On Wed 24/Jul/2013 13:39:37 +0200 Anders wrote:
> 
> I'll comment in-line.

Yup :-)

> I am using zdkimfilter-1.2 , provided by gentoo ebuild/portage. Compiler 
> is gcc 4.7.3

I haven't been able to find that version --see below.

>> I think that's because you set RELAYCLIENT based on the IP address,
>> and have no authsender in the control file (a control record starting
>> with 'i').  The signing domain is derived from the user id, if it has
>> a '@'.  Courier can work both ways, zdkimfilter should do so as well.
> 
> I am using courier with virtual users mapped through mysql. The full 
> email address is the user name.

So do I.

> What is a control record, and where/how do I find how they are created 
> and look like?

Control files only exist in the mail queue.  They are named Cnnnnnnn
and correspond to the Dnnnnnnn mail file with the same number.  They
are loosely documented in http://www.courier-mta.org/queue.html

>>> I run "dkimsign test.mail" and get the following output:
>>> ======================
>>> WARN: zfilter: zdkimfilter[27853]:Mismatched library versions:
>>> compile=0X2020200 link=0X2080400
>> (That warning is due to a mismatch between libopendkim-dev and the
>> actual libopendkim library.  It might cause hiccups when verifying
>> signatures --not the current issue.
> OK, does this happen at compile time, or is it something predefined by 
> zdkimfilter code? Looks like it was compiled against opendkim 2.2.2, but 
> I actually have only opendkim 2.8.4 installed (Gentoo 
> mail-filter/opendkim-2.8.4).

Yes, it is a compile time conditional.

I checked
http://packages.gentoo.org/package/mail-filter/opendkim
http://packages.gentoo.org/package/mail-filter/zdkimfilter
I found opendkim-2.8.4 (that was released on the 16th this month), but
zdkimfilter-1.1 not 1.2

The opendkim-2.2.2 version they used to build zdkimfilter seems to be
lost.

> ========================
> # ls -l /usr/lib64/libopendkim*
> lrwxrwxrwx 1 root root     20 Jul 24 12:51 /usr/lib64/libopendkim.so -> 
> libopendkim.so.9.0.1
> lrwxrwxrwx 1 root root     20 Jul 24 12:51 /usr/lib64/libopendkim.so.9 
> -> libopendkim.so.9.0.1
> -rwxr-xr-x 1 root root 136200 Jul 24 12:50 /usr/lib64/libopendkim.so.9.0.1
> ========================
> 
> I did notice a segmentation fault with courier/zdkimfilter once I have 
> started with filterctl. It happens on every received email:
> ========================
> Jul 24 13:09:14 e350 courieresmtpd: started,ip=[::ffff:216.34.181.88]
> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]: started child
> Jul 24 13:09:17 e350 courieresmtpd: 
> error,relay=::ffff:216.34.181.88,from=<courier-users-boun...@lists.sourceforge.net>:
>  
> 432 Mail filters temporarily unavailable.
> Jul 24 13:09:17 e350 submit: Bad file descriptor
> Jul 24 13:09:17 e350 submit: Connection closed when processing:
> Jul 24 13:09:17 e350 courierfilter: zdkimfilter[13997]:reading 2 names 
> completed by first call
> Jul 24 13:09:17 e350 courierfilter: 
> zdkimfilter[13997]:id=0000000000C804F7.0000000051EFB5DC.000036A7: 
> verifying dkim_eoh: No signature (stat=2)
> ========================
> 
> ...and kernel log
> ========================
> [2329247.997445] zdkimfilter[12231]: segfault at e ip 00007f41ffb36411 
> sp 00007fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+20000]
> [2329937.290754] zdkimfilter[13997]: segfault at e ip 00007f41ffb36411 
> sp 00007fff9d08ce00 error 4 in libopendkim.so.9.0.1[7f41ffb25000+20000]
> ========================

We should file a bug report.  I would have done it myself if the
version matched.  There is a function, dkim_policy(), which takes
three parameters in opendkim 2.2.2, but takes four in version 2.8.4.
Depending on the optimizations used at compile time, it might cause
such behavior.  In fact, zdkimfilter calls that function when it
verifies signatures in received messages.

>>> I run "dkimsign --domain lechevalier.se test.mail"
>> Yes, dkimsign needs the domain to create a control file similar to
>> those supplied by Courier.
> OK, so all seems OK so far then?

Yeah, I use dkimsign that way to sign messages going out through
sqwebmail.  Possibly, you could prepend it to the mail pipe, until
this issue is cleared.

>> You should have got at least a "not signing for /user id/: no
>> /something/" message if it had entered signing mode.  That's why I
>> think you don't authenticate on sending.  Please confirm that.  I'll
>> add a message for that case anyway.
> 
> No, all users must authenticate to be able to send emails (relaying 
> denied otherwise).  It could be that my courier config is completely 
> wrong, should I post it here? In that case, which of the config files 
> are interesting for you?
> 
> 
> Output from sending a test email from and...@lechevalier.se to 
> crimsoncott...@gmail.com. At least "from=" is clearly defined in the log 
> file.

There is a key_choice_header parameter that can be tweaked in order to
derive the signing domain.  Currently, it can be derived from a header
field, from the authenticated user-id, or from the default domain.
Hence it misses the possibility to derive it from the envelope sender,
which is what you get in the logged from= quoted below.  But there is
another problem:  If the sender is not authenticated, the current
version doesn't even enter signing mode.
We'd need to change the code slightly to obtain such a feature.

> ====================
> Jul 24 13:33:33 e350 courierd: 
> newmsg,id=0000000000C804F7.0000000051EFBB8D.00004626: dns; 
> [IPv6:2001:16d8:ff02:0:3d19:ef23:9df5:18fe] 
> ([2001:16d8:ff02:0:3d19:ef23:9df5:18fe])
> Jul 24 13:33:33 e350 courierd: 
> started,id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,module=esmtp,host=gmail.com,addr=<crimsoncott...@gmail.com>
> Jul 24 13:33:33 e350 courierd: Waiting.  shutdown time=none, wakeup 
> time=none, queuedelivering=1, inprogress=1
> Jul 24 13:33:34 e350 courieresmtp: 
> id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,addr=<crimsoncott...@gmail.com>:
>  
> 250 2.0.0 OK 1374665609 g5si1547113laa.79 - gsmtp
> Jul 24 13:33:34 e350 courieresmtp: 
> id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,addr=<crimsoncott...@gmail.com>,size=630,success:
>  
> delivered: gmail-smtp-in.l.google.com [173.194.71.26]
> Jul 24 13:33:34 e350 courieresmtp: 
> id=0000000000C804F7.0000000051EFBB8D.00004626,from=<and...@lechevalier.se>,addr=<crimsoncott...@gmail.com>,size=630,status:
>  
> success
> Jul 24 13:33:34 e350 courierd: 
> completed,id=0000000000C804F7.0000000051EFBB8D.00004626
> Jul 24 13:33:34 e350 courierd: Waiting.  shutdown time=Wed Jul 24 
> 13:45:45 2013, wakeup time=Wed Jul 24 13:45:45 2013, queuedelivering=0, 
> inprogress=0
> ====================
> 
> 
> This is doing a simple "echo test | mail -s testmail 
> crimsoncott...@gmail.com" as root user:
> ====================
> Jul 24 13:37:01 e350 courierd: 
> newmsg,id=0000000000C804F7.0000000051EFBC5D.00004851: dns; localhost 
> (localhost [127.0.0.1])

If you had authenticated, there would have been an additional
"auth=userid@domain".

The best practice for sending messages is to use submission port 587
and one of the available login features, me thinks.

In order to cope with RELAYCLIENT assigned based on IP address, there
are two easy possibilities that I can see:

1) Introduce a default_user, but that might be unsuitable if
   different IP addresses correspond to different users.

2) Deploy the identd lookup done by Courier (unless -noidentlookup is
   specified in TCPDOPTS), but that would impact users not having an
   identd server.

In either case, you'd then need to compile the modified program
yourself.  What do you think?
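As an added example (not zdkimfilter's or Courier's own code), here is the signing-domain derivation discussed above written out: look up the 'i' authsender record in a Courier control file, take the part after '@' if the user id has one, fall back to the default domain otherwise, and do not sign at all when nobody authenticated (the RELAYCLIENT-by-IP case). The sample control files are constructed, and record types other than 'i' are assumed.

```c
#include <stdio.h>
#include <string.h>
/* Courier control files (Cnnnnnnn in the queue) hold one record per line;
   the first character is the record type.  Per the thread, an 'i' record
   carries the authenticated sender id; other types below are assumed. */
/* Copy the authsender from the first 'i' record into out.  Returns 0 when
   no such record exists (e.g. RELAYCLIENT granted by IP, no login). */
int find_authsender(const char *ctl, char *out, size_t outsz)
{
    const char *line = ctl;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 1 && line[0] == 'i') {
            size_t n = len - 1;
            if (n >= outsz) n = outsz - 1;
            memcpy(out, line + 1, n);
            out[n] = '\0';
            return 1;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return 0;
}

/* Signing domain as the thread describes it: the part after '@' in the
   user id, else the default domain.  Returns 0 (do not sign) when the
   sender never authenticated. */
int signing_domain(const char *ctl, const char *default_domain,
                   char *out, size_t outsz)
{
    char user[256];
    if (!find_authsender(ctl, user, sizeof user))
        return 0;
    const char *at = strchr(user, '@');
    snprintf(out, outsz, "%s", at ? at + 1 : default_domain);
    return 1;
}
/* 1 if the derived domain equals expected, 0 if unsigned or different. */
int domain_matches(const char *ctl, const char *dflt, const char *expected)
{
    char dom[256];
    return signing_domain(ctl, dflt, dom, sizeof dom) && !strcmp(dom, expected);
}
/* Constructed sample control files, not taken from the thread's queue. */
const char ctl_login[] = "fdns; [IPv6:2001:db8::1]\n" /* 'f' type assumed */
                         "iandy@example.org\n";        /* authsender */
const char ctl_local[] = "ilocaluser\n";              /* user id, no '@' */
const char ctl_by_ip[] = "fdns; localhost (localhost [127.0.0.1])\n";
```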

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users