DKIM+disclaimer problems after upgrade to mail2 module

testing
mail2
mailserver

(Gabriel GHEORGHIU) #61

As far as I understand, it is not possible on NS, at least for now, to have DKIM and a disclaimer at the same time, or it is possible but difficult.
IMO, this is not a critical issue.
Don’t forget that NS is not an authoritative name server. So, you must have such a server to keep your domain records. Usually, DKIM, SPF, DMARC records are kept there.
So, you can have disclaimer on NethServer without issues.


(Pasha) #62

Bump.
May someone please explain how to remove the disclaimer module so that DKIM doesn’t get affected?
Thanks!


(Stéphane de Labrusse) #63

Disable the disclaimer checkbox per domain and it is done.


(Zimny) #64

You mean a dedicated email relay just to fix that issue, like Stephane mentioned about the smarthost?
OK, it will work and it is a workaround. For now.
I just wonder if creating another instance just to sort out this issue is an answer in development.

Anyway, I understand the alterMIME issue here. I just wonder whether we consider this something to resolve, or we simply close the subject as has been done on GitHub?


(Dan) #65

What does this have to do with the question? Yes, the relevant records are kept on the authoritative nameserver, which isn’t your Neth box unless you’ve done a good bit of hacking on it. How does that affect the ability of the system to DKIM-sign the message after the (misguided and annoying) disclaimer has been added?


(Gabriel GHEORGHIU) #66

No.
I said that you can put DKIM record on the name server and on the NethServer Email Server enable disclaimer.
In this mode, DKIM validation is done by the name server, and all emails that you will send from your organization will have your appended signature.

In this mode, DKIM validation is done by the name server, and all emails that you will send from your organization will have appended signature.

I thought that we try to find the best solutions for some issues.
This is my opinion regarding this issue, based on, let’s say, good practices.
Is it good, is it bad, I don’t know.
Some of you will agree with this, some of you will not agree.

More info:

“DKIM is based on domain names, rather than complete email addresses.”
(http://www.dkim.org/info/dkim-faq.html)

“Technically DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.”
(http://www.dkim.org/)

https://www.sparkpost.com/resources/email-explained/dkim-domainkeys-identified-mail/


(Dan) #67

No, the name server doesn’t validate anything at any point, nor does it sign anything relevant. It serves information. With respect to DKIM, it serves the domain’s public key. When the receiving mail server does DKIM validation, it uses that public key to verify that the message was signed with the corresponding private key. The sending host signs the message; the receiving host validates the signature. The only function of the DNS server is to provide the key that the receiving host uses to validate.

The problem is that Neth first signs, then adds the disclaimer, which breaks the signature. In principle, it seems that it should be straightforward enough to reverse the order of these two operations (even if email disclaimers should die a quick and brutal death), but it appears that isn’t the case.

Isn’t there a signing mode in which DKIM signs only the headers? That would still allow a receiving host to validate that the message came from the host it claims to have come from, but would not guarantee integrity of the message in transit. Obviously that wouldn’t be an ideal solution, but it might provide a way these things can work together.
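
Added example, not part of the thread or of NethServer's code: the body-hash step a receiving host performs (RFC 6376 canonicalization, then comparison against `bh=`), showing why a disclaimer appended after signing fails verification and what the `l=` body-length tag changes. The function names, the sample message, `example.org` and the `default` selector are constructed for illustration; it assumes a plain-text body with the disclaimer appended at the end, and it checks only `bh=`, not the RSA signature in `b=`.

```python
import base64, hashlib, re

def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop whitespace at end of line
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end of the body are ignored
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "relaxed", length=None) -> str:
    data = canon_body(body, mode)
    if length is not None:  # l= tag: only the first `length` canonical octets are hashed
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_body(sig_value: str, body: bytes) -> dict:
    """What a receiver derives from the header: key lookup name and bh= verdict."""
    t = parse_tags(sig_value)
    canon = t.get("c", "simple/simple").split("/")
    mode = canon[1] if len(canon) > 1 else "simple"
    length = int(t["l"]) if "l" in t else None
    return {"dns_name": f"{t['s']}._domainkey.{t['d']}",
            "body_ok": body_hash(body, mode, length) == t["bh"]}

# Constructed sample data (not taken from the thread).
ORIGINAL = b"Hello Bob,\r\n\r\nsee you on Monday.\r\n"
DISCLAIMER = b"-- \r\nThis e-mail is confidential.\r\n"

def make_sig(body: bytes, with_length: bool = False) -> str:
    """Build the body-related tags a signer would emit; b= is a placeholder, no RSA."""
    l_tag = f" l={len(canon_body(body))};" if with_length else ""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=default;"
            f"{l_tag} bh={body_hash(body)}; b=PLACEHOLDER")

if __name__ == "__main__":
    sig = make_sig(ORIGINAL)
    print(check_body(sig, ORIGINAL))               # message as signed
    print(check_body(sig, ORIGINAL + DISCLAIMER))  # disclaimer added after signing
    print(check_body(make_sig(ORIGINAL, True), ORIGINAL + DISCLAIMER))  # signed with l=
```

With `l=` the appended disclaimer no longer changes `bh=`, but everything past the signed length is unauthenticated, so any relay in transit can append content as well.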


(Zimny) #68

Woo

So how would you like to validate an unsigned message???
The DNS record for your domain is for the receiving MTA to validate!
What you said doesn’t make any sense.
To have DKIM implemented in your domain you need to have a DKIM record already in your DNS and your MTA to get it to work.
Please don’t confuse others about what DKIM is and how it works.


(Rob Bosch) #69

Just for reference (and all those members that have no clue what DKIM is) here is an explanation ‘in plain English’ of what DKIM is and does: https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/

To validate your DKIM record you can use https://app.dmarcanalyzer.com/dns/dkim


(Gabriel GHEORGHIU) #70

@danb35
@zimny

Maybe I was not so clear.
What I wanted to say, in a few words, is that you need an authoritative name server (NethServer isn’t) to validate the DKIM key of an email message which has a DKIM signature in its header.
The DKIM must be set on two servers: DNS and Email Server.
Usually, DKIM must be used in conjunction with SPF and DMARC.

To not be misunderstood, I’ve put some links to articles that explain this type of authentication very well. You can read or ignore those articles.

Crystal clear!


(Gabriel GHEORGHIU) #71

Maybe this article can solve the issue:

https://forums.zimbra.org/viewtopic.php?t=56954#p261301


(Dan) #72

Yes, I think we all knew that (except that nothing prevents Neth from being an authoritative name server, though it’d take a bit of hacking to make it one).

I’m pretty sure we all knew this too.

What relevance does either of these facts have to the issue being discussed in this thread?


(Gabriel GHEORGHIU) #73

cc: @zimny

You are right! None!
Sorry!


(Saito Benkei) #74

So, what is the problem (apart from the obvious big lack of interest) that Nethesis or any other here inside can continue the development of alterMIME as the license allows (it’s contained here https://pldaniels.com/altermime/altermime-0.3.10.tar.gz)?

I’m not a programmer so I can’t, but here I see that someone is.


(Pasha) #75

Eureka!
Actually I was sure I hadn’t activated any autodisclaimer, and in fact the checkbox was empty… so rereading carefully… I discovered that NS wanted a “default” selector before ._domainkey.domain.ext while in my DNS I had “dkim” as a selector… rapidly changed “dkim” with “default” and everything now runs smooth!

Suggestion:
clearly show the SELECTOR field before the DKIM record, so that the average user (like me) doesn’t run into these “quickread” problems…

Thanks!!!


(Zimny) #76

This is not a problem or solution presented in this thread.
Probably you finally got DKIM up and running on your domain.
Good move and a way to go.

If you are not using the disclaimer feature for your domain, you will not be affected by this bug at all.


(Zimny) #77

Be careful with your opinion :)

I already got a PM from one of the moderators here. He emailed me “be quiet” and that I’m rude with my opinions.
Surely I hate when someone without any knowledge or experience in the subject is making comments. This just creates a mess in the thread.
But for this moderator, PMing me with “Be quiet” in the subject of the email isn’t rude at all :)

Not sure what to think about NS these days. This project always had great support and community.

It’s starting to look like this became a very well built home gateway and home server.


(Zimny) #78

https://mimedefang.org/

I know this is for sendmail, but it is written in Perl and has a lot of features.
It is open source as well and in active development; maybe it can be easily adopted for Postfix?


(Davide Principi) #79

Well, I visited their site. It’s a milter, and this is good. Maybe it works with Postfix too. It’s in EPEL! This is very good! Then I read the package info…

[root@vm8 ~]# yum info mimedefang
Available Packages
Name        : mimedefang
Arch        : x86_64
Version     : 2.84
Release     : 1.el7
Size        : 255 k
Repo        : epel/x86_64
Summary     : E-Mail filtering framework using Sendmail's Milter interface
URL         : https://mimedefang.org/
License     : GPLv2+
Description : MIMEDefang is an e-mail filter program which works with Sendmail 8.12
            : and later. It filters all e-mail messages sent via SMTP. MIMEDefang
            : splits multi-part MIME messages into their components and potentially
            : deletes or modifies the various parts. It then reassembles the parts
            : back into an e-mail message and sends it on its way.
            : 
            : There are some caveats you should be aware of before using MIMEDefang.
            : MIMEDefang potentially alters e-mail messages. This breaks a "gentleman's
            : agreement" that mail transfer agents do not modify message bodies. This
            : could cause problems, for example, with encrypted or signed messages.

…do you think it can work with DKIM?


(Zimny) #80

I’m going through the manual now. It is very modular and in Perl, so there are a lot of CPAN modules to implement.
We can implement just what we need and in the order we need. I think it should work in our scenario.
The documentation is pretty impressive, with a lot of examples as well.

https://mimedefang.org/static/mimedefang-lisa04.pdf

With these options in hand and access to CPAN, we can probably even extend the functionality in the mail module.