How to manually install DKIM-Filter with Sendmail
Source: [click here]

Max 30 mins work. However, life is rarely so simple. yum search dkim didn't find anything. So, based on what I could find, I ended up here. Downloaded dkim-filter 2.4.1 and went on an epic voyage of discovery into the RFCs and other stuff. I just want to install, configure and run the thing! Anyway.

I thought compilation would be straightforward, but no. More unfamiliar stuff to read. I dutifully read the site.config.m4.dist, copied to devtools/Site/site.config.m4 and hoped to make some intelligent decisions on what options to enable.

# ./Build
...
>Making all in:
>/etc/mail/dkim/dkim-milter-2.4.1/dkim-filter
>Configuration: pfx=, os=Linux, rel=2.6.23.1-10.fc7, rbase=2,
>rroot=2.6.23.1-10, arch=x86_64, sfx=, variant=optimized
>Using M4=/usr/bin/m4
>Creating
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>using /etc/mail/dkim/dkim-milter-2.4.1/devtools/OS/Linux
>Making dependencies in
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>make[1]: Entering directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>rm -f sm_os.h
>ln -f -s ../../include/sm/os/sm_os_linux.h sm_os.h
>cc -M -I. -I../../include -I../libdkim/ -D_REENTRANT config.c dkim-ar.c
>dkim-filter.c stats.c test.c util.c dkim-testkey.c dkim-testssp.c >>
>Makefile
>In file included from config.h:23,
>                 from config.c:20:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from dkim-ar.h:19,
>                 from dkim-ar.c:23:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>dkim-filter.c:59:29: error: libmilter/mfapi.h: No such file or directory
>In file included from config.h:23,
>                 from dkim-filter.c:78:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from test.c:31:
>test.h:24:29: error: libmilter/mfapi.h: No such file or directory
>In file included from util.c:49:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>make[1]: *** [depend] Error 1
>make[1]: Leaving directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>Making in
>/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter
>make[1]: Entering directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>cc -O2 -I. -I../../include -I../libdkim/ -D_REENTRANT -DXP_MT -c -o
>config.o config.c
>In file included from config.h:23,
>                 from config.c:20:
>dkim-filter.h:22:29: error: libmilter/mfapi.h: No such file or directory
>In file included from config.h:23,
>                 from config.c:20:
>dkim-filter.h:86: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_connect’
>dkim-filter.h:87: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_envfrom’
>dkim-filter.h:88: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_header’
>dkim-filter.h:89: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_eoh’
>dkim-filter.h:90: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_body’
>dkim-filter.h:91: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_eom’
>dkim-filter.h:92: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_abort’
>dkim-filter.h:93: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’
>before ‘mlfi_close’
>make[1]: *** [config.o] Error 1
>make[1]: Leaving directory
>`/etc/mail/dkim/dkim-milter-2.4.1/obj.Linux.2.6.23.1-10.fc7.x86_64/dkim-filter'
>make: *** [all] Error 2

After some googling, a "yum install sendmail-devel" fixed this problem, and a ./Build -c completed successfully.

I copied /devtools/OS/Linux to /devtools/Site/site.Linux.m4

./Build install was successful after manually creating dirs /usr/man/man15 and /usr/man/man18
Fedora manuals are in /usr/share/man
The files /usr/bin/dk* should have ownership root:root instead of bin.

Sendmail of Fedora 7 is currently 8.14.1:

# sendmail -d0.1
Version 8.14.1
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
                MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
                NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
                TCPWRAPPERS USERDB USE_LDAP_INIT

I created the keys, updated the dns zone files and decided to use user smmsp instead of creating yet another user.
I created:

/var/db/dkim :
-rw-r----- 1 smmsp smmsp  887 2008-01-01 08:30 jan2008.admin.key.pem
-rw-r--r-- 1 smmsp smmsp  272 2008-01-01 08:30 jan2008.admin.public.pem

/var/run :
drwxr-xr-x 2 smmsp smmsp 4096 2008-01-04 09:23 milter

and created this basic start/stop init script: /etc/init.d/dkim-filter

then:
chkconfig --add dkim-filter
chkconfig dkim-filter on

contents:

>#
># dkim-filter Starts /usr/bin/dkim-filter
>#
># chkconfig: 2345 67 33
>#
># description: Domain Keys Milter
># processname: dkim-filter
>#
># Source function library.
>. /etc/init.d/functions
>
>[ -f /usr/bin/dkim-filter ] || exit 0
>RETVAL=0
>
>umask 077
>
>start() {
>        echo -n $"Starting dkim-filter: "
>        /usr/bin/dkim-filter -x /etc/mail/dkim.conf
>        RETVAL=$?
>        if [ $RETVAL -eq 0 ]
>        then
>                echo_success
>                touch /var/lock/subsys/dkim-filter
>        else
>                echo_failure
>        fi
>        echo
>}
>stop() {
>        echo -n $"Shutting down dkim-filter: "
>        /bin/kill `cat /var/run/milter/dkim-filter.pid 2> /dev/null ` > /dev/null 2>&1
>        RETVAL=$?
>        sleep 3
>        if [ $RETVAL -eq 0 ]
>        then
>                echo_success
>                rm -f /var/lock/subsys/dkim-filter
>                rm -f /var/run/milter/dkim-filter.pid
>        else
>                echo_failure
>        fi
>        echo
>}
>rhstatus() {
>        status dkim-filter
>}
>restart() {
>        stop
>        start
>}
>
>case "$1" in
>  start)
>        start
>        ;;
>  stop)
>        stop
>        ;;
>  status)
>        rhstatus
>        ;;
>  restart|reload)
>        restart
>        ;;
>  condrestart)
>        [ -f /var/lock/subsys/dkim-filter ] && restart || :
>        ;;
>  *)
>        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
>        exit 1
>esac
>
>exit $?

Now for configuration files:

/etc/mail/dkim.conf :

Canonicalization relaxed/simple
Domain /etc/mail/domains
KeyFile /var/db/dkim/jan2008.admin.key.pem
#MTA MTA
Selector jan2008.admin
SignatureAlgorithm rsa-sha256
Socket inet:[EMAIL PROTECTED]
#Socket /var/run/milter/dkim-filter.sock
Syslog Yes
SyslogSuccess Yes
Userid smmsp
PidFile /var/run/milter/dkim-filter.pid
SubDomains Yes
X-Header No
SendReports No

/etc/mail/domains contains just one domain on one line.
and added to sendmail.rc:

INPUT_MAIL_FILTER(`dkim-filter', `S=inet:[EMAIL PROTECTED]')

I started the script with /etc/init.d/dkim-filter start and it worked, eg:

>Jan 4 10:58:10 gaia dkim-filter[6033]: Sendmail DKIM Filter v2.4.1 starting
>(args: -x /etc/mail/dkim.conf)

It even adds signatures to my messages (hopefully to this one), but silently crashes regularly without any indication on processing a simple locally generated mail from a perl script and/or/exor from logwatch or virus notification from MailScanner.

eg: DKIMDEBUG=ct :

>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: from=<[EMAIL
>PROTECTED]>, size=1780,, nrcpts=1, msgid=<[EMAIL PROTECTED]>,
>proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
>Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 header
>Jan 3 02:57:18 gaia last message repeated 6 times
>Jan 3 02:57:18 gaia dkim-filter[6926]: thread 0x41e02950 eoh
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260:
>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: Milter (dkim-filter): to
>error state
>Jan 3 02:57:18 gaia sendmail[12260]: m031vIL6012260: to=<[EMAIL PROTECTED]>,
>delay=00:00:00, mailer=esmtp, pri=31780, stat=queued

I have spent the last couple of days trying to solve this. The only relevant information I found was Jim Hermann's useful message and thread last month:
http://www.mail-archive.com/dkim-milter-discuss@lists.sourceforge.net/msg00409.html

I'm disappointed, disillusioned and frustrated in trying to nail jelly to a wall... This doesn't say anything useful at all!

>milter_sys_read(dkim-filter): cmd read returned 0, expecting 5

It only seems to happen by locally generated mail, sometimes it even seemed as if having a Reply-To: field influenced its crash frequency, but without real diagnostic tools, skills and a lot of time, I can't solve it. I'm an experienced sysadmin, not a C programmer!
Programmers should try to make all our lives easier!

I want to get this working reliably and dependably on a few production systems, and know what options to compile with and what settings to use for Fedora, but I'm now stumped.

When it does work, another gripe is this padding too short error, which may or may not be a reason for the verification failure:

>Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080 SSL error:04067069:rsa
>routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short; error:04077068:rsa
>routines:RSA_verify:bad signature
>Jan 4 08:14:35 gaia dkim-filter[8389]: m047EY6O010080: bad signature data
>Jan 4 08:14:35 gaia sendmail[10080]: m047EY6O010080: Milter insert (1):
>header: Authentication-Results: gaia.haveland.com; dkim=neutral (verification
>failed) [EMAIL PROTECTED]

How can a gmail signature fail verification? What did it fail on? What is the "i" in "header.i"? It was a mysql mailing list, so perhaps other headers got in the way, but this isn't what I would call a robust solution! Omitheaders command in dkim.conf seems to be a blanket fudge.

If we are to stand a chance of defeating spammers, then we have to make DKIM easier to install and configure so mere mortals can install and use it, and encourage adoption. I'm sure many would like to see dkim-filter available in rpm for various distros.

However, Network Solutions, amongst others need to wake up and allow people to modify their DNS TXT attributes... Here's what their completely ridiculous FAQ says on the subject:
http://customersupport.networksolutions.com/article.php?id=369

>"Can I Make Changes To The TXT Record
>
> Network Solutions does not currently support changes to the
> TXT record for a domain name registration.
>
> The TXT Record is strictly informational, not functional."

What planet are they living on?

Cheers,
Andy.
Posted on August 15th, 2009 by Denie
Filed under: Linux, Sendmail
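
The dkim.conf in the post signs with `Canonicalization relaxed/simple` (relaxed headers, simple body) and `rsa-sha256`, and the post reports a signed message failing verification after passing through a mailing list. As an added example (not code from the original post or from dkim-filter), the following implements the two RFC 6376 body canonicalizations and the `bh=` body hash to show which in-transit body changes each mode tolerates; the sample bodies are constructed and CRLF line endings are assumed.

```python
import base64
import hashlib
import re

CRLF = b"\r\n"

def canon_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: ignore empty lines at the end; always end in one CRLF."""
    while body.endswith(CRLF):
        body = body[:-2]
    return body + CRLF

def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: also collapse runs of WSP and strip WSP at line ends."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(CRLF)]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + CRLF for ln in lines)  # an empty body stays empty

CANON = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}

def body_hash(body: bytes, canon: str = "simple", length=None) -> str:
    """Value of the bh= tag for rsa-sha256; length models the optional l= tag."""
    data = CANON[canon](body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def survives(signed: bytes, received: bytes, canon: str, length=None) -> bool:
    """True if the verifier's body hash still equals the signer's."""
    return body_hash(signed, canon, length) == body_hash(received, canon, length)

# Constructed sample bodies (not taken from the post).
SIGNED = b"Hello list,\r\n\r\nDoes this  query use the index?\r\n"
# A relay changed whitespace and appended a blank line.
RESPACED = b"Hello list, \r\n\r\nDoes this query use the index?\r\n\r\n"
# A list manager appended a footer.
FOOTER = SIGNED + b"-- \r\nList archive: http://lists.example.org/\r\n"

if __name__ == "__main__":
    for name, rcvd in (("respaced", RESPACED), ("footer", FOOTER)):
        for canon in CANON:
            print(f"{name:9} body={canon:8} bh matches: {survives(SIGNED, rcvd, canon)}")
    # With l= the hash covers only the signed prefix, so the footer is ignored,
    # but everything past that length is then unauthenticated.
    n = len(canon_body_simple(SIGNED))
    print(f"footer    body=simple l={n} bh matches: {survives(SIGNED, FOOTER, 'simple', n)}")
```

A body hash mismatch is only one way verification can fail; changed or re-ordered signed headers break the signature itself even when `bh=` still matches.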