mail server Archives - Page 4 of 5 - ☩ Walking in Light with Christ - Faith, Computing, Diary ☩ Walking in Light with Christ

Posts Tagged ‘mail server’

How to fix “imapd-ssl: Maximum connection limit reached for ::ffff:xxx.xxx.xxx.xxx” imapd-ssl error

Saturday, May 28th, 2011

One of the mail server clients is running into issues with secured SSL IMAP connections ( he has to use a multiple email accounts on the same computer).
I was informed that part of the email addresses are working correctly, however the newly created ones were failing to authenticate even though all the Outlook Express email configuration was correct as well as the username and password typed in were a real existing credentials on the vpopmail server.

Initially I thought, something is wrong with his newly configured emails but it seems all the settings were perfectly correct!

After a lot of wondering what might be wrong I was dumb enough not to check my imap log files.

After checking in my /var/log/mail.log which is the default log file I’ve configured for vpopmail and some of my qmail server services, I found the following error repeating again and again:

imapd-ssl: Maximum connection limit reached for ::ffff:xxx.xxx.xxx.xxx" imapd-ssl error

where xxx.xxx.xxx.xxx was the email user computer IP address.

This issues was caused by one of my configuration settings in the imapd-ssl and imap config file:

/usr/lib/courier-imap/etc/imapd

In /usr/lib/courier-imap/etc/imapd there is a config segment called
Maximum number of connections to accept from the same IP address

Right below this commented text is the variable:

MAXPERIP=4

As you can see it seems I used some very low value for the maximum number of connections from one and the same IP address.
I suppose my logic to set such a low value was my desire to protect the IMAP server from Denial of Service attacks, however 4 is really too low and causes problem, thus to solve the mail connection issues for the user I raised the MAXPERIP value to 50:

MAXPERIP=50

Now to force the new imapd and imapd-ssl services to reload it’s config I did a restart of the courier-imap, like so:

debian:~# /etc/init.d/courier-imap restart

That’s all now the error is gone and the client could easily configure up to 50 mailbox accounts on his PC 🙂

Tags: address right, client, config, configuration settings, configure, connection, courier imap, credentials, default log, Denial, denial of service, denial of service attacks, email accounts, email addresses, errorwhere, Express, ffff, file, imap connections, imap server, init, lib, limit, mail connection, mail log, mail server, Maximum, maximum connection, maximum number, outlook, outlook express, password, quot, segment, server clients, server services, Service, something, ssl services, text, username, value
Posted in Linux, Qmail, System Administration | 2 Comments »

How to change Return Path variable in Qmail

Friday, July 1st, 2011

The Return Path variable on one of the qmail mail servers I manage was improperly set.
New newsletter mails initiated by the php scripts on the mail server had the improper return path set in the mail headers, like so:

Return-Path: <anonymous@mail.mymailserver.com>

Therefore many mail servers dropped messages as the set Return Path variable in the headers was incorrectly set to the domain mail.mymailserver.com

Thus to change the Return Path to the correct one that should have been mymailserver.com I had to include mymailserver.com in qmail’s control file /var/qmail/control/bouncehost, e.g.

root@qmail:~# echo 'mymailserver.com' > /var/qmail/control/bouncehost root@qmail:~# echo 'mymailserver.com' > /var/qmail/control/doublebouncehost

By the way the return path in qmail is set by:

> qmail-inject and qmail-send

There seems to be also some way to ovewrite the default set return-path variable with some php variables but I have never tried this one.
Cheers 😉

Tags: anonymous mail, Auto, bouncehost, Cheers, com, control, default, domain, domain mail, doublebouncehost, Draft, file, lt, mail, mail headers, mail server, mail servers, mymailserver, newsletter, ovewrite, Path, php, php scripts, php variables, Qmail, Return, return path, root, server, var, way
Posted in Linux, Qmail, System Administration | 2 Comments »

How to compile latest qmailadmin (qmailadmin 1.2.15) on Debian Squeeze Linux

Thursday, August 11th, 2011

I’ve completed a qmail installation few days ago on a fresh installed Debian Squeeze 64 bit server. All is configured and works fine, except qmailadmin and vqadmin.
As the mail server was missing any kind of web mail administration panel, I needed to make at least one of the two above to make with qmail.

I decided to concentrate on qmailadmin and took the time to make it work. I used the following command lines and got the compile failure during make compilation:

debian:/usr/local/src/qmailadmin-1.2.15# ./configure --enable-cgibindir=/usr/lib/cgi-bin --enable-htmldir=/var/www/qmailadmin/ --enable-modify-quota ... debian:/usr/local/src/qmailadmin-1.2.15# make ...

The source make failed with the following error:

In file included from template.c:45: qmailadmin.h:37:1: warning: "MAX_FILE_NAME" redefined In file included from template.c:28: /home/vpopmail/include/vpopmail.h:146:1: warning: this is the location of the previous definition template.c: In function "send_template_now": template.c:505: error: "VERSION" undeclared (first use in this function) template.c:505: error: (Each undeclared identifier is reported only once template.c:505: error: for each function it appears in.) make[1]: *** [template.o] Error 1 make[1]: Leaving directory `/usr/local/src/qmailadmin-1.2.15' make: *** [all] Error 2

To workaround these compile issues, I’ve had to modify the C source file belonging to qmailadmin ( template.c ), e.g.:

debian:/usr/local/src/qmailadmin-1.2.15# vim template.c

In the file I had to add besides the line:

#include "util.h"

The code:

#define VERSION ""

Aterwards qmailadmin’s compile and install via make && make install-strip succeeded and now works perfectly fine 😉

Tags: Administration, administration panel, amp, bit, c source, code, compilation, configure, configured, failure, few days, file, function, identifier, installation, lib, Linux, location, mail administration, mail server, make, name, oncetemplate, panel, qmail installation, qmailadmin, quot, Quota, source file, squeeze, template, template c, time, undeclared identifier, util, version, vim, vqadmin
Posted in Linux, Qmail, System Administration, Web and CMS | 13 Comments »

Fix to mail forwarding error “Received-SPF: none (domain.com: domain at maildomain does not designate permitted sender hosts)

Tuesday, October 18th, 2011

I’m Configuring a new Exim server to relay / forward mail via a remote Qmail SMTP server
Even though I configured properly the exim to forward via my relaying mail server with host mail.domain.com, still the mail forwarding from the Exim -> Qmail failed to work out with an error:

Fix to mail forwarding error "Received-SPF: none (domain.com: domain at maildomain does not designate permitted sender hosts)

I pondered for a while on what might be causing this “mysterous” error just to realize I forgot to add the IP address of my Exim mail server in the Qmail relay server

To solve the error I had to add in /etc/tcp.smtp on my Qmail server a record for my Exim server IP address xx.xx.xx.xx, like so:

debian-server:~# echo 'xx.xx.xx.xx:allow,RELAYCLIENT="",QS_SPAMASSASSIN="0"' >> /etc/tcp.smtp

The QS_SPAMASSASSIN=”0″ as you might have guessed instructs Qmail not to check the received mails originating from IP xx.xx.xx.xx with spamassassin.

Finally on the Qmail server to load up the new tcp.smtp settings I had to rebuild /etc/tcp.smtp.cdb and restart qmail :

– reload qmail cdb

linux-server:/var/qmail# qmailctl cdb Reloaded /etc/tcp.smtp. - restart qmail
linux-server:/var/qmail# qmailctl restart Restarting qmail: * Stopping qmail-smtpdssl. * Stopping qmail-smtpd. * Sending qmail-send SIGTERM and restarting. * Restarting qmail-smtpd. * Restarting qmail-smtpdssl.

This solved the issue and now mails are forwarded without problems via the Qmail SMTPD.

Tags: cdb, com, Configuring, domain, exim, forward mail, Forwarding, hosts, issue, Linux, mail, mail domain, mail server, none, Qmail, qmailctl, qs, quot, quot quot, relay, relay server, RELAYCLIENT, relaying mail, sender, Sending, server ip address, serverTo, SMTPD, smtpThe, spamassassin, SPF, var, while
Posted in Everyday Life, Linux, Qmail, System Administration, Various | No Comments »

How to exclude sorbs.net for a particular IP address in Qmail Mail server install / Fix to Thunderbird mail sent error (Exploitable Server See: http://www.sorbs.net/lookup.shtml?xx.xx.xx.xx) error

Tuesday, November 1st, 2011

In the office, some of my colleagues has started receiving error messages, while trying to send mail with Thunderbird and Outlook Express
The exact error they handed to me reads like this:

An error occured while sending mail. The mail server responded: Exploitable Server See: http://www.sorbs.net/lookup?xx.xx.xx.xx. Please check the message recipient

Here is also a screenshot, I’ve been sent via Skype with the error poping up on a Thunderbird installed on Windows host.

Typing the url http://www.sorbs.net/lookup?xx.xx.xx.xx lead me to sorbs.net to a page saying that the IP address of the mail client which is trying to send mail is blacklisted . This is not strange at all condireng that many of the office computers are running Windows and periodically get infected with Viruses and Spyware which does sent a number of Unsolicated Mail (SPAM).

The sorbs.net record for the IP seems to be an old one, since at the present time the office network was reported to be clear from malicious SMTP traffic.

The error sorbs.net disallowing the mail clients to send from the office continued for already 3 days, so something had to be done.

We asked the ISP to change the blacklisted IP address of xx.xx.xx.xx , to another one but they said it will take some time and they can’t do it in a good timely matter, hence to make mail sending work again with POP3 and IMAP protocols from the blacklisted IPs I had to set in the Qmail install to not check the xx.xx.xx.xx IP against mail blacklisting databases.

On qmail install disabling an IP check in RBLSMTPD is done through editting /etc/tcp.smtp and following recreate of /etc/tcp.smtp.cdb – red by qmailctl script start.
The exact line I put in the end of /etc/tcp.smtp to disable the RBLSMTPD check is:

xx.xx.xx.xx:allow,RBLSMTPD="",RELAYCLIENT="",QS_SPAMASSASSIN="0"

Further on to recreate /etc/tcp.smtp.cdb and reload the new cdb db records:

qmail:~# qmailctl cdb qmail:~# qmailctl restart ...

Onwards, the sorbs.net IP blacklist issue was solved and all office computers from xx.xx.xx.xx succeeded in sending mails via SMTP.

Tags: blacklisted ip address, blacklisting, client, exact error, exact line, Express, furt, host, imap protocols, ip check, ISP, lead, mail client, mail clients, mail server, mail spam, number, occured, office computers, Onwards, outlook, page, pop, present time, qmailctl, quot, rblsmtpd, RELAYCLIENT, screenshot, sending mail, Skype, smtp traffic, something, spamassassin, thunderbird mail, time, timely matter, Viruses, will take some time, work
Posted in Linux, Qmail, System Administration, Various | No Comments »

How to Prevent Server inaccessibility by using a secondary SSH Server access port

Monday, December 12th, 2011

One of the Debian servers’s SSH daemon suddenly become inaccessible today. While trying to ssh I experienced the following error:

$ ssh root@my-server.net -v OpenSSH_5.8p1 Debian-2, OpenSSL 0.9.8o 01 Jun 2010 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Connecting to mx.soccerfame.com [83.170.104.169] port 22. debug1: Connection established. debug1: identity file /home/hipo/.ssh/id_rsa type -1 debug1: identity file /home/hipo/.ssh/id_rsa-cert type -1 debug1: identity file /home/hipo/.ssh/id_dsa type -1 debug1: identity file /home/hipo/.ssh/id_dsa-cert type -1 ... Connection closed by remote host

Interestingly only the SSH server and sometimes the mail server was failing to respond and therefore any mean to access the server was lost. Anyways some of the services on the server for example Nginx continued working just fine.
Some time ago while still working for design.bg – web development company, I’ve experienced some similar errors with SSH servers, so I already had a clue, on a way to work around the issue and to secure myself against the situation to loose access to remote server because the secure shell daemon has broken up.

My work around is actually very simple, I run a secondary sshd (different sshd instance) listening on a different port number.

To do so I invoke the sshd daemon on port 2207 like so:

debian:~# /usr/sbin/sshd -p 2207 debian:~#

Besides that to ensure my sshd -p 2207 will be running on next boot I add:

/usr/sbin/sshd -p 2207

to /etc/rc.local (before the script end line exit 0 ). I do set the sshd -p 2207 to run via /etc/rc.local on purpose instead of directly adding a Port 2207 line in /etc/ssh/sshd_config. The reason, why I’m not using /etc/ssh/sshd_config is that I’m not sure if using the sshd config to set a secondary port does run the port under a different sshd parent. If using the config doesn’t run the separate ssh port under a different server parent this will mean that once the main parent hangs, the secondary port will become inaccessible as well.

Tags: bg, clue, com, company, config, configuration data, doesn, exit, file, hipo, host, instance, mail server, mx, nginx, number, openssl, parent, port 22, reason, remote server, root, RSA, script, secure shell, server, Shell, shell daemon, soccerfame, ssh port, ssh server, ssh servers, sshd daemon, time, type, usr, web development company, work
Posted in FreeBSD, Linux, System Administration | No Comments »

How to check if newly installed SSL certificate for IMAP and IMAPS is properly installed

Tuesday, June 28th, 2011

Did you have to regenerate your SSL certificate for your mail server’s IMAP and IMAP SSL service?
Did you have to find out if the newly installed certificates are fine after install?

Here is how:

root@server-hosting [/usr/local ]# openssl s_client -connect imap.example.com:993 root@server-hosting [/usr/local ]# openssl s_client -connect imap.example.com:143 -starttls imap

The output returned by this two commands will be the imap and imaps configured certificates as well as extensive info concerning the installed SSL, the last chunk of info to be spit is most crucial to know if certificate is fine.
It should be something like:

... New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 0B69E91022CB56D64F56CFA08405944D9C4C0069EE4097890B98F1406CF084D5 Session-ID-ctx: Master-Key: 13745B94E0C5A0604EB7529E7409251961DFD5F4134F3A8F Key-Arg : None Start Time: 1309265383 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- . OK CAPABILITY completed closed

Tags: AES, aes256, Arg, bitSecure, capability, certificate, Certificates, chunk, Cipher, client, com, DFD, ID-ctx, imap, imaps, info, key, mail server, Master, master key, nbsp nbsp nbsp nbsp nbsp, NONESSL-Session, openssl, Protocol, public key, renegotiation, root, root server, session, session id, SHA, something, ssl certificate, ssl service, sslv3, Timeout
Posted in Linux, System Administration | 1 Comment »

How to check full mail headers in Google’s Gmail, Yahoo Mail and Hotmail

Friday, May 27th, 2011

As an administrator of few company email delivery servers, I always had to debug problems related to emails unable to drop in Yahoo’s Mail and Gmail default mail Inbox

In that reason I always need to take a close look on Email headers to try to isolate email issues.
Most often the problems with messages unable to deliver in default in Inbox are with the 3 most popular mail services:

Gmail
Live Hotmail
Yahoo

Thus I decided to explain shortly here how one can check full email headers in Gmail and Yahoo public mail services in order to be able to later derive conclusions on what is wrong with his mail server outgoing messages.

1. How to view full email headers in Gmail

It’s pretty easy, though for some reason Google decided to place the button which shows the complete email message headers in a I would say not too user friendly location.

To view email headers, login to Gmail, click over some random email in Inbox or some of the other mail folders.
Once you can read the email and you see the Reply button located on the right,next to the Reply button there is the down triangle which while pressed will display a menu.

To view the full email headers one has to press over the Show original button presented in the menu. Below you see a sample screenshot on the menu with the Show Original button.

Show complete e-mail message headers and content in Gmail

2. How to view full email headers in Yahoo Mail Classic

I use Yahoo Mail Classic, as I like old stuff, Checking the full email headers there is a bit more intuitive than with Gmail.

To check email headers, just login to Yahoo mail, click over inbox, select an email message you would like to review as text.
Further on after the end of the email, you will see the Delete, Reply, Forward, Spam and Move buttons, right below this field of buttons there is the Full Headers blue text link with very small letters.

Here is a screenshot I’ve made of a sample opened mail. On the screenshot in right bottom you see the blue Full Headers button.

Yahoo Mail Cassic View Email Full Header

3. How to view full mail headers in Hotmail

In Hotmail checking the email, headers’s button position is very similar to Gmail’s, the only difference is the exact button which shows the Full Email header is named View Message source

In order to check Email headers in Hotmail, one has to click over a desired message, click once again on the down triangle near the Reply button and press over View Message source

Here is a screenshot showing the View Message source menu

Hotmail View Full email Headers

One small note to make here is that the View source headers buttons is currently not working on Epiphany browser running on Linux.
As always Microsoft are making stuff incompatible, if it’s not used with a Microsoft product ..

Tags: bit, Button, Cassic, content, default, default mail, Delete, delivery servers, difference, e mail, email, Forward, forward spam, Gmail, google, hotmail, location, login, mail folders, mail headers, mail inbox, mail message, mail server, mail services, menu, message headers, Microsoft, move buttons, old stuff, outgoing messages, public mail, reason, reply button, right, screenshot, show, stuff, text, yahoo mail
Posted in System Administration, Various | 3 Comments »

How to enable Domain Keys (DKIM) in Qmail toaster based mail server install on Debian Linux

Wednesday, May 25th, 2011

Qmail dkim domain keys logo

Recently the Emails sent by one of the Qmail mail servers running on a Debian host started suddenly delivering in Spam folder in both Gmail.com and yahoo.com public mail services.

This is pretty nasty as many of the websites which used the local qmail server to deliver emails concerning subscriptions and other kind of services provided by the websites started ending in Span and thus many of the users who used their Yahoo Mail account and Google Mail – gmail accounts was unable to read emails mailed by the various websites forms and scripts which were sending emails.
You can imagine the negative effect all this “minor” mail issues had on website visitors count and the overall websites functionality.
To come up with some kind of solution to this mail issues, I did quite a lot of research to understand if Yahoo and Google Mail services has some kind of mail server delist form or some reporting service where one can delist a specific mail server as a spammer one or get some kind of help, but unfortunately it seems neither google nor yahoo has any kind of web based way to remove hosts or ip addresses of legit mail servers who has mistakenly been recognized as spam servers.

During my efforts to find a solution to the situation I red a lot of posts and forums online as well as Google’s Bulk Sender Guidelines, none if it was too helpful though.

The QMAIL server had a proper:
1. MX Record 2. TXT SPF records 3. PTR Record 4. There are proper correct mail message headers 5. Proper mails charset and encoding 6. The mail server IP is not listed anywhere in any mail blacklists (e.g. www.mxtoolbox.com/blacklists.aspx / spamhaus.org) 7. A correct SMTP greeting which matched the mail server domain name

The only thing which was missing on the mail server (checked against Google’s Bulk Sender Guidelines) was a properly configured DKIM and Domainkeys.

Thus in order to get around the situation I went the way and configured the qmail server to include and send in the mail header also Domain Keys

In this article I will briefly explain step by step how I configured Domain keys (DKIM) signing of my mails:

There are few ways domain keys signing can be implemented with Qmail.

1. By patching qmail binaries to support domain keys signing

I wanted to omit any interventions concerning the well running qmail install so I decided not to go this way.
Plus there are plenty of add-ons for qmail and as I have no time to test them the idea not to temper the existing qmail installation looked wise to me.
2. Use a wrapprer script around qmail-remote that invokes externally domainkeys binaries

This kind of solution was fitting me better and therefore I took this route to enable my qmail DKIM signing.

There are few approaches one can take described online:

Use a perl script wrapper which does does the DKIM signing (http://manuel.mausz.at/coding/qmail-dkim/)

I tried using the qmail-dkim-0.2.pl wrapper script following the exact steps described to be fulfilled to enable my outgoing mails dkim signature, however for some reason after substituting the qmail-remote with qmail-dkim.pl and setting the proper permissions, my outgoing mails failed completely and each mail I sent was returned back by the qmail MAILER-DAEMON

Use a bash shell script wrapper in combination with libdomainkeys‘s with a Mail-DKIM-0.39 .

I gave a try to this approach and thanksfully it worked after a bit of struggle to tune it up.

Here is what exactly I had to do to in order to have the domain keys signing to work using the above described qmail-remote.sh shell script wrapper

1. Install openssl related required debian packages

debian:~# apt-get install openssl libcrypt-openssl-rsa-perl libcrypt-openssl-bignum-perl libmail-dkim-perl ...

2. Create necessery directories and RSA key pairs for DomainKeys

debian:~# mkdir -p /etc/domainkeys/mydomain.com debian:~# cd /etc/domainkeys/mydomain.com debian:/etc/domainkeys/mydomain.com# openssl genrsa -out rsa.private_default 768 debian:/etc/domainkeys/mydomain.com# openssl rsa -in rsa.private_default -out rsa.public_default -pubout -outform PEM debian:/etc/domainkeys/mydomain.com# ln -sf rsa.private_default default debian:/etc/domainkeys/mydomain.com# touch selector debian:/etc/domainkeys/mydomain.com# echo 'default' >> selector

Where mydomain.com is the mail domain I need the DKIM signatures for.

I have written a small shell script which automates the task of adding new domainkeys directories and generating the RSA keys with openssl, you can download my generate_qmail_domainkey_rsa automator script here

3. Set proper permissions and owner to /etc/domainkeys directory

debian:~# chmod -R 0600 /etc/domainkeys debian:~# chown -R qmailr:qmail /etc/domainkeys

4. Generate public domain key for DNS TXT records

debian:/etc/domainkeys/mydomain.com# grep -v ^- rsa.public_default | perl -e 'while(<>){chop;$l.=$_;}print "k=rsa; t=y; p=$l;n";'

“k=rsa; t=y; p=MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAMlDcYMrpWP9ouQOlFVtCHcFY
+gxrSQ6SegYeP4eeG7NECT/3jBqDtxANIVhaS9ASkEO4yNisGu4yX/DRclTm
nPWknoDtCDiD7IFEzT37qn1JLzcuknTncmFBFMDRUJq6wIDAQAB;”

The above key is used in next step 5 to set it as a TXT DNS record.

5. Create the DNS records in Name server

With BIND DNS server you need to place a records like:

_domainkey.example.com. IN TXT "k=rsa; t=y; o=-;" default._domainkey.example.com. IN TXT " p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2RkvFHbhqM/bVbb kBtZ1cZUSYcjC4q+PWjd1tFopT+HXXR9Ctx7FZ1guX5fGboiwYmhCYdVroI KRM3I48/YyQoXxtn3iYZ086v8BHaNtkcBMY+68JeEQ3K0WQkbqQXp/tsnLY SQW1yXiEo9CywxVdpwH+OY94HxK4fAbw6V11cwIDAQAB"

! The above p= key specified is the one generated in step 5.

6. Download and compile & install Mail-DKIM-0.39 ‘s perl extension

As of time of writting latest Mail-DKIM is ver. 0.39, however it’s a good idea to check and install the latest available version available on http://www.cpan.org

a) Download Mail-DKIM

debian:~# cd /usr/local/src debian:/usr/local/src# wget https://www.pc-freak.net/files/Mail-DKIM-0.39.tar.gz ... 2011-05-25 15:09:37 (264 KB/s) - `Mail-DKIM-0.39.tar.gz' saved [87375/87375] ... b) Compile & Install Mail-DKIM

debian:/usr/local/src# chown -R hipo:hipo Mail-DKIM-0.39 debian:/usr/local/src# cd Mail-DKIM-0.39

debian:/usr/local/src/Mail-DKIM-0.39# su hipo
debian:/usr/local/src/Mail-DKIM-0.39$ perl Makefile.PL
debian:/usr/local/src/Mail-DKIM-0.39$ make
…
debian:/usr/local/src/Mail-DKIM-0.39$ exit
debian:/usr/local/src/Mail-DKIM-0.39# make install
debian:/usr/local/src/Mail-DKIM-0.39# cd script
debian:/usr/local/src/Mail-DKIM-0.39/script# cp -rpf * /usr/local/bin; cd /usr/local/src

Note that the dkimsign.pl which is in the Mail-DKIM-0.39 is a very important tool used later by the qmail-remote wrapper script. This perl script is copied in the last command issued in above chunk of code.
In the up-command lines I use my unprivileged username hipo to compile, here use any non-root user is appropriate.
For instance it’s possible that the cpan user is used as a compile time user, I was lazy to configure CPAN thus I choose to use my normal unprivileged user.

c) configure rsa domain key paths in dkimsing.pl

Another thing to do here is to make sure the /usr/local/bin/dkimsign.pl which was just recently installed has a correct set location for it’s KeyFile variable.
This vailable is in the script is located online 64, I changed it to include my rsa domain key file, after I changed it, now it looks like so:

KeyFile => "/etc/domainkeys/mydomain.com/default"

7. Download and install libdomainkeys

a) Download libdomainkeys
For latest version of libdomainkeys make sure you check on http://domainkeys.sourceforge.net/

debian:/usr/local/src# wget https://www.pc-freak.net/files/libdomainkeys-0.69.tar.gz debian:/usr/local/src# tar -zxvvf libdomainkeys-0.69.tar.gz ... debian:/usr/local/src# chown -R hipo:hipo libdomainkeys-0.69 debian:/usr/local/src# cd libdomainkeys-0.69; su hipo

b) Compile and install libdomainkeys binaries

debian:/usr/local/src/libdomainkeys-0.69$ echo '-lresolv' > dns.lib debian:/usr/local/src/libdomainkeys-0.69$ make clean & & make debian:/usr/local/src/libdomainkeys-0.69$ exit debian:/usr/local/src/libdomainkeys-0.69# cp -rpf dktest dknewkey expected makeheader /usr/local/bin/

There is a note to make here, one of the programs part of libdomainkeys called dnstest is not compiled while doing make for unknown reasons?!
I was not able to compile manually dnstest either using gcc like so:

debian:/usr/local/src/libdomainkeys-0.69$ gcc -o dnstest dnstest.c dnstest.c: In function 'main': dnstest.c:11: warning: incompatible implicit declaration of built-in function 'strle' /tmp/ccH78KZ1.o: In function 'main': dnstest.c:(.text+0x2b): undefined reference to 'dns_text' collect2: ld returned 1 exit status

I have absolutely no clue why it fails o_O, but it doesn’t matter since I figured out that domainkeys header signature is properly set even without dnstest.

Let me mark here that echo ‘-lresolv’ > dns.lib you see in above code chunk is absolutely necessery in order to be able to compile libdomainkeys on Debian based distributions. If the ‘-lresolv > dns.lib’ is omitted the libdomainkeys build fails with error:

gcc -DBIND_8_COMPAT -O2 -o dktest dktest.o -L. -ldomainkeys -lcrypto `cat dns.lib` `cat socket.lib` ./libdomainkeys.a(dns_txt.o): In function `dns_text': dns_txt.c:(.text+0x2d): undefined reference to `__res_query' dns_txt.c:(.text+0xc4): undefined reference to `__dn_expand' dns_txt.c:(.text+0x184): undefined reference to `__dn_expand' collect2: ld returned 1 exit status make: *** [dktest] Error 1

8. Install libdkim (source of the libdkimtest binary later used by qmail-remote wrapper script)

debian:/usr/local/src# su hipo debian:/usr/local/src$ wget https://www.pc-freak.net/files/qmail/libdkim-1.0.19.zip debian:/usr/local/src$ wget https://www.pc-freak.net/files/qmail/libdkim-1.0.19-linux.patch debian:/usr/local/src$ wget https://www.pc-freak.net/files/qmail/libdkim-1.0.19-extra-options.patch debian:/usr/local/src$ unzip libdkim-1.0.19.zip debian:/usr/local/src$ cd libdkim/src debian:/usr/local/src/libdkim/src$ patch -p2 < ../../libdkim-1.0.19-linux.patch debian:/usr/local/src/libdkim/src$ patch -p2 < ../../libdkim-1.0.19-extra-options.patch debian:/usr/local/src/libdkim/src$ make && exit debian:/usr/local/src/libdkim/src# make install

The above install will install libdkimtest binary, used by the wrapper script to do the actual DKIM-Signature, the binary gets installed in /usr/local/bin/libdkimtest.
Here is a link to patched version of libdkim 1.0.19 , to use it instead of patching as described above download the archive untar and do a make clean && make && install

9. Download qmail-remote.wrapper (qmail-remote wrapper shell script) and set it to wrap qmail-remote

a) Copy original qmail-remote to qmail-remote.orig

debian:~# cd /var/qmail/bin debian:/var/qmail/bin# cp -rpf qmail-remote qmail-remote.orig

b) Download qmail-remote.wrapper script

Here is the qmail-remote.sh wrapper script that worked for me
Originally the wrapper script is taken from http://www.memoryhole.net/qmail/, big thanks to Russ Nelson for writting the awesome wrapper script.

debian:~# cd /var/qmail/bin/ debian:/var/qmail/bin# wget https://www.pc-freak.net/files/qmail-remote.wrapper Saving to: `qmail-remote.wrapper'

100%[============================>] 1,164 –.-K/s in 0s

2011-05-25 15:46:54 (142 MB/s) – `qmail-remote.wrapper’ saved [1164/1164]

c) Set proper permissions to the qmail-remote.wrapper script

The permissions of qmail-remote should look like so:

-rwxr-xr-x 1 root qmail 1164 2011-05-25 11:05 /var/qmail/bin/qmail-remote*

To set this permissions I used:

debian:/var/qmail/bin# chmod 755 qmail-remote.wrapper debian:/var/qmail/bin# chown qmailq:qmail qmail-remote.wrapper

d) Create /var/domainkeys directory (necessery for proper qmail remote wrapper script operations)

debian:~# mkdir /var/domainkeys debian:~# chown -R qmailr:qmail /var/domainkeys debian:~# chmod 700 -R /var/domainkeys

e) Substitute original qmail-remote binary with the wrapper script:

debian:~# qmailctl stop Stopping qmail... qmail-send qmail-smtpd debian:/var/qmail/bin# cp -rpf qmail-remote.wrapper qmail-remote debian:/var/qmail/bin# qmailctl start Starting qmail

10. Send test email to @gmail.com or @yahoo.com to test if DKIM-Signature is included in the mail header

I used my installed webmail interface squirrelmail and send a test email to my home mail server and as well as to yahoo.com

The headers of the email looked fine, here is how my DKIM signed mail headers looked like:

From - Thu May 26 15:31:37 2011 X-Account-Key: account11 X-UIDL: 1306413169.97071.pcfreak,S=1244 X-Mozilla-Status: 0001 X-Mozilla-Status2: 00000000 X-Mozilla-Keys:

Return-Path: <root@mail.mydomain.com> Delivered-To: hipo@www.pc-freak.net Received: (qmail 97068 invoked by uid 1048); 26 May 2011 12:32:49 -0000 Received: from mail.mydomain.com (83.170.100.100) by mail.www.pc-freak.net with SMTP; 26 May 2011 12:32:49 -0000 Comment: DomainKeys? See http://domainkeys.sourceforge.net/ DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=mydomain.com;

b=ZnTDdUexnt8fmuHbVNXIC+JDvNLYO1zjzlI3PODe3e1oMS5dRHzVGujrS1
Yk0qqs2oW7DseZg/iHE9KOLZBeInksOnsmLsDBq1Lvzfv2xejikR52LBg6a/uK
ewECJy4jQA4cwMJ/qUxmK8EDwbgj7jqCVB95FK3Z5EdR4HoaqGQ=;

h=Received:Date:Message-ID:From:To:Subject;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; h=date
:message-id:from:to:subject; s=default; q=
/etc/domainkeys/mydomain.com/default;
bh=G32d6y8oiLehRzcuIWr9s
S+Jy+g=;
b=TPW5VXq3vlOUf1T7lfxQC00MN0kPJxaASE/gq7LbHyV1Gj/Xj+GLF
UN6hYVeKnsoKKeV108JVGcfvfTaLogsxGyS9XzUXKlLtESBj4wr/DAOQy
OcHCj75
bEOOd9nv+RehOYinXGmx0JUZpCNHGndNZ1AEabbVEiX/NQAL7iKDnE
=
Received: (qmail 28771 invoked by uid 0); 26 May 2011 12:31:30 -0000
Date: 26 May 2011 12:31:30 -0000
Message-ID: <20110526123130.28770.qmail@mail.mydomain.com>
From: root@mail.mydomain.com
To: hipo@www.pc-freak.net
Subject: testing 123

baklavavav
tatta

Notice the two lines in the above pasted header:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mydomain.com; h=date

This clearly shows that now both Domainkeys and DKIM are being applied to outgoing mail messages 🙂

However to be completely 100% sure the domainkeys and DKIM signing is correct, you should check the online websites which offer a mail domainkey check and DKIM signature check, an example for such a website that I used in order to test that my SSL RSA Domainkeys and DKIM correspond correctly to the ones specified in the DNS server is:
here

The idea for writting this small guide on configuring Domainkeys with Qmail and Linux is seriously inspired by Mariuz’s Blog post dkim wrapper that works using dk Hope this is helpful to somebody, it took me quite a while until I come up with the exact steps of a workable install of Domain Keys, there are so many tutorials and ways to implement this that at a certain point it’s a hell.
Like always with Qmail, even simple things are so complex, the only good thing about qmail is once you make it work well, it works forever … until the next time you will have to spend few days trying to figure it out 😉

I’m very much looking to hear if people followed the tutorial succesfully.

Any feedback concerning the article is mostly welcome!
Cheers!

Tags: briefly, Bulk, charset, com, correct mail, Date, DKIM-Signature, dnstest, domain, Domainkeys, Emails, exit, exitdebian, form, function, Gmail, google, header, help, host, ip addresses, libdkimtest, Linux, lot, mail issues, mail message, mail server, mail servers, mail services, message headers, mx record, mxtoolbox, nameThe, none, ptr, public mail, qmailctl, reporting service, root, script, server domain, server ip, signing, soccerfame, spamhaus, spammer, SPF, test, text, toaster, TXT, website visitors, wget, wrapper, yahoo mail account
Posted in Linux, System Administration | 21 Comments »

How to fix “delivery 1: deferral: Sorry,_message_has_wrong_owner._(#4.3.5)/” qmail mail delivery failure message

Friday, May 20th, 2011

After a failed attempt to enable some wrapper scripts to enable domain keys support in a qmail powered mail server my qmail server suddenly stopped being able to normally send mail.

The exact error message which was logged in /var/log/qmail/current was:

@400000004dd66fcc16a088ac delivery 1: deferral: Sorry,_message_has_wrong_owner._(#4.3.5)/

This qmail messed happened after I substituted /var/qmail/bin/qmail-queue and /var/qmail/bin/qmail-remote with two respective wrapper shell scripts which were calling for the original qmail-queue and qmail-remote binaries under the names qmail-queue.orig and qmail-queue.orig

Restoring back qmail-queue.orig to /var/qmail/bin/qmail-queue and qmail-remote.orig to /var/qmain/bin/qmail-remote and restarting the mail server broke my qmail install.

After a bunch of nerves trying to isolate what is causing the error I found out that by mistake I forgot to copy the qmail-queue and qmail-remote permissions and ownership.

Thus I had to check another qmail working installation’s permissions for both binaries and fix the permissions to be equivalent to the permissions:

debian:~# ls -al /var/qmail/bin/qmail-remote
-rwx–x–x 1 root qmail 50464 2011-05-20 12:56 /var/qmail/bin/qmail-remote*
debian:~# ls -al /var/qmail/bin/qmail-queue
-rws–x–x 1 qmailq qmail 20392 2011-05-20 12:56 /var/qmail/bin/qmail-queue*

The exact chmod and chmod commands I issued to solve the shitty issues were as follows:

First I fixed the qmail-queue and qmail-remote ownership:

debian:~# chown qmailq:qmail /var/qmail/bin/qmail-queue debian:~# chown root:qmail /var/qmail/bin/qmail-remote

Second I set the proper file permissions:

# make the qmail-queue binary suid debian:~# chmod u+s /var/qmail/bin/qmail-queue debian:~# chmod 611 /var/qmail/bin/qmail-queue debian:~# chmod 611 /var/qmail/bin/qmail-remote

Third and last I did a restart of the qmail server and tested it sends properly

debian:~# /usr/bin/qmailctl stop Stopping qmail... qmail-send qmail-smtpd debian:~# /usr/bin/qmailctl start Starting qmail

Finally to test that the qmail server qmail-queue was queing and sending with qmail-remote I used the system mail command like so:

debian:~# mail -s "test email" testuser@www.pc-freak.net asdfafdsdf . Cc:

Afterwards the mail was properly received on my mail account testuser@www.pc-freak.net immediately.

In my /var/log/qmail/current log file all seemed fine:

@400000004dd6702a2eb2b064 starting delivery 1: msg 85281596 to remote testuser@www.pc-freak.net @400000004dd6702a2eb2b834 status: local 0/20 remote 1/20 @400000004dd6702b34cc809c delivery 1: success: 83.228.93.76_accepted_message./Remote_host_said:_250_ok_ 1305899099_qp_65293/ @400000004dd6702b34cc886c status: local 0/20 remote 0/20 @400000004dd6702b34cc8c54 end msg 85281596

The test mail was properly received on my mail account testuser@www.pc-freak.net immediately.

It took me like half an hour to figure out what exactly is wrong with the permissions in situations like this I really wanted to change all my qmail installs with postfix and forget forever I ever used qmail …

Tags: binaries, chmod commands, chown root, email, exact error message, failure, failure message, file, host, installation, log, mail delivery failure, mail server, mistake, msg, nerves, orig, ownership, properlydebian, qmailctl, queue, Remote, root, rws, rwx, Shell, shell scripts, sorry message, status, system, test, testuser, Third, wrapper, wrapper scripts
Posted in Linux, System Administration | No Comments »

☩ Walking in Light with Christ – Faith, Computing, Diary

Posts Tagged ‘mail server’

Daily Bible quote

GET ARTICLE UPDATES

Useful blog? Help it:

Links to Other Places

Recent Posts

Ads

Categories

About Myself

Recent Comments

Top Post Views

blogtopsites