DKIM vs domainkeys
2007-11-11 by manu@netbsd.org
Yahoo Groups archive
2007-11-11 by manu@netbsd.org
Hello

A quick question for DKIM/DomainKeys users:

I'm looking at DKIM/DomainKeys. DKIM seems to be an evolution of DomainKeys. Is there a need for supporting both, or is there some backward compatibility that means DKIM support brings DomainKeys support?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2007-11-11 by Michael Mansour
Hi Emmanuel,

> Hello
>
> A quick question for DKIM/DomainKeys users:
>
> I'm looking at DKIM/DomainKeys. DKIM seems to be an evolution of
> DomainKeys. Is there a need for supporting both, or is there some
> backward compatibility that means DKIM support brings DomainKeys support?

The DKIM perl module I use has both DKIM and DomainKeys support.

Reading the SpamAssassin v310.pre file:

    # DomainKeys - perform DomainKeys verification
    #
    # External modules required for use, see INSTALL for more information.
    # Note that this may be redundant if you also plan to use the DKIM plugin.
    #
    #loadplugin Mail::SpamAssassin::Plugin::DomainKeys

and the v312.pre file:

    # DKIM - perform DKIM verification
    #
    # Mail::DKIM module required for use, see INSTALL for more information.
    #
    # Note that if C<Mail::DKIM> version 0.20 or later is installed, this
    # renders the DomainKeys plugin redundant.
    #
    #loadplugin Mail::SpamAssassin::Plugin::DKIM

and on my server, I use the spamassassin and perl-Mail-DKIM RPMs provided by rpmforge:

    spamassassin-3.2.3-1.el4.rf
    perl-Mail-DKIM-0.26-1.el4.rf

So just enabling the DKIM pm in the SpamAssassin v312.pre file does the job nicely for both DKIM and DomainKeys support.

Regards,

Michael.

> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
------- End of Original Message -------
2007-11-11 by manu@netbsd.org
Michael Mansour <mic@...> wrote:

> The DKIM perl module I use has both DKIM and DomainKeys support.

Sure, but I won't link with a perl module :-)

Anyone know about libdkim? Is it good enough?
http://sourceforge.net/projects/libdkim/

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2007-11-11 by Jim Hermann
--- In milter-greylist@yahoogroups.com, manu@... wrote:
> A quick question for DKIM/DomainKeys users:
>
> I'm looking at DKIM/DomainKeys. DKIM seems to be an evolution of
> DomainKeys. Is there a need for supporting both, or is there some
> backward compatibility that means DKIM support brings DomainKeys support?

No. They are separate standards. Yahoo developed DomainKeys and still uses it. DKIM was the combination of DK and something else. A valid DKIM Header will not pass DomainKeys and vice versa.

Jim
2007-11-11 by manu@netbsd.org
Jim Hermann <hostmaster@...> wrote:

> No. They are separate standards. Yahoo developed DomainKeys and
> still uses it. DKIM was the combination of DK and something else.
> A valid DKIM Header will not pass DomainKeys and vice versa.

Is there a library that implements both protocols at the same time? If there isn't, which one is the most useful?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2007-11-11 by Michael Mansour
Hi Emmanuel,

> > No. They are separate standards. Yahoo developed DomainKeys and
> > still uses it. DKIM was the combination of DK and something else.
> > A valid DKIM Header will not pass DomainKeys and vice versa.
>
> Is there a library that implements both protocols at the same time? If
> there isn't, which one is the most useful?

Both are. Yahoo implements DomainKeys, Google implements DKIM.

At some stage this year I'll be implementing an smtp proxy to sign outbounds from my mailservers, and that proxy can sign with either.

Regards,

Michael.

> --
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
------- End of Original Message -------
2007-11-12 by Jim Hermann
--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> Jim Hermann <hostmaster@...> wrote:
>
> > No. They are separate standards. Yahoo developed DomainKeys and
> > still uses it. DKIM was the combination of DK and something else.
> > A valid DKIM Header will not pass DomainKeys and vice versa.
>
> Is there a library that implements both protocols at the same time? If
> there isn't, which one is the most useful?

I have not found a library that implements both standards.

I have been using dk-filter for several months. It is flaky and hard to use. They released dk-filter version 0.60 and stopped all additional work. As near as I can determine, it does not use a file for configuration settings, so everything has to be a command line parameter.

Getting it to validate inbound email was not hard. Getting it to sign outbound email was the problem. It uses only the From: or Sender: Header values and requires that they match the signing domain. I had to add the Sender: Header back to my mailing list servers, which I don't like because of the effect on MS Outlook. For forwarded email messages, I had to implement a mime-defang program to identify email that will be forwarded and add a Sender: Header value. Oh yeah, both the mailing list servers and the mime-defang programs had to remove any existing DomainKeys signature or dk-filter would not sign the outbound email.

I am just about to start using dkim-filter in addition to dk-filter. It is supported better. They have released several updates this year. It uses a configuration file. It signs any email that you specify, independent of existing Headers.

DKIM definitely is the preferred standard.

Jim
2007-11-12 by manu@netbsd.org
<manu@...> wrote:

> I'm looking at DKIM/DomainKeys.

I'm looking at libdkim and libdomainkeys, but both libs come with zero documentation on the API. Anyone has some experience with either of them?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
2007-11-13 by Jim Hermann
--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> <manu@...> wrote:
>
> > I'm looking at DKIM/DomainKeys.
>
> I'm looking at libdkim and libdomainkeys, but both libs come with zero
> documentation on the API. Anyone has some experience with either of
> them?

Look at the HTML files in the dkim-milter-2.3.2/libdkim/docs directory.
It contains this Overview, among other API documentation:

To verify a message under DKIM, make the following calls:

1. lib = dkim_init(...);
   + initialize an instance of the library
   + this must be done once before any of the other calls are made
   + this needs to be called once when the application is started,
     but its result can be reused at the start of processing of
     each message
   + the remaining steps can use the same value of lib, even in
     multiple threads and over multiple messages
2. dkim = dkim_verify(lib, ...);
   + initialize a handle set up for verifying the message
   + the canonicalization and signing algorithms and public key
     were selected by the agent that signed the message, and so
     don't need to be provided here
3. stat = dkim_header(dkim, ...);
   + pass a header to libdkim
   + this should be done once for each header that should be
     included in computation of the digest to be verified
     (currently all of them)
4. stat = dkim_eoh(dkim);
   + notify libdkim that the end of this message's headers has
     been reached
5. stat = dkim_body(dkim, ...);
   + pass to libdkim a chunk of the body that should be included
     in computation of the digest to be verified (currently all of
     it)
6. stat = dkim_eom(dkim);
   + notify libdkim that the end of this message has been reached
   + see if stat is DKIM_STAT_OK (verification OK) or
     DKIM_STAT_BADSIG (verification failed)
7. stat = dkim_free(dkim);
   + free resources related to this message
8. dkim_close(lib);
   + free resources related to this library instance

DomainKeys has the same documentation linked to
dk-milter-0.6.0/libdk/docs/index.html

Jim

2007-11-13 by Emmanuel Dreyfus
On Tue, Nov 13, 2007 at 04:54:17AM -0000, Jim Hermann wrote:
> It contains this Overview, among other API documentation:
> 5. stat = dkim_body(dkim, ...);
>    + pass to libdkim a chunk of the body that should be included
>      in computation of the digest to be verified (currently all of
>      it)

Ok, that's how it works (I'm discovering, I was completely clueless). That means DKIM and DomainKeys can only be checked in a DATA-stage ACL. At that time, the greylisting was already taken. I wonder how that could be used.

--
Emmanuel Dreyfus
manu@...
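
Added example, not part of the thread and not libdkim code: a Python model of the header / eoh / body / eom stages from the overview quoted above, checking only the body hash (`bh=`) of a DKIM-Signature to show that no verdict exists until the whole body has been streamed, which is the DATA-stage point made in the last message. `BodyHashCheck` and `check_message` are hypothetical names; the code assumes `a=rsa-sha256`, ignores the `l=` tag and does not verify the RSA signature in `b=`.

```python
import base64, hashlib, re

class BodyHashCheck:  # hypothetical stand-in for one per-message handle
    def __init__(self):
        self.tags, self.pending, self.blank, self.seen = None, b"", 0, False

    def header(self, line):                  # step 3: one call per header
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature" and self.tags is None:
            pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
            self.tags = {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

    def eoh(self):                           # step 4: still no verdict possible
        if self.tags is None:
            return "nosig"
        self.hash = hashlib.sha256()         # assumption: a=rsa-sha256
        self.relaxed = self.tags.get("c", "").partition("/")[2] == "relaxed"
        return "need-body"

    def _line(self, line):
        if self.relaxed:                     # collapse runs, trim line end
            line = re.sub(rb"[ \t]+", b" ", line).rstrip(b" ")
        if not line:
            self.blank += 1                  # held back: may be trailing
            return
        self.hash.update(b"\r\n" * self.blank + line + b"\r\n")
        self.blank, self.seen = 0, True

    def body(self, chunk):                   # step 5: chunks may split anywhere
        *lines, self.pending = (self.pending + chunk).split(b"\r\n")
        for line in lines:
            self._line(line)

    def eom(self):                           # step 6: first point a verdict exists
        if self.pending:
            self._line(self.pending)         # final line lacked CRLF
        if not self.seen and not self.relaxed:
            self.hash.update(b"\r\n")        # "simple" empty body is one CRLF
        got = base64.b64encode(self.hash.digest()).decode()
        return "bodyhash-ok" if got == self.tags.get("bh") else "bodyhash-mismatch"

def check_message(headers, chunks):
    v = BodyHashCheck()
    for h in headers:
        v.header(h)
    if v.eoh() == "nosig":
        return "nosig"
    for c in chunks:
        v.body(c)
    return v.eom()
```

Trailing empty lines are held back in `blank` because only at end of message is it known whether they are trailing, so even a correct body hash cannot be confirmed from a prefix of the body.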