Eric Shubert wrote: > Ok, but this is going to be a bit terse. You're cutting into my programming > time. :( (I'm working on qtp-install-rpmforge script, in case anyone's > wondering) > > SPF was dreamed up by yahoo (IIRC)
This is wrong. MSN is associated with SPF/SPF2. . The configuration for this is contained > in the domain's TXT record. See http://www.openspf.org/ > > DK was dreamed up by google. This is wrong too. DK/DKIM are brainchilds of yahoo. Just thought I'd set the record straight. > The configuration for consists of the private > key used for signing and stored on the server, as well as some public > information. The public information is published in 2 DNS TXT records. One > is named "_domainkey.yourdomain.com", and contains "o=-" (and some other > optional fields). The second is named > "somekeyname._domainkey.yourdomain.com", and contains 2 fields - the key > type and the public key value. I'm guessing you've already seen the wiki, or > you probably wouldn't be this far along. > > See http://en.wikipedia.org/wiki/DomainKeys for (much) more. > > P.S. Google is your friend. > > Tek Support wrote: >> Ok, now I'm confused. A long time ago I added an SPF TXT record to >> our company's DNS. I thought that was DK. Now with the newly >> installed CentOS 5 QmailToaster near the bottom of the instructions >> (10. Add domainkeys:), I thought this was DKIM since I had already had >> the SPF. >> >> What is the difference between the SPF and DK? And then what is the >> difference between DK and DKIM? >> >> Thanks >> John >> >> >> >> >> >> On Thu, Aug 28, 2008 at 2:56 PM, Eric Shubert <[EMAIL PROTECTED]> wrote: >>> As I understand it, a yahoo customer can mark an email coming from you as >>> spam, and whammy, just like that your server gets deferred. Kinda suks if >>> you ask me. I think you can contact them and go through some sort of process >>> to get un-deferred. I wouldn't want to try to go that route unless it was >>> absolutely necessary though (I've heard horror stories). >>> >>> And one more thing, it's DK we're talking about, *not* DKIM. DKIM is >>> different, sort of a successor to DK. DKIM is *not* implemented in the >>> toaster in any fashion (and probably won't be any time soon). >>> >>> Tek Support wrote: >>>> I appreciate you doing a test to yahoo, it gives me one more piece to >>>> the puzzle. I've never seriously considered the Mac to be any part of >>>> the real problem. But it's where I am in the process of elimination. >>>> I would like to turn off DKIM but Yahoo is so strange, the sometimes >>>> will block emails that are not spam, have the correct RDNS and also >>>> have a good DKIM signature. So I've been hopeful that as I implement >>>> each new little thing like DKIM, that yahoo will stop being so >>>> retarted on what they block/deffer and put into the spam folder. I've >>>> had valid emails from someone for months, and then all of a sudden >>>> they are put into my spam folder. But I can't expect yahoo to accept >>>> my emails if I'm using DKIM and my HASH doesn't work right. So like >>>> you've suggested, maybe I'll just turn it off. >>>> >>>> Thanks >>>> John >>>> >>>> >>>> >>>> >>>> >>>> On Thu, Aug 28, 2008 at 11:08 AM, Eric Shubert <[EMAIL PROTECTED]> wrote: >>>>> FWIW, I just had my Mac user send a test to yahoo, and it came through >>>>> just >>>>> fine: >>>>> >>>>> Authentication-Results: mta230.mail.re4.yahoo.com from=shubes.net; >>>>> domainkeys=pass (ok) >>>>> ... >>>>> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=private; d=shubes.net; >>>>> b=UncEkJWJcam4+5rGNSbusen0silI486Nm9KxTZRLuJoA5qQ55efjifjFRc6VKxQX; >>>>> Received: by simscan 1.3.1 ppid: 26131, pid: 26134, t: 0.0166s scanners: >>>>> clamav: 0.93.3 >>>>> >>>>> Eric Shubert wrote: >>>>>> I'd look very carefully at the Mac's configuration. I have a Mac user on >>>>>> a >>>>>> toaster signing with DKs, and haven't heard of any undeliverables. Not >>>>>> sure >>>>>> there's much if anything going to yahoo from there though. >>>>>> >>>>>> Then I'd consider turning off DK signatures. Not many servers actively >>>>>> use >>>>>> them. Even google groups (google 'invented' DKs) only uses DKs in test >>>>>> mode >>>>>> (last I checked, several months ago). >>>>>> >>>>>> Tek Support wrote: >>>>>>> Yes that's correct, both are in the same domain. >>>>>>> >>>>>>> Thanks >>>>>>> John >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Wed, Aug 27, 2008 at 10:24 PM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>> wrote: >>>>>>>> That's an odd one, all right. And I think you've described the >>>>>>>> situation >>>>>>>> pretty well (at least I think I understand what's happening). >>>>>>>> >>>>>>>> Both instances are sending from exactly the same domain, right? >>>>>>>> >>>>>>>> Tek Support wrote: >>>>>>>>> You know, I don't think it has anything to do with simscan. A staff >>>>>>>>> member in the office using a Mac laptop is sending mail to port 587 >>>>>>>>> (no TLS option available in her Mac - only SSL, but she is in the >>>>>>>>> local office and the Mail Server is in the local office, and she is >>>>>>>>> not sending her password over the internet, so it's probably fine to >>>>>>>>> go without TLS in her case). Anyway, when she sends an email to port >>>>>>>>> 587 into our mail server to yahoo, it fails with domainkey failed >>>>>>>>> error header. When I send via PC and Thuderbird into our external >>>>>>>>> firewall port forwarded into Mail Server port 587 with or without TLS >>>>>>>>> to yahoo (I've tried both ways), it works perfectly and the domainkey >>>>>>>>> header suceeded. >>>>>>>>> >>>>>>>>> In both instances (Mac internal office, PC external - internet), >>>>>>>>> simscan is listed below the Domainkey header. So since mine works and >>>>>>>>> her's does not, I don't think it is simscan/clamav. It's happening to >>>>>>>>> both of our emails, so that would not appear to be a problem. >>>>>>>>> >>>>>>>>> But, what in the world could it be? I'm obviously going to have to go >>>>>>>>> into the office and try sending from my Thunderbird out to yahoo and >>>>>>>>> see if that still works. But no matter if it does or does not, how >>>>>>>>> could Mac Mail or PC Thunderbird have anything to do with the headers >>>>>>>>> and HASH that would cause domainkeys to fail or suceed since they are >>>>>>>>> only calculated and added after the message has been handed off to >>>>>>>>> port 587 on the Mail Server? >>>>>>>>> >>>>>>>>> For referrence, the external firewall only does a packet forwarding >>>>>>>>> into our mail server for traffic on port 587, and does not rewrite >>>>>>>>> anything. >>>>>>>>> >>>>>>>>> Thanks >>>>>>>>> John >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Aug 27, 2008 at 9:06 PM, Tek Support <[EMAIL PROTECTED]> >>>>>>>>> wrote: >>>>>>>>>> Well, we probably don't need it that bad that then. >>>>>>>>>> >>>>>>>>>> Thanks >>>>>>>>>> John >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Wed, Aug 27, 2008 at 10:37 AM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>>>>> wrote: >>>>>>>>>>> I don't know, short of looking at the code. That would be in the >>>>>>>>>>> (heavily >>>>>>>>>>> patched) source code for the qmail-smtp program. Looking that up >>>>>>>>>>> would not >>>>>>>>>>> be a trivial exercise. >>>>>>>>>>> >>>>>>>>>>> Tek Support wrote: >>>>>>>>>>>> As you said (would have to), how do I determine the order they are >>>>>>>>>>>> run? Is it simply that the DKIM header is added on top of the >>>>>>>>>>>> simscan, thus simscan first and dkim 2nd? >>>>>>>>>>>> >>>>>>>>>>>> Thanks >>>>>>>>>>>> John >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Tue, Aug 26, 2008 at 2:14 PM, Eric Shubert <[EMAIL PROTECTED]> >>>>>>>>>>>> wrote: >>>>>>>>>>>>> Simscan does scan outbound mail, but scans only for viruses >>>>>>>>>>>>> (clamav), not >>>>>>>>>>>>> spam (spamassassin). This is consistent with the message you're >>>>>>>>>>>>> seeing. >>>>>>>>>>>>> >>>>>>>>>>>>> Adding the DK signature would (have to) happen after this scan. >>>>>>>>>>>>> >>>>>>>>>>>>> Tek Support wrote: >>>>>>>>>>>>>> Hi Eric, thanks for the quick reply. The reason I think it's >>>>>>>>>>>>>> doing >>>>>>>>>>>>>> outbound scanning is a specific line in the header, maybe you >>>>>>>>>>>>>> can shed >>>>>>>>>>>>>> some light on it. In an email sent from mydomain to my yahoo >>>>>>>>>>>>>> accout >>>>>>>>>>>>>> these are in the headers. The line I'm interrested in, is >>>>>>>>>>>>>> possibly >>>>>>>>>>>>>> added by yahoo, but I think it's from me. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Received: by simscan 1.3.1 ppid: 4768, pid: 4895, t: 0.0658s >>>>>>>>>>>>>> scanners: attach: 1.3.1 clamav: 0.93.3 >>>>>>>>>>>>>> >>>>>>>>>>>>>> Wouldn't simscan be run on my box, and if so, would it be done >>>>>>>>>>>>>> before >>>>>>>>>>>>>> DKIM or after? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>> John >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On Tue, Aug 26, 2008 at 9:42 AM, Eric Shubert <[EMAIL >>>>>>>>>>>>>> PROTECTED]> wrote: >>>>>>>>>>>>>>> Tek Support wrote: >>>>>>>>>>>>>>>> Hi all, recently I had asked if there was a reason to use the >>>>>>>>>>>>>>>> port 587 >>>>>>>>>>>>>>>> if I installed spamdyke (because spamdyke authenticated my >>>>>>>>>>>>>>>> dynamic >>>>>>>>>>>>>>>> users and ignored the rbls). Well, maybe I've found something >>>>>>>>>>>>>>>> that >>>>>>>>>>>>>>>> would still require me to use 587 instead of port 25. I would >>>>>>>>>>>>>>>> appreciate any info. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> As of right now, my staff are using port 25 for outbound - I >>>>>>>>>>>>>>>> just >>>>>>>>>>>>>>>> didn't see the need to have another port open to the outside >>>>>>>>>>>>>>>> when >>>>>>>>>>>>>>>> after installing spamdyke, they were able to send and were not >>>>>>>>>>>>>>>> blocked >>>>>>>>>>>>>>>> as "dynamic". But the staff have been having trouble sending >>>>>>>>>>>>>>>> to >>>>>>>>>>>>>>>> yahoo.com, and in looking at the headers on a message that >>>>>>>>>>>>>>>> finally >>>>>>>>>>>>>>>> arrived into yahoo (and gmail) the headers show this: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Authentication-Results: mta553.mail.mud.yahoo.com >>>>>>>>>>>>>>>> from=mydomain.com; >>>>>>>>>>>>>>>> domainkeys=fail (bad sig) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> But I had gone through the process step by step and tested my >>>>>>>>>>>>>>>> DKIM >>>>>>>>>>>>>>>> with the sourceforge.net sites, and those showed that my dkim >>>>>>>>>>>>>>>> seemed >>>>>>>>>>>>>>>> accurate. So, anyway in a brilliant flash of light I decided >>>>>>>>>>>>>>>> to try >>>>>>>>>>>>>>>> port 587, and on my first try I got these headers in an email >>>>>>>>>>>>>>>> sent to >>>>>>>>>>>>>>>> yahoo and gmail: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Received-SPF: pass .... >>>>>>>>>>>>>>>> DomainKey-Status: good >>>>>>>>>>>>>>>> Authentication-Results: mx.google.com; spf=pass ... >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> So, I guess my question would be, does something in the spam >>>>>>>>>>>>>>>> checking >>>>>>>>>>>>>>>> on outbound emails from pop3/smtp users (not imap and >>>>>>>>>>>>>>>> squirrelmail) >>>>>>>>>>>>>>>> with spamdyke, rewrite the headers after the dkim has >>>>>>>>>>>>>>>> processed the >>>>>>>>>>>>>>>> email which would cause my DKIM hash to be invalid when yahoo >>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>> gmail check it? >>>>>>>>>>>>>>> I don't believe that spam checking is enabled on outgoing mail, >>>>>>>>>>>>>>> at least not >>>>>>>>>>>>>>> in the 'stock' toaster. So the answer is, not that I'm aware of. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Note, squirrelmail gets a 'free pass' (open relay), due to the >>>>>>>>>>>>>>> localhost >>>>>>>>>>>>>>> line in the /etc/tcprules/tcp.smtp file. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Also, be aware that DK and DKIM are 2 different things. The >>>>>>>>>>>>>>> toaster has a >>>>>>>>>>>>>>> (somewhat broken, at least on the incoming side) DK >>>>>>>>>>>>>>> implementation. The >>>>>>>>>>>>>>> toaster has no DKIM capability. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I suppose that DK might work (better) with the port 587 >>>>>>>>>>>>>>> configuration than >>>>>>>>>>>>>>> with port 25. I wouldn't know why though, as I'm not familiar >>>>>>>>>>>>>>> with the >>>>>>>>>>>>>>> problem(s) that DK has. We had a fellow in Russia on the list a >>>>>>>>>>>>>>> while back >>>>>>>>>>>>>>> who fixed some things with it, but we haven't heard from him in >>>>>>>>>>>>>>> quite a while. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> CentOS 5 >>>>>>>>>>>>>>>> x86_64bit >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Thanks >>>>>>>>>>>>>>>> John >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> -Eric 'shubes' >>>>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> -Eric 'shubes' >>>>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> -Eric 'shubes' >>>>>>>>>>> >>>>>>>> -- >>>>>>>> -Eric 'shubes' >>>>>>>> >>> -- >>> -Eric 'shubes' >>> >>> --------------------------------------------------------------------- >>> QmailToaster hosted by: VR Hosted <http://www.vr.org> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: [EMAIL PROTECTED] >>> For additional commands, e-mail: [EMAIL PROTECTED] >>> >>> >> --------------------------------------------------------------------- >> QmailToaster hosted by: VR Hosted <http://www.vr.org> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [EMAIL PROTECTED] >> For additional commands, e-mail: [EMAIL PROTECTED] >> > > -- -Eric 'shubes' --------------------------------------------------------------------- QmailToaster hosted by: VR Hosted <http://www.vr.org> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
