FWIW, I just had my Mac user send a test to yahoo, and it came through just
fine:

Authentication-Results: mta230.mail.re4.yahoo.com from=shubes.net;
domainkeys=pass (ok)
...
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=shubes.net;
b=UncEkJWJcam4+5rGNSbusen0silI486Nm9KxTZRLuJoA5qQ55efjifjFRc6VKxQX;
Received: by simscan 1.3.1 ppid: 26131, pid: 26134, t: 0.0166s scanners:
clamav: 0.93.3

Eric Shubert wrote:
> I'd look very carefully at the Mac's configuration. I have a Mac user on a
> toaster signing with DKs, and haven't heard of any undeliverables. Not sure
> there's much if anything going to yahoo from there though.
> 
> Then I'd consider turning off DK signatures. Not many servers actively use
> them. Even google groups (google 'invented' DKs) only uses DKs in test mode
> (last I checked, several months ago).
> 
> Tek Support wrote:
>> Yes that's correct, both are in the same domain.
>>
>> Thanks
>> John
>>
>>
>>
>> On Wed, Aug 27, 2008 at 10:24 PM, Eric Shubert <[EMAIL PROTECTED]> wrote:
>>> That's an odd one, all right. And I think you've described the situation
>>> pretty well (at least I think I understand what's happening).
>>>
>>> Both instances are sending from exactly the same domain, right?
>>>
>>> Tek Support wrote:
>>>> You know, I don't think it has anything to do with simscan.  A staff
>>>> member in the office using a Mac laptop is sending mail to port 587
>>>> (no TLS option available in her Mac - only SSL, but she is in the
>>>> local office and the Mail Server is in the local office, and she is
>>>> not sending her password over the internet, so it's probably fine to
>>>> go without TLS in her case).  Anyway, when she sends an email to port
>>>> 587 into our mail server to yahoo, it fails with domainkey failed
>>>> error header.  When I send via PC and Thunderbird into our external
>>>> firewall port forwarded into Mail Server port 587 with or without TLS
>>>> to yahoo (I've tried both ways), it works perfectly and the domainkey
>>>> header succeeded.
>>>>
>>>> In both instances (Mac internal office, PC external - internet),
>>>> simscan is listed below the Domainkey header.  So since mine works and
>>>> hers does not, I don't think it is simscan/clamav.  It's happening to
>>>> both of our emails, so that would not appear to be a problem.
>>>>
>>>> But, what in the world could it be?  I'm obviously going to have to go
>>>> into the office and try sending from my Thunderbird out to yahoo and
>>>> see if that still works.  But no matter if it does or does not, how
>>>> could Mac Mail or PC Thunderbird have anything to do with the headers
>>>> and HASH that would cause domainkeys to fail or succeed since they are
>>>> only calculated and added after the message has been handed off to
>>>> port 587 on the Mail Server?
>>>>
>>>> For reference, the external firewall only does a packet forwarding
>>>> into our mail server for traffic on port 587, and does not rewrite
>>>> anything.
>>>>
>>>> Thanks
>>>> John
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Aug 27, 2008 at 9:06 PM, Tek Support <[EMAIL PROTECTED]> wrote:
>>>>> Well, we probably don't need it that bad then.
>>>>>
>>>>> Thanks
>>>>> John
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Aug 27, 2008 at 10:37 AM, Eric Shubert <[EMAIL PROTECTED]> wrote:
>>>>>> I don't know, short of looking at the code. That would be in the (heavily
>>>>>> patched) source code for the qmail-smtp program. Looking that up would not
>>>>>> be a trivial exercise.
>>>>>>
>>>>>> Tek Support wrote:
>>>>>>> As you said (would have to), how do I determine the order they are
>>>>>>> run?  Is it simply that the DKIM header is added on top of the
>>>>>>> simscan, thus simscan first and dkim 2nd?
>>>>>>>
>>>>>>> Thanks
>>>>>>> John
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Aug 26, 2008 at 2:14 PM, Eric Shubert <[EMAIL PROTECTED]> wrote:
>>>>>>>> Simscan does scan outbound mail, but scans only for viruses (clamav), not
>>>>>>>> spam (spamassassin). This is consistent with the message you're seeing.
>>>>>>>>
>>>>>>>> Adding the DK signature would (have to) happen after this scan.
>>>>>>>>
>>>>>>>> Tek Support wrote:
>>>>>>>>> Hi Eric, thanks for the quick reply.  The reason I think it's doing
>>>>>>>>> outbound scanning is a specific line in the header, maybe you can shed
>>>>>>>>> some light on it.  In an email sent from mydomain to my yahoo account
>>>>>>>>> these are in the headers.  The line I'm interested in, is possibly
>>>>>>>>> added by yahoo, but I think it's from me.
>>>>>>>>>
>>>>>>>>> Received:   by simscan 1.3.1 ppid: 4768, pid: 4895, t: 0.0658s
>>>>>>>>> scanners: attach: 1.3.1 clamav: 0.93.3
>>>>>>>>>
>>>>>>>>> Wouldn't simscan be run on my box, and if so, would it be done before
>>>>>>>>> DKIM or after?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> John
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Aug 26, 2008 at 9:42 AM, Eric Shubert <[EMAIL PROTECTED]> wrote:
>>>>>>>>>> Tek Support wrote:
>>>>>>>>>>> Hi all, recently I had asked if there was a reason to use the port 587
>>>>>>>>>>> if I installed spamdyke (because spamdyke authenticated my dynamic
>>>>>>>>>>> users and ignored the rbls).  Well, maybe I've found something that
>>>>>>>>>>> would still require me to use 587 instead of port 25.  I would
>>>>>>>>>>> appreciate any info.
>>>>>>>>>>>
>>>>>>>>>>> As of right now, my staff are using port 25 for outbound - I just
>>>>>>>>>>> didn't see the need to have another port open to the outside when
>>>>>>>>>>> after installing spamdyke, they were able to send and were not blocked
>>>>>>>>>>> as "dynamic".  But the staff have been having trouble sending to
>>>>>>>>>>> yahoo.com, and in looking at the headers on a message that finally
>>>>>>>>>>> arrived into yahoo (and gmail) the headers show this:
>>>>>>>>>>>
>>>>>>>>>>> Authentication-Results:   mta553.mail.mud.yahoo.com from=mydomain.com;
>>>>>>>>>>> domainkeys=fail (bad sig)
>>>>>>>>>>>
>>>>>>>>>>> But I had gone through the process step by step and tested my DKIM
>>>>>>>>>>> with the sourceforge.net sites, and those showed that my dkim seemed
>>>>>>>>>>> accurate.  So, anyway in a brilliant flash of light I decided to try
>>>>>>>>>>> port 587, and on my first try I got these headers in an email sent to
>>>>>>>>>>> yahoo and gmail:
>>>>>>>>>>>
>>>>>>>>>>> Received-SPF: pass ....
>>>>>>>>>>> DomainKey-Status: good
>>>>>>>>>>> Authentication-Results: mx.google.com; spf=pass ...
>>>>>>>>>>>
>>>>>>>>>>> So, I guess my question would be, does something in the spam checking
>>>>>>>>>>> on outbound emails from pop3/smtp users (not imap and squirrelmail)
>>>>>>>>>>> with spamdyke, rewrite the headers after the dkim has processed the
>>>>>>>>>>> email which would cause my DKIM hash to be invalid when yahoo and
>>>>>>>>>>> gmail check it?
>>>>>>>>>> I don't believe that spam checking is enabled on outgoing mail, at least not
>>>>>>>>>> in the 'stock' toaster. So the answer is, not that I'm aware of.
>>>>>>>>>>
>>>>>>>>>> Note, squirrelmail gets a 'free pass' (open relay), due to the localhost
>>>>>>>>>> line in the /etc/tcprules/tcp.smtp file.
>>>>>>>>>>
>>>>>>>>>> Also, be aware that DK and DKIM are 2 different things. The toaster has a
>>>>>>>>>> (somewhat broken, at least on the incoming side) DK implementation. The
>>>>>>>>>> toaster has no DKIM capability.
>>>>>>>>>>
>>>>>>>>>> I suppose that DK might work (better) with the port 587 configuration than
>>>>>>>>>> with port 25. I wouldn't know why though, as I'm not familiar with the
>>>>>>>>>> problem(s) that DK has. We had a fellow in Russia on the list a while back
>>>>>>>>>> who fixed some things with it, but we haven't heard from him in quite a while.
>>>>>>>>>>
>>>>>>>>>>> CentOS 5
>>>>>>>>>>> x86_64bit
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> John
>>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> -Eric 'shubes'
>>>>>>>>>>
>>>>>>>> --
>>>>>>>> -Eric 'shubes'
>>>>>>>>
>>>>>> --
>>>>>> -Eric 'shubes'
>>>>>>
>>> --
>>> -Eric 'shubes'
>>>
> 
> 


-- 
-Eric 'shubes'
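
Added example, not part of the original thread and not the toaster's code: a simplified model of the `c=nofws` canonicalization (RFC 4870) named in the DomainKey-Signature header above, showing which changes to a message after signing leave the hashed content intact and which produce a "bad sig". It assumes no `h=` tag (so every header below the signature is covered) and stops at the SHA-1 digest rather than the RSA step; `SAMPLE`, `example.org` and the function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample message (not from the thread), CRLF line endings as on the wire.
SAMPLE = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=example.org;\r\n"
    "\tb=PLACEHOLDER;\r\n"
    "Received: by simscan 1.3.1 ppid: 1, pid: 2, t: 0.01s scanners: clamav: 0.93.3\r\n"
    "From: user@example.org\r\n"
    "Subject: test to yahoo\r\n"
    "\r\n"
    "Hello from the office.\r\n"
)

def signed_lines(raw: str) -> list[str]:
    """Lines covered by a DomainKey signature with no h= tag (assumption):
    every header below DomainKey-Signature, a blank line, then the body."""
    head, _, body = raw.partition("\r\n\r\n")
    # Unfold continuation lines so each header field occupies one line.
    headers = re.sub(r"\r\n(?=[ \t])", "", head).split("\r\n")
    idx = next(i for i, h in enumerate(headers)
               if h.lower().startswith("domainkey-signature:"))
    body_lines = body.split("\r\n")
    while body_lines and body_lines[-1] == "":
        body_lines.pop()  # trailing empty body lines are ignored
    return headers[idx + 1:] + [""] + body_lines

def nofws_digest(raw: str) -> str:
    """SHA-1 over the nofws form: all whitespace stripped from each line."""
    canon = "".join(re.sub(r"[ \t\r\n]", "", ln) + "\r\n"
                    for ln in signed_lines(raw))
    return hashlib.sha1(canon.encode("ascii")).hexdigest()

def survives(original: str, delivered: str) -> bool:
    """True if the delivered copy still hashes to what the signer hashed."""
    return nofws_digest(original) == nofws_digest(delivered)

if __name__ == "__main__":
    relayed = "Received: from relay.example.net\r\n" + SAMPLE   # added above the signature
    rewritten = SAMPLE.replace("From: user@", "From: User <user@")  # changed below it
    print("header prepended above signature:", survives(SAMPLE, relayed))
    print("signed header rewritten:", survives(SAMPLE, rewritten))
```

Comparing the raw message as it leaves the signer with the copy that arrives at the receiver, for the failing and the working client, narrows down whether a covered header or body line is being altered after the signature is computed.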
