
DKIM and DomainKeys for qmail

March 19th, 2009

DomainKeys and its successor, DomainKeys Identified Mail (DKIM), are technologies that allow an organization to take responsibility for a message. This is done by cryptographically signing an email as it leaves the organization en route to its destination. The receiver verifies the signature against a public key published in DNS, which is what establishes trust. In theory the technologies help cut down on spam by proving that a message originated from the domain it claims to come from.

Support for DomainKeys in qmail has existed for a while thanks to a patch by Russell Nelson. Kyle Wheeler created a set of wrapper scripts that can be used to provide support for DKIM and DomainKeys. Mihai Secasiu has some wrapper scripts similar to Kyle’s that provide support for DKIM via the libdkim library instead of Perl’s Mail::DKIM module.

The current methods take different approaches to implementing DKIM and DomainKeys. The DomainKeys patch creates a single program, qmail-dk, that is called before qmail-queue. This program signs or verifies all incoming messages (which may later become outbound) based on the existence of the DKSIGN and DKVERIFY variables. The DKIM wrapper scripts wrap qmail-remote to sign messages and wrap qmail-queue (or qmail-dk) to verify incoming messages. This is easier to understand by looking at the qmail big picture.

I prefer separate programs for signing outbound messages and verifying inbound messages, as this allows signing all outbound messages, even those (such as NDRs) that never pass through qmail-queue. I also prefer patching qmail, as it tends to be a little easier and requires less configuration after qmail is installed.

In this post I will show you how to patch qmail to support DKIM as well as DomainKeys. My qmail DKIM/DomainKeys patch uses neither Russell Nelson’s DomainKeys patch nor Kyle Wheeler’s DKIM/DomainKeys wrappers, but borrows ideas from both. My patch uses the libdomainkeys and libdkim libraries to do the actual signing and verifying. Rather than creating two new programs, I patch qmail-smtpd (for verifying) and qmail-remote (for signing) directly.

I’ll do my best to provide step by step instructions for patching and installing for you non-Gentoo users, but in my next post I’ll share my ebuild which does it all for you.


1. Install libdomainkeys

The libdomainkeys library is used to sign and verify DomainKeys signatures.

$ wget http://downloads.sourceforge.net/domainkeys/libdomainkeys-0.69.tar.gz
$ tar -xzf libdomainkeys-0.69.tar.gz
$ cd libdomainkeys-0.69
$ make
(If you get errors during make, edit the Makefile and add -lresolv to the end of the LIBS line)
$ sudo install -m 644 libdomainkeys.a /usr/local/lib
$ sudo install -m 644 domainkeys.h dktrace.h /usr/local/include
$ sudo install -m 755 dknewkey /usr/local/bin
$ cd ..


2. Install libdkim

The libdkim library is used to sign and verify DKIM signatures. You’ll need g++ to compile this on your system. The library claims to be portable, but I needed to patch it to get it to compile on my Gentoo box. I’ve also included a (slightly modified) patch from Mihai Secasiu that makes working with libdkimtest much easier.

$ wget http://downloads.sourceforge.net/libdkim/libdkim-1.0.19.zip
$ wget http://www.bltweb.net/qmail/libdkim-1.0.19-linux.patch
$ wget http://www.bltweb.net/qmail/libdkim-1.0.19-extra-options.patch
$ unzip libdkim-1.0.19.zip
$ cd libdkim/src
$ patch -p2 < ../../libdkim-1.0.19-linux.patch
$ patch -p2 < ../../libdkim-1.0.19-extra-options.patch
$ make
$ sudo make install
$ cd ../..


3. Patch and install qmail

I’m currently using John Simpson’s qmail Combined Patch Set for my qmail installation. The instructions below highlight how to apply my DKIM/DomainKeys patch on top of John’s combined patch. I’d highly recommend checking out John’s combined patch as it is about as close as you can get to an actively maintained qmail.

I’m not attempting to describe or document John’s patch in any way in this post, as John runs an excellent site about qmail (qmail.jms1.net) that contains far more information than is contained here. Do not attempt to proceed without reading through John’s documentation as well as the rest of this post.

$ wget http://cr.yp.to/software/qmail-1.03.tar.gz
$ wget http://qmail.jms1.net/patches/qmail-1.03-jms1.7.08.patch
$ wget http://www.bltweb.net/qmail/qmail-1.03-jms1.7.08-dkim-r1.patch
$ tar -xzf qmail-1.03.tar.gz
$ mv qmail-1.03 qmail-1.03-jms1.7.08
$ cd qmail-1.03-jms1.7.08
$ patch < ../qmail-1.03-jms1.7.08.patch
$ patch -p1 < ../qmail-1.03-jms1.7.08-dkim-r1.patch
$ sed -ie '1s/$/ -DDKIM/' conf-cc
$ make
$ make man
$ sudo make setup check
$ cd ..


4. Configure DKIM/DomainKeys signing

Signing is done by qmail-remote and is controlled by the dksign control file. Signatures are created using a private key on your system, and verified by a public key stored in the DNS for the email domain.

Generate keys

Before you can sign an email, you must create at least one public/private key pair. You should create key pairs for every domain you wish to sign. To create keys for example.com:

# mkdir -p /etc/domainkeys/example.com
# cd /etc/domainkeys/example.com
# dknewkey default 1024 > default.pub
# chown -R root:root /etc/domainkeys
# chmod 640 /etc/domainkeys/example.com/default
# chown root:qmail /etc/domainkeys/example.com/default

It is very important that the default file be readable only by root and the group that qmailr (the qmail-remote user) belongs to. This file is the private key used for signing messages; if it is compromised, anyone holding it can sign messages as your domain.

Now add a TXT record to the DNS for default._domainkey.example.com containing the quoted part of /etc/domainkeys/example.com/default.pub. NOTE: You normally want to include the quotes!
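As an added example (not part of the original post and not the author’s patch), here is a small Python helper that turns the dknewkey .pub line into the zone entry for default._domainkey.<your domain> and sanity-checks the value before it is pasted into DNS. The function names are my own; the key in SAMPLE_PUB is the made-up public key from the post’s examples. The one caveat it encodes that the post does not spell out: a DNS TXT record consists of character-strings of at most 255 octets each, so a value longer than that (a 2048-bit key, for instance) must be published as several quoted strings, which resolvers concatenate.

```python
import base64
import binascii
import re

# Constructed sample: the .pub line format printed by dknewkey, using the
# made-up public key from the post's examples (not a real key).
SAMPLE_PUB = ('default._domainkey IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDb'
              'FnVeFZdlud6/xvLoMt2/g9qrQzZjg6mopp4IYgPwNxRfQTsvYJo4dxP/aIt5UcL1YWtEnOm6/VL+'
              'wzj33WvVGL8GWdJDcUWGpCOysWuKasH/sXCaxoZSFMNM02K5pOgzaIVinWZNLIv+yaDSnBC3zb35'
              'HoQOnU4KLySECWPRuQIDAQAB"')

TXT_STRING_LIMIT = 255  # maximum octets per TXT character-string (RFC 1035)


def parse_pub_line(line):
    """Split a dknewkey .pub line into (owner, txt_value); the value is the quoted part."""
    m = re.match(r'^(\S+)\s+IN\s+TXT\s+"(.*)"\s*$', line.strip())
    if not m:
        raise ValueError("not a dknewkey TXT line: %r" % line)
    return m.group(1), m.group(2)


def parse_tags(value):
    """Parse 'k=rsa; p=...' into a dict of tag -> value."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        tag, _, val = item.partition("=")
        tags[tag.strip()] = val.strip()
    return tags


def check_txt_value(value):
    """Return a list of problems with a DomainKeys/DKIM TXT value (empty list means ok)."""
    problems = []
    tags = parse_tags(value)
    if tags.get("k", "rsa") != "rsa":
        problems.append("unsupported key type k=%s" % tags["k"])
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        # The post's result tables treat an empty p= as a revoked selector.
        problems.append("p= is empty, which verifiers treat as a revoked selector")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64 (truncated or mangled when copying?)")
    return problems


def txt_strings(value, limit=TXT_STRING_LIMIT):
    """Split the value into <=255-octet pieces so it can be published as one TXT record."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_line(domain, pub_line):
    """Build the zone-file line for <owner>.<domain> from the .pub line."""
    owner, value = parse_pub_line(pub_line)
    problems = check_txt_value(value)
    if problems:
        raise ValueError("; ".join(problems))
    quoted = " ".join('"%s"' % piece for piece in txt_strings(value))
    return "%s.%s. IN TXT %s" % (owner, domain, quoted)


if __name__ == "__main__":
    print(zone_line("example.com", SAMPLE_PUB))
```

Run it after dknewkey and paste the printed line into the zone; if check_txt_value reports a base64 problem, the p= value was cut or wrapped somewhere between the file and your editor, which is the usual cause of a NOKEY/BADKEY result at the receiving side.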

Configure control files

Create a file /var/qmail/control/dksign containing one line:

/etc/domainkeys/%/default

The % will be replaced with the domain name in the From: header (or the Sender: header if it exists). If no file exists for the given domain, parent domains will be tried. For example, if the message is from foo@bar.example.com, /etc/domainkeys/bar.example.com/default is tried first, then /etc/domainkeys/example.com/default. If no key can be found, the message is sent unsigned. If a key exists but cannot be read or contains invalid data, the message will not be sent and will remain in the queue until the problem is fixed.

If you do not create the /var/qmail/control/dksign file, no messages will be signed.
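The lookup described above, as an added Python model (mine, not code from the qmail patch): pick the signing domain from Sender: or From:, expand the % in the dksign template, walk up the parent domains, and distinguish a missing key (send unsigned) from an unreadable one (delivery fails and the message stays queued). The function names are assumptions, and so is the detail that the walk stops before the bare top-level label, which the post does not state. The exists/readable callbacks are parameters so the logic can be exercised against a fake filesystem.

```python
import os
from email import message_from_string
from email.utils import parseaddr

# The control/dksign template from the post; % is replaced by the sending domain.
DKSIGN_TEMPLATE = "/etc/domainkeys/%/default"


def signing_domain(raw_message):
    """Domain qmail-remote would sign for: the Sender: header if present, else From:."""
    msg = message_from_string(raw_message)
    for header in ("Sender", "From"):
        value = msg.get(header)
        if value:
            _, addr = parseaddr(value)
            if "@" in addr:
                return addr.rsplit("@", 1)[1].lower()
    return None


def candidate_key_paths(domain, template=DKSIGN_TEMPLATE):
    """Expand % with the domain, then each parent domain, most specific first.

    Assumption (not stated in the post): the walk stops before the bare TLD."""
    if "%" not in template:
        return [template]  # absolute path: one key signs every domain
    labels = domain.split(".")
    paths = []
    while len(labels) >= 2:
        paths.append(template.replace("%", ".".join(labels)))
        labels = labels[1:]
    return paths


def resolve_signing_key(domain, template=DKSIGN_TEMPLATE,
                        exists=os.path.exists,
                        readable=lambda p: os.access(p, os.R_OK)):
    """Return the key path to sign with, or None to send the message unsigned.

    Mirrors the behaviour the post describes: a missing key means the message
    goes out unsigned; a key that exists but cannot be read is an error that
    keeps the message in the queue, modelled here as PermissionError."""
    for path in candidate_key_paths(domain, template):
        if exists(path):
            if not readable(path):
                raise PermissionError("signing key %s exists but is not readable" % path)
            return path
    return None


def signing_key_for_message(raw_message, **probe):
    """Convenience wrapper: header selection plus key lookup in one call."""
    domain = signing_domain(raw_message)
    if domain is None:
        return None
    return resolve_signing_key(domain, **probe)


if __name__ == "__main__":
    sample = "From: Alice <alice@bar.example.com>\nSubject: hi\n\nbody\n"  # constructed
    print(candidate_key_paths(signing_domain(sample)))
```

The PermissionError branch is the case worth testing on a real box: a key file owned root:root with mode 640 is "present but unreadable" to qmailr, and the symptom is mail piling up in the queue rather than going out unsigned.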

Test outbound signing

Now that DKIM/DomainKeys signing is configured, you can test it by sending an email to sa-test (at) sendmail dot net. This reflector will reply (within seconds) to the envelope sender with a status of the DomainKeys and DKIM signatures.

If you experience problems, consult the qmail-remote man page or post a comment below and I’ll try to help.


5. Configure DKIM/DomainKeys verification

Verification is performed by qmail-smtpd and is controlled by the DKVERIFY environment variable. Messages are only verified if DKVERIFY is set and RELAYCLIENT is not set. You may control which IP addresses are verified using the tcpserver access file (sometimes stored in /etc/tcprules.d/tcp.qmail-smtp).

When verifying a message, the contents of DKVERIFY are checked against the status of the DomainKeys and DKIM results. Each test result is represented by a letter. DKVERIFY should contain a series of letters for DomainKeys results, a comma, and then a series of letters for the DKIM results. If the letter is uppercase, the message will be rejected (hard error). If the letter is lowercase, the message will be deferred (soft error). The DKVERIFY variable can be set but empty, in which case messages will be verified and an Authentication-Results: header will be added but all messages will be accepted regardless of status.

The letters for DomainKeys results are:

Code  Status      Description
A     OK          The message contained a signature which correctly matched the contents of the message.
B     BADSIG      The message contained a signature which DID NOT correctly match the contents of the message. The signature may be forged, or the content may have been changed after the original server applied the signature.
C     NOSIG       The message did not contain a DomainKey-Signature header, or contained one which was missing a required field, or had a signature header without a “From:” header.
D     NOKEY       The public key needed to verify the signature does not exist (i.e. the authoritative DNS server for the domain says that the TXT record which should contain the key does not exist).
E     BADKEY      The public key which was found in DNS is not usable.
F     CANTVRFY    The public key needed to verify the signature cannot be found, because the DNS server which should have the key is not responding, or returned a temporary error condition. The DomainKeys specification says that the server SHOULD treat this as a soft error, telling the client to try their delivery again at some point in the future.
G     SYNTAX      The message is not in the proper format. This could be an improperly formatted email address, a duplicate “From:” header in the message, or any number of things which “confuse” the program.
H     NORESOURCE  Out of memory. The DomainKeys specification says that the server SHOULD treat this as a soft error, telling the client to try their delivery again at some point in the future.
I     ARGS        Arguments are not usable.
J     REVOKED     The key which was used to generate the signature has been revoked.
K     INTERNAL    There was an internal error in the libdomainkeys library.

The letters for the DKIM results are:

Code  Status              Description
A     OK                  The message contained a signature which correctly matched the contents of the message.
B     FAIL                The message failed verification.
C     BAD_SYNTAX          The DKIM-Signature header could not be parsed or had bad tags/values.
D     SIG BAD             RSA verify failed.
E     SIG BAD (testing)   RSA verify failed, but the selector is in testing mode.
F     SIG EXPIRED         Signature is expired (x= is old).
G     SELECTOR INVALID    Selector doesn’t parse or contains invalid values.
H     SELECTOR MISMATCH   Selector granularity doesn’t match.
I     SELECTOR REVOKED    The selector was revoked (p= is empty).
J     DOMAIN TOO LONG     The domain name is too long to request.
K     DNS TEMP FAIL       Temporary DNS error requesting the public key.
L     DNS PERM FAIL       Permanent DNS error requesting the public key.
M     PUBLIC KEY INVALID  Public key isn’t valid or can’t be parsed.
N     NO SIG              The message contains no DKIM signatures.
O     NO VALID SIG        The message contains no valid signatures.
P     BAD BODY HASH       The message body doesn’t verify.
Q     ALGORITHM MISMATCH  The selector (h=) doesn’t match the signature (a=).
R     STAT INCOMPAT       Incompatible v=.

I recommend a DKVERIFY value of DEGIJKfh,CGHIJMQRkl. This will only reject improperly formatted messages. Messages that don’t verify will still be allowed. I would advise against rejecting messages that don’t verify as there are still some problems with DomainKeys and DKIM (such as mailing lists). Rather than rejecting bad signatures, incorporate the Authentication-Results header into your broader spam prevention strategy.

The Authentication-Results header

When DKVERIFY is set, qmail-smtpd adds an Authentication-Results header to every message it receives. The header conforms to the IETF internet draft. Here’s an example from one of my emails:

Authentication-Results: bltweb.net; domainkeys=pass (ok); dkim=pass (ok)
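To make the DKVERIFY semantics concrete, here is an added Python model of the decision qmail-smtpd makes from a DKVERIFY value, a DomainKeys result and a DKIM result, together with the Authentication-Results header it prepends. This is my illustration, not the patch’s code: the result tables and the letter positions are transcribed from the tables above, the recommended value is the one from this post, and RELAYCLIENT/DKVERIFY being "set" is modelled as the variable not being None (qmail treats an empty-but-set variable as set). The strings "pass (ok)" and "none (no signature)" appear on this page; the "fail (...)" wording for the other results is an assumption.

```python
# Result tables transcribed from the post; a result's letter is its position (A = index 0).
DK_RESULTS = ["OK", "BADSIG", "NOSIG", "NOKEY", "BADKEY", "CANTVRFY", "SYNTAX",
              "NORESOURCE", "ARGS", "REVOKED", "INTERNAL"]
DKIM_RESULTS = ["OK", "FAIL", "BAD_SYNTAX", "SIG_BAD", "SIG_BAD_TESTING", "SIG_EXPIRED",
                "SELECTOR_INVALID", "SELECTOR_MISMATCH", "SELECTOR_REVOKED",
                "DOMAIN_TOO_LONG", "DNS_TEMP_FAIL", "DNS_PERM_FAIL", "PUBLIC_KEY_INVALID",
                "NO_SIG", "NO_VALID_SIG", "BAD_BODY_HASH", "ALGORITHM_MISMATCH",
                "STAT_INCOMPAT"]

RECOMMENDED_DKVERIFY = "DEGIJKfh,CGHIJMQRkl"  # the value recommended in the post


def result_letter(table, status):
    """Letter for a result: 'A' for index 0, 'B' for index 1, and so on."""
    return chr(ord("A") + table.index(status))


def parse_dkverify(value):
    """Split 'DK-letters,DKIM-letters'; an empty value yields two empty strings."""
    dk, _, dkim = value.partition(",")
    return dk, dkim


def verdict(dkverify, relayclient, dk_status, dkim_status):
    """'skip' (not verified), 'accept', 'defer' (soft/4xx) or 'reject' (hard/5xx).

    Uppercase letter in DKVERIFY -> reject, lowercase -> defer; a reject on either
    result wins over a defer on the other. None means the variable is not set."""
    if dkverify is None or relayclient is not None:
        return "skip"
    dk_letters, dkim_letters = parse_dkverify(dkverify)
    outcome = "accept"
    for letters, table, status in ((dk_letters, DK_RESULTS, dk_status),
                                   (dkim_letters, DKIM_RESULTS, dkim_status)):
        letter = result_letter(table, status)
        if letter.upper() in letters:
            return "reject"
        if letter.lower() in letters:
            outcome = "defer"
    return outcome


def authentication_results(authserv_id, dk_status, dkim_status):
    """Header in the form the post shows; 'fail (...)' wording is assumed."""
    def describe(status, no_sig):
        if status == "OK":
            return "pass (ok)"
        if status == no_sig:
            return "none (no signature)"
        return "fail (%s)" % status.lower().replace("_", " ")
    return "Authentication-Results: %s; domainkeys=%s; dkim=%s" % (
        authserv_id, describe(dk_status, "NOSIG"), describe(dkim_status, "NO_SIG"))


def explain(dkverify):
    """Which results a DKVERIFY value rejects and defers, by name, for review."""
    dk, dkim = parse_dkverify(dkverify)
    out = {}
    for name, letters, table in (("domainkeys", dk, DK_RESULTS), ("dkim", dkim, DKIM_RESULTS)):
        out[name] = {
            "reject": [table[ord(c) - ord("A")] for c in letters if c.isupper()],
            "defer": [table[ord(c) - ord("a")] for c in letters if c.islower()],
        }
    return out


if __name__ == "__main__":
    print(explain(RECOMMENDED_DKVERIFY))
    print(authentication_results("bltweb.net", "BADSIG", "OK"))
```

explain() is the useful part when reviewing a tcprules entry: it shows at a glance that the recommended value never rejects BADSIG or FAIL, which is exactly the mailing-list caveat the post makes, while still bouncing messages whose signature or selector is malformed.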


6. Examples

Here are some examples to help you configure your box. Anything that normally should be private is made up.

Keys

For my bltweb.net domain name, here’s what my keys look like (these are not the actual keys installed on my system, those are private):

$ ls -l /etc/domainkeys/bltweb.net
total 8.0K
-rw-r----- 1 root qmail 887 Mar 4 18:49 default
-rw-r--r-- 1 root root  254 Mar 4 18:49 default.pub

$ cat /etc/domainkeys/bltweb.net/default.pub
default._domainkey IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbFnVeFZdlud6/xvLoMt2/g9qrQzZjg6mopp4IYgPwNxRfQTsvYJo4dxP/aIt5UcL1YWtEnOm6/VL+wzj33WvVGL8GWdJDcUWGpCOysWuKasH/sXCaxoZSFMNM02K5pOgzaIVinWZNLIv+yaDSnBC3zb35HoQOnU4KLySECWPRuQIDAQAB"

$ sudo cat /etc/domainkeys/bltweb.net/default
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
-----END RSA PRIVATE KEY-----

Signing Configuration

To sign emails for all domains for which I have a key in /etc/domainkeys, I set the control/dksign configuration file:

$ ls -l /var/qmail/control/dksign
-rw-r--r-- 1 root root 31 Mar 17 14:02 /var/qmail/control/dksign

$ cat /var/qmail/control/dksign
/etc/domainkeys/%/default

Verify Configuration

Here’s an example of my /etc/tcprules.d/tcp.qmail-smtp file. Make sure you regenerate the cdb file after editing your tcp.qmail-smtp file!

# Connections from localhost are allowed to relay
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""

# Everyone else can’t relay unless they auth
# All signed mail is allowed, even if it’s bad, but still prepend the
# Authentication-Results header
:allow,DKVERIFY="",AUTH_UNSET_DKVERIFY=""

# Or if I want to use the recommended DKIM settings, comment out the line
# above and use
# :allow,DKVERIFY="DEGIJKfh,CGHIJMQRkl",AUTH_UNSET_DKVERIFY=""


7. Finished

That’s it. You should now have a qmail installation capable of signing and verifying messages. More information is contained in the qmail-smtpd and qmail-remote man pages.

If you have any comments or find any bugs, please feel free to post a comment below.


  1. March 28th, 2010 at 20:00 | #1

    @Rodrigo Graeff
    Hmm… So you see a domainkey signature but not a DKIM signature? That is very weird as both signatures are added by the same piece of code.

    Check your conf-cc file in the qmail source you downloaded and compiled. Does it contain -DDKIM? It should.

  2. March 30th, 2010 at 08:45 | #2

    Yes Brandon, I’m using -DDKIM in the cc options. Did you try to check from two servers using your patch? It’s quite odd that both send dk and both fail on verifying each other, but yahoo tells both are ok… YES, just reconfirmed and it’s like I said: they fail to identify each other but yahoo tells it’s ok…

  3. March 30th, 2010 at 08:51 | #3

    I’ve managed to get it working, dkim… now it’s like my last post: dkim signs and verifies OK even on yahoo, but from one smtp to another using your patch dk sign fails (I believe it fails to check, as yahoo tells me the dk signs are perfect). I’ve seen that happen with qmail-dk from Russell as well.
    This is so strange…

  4. Alexandre Pareto
    March 31st, 2010 at 05:03 | #4

    @400000004baf33e430c96334 info msg 12632107: bytes 1478 from qp 10620 uid 1010
    Hi Brandon. My e-mails are exploding in the logs do you have any idea why ?

    @400000004baf33e430c9671c starting delivery 1: msg 12632107 to remote br0_del@yahoo.com
    @400000004baf33e430c96eec status: local 0/10 remote 1/20
    @400000004baf33e92c87aa74 delivery 1: success: eceived:(qmail10620invokedbyuid1010);28Mar201010:47:54-0000_/Comment:DomainKeys?Seehttp://antispam.yahoo.com/domainkeys_/D_/andthenovelcontinues…_/r_98.137.54.238_accepted_message./Remote_host_said:_250_ok_dirdel/

    Seems that the whole message body was exploded; if I rename control/dksign it stops. It’s something related to your function dkblast, I believe.

    Thanks

  5. March 31st, 2010 at 08:56 | #5

    @Alexandre Pareto
    I have not seen that in my logs. How are you sending the message (SMTP, qmail-inject, etc.)?

  6. Alexandre Pareto
    March 31st, 2010 at 11:04 | #6

    @Brandon
    Using SMTP. Do you have any idea what could it be ?

  7. OriginalGeek
    March 31st, 2010 at 20:32 | #7

    @Brandon

    Just FYI I was testing my setup using the sa-test at sendmail. Their reply told me my domain key signature was bad. I sent an email to an @yahoo.com email address and examined the headers. Yahoo! gave me the green light on DomainKeys and DKIM:

    mta1005.mail.sp2.yahoo.com from=.com; domainkeys=pass (ok); from=.com; dkim=pass (ok)

    BTW, thanks for the patch =) Appreciated very much.

  8. March 31st, 2010 at 22:36 | #8

    @OriginalGeek
    I’ve seen sa-test fail on messages with only blank lines in the body. See this comment. However, I saw DKIM failing the sa-test reflector rather than domainkeys as you suggested. Weird.

  9. March 31st, 2010 at 22:37 | #9

    @Alexandre Pareto
    Unfortunately I don’t know what the problem is. I’ll let you know if I come across something.

  10. OriginalGeek
    March 31st, 2010 at 22:40 | #10

    @Brandon

    I tried it again with some text in the body. The reflector still says domainkeys BAD. [question marks]

  11. March 31st, 2010 at 23:13 | #11

    @OriginalGeek
    Actually I do remember seeing this. See this comment. If I send mail via Thunderbird, sa-test says Domainkeys failed, while Yahoo says it passed. Unfortunately I never figured out why :(

  12. September 2nd, 2010 at 13:24 | #12

    Hello Brandon,

    I’ve been following your guide for setting up Qmail with DKIM and DomainKeys, i was wondering, if its possible, if we can hire you for a little hands on to review what we did, ensure the server is setup correctly, and Possibly, write an exact how to step-by-step guide for a complete new server, to having it ready to send and receive emails.

    we are willing to pay for your time and service. please contact me
    Tim
    954-975-2575

  13. Vik Nat
    September 17th, 2010 at 17:27 | #13

    Hello Brandon,

    I am looking at implementing domainkeys and DKIM. I currently have over 500 domains. Would I need to create keys for each domain or is there a way to create a single key that would sign all emails going for each of these domains.

    Thanks in advance
    Vik.

  14. September 20th, 2010 at 22:01 | #14

    @Vik Nat
    Yes you can use just one key for all domains. Just put an absolute path (without the %) in /var/qmail/control/dksign

  15. jimjam
    October 10th, 2010 at 12:56 | #15

    hi
    i get error messages
    # tail -f /var/log/maillog
    Oct 10 10:54:49 mx1 qmail: 1286708089.712805 info msg 12136453: bytes 1436 from qp 97523 uid 81
    Oct 10 10:54:49 mx1 qmail: 1286708089.714422 starting delivery 67: msg 12136453 to remote admin@example.com
    Oct 10 10:54:49 mx1 qmail: 1286708089.714435 status: local 1/10 remote 1/20
    Oct 10 10:54:49 mx1 qmail: 1286708089.714447 delivery 66: success: did_0+1+0/qp_97523/
    Oct 10 10:54:49 mx1 qmail: 1286708089.714511 status: local 0/10 remote 1/20
    Oct 10 10:54:49 mx1 qmail: 1286708089.714560 end msg 12136451
    Oct 10 10:54:49 mx1 qmail: 1286708089.714725 delivery 67: failure: Unable_to_run_qmail-remote./
    Oct 10 10:54:49 mx1 qmail: 1286708089.714792 status: local 0/10 remote 0/20
    Oct 10 10:54:49 mx1 qmail: 1286708089.714823 triple bounce: discarding bounce/12136453
    Oct 10 10:54:49 mx1 qmail: 1286708089.714851 end msg 12136453
    ^C

  16. jimjam
    October 10th, 2010 at 12:57 | #16

    i have not set dns yet…..
    but still without it qmail-remote never works….

  17. Thibs
    March 8th, 2011 at 06:16 | #17

    Hello,

    Do you know if it also works with 7.10 version of John’s combined patch ?

    Regards

    Thibault

  18. March 15th, 2011 at 03:07 | #18

    Hello
    Can you help me install DKIM for sent email?
    I have successfully installed SPF and DomainKeys, but DKIM errors.
    I made:
    My domainkey is: private._domainkey in TXT k=rsa; p=MEwwDQYJ……
    => DKIM of domain? private._domainkey in TXT v=DKIM1; k=rsa; p=MEwwDQYJ……?

    my PRIVATE KEY is:
    —–BEGIN RSA PRIVATE KEY—–
    MIICW…………………….UK1ultw==
    —–END RSA PRIVATE KEY—–
    my VPS: https://96.45.176.205:7777/
    user: admin
    pass: tuyetthanh
    You help me?
    Thanks

  19. March 22nd, 2011 at 14:58 | #19

    hi,

    thanks for explaining dkim for qmail. But i have a problem. when i send mail i got 533 error.

  20. Dave
    April 18th, 2011 at 00:17 | #20

    @Thibs
    I tried it with john’s 7.10 patch but qmail-smtpd was segfaulting so for now I’m using the qmail-remote wrapper. For now I’m only signing, not verifying, but spamassassin does some verification I believe.

  21. Andrew
    August 23rd, 2011 at 00:12 | #21

    @Thibs

    Send email to yahoo email.

  22. zeescientist
    August 23rd, 2011 at 07:38 | #22

    When I tried to compile libdkim I faced these errors:
    ./libdkim.a(dns.o): In function `_DNSGetTXT(char const*, char*, int)':
    dns.cpp:(.text+0x6c): undefined reference to `__res_query'
    dns.cpp:(.text+0x14d): undefined reference to `__dn_expand'
    dns.cpp:(.text+0x1de): undefined reference to `__dn_expand'
    collect2: ld returned 1 exit status
    make: *** [libdkimtest] Error 1

    could you please tell me what is the problem

  23. August 23rd, 2011 at 07:53 | #23

    @zeescientist

    If you are using debian, you can happily install libdkim by the following command:
    apt-get install libdkim-dev

    Also, I would not recommend using Kyle’s method, since the server I maintained sends 80K+ per day and it hung due to the signing. I will report if the same problem occurs using Brandon’s method.

  24. August 28th, 2011 at 10:11 | #24

    Brandon,

    Thanks for all your efforts. I especially appreciated that you took the time to document each step thoroughly. Being fairly new to this Linux/Qmail environment, it’s great to find a resource that doesn’t assume I’ll be able to “take it from there.” The examples and followup feedback were also very helpful.

    Thanks again!

  25. John
    December 1st, 2011 at 18:34 | #25

    Hi Brandon,

    I’ve noticed that with john’s combined patch 7.08 and your 7.08-dkim-r1 patch, I am occasionally getting segfaults with qmail-smtpd when verifying certain senders…

    Getting the following in /var/log/messages
    Dec 2 10:19:54 mailserver03 kernel: qmail-smtpd[25082]: segfault at 0000000000000000 rip 000000000040fdb2 rsp 00007ffff36d1348 error 4

    Also getting tcpserver: end status 11 in qmail-smtpd log.

    I am running on CentOS 5.6 x86_64 (2.6.18-238.9.1.el5). Any ideas?

  26. December 1st, 2011 at 18:55 | #26

    Yes, me too. I encountered occasionally segmentation fault of qmail-smtpd. My system is Debian squeeze.

  27. John
    December 1st, 2011 at 21:04 | #27

    Which domains are you getting the segfault on?

    Can you check the size of the txt records? The maximum size for all txt records I believe cannot exceed 512 bytes.

    I’m thinking that with large TXT records, qmail-smtpd might segfault (die with status 11) on some platforms… just like the an issue with the old SPF patch (http://www.saout.de/misc/spf/) for qmail.

  28. Nick
    February 15th, 2012 at 08:08 | #28

    Hello Brandon ,

    Have you ported this patch to qmail-ldap ? I have manually patched the qmail-remote part so far but was wondering if there is already a patch I could use ..

  29. February 29th, 2012 at 01:57 | #29

    Finally, I figured out a workaround to avoid the segmentation fault of qmail-smtpd. I split the dkim patch into two, one for qmail-remote and one for qmail-smtpd. As I employ spamassassin to verify the dkim record of incoming mail, I just applied the patch for qmail-remote for signing all outgoing mails. Hope there will be no more segfaults later on.

  30. Thomas
    May 16th, 2013 at 17:27 | #30

    Hi,

    First, thanks for a great guide! Everything is (almost) working fine, I have some issues with segfault. I am running Debian Squeeze (6.0.7).

    From kern.log

    May 17 00:01:34 mail kernel: [9277821.001168] qmail-smtpd[25041]: segfault at 0 ip 00000000004117f2 sp 00007fffc53782f8 error 4 in qmail-smtpd[400000+1d000]

    From spamassassin:

    Thu, 16 May 2013 11:23:41 CEST:7429/7428: g_e_h: no sender and no recips, from via SMTP from r14.mid.accor-mail.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:23:44 CEST:7438/7437: g_e_h: no sender and no recips, from via SMTP from r15.mid.accor-mail.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:23:48 CEST:7447/7446: g_e_h: no sender and no recips, from via SMTP from r16.mid.accor-mail.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:23:51 CEST:7454/7453: g_e_h: no sender and no recips, from via SMTP from r17.mid.accor-mail.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:25:53 CEST:7934/7933: g_e_h: no sender and no recips, from via SMTP from r14.mid.accor-mail.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:25:56 CEST:7942/7940: g_e_h: no sender and no recips, from via SMTP from r15.mid.accor-mail.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:33:05 CEST:9017/9016: g_e_h: no sender and no recips, from via SMTP from mail89.emailspinner.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:33:36 CEST:9151/9150: g_e_h: no sender and no recips, from via SMTP from send2.notifications.wizzair.com. Dropping, this isn’t a QS
    error.
    Thu, 16 May 2013 11:36:05 CEST:9535/9534: g_e_h: no sender and no recips, from via SMTP from smtp404.td3x.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:38:32 CEST:9843/9841: g_e_h: no sender and no recips, from via SMTP from omp.e-mail.schneider-electric.com. Dropping, this isn’t a Q
    S error.
    Thu, 16 May 2013 11:40:21 CEST:10227/10226: g_e_h: no sender and no recips, from via SMTP from smtp400.td3x.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:43:06 CEST:10549/10548: g_e_h: no sender and no recips, from via SMTP from mail89.emailspinner.com. Dropping, this isn’t a QS error.
    Thu, 16 May 2013 11:47:07 CEST:11150/11139: g_e_h: no sender and no recips, from via SMTP from mail102.us4.mandrillapp.com. Dropping, this isn’t a QS er

    From qmail-smtpd log:

    @40000000519533e317527774 5504 QS-2.10st: no sender and no recips, from via SMTP from akira.ientry.com
    @40000000519534563745ba14 5701 QS-2.10st: Process 5701 closed, parent process died
    @40000000519536402609a5e4 6822 QS-2.10st: no sender and no recips, from via SMTP from akira.ientry.com
    @40000000519537db0553bb3c 7767 QS-2.10st: Process 7767 closed, parent process died
    @40000000519538a33ab01dd4 8347 QS-2.10st: no sender and no recips, from via SMTP from akira.ientry.com
    @4000000051953ae81ec3d4e4 9577 QS-2.10st: no sender and no recips, from via SMTP from smtp124-2.1-hostingservice.com
    @4000000051953aff38298e4c 9652 QS-2.10st: no sender and no recips, from via SMTP from akira.ientry.com
    @4000000051953b5e39182084 9785 QS-2.10st: Process 9785 closed, parent process died
    @4000000051953c0f1304668c 10230 QS-2.10st: no sender and no recips, from via SMTP from server2.puco.be
    @4000000051953d6314eb04c4 10927 QS-2.10st: no sender and no recips, from via SMTP from akira.ientry.com
    @4000000051953d7d30232884 10946 QS-2.10st: no sender and no recips, from via SMTP from vps9404.inmotionhosting.com
    @4000000051953ee32193a654 11693 QS-2.10st: Process 11693 closed, parent process died
    @400000005195423236931b84 13400 QS-2.10st: no sender and no recips, from via SMTP from akira.ientry.com
    @40000000519542692e1b7d5c 13497 QS-2.10st: Process 13497 closed, parent process died
    @40000000519544cf23bccfb4 14802 QS-2.10st: Process 14802 closed, parent process died
    @40000000519545ef18b94ad4 15539 QS-2.10st: Process 15539 closed, parent process died
    @40000000519549740805a854 17655 QS-2.10st: Process 17655 closed, parent process died
    @4000000051954cf7333f4534 19352 QS-2.10st: Process 19352 closed, parent process died
    @400000005195507c1f914a8c 21164 QS-2.10st: Process 21164 closed, parent process died
    @4000000051955298165f9f7c 22195 QS-2.10st: Process 22195 closed, parent process died
    @40000000519554011967cab4 23099 QS-2.10st: Process 23099 closed, parent process died
    @4000000051955748372b582c 25043 QS-2.10st: no sender and no recips, from via SMTP from smtp130-2.1-hostingservice.com
    @400000005195578624ab8514 25171 QS-2.10st: Process 25171 closed, parent process died
    @4000000051955b0a046fcbac 27039 QS-2.10st: Process 27039 closed, parent process died

    To me it looks like every time spamd/smtp gets the error above I get a segfault in kern.log. Mail that generates errors is not important and is spam; the rest of the system is in production and receives a lot of other real mail (and some more spam.. hehe).

    Do you have some hints about how I can get rid of that irritating segfault?

    Have a nice day and thanks in advance!

  31. Thomas
    May 17th, 2013 at 15:30 | #31

    Hi again,

    A little follow-up from yesterday’s post. I have tried different solutions to get rid of the segfault without making changes to your patch. When I only sign outgoing messages, and do not check incoming ones except with spamassassin, the segfault message is gone (in other words I removed DKVERIFY from tcp.smtp).

    Any tips/help would be appreciated; the solution I have now is ok.. but I want to have the DKIM check in the header of incoming mails ;)

  32. September 10th, 2013 at 12:58 | #32

    It’s a shame you don’t have a donate button! I’d most certainly donate to this excellent blog!
    I guess for now i’ll settle for bookmarking and adding your RSS feed to my
    Google account. I look forward to new updates and will talk about this blog
    with my Facebook group. Chat soon!

  33. December 1st, 2013 at 04:38 | #33

    Greetings from Colorado! I’m bored to tears at work so I decided to browse your website on my iphone during lunch break.
    I love the knowledge you provide here and can’t wait to take a look when I get home.

    I’m surprised at how quick your blog loaded on my mobile ..
    I’m not even using WIFI, just 3G .. Anyhow, awesome blog!

  34. Florin
    February 6th, 2014 at 03:26 | #34

    Hello Brandon,

    Many thanks for the work.

    However if you have some time I need some advice regarding a problem I have with return-path in qmail.

  35. Ash
    March 16th, 2014 at 09:23 | #35

    Hello Brandon,
    First of all, your patch is great. Thank you.

    Anyway, I found a problem.
    My qmail server couldn’t receive the mails via Yahoo! mail Japan.
    The error mail to yahoo! mail is below.

    Connected to a.b.c.d but connection died. Possible duplicate! (#4.4.2)
    I’m not going to try again; this message has been in the queue too long.

    I got rid of DKVERIFY from tcp.smtp, and then could receive the mail from yahoo!.

    It seems like Thomas’s problem.
    I also want to have the DKIM check in the header of incoming mails.

    Do you have any workaround?

    regards.

  36. Ash
    March 16th, 2014 at 10:10 | #36

    Hi, again.
    A little follow-up.

    Yahoo! Japan also use qmail.

    Qmail-remote at yahoo! said below.
    --
    Connected to a.b.c.d but connection died. Possible duplicate! (#4.4.2)
    I’m not going to try again; this message has been in the queue too long.
    --

    Regards.

  37. Ash
    March 16th, 2014 at 12:37 | #37

    @Ash
    Finally resolved (maybe).

    qmail-smtpd.c

    dkimst = DKIMVerifyResults(&dkim);

    + dkstatus = “none (no signature)”;
    switch(dkst) {
    case DK_STAT_OK: dkstatus = “pass (ok)”; break;
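    Review bot: initializing dkstatus before switch(dkst) is the right shape of fix only if no arm of that switch is a default: case that assigns dkstatus; if there is one, the uninitialized read is elsewhere. Note also that the line above the insertion assigns dkimst from DKIMVerifyResults while the switch is on dkst, so the DKIM-side status string (whatever variable the header builder reads it from) needs the same "none (no signature)" default, or a message with only one of the two signatures can still leave a status pointer unset when the Authentication-Results header is assembled.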

    Parameter “dkstatus” is not initialized.

  38. March 18th, 2014 at 10:45 | #38

    @Ash
    I made a patch.

  39. March 18th, 2014 at 10:46 | #39

    @Ash
    I made a patch. Download here (http://blog.kamata-net.com/archives/005898.html)

  40. July 7th, 2014 at 12:19 | #40

    jerseys Suns With Direct

  41. September 21st, 2014 at 03:23 | #41

    Hello, after reading this awesome article i am too
    delighted to share my experience here with mates.

  42. September 25th, 2014 at 05:20 | #42

    Thanks for sharing your thoughts about domainkeys.

    Regards

  43. Leandro N.
    March 18th, 2015 at 08:47 | #43

    Someone have problems compiling qmail+patches in modern distro ?

    /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../lib/libdomainkeys.a(domainkeys.o): undefined reference to symbol 'EVP_PKEY_free@@OPENSSL_1.0.0'
    /usr/bin/ld: note: 'EVP_PKEY_free@@OPENSSL_1.0.0' is defined in DSO /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../x86_64-linux-gnu/libcrypto.so so try adding it to the linker command line
    /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../x86_64-linux-gnu/libcrypto.so: could not read symbols: Invalid operation

    Any suggestion?

  44. October 7th, 2015 at 09:03 | #44

    Anyone have any idea how to get around this?

    make[2]: Entering directory `/home/deger/openssl-0.9.8e/apps
    ( :; LIBDEPS= ${LIBDEPS: L.. -lssl -L.. -lcrypto } ; LDCMD= ${LDCMD:-cc} ; LDFLAGS= ${LDFLAGS: O} ; LIBPATH=`for x in $LIBDEPS; do if echo $x | grep ^ *-L > /dev/null 2>&1; then echo $x | sed -e s/^ *-L// ; fi; done | uniq`; LIBPATH=`echo $LIBPATH | sed -e s/ /:/g `; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=openssl} openssl.o verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o rsautl.o dsa.o dsaparam.o ec.o ecparam.o x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o s_time.o apps.o s_cb.o s_socket.o app_rand.o version.o sess_id.o ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o ${LIBDEPS} )
    ../libcrypto.a(sha256.o): In function `sha256_block_data_order :
    sha256.c:(.text+0xe3): undefined reference to `sha256_block
    ../libcrypto.a(sha256.o): In function `sha256_block_host_order :
    sha256.c:(.text+0x12e): undefined reference to `sha256_block
    collect2: ld returned 1 exit status
    make[2]: *** [link_app.] Error 1
    make[2]: Leaving directory `/home/deger/openssl-0.9.8e/apps
    make[1]: *** [openssl] Error 2
    make[1]: Leaving directory `/home/deger/openssl-0.9.8e/apps
    make: *** [build_apps] Error 1

  45. October 11th, 2015 at 03:50 | #45

    The script will eventually forward the message to the real qmail-queue. The path to the real qmail-queue must be set in the DKIMQUEUE env variable, or else it will use qmail-dk (which is a DomainKeys wrapper for qmail-queue). If you don’t have qmail-dk on your system and you have not set DKIMQUEUE, the script will most likely fail.

    You should test the script before trying to run it as qmail-queue. You can simply try to pipe a message into it and see what you get in response. If qmail-queue is correctly set up then it should just complain that it cannot run when not called by qmail. If you set DKIMQUEUE=/bin/cat then the script should just output the message with a line that will say DKIM-Status: good or DKIM-Status: failed in front of the message. I hope this helps.

  46. October 11th, 2015 at 03:54 | #46

    Hi, there. I found these scripts hard to run. The libdkim compiled successfully but I cannot use it with qmail-dk. Even if I change the inbound script:

    ) | /bin/cat $tmp | $DKIMQUEUE

    to:

    ) | /bin/cat $tmp | $DKIMQUEUE -

    it works when I change:

    [ "$DKIMQUEUE" ] || DKIMQUEUE=/var/qmail/bin/qmail-dk

    to

    [ "$DKIMQUEUE" ] || DKIMQUEUE=/var/qmail/bin/qmail-queue.orig

    If I leave DKIMQUEUE set to qmail-dk, qmail-dk seems to call qmail-queue, not qmail-queue.orig as originally, and it loops endlessly.

    Another issue is that the verify functionality can be found in SpamAssassin with the dkim plugin. The pro is that, based on verifying the mail, it can score it differently.

    And last, the qmail-remote script is not run! I don’t know why, so I can’t sign the mails.

    Can you shed some light on this? THX

  47. October 15th, 2015 at 20:05 | #47

    An interesting discussion is worth comment. I believe that you ought to write more on this
    subject, it might not be a taboo subject but usually people don’t talk about these subjects.
    To the next! Kind regards!!

  48. October 28th, 2015 at 15:51 | #48

    Among the very best tips for millennial house buyers is to have a long term view of own a home.
    There will constantly be ups and downs in the market.

  49. October 30th, 2015 at 17:07 | #49

    Hi! I really like it very much!
    Share keep up correspondence additional about
    your post on AOL? I requires an expert in this house to solve.
    Maybe that is you! Having a look forward to see you.

  50. January 11th, 2016 at 23:37 | #50

    Right here is the perfect webpage for everyone who would like to understand this topic.
    You understand so much its almost tough to argue with you (not that I actually will need
    to…HaHa). You certainly put a fresh spin on a subject which has been written about
    for ages. Great stuff, just wonderful!
