qmail and DKIM

DomainKeys Identified Mail (DKIM) is a method for validating the identity associated with a message using using public-key cryptography and key server technology. DKIM is an enhanced version of Yahoo's Domain Keys and Cisco's Identified Internet Mail methods. As of February 2007 an IETF draft was accepted as "Proposed standard", it may take some more time till this will be a standard but the current version is stable ( according to dkim.org ).

Implementations of DKIM in email servers is not available as much as DomainKeys.
For qmail there is a patch that uses libdomainkeys to implement a replacement for qmail-queue that will verify and sign messages but this only works for DomainKeys not DKIM. I have developed a solution for qmail to be able to verify and sign messages with DKIM.

My solution was inspired by a post on the qmail list http://article.gmane.org/gmane.mail.qmail.general/52049 that used two shell scripts one as a qmail-queue wrapper for verifying the messages and one as a qmail-remote wrapper for signing the messages. Both scripts call dktest, a test program that comes with libdomainkeys, to do the signing and verification.

Libdkim is a portable implementation of the DKIM drafts and it comes with a test program, libdkimtest somehow similar to dktest so I'm using this to do the signing and verification.

Although libdkim developers claim it is portable it needed some patching to make it compile on Linux, mainly some macro definitions that are only available in windows header files. I found those definitions in a file macros.h from mono and I added it to libdkim's source and included it in dkim.h .

I also added some small features and enhancements like a help / usage message for libdkimtest, the ability to specify the domain and selector in the command line. I removed some hard coded defaults that blocked options specified on the command line and I made it be able to process messages that had bare LF as line terminators instead of CR/LF.

The shell scripts that used dktest also needed some small modifications because libdkimtest does not read the message on it's standard input and it does not output the message to the standard output.

Here is the shell script that does the verification:

  1. span style="color: #ff0000;">"$DKIMQUEUE" ] || DKIMQUEUE="/var/qmail/bin/qmail-dk"'^DKIMVERIFY='"$tmp""$tmp" > "$tmp2""$(cat "$tmp2"|grep "")" != """DKIM-Status: good""$(cat "$tmp2"|grep "Fail")" != """DKIM-Status: failed""$tmp""$tmp" "$tmp2"

This should replace qmail-queue and to make it verify the messages you have to set the DKIMVERIFY environmental variable. This script calls qmail-dk because I want to also verify the DomainKeys signature.

and here is the script that should replace qmail-remote:

  1. span style="color: #ff0000;">"$DKSIGN" ] || DKSIGN="/etc/domainkeys/%/default"
  2. [ "$DKREMOTE" ] || DKREMOTE="/var/qmail/bin/qmail-remote.orig""${DKSIGN%%%*}${DOMAIN}${DKSIGN#*%}""$DKSIGN""$tmp""$tmp" "$DKSIGN" "$tmp2""$tmp2""\\015") | "$DKREMOTE" "$@""$tmp" "$tmp2""$DKREMOTE" "$@"

copy qmail-remote to qmail-remote.orig and then name this script qmail-remote

get libdkim, unzip it, get these patches : libdkim linux compile patch and libdkim extra options patch

and apply then like this

  1.  

If you had qmail-dk working before then the scripts will just use the private keys in /etc/domainkeys/{domain_name}/default just like qmail-dk .

Update:

because some people had troubles applying the patches to newer versions of libdkim I have added the patched source code here: libdkim-patched.tar.gz

It would still be a good idea to patch the newer versions and I might do that when I find some time.

101 thoughts on “qmail and DKIM

  1. hi

    i test on your dkim script in my server,

    but i have error when compile , can you help ?

    make
    g++ -c -c dkimsign.cpp
    dkimsign.cpp: In constructor `CDKIMSign::CDKIMSign()’:
    dkimsign.cpp:39: error: `EVP_sha256′ undeclared (first use this function)
    dkimsign.cpp:39: error: (Each undeclared identifier is reported only once for each function it appears in.)
    make: *** [dkimsign.o] Error 1

    thanks

  2. EVP_sha256 should be defined in openssl/evp.h . If you don’t have that file in your include path , then you have to install it ( it should be in some openssl-dev package, if you tell me what os you use I may be able to help you with that ) . If you already have that file but the function EVP_sha256 is not defined, then I guess you have to install a different ( newer ? ) version of openssl.
    I just did grep -r EVP_sha256 /usr/include and it showed up in /usr/include/openssl/evp.h . I’m using 0.9.8e on gentoo.

  3. Hi, there. I found these scripts hard to run. The libdkim compiled succesfully but I cannot use it with qmail-dk. Even I change the inbound script:
    ) | /bin/cat – “$tmp” | $DKIMQUEUE
    to:
    ) | /bin/cat – “$tmp” | $DKIMQUEUE –
    it works when I change:
    [ “$DKIMQUEUE” ] || DKIMQUEUE=”/var/qmail/bin/qmail-dk”
    to
    [ “$DKIMQUEUE” ] || DKIMQUEUE=”/var/qmail/bin/qmail-queue.orig”

    If I leave the DKIMQUEUE to qmail-dk, qmail-dk seems to call the qmail-queue not the qmail-queue.orig as originally and it loops endlessly 🙁

    Another issue is that the verify functionality can be found in Spamassassin with plugin dkim. The pro is that based on the verifying the mail it can score it different.

    And last the qmail-remote script is not run! I don’t know why 🙁 So I can’t sign the mails..

    Can you shed some light on this?
    THX

  4. You can tell qmail-dk to run qmail-queue.orig by setting the DKQUEUE environment variable.
    If you plan to use the dkim plugin for spamassassin you should disable verification from qmail-queue.

  5. 🙂 THX It works. My mail server is QMT. DKQUEUE made it working 🙂
    What are the pro/cons using the spamassassin for verifying DKIM?

    1. Glad to hear it works.
      Spamassassin is written in perl and perl code is usually slower then compiled C++ code ( libdkimtest ) so the verification might take longer and use more resources. This is just theory I didn’t do any benchmarks.

  6. Yeah it works for verifying but not for signing 🙁 It was too early I was happy.

    I have:
    _line_26:_17959_Segmentation_fault_____/usr/local/bin/libdkimtest …..

    🙁

  7. Here it is:
    Program received signal SIGSEGV, Segmentation fault.
    0x42eabe20 in strcpy () from /lib/libc.so.6
    (gdb) backtrace
    #0 0x42eabe20 in strcpy () from /lib/libc.so.6
    #1 0x0804a256 in main (argc=7, argv=0xbfeea8e4) at libdkimtest.cpp:250

    the gdb log.

    And with my collegue we discovered:
    char* pSig = NULL;^
    ^
    n = DKIMSignGetSig2( &ctxt, PrivKey, &pSig );^
    ^
    strcpy( szSignature, pSig );^
    ^^^^^^^^^^^^^^^^^^^^^^ Lince 250

    That line 250 is the “bad” one 🙂

    1. nice one, I’ll get that fixed shortly. If you know and can fix it feel free to send me a patch or the guys at libdkim , cause I’m not sure that my patch to libdkimtest introduced that bug.

  8. I had some weird character instead of the domain name in the DKIM signature of the email..
    I fixed the situation by adding a -d “$DOMAIN” on the /usr/local/bin/libdkimtest line in qmil-remote..

    1. After applying both patch, I had to “patch” a bit the libdkimtest.cpp and change the following line :

      —vopts.pfnPolicyCallback = NULL; //PolicyCallback;

      by

      +++vopts.pfnPracticesCallback = NULL; //PolicyCallback;

      in order to compile properly.

      (using libdkim-1.0.17)

  9. I downloaded libdkim 1.0.17 and tried to apply the first patch but it says…

    penguin ~ # patch -p1 < libdkim.patch
    can’t find file to patch at input line 4
    Perhaps you used the wrong -p or –strip option?
    The text leading up to this was:
    ————————–
    |diff -ur –new-file libdkim/src/Makefile libdkim-patched/src/Makefile
    |— libdkim/src/Makefile 2007-02-22 13:40:30.000000000 +0200
    |+++ libdkim-patched/src/Makefile 2007-05-03 21:41:30.000000000 +0300
    ————————–
    File to patch:

      1. I’ve tried patching it from both inside and outside the libdkim folder. When I patch outside the libdkim folder I get the error I originally posted. When I patch inside the libdkim folder I get the following error…

        penguin libdkim # patch -p1 < libdkim.patch
        patching file src/Makefile
        Hunk #1 FAILED at 1.
        1 out of 1 hunk FAILED — saving rejects to file src/Makefile.rej
        patching file src/dkim.h
        Hunk #1 FAILED at 156.
        1 out of 1 hunk FAILED — saving rejects to file src/dkim.h.rej
        patching file src/macros.h

        1. The patch was designed for libdkim 1.0.14. The modifications added up untill 1.0.17 is what makes this patch not apply anymore. You will have to look into the .rej file and the original files and then apply the diffs manually . Then recompile.
          If you manage to make it work feel free to post the patch in the comments. you should also look at this comment: http://patchlog.com/security/qmail-and-dkim/#comment-6090

        2. You might wanna try 1.0.13 . It was a long time and I can’t remember exactly. I wish I had written the version I used at the time in the post.

        3. I managed to find the patched source code that I used when i wrote the post. I have attached at the end of the post. This should just compile without any problems

  10. I think there is a problem with you qmail-queue and qmail-remote scripts. Where it says…

    /usr/local/bin/libdkimtest -v “$tmp” > “$tmp2” 2>/dev/null

    The > should be a , don’t know which one?

  11. OK, I got downloaded your patched file and it compiled. I followed the rest of your instructions and everything looks good. But when I try and send an email I get the following error…

    554 mail server permanently rejected message (#5.3.0)

    Any ideas why?

    1. ok, I have narrowed it down. This problem (error 554) is happening because of the qmail-queue file but I don’t know what is causing it.

      When I use the default qmail-queue file and the modified qmail-remote as posted above I no longer get the 554 error but instead get the following error even though qmail-remote is executable, the error says

      “Unable to run qmail-remote.”

      If I figure out the answers to these problems I will post them here.

      1. The script will eventually forward the message to the real qmail-queue
        the path to the real qmail-queue must be set in the DKIMQUEUE env variable or else it will use qmail-dk ( which is a domainkeys wrapper for qmail-queue ). If you don’t have qmail-dk on your system and you have not set DKIMQUEUE the script will most likely fail.

        You should test the script before trying to run it as qmail queue.You can simply try to pipe a message into it and see what you get in response.

        If qmail-queue is correctly set up then it should just complain that it cannot run when not called by qmail.

        If you set DKIMQUEUE=/bin/cat then the script should just output the message with a line that will say DKIM-Status: good or DKIM-Status: failed in front of the message . I hope this helps.

      2. ok, I set the permissions of qmail-queue to what they should be but now I am getting this error…

        Requested action aborted: error in processing
        451 qq write error or disk full (#4.3.0)

        My disk isn’t full so what could the write error be?

        1. ok, I changed the permissions of qmail-queue but now I am getting this error again so I give up on this..

          554 mail server permanently rejected message (#5.3.0)

      3. I’ve got the same problem with the qmail-remote replacement:

        failure: Unable_to_run_qmail-remote./

        Are there any solutions?

        1. do you have the qmail-remote.orig file with the same permissions as the original qmail-remote. Does your script have the same permissions ? Does you script run without throwing any error? You can test this by modifying the script a bit to not call qmail-remote.orig anymore but something like /bin/cat and then just piping the message to it .

        2. If you try to run the script like this: ./qmail-remote I get this message:
          bash: ./qmail-remote: /usr/local/bin/bash: bad interpreter: No such file or directory So, i only copy the file missing and thats it! cp /bin/bash /usr/local/bin/ But, now I’m getting a new problem kimlibtest:_can’t_open_private_key_file 🙁

          1. it should be fine. I think your problem was because it didn’t find bash .
            the fact that it can’t open the private key file is fine because when you run qmail-remote like that it can’t figure out where the private key is but when qmail-remote runs normally it should be fine

  12. Here is how to make this work on CentOS 5.1 (and presumably Fedora & RHEL). First a few notes… The existing openssl doesn’t support sha256 and I didn’t want to trash my existing openssl rpm + huge dependency tree so I made a separate openssl build just for libdkim. I ran into a zillion errors but managed to overcome all of them. Here are my EXACT steps + comments:

    cd /home/rich
    wget http://www.openssl.org/source/openssl-0.9.8e.tar.gz
    tar zxvf openssl-0.9.8e.tar.gz
    cd openssl-0.9.8e

    vi +124 crypto/sha/sha256.c
    remove the line that says “#else”

    # ^^^ prevents compile error “../libcrypto.so: undefined reference to `sha256_block'”

    LD_RUN_PATH=/usr/openssl-0.9.8e/lib; export LD_RUN_PATH
    # ^^^ see http://www.mail-archive.com/openssl-users@openssl.org/msg43695.html

    ./Configure -DSSL_ALLOW_ADH -DSHA256_ASM –prefix=/usr/openssl-0.9.8e –openssldir=/usr/openssl-0.9.8e/share/openssl linux-elf shared
    make install build-shared

    echo “/usr/openssl-0.9.8e/lib” >> /etc/ld.so.conf.d/openssl-0.9.8e.conf
    ldconfig

    cd /usr/openssl-0.9.8e/lib
    ldd *

    cd /home/rich
    wget http://superb-west.dl.sourceforge.net/libdkim/libdkim-1.0.17.zip
    wget http://patchlog.com/wp-content/uploads/2007/05/libdkim.patch
    wget http://patchlog.com/wp-content/uploads/2007/05/libdkim2.patch
    unzip libdkim-1.0.17.zip
    cd libdkim
    patch -p1 < ../libdkim.patch
    patch -p1 < ../libdkim2.patch
    cd src

    # edit Makefile so we can link dkim to our new openssl…

    chmod 666 Makefile
    vi Makefile

    change: LIBS = -lcrypto -lresolv
    to: LIBS = -lcrypto -lresolv -L/usr/openssl-0.9.8e/lib

    change: INCL = -I /usr/include/openssl/
    to: INCL = -I /usr/openssl-0.9.8e/include

    change: g++ $(CFLAGS) -c $<
    to: g++ $(CFLAGS) $(INCL) -c $<

    #^^^ prevents dkimverify.cpp:1270: error: invalid conversion from `const unsigned char**’ to `unsigned char**’
    # dkimverify.cpp:1270: error: initializing argument 2 of `EVP_PKEY* d2i_PUBKEY(EVP_PKEY**, unsigned char**, long int)’
    #
    # see http://www.exim.org/lurker/message/20070928.151653.6c8fbb50.en.html

    vi dkimbase.h
    change: #include
    to: #include

    #^^^ prevents “dkimsign.cpp:40: error: `EVP_sha256′ was not declared in this scope”

    chmod 666 libdkimtest.cpp
    vi +282 libdkimtest.cpp
    change: vopts.pfnPolicyCallback = NULL; //PolicyCallback;
    to: vopts.pfnPracticesCallback = NULL; //PolicyCallback;

    # ^^^ prevents “libdkimtest.cpp:282: error: ‘struct DKIMVerifyOptions’ has no member named ‘pfnPolicyCallback'”
    # see: http://patchlog.com/security/qmail-and-dkim/

    make LINUX=y

    cp libdkimtest /usr/local/bin

  13. @Rich: thanks for sharing. Did you have any troubles applying my patches to libdkim 1.0.17 ?

    @Jason: did you try to test libdkimtest program without the scritpts ? does it work or does it throw any errors ? Did you apply the change in libdkimtest.cpp at line 282 mentioned by rich in his comment and also in a previous comment.

    1. What exactly do I type to test the libdkimtest program?

      No I didn’t apply the changes to libdkimtest.cpp because I thought those changes were for 1.0.17 which I am not using (I am using your patched download). When I do change libdkimtest.cpp the compile ends in an error.

      I get this error in my logs which is causing me problems…
      @4000000047f65caf258f3624 /bin/sh: bin/qmail-queue: Permission denied
      ..and my permissions for qmail-queue are correct…
      -rws–x–x 1 qmailq qmail 17844 Apr 3 17:38 qmail-queue

      1. In my logs…

        @4000000047f6cca537e447ec /bin/sh: bin/qmail-queue: Permission denied

        Does this mean /bin/sh doesn’t have permission to run qmail-queue? If so how do I grant /bin/sh permission to run qmail-queue?

  14. One thing didn’t display right on the last message:

    vi dkimbase.h

    In the #include area
    change: openssl/evp.h
    to: /usr/openssl-0.9.8e/include/openssl/evp.h

    sorry about that !

  15. “@Rich: thanks for sharing. Did you have any troubles applying my patches to libdkim 1.0.17 ?”

    Mihai: Your patches applied to libdkim 1.0.17 without any problems. I applied them as per your instructions. Since I downloaded everything to the same directory I had to use ../ though 🙂

    cd libdkim
    patch -p1 < ../libdkim.patch
    patch -p1 < ../libdkim2.patch

  16. I’ve been trying to get libdkim working on an older slackware system with a version of OpenSSL which doesn’t support sha256. I started looking at Rich’s post above since I’m in the same position that I don’t want to replace the version of OpenSSL that I have installed.

    I’ve created a patch to remove the need for sha256 from libdkim 1.0.17. It will no longer sign or verify using sha256, but it will do sha1. I fixed a few other things to make it compile without errors on Slackware Linux. The patch is here

    Rather than re-write things totally, I simply substituted calls to the SHA1 routines where SHA256 was called, and added something to give an error if trying to verify a SHA256 message. Not the best solution, but it does work. The patch includes most of the changes applied by libdkim.patch and libdkim2.patch, so you don’t need to do these as well.

    A command line test can be done like this:
    libdkimtest -z1 -s email.txt priv.key email_signed.txt

    If you change to z=2 or z=3 you can get 2 signatures – the code thinks it’s doing SH1 + SH256, but it does the SH1 twice. See lines around 1055 in dkimsign.cpp to understand why it runs twice. It’s not a problem if you just use z=1.

    1. You don’t really need to modify so much of libdkim source code to remove sha256 support.
      Why not install latest openssl from sources in /usr/local then modify Makefile to use that version instead of the standard version.

      Something like this patch should work after you install openssl from sources in /usr/local/

  17. Hi,

    Very strange behaviour with the (/bin/cat “$tmp2” |tr -d ‘\15’) | “$DKREMOTE” “$@” part of the qmail-remote script. This was causing signing to be messed up by making these changes to the email causing the DKIM process to fail:

    a=rsa-sha1; turned into a=rsa-sha;
    x=1208651307; turned into x=28673;

    I changed the command to
    /bin/cat “$tmp2” | “$DKREMOTE” “$@”
    and it works fine.

    It looks like the ‘tr’ was meant to strip new lines. Is that correct? Does it matter that I remove it?

    David.

    1. the script should be (/bin/cat “$tmp2″ |tr -d ‘\\015′) | “$DKREMOTE” “$@”

      note the double slashes there

      with just one slash will delete every 1 and 5 in the message . but with double slashes it will strip CR chars ( ASCII dec 13, oct 015 ) . this is required by qmail to work correctly.

  18. Hi Mihai,

    Thanks for the additional patch for the recent OpenSSL. I usually try to keep just one copy of libraries on the system to make updates and maintenance simple. I’ve had some nightmare cases in the past where I couldn’t tell what was linked to which copy, and wanted to avoid that.

    For the ‘tr’ part, I found the formats below work. Double slash is needed with double quotes, otherwise single slash with single quotes:

    tr -d “\15”
    tr -d ’15’

    David.

  19. OK – I can see where the confusion is coming from. This comment software is taking out slashes. In my previous post the first should have 2, and the second should have one slash.

    Try again:
    tr -d “\\15”
    tr -d ‘\15’

  20. Anyone have any idea how to get around this ?

    make[2]: Entering directory `/home/deger/openssl-0.9.8e/apps’
    ( :; LIBDEPS=”${LIBDEPS:–L.. -lssl -L.. -lcrypto }”; LDCMD=”${LDCMD:-cc}”; LDFLAGS=”${LDFLAGS:–O}”; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep ‘^ *-L’ > /dev/null 2>&1; then echo $x | sed -e ‘s/^ *-L//’; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e ‘s/ /:/g’`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o ${LIBDEPS} )
    ../libcrypto.a(sha256.o): In function `sha256_block_data_order’:
    sha256.c:(.text+0xe3): undefined reference to `sha256_block’
    ../libcrypto.a(sha256.o): In function `sha256_block_host_order’:
    sha256.c:(.text+0x12e): undefined reference to `sha256_block’
    collect2: ld returned 1 exit status
    make[2]: *** [link_app.] Error 1
    make[2]: Leaving directory `/home/deger/openssl-0.9.8e/apps’
    make[1]: *** [openssl] Error 2
    make[1]: Leaving directory `/home/deger/openssl-0.9.8e/apps’
    make: *** [build_apps] Error 1

  21. Hi,

    I tried this on my (french) server with libdkim 1.0.19 and i also have a error after
    make LINUX=y

    g++ -c -c dkim.cpp
    g++ -c -c dns.cpp
    g++ -c -c dkimbase.cpp
    g++ -c -c dkimsign.cpp
    g++ -c -c dkimverify.cpp
    dkimverify.cpp: In function `unsigned int DecodeBase64(char*)’:
    dkimverify.cpp:221: attention : converting de valeur n�gative � -0x000000001 � vers � unsigned char �
    (this lign is repeated about 30 times and…)
    dkimverify.cpp: In function `bool ParseUnsigned(const char*, unsigned int*)’:
    dkimverify.cpp:846: attention : converting de valeur n�gative � -0x000000001 � vers � unsigned int �
    dkimverify.cpp: In member function `int CDKIMVerify::ParseDKIMSignature(const std::string&, SignatureInfo&)’:
    dkimverify.cpp:1022: attention : converting de valeur n�gative � -0x000000001 � vers � unsigned int �
    dkimverify.cpp:1050: attention : converting de valeur n�gative � -0x000000001 � vers � unsigned int �
    dkimverify.cpp:1060: attention : converting de valeur n�gative � -0x000000001 � vers � unsigned int �
    rm -f libdkim.a
    ar cr libdkim.a dkim.o dns.o dkimbase.o dkimsign.o dkimverify.o
    ranlib libdkim.a
    g++ -c -c libdkimtest.cpp
    g++ -olibdkimtest \
    -L . libdkimtest.o -lcrypto -ldkim
    ./libdkim.a(dns.o): dans la fonction � _DNSGetTXT(char const*, char*, int)�:
    dns.cpp:(.text+0x32): r�f�rence ind�finie vers � __res_query �
    dns.cpp:(.text+0x14d): r�f�rence ind�finie vers � __dn_expand �
    dns.cpp:(.text+0x1dd): r�f�rence ind�finie vers � __dn_expand �
    collect2: ld a retourn� 1 code d’�tat d’ex�cution
    make: *** [libdkimtest] Erreur 1

    Also tried with 1.0.17 but the error is it can’t find getcwd.

    First question : do i have to patch this version 1.0.19 ?
    2nd : Have i missed something or am I doing something wrong ?

    Hope you could help.
    alex

  22. it seems like it’s not using -lresolv
    your Makefile should look like this :
    # libdkim makefile for UNIX
    #

    ifdef LINUX
    CFLAGS = -c
    LFLAGS =
    LIBS = -lcrypto -lresolv
    else

  23. well, it’s my first time with make…

    1. my makefile does look like this.

    2. i browse the web and found that -lresolv searches for the library libresolv.so and that i have that libresolv-2.3.6.so in my /lib

    3. I also have libcrypto, /usr/include/openssl…

    4. I tried to go further with the error message and it says in (bad) english there’s a problem converting negative value to unsigned int or char…
    I look in dkimverify.cpp and all lines that are mentionned in my error message refer contains a “-1″… Hope this could help.

    i forgot to say i am under Gentoo Linux.
    Don’t know if it really maters.

    What can i check / do next ?

  24. performance tip: you can append “-p /dev/shm” to the mktemp command, it will reduce disk IO

    1. Very dangerous, if your small device get´s out of memory while running more than one signing processes.

  25. i’m having a very difficult time implimenting DKIM into my FreeBSD 6.2 server with OpenSSL 0.9.7, i’ve installed 0.9.8 from ports to /usr/local and have tried all of the above.. but no luck. DKIM/QMAIL/FREEBSD has 0 documentation..

  26. Hi Mihai,
    I followed all your steps to setup DKIM with libdkim-patched.
    But i am getting error while sending mail.

    “Transaction failed
    Server replied: 554 mail server permanently rejected message (#5.3.0)”

    and the mails which were in queue before returned undelivered by mentioning

    “Unable to run qmail-remote.”
    -rwxr-xr-x 1 qmailq qmail 554 Jul 5 08:25 qmail-queue
    -rwx–x–x 1 qmailq qmail 586 Jul 5 04:49 qmail-remote
    -rwx–x–x 1 root qmail 30956 Jun 28 06:42 qmail-remote.orig

    can u help me to go further?

    1. qmail-queue should be -rws–x–x
      It might not be your only problem but you should try to fix this one for now.
      I’m guessing you’re getting that error message in the smtp session.
      you should try to trace it ( the qmail-smtpd process ) with strace , you might get some ideas about where the problem might be

  27. Forgot, my permissons are as follows:
    -rwxr-xr-x 1 root qmail 561 Feb 21 02:41 qmail-remote
    -rwxr-xr-x 1 root qmail 34K Feb 17 10:30 qmail-remote.orig

    The errors i get are:
    qmail-send – delivery 1: failure: Unable_to_run_qmail-remote./

    And my previous message shows the error when i run ./qmail-remote (your script)

  28. Actually it worked with a qmailrocks install!!!
    Do not use the patches that come with qmailrocks.
    The ones that come with http://www.brandonturner.net/blog/2009/03/dkim-and-domainkeys-for-qmail/ are enough.

    If you get an error:
    [root@mnmail qmail-1.03-jms1.7.08]# sudo make setup check
    ./install
    install: fatal: unable to write …/bin/qmail-lspawn: text busy
    make: *** [setup] Error 111

    Just stop qmail and rerun “sudo make setup check” (dhuuu)

    Thx so much for your help.

  29. Hi,

    Managed to follow Rich step-by-step guide without error but when I tried to send a test mail I received “451 qq crashed (#4.3.0)” error.

    Appreciate very much if anyone could help.

    TIA

  30. Mihai, I’ve been using your script ever since freebsd 7.3 was released, and I’m curious since I’ve upgrade it to freebsd 8.0 I’m getting unable to run qmail-remote with the same working environment, just freebsd update. I’ve recompiled libdkim and libdomainkey just to fit the new environment.
    Also the jm combined patch works perfect on bsd, but brandon’s patch needs modifications regarding libs locations and includes.

    Have you faced the same problem as I’m getting here ? I know that eventually I will fix it anyway because it cannot run my system without dk / dkim, just curious if you had it already fixed.

    Thank you.

    1. I’m not using FreeBSD anymore so I have no way of testing it on freebsd 8.
      if libdkimtest and libdomainkeystest work correctly you should try to run my wrapper script directly and try to figure what the problem is .
      As for brandon’s patch modifying the libs locations and includes shouldn’t be such a big deal.

  31. having a problem here I only need to sign outgoing mail as this is a relay server only with controlled input and not MX. I downloaded the patch libdkim source and it compiled ok, I modified the shell script because it will only sign from one domain here and I just get

    delivery 4: failure: DUnable_to_run_qmail-remote./

    the permissions and owner on the script are same as original qmail-remote, libdkintest is executable …. what could be the problem?

    here’s my modified shell script wrapper:
    #!/bin//bash
    DKSIGN=”/etc/domainkeys/mydomain.com/wnews1″
    DKREMOTE=”/var/qmail/bin/qmail-remote.orig”

    DOMAIN=”mydomain.com”
    tmp=`mktemp -t dkim.sign.XXXXXXXXXXXXXXX`
    tmp2=`mktemp -t dkim.sign.XXXXXXXXXXXXXXX`

    /bin/cat – > “$tmp”
    /usr/local/bin/libdkimtest -ydefault -s “$tmp” “$DKSIGN” “$tmp2” 2> /dev/null

    (/bin/cat “$tmp2” |tr -d “\15”) | “$DKREMOTE” “$@”
    retval=$?
    rm “$tmp” “$tmp2”
    exit $retval

  32. I don’t know if it will fix your problem but this line:
    (/bin/cat “$tmp2″ |tr -d “\15″) | “$DKREMOTE” “$@”
    should be :
    (/bin/cat “$tmp2” |tr -d “\\015”) | “$DKREMOTE” “$@”

    see the difference ?

  33. strace shows it’s a permissions issue

    [pid 25908] open(“/var/qmail/bin/qmail-remote”, O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)

    but qmail-remote works
    -rwx–x–x 1 root qmail 25508 2010-11-22 10:08 qmail-remote

    and this doesn’t

    -rwx–x–x 1 root qmail 548 2010-11-22 10:10 qmail-remote

    bizarre

      1. didn’t help.
        this is bad, I need to get dkim working by march and I’d hate to have to rebuild 3 email servers to do it 🙁 (when mail is 1% of my job)

        1. Are you on linux or FreeBSD? What versions? How have you installed your current qmail version ( premade package or build from source ) ?
          Do you have any special security mechanisms enabled ( selinux, apparmor, anything else ) ?

          1. Linux.
            I built it from source, it was 4 years ago in january and I haven’t touched it much since.

            never heard of apparmor and selinux is disabled.

  34. looking around at this again I can’t find the original source. I usually keep it in /root somewhere but it’s gone on both of the relay machines, I think I’m going to have to take one offline and rebuild it. Probably use a different DKIM method in that case.

  35. I ended up getting it mostly working on another machine but when I test signing messages with various services online it fails and I noticed this which I am not sure if this is a problem but I get 3 DKIM-Signature: headers

    DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=xxxx.com;
    s=wnews1; x=1295645608; i=news@xxx.com; h=Received:From;
    b=XCWXYSap5868xcp6pkKOO3bFS1L8lq5S7ejgCp80N1rwNBIQ6RBgQspNojn6Ni
    ZN0rvOlYJ2CgWPhI31D3Mbp3T3Y4jdBZN+G858IO9Uvj7FNvjDT7qcje885UqpR7
    cq
    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;
    d=xxx.com; s=wnews1; x=1295645608; i=news@xxx.com;
    h=Received:From; bh=2jmj7l5rSw0yVb/vlWAYkK/YBwk=; b=Yf7GE8ep7pk9
    uRKDfXYT/zZ/TafUWMFlzwbNlkQxmG54GKUH+MbMAFIPDu/AiH0TWnmY+MgkrEqY
    JJIA6yx2o0HNtZWFyn+0C1Y5zsSQqtioa4nJlQQMDAVCyKefrJ7o
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
    d=xxx.com; s=wnews1; x=1295645608; i=news@xxx.com;
    h=Received:From; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=glzCBumolUOl8gjFDIoXrL2FJFbOJuDhlCsVOfYolCRW/Z2Olr5SHTJ9R/z8QL
    9k2a0Yf/Sd9DeInXWiJT3bK9721NUyDCri36Zoj7KKKvzuRlDXXIIVIbmzyA1UpW
    +/

    what could cause this? I first noticed it looking at delivered mail headers then I just didn’t remove $tmp at the end of the shell script and looked at that and it is indeed giving me 3 lines like that. I added a line to the script to echo the date to a file each time it’s invoked and it’s not being called 3 times … any idea?

Leave a Reply to DomnickCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.