Another question I have is what is this header for? /m:47/d: 7860
Thanks John On Thu, Aug 28, 2008 at 7:47 PM, Tek Support <[EMAIL PROTECTED]> wrote: > Ok, now I'm confused. A long time ago I added an SPF TXT record to > our company's DNS. I thought that was DK. Now with the newly > installed CentOS 5 QmailToaster near the bottom of the instructions > (10. Add domainkeys:), I thought this was DKIM since I had already had > the SPF. > > What is the difference between the SPF and DK? And then what is the > difference between DK and DKIM? > > Thanks > John > > > > > > On Thu, Aug 28, 2008 at 2:56 PM, Eric Shubert <[EMAIL PROTECTED]> wrote: >> As I understand it, a yahoo customer can mark an email coming from you as >> spam, and whammy, just like that your server gets deferred. Kinda suks if >> you ask me. I think you can contact them and go through some sort of process >> to get un-deferred. I wouldn't want to try to go that route unless it was >> absolutely necessary though (I've heard horror stories). >> >> And one more thing, it's DK we're talking about, *not* DKIM. DKIM is >> different, sort of a successor to DK. DKIM is *not* implemented in the >> toaster in any fashion (and probably won't be any time soon). >> >> Tek Support wrote: >>> I appreciate you doing a test to yahoo, it gives me one more piece to >>> the puzzle. I've never seriously considered the Mac to be any part of >>> the real problem. But it's where I am in the process of elimination. >>> I would like to turn off DKIM but Yahoo is so strange, the sometimes >>> will block emails that are not spam, have the correct RDNS and also >>> have a good DKIM signature. So I've been hopeful that as I implement >>> each new little thing like DKIM, that yahoo will stop being so >>> retarted on what they block/deffer and put into the spam folder. I've >>> had valid emails from someone for months, and then all of a sudden >>> they are put into my spam folder. But I can't expect yahoo to accept >>> my emails if I'm using DKIM and my HASH doesn't work right. So like >>> you've suggested, maybe I'll just turn it off. >>> >>> Thanks >>> John >>> >>> >>> >>> >>> >>> On Thu, Aug 28, 2008 at 11:08 AM, Eric Shubert <[EMAIL PROTECTED]> wrote: >>>> FWIW, I just had my Mac user send a test to yahoo, and it came through just >>>> fine: >>>> >>>> Authentication-Results: mta230.mail.re4.yahoo.com from=shubes.net; >>>> domainkeys=pass (ok) >>>> ... >>>> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=shubes.net; >>>> b=UncEkJWJcam4+5rGNSbusen0silI486Nm9KxTZRLuJoA5qQ55efjifjFRc6VKxQX; >>>> Received: by simscan 1.3.1 ppid: 26131, pid: 26134, t: 0.0166s scanners: >>>> clamav: 0.93.3 >>>> >>>> Eric Shubert wrote: >>>>> I'd look very carefully at the Mac's configuration. I have a Mac user on a >>>>> toaster signing with DKs, and haven't heard of any undeliverables. Not >>>>> sure >>>>> there's much if anything going to yahoo from there though. >>>>> >>>>> Then I'd consider turning off DK signatures. Not many servers actively use >>>>> them. Even google groups (google 'invented' DKs) only uses DKs in test >>>>> mode >>>>> (last I checked, several months ago). >>>>> >>>>> Tek Support wrote: >>>>>> Yes that's correct, both are in the same domain. >>>>>> >>>>>> Thanks >>>>>> John >>>>>> >>>>>> >>>>>> >>>>>> On Wed, Aug 27, 2008 at 10:24 PM, Eric Shubert <[EMAIL PROTECTED]> wrote: >>>>>>> That's an odd one, all right. And I think you've described the situation >>>>>>> pretty well (at least I think I understand what's happening). >>>>>>> >>>>>>> Both instances are sending from exactly the same domain, right? >>>>>>> >>>>>>> Tek Support wrote: >>>>>>>> You know, I don't think it has anything to do with simscan. A staff >>>>>>>> member in the office using a Mac laptop is sending mail to port 587 >>>>>>>> (no TLS option available in her Mac - only SSL, but she is in the >>>>>>>> local office and the Mail Server is in the local office, and she is >>>>>>>> not sending her password over the internet, so it's probably fine to >>>>>>>> go without TLS in her case). Anyway, when she sends an email to port >>>>>>>> 587 into our mail server to yahoo, it fails with domainkey failed >>>>>>>> error header. When I send via PC and Thuderbird into our external >>>>>>>> firewall port forwarded into Mail Server port 587 with or without TLS >>>>>>>> to yahoo (I've tried both ways), it works perfectly and the domainkey >>>>>>>> header suceeded. >>>>>>>> >>>>>>>> In both instances (Mac internal office, PC external - internet), >>>>>>>> simscan is listed below the Domainkey header. So since mine works and >>>>>>>> her's does not, I don't think it is simscan/clamav. It's happening to >>>>>>>> both of our emails, so that would not appear to be a problem. >>>>>>>> >>>>>>>> But, what in the world could it be? I'm obviously going to have to go >>>>>>>> into the office and try sending from my Thunderbird out to yahoo and >>>>>>>> see if that still works. But no matter if it does or does not, how >>>>>>>> could Mac Mail or PC Thunderbird have anything to do with the headers >>>>>>>> and HASH that would cause domainkeys to fail or suceed since they are >>>>>>>> only calculated and added after the message has been handed off to >>>>>>>> port 587 on the Mail Server? >>>>>>>> >>>>>>>> For referrence, the external firewall only does a packet forwarding >>>>>>>> into our mail server for traffic on port 587, and does not rewrite >>>>>>>> anything. >>>>>>>> >>>>>>>> Thanks >>>>>>>> John >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Aug 27, 2008 at 9:06 PM, Tek Support <[EMAIL PROTECTED]> wrote: >>>>>>>>> Well, we probably don't need it that bad that then. >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> John >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Aug 27, 2008 at 10:37 AM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>>>> wrote: >>>>>>>>>> I don't know, short of looking at the code. That would be in the >>>>>>>>>> (heavily >>>>>>>>>> patched) source code for the qmail-smtp program. Looking that up >>>>>>>>>> would not >>>>>>>>>> be a trivial exercise. >>>>>>>>>> >>>>>>>>>> Tek Support wrote: >>>>>>>>>>> As you said (would have to), how do I determine the order they are >>>>>>>>>>> run? Is it simply that the DKIM header is added on top of the >>>>>>>>>>> simscan, thus simscan first and dkim 2nd? >>>>>>>>>>> >>>>>>>>>>> Thanks >>>>>>>>>>> John >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Tue, Aug 26, 2008 at 2:14 PM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>>>>>> wrote: >>>>>>>>>>>> Simscan does scan outbound mail, but scans only for viruses >>>>>>>>>>>> (clamav), not >>>>>>>>>>>> spam (spamassassin). This is consistent with the message you're >>>>>>>>>>>> seeing. >>>>>>>>>>>> >>>>>>>>>>>> Adding the DK signature would (have to) happen after this scan. >>>>>>>>>>>> >>>>>>>>>>>> Tek Support wrote: >>>>>>>>>>>>> Hi Eric, thanks for the quick reply. The reason I think it's >>>>>>>>>>>>> doing >>>>>>>>>>>>> outbound scanning is a specific line in the header, maybe you can >>>>>>>>>>>>> shed >>>>>>>>>>>>> some light on it. In an email sent from mydomain to my yahoo >>>>>>>>>>>>> accout >>>>>>>>>>>>> these are in the headers. The line I'm interrested in, is >>>>>>>>>>>>> possibly >>>>>>>>>>>>> added by yahoo, but I think it's from me. >>>>>>>>>>>>> >>>>>>>>>>>>> Received: by simscan 1.3.1 ppid: 4768, pid: 4895, t: 0.0658s >>>>>>>>>>>>> scanners: attach: 1.3.1 clamav: 0.93.3 >>>>>>>>>>>>> >>>>>>>>>>>>> Wouldn't simscan be run on my box, and if so, would it be done >>>>>>>>>>>>> before >>>>>>>>>>>>> DKIM or after? >>>>>>>>>>>>> >>>>>>>>>>>>> Thanks >>>>>>>>>>>>> John >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On Tue, Aug 26, 2008 at 9:42 AM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> Tek Support wrote: >>>>>>>>>>>>>>> Hi all, recently I had asked if there was a reason to use the >>>>>>>>>>>>>>> port 587 >>>>>>>>>>>>>>> if I installed spamdyke (because spamdyke authenticated my >>>>>>>>>>>>>>> dynamic >>>>>>>>>>>>>>> users and ignored the rbls). Well, maybe I've found something >>>>>>>>>>>>>>> that >>>>>>>>>>>>>>> would still require me to use 587 instead of port 25. I would >>>>>>>>>>>>>>> appreciate any info. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> As of right now, my staff are using port 25 for outbound - I >>>>>>>>>>>>>>> just >>>>>>>>>>>>>>> didn't see the need to have another port open to the outside >>>>>>>>>>>>>>> when >>>>>>>>>>>>>>> after installing spamdyke, they were able to send and were not >>>>>>>>>>>>>>> blocked >>>>>>>>>>>>>>> as "dynamic". But the staff have been having trouble sending to >>>>>>>>>>>>>>> yahoo.com, and in looking at the headers on a message that >>>>>>>>>>>>>>> finally >>>>>>>>>>>>>>> arrived into yahoo (and gmail) the headers show this: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Authentication-Results: mta553.mail.mud.yahoo.com >>>>>>>>>>>>>>> from=mydomain.com; >>>>>>>>>>>>>>> domainkeys=fail (bad sig) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> But I had gone through the process step by step and tested my >>>>>>>>>>>>>>> DKIM >>>>>>>>>>>>>>> with the sourceforge.net sites, and those showed that my dkim >>>>>>>>>>>>>>> seemed >>>>>>>>>>>>>>> accurate. So, anyway in a brilliant flash of light I decided >>>>>>>>>>>>>>> to try >>>>>>>>>>>>>>> port 587, and on my first try I got these headers in an email >>>>>>>>>>>>>>> sent to >>>>>>>>>>>>>>> yahoo and gmail: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Received-SPF: pass .... >>>>>>>>>>>>>>> DomainKey-Status: good >>>>>>>>>>>>>>> Authentication-Results: mx.google.com; spf=pass ... >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> So, I guess my question would be, does something in the spam >>>>>>>>>>>>>>> checking >>>>>>>>>>>>>>> on outbound emails from pop3/smtp users (not imap and >>>>>>>>>>>>>>> squirrelmail) >>>>>>>>>>>>>>> with spamdyke, rewrite the headers after the dkim has processed >>>>>>>>>>>>>>> the >>>>>>>>>>>>>>> email which would cause my DKIM hash to be invalid when yahoo >>>>>>>>>>>>>>> and >>>>>>>>>>>>>>> gmail check it? >>>>>>>>>>>>>> I don't believe that spam checking is enabled on outgoing mail, >>>>>>>>>>>>>> at least not >>>>>>>>>>>>>> in the 'stock' toaster. So the answer is, not that I'm aware of. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Note, squirrelmail gets a 'free pass' (open relay), due to the >>>>>>>>>>>>>> localhost >>>>>>>>>>>>>> line in the /etc/tcprules/tcp.smtp file. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Also, be aware that DK and DKIM are 2 different things. The >>>>>>>>>>>>>> toaster has a >>>>>>>>>>>>>> (somewhat broken, at least on the incoming side) DK >>>>>>>>>>>>>> implementation. The >>>>>>>>>>>>>> toaster has no DKIM capability. >>>>>>>>>>>>>> >>>>>>>>>>>>>> I suppose that DK might work (better) with the port 587 >>>>>>>>>>>>>> configuration than >>>>>>>>>>>>>> with port 25. I wouldn't know why though, as I'm not familiar >>>>>>>>>>>>>> with the >>>>>>>>>>>>>> problem(s) that DK has. We had a fellow in Russia on the list a >>>>>>>>>>>>>> while back >>>>>>>>>>>>>> who fixed some things with it, but we haven't heard from him in >>>>>>>>>>>>>> quite a while. >>>>>>>>>>>>>> >>>>>>>>>>>>>>> CentOS 5 >>>>>>>>>>>>>>> x86_64bit >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>> John >>>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> -Eric 'shubes' >>>>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> -Eric 'shubes' >>>>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> -Eric 'shubes' >>>>>>>>>> >>>>>>> -- >>>>>>> -Eric 'shubes' >>>>>>> >> >> >> -- >> -Eric 'shubes' >> >> --------------------------------------------------------------------- >> QmailToaster hosted by: VR Hosted <http://www.vr.org> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> >> > --------------------------------------------------------------------- QmailToaster hosted by: VR Hosted <http://www.vr.org> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]