set it as a TXT DNS record.
5. Create the DNS records in Name server
With a BIND DNS server you need to place records like:
_domainkey.example.com. IN TXT "k=rsa; t=y; o=-;"
default._domainkey.example.com. IN TXT "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2RkvFHbhqM/bVbbkBtZ1cZUSYcjC4q+PWjd1tFopT+HXXR9Ctx7FZ1guX5fGboiwYmhCYdVroIKRM3I48/YyQoXxtn3iYZ086v8BHaNtkcBMY+68JeEQ3K0WQkbqQXp/tsnLYSQW1yXiEo9CywxVdpwH+OY94HxK4fAbw6V11cwIDAQAB"
! The p= key specified above is the one generated in step 4.
6. Download, compile and install the Mail-DKIM-0.39 Perl extension
As of the time of writing the latest Mail-DKIM is ver. 0.39, however it’s a good idea to check and install the latest version available on http://www.cpan.org
a) Download Mail-DKIM
debian:~# cd /usr/local/src
debian:/usr/local/src# wget https://www.pc-freak.net/files/Mail-DKIM-0.39.tar.gz
...
2011-05-25 15:09:37 (264 KB/s) - `Mail-DKIM-0.39.tar.gz' saved [87375/87375]
...
b) Compile & Install Mail-DKIM
debian:/usr/local/src# chown -R hipo:hipo Mail-DKIM-0.39
debian:/usr/local/src# cd Mail-DKIM-0.39
debian:/usr/local/src/Mail-DKIM-0.39# su hipo
debian:/usr/local/src/Mail-DKIM-0.39$ perl Makefile.PL
debian:/usr/local/src/Mail-DKIM-0.39$ make
…
debian:/usr/local/src/Mail-DKIM-0.39$ exit
debian:/usr/local/src/Mail-DKIM-0.39# make install
debian:/usr/local/src/Mail-DKIM-0.39# cd script
debian:/usr/local/src/Mail-DKIM-0.39/script# cp -rpf * /usr/local/bin; cd /usr/local/src
Note that dkimsign.pl, which is part of Mail-DKIM-0.39, is a very important tool used later by the qmail-remote wrapper script. This perl script is copied by the last command issued in the above chunk of code.
In the commands above I use my unprivileged username hipo to compile; any non-root user is appropriate here.
For instance it’s possible to use the cpan user as the compile-time user; I was too lazy to configure CPAN, thus I chose to use my normal unprivileged user.
c) Configure RSA domain key paths in dkimsign.pl
Another thing to do here is to make sure the /usr/local/bin/dkimsign.pl which was just installed has the correct location set for its KeyFile variable.
This variable is located on line 64 of the script. I changed it to point to my RSA domain key file; after the change it looks like so:
KeyFile => "/etc/domainkeys/mydomain.com/default"
7. Download and install libdomainkeys
a) Download libdomainkeys
For latest version of libdomainkeys make sure you check on http://domainkeys.sourceforge.net/
debian:/usr/local/src# wget https://www.pc-freak.net/files/libdomainkeys-0.69.tar.gz
debian:/usr/local/src# tar -zxvvf libdomainkeys-0.69.tar.gz
...
debian:/usr/local/src# chown -R hipo:hipo libdomainkeys-0.69
debian:/usr/local/src# cd libdomainkeys-0.69; su hipo
b) Compile and install libdomainkeys binaries
debian:/usr/local/src/libdomainkeys-0.69$ echo '-lresolv' > dns.lib
debian:/usr/local/src/libdomainkeys-0.69$ make clean && make
debian:/usr/local/src/libdomainkeys-0.69$ exit
debian:/usr/local/src/libdomainkeys-0.69# cp -rpf dktest dknewkey expected makeheader /usr/local/bin/
One note to make here: one of the programs that is part of libdomainkeys, called dnstest, is not compiled while doing make, for unknown reasons?!
I was not able to compile dnstest manually with gcc either:
debian:/usr/local/src/libdomainkeys-0.69$ gcc -o dnstest dnstest.c
dnstest.c: In function 'main':
dnstest.c:11: warning: incompatible implicit declaration of built-in function 'strle'
/tmp/ccH78KZ1.o: In function 'main':
dnstest.c:(.text+0x2b): undefined reference to 'dns_text'
collect2: ld returned 1 exit status
I have absolutely no clue why it fails o_O, but it doesn’t matter since I figured out that the domainkeys header signature is properly set even without dnstest.
Let me mark here that the echo '-lresolv' > dns.lib you see in the above code chunk is absolutely necessary in order to be able to compile libdomainkeys on Debian based distributions. If the echo '-lresolv' > dns.lib is omitted, the libdomainkeys build fails with the error:
gcc -DBIND_8_COMPAT -O2 -o dktest dktest.o -L. -ldomainkeys -lcrypto `cat dns.lib` `cat socket.lib`
./libdomainkeys.a(dns_txt.o): In function `dns_text':
dns_txt.c:(.text+0x2d): undefined reference to `__res_query'
dns_txt.c:(.text+0xc4): undefined reference to `__dn_expand'
dns_txt.c:(.text+0x184): undefined reference to `__dn_expand'
collect2: ld returned 1 exit status
make: *** [dktest] Error 1
8. Install libdkim (source of the libdkimtest binary later used by qmail-remote wrapper script)
debian:/usr/local/src# su hipo
debian:/usr/local/src$ wget https://www.pc-freak.net/files/qmail/libdkim-1.0.19.zip
debian:/usr/local/src$ wget https://www.pc-freak.net/files/qmail/libdkim-1.0.19-linux.patch
debian:/usr/local/src$ wget https://www.pc-freak.net/files/qmail/libdkim-1.0.19-extra-options.patch
debian:/usr/local/src$ unzip libdkim-1.0.19.zip
debian:/usr/local/src$ cd libdkim/src
debian:/usr/local/src/libdkim/src$ patch -p2 < ../../libdkim-1.0.19-linux.patch
debian:/usr/local/src/libdkim/src$ patch -p2 < ../../libdkim-1.0.19-extra-options.patch
debian:/usr/local/src/libdkim/src$ make && exit
debian:/usr/local/src/libdkim/src# make install
The above will install the libdkimtest binary, used by the wrapper script to create the actual DKIM-Signature; the binary gets installed in /usr/local/bin/libdkimtest.
Here is a link to patched version of libdkim 1.0.19; to use it instead of patching as described above, download the archive, untar it and do a make clean && make && make install
9. Download qmail-remote.wrapper (qmail-remote wrapper shell script) and set it to wrap qmail-remote
a) Copy original qmail-remote to qmail-remote.orig
debian:~# cd /var/qmail/bin
debian:/var/qmail/bin# cp -rpf qmail-remote qmail-remote.orig
b) Download qmail-remote.wrapper script
Here is the qmail-remote.sh wrapper script that worked for me
Originally the wrapper script is taken from http://www.memoryhole.net/qmail/, big thanks to Russ Nelson for writing the awesome wrapper script.
debian:~# cd /var/qmail/bin/
debian:/var/qmail/bin# wget https://www.pc-freak.net/files/qmail-remote.wrapper
Saving to: `qmail-remote.wrapper'
100%[============================>] 1,164 --.-K/s in 0s
2011-05-25 15:46:54 (142 MB/s) - `qmail-remote.wrapper' saved [1164/1164]
c) Set proper permissions to the qmail-remote.wrapper script
The permissions of qmail-remote should look like so:
-rwxr-xr-x 1 root qmail 1164 2011-05-25 11:05 /var/qmail/bin/qmail-remote*
To set these permissions I used:
debian:/var/qmail/bin# chmod 755 qmail-remote.wrapper
debian:/var/qmail/bin# chown qmailq:qmail qmail-remote.wrapper
d) Create /var/domainkeys directory (necessary for proper qmail remote wrapper script operations)
debian:~# mkdir /var/domainkeys
debian:~# chown -R qmailr:qmail /var/domainkeys
debian:~# chmod 700 -R /var/domainkeys
e) Substitute original qmail-remote binary with the wrapper script:
debian:~# qmailctl stop
Stopping qmail...
qmail-send
qmail-smtpd
debian:/var/qmail/bin# cp -rpf qmail-remote.wrapper qmail-remote
debian:/var/qmail/bin# qmailctl start
Starting qmail
10. Send a test email to @gmail.com or @yahoo.com to test if DKIM-Signature is included in the mail header
I used my installed squirrelmail webmail interface and sent a test email to my home mail server as well as to yahoo.com
The headers of the email looked fine; here is how my DKIM signed mail headers looked:
From - Thu May 26 15:31:37 2011
X-Account-Key: account11
X-UIDL: 1306413169.97071.pcfreak,S=1244
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <root@mail.mydomain.com>
Delivered-To: hipo@www.pc-freak.net
Received: (qmail 97068 invoked by uid 1048); 26 May 2011 12:32:49 -0000
Received: from mail.mydomain.com (83.170.100.100)
by mail.www.pc-freak.net with SMTP; 26 May 2011 12:32:49 -0000
Comment: DomainKeys? See http://domainkeys.sourceforge.net/
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=default; d=mydomain.com;
b=ZnTDdUexnt8fmuHbVNXIC+JDvNLYO1zjzlI3PODe3e1oMS5dRHzVGujrS1
Yk0qqs2oW7DseZg/iHE9KOLZBeInksOnsmLsDBq1Lvzfv2xejikR52LBg6a/uK
ewECJy4jQA4cwMJ/qUxmK8EDwbgj7jqCVB95FK3Z5EdR4HoaqGQ=;
h=Received:Date:Message-ID:From:To:Subject;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; h=date
:message-id:from:to:subject; s=default; q=
/etc/domainkeys/mydomain.com/default;
bh=G32d6y8oiLehRzcuIWr9s
S+Jy+g=;
b=TPW5VXq3vlOUf1T7lfxQC00MN0kPJxaASE/gq7LbHyV1Gj/Xj+GLF
UN6hYVeKnsoKKeV108JVGcfvfTaLogsxGyS9XzUXKlLtESBj4wr/DAOQy
OcHCj75
bEOOd9nv+RehOYinXGmx0JUZpCNHGndNZ1AEabbVEiX/NQAL7iKDnE
=
Received: (qmail 28771 invoked by uid 0); 26 May 2011 12:31:30 -0000
Date: 26 May 2011 12:31:30 -0000
Message-ID: <20110526123130.28770.qmail@mail.mydomain.com>
From: root@mail.mydomain.com
To: hipo@www.pc-freak.net
Subject: testing 123
baklavavav
tatta
Notice the two lines in the above pasted header:
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; h=date
This clearly shows that now both Domainkeys and DKIM are being applied to outgoing mail messages 🙂
However, to be completely sure the domainkeys and DKIM signing is correct, you should check with the online websites which offer a mail domainkey check and DKIM signature check. An example of such a website, which I used to test that my RSA Domainkeys and DKIM correspond correctly to the ones specified in the DNS server, is:
here
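The key record from step 4 and the DKIM-Signature header from step 10 can also be checked offline. The script below is an added example, not code from this post or from Mail-DKIM/libdkim: it parses both tag lists, reads the RSA modulus size out of the p= value, and reports what a strict verifier objects to. The 1024-bit floor and the rsa-sha1 finding follow RFC 8301, the q= and h= rules follow RFC 6376; all function names are made up for this example.

```python
import base64
import re

MIN_RSA_BITS = 1024  # floor from RFC 8301; 2048 is the recommended size

# Key record exactly as printed in step 4 of this page (line breaks removed).
STEP4_RECORD = (
    "k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMlDcYMrpWP9ouQOlFVtCHcFY"
    "+gxrSQ6SegYeP4eeG7NECT/3jBqDtxANIVhaS9ASkEO4yNisGu4yX/DRclTm"
    "nPWknoDtCDiD7IFEzT37qn1JLzcuknTncmFBFMDRUJq6wIDAQAB;"
)

# Tags of the DKIM-Signature header shown in step 10; b= is shortened (constructed).
STEP10_SIGNATURE = (
    "v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; h=date\n"
    " :message-id:from:to:subject; s=default; q=\n"
    " /etc/domainkeys/mydomain.com/default;\n"
    " bh=G32d6y8oiLehRzcuIWr9s\n S+Jy+g=; b=AAAA"
)


def parse_tags(value):
    """Split a DKIM tag=value list (key record or signature) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def _read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_bits(p_value):
    """Modulus size in bits of a base64 SubjectPublicKeyInfo (the p= tag)."""
    der = base64.b64decode(p_value, validate=True)
    _, start, _ = _read_tlv(der, 0)                  # outer SEQUENCE
    _, _, alg_end = _read_tlv(der, start)            # AlgorithmIdentifier, skipped
    tag, bs_start, _ = _read_tlv(der, alg_end)       # BIT STRING wrapping the key
    if tag != 0x03:
        raise ValueError("p= is not a SubjectPublicKeyInfo")
    _, seq_start, _ = _read_tlv(der, bs_start + 1)   # skip the unused-bits byte
    tag, n_start, n_end = _read_tlv(der, seq_start)  # INTEGER: the modulus
    if tag != 0x02:
        raise ValueError("RSA modulus not found")
    return int.from_bytes(der[n_start:n_end], "big").bit_length()


def lint_key_record(txt):
    """Return (key size in bits, findings) for a DKIM/DomainKeys TXT record."""
    tags = parse_tags(txt)
    findings = []
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: key record is still flagged as testing")
    bits = rsa_bits(tags["p"])
    if bits < MIN_RSA_BITS:
        findings.append(f"p=: {bits}-bit RSA key is below {MIN_RSA_BITS} bits")
    return bits, findings


def lint_signature(header_value):
    """Return findings for the value of one DKIM-Signature header."""
    tags = parse_tags(header_value)
    findings = []
    if tags.get("a") == "rsa-sha1":
        findings.append("a=rsa-sha1: deprecated by RFC 8301, use rsa-sha256")
    for method in tags.get("q", "dns/txt").split(":"):
        if method != "dns/txt":
            findings.append(f"q={method}: only dns/txt is a defined query method")
    if "from" not in [h.lower() for h in tags.get("h", "").split(":")]:
        findings.append("h=: the From header is not signed")
    return findings


if __name__ == "__main__":
    bits, problems = lint_key_record(STEP4_RECORD)
    print(f"step 4 key: {bits} bits")
    for line in problems + lint_signature(STEP10_SIGNATURE):
        print(" -", line)
```

Run against this page's values it reports a 768-bit key still marked t=y, and a signature that uses rsa-sha1 and carries a file path in q= where only dns/txt is defined.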
The idea for writing this small guide on configuring Domainkeys with Qmail and Linux is seriously inspired by Mariuz’s Blog post dkim wrapper that works using dk
Hope this is helpful to somebody; it took me quite a while until I came up with the exact steps of a workable install of Domain Keys. There are so many tutorials and ways to implement this that at a certain point it’s a hell.
Like always with Qmail, even simple things are so complex; the only good thing about qmail is that once you make it work well, it works forever … until the next time you have to spend a few days trying to figure it out 😉
I’m very much looking forward to hearing whether people followed the tutorial successfully.
Any feedback concerning the article is most welcome!
Cheers!
After setting the DKIM I’ve figured out my console mail command is not working 😐
# mail -s "testing 123" hipo@pc-freak.net
adsfadsffdsa
.
Cc:
qmail-inject: fatal: mail server permanently rejected message (#5.3.0)
Can’t send mail: sendmail process failed with error code 100
Have to google around to see if there is a fix
Got the error:
It was /var/qmail/bin/sendmail
While I was experimenting it appears I set a sendmail wrapper script as an attempt to solve some old qmail trouble.
My /var/qmail/bin/sendmail wrapper script looked like so:
#!/bin/sh
export QMAILQUEUE=/var/qmail/bin/qmail-dk
export DKQUEUE=/var/qmail/bin/qmail-queue.orig
export DKSIGN=/etc/domainkeys/mydomain.com/default
exec /var/qmail/bin/sendmail.orig "$@"
After restoring to the original /var/qmail/bin/sendmail.orig binary all is well e.g.:
debian:~# cp -rpf /var/qmail/bin/sendmail.orig /var/qmail/bin/sendmail
Another good howto resource, which gives some general tips on how to enable qmail DKIM signing, is found on http://jeremy.kister.net/howto/dk.html.
I have used chunks of it in order to write this tutorial
Using the qmail-remote bash wrapper from http://www.pc-freak.net/files/qmail-remote.wrapper.old I got the following headers:
From - Wed May 25 13:13:32 2011
X-Account-Key: account11
X-UIDL: 1306318471.48009.pcfreak,S=1958
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <hipo@mydomain.com>
Delivered-To: hipo@pc-freak.net
Received: (qmail 48006 invoked by uid 1048); 25 May 2011 10:14:30 -0000
Received: from mail.mydomain.com (83.170.105.141)
by mail.pc-freak.net with SMTP; 25 May 2011 10:14:30 -0000
DKIM-Signature: a=rsa-sha1; c=relaxed; d=mydomain.com;
s=default; t=1306318395; x=1307182395; h=Received:From; b=k/hvkL
zPXS4xwYaptsg9M8r3esJzQz71q7lK4uYV29VE35qghbmlXD2ShvwwwmElGK2mLR
sFt/0b38dxjNZeu++R0UJ7jK3BJLqhbb/H3BeqdYgjnVloF693fxrwQOFxhSXk06
KTuTrFwF+sVmFvdYIRDDLcsFJo7qBVuN8LPxI=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com;
s=default; t=1306318395; x=1307182395; h=Received:From; bh=uoq1o
CgLlTqpdDX/iUbLy7J1Wic=; b=VLw/fJAMQzI2Ba9e5EEsGcjmsDxzhmvYWuAGM
SgKmwpdfG1DXknYWs1aX1ia25dHINhPlCixhoGWBiQTHSL7hHXNaOHsFNp5wUifu
0piuBkMvsOWjZt3tf3yhdBxoQEvE2tz2f7MWSkA6QOtGznBiI4A9zjyq8/Q3FcZR
hYKSp0=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=mydomain.com;
s=default; t=1306318395; x=1307182395; h=Received:From; bh=frcCV
1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=; b=Cozq+28r4hnpZ+9IfM6pt
l7vJSvRE5jsRfwMr/PyE3ubaII+LPDzcvBp4Do8UPvzQln31DM2Hkdu9uvxvh2po
Qgi+eHWN6kW2bcH2HuqnIeFdURdJMVGA946I/eFKH5AB/1bcGXEumeKC0n84H+a7
1596ArTCsGX3jRznvg/t6k=
Received: (qmail 32713 invoked by uid 89); 25 May 2011 10:13:15 -0000
Received: from unknown (HELO webmail.mydomain.com) (127.0.0.1)
by 0 with SMTP; 25 May 2011 10:13:15 -0000
Received: from 83.228.93.76
(SquirrelMail authenticated user hipo@mydomain.com)
by webmail.mydomain.com with HTTP;
Wed, 25 May 2011 11:13:15 +0100 (BST)
Message-ID: <59494.83.228.93.76.1306318395.squirrel@webmail.mydomain.com>
Date: Wed, 25 May 2011 11:13:15 +0100 (BST)
Subject: baklava
From: hipo@mydomain.com
To: hipo@pc-freak.net
User-Agent: SquirrelMail/1.4.9a
MIME-Version: 1.0
Content-Type: text/plain;charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Notice the three DKIM-Signature sections in the header; this obviously means the DKIM-Signature of my outgoing mails is fine.
What is weird is that the email gets a DKIM-Signature 3 times?
I’m still investigating why that is; as soon as I have found out why it’s like that, I’ll explain it here.
I’ve figured out why the DKIM-Signature gets signed three times within the mail header after a while.
It seems the script that does the strange DKIM-Signature is signing my headers 3 times; once again, the script is found here http://www.pc-freak.net/files/qmail-remote.wrapper.old
I’ll fix that in the tutorial right away
Just one more handy test which might be helpful to somebody.
In order to make sure dkimsign.pl does issue correct DKIM-Signatures, create a new file with some content for instance:
host# touch aaa
host# echo 'aaaaaa' >> aaa
host# /usr/local/bin/dkimsign.pl < aaa
DKIM-Signature: v=1; a=rsa-sha1; c=simple; h=; s=selector1; bh=uoq1oCgLl
TqpdDX/iUbLy7J1Wic=; b=Di1wbTcT1ZFMdsrJM12z9TX23uiLNtvBTSrJZArED
GinESGM1ouZkkGduuj+wVKJq3xTdQ10eo68V8Af0P7UuzPLIncO9KUhagtrRqNSi
Eie15+eQXi7QGYo2eA4thvs
You see the DKIM-Signature appearing, this means dkimsign.pl works fine.
P.S.
line:
host# /usr/local/bin/dkimsign.pl
host# echo /usr/local/bin/dkimsign.pl < aa
Another thing I’ve noticed is you might get troubles, where mails are not signed with DKIM-Signature or Domainkey-Signature, in case your rsa private file (default) is missing (for example /etc/domainkeys/domainname.com/default), where domainname.com is the vpopmail domain that the mail is physically sent from.
Also on domains not managed by a custom BIND DNS server but by some external mail reseller companies DNS servers like Godaddy.
The TXT records which are necessary to set up are:
TXT name is: _domainkey.yourdomain.com
TXT value is: t=y; o=-
TXT name is: private._domainkey.yourdomain.com
TXT value is: k=rsa; p=XXXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx………
If you get a “DomainKey-Status: bad” in the headers in gmail.com. This means something is wrong with the configured domain key…
Most common reason for a “Domainkey-Status: bad” is improperly configured (pasted) TXT RSA key in the DNS server.
I’ve experienced this on a couple of domains I was configuring domainkeys.
Few very handy websites, to debug if finally the configured domainkeys are working properly are:
http://www.mailradar.com/domainkeys/ (Domainkey Checker)
http://domainkeys.sourceforge.net/policycheck.html (DomainKey Policy Record Tester)
First website (Domainkey Checker) checks the header and matches against the created DNS record. If both the header values for domainkeys match certain criteria the domain key is considered valid. Many times, enabling domain keys and having the headers could still be invalid. It happened to me many times. Thus this online resource check is an important indicator if DKIM is properly configured.
Second one (DomainKey Policy Record Tester), checks and assures that the domain DNS configured TXT records for domainkeys are correct.
Another good debugging tool helpful in checking domain record is correct:
http://domainkeys.sourceforge.net/selectorcheck.html
Another handy source of debug is sending mail to mail:
check-auth2 [at] verifier.port25.com
In less than minute an automated mail will be returned back giving hints on what might be causing the Domain key issues:
You will get something like:
hank you for using the verifier,
The Port25 Solutions, Inc. team
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: pass
DKIM check: permerror
Sender-ID check: pass
SpamAssassin check: ham
==========================================================
Details:
==========================================================
Hey! Great article. I’m looking to do the same with postfix (latest version) and exim (latest version too). Is there any possibility that you may do an article as fine and complete as this for those MTAs? That would be really awesome of you. Keep up the great work. Thanks.
Thx,
When I have time I’ll write an article on how DKIM can be enabled on postfix.
thx for suggestion
best
Georgi
Thanks Georgi for your reply. Do you know how to do it on exim? For people it is still needed to use both DomainKeys AND DKIM. Hope your expertise can be shared with all of us with that need. 🙂
Hi,
I’ve a problem trying to install libdomainkeys. I’ve resolved all other problems and I’ve googled searching for mine but I can’t find a solution for the following error. Can you help me?
# cd /usr/src/libdomainkeys-0.69
# echo '-lresolv' > dns.lib
# make clean & make
[2] 9655
rm -f *.o *.so libdomainkeys.a dns.lib dnstest socktest makeheader dktest testtrace domainkeys.h
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -o makeheader makeheader.c
./makeheader domainkeys.h
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c dktest.c -I.
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c domainkeys.c -I.
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c dns_txt.c
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -c -o dktrace.o dktrace.c
rm -f libdomainkeys.a
ar cr libdomainkeys.a domainkeys.o dns_txt.o dktrace.o
ranlib libdomainkeys.a
(if make dnstest >/dev/null 2>&1; then echo -lresolv; else echo ""; fi) >dns.lib
rm -f dnstest
gcc -DBIND_8_COMPAT -O2 -I /usr/local/ssl/include/openssl/ -o dktest dktest.o -L. -ldomainkeys -lcrypto -lresolv `cat dns.lib` `cat socket.lib`
./libdomainkeys.a(domainkeys.o): In function `dk_getsig':
domainkeys.c:(.text+0x621): undefined reference to `BIO_set_flags'
./libdomainkeys.a(domainkeys.o): In function `dk_end':
domainkeys.c:(.text+0x20fd): undefined reference to `BIO_set_flags'
domainkeys.c:(.text+0x25f5): undefined reference to `BIO_set_flags'
collect2: ld returned 1 exit status
make: *** [dktest] Error 1
[2]- Done make clean
Hi Barbara,
Probably you need to install older version of libdomainkeys (download from source) or try libdomainkeys-dev package (if it is available on your distro).
Hope this helps.
Regards,
Georgi
Hi Georgi,
thank you very much for your answer. I’ve tried to install both version 0.67 and 0.68 but the result unfortunately doesn’t change.
I’m on Debian 3.1 with kernel 2.6.18.18 and gcc version 4.1.2
I’ve also updated openssl to the last stable but nothing changes… Any other ideas?
Thanks again
Barbara
This is a rather old Debian, why don’t you try to update it and see whether compile will work?