Yahoo Groups archive

Milter-greylist

DKIM support in milter-greylist?

2008-08-19 by Michael Mansour

Hi,

When most recently turning on the SPF facility in milter-greylist, I must say
I'm very happy with the results. Using the SPF blacklist functionality I've
been able to reduce even further the already little amount of spam making it
into the servers.

For my stats, spam making it in (to be processed by other filters) has reduced
from 1.5% to 0.5% at the end of each day.

I'm glad I did this so looking at other email verification techniques (like
DKIM and digitally signing outgoing emails like Yahoo does) would it be a good
idea to implement support for this in milter-greylist?

I currently use the Mail::DKIM perl module for SA to score for DK signed emails.

Michael.

Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-19 by manu@netbsd.org

Michael Mansour <mic@...> wrote:

> I'm glad I did this so looking at other email verification techniques (like
> DKIM and digitally signing outgoing emails like Yahoo does) would it be a good
> idea to implement support for this in milter-greylist?

DKIM works with e-mail headers, so you cannot filter with that at RCPT
stage (racl statements). We could do it at DATA stage, though (dacl
statements).

Would you like to contribute support for that? What would the config look
like? We could mimic the SPF clauses in ACL: what are the possible DKIM
statuses? valid, failed, something else?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-19 by Michael Mansour

Hi Emmanuel,

> Michael Mansour <mic@...> wrote:
> 
> > I'm glad I did this so looking at other email verification techniques (like
> > DKIM and digitally signing outgoing emails like Yahoo does) would it be a good
> > idea to implement support for this in milter-greylist?
> 
> DKIM works with e-mail headers, so you cannot filter with that at
> RCPT stage (racl statements). We could do it at DATA stage, though (dacl
> statements).

I'm quite new to DKIM so since emailing here did the following:

* went to www.dkim.org to read up on DKIM

* downloaded the dkim-milter from sourceforge and started reading the
documentation there

Compiling the dkim-milter is quite fiddly so it's not a route I'd personally
like to take. Having support in milter-greylist similar to the SPF support
(ie. using the powerful ACL's that milter-greylist provides) would be much easier.

> Would you like to contribute support for that? 

I'd be happy to help where I can, yes.

> What would the config look like? We could mimic the SPF clauses in
> ACL: what are the possible DKIM statuses? valid, failed, something else?

A typical SPF entry I have is:

racl blacklist from /.*@domainname\.com*$/ spf softfail msg "Rejected (SPF
check failed), look at
http://www.openspf.org/why.html?sender=%f&ip=%i&receiver=%r"

Ideally, a DKIM entry should mimic this with:

dacl blacklist from /.*@domainname\.com*$/ dkim fail msg "Rejected (DKIM check
failed), look at http://www.blahblah.org/why.html"

In terms of the DKIM returned status, from looking at the www.dkim.org site,
it seems to me there are only two statuses, verified or unverified (pass or fail).

I've gone and taken a look at one of my spam messages which came from
yahoo.com (which signs everything with its own older DomainKeys system) and
the header looks like:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=Received:X-Mailer:Date:From:Reply-To:Subject:To:MIME-Version:Content-Type:Message-ID;
b=z1PqxYrxvgjKQo9+hdIKPGamA/nglEtpEQXazNWRHXP3zRML3S5BLrOyA7eYJcqiYFfmUZgGLcVO3hAiGk91LCgvU2Y1P+P+oCyV1vQXx18FfP7FC+DUF1Ib3yJY7wP8ek6XKCe2eS31iJlJaxjsJ4kXS2OVf85hlNfWEaFJvzg=;

and my SA report looks like:

0.00	DKIM_SIGNED	Domain Keys Identified Mail: message has a signature
-0.00	DKIM_VERIFIED	Domain Keys Identified Mail: signature passes verification

I use the Mail::DKIM perl module under SA to do this check.

It's also worth noting the supporters list:

http://www.dkim.org/deploy/supporters.html

and End user organisations which use it:

http://www.dkim.org/deploy/users/index.htm

Regards,

Michael.

Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-19 by manu@netbsd.org

Michael Mansour <mic@...> wrote:

> In terms of the DKIM returned status, from looking at the www.dkim.org site,
> it seems to me there are only two statuses, verified or unverified (pass or fail).

To which we need to add at least the "none" state (no DKIM header), and
perhaps "bogus" if the library returns an error.

And we would have such a clause:
dkim {none|bogus|signed|verified}

What library should we use? sendmail's dkim-milter has an internal
libdkim. Would we import it or depend on it as an external software
package? Or use another library? Opinions?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-20 by manu@netbsd.org

Moving a bit further...

dkim-milter comes with a library (libdkim), which seems a good candidate
for usage in milter-greylist.

We start by calling once dkim_init(), then dkim_verify() for each
message we want to verify. Then we call dkim_header(), dkim_eoh(),
dkim_body(), dkim_eom(), dkim_getpresult(), and dkim_free(). Each should
be called at different milter callback stages.

DKIM statuses are:

DKIM_STAT_OK -- successful completion
DKIM_STAT_BADSIG -- signature did not match headers and body
DKIM_STAT_NOSIG -- no signature present
DKIM_STAT_NOKEY -- no key available for verifying
DKIM_STAT_CANTVRFY -- can't get key for verifying
DKIM_STAT_SYNTAX -- message is not in valid syntax
DKIM_STAT_NORESOURCE -- resource unavailable
DKIM_STAT_INTERNAL -- internal error
DKIM_STAT_REVOKED -- signing key revoked
DKIM_STAT_INVALID -- invalid
DKIM_STAT_NOTIMPLEMENT -- function not implemented
DKIM_STAT_KEYFAIL -- key retrieval failed (try again later)
DKIM_STAT_CBREJECT -- callback requested message rejection
DKIM_STAT_CBTRYAGAIN -- callback can't complete (try again later)
DKIM_STAT_CBERROR -- unspecified callback error
DKIM_STAT_MULTIDNSREPLY -- multiple DNS replies

We probably want to have meta-statuses to check in our ACL. In fact, these
might be enough; I'm not convinced there is a need for checking the
detailed error codes. Moreover, that would prevent us from adopting a
second DKIM library later.

So here are the proposed meta-status:
pass -> ok
fail -> badsig, nokey, revoked, cbreject
none -> nosig
unknown -> cantvrfy
error -> syntax, invalid, notimplement, invalid, cberror, multidnsreply

keyfail and cbtryagain should probably just cause a tempfail, without
returning the value for testing to the ACL code.

internal is about memory allocation issues and callbacks being called in
the wrong order. That should cause the milter to exit.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
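The mapping proposed in the message above, written out as an added example in C (not code from milter-greylist or from dkim-milter). It assumes a stand-in enum that only reuses the DKIM_STAT_* names listed in the post, with constructed numeric values, so it compiles without libdkim; the mg_dkim_* names are hypothetical. It treats keyfail/cbtryagain as a tempfail and internal as fatal, neither of which is exposed to the ACL, and, as an assumption the post does not state, sends every unlisted code (NORESOURCE, or codes a later library adds) to "error" rather than letting it fall through as a pass.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/*
 * Stand-in for libdkim's status codes. Only the names come from the post;
 * the numeric values are constructed here so the example is self-contained.
 * Do not mix this enum with the real dkim.h.
 */
typedef enum {
    DKIM_STAT_OK, DKIM_STAT_BADSIG, DKIM_STAT_NOSIG, DKIM_STAT_NOKEY,
    DKIM_STAT_CANTVRFY, DKIM_STAT_SYNTAX, DKIM_STAT_NORESOURCE,
    DKIM_STAT_INTERNAL, DKIM_STAT_REVOKED, DKIM_STAT_INVALID,
    DKIM_STAT_NOTIMPLEMENT, DKIM_STAT_KEYFAIL, DKIM_STAT_CBREJECT,
    DKIM_STAT_CBTRYAGAIN, DKIM_STAT_CBERROR, DKIM_STAT_MULTIDNSREPLY
} DKIM_STAT;

/* The five ACL meta-statuses from the post, plus two outcomes that are
 * decided before the ACL is consulted (hypothetical names). */
typedef enum {
    MG_DKIM_PASS, MG_DKIM_FAIL, MG_DKIM_NONE, MG_DKIM_UNKNOWN, MG_DKIM_ERROR,
    MG_DKIM_TEMPFAIL,   /* keyfail, cbtryagain: ask the MTA to retry later */
    MG_DKIM_FATAL       /* internal: allocation or call-order bug, exit */
} mg_dkim_meta;

static const char *mg_dkim_meta_name[] = {
    "pass", "fail", "none", "unknown", "error", "tempfail", "fatal"
};

/* Collapse a libdkim result into the meta-status the ACL keyword tests. */
mg_dkim_meta mg_dkim_classify(DKIM_STAT st)
{
    switch (st) {
    case DKIM_STAT_OK:
        return MG_DKIM_PASS;
    case DKIM_STAT_BADSIG:
    case DKIM_STAT_NOKEY:
    case DKIM_STAT_REVOKED:
    case DKIM_STAT_CBREJECT:
        return MG_DKIM_FAIL;
    case DKIM_STAT_NOSIG:
        return MG_DKIM_NONE;
    case DKIM_STAT_CANTVRFY:
        return MG_DKIM_UNKNOWN;
    case DKIM_STAT_SYNTAX:
    case DKIM_STAT_INVALID:
    case DKIM_STAT_NOTIMPLEMENT:
    case DKIM_STAT_CBERROR:
    case DKIM_STAT_MULTIDNSREPLY:
        return MG_DKIM_ERROR;
    case DKIM_STAT_KEYFAIL:
    case DKIM_STAT_CBTRYAGAIN:
        return MG_DKIM_TEMPFAIL;
    case DKIM_STAT_INTERNAL:
        return MG_DKIM_FATAL;
    default:
        /* Assumption: codes the post does not classify (NORESOURCE, or
         * ones a newer library adds) count as "error", never as "pass". */
        return MG_DKIM_ERROR;
    }
}

const char *mg_dkim_meta_str(mg_dkim_meta m)
{
    return mg_dkim_meta_name[m];
}

/*
 * Does a "dacl ... dkim <keyword>" clause match this verification result?
 * tempfail and fatal never reach the ACL, so no keyword matches them, and a
 * misspelled keyword matches nothing rather than silently whitelisting mail.
 */
bool mg_dkim_acl_match(const char *keyword, DKIM_STAT st)
{
    mg_dkim_meta m = mg_dkim_classify(st);
    if (m == MG_DKIM_TEMPFAIL || m == MG_DKIM_FATAL)
        return false;
    return strcmp(keyword, mg_dkim_meta_name[m]) == 0;
}

int main(void)
{
    /* Constructed sample results, as if returned by dkim_getpresult(). */
    DKIM_STAT samples[] = { DKIM_STAT_OK, DKIM_STAT_BADSIG, DKIM_STAT_NOSIG,
                            DKIM_STAT_KEYFAIL, DKIM_STAT_INTERNAL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        mg_dkim_meta m = mg_dkim_classify(samples[i]);
        printf("stat %d -> %s, matches 'dkim fail': %s\n", (int)samples[i],
               mg_dkim_meta_str(m),
               mg_dkim_acl_match("fail", samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

The point of keeping tempfail and fatal out of the ACL is that a transient DNS failure should never be able to match a blacklist clause and bounce legitimate mail, and a library bug should never be able to match a whitelist clause and let mail through.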

Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-21 by manu@netbsd.org

Michael Mansour <mic@...> wrote:

> > Would you like to contribute support for that? 
> I'd be happy to help where I can, yes.

Ok, so it's time to help.
Please checkout latest milter-greylist from CVS, and configure with
--with-openssl and --with-dkim

--with-openssl must point to the directory containing
include/openssl/*.h and lib/libcrypto.*
--with-dkim must point to dkim-milter source directory. You must have
built dkim-milter first.

Then you can add to your DATA-stage ACL dkim clauses, and tell me how it
works. Running with debug flag is advised.

Warning: this is highly experimental. It just builds at mine, I have not
even tested it (and I cannot test it since I have no account at a
DKIM-enabled domain).

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-25 by Ondrej Valousek

One question:
How would I allow mails from a certain domain (typically yahoo.com) to
skip the racl greylisting allowing the latter dacl processing?
Thanks,

Ondrej


Re: [milter-greylist] DKIM support in milter-greylist?

2008-08-30 by manu@netbsd.org

Ondrej Valousek <webserv@...> wrote:

> How would I allow mails from a certain domain (typically yahoo.com) to
> skip the racl greylisting allowing the latter dacl processing?

I guess you want something like this:

racl whitelist domain /@.../
(...)
dacl whitelist dkim valid
dacl blacklist domain /@.../
-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...
