
postfix / dkim: no signature for emails submitted through ssh tunnel

  • patrick.proniewski@...
    Message 1 of 5, Mar 16, 2013
      Hello,

      I have a small problem with my postfix/dkim setup:

      - dkim properly signs every email I send via my webmail frontend, crontab, or the mail command from the server.
      - dkim won't sign emails I send from my workstation to my server via an ssh tunnel.

      transcript for a webmail sending:

      rack postfix/pickup[51760]: 32E681CC025: uid=80 from=<patpro@...>
      rack postfix/cleanup[52839]: 32E681CC025: message-id=<eec030e8a722c0c18ea83a504d776005@...>
      + rack opendkim[50749]: 32E681CC025: DKIM-Signature header added (s=patpro, d=mydomain.tld)
      rack postfix/qmgr[29993]: 32E681CC025: from=<patpro@...>, size=994, nrcpt=1 (queue active)
      rack postfix/local[52842]: 32E681CC025: to=<patpro@...>, orig_to=<root@...>, relay=local, delay=0.21, delays=0.18/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -a "$EXTENSION")
      rack postfix/qmgr[29993]: 32E681CC025: removed

      transcript for a mail submitted via ssh tunnel:

      rack postfix/smtpd[57044]: connect from localhost[127.0.0.1]
      rack milter-greylist: (unknown id): Sender IP 127.0.0.1 and address <patpro@...> are SPF-compliant, bypassing greylist
      rack postfix/smtpd[57044]: NOQUEUE: client=localhost[127.0.0.1]
      rack postfix/smtpd[57049]: connect from localhost[127.0.0.1]
      rack postfix/smtpd[57049]: 5E0BE1CC020: client=localhost[127.0.0.1], orig_client=localhost[127.0.0.1]
      rack postfix/cleanup[57050]: 5E0BE1CC020: message-id=<727D4403-CE21-4282-A3F3-0C056924C270@...>
      rack postfix/smtpd[57049]: disconnect from localhost[127.0.0.1]
      rack postfix/qmgr[29993]: 5E0BE1CC020: from=<patpro@...>, size=2220, nrcpt=1 (queue active)
      rack amavis[50721]: (50721-14) Passed CLEAN {RelayedInternal}, LOCAL [127.0.0.1]:13772 [127.0.0.1] <patpro@...> -> <root@...>, Message-ID: <727D4403-CE21-4282-A3F3-0C056924C270@...>, mail_id: 0ha-G1TZRb7p, Hits: -3.4, size: 1712, queued_as: 5E0BE1CC020, 1762 ms
      rack postfix/smtpd[57044]: proxy-accept: END-OF-MESSAGE: 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5E0BE1CC020; from=<patpro@...> to=<root@...> proto=ESMTP helo=<[127.0.0.1]>
      rack postfix/local[57051]: 5E0BE1CC020: to=<patpro@...>, orig_to=<root@...>, relay=local, delay=0.06, delays=0.04/0/0/0.02, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -a "$EXTENSION")
      rack postfix/qmgr[29993]: 5E0BE1CC020: removed


      main.cf reads:

      smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock inet:127.0.0.1:8891
      non_smtpd_milters = inet:127.0.0.1:8891

      and I have a before-queue content filter:

      smtp inet n - n - 20 smtpd
        -o smtpd_proxy_filter=127.0.0.1:10024
        -o smtpd_client_connection_count_limit=10
        -o smtpd_proxy_ehlo=amavis-at-mydomain.tld
        -o disable_mime_output_conversion=yes

      127.0.0.1:10025 inet n - n - - smtpd
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject
        -o smtpd_data_restrictions=
        -o mynetworks=127.0.0.0/8
        -o receive_override_options=no_unknown_recipient_checks
        -o smtpd_milters=
        -o non_smtpd_milters=


      Obviously I'm missing something here. The processing of an email that I feed through the webmail (sitting on the same server as postfix), and the processing of an email I feed through my email client on my workstation via an ssh tunnel are very different.
      On the workstation side, I'm using an on-demand tunnel, everything is piped into nc targeting localhost:25.

      Any idea that would allow DKIM to sign emails I'm sending via my ssh tunnel?

      Patrick
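
Added example, not part of the original post: a Python check over the mail log that reports queue IDs which reached qmgr without an opendkim "DKIM-Signature header added" line, which is the difference between the two transcripts above. The sample log is constructed from those transcripts with placeholder addresses, and the regex assumes short hexadecimal queue IDs.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two transcripts (placeholder addresses).
SAMPLE_LOG = """\
rack postfix/pickup[51760]: 32E681CC025: uid=80 from=<patpro@example.test>
rack postfix/cleanup[52839]: 32E681CC025: message-id=<a@example.test>
rack opendkim[50749]: 32E681CC025: DKIM-Signature header added (s=patpro, d=mydomain.tld)
rack postfix/qmgr[29993]: 32E681CC025: from=<patpro@example.test>, size=994, nrcpt=1 (queue active)
rack postfix/qmgr[29993]: 32E681CC025: removed
rack postfix/smtpd[57044]: connect from localhost[127.0.0.1]
rack postfix/smtpd[57044]: NOQUEUE: client=localhost[127.0.0.1]
rack postfix/smtpd[57049]: 5E0BE1CC020: client=localhost[127.0.0.1], orig_client=localhost[127.0.0.1]
rack postfix/cleanup[57050]: 5E0BE1CC020: message-id=<b@example.test>
rack postfix/qmgr[29993]: 5E0BE1CC020: from=<patpro@example.test>, size=2220, nrcpt=1 (queue active)
rack postfix/qmgr[29993]: 5E0BE1CC020: removed
"""

# Assumption: short (hex) queue IDs as in the post; NOQUEUE lines do not match.
LINE = re.compile(r"(?P<prog>[\w/.-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")

def audit(log_text):
    """Group log lines by queue ID and record entry point, queueing and signing."""
    msgs = defaultdict(lambda: {"source": None, "signed": False, "queued": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # connect/disconnect and NOQUEUE lines carry no queue ID
        prog, rest, msg = m["prog"], m["rest"], msgs[m["qid"]]
        if prog == "postfix/pickup":
            msg["source"] = "pickup"      # local submission (non_smtpd_milters)
        elif prog == "postfix/smtpd" and rest.startswith("client="):
            msg["source"] = "smtpd"       # SMTP submission (smtpd_milters)
        elif prog == "opendkim" and "DKIM-Signature header added" in rest:
            msg["signed"] = True
        elif prog == "postfix/qmgr" and rest.startswith("from="):
            msg["queued"] = True
    return dict(msgs)

def unsigned(log_text):
    """Return (queue_id, source) for every queued message opendkim did not sign."""
    return sorted((qid, m["source"]) for qid, m in audit(log_text).items()
                  if m["queued"] and not m["signed"])

if __name__ == "__main__":
    for qid, source in unsigned(SAMPLE_LOG):
        print(f"{qid}: queued without DKIM signature (entered via {source})")
```
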
    • Reindl Harald
      Message 2 of 5, Mar 16, 2013
        On 16.03.2013 20:51, patrick.proniewski@... wrote:
        > main.cf reads:
        >
        > smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock inet:127.0.0.1:8891
        > non_smtpd_milters = inet:127.0.0.1:8891

        that is only a snippet, and as stated in the welcome
        message, post the output of "postconf -n"
      • Noel Jones
        Message 3 of 5, Mar 16, 2013
          On 3/16/2013 2:51 PM, patrick.proniewski@... wrote:
          > Hello,
          >
          > I have a small problem with my postfix/dkim setup:
          >
          > - dkim properly signs every email I send via my webmail frontend, crontab, or the mail command from the server.
          > - dkim won't sign emails I send from my workstation to my server via an ssh tunnel.


          Have you tried submitting mail from 127.0.0.1 via SMTP without the
          tunnel? I'm guessing that doesn't work either, meaning the question
          can be rephrased "works from non-smtpd, doesn't work with smtpd".



          > main.cf reads:
          >
          > smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock inet:127.0.0.1:8891
          > non_smtpd_milters = inet:127.0.0.1:8891

          You should check your "postconf -n" output to see if it contains
          these same settings. The list welcome message asks for "postconf
          -n" output, not main.cf snippings.

          Assuming your dkim milter is on inet:127.0.0.1:8891, it appears to
          be included in both smtpd and non-smtpd mail.

          Since it's not working with smtpd mail, that strongly suggests a
          configuration problem with your dkim milter. Check your dkim
          configuration to make sure mail from localhost will be signed.

          Check the docs for your dkim software.



          -- Noel Jones
        • patrick.proniewski@...
          Message 4 of 5, Mar 17, 2013
            On 17 March 2013, at 00:38, Noel Jones wrote:

            > On 3/16/2013 2:51 PM, patrick.proniewski@... wrote:
            >> Hello,
            >>
            >> I have a small problem with my postfix/dkim setup:
            >>
            >> - dkim properly signs every email I send via my webmail frontend, crontab, or the mail command from the server.
            >> - dkim won't sign emails I send from my workstation to my server via an ssh tunnel.
            >
            >
            > Have you tried submitting mail from 127.0.0.1 via SMTP without the
            > tunnel? I'm guessing that doesn't work either, meaning the question
            > can be rephrased "works from non-smtpd, doesn't work with smtpd".

            I tried to telnet a mail, but DKIM won't sign it. Looks like you are right.


            >> main.cf reads:
            >>
            >> smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock inet:127.0.0.1:8891
            >> non_smtpd_milters = inet:127.0.0.1:8891
            >
            > You should check your "postconf -n" output to see if it contains
            > these same settings. The list welcome message asks for "postconf
            > -n" output, not main.cf snippings.

            postconf -n appears to be correct (in a previous message).


            > Assuming your dkim milter is on inet:127.0.0.1:8891, it appears to
            > be included in both smtpd and non-smtpd mail.

            it is.

            > Since it's not working with smtpd mail, that strongly suggests a
            > configuration problem with your dkim milter. Check your dkim
            > configuration to make sure mail from localhost will be signed.

            I've suspected a conflict or interaction between milter-greylist and milter-opendkim, but disabling milter-greylist wouldn't change anything.
            I'll check on the opendkim config side, but out of the box it's supposed to sign everything from localhost, and I've added every IP address of the server.
            Maybe there's something on the MACRO side of the problem, not sure.

            thanks,
            Patrick
          • patrick.proniewski@...
            Message 5 of 5, Mar 18, 2013
              Finally, after an interesting discussion over this issue on opendkim-users, I've been able to google my way out, with a solution from Wietse:

              <http://postfix.1071664.n5.nabble.com/Any-best-practices-for-stacking-filters-td51592.html>

              thanks,

              On 17 March 2013, at 14:51, patrick.proniewski@... wrote:

              > On 17 March 2013, at 00:38, Noel Jones wrote:
              >
              >> On 3/16/2013 2:51 PM, patrick.proniewski@... wrote:
              >>> Hello,
              >>>
              >>> I have a small problem with my postfix/dkim setup:
              >>>
              >>> - dkim properly signs every email I send via my webmail frontend, crontab, or the mail command from the server.
              >>> - dkim won't sign emails I send from my workstation to my server via an ssh tunnel.
              >>
              >>
              >> Have you tried submitting mail from 127.0.0.1 via SMTP without the
              >> tunnel? I'm guessing that doesn't work either, meaning the question
              >> can be rephrased "works from non-smtpd, doesn't work with smtpd".
              >
              > I tried to telnet a mail, but DKIM won't sign it. Looks like you are right.
              >
              >
              >>> main.cf reads:
              >>>
              >>> smtpd_milters = unix:/var/milter-greylist/milter-greylist.sock inet:127.0.0.1:8891
              >>> non_smtpd_milters = inet:127.0.0.1:8891
              >>
              >> You should check your "postconf -n" output to see if it contains
              >> these same settings. The list welcome message asks for "postconf
              >> -n" output, not main.cf snippings.
              >
              > postconf -n appears to be correct (in a previous message).
              >
              >
              >> Assuming your dkim milter is on inet:127.0.0.1:8891, it appears to
              >> be included in both smtpd and non-smtpd mail.
              >
              > it is.
              >
              >> Since it's not working with smtpd mail, that strongly suggests a
              >> configuration problem with your dkim milter. Check your dkim
              >> configuration to make sure mail from localhost will be signed.
              >
              > I've suspected a conflict or interaction between milter-greylist and milter-opendkim, but disabling milter-greylist wouldn't change anything.
              > I'll check on the opendkim config side, but out of the box it's supposed to sign everything from localhost, and I've added every IP address of the server.
              > Maybe there's something on the MACRO side of the problem, not sure.
              >
              > thanks,
              > Patrick