DomainKeys Identified Mail (DKIM) is a method for validating the identity associated with a message using public-key cryptography and key server technology. DKIM is an enhanced version of Yahoo's DomainKeys and Cisco's Identified Internet Mail methods. As of February 2007 an IETF draft was accepted as "Proposed standard"; it may take some more time until it becomes a full standard, but the current version is stable (according to dkim.org).
DKIM implementations for mail servers are not as widely available as DomainKeys implementations.
For qmail there is a patch that uses libdomainkeys to implement a replacement for qmail-queue that verifies and signs messages, but this only works for DomainKeys, not DKIM. I have developed a solution that lets qmail verify and sign messages with DKIM.
My solution was inspired by a post on the qmail list, http://article.gmane.org/gmane.mail.qmail.general/52049, that used two shell scripts: one as a qmail-queue wrapper for verifying messages and one as a qmail-remote wrapper for signing them. Both scripts call dktest, a test program that comes with libdomainkeys, to do the signing and verification.
libdkim is a portable implementation of the DKIM drafts, and it comes with a test program, libdkimtest, somewhat similar to dktest, so I use it to do the signing and verification.
Although the libdkim developers claim it is portable, it needed some patching to compile on Linux, mainly some macro definitions that are only available in Windows header files. I found those definitions in a file macros.h from Mono, added it to libdkim's source and included it in dkim.h.
I also added some small features and enhancements: a help/usage message for libdkimtest and the ability to specify the domain and selector on the command line. I removed some hard-coded defaults that overrode options given on the command line, and I made it able to process messages that use bare LF as line terminator instead of CR/LF.
The shell scripts that used dktest also needed some small modifications, because libdkimtest does not read the message from its standard input and does not write the message to its standard output.
Here is the shell script that does the verification:
[ "$DKIMQUEUE" ] || DKIMQUEUE="/var/qmail/bin/qmail-dk"
'^DKIMVERIFY='
"$tmp"
"$tmp" > "$tmp2"
"$(cat "$tmp2"|grep "")" != ""
"DKIM-Status: good"
"$(cat "$tmp2"|grep "Fail")" != ""
"DKIM-Status: failed"
"$tmp"
"$tmp" "$tmp2"
This script replaces qmail-queue; to make it verify messages you have to set the DKIMVERIFY environment variable. The script calls qmail-dk because I also want to verify the DomainKeys signature.
And here is the script that should replace qmail-remote:
[ "$DKSIGN" ] || DKSIGN="/etc/domainkeys/%/default"
[ "$DKREMOTE" ] || DKREMOTE="/var/qmail/bin/qmail-remote.orig"
"${DKSIGN%%%*}${DOMAIN}${DKSIGN#*%}"
"$DKSIGN"
"$tmp"
"$tmp" "$DKSIGN" "$tmp2"
"$tmp2"
"\\015") | "$DKREMOTE" "$@"
"$tmp" "$tmp2"
"$DKREMOTE" "$@"
Copy qmail-remote to qmail-remote.orig and then name this script qmail-remote.
Get libdkim, unzip it, and get these patches: the libdkim Linux compile patch and the libdkim extra options patch,
and apply them like this:
If you had qmail-dk working before, the scripts will just use the private keys in /etc/domainkeys/{domain_name}/default, just like qmail-dk.
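A cleaned-up version of the two wrappers described above, added here as an example (it is not the post's own scripts). It assumes the libdkimtest binary is taken from $DKIMTEST, that it prints a line containing "Fail" when verification fails and exits non-zero when signing fails, and that the signing domain is the domain part of the envelope sender that qmail-remote receives as its second argument.

```shell
#!/bin/sh
# Added example, not the post's own scripts: a cleaned-up pair of wrappers in
# the same style.  Assumptions (not from the post): the verifier/signer binary
# comes from $DKIMTEST, it prints a line containing "Fail" when verification
# fails (the post greps for that) and exits non-zero when signing fails; the
# signing domain is taken from the envelope sender, qmail-remote's 2nd argument.

# --- verification side (replacement for qmail-queue) -----------------------

# Map the verifier's report file to the header the post prepends to the message.
dkim_status_for() {                     # $1 = file holding the verifier output
    if grep -q "Fail" "$1"; then
        echo "DKIM-Status: failed"
    else
        echo "DKIM-Status: good"
    fi
}

# Read the message from fd 0 as qmail-queue does, verify it when $DKIMVERIFY is
# set, and hand it to the real queue with the status line prepended.  fd 1
# (the envelope) is inherited unchanged by $DKIMQUEUE.
verify_and_queue() {
    DKIMQUEUE="${DKIMQUEUE:-/var/qmail/bin/qmail-dk}"
    DKIMTEST="${DKIMTEST:-/usr/local/bin/libdkimtest}"
    tmp=$(mktemp "${TMPDIR:-/tmp}/dkim.verify.XXXXXXXX") || return 1
    tmp2=$(mktemp "${TMPDIR:-/tmp}/dkim.verify.XXXXXXXX") || { rm -f "$tmp"; return 1; }
    cat - > "$tmp"
    if [ -n "$DKIMVERIFY" ]; then
        "$DKIMTEST" -v "$tmp" > "$tmp2" 2>/dev/null
        { dkim_status_for "$tmp2"; cat "$tmp"; } | "$DKIMQUEUE"
    else
        "$DKIMQUEUE" < "$tmp"
    fi
    rc=$?
    rm -f "$tmp" "$tmp2"
    return $rc
}

# --- signing side (replacement for qmail-remote) ----------------------------

# Expand the post's key template, e.g. /etc/domainkeys/%/default, for a domain.
dkim_key_path() {                       # $1 = template with one '%', $2 = domain
    echo "${1%%%*}$2${1#*%}"
}

sender_domain() {                       # $1 = envelope sender address
    echo "${1#*@}"
}

# Called with qmail-remote's arguments (host sender recip...); message on fd 0.
sign_and_send() {
    DKSIGN="${DKSIGN:-/etc/domainkeys/%/default}"
    DKREMOTE="${DKREMOTE:-/var/qmail/bin/qmail-remote.orig}"
    DKIMTEST="${DKIMTEST:-/usr/local/bin/libdkimtest}"
    domain=$(sender_domain "$2")
    key=$(dkim_key_path "$DKSIGN" "$domain")
    tmp=$(mktemp "${TMPDIR:-/tmp}/dkim.sign.XXXXXXXX") || return 1
    tmp2=$(mktemp "${TMPDIR:-/tmp}/dkim.sign.XXXXXXXX") || { rm -f "$tmp"; return 1; }
    cat - > "$tmp"
    if [ -f "$key" ] && "$DKIMTEST" -d "$domain" -s "$tmp" "$key" "$tmp2" 2>/dev/null; then
        # libdkimtest writes CRLF line ends; qmail-remote wants bare LF, so drop
        # every CR (octal 015).  Inside single quotes one backslash is enough.
        tr -d '\015' < "$tmp2" | "$DKREMOTE" "$@"
    else
        "$DKREMOTE" "$@" < "$tmp"       # no key for this domain: deliver unsigned
    fi
    rc=$?
    rm -f "$tmp" "$tmp2"
    return $rc
}
```

Both functions can be exercised without qmail by pointing $DKIMQUEUE or $DKREMOTE at a script that just runs cat, which is the test the author recommends further down.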
Update:
Because some people had trouble applying the patches to newer versions of libdkim, I have added the patched source code here: libdkim-patched.tar.gz
It would still be a good idea to patch the newer versions, and I might do that when I find some time.
Hi,
I tested your DKIM script on my server,
but I got an error when compiling; can you help?
make
g++ -c -c dkimsign.cpp
dkimsign.cpp: In constructor `CDKIMSign::CDKIMSign()':
dkimsign.cpp:39: error: `EVP_sha256' undeclared (first use this function)
dkimsign.cpp:39: error: (Each undeclared identifier is reported only once for each function it appears in.)
make: *** [dkimsign.o] Error 1
thanks
EVP_sha256 should be defined in openssl/evp.h. If you don't have that file in your include path, then you have to install it (it should be in some openssl-dev package; if you tell me what OS you use I may be able to help you with that). If you already have that file but the function EVP_sha256 is not defined, then I guess you have to install a different (newer?) version of OpenSSL.
I just did grep -r EVP_sha256 /usr/include and it showed up in /usr/include/openssl/evp.h. I'm using 0.9.8e on Gentoo.
Hi,
thanks for the reply.
I am using Fedora 3, and the OpenSSL 0.8.9e tar version too.
Still get this error.
Any idea?
Do you have openssl-devel installed?
rpm -q openssl-devel
If not, then install it and try again.
Hi there. I found these scripts hard to run. The libdkim compiled successfully but I cannot use it with qmail-dk. Even if I change the inbound script:
) | /bin/cat - "$tmp" | $DKIMQUEUE
to:
) | /bin/cat - "$tmp" | $DKIMQUEUE -
it works when I change:
[ "$DKIMQUEUE" ] || DKIMQUEUE="/var/qmail/bin/qmail-dk"
to
[ "$DKIMQUEUE" ] || DKIMQUEUE="/var/qmail/bin/qmail-queue.orig"
If I leave the DKIMQUEUE to qmail-dk, qmail-dk seems to call the qmail-queue not the qmail-queue.orig as originally and it loops endlessly 🙁
Another issue is that the verify functionality can be found in Spamassassin with plugin dkim. The pro is that based on the verifying the mail it can score it different.
And last the qmail-remote script is not run! I don’t know why 🙁 So I can’t sign the mails..
Can you shed some light on this?
THX
You can tell qmail-dk to run qmail-queue.orig by setting the DKQUEUE environment variable.
If you plan to use the dkim plugin for spamassassin you should disable verification from qmail-queue.
🙂 THX It works. My mail server is QMT. DKQUEUE made it working 🙂
What are the pro/cons using the spamassassin for verifying DKIM?
Glad to hear it works.
Spamassassin is written in Perl, and Perl code is usually slower than compiled C++ code (libdkimtest), so the verification might take longer and use more resources. This is just theory; I didn't do any benchmarks.
Yeah it works for verifying but not for signing 🙁 It was too early I was happy.
I have:
_line_26:_17959_Segmentation_fault_____/usr/local/bin/libdkimtest …..
🙁
It never happened to me. I tested it on my gentoo system as well on a freebsd 5.3
Can you use gdb to send me a back trace for libdkimtest ?
Here it is:
Program received signal SIGSEGV, Segmentation fault.
0x42eabe20 in strcpy () from /lib/libc.so.6
(gdb) backtrace
#0 0x42eabe20 in strcpy () from /lib/libc.so.6
#1 0x0804a256 in main (argc=7, argv=0xbfeea8e4) at libdkimtest.cpp:250
the gdb log.
And with my colleague we discovered:
char* pSig = NULL;
n = DKIMSignGetSig2( &ctxt, PrivKey, &pSig );
strcpy( szSignature, pSig );
^^^^^^^^^^^^^^^^^^^^^^ Line 250
That line 250 is the "bad" one 🙂
Nice one, I'll get that fixed shortly. If you know how and can fix it, feel free to send me a patch, or send it to the guys at libdkim, because I'm not sure that my patch to libdkimtest introduced that bug.
I had some weird character instead of the domain name in the DKIM signature of the email..
I fixed the situation by adding a -d "$DOMAIN" on the /usr/local/bin/libdkimtest line in qmail-remote.
After applying both patch, I had to “patch” a bit the libdkimtest.cpp and change the following line :
---vopts.pfnPolicyCallback = NULL; //PolicyCallback;
by
+++vopts.pfnPracticesCallback = NULL; //PolicyCallback;
in order to compile properly.
(using libdkim-1.0.17)
I downloaded libdkim 1.0.17 and tried to apply the first patch but it says…
penguin ~ # patch -p1 < libdkim.patch
can't find file to patch at input line 4
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff -ur --new-file libdkim/src/Makefile libdkim-patched/src/Makefile
|--- libdkim/src/Makefile 2007-02-22 13:40:30.000000000 +0200
|+++ libdkim-patched/src/Makefile 2007-05-03 21:41:30.000000000 +0300
--------------------------
File to patch:
Are you patching it from inside the libdkim folder?
I’ve tried patching it from both inside and outside the libdkim folder. When I patch outside the libdkim folder I get the error I originally posted. When I patch inside the libdkim folder I get the following error…
penguin libdkim # patch -p1 < libdkim.patch
patching file src/Makefile
Hunk #1 FAILED at 1.
1 out of 1 hunk FAILED -- saving rejects to file src/Makefile.rej
patching file src/dkim.h
Hunk #1 FAILED at 156.
1 out of 1 hunk FAILED -- saving rejects to file src/dkim.h.rej
patching file src/macros.h
The patch was designed for libdkim 1.0.14. The modifications added up until 1.0.17 are what makes this patch not apply anymore. You will have to look into the .rej file and the original files and then apply the diffs manually. Then recompile.
If you manage to make it work, feel free to post the patch in the comments. You should also look at this comment: http://patchlog.com/security/qmail-and-dkim/#comment-6090
OK, I downloaded libdkim 1.0.14 and am still having the same problems. Any ideas why?
You might wanna try 1.0.13. It was a long time ago and I can't remember exactly. I wish I had written the version I used at the time in the post.
OK, I tried 1.0.10/12/13/14/17 and none of them work, so I give up.
I managed to find the patched source code that I used when I wrote the post. I have attached it at the end of the post. This should just compile without any problems.
I think there is a problem with your qmail-queue and qmail-remote scripts. Where it says...
/usr/local/bin/libdkimtest -v "$tmp" > "$tmp2" 2>/dev/null
The > should be a , don’t know which one?
Never mind, it looks good now.
Yes, of course. Stupid WordPress messing up the tags. It's fixed now.
/bin/cat – & g t;”$tmp”
This line looks like it needs to be fixed
Should be fixed now
OK, I got downloaded your patched file and it compiled. I followed the rest of your instructions and everything looks good. But when I try and send an email I get the following error…
554 mail server permanently rejected message (#5.3.0)
Any ideas why?
ok, I have narrowed it down. This problem (error 554) is happening because of the qmail-queue file but I don’t know what is causing it.
When I use the default qmail-queue file and the modified qmail-remote as posted above I no longer get the 554 error but instead get the following error even though qmail-remote is executable, the error says
“Unable to run qmail-remote.”
If I figure out the answers to these problems I will post them here.
The new qmail-queue must have exactly the same ownership and permissions as the old one. Just making it executable is not enough.
The script will eventually forward the message to the real qmail-queue.
The path to the real qmail-queue must be set in the DKIMQUEUE env variable, or else it will use qmail-dk (which is a DomainKeys wrapper for qmail-queue). If you don't have qmail-dk on your system and you have not set DKIMQUEUE, the script will most likely fail.
You should test the script before trying to run it as qmail-queue. You can simply try to pipe a message into it and see what you get in response.
If qmail-queue is correctly set up then it should just complain that it cannot run when not called by qmail.
If you set DKIMQUEUE=/bin/cat then the script should just output the message with a line that says DKIM-Status: good or DKIM-Status: failed in front of the message. I hope this helps.
OK, I set the permissions of qmail-queue to what they should be, but now I am getting this error...
Requested action aborted: error in processing
451 qq write error or disk full (#4.3.0)
My disk isn’t full so what could the write error be?
It can still be a permission problem.
In my logs it says the following…
@4000000047f65caf258f3624 /bin/sh: bin/qmail-queue: Permission denied
Do you know what I should do?
OK, I changed the permissions of qmail-queue but now I am getting this error again, so I give up on this..
554 mail server permanently rejected message (#5.3.0)
I’ve got the same problem with the qmail-remote replacement:
failure: Unable_to_run_qmail-remote./
Are there any solutions?
Do you have the qmail-remote.orig file with the same permissions as the original qmail-remote? Does your script have the same permissions? Does your script run without throwing any error? You can test this by modifying the script a bit to not call qmail-remote.orig anymore but something like /bin/cat, and then just piping the message to it.
If I try to run the script like this: ./qmail-remote I get this message:
bash: ./qmail-remote: /usr/local/bin/bash: bad interpreter: No such file or directory
So, I only copied the missing file and that's it! cp /bin/bash /usr/local/bin/
But now I'm getting a new problem: kimlibtest:_can't_open_private_key_file 🙁
It should be fine. I think your problem was that it didn't find bash.
The fact that it can't open the private key file is fine, because when you run qmail-remote like that it can't figure out where the private key is, but when qmail-remote runs normally it should be fine.
What are your permissions for qmail-queue?
-rws--x--x 1 qmailq qmail 15368 Apr 20 2007 qmail-queue
Yeah, that's what I have.
Here is how to make this work on CentOS 5.1 (and presumably Fedora & RHEL). First a few notes… The existing openssl doesn’t support sha256 and I didn’t want to trash my existing openssl rpm + huge dependency tree so I made a separate openssl build just for libdkim. I ran into a zillion errors but managed to overcome all of them. Here are my EXACT steps + comments:
cd /home/rich
wget http://www.openssl.org/source/openssl-0.9.8e.tar.gz
tar zxvf openssl-0.9.8e.tar.gz
cd openssl-0.9.8e
vi +124 crypto/sha/sha256.c
remove the line that says "#else"
# ^^^ prevents compile error “../libcrypto.so: undefined reference to `sha256_block'”
LD_RUN_PATH=/usr/openssl-0.9.8e/lib; export LD_RUN_PATH
# ^^^ see http://www.mail-archive.com/openssl-users@openssl.org/msg43695.html
./Configure -DSSL_ALLOW_ADH -DSHA256_ASM --prefix=/usr/openssl-0.9.8e --openssldir=/usr/openssl-0.9.8e/share/openssl linux-elf shared
make install build-shared
echo "/usr/openssl-0.9.8e/lib" >> /etc/ld.so.conf.d/openssl-0.9.8e.conf
ldconfig
cd /usr/openssl-0.9.8e/lib
ldd *
cd /home/rich
wget http://superb-west.dl.sourceforge.net/libdkim/libdkim-1.0.17.zip
wget http://patchlog.com/wp-content/uploads/2007/05/libdkim.patch
wget http://patchlog.com/wp-content/uploads/2007/05/libdkim2.patch
unzip libdkim-1.0.17.zip
cd libdkim
patch -p1 < ../libdkim.patch
patch -p1 < ../libdkim2.patch
cd src
# edit Makefile so we can link dkim to our new openssl…
chmod 666 Makefile
vi Makefile
change: LIBS = -lcrypto -lresolv
to: LIBS = -lcrypto -lresolv -L/usr/openssl-0.9.8e/lib
change: INCL = -I /usr/include/openssl/
to: INCL = -I /usr/openssl-0.9.8e/include
change: g++ $(CFLAGS) -c $<
to: g++ $(CFLAGS) $(INCL) -c $<
#^^^ prevents dkimverify.cpp:1270: error: invalid conversion from `const unsigned char**' to `unsigned char**'
# dkimverify.cpp:1270: error: initializing argument 2 of `EVP_PKEY* d2i_PUBKEY(EVP_PKEY**, unsigned char**, long int)'
#
# see http://www.exim.org/lurker/message/20070928.151653.6c8fbb50.en.html
vi dkimbase.h
change: #include
to: #include
#^^^ prevents "dkimsign.cpp:40: error: `EVP_sha256' was not declared in this scope"
chmod 666 libdkimtest.cpp
vi +282 libdkimtest.cpp
change: vopts.pfnPolicyCallback = NULL; //PolicyCallback;
to: vopts.pfnPracticesCallback = NULL; //PolicyCallback;
# ^^^ prevents "libdkimtest.cpp:282: error: 'struct DKIMVerifyOptions' has no member named 'pfnPolicyCallback'"
# see: http://patchlog.com/security/qmail-and-dkim/
make LINUX=y
cp libdkimtest /usr/local/bin
@Rich: thanks for sharing. Did you have any troubles applying my patches to libdkim 1.0.17 ?
@Jason: did you try to test the libdkimtest program without the scripts? Does it work, or does it throw any errors? Did you apply the change in libdkimtest.cpp at line 282 mentioned by Rich in his comment and also in a previous comment?
What exactly do I type to test the libdkimtest program?
No I didn’t apply the changes to libdkimtest.cpp because I thought those changes were for 1.0.17 which I am not using (I am using your patched download). When I do change libdkimtest.cpp the compile ends in an error.
I get this error in my logs which is causing me problems…
@4000000047f65caf258f3624 /bin/sh: bin/qmail-queue: Permission denied
..and my permissions for qmail-queue are correct…
-rws--x--x 1 qmailq qmail 17844 Apr 3 17:38 qmail-queue
In my logs…
@4000000047f6cca537e447ec /bin/sh: bin/qmail-queue: Permission denied
Does this mean /bin/sh doesn’t have permission to run qmail-queue? If so how do I grant /bin/sh permission to run qmail-queue?
One thing didn’t display right on the last message:
vi dkimbase.h
In the #include area
change: openssl/evp.h
to: /usr/openssl-0.9.8e/include/openssl/evp.h
sorry about that !
“@Rich: thanks for sharing. Did you have any troubles applying my patches to libdkim 1.0.17 ?”
Mihai: Your patches applied to libdkim 1.0.17 without any problems. I applied them as per your instructions. Since I downloaded everything to the same directory I had to use ../ though 🙂
cd libdkim
patch -p1 < ../libdkim.patch
patch -p1 < ../libdkim2.patch
I’ve been trying to get libdkim working on an older slackware system with a version of OpenSSL which doesn’t support sha256. I started looking at Rich’s post above since I’m in the same position that I don’t want to replace the version of OpenSSL that I have installed.
I’ve created a patch to remove the need for sha256 from libdkim 1.0.17. It will no longer sign or verify using sha256, but it will do sha1. I fixed a few other things to make it compile without errors on Slackware Linux. The patch is here
Rather than re-write things totally, I simply substituted calls to the SHA1 routines where SHA256 was called, and added something to give an error if trying to verify a SHA256 message. Not the best solution, but it does work. The patch includes most of the changes applied by libdkim.patch and libdkim2.patch, so you don’t need to do these as well.
A command line test can be done like this:
libdkimtest -z1 -s email.txt priv.key email_signed.txt
If you change to z=2 or z=3 you can get 2 signatures – the code thinks it’s doing SH1 + SH256, but it does the SH1 twice. See lines around 1055 in dkimsign.cpp to understand why it runs twice. It’s not a problem if you just use z=1.
You don’t really need to modify so much of libdkim source code to remove sha256 support.
Why not install latest openssl from sources in /usr/local then modify Makefile to use that version instead of the standard version.
Something like this patch should work after you install openssl from sources in /usr/local/
Hi,
Very strange behaviour with the (/bin/cat "$tmp2" |tr -d '\15') | "$DKREMOTE" "$@" part of the qmail-remote script. This was causing signing to be messed up by making these changes to the email, causing the DKIM process to fail:
a=rsa-sha1; turned into a=rsa-sha;
x=1208651307; turned into x=28673;
I changed the command to
/bin/cat "$tmp2" | "$DKREMOTE" "$@"
and it works fine.
It looks like the ‘tr’ was meant to strip new lines. Is that correct? Does it matter that I remove it?
David.
The script should be (/bin/cat "$tmp2" |tr -d '\\015') | "$DKREMOTE" "$@"
Note the double slashes there.
With just one slash it will delete every 1 and 5 in the message, but with double slashes it will strip CR chars (ASCII dec 13, oct 015). This is required by qmail to work correctly.
Hi Mihai,
Thanks for the additional patch for the recent OpenSSL. I usually try to keep just one copy of libraries on the system to make updates and maintenance simple. I’ve had some nightmare cases in the past where I couldn’t tell what was linked to which copy, and wanted to avoid that.
For the ‘tr’ part, I found the formats below work. Double slash is needed with double quotes, otherwise single slash with single quotes:
tr -d "\15"
tr -d '15'
David.
You are right, there should have been double quotes there because I used double slashes. It is corrected now.
OK – I can see where the confusion is coming from. This comment software is taking out slashes. In my previous post the first should have 2, and the second should have one slash.
Try again:
tr -d "\\15"
tr -d '\15'
I’ve written a small shell script to create the keys for DKIM:
Have fun!
Anyone have any idea how to get around this?
make[2]: Entering directory `/home/deger/openssl-0.9.8e/apps'
( :; LIBDEPS="${LIBDEPS:--L.. -lssl -L.. -lcrypto }"; LDCMD="${LDCMD:-cc}"; LDFLAGS="${LDFLAGS:--O}"; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep '^ *-L' > /dev/null 2>&1; then echo $x | sed -e 's/^ *-L//'; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o ${LIBDEPS} )
../libcrypto.a(sha256.o): In function `sha256_block_data_order':
sha256.c:(.text+0xe3): undefined reference to `sha256_block'
../libcrypto.a(sha256.o): In function `sha256_block_host_order':
sha256.c:(.text+0x12e): undefined reference to `sha256_block'
collect2: ld returned 1 exit status
make[2]: *** [link_app.] Error 1
make[2]: Leaving directory `/home/deger/openssl-0.9.8e/apps'
make[1]: *** [openssl] Error 2
make[1]: Leaving directory `/home/deger/openssl-0.9.8e/apps'
make: *** [build_apps] Error 1
Hi,
I tried this on my (French) server with libdkim 1.0.19 and I also have an error after
make LINUX=y
g++ -c -c dkim.cpp
g++ -c -c dns.cpp
g++ -c -c dkimbase.cpp
g++ -c -c dkimsign.cpp
g++ -c -c dkimverify.cpp
dkimverify.cpp: In function `unsigned int DecodeBase64(char*)’:
dkimverify.cpp:221: attention : converting de valeur négative « -0x000000001 » vers « unsigned char »
(this line is repeated about 30 times and...)
dkimverify.cpp: In function `bool ParseUnsigned(const char*, unsigned int*)’:
dkimverify.cpp:846: attention : converting de valeur négative « -0x000000001 » vers « unsigned int »
dkimverify.cpp: In member function `int CDKIMVerify::ParseDKIMSignature(const std::string&, SignatureInfo&)’:
dkimverify.cpp:1022: attention : converting de valeur négative « -0x000000001 » vers « unsigned int »
dkimverify.cpp:1050: attention : converting de valeur négative « -0x000000001 » vers « unsigned int »
dkimverify.cpp:1060: attention : converting de valeur négative « -0x000000001 » vers « unsigned int »
rm -f libdkim.a
ar cr libdkim.a dkim.o dns.o dkimbase.o dkimsign.o dkimverify.o
ranlib libdkim.a
g++ -c -c libdkimtest.cpp
g++ -olibdkimtest \
-L . libdkimtest.o -lcrypto -ldkim
./libdkim.a(dns.o): dans la fonction « _DNSGetTXT(char const*, char*, int) »:
dns.cpp:(.text+0x32): référence indéfinie vers « __res_query »
dns.cpp:(.text+0x14d): référence indéfinie vers « __dn_expand »
dns.cpp:(.text+0x1dd): référence indéfinie vers « __dn_expand »
collect2: ld a retourné 1 code d'état d'exécution
make: *** [libdkimtest] Erreur 1
Also tried with 1.0.17 but the error is it can’t find getcwd.
First question: do I have to patch this version 1.0.19?
2nd: Have I missed something or am I doing something wrong?
Hope you could help.
alex
It seems like it's not using -lresolv.
Your Makefile should look like this:
# libdkim makefile for UNIX
#
ifdef LINUX
CFLAGS = -c
LFLAGS =
LIBS = -lcrypto -lresolv
else
…
Well, it's my first time with make...
1. My makefile does look like this.
2. I browsed the web and found that -lresolv searches for the library libresolv.so, and that I have libresolv-2.3.6.so in my /lib.
3. I also have libcrypto, /usr/include/openssl...
4. I tried to go further with the error message and it says in (bad) English there's a problem converting a negative value to unsigned int or char...
I looked in dkimverify.cpp and all lines that are mentioned in my error message contain a "-1"... Hope this could help.
I forgot to say I am under Gentoo Linux.
Don't know if it really matters.
What can I check / do next?
You can create a symlink from libresolv-2.3.6.so to libresolv.so, then run ldconfig and try to compile again.
Performance tip: you can append "-p /dev/shm" to the mktemp command; it will reduce disk IO.
Very dangerous if your small device gets out of memory while running more than one signing process.
I'm having a very difficult time implementing DKIM on my FreeBSD 6.2 server with OpenSSL 0.9.7. I've installed 0.9.8 from ports to /usr/local and have tried all of the above, but no luck. DKIM/qmail/FreeBSD has 0 documentation..
I have this running without any problems on a FreeBSD 5.3.
Mihai, could I get your contact info? Real-time chat? Email?
I patched the latest version of libdkim (1.10.19) with the 2 patches from above.
You can download the complete patched source from : http://dkim.moogly.nl/libdkim-1.0.19-patched.tgz
more info for this: http://forum.lxlabs.com/index.php?t=msg&th=6074…
Hi Mihai,
I followed all your steps to set up DKIM with libdkim-patched.
But I am getting an error while sending mail.
"Transaction failed
Server replied: 554 mail server permanently rejected message (#5.3.0)"
and the mails which were in the queue before were returned undelivered, mentioning
"Unable to run qmail-remote."
-rwxr-xr-x 1 qmailq qmail 554 Jul 5 08:25 qmail-queue
-rwx--x--x 1 qmailq qmail 586 Jul 5 04:49 qmail-remote
-rwx--x--x 1 root qmail 30956 Jun 28 06:42 qmail-remote.orig
Can you help me to go further?
qmail-queue should be -rws--x--x
It might not be your only problem, but you should try to fix this one for now.
I'm guessing you're getting that error message in the SMTP session.
You should try to trace it (the qmail-smtpd process) with strace; you might get some ideas about where the problem is.
Hello,
I keep getting "DI (qmail-remote) was invoked improperly. (#5.3.5)"
Any ideas? Need more info?
Forgot, my permissions are as follows:
-rwxr-xr-x 1 root qmail 561 Feb 21 02:41 qmail-remote
-rwxr-xr-x 1 root qmail 34K Feb 17 10:30 qmail-remote.orig
The errors i get are:
qmail-send – delivery 1: failure: Unable_to_run_qmail-remote./
And my previous message shows the error when i run ./qmail-remote (your script)
Here’s a better solution that I’m using now:
http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/
Will this interfere with my qmailrocks install?
No idea, I’m not using qmailrocks. Just try it and see how it goes, then maybe come back and let us know 🙂
Actually it worked with a qmailrocks install!!!
Do not use the patches that come with qmailrocks.
The ones that come with http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/ are enough.
If you get an error:
[root@mnmail qmail-1.03-jms1.7.08]# sudo make setup check
./install
install: fatal: unable to write …/bin/qmail-lspawn: text busy
make: *** [setup] Error 111
Just stop qmail and rerun "sudo make setup check" (dhuuu)
Thx so much for your help.
Good to know. Thanks 🙂
Hi,
Managed to follow Rich's step-by-step guide without error, but when I tried to send a test mail I received a "451 qq crashed (#4.3.0)" error.
Appreciate very much if anyone could help.
TIA
It’s probably a permission problem. Try to strace it and see where the error is.
Mihai, I've been using your script ever since FreeBSD 7.3 was released, and I'm curious, since I've upgraded it to FreeBSD 8.0 I'm getting unable to run qmail-remote with the same working environment, just the FreeBSD update. I've recompiled libdkim and libdomainkey just to fit the new environment.
Also, the jm combined patch works perfectly on BSD, but Brandon's patch needs modifications regarding lib locations and includes.
Have you faced the same problem as I'm getting here? I know that eventually I will fix it anyway, because my system cannot run without dk / dkim; just curious if you had already fixed it.
Thank you.
I'm not using FreeBSD anymore, so I have no way of testing it on FreeBSD 8.
If libdkimtest and libdomainkeystest work correctly, you should try to run my wrapper script directly and figure out what the problem is.
As for Brandon's patch, modifying the lib locations and includes shouldn't be such a big deal.
Having a problem here. I only need to sign outgoing mail, as this is a relay server only, with controlled input and not an MX. I downloaded the patched libdkim source and it compiled OK. I modified the shell script because it will only sign for one domain here, and I just get
delivery 4: failure: DUnable_to_run_qmail-remote./
The permissions and owner on the script are the same as on the original qmail-remote, libdkimtest is executable.... What could be the problem?
Here's my modified shell script wrapper:
#!/bin/bash
DKSIGN="/etc/domainkeys/mydomain.com/wnews1"
DKREMOTE="/var/qmail/bin/qmail-remote.orig"
DOMAIN="mydomain.com"
tmp=`mktemp -t dkim.sign.XXXXXXXXXXXXXXX`
tmp2=`mktemp -t dkim.sign.XXXXXXXXXXXXXXX`
/bin/cat - > "$tmp"
/usr/local/bin/libdkimtest -ydefault -s "$tmp" "$DKSIGN" "$tmp2" 2> /dev/null
(/bin/cat "$tmp2" |tr -d "\15") | "$DKREMOTE" "$@"
retval=$?
rm "$tmp" "$tmp2"
exit $retval
I don't know if it will fix your problem, but this line:
(/bin/cat "$tmp2" |tr -d "\15") | "$DKREMOTE" "$@"
should be:
(/bin/cat "$tmp2" |tr -d "\\015") | "$DKREMOTE" "$@"
See the difference?
It copy-pasted weirdly; that was not the issue.
strace shows it's a permissions issue:
[pid 25908] open("/var/qmail/bin/qmail-remote", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
but qmail-remote works
-rwx--x--x 1 root qmail 25508 2010-11-22 10:08 qmail-remote
and this doesn't
-rwx--x--x 1 root qmail 548 2010-11-22 10:10 qmail-remote
bizarre
Try giving 755 permissions to qmail-remote.
Didn't help.
This is bad; I need to get DKIM working by March and I'd hate to have to rebuild 3 email servers to do it 🙁 (when mail is 1% of my job)
Are you on linux or FreeBSD? What versions? How have you installed your current qmail version ( premade package or build from source ) ?
Do you have any special security mechanisms enabled ( selinux, apparmor, anything else ) ?
Linux.
I built it from source; it was 4 years ago in January and I haven't touched it much since.
Never heard of AppArmor, and SELinux is disabled.
looking around at this again I can’t find the original source. I usually keep it in /root somewhere but it’s gone on both of the relay machines, I think I’m going to have to take one offline and rebuild it. Probably use a different DKIM method in that case.
I'm sorry. Not sure how I could help you... unless maybe you want to give me access to one of the servers.
Anyway, if you're going to rebuild you should use this patch http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/
instead of the scripts.
I ended up getting it mostly working on another machine, but when I test signing messages with various services online it fails, and I noticed this, which I am not sure is a problem: I get 3 DKIM-Signature: headers
DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=xxxx.com;
s=wnews1; x=1295645608; i=news@xxx.com; h=Received:From;
b=XCWXYSap5868xcp6pkKOO3bFS1L8lq5S7ejgCp80N1rwNBIQ6RBgQspNojn6Ni
ZN0rvOlYJ2CgWPhI31D3Mbp3T3Y4jdBZN+G858IO9Uvj7FNvjDT7qcje885UqpR7
cq
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
d=xxx.com; s=wnews1; x=1295645608; i=news@xxx.com;
h=Received:From; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=Yf7GE8ep7pk9
uRKDfXYT/zZ/TafUWMFlzwbNlkQxmG54GKUH+MbMAFIPDu/AiH0TWnmY+MgkrEqY
JJIA6yx2o0HNtZWFyn+0C1Y5zsSQqtioa4nJlQQMDAVCyKefrJ7o
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=xxx.com; s=wnews1; x=1295645608; i=news@xxx.com;
h=Received:From; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
b=glzCBumolUOl8gjFDIoXrL2FJFbOJuDhlCsVOfYolCRW/Z2Olr5SHTJ9R/z8QL
9k2a0Yf/Sd9DeInXWiJT3bK9721NUyDCri36Zoj7KKKvzuRlDXXIIVIbmzyA1UpW
+/
What could cause this? I first noticed it looking at delivered mail headers; then I just didn't remove $tmp at the end of the shell script and looked at that, and it is indeed giving me 3 lines like that. I added a line to the script to echo the date to a file each time it's invoked and it's not being called 3 times... any idea?