Re: Stripping Received: headers
On 10/30/2016 5:16 AM, Den1 wrote:
>
> You are saying that "there is only one action allowed per header". I guess
> this is the reason why it does not work. My
> /^User-Agent: .*/ IGNORE triggers
>
> and all the other rules like
> /^Received: .*/ IGNORE
> /^X-Originating-IP:/ IGNORE
> and so on are not taken into account/consideration then and therefore do not
> work, is that right?

One action per header line. header_checks wouldn't be very useful if it only allowed one entry for the entire header section. Surely this is clear in the documentation.

> Plus, you mentioned in your other post that header_checks and
> smtp_header_checks if used together may mangle each other and conflict? Did

No, that's not what I said. header_checks work on input. smtp_header_checks work during smtp delivery to a remote system.

A separate statement: don't mangle headers that aren't yours.

Although I'm somewhat dismayed you can't get your header_checks working, I'll remind you that Received: headers are extremely low-value in terms of information leakage. So this isn't really worth wasting any more time on.

-- Noel Jones
Re: DKIM not verifying without signature
You can add "AlwaysAddARHeader yes". Then opendkim will always add a verification header even if there is no signature.

There are also the following options available:

On-BadSignature
On-Default
On-DNSError
On-InternalError
On-KeyNotFound
On-NoSignature
On-Security
On-SignatureError

which can be set if you want to reject or otherwise process mail with certain signature errors, for example rejecting mails with no DKIM sig.

Bill Cole: What he is after is the "There's no signature" result. Not adding a header could mean a bogus source could insert a fake "Signature valid" header and pass DKIM validation. By always adding a verification result, even when no sig is found, a fake header would mean there's a double result, or (if opendkim is configured to remove fake headers) only the genuine header, which means it can be easily detected that somebody is attempting to cheat.

-----Original message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On behalf of Robert Fitzpatrick
Sent: 30 October 2016 17:44
To: Postfix
Subject: DKIM not verifying without signature

The opendkim mailing lists seems not available any longer, so thought I'd try here. I'm trying to get a handle on how to setup DKIM properly on a gateway server, not even sure if what I'm trying to do is possible. This gateway serves as an MX with ClamAV+Amavisd+SA filtering as well as the smarthost for the subject domain. I can get opendkim to sign when coming from an entry in the TrustedHosts file, but it is not verifying unless a signature is present. Does dkim only verify when a signature is added or can I setup so the domain is verified with or without a signature? It would be ideal to get the 'Authentication-Results' header to use in SA scoring and reject as needed. I do have an SA rule now that gives a high kill score when a message hits SPF_FAIL without hitting DKIM_VALID as well. But, it seems SPF is not enough these days.

From what I understand from the opendkim man page is the 'Mode' default is 'sv' to sign and verify. Didn't think 'On-BadSignature' should be used since there is no signature. Here is my opendkim.conf:

LogWhy yes
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
KeyTable /usr/local/etc/opendkim/KeyTable
SigningTable /usr/local/etc/opendkim/SigningTable
ExternalIgnoreList /usr/local/etc/opendkim/TrustedHosts
InternalHosts /usr/local/etc/opendkim/TrustedHosts
Socket inet:8891@localhost
ReportAddress postmas...@webtent.net
SendReports yes

And the contents of my TrustedHosts file:

#127.0.0.1
#localhost
208.38.145.0/26
216.139.202.0/27

I commented out the localhost portions because it was signing twice, both after the initial Received header and then again after received by the filter. The latter two networks are internal network sources I do not want to verify, only sign.

I send a message hoping to be rejected and it is not, the resulting headers show nothing dkim related:

> Return-Path:
> Received: from mx2.webtent.net (mx2.webtent.net [216.139.202.4])
> by www1.webtent.net (8.13.8/8.13.8) with ESMTP id u9UFtNwo025106
> for ; Sun, 30 Oct 2016 11:55:23 -0400
> Received: from localhost (localhost [127.0.0.1])
> by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with ESMTP id 5991AD7E50
> for ; Sun, 30 Oct 2016 11:55:23 -0400 (EDT)
> Received: from mx2.webtent.net ([127.0.0.1]) by localhost
> (mx2.webtent.net [127.0.0.1]) (maiad, port 10024) with ESMTP id
> 08148-06 for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
> client-ip=96.254.71.164; helo=[192.168.1.110];
> envelope-from=administra...@subjectdomain.com;
> receiver=rob...@rfitz.com
> Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])
> by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with ESMTP id A11D7D7E46
> for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
> Message-ID: <581617e9.5080...@subjectdomain.com>
> Date: Sun, 30 Oct 2016 11:55:21 -0400
> From: MRI Tampa
> User-Agent: Postbox 4.0.8 (Windows/20151105)
> MIME-Version: 1.0
> To: Rob Fitzpatrick
> Subject: Test DKIM with no auth
> References: <58161558.2090...@subjectdomain.com>
> <58161684.7010...@subjectdomain.com>
> In-Reply-To: <58161684.7010...@subjectdomain.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> Content-Transfer-Encoding: 7bit
> X-Virus-Scanned: WebTent Mailguard 1.0.3
> X-Spam-Status: No, hits=-1.901 tagged_above=-999 required=5
> tests=BAYES_00=-1.9, SPF_PASS=-0.001

And the log entries show:

> root@mx2:/usr/local/etc # grep A11D7D7E46 /var/log/maillog Oct
Re: DKIM not verifying without signature
On 30 Oct 2016, at 12:43, Robert Fitzpatrick wrote:

> The opendkim mailing lists seems not available any longer, so thought I'd try here. I'm trying to get a handle on how to setup DKIM properly on a gateway server, not even sure if what I'm trying to do is possible. This gateway serves as an MX with ClamAV+Amavisd+SA filtering as well as the smarthost for the subject domain. I can get opendkim to sign when coming from an entry in the TrustedHosts file, but it is not verifying unless a signature is present. Does dkim only verify when a signature is added or can I setup so the domain is verified with or without a signature?

Can you set up magic? Or machine telepathy? If there's no DKIM signature, what exactly do you think opendkim can use to do a verification?

[snip... I'm sure it's significant, but I'm not familiar enough with opendkim to see a problem...]

> And the contents of my TrustedHosts file:
>
> #127.0.0.1
> #localhost
> 208.38.145.0/26
> 216.139.202.0/27
>
> I commented out the localhost portions because it was signing twice, both after the initial Received header and then again after received by the filter. The latter two networks are internal network sources I do not want to verify, only sign.

The trick in preventing that is not to stop trusting localhost but rather to make the after-filter smtpd instance not use opendkim. Share your 'postconf -nf' and 'postconf -Mf' output for help on doing that. It's probably just a matter of adding no_milters to the "-o receive_override_options=" directive for the after-filter smtpd definition in master.cf.

> I send a message hoping to be rejected and it is not, the resulting headers show nothing dkim related:

Right. It's not from a source you want opendkim to sign for and opendkim has no signature it could try to verify. DKIM can only provide a thumbs-up or a shrug, it has no useful repudiation result.

Anything looking at headers afterwards can see that there's no signature, which by the definition of DKIM is logically equivalent to an invalid signature. To convert the meaning of no signature into a derogatory assertion, you would need to use something like ADSP or DMARC whereby a domain owner can assert that unsigned or mis-signed mail claiming to be from them should be deemed bogus.

HOWEVER, note this:

> Return-Path:
> [...]
> Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
> client-ip=96.254.71.164; helo=[192.168.1.110];
> envelope-from=administra...@subjectdomain.com;
> receiver=rob...@rfitz.com
> [...]
> From: MRI Tampa

This means SPF has authenticated the RFC5321.MailFrom (envelope sender/Return-Path), which happens in this case to match the RFC5322.From (From header), so no rational filtering system would consider it forged or reject the mail on the basis that it lacks a DKIM signature.
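The two security points made in the replies above (that a gateway should always write its own Authentication-Results header so a sender-supplied "dkim=pass" cannot stand in for it, and that "no signature" is only a shrug until a DMARC policy says otherwise) as a runnable model. This is an added example written for this thread, not code from the posts and not OpenDKIM or Postfix code. It assumes the gateway's authserv-id is mx2.webtent.net, constructs its own sample headers (the From address and the evil.example host are made up), and takes the SPF and DKIM outcomes as input because no DNS lookup or signature check is done offline.

```python
"""Gateway-side handling of Authentication-Results (A-R) headers.

Added example for this thread, not OpenDKIM or Postfix code. Models three
steps: strip inbound A-R headers that claim to be ours, always add our own
A-R header (even for dkim=none, like OpenDKIM's AlwaysAddARHeader), then
derive a DMARC-style verdict from our header alone. All sample data and the
verification outcomes are constructed.
"""

AUTHSERV_ID = "mx2.webtent.net"   # assumption: the gateway's own authserv-id
AR = "authentication-results"


def parse(lines):
    """Constructed 'Name: value' lines -> [(name, value)]."""
    return [tuple(part.strip() for part in line.split(":", 1)) for line in lines]


def authserv_of(value):
    """The authserv-id is the first token before the first ';'."""
    return value.split(";", 1)[0].split()[0].lower()


def is_our_ar(name, value, authserv_id):
    return name.lower() == AR and authserv_of(value) == authserv_id


def strip_forged_ar(headers, authserv_id=AUTHSERV_ID):
    """Drop A-R headers naming us that were already present on arrival.

    Everything in the message at the border came from outside our trust
    boundary, so a header carrying our authserv-id is forged (RFC 8601
    has border MTAs remove these). Returns (kept, removed_count).
    """
    kept = [(n, v) for n, v in headers if not is_our_ar(n, v, authserv_id)]
    return kept, len(headers) - len(kept)


def add_ar(headers, results, authserv_id=AUTHSERV_ID):
    """Prepend our A-R header. results: [(method, result, {prop: value})]."""
    clauses = [f"{m}={r}" + "".join(f" {k}={v}" for k, v in p.items())
               for m, r, p in results]
    return [("Authentication-Results", f"{authserv_id}; " + "; ".join(clauses))] + headers


def ar_count(headers, authserv_id=AUTHSERV_ID):
    """Number of A-R headers claiming our id; 2 means a forgery survived."""
    return sum(1 for n, v in headers if is_our_ar(n, v, authserv_id))


def trusted_results(headers, authserv_id=AUTHSERV_ID):
    """Read only the topmost A-R header with our id -> {method: (result, props)}.

    Topmost is ours once strip_forged_ar and add_ar have run; if we add
    nothing, the sender's header is what a downstream filter will read.
    """
    for name, value in headers:
        if is_our_ar(name, value, authserv_id):
            found = {}
            for clause in value.split(";")[1:]:
                tokens = clause.split()
                if tokens:
                    method, result = tokens[0].split("=", 1)
                    found[method] = (result, dict(t.split("=", 1) for t in tokens[1:]))
            return found
    return {}


def aligned(domain, from_domain):
    """Relaxed alignment, simplified to 'same domain or a subdomain of it'.
    (Real DMARC compares organizational domains via the public suffix list.)"""
    domain, from_domain = domain.lower(), from_domain.lower()
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))


def dmarc_disposition(headers, from_domain, policy, authserv_id=AUTHSERV_ID):
    """Verdict from our own A-R header only. policy is the constructed p=
    value ("none", "quarantine", "reject") or None if no record is published."""
    res = trusted_results(headers, authserv_id)
    dkim_r, dkim_p = res.get("dkim", ("none", {}))
    spf_r, spf_p = res.get("spf", ("none", {}))
    if (dkim_r == "pass" and aligned(dkim_p.get("header.d", ""), from_domain)) or \
       (spf_r == "pass" and aligned(spf_p.get("smtp.mailfrom", ""), from_domain)):
        return "pass"
    # Nothing authenticated and aligned. A missing signature is still just
    # "none"; only a published policy turns it into a negative result.
    return policy or "none"


def gateway(lines, results):
    """Border processing: strip forged A-R, then add ours. Returns (headers, removed)."""
    headers, removed = strip_forged_ar(parse(lines))
    return add_ar(headers, results), removed


# Constructed sample 1: the thread's test message, SPF pass, no signature.
UNSIGNED_MSG = [
    "Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])",
    "From: MRI Tampa <sender@subjectdomain.com>",
    "Subject: Test DKIM with no auth",
]
UNSIGNED_RESULTS = [("spf", "pass", {"smtp.mailfrom": "subjectdomain.com"}),
                    ("dkim", "none", {})]

# Constructed sample 2: a forgery that ships its own "dkim=pass" in our name.
FORGED_MSG = [
    f"Authentication-Results: {AUTHSERV_ID}; dkim=pass header.d=subjectdomain.com",
    "Received: from evil.example ([192.0.2.7])",
    "From: MRI Tampa <sender@subjectdomain.com>",
]
FORGED_RESULTS = [("spf", "fail", {"smtp.mailfrom": "evil.example"}),
                  ("dkim", "none", {})]

if __name__ == "__main__":
    hdrs, _ = gateway(UNSIGNED_MSG, UNSIGNED_RESULTS)
    print("unsigned, SPF aligned, p=reject:", dmarc_disposition(hdrs, "subjectdomain.com", "reject"))
    print("forgery read when we add no A-R:", trusted_results(parse(FORGED_MSG))["dkim"][0])
    hdrs, removed = gateway(FORGED_MSG, FORGED_RESULTS)
    print("forgery: removed", removed, "verdict", dmarc_disposition(hdrs, "subjectdomain.com", "reject"))
```

The unsigned test message from the thread comes out as "pass" whatever the policy, because SPF authenticated an aligned domain; the forgery only becomes "reject" when the domain publishes p=reject, and only "none" otherwise. Skipping strip_forged_ar but still adding our header leaves two headers naming us, which is the "double result" the earlier reply describes; skipping add_ar as well lets the sender's "dkim=pass" be the only result a filter sees.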
DKIM not verifying without signature
The opendkim mailing lists seems not available any longer, so thought I'd try here. I'm trying to get a handle on how to setup DKIM properly on a gateway server, not even sure if what I'm trying to do is possible. This gateway serves as an MX with ClamAV+Amavisd+SA filtering as well as the smarthost for the subject domain. I can get opendkim to sign when coming from an entry in the TrustedHosts file, but it is not verifying unless a signature is present. Does dkim only verify when a signature is added or can I setup so the domain is verified with or without a signature? It would be ideal to get the 'Authentication-Results' header to use in SA scoring and reject as needed. I do have an SA rule now that gives a high kill score when a message hits SPF_FAIL without hitting DKIM_VALID as well. But, it seems SPF is not enough these days.

From what I understand from the opendkim man page is the 'Mode' default is 'sv' to sign and verify. Didn't think 'On-BadSignature' should be used since there is no signature. Here is my opendkim.conf:

LogWhy yes
Syslog yes
SyslogSuccess yes
Canonicalization relaxed/simple
KeyTable /usr/local/etc/opendkim/KeyTable
SigningTable /usr/local/etc/opendkim/SigningTable
ExternalIgnoreList /usr/local/etc/opendkim/TrustedHosts
InternalHosts /usr/local/etc/opendkim/TrustedHosts
Socket inet:8891@localhost
ReportAddress postmas...@webtent.net
SendReports yes

And the contents of my TrustedHosts file:

#127.0.0.1
#localhost
208.38.145.0/26
216.139.202.0/27

I commented out the localhost portions because it was signing twice, both after the initial Received header and then again after received by the filter. The latter two networks are internal network sources I do not want to verify, only sign.

I send a message hoping to be rejected and it is not, the resulting headers show nothing dkim related:

Return-Path:
Received: from mx2.webtent.net (mx2.webtent.net [216.139.202.4])
by www1.webtent.net (8.13.8/8.13.8) with ESMTP id u9UFtNwo025106
for ; Sun, 30 Oct 2016 11:55:23 -0400
Received: from localhost (localhost [127.0.0.1])
by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with ESMTP id 5991AD7E50
for ; Sun, 30 Oct 2016 11:55:23 -0400 (EDT)
Received: from mx2.webtent.net ([127.0.0.1]) by localhost
(mx2.webtent.net [127.0.0.1]) (maiad, port 10024) with ESMTP id
08148-06 for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
Received-SPF: Pass (sender SPF authorized) identity=mailfrom;
client-ip=96.254.71.164; helo=[192.168.1.110];
envelope-from=administra...@subjectdomain.com;
receiver=rob...@rfitz.com
Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])
by mx2.webtent.net (WebTent ESMTP Postfix Internet Mail Exchange) with ESMTP id A11D7D7E46
for ; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)
Message-ID: <581617e9.5080...@subjectdomain.com>
Date: Sun, 30 Oct 2016 11:55:21 -0400
From: MRI Tampa
User-Agent: Postbox 4.0.8 (Windows/20151105)
MIME-Version: 1.0
To: Rob Fitzpatrick
Subject: Test DKIM with no auth
References: <58161558.2090...@subjectdomain.com>
<58161684.7010...@subjectdomain.com>
In-Reply-To: <58161684.7010...@subjectdomain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: WebTent Mailguard 1.0.3
X-Spam-Status: No, hits=-1.901 tagged_above=-999 required=5
tests=BAYES_00=-1.9, SPF_PASS=-0.001

And the log entries show:

root@mx2:/usr/local/etc # grep A11D7D7E46 /var/log/maillog
Oct 30 11:55:21 mx2 postfix/smtpd[8876]: A11D7D7E46: client=media.rfitz.com[96.254.71.164]
Oct 30 11:55:21 mx2 postfix/cleanup[8818]: A11D7D7E46: message-id=<581617e9.5080...@subjectdomain.com>
Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: media.rfitz.com [96.254.71.164] not internal
Oct 30 11:55:21 mx2 opendkim[8799]: A11D7D7E46: not authenticated
Oct 30 11:55:21 mx2 postfix/qmgr[8810]: A11D7D7E46: from= , size=954, nrcpt=1 (queue active)
Oct 30 11:55:23 mx2 postfix/smtp[8901]: A11D7D7E46: to= , relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=0.5/0/0.01/1.7, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=08148-06, from MTA: 250 2.0.0 Ok: queued as 5991AD7E50)
Oct 30 11:55:23 mx2 postfix/qmgr[8810]: A11D7D7E46: removed

-- Robert
Re: Stripping Received: headers
Noel Jones-2 wrote
> On 10/29/2016 1:45 AM, Den1 wrote:
>> Could you please advise where exactly I place those three in order
>> for them to work (based on my postconf -n and postconf -Mf pasted here)?
>>
>> 1.) -o cleanup_service_name=subcleanup
>
> The above line may be added after any smtpd service in master.cf,
> and must be indented.
> http://www.postfix.org/smtpd.8.html
>
>> 2.) subcleanup unix n - - - 0 cleanup
>
> This line can be added anywhere in master.cf, followed by indented
> options accepted by cleanup(8), such as " -o header_checks=."
> http://www.postfix.org/cleanup.8.html
>
>> 3.) -o smtp_header_checks=regexp:/etc/postfix/header_checks
>
> smtp_header_checks are a property of the smtp(8) delivery transport.
> As such, it can be added after any "smtp" transport in master.cf.
> http://www.postfix.org/smtp.8.html
>
> Some things to keep in mind...
> - only one action is allowed per header. If a header matches
> multiple lines in your header_checks file, only the first match is
> performed.
> - You can have postfix log all the headers it examines with a
> header_check like:
> /./ INFO
> Note this prevents any further matches from being processed (one
> action per header).
> - postfix does see headers added by milters, see mime_header_checks
> (default value $header_checks).
> - postfix does not see headers added after postfix has received the
> mail, such as headers added by downstream content filters or a
> next-hop relay.
> - read the documentation! Great effort has been put into
> documenting postfix clearly and correctly.
>
> http://www.postfix.org/documentation.html
> http://www.postfix.org/header_checks.5.html
> http://www.postfix.org/postconf.5.html (for main.cf syntax)
> http://www.postfix.org/master.5.html (for master.cf syntax)
>
> -- Noel Jones

Thank you so much for your tips. I really do appreciate it. I have of course read the docs many times before trying to implement it but it still does not work. I could've missed something somewhere. I will keep on trying though.

You are saying that "there is only one action allowed per header". I guess this is the reason why it does not work. My
/^User-Agent: .*/ IGNORE triggers
and all the other rules like
/^Received: .*/ IGNORE
/^X-Originating-IP:/ IGNORE
and so on are not taken into account/consideration then and therefore do not work, is that right?

Plus, you mentioned in your other post that header_checks and smtp_header_checks if used together may mangle each other and conflict? Did I understand you correctly? I will toggle them just to test and to check if that could be the reason as well... I haven't tried yet to use either header_checks or smtp_header_checks only. I have always used them both at the same time.

Would be thankful for any further comments.

--
View this message in context: http://postfix.1071664.n5.nabble.com/Stripping-Received-headers-tp56953p86997.html
Sent from the Postfix Users mailing list archive at Nabble.com.
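The "one action per header" rule discussed in this sub-thread (in the tips quoted above and in Noel Jones's answer to them) is easy to misread: it means first-match-wins for each logical header, not one match for the whole header block. The following is an added example written for this thread, a small model of that matching, and not Postfix code; it uses the poster's three patterns as a constructed regexp table and a constructed header block modelled on the Received: lines elsewhere on this page (the recipient address in it is made up). The fold handling is modelled, not copied from Postfix: a continuation line is treated as part of the header it continues.

```python
"""Model of Postfix header_checks matching, added for this thread.

Not Postfix code. Reproduces the rules stated in the replies: patterns
are tried in table order against each logical header, the first match
decides that header's action and nothing below it is consulted, and a
catch-all such as /./ INFO placed first therefore shadows every later
rule. Folded continuation lines stay with the header they continue.
"""
import re

# Constructed regexp tables, (pattern, action) per line, as the poster wrote them.
OP_RULES = [
    (r"^User-Agent: .*", "IGNORE"),
    (r"^Received: .*", "IGNORE"),
    (r"^X-Originating-IP:", "IGNORE"),
]
SHADOWED_RULES = [(r".", "INFO")] + OP_RULES   # /./ first: every header stops here
LOGGED_RULES = OP_RULES + [(r".", "INFO")]     # /./ last: logs whatever survived


def unfold(raw):
    """Group physical lines into logical headers; a line starting with
    whitespace continues the previous header (modelled fold handling)."""
    logical = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and logical:
            logical[-1] += "\n" + line
        else:
            logical.append(line)
    return logical


def apply_header_checks(logical_headers, rules):
    """Return (kept_headers, log) using first-match-wins per header.

    Postfix regexp tables are case-insensitive by default, so the same flag
    is used here. log records (header name, action) for each matched header.
    """
    compiled = [(re.compile(p, re.IGNORECASE), a) for p, a in rules]
    kept, log = [], []
    for header in logical_headers:
        for regex, action in compiled:
            if regex.search(header):
                log.append((header.split(":", 1)[0], action))
                if action != "IGNORE":
                    kept.append(header)
                break          # one action per header: later rules are not tried
        else:
            kept.append(header)
    return kept, log


# Constructed header block; the Received: header is folded over three lines.
SAMPLE = (
    "Received: from [192.168.1.110] (media.rfitz.com [96.254.71.164])\n"
    "\tby mx2.webtent.net (Postfix) with ESMTP id A11D7D7E46\n"
    "\tfor <rcpt@example.com>; Sun, 30 Oct 2016 11:55:21 -0400 (EDT)\n"
    "X-Originating-IP: [192.168.1.110]\n"
    "From: MRI Tampa <sender@subjectdomain.com>\n"
    "User-Agent: Postbox 4.0.8 (Windows/20151105)\n"
    "Subject: Test\n"
)


def surviving_names(rules, raw=SAMPLE):
    """Names of the headers that remain after the table is applied."""
    kept, _ = apply_header_checks(unfold(raw), rules)
    return [h.split(":", 1)[0] for h in kept]


if __name__ == "__main__":
    for label, rules in (("poster's rules", OP_RULES),
                         ("/./ INFO first", SHADOWED_RULES),
                         ("/./ INFO last", LOGGED_RULES)):
        kept, log = apply_header_checks(unfold(SAMPLE), rules)
        print(f"{label}: kept {[h.split(':', 1)[0] for h in kept]}, log {log}")
```

With the poster's table all three IGNORE rules fire, one per header, and the folded Received: header disappears as a unit; it is the placement of a catch-all, not the number of rules, that stops later lines from being considered. Headers added after Postfix has accepted the message (by a content filter or the next hop) never reach this table at all, which is the other reason a rule can appear not to work.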