Posted to server-user@james.apache.org by Mark Hale <ma...@gmail.com> on 2008/10/01 06:47:21 UTC

DomainKeys - Tim Brown's Mailet

I was wondering if anyone uses Tom Brown's Domain Keys mailet.  If so,
do you have samples of how the mailet is invoked in config.xml for
both the Signer and Verifier?

Thanks!

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org


Re: DomainKeys - Tim Brown's Mailet

Posted by Mark Hale <ma...@gmail.com>.
Hi Tom,

Thanks a lot.  That helps to get started.  Examples go a long way.

Do you have an example of the other mailet for DomainKeyVerifier?

I am also not entirely clear where these go.  Does DomainKeySigner go
in the transport processor and DomainKeyVerifier in the root
processor?

I appreciate the help Tom.

Mark


On Thu, Oct 2, 2008 at 3:01 PM, Tom Brown <to...@gmail.com> wrote:
> Hi Mark,
>
> Here is a good example configuration (for config.xml):
>
> The classname of the signer mailet is:
> org.apache.mailet.domainkeys.DomainKeySigner
> The classname of the verification mailet is:
> org.apache.mailet.domainkeys.DomainKeyVerifier
>
> <mailet class="DomainKeySigner">
>  <privateKeyFile>/path/to/key/file</privateKeyFile>
>  <canonicalization>nofws</canonicalization>
>  <domain>my.domain.here.com</domain>
>  <selector>DK_selector</selector>
>  <hashType>hash_type_to_sign_with</hashType>
>  <signableHeaders>comma,separated,list,of,headers,that,should,be,signed</signableHeaders>
> </mailet>
>
>
> Is this what you are looking for?
>
> Tom Brown
>
>
> On Tue, Sep 30, 2008 at 10:47 PM, Mark Hale <ma...@gmail.com> wrote:
>> I was wondering if anyone uses Tom Brown's Domain Keys mailet.  If so,
>> do you have samples of how the mailet is invoked in config.xml for
>> both the Signer and Verifier?
>>
>> Thanks!
>>
>> Mark
>>
>



Re: DomainKeys - Tim Brown's Mailet

Posted by Tom Brown <to...@gmail.com>.
A few years ago I contributed mailets that would cause email to be
signed with a Yahoo! Domain Keys signature (or verify the signature).
Due to legal questions regarding patents, the code was not added to
the main James repository, but made available to all as a separate
download. The mailets can be found here:

https://issues.apache.org/jira/browse/JAMES-752

I'm not sure where the best place to put the signer mailet is, but its
location in the configuration (and its matcher) should be designed so
that it only signs outgoing messages. The verifier should of course be
placed in the configuration so as to verify incoming mail. I'm sorry I
can't be more specific about this.

The DomainKeysVerifier accepts one optional parameter: "dns-server"
which can be used to explicitly set the DNS server that will be used
for looking up the DomainKeys DNS entries.

I hope this helps...

Tom Brown

On Thu, Oct 2, 2008 at 5:44 PM, Jerry M <te...@malcolms.com> wrote:
> Where is the starting point (source/download/documentation/process/etc.) for
> this mailet? I'm interested.  But this is the first I've heard of it.
>
> Thanks.
>
>
>
>
>



Re: DomainKeys - Tom Brown's Mailet

Posted by Stefano Bagnara <ap...@bago.org>.
Tom Brown wrote:
> A few years ago I contributed mailets that would cause email to be
> signed with a Yahoo! Domain Keys signature (or verify the signature).
> Due to legal questions regarding patents, the code was not added to
> the main James repository, but made available to all as a separate
> download. The mailets can be found here:
> 
> https://issues.apache.org/jira/browse/JAMES-752
> 
> I'm not sure where the best place to put the signer mailet is, but its
> location in the configuration (and its matcher) should be designed so
> that it only signs outgoing messages. The verifier should of course be
> placed in the configuration so as to verify incoming mail. I'm sorry I
> can't be more specific about this.
> 
> The DomainKeysVerifier accepts one optional parameter: "dns-server"
> which can be used to explicitly set the DNS server that will be used
> for looking up the DomainKeys DNS entries.
> 
> I hope this helps...

I can add that the Legal team at Apache finally reviewed the DomainKey
patent and here is the related issue:

https://issues.apache.org/jira/browse/LEGAL-22

The result is that they added this statement to the resolved legal
issues (http://www.apache.org/legal/resolved.html):

-----
* Does the Yahoo! DomainKeys Patent License Agreement v1.2 raise any
concerns?

No.
-----

If I understand it correctly this means we can finally include it in our
repository and release it.

Maybe the "mailet-crypto" product is the right place:
http://svn.apache.org/repos/asf/james/mailet/crypto/trunk/

Stefano



Re: DomainKeys - Tim Brown's Mailet

Posted by Tom Brown <to...@gmail.com>.
Jerry,

It is easy to verify messages, because verification instructions are
essentially built in to the message. Signing messages, however, is a
little more complex. You can read the spec
(http://www.ietf.org/rfc/rfc4870.txt), or check my descriptions below:

To verify a signed message:

After the DomainKeyVerifier mailet has processed a message, a
"DomainKey-Status" header is added to the message. This header
contains the results of the verification, and will be one of the
following values:
    good
    bad
    revoked
    bad format
    internal error
    no key
    no signature
    non participant

Most of these only hint at the legitimacy of the email and are not a
conclusive sign that the message may be valid or spam.  However, you
should be able to whitelist "good" ones, and immediately mark "bad"
or "revoked" ones as spam. You can check the official spec if you want
the official definition of the status header.



To sign a message:

The DK verification process is done using public/private key
encryption. This means that the message signature is created using a
private key (that only you know), and can be verified by a public key
(which is made available to anyone in the world).

Each domain that will be sending signed email must have a DNS entry
that contains a public key. Since organizations may not want to be
limited to a single key, a "selector" must also be determined. The
"selector" can be any arbitrary alphanumeric string of your choosing.
The "selector" is combined with the domain name to determine the DNS
name under which the public key is published. You must set up the DNS
record at "_domainkey.SELECTORNAME.yourdomainname.com".

After a DNS record is set up for each domain you wish to sign, you can
configure the DomainKeySigner mailet. You mentioned that your server
sends mail for over 50 different domains. As currently coded, you will
need 50 different DomainKeySigner mailet instances in your
configuration. However, if you're willing to change the source code
yourself, you can save yourself some entries in the config.xml.

If possible, I suggest that you use the same key to sign all the
different domains. You still have to publish a DomainKey DNS record
for each different domain, but the contents of the entries can be
roughly the same. You will have to change the source code to use the
domain specified by the "FROM" when signing the message, rather than
by using the hard-coded configuration entry.


Here is a more explicit definition of the DomainKeySigner mailet parameters:

    privateKeyFile - Required. The name of a file that contains the
private key that will be used to sign this message.

    domain - Required. The domain name from which the message is sent.

    selector - Required. The name of the selector to be associated
with the signature.

    canonicalization - Required. Accepted values are currently "simple"
or "nofws". You should use "nofws" if you're unsure.

    hashType - Required. Accepted values are currently "SHA1" or "SHA256".

    signableHeaders - Optional. A comma-separated list of header names
that will be signed. See the spec for details.



I'm sorry a simple turn-key solution is not available, but in the
interest of stopping SPAM on the internet, I'll be happy to help you
get this up and running. Please ask any more questions as they arise.

Tom Brown



On Fri, Oct 3, 2008 at 10:35 AM, Jerry M <te...@malcolms.com> wrote:
> Tom,
>
> Thanks for the pointer to the source.  Is there any documentation (i.e.
> cookbook) on how to install and use this other than the info in this current
> thread on the forum?  I understand the basic concept.  But your sample
> config.xml entry in the post a couple of days ago was very generic, and I
> still can't find the precise syntax for including the other mailet in
> config.xml.
>
> A few questions... you list some syntax of
>
> <signableHeaders>comma,separated,list,of,headers,that,should,be,signed</signableHeaders>
>
> I'm completely new to this.  How do I KNOW what headers need to be signed?
>  What is the default?  Why would I have the choice of randomly selecting
> headers for signing?
>
> Also, you show:
> <domain>my.domain.here.com</domain>
>
> I host over 50 independent domains on my server.  Do I need a mailet entry
> in config.xml for EVERY domain name that I want to use this for?
>
> What I would really like is an example of a working config file entry as
> well as the syntax.
>
> I appreciate the work you have done for implementing this.  And I'm sure
> there are many people who understand domainKeys that would have no problem
> picking up your code and running with it, given their previous knowledge.
>  But there are those of us out here who can barely spell 'domainKey', but
> need desperately to get this implemented.  Any basic step by step examples
> would be greatly appreciated.
>
> Thanks.
>
> Jerry
>
>
>

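The verification statuses and the signing notes in Tom's reply above, worked through as an added Python example. This is not code from the thread or from the James DomainKeys mailets: it assumes a message text that the DomainKeyVerifier has already stamped with a DomainKey-Status header, a per-domain table of the signer parameters Tom lists (the per-From-domain dispatch he says would need a source change), and the public-key record name in the form RFC 4870 (linked in the reply) specifies, <selector>._domainkey.<domain>. All sample messages, domains and file paths are constructed.

```python
"""Added example (not part of the thread or the James mailets): a policy layer
over the DomainKey-Status header, a DNS record-name helper, and a per-domain
signer-config lookup keyed on the From address."""
from email import message_from_string
from email.utils import parseaddr

# Status values from the reply, mapped to the action it suggests: whitelist
# "good", treat "bad"/"revoked" as spam, and let everything else fall through
# to normal filtering because those values only hint at legitimacy.
STATUS_ACTIONS = {
    "good": "allow",
    "bad": "spam",
    "revoked": "spam",
    "bad format": "neutral",
    "internal error": "neutral",
    "no key": "neutral",
    "no signature": "neutral",
    "non participant": "neutral",
}


def classify(raw_message):
    """Return (status, action) for a message that has passed the verifier.
    A missing or unknown status is neutral, never a pass: only an explicit
    "good" may whitelist."""
    msg = message_from_string(raw_message)
    status = (msg.get("DomainKey-Status") or "").strip().lower()
    if not status:
        return "missing", "neutral"
    return status, STATUS_ACTIONS.get(status, "neutral")


def dns_record_name(selector, domain):
    """Name of the TXT record that holds the public key for this selector.
    Follows RFC 4870: <selector>._domainkey.<domain> (assumption: the
    reply's own wording orders the labels differently; the RFC form is used)."""
    return "%s._domainkey.%s" % (selector, domain.rstrip("."))


def signer_config_for(from_header, configs, shared_key_file):
    """Pick signer parameters by the From domain instead of a hard-coded
    <domain> entry. Every domain shares one private key (as the reply
    recommends) unless its entry names its own. Returns None for a domain
    that publishes no key, so the message goes out unsigned rather than
    carrying a signature nobody can verify."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain not in configs:
        return None
    cfg = dict(configs[domain])
    cfg.setdefault("privateKeyFile", shared_key_file)
    cfg.setdefault("canonicalization", "nofws")  # the reply's safe default
    cfg["domain"] = domain
    cfg["dnsRecord"] = dns_record_name(cfg["selector"], domain)
    return cfg


# Constructed per-domain table; keys and selectors are placeholders.
CONFIGS = {
    "example.com": {"selector": "DK_selector", "hashType": "SHA256"},
    "example.org": {"selector": "mail2008", "hashType": "SHA1",
                    "privateKeyFile": "/etc/james/keys/example.org.pem"},
}
SHARED_KEY = "/etc/james/keys/shared-domainkey.pem"

# Constructed messages as they would look after the verifier mailet ran.
GOOD_MSG = ("From: Alice <alice@example.com>\nTo: bob@example.net\n"
            "Subject: report\nDomainKey-Status: good\n\nbody\n")
REVOKED_MSG = ("From: Alice <alice@example.com>\nTo: bob@example.net\n"
               "Subject: report\nDomainKey-Status: revoked\n\nbody\n")
UNSIGNED_MSG = ("From: Carol <carol@example.net>\nTo: bob@example.net\n"
                "Subject: hi\n\nbody\n")

if __name__ == "__main__":
    for name, text in (("good", GOOD_MSG), ("revoked", REVOKED_MSG),
                       ("unsigned", UNSIGNED_MSG)):
        print(name, "->", classify(text))
    print(signer_config_for("Alice <alice@Example.com>", CONFIGS, SHARED_KEY))
    print(signer_config_for("eve@other.example", CONFIGS, SHARED_KEY))
```

The "neutral" bucket is deliberate: the reply stresses that most statuses are only hints, so this code never promotes anything but an explicit "good" to the whitelist, and a missing header is treated the same as "no signature".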


Re: DomainKeys - Tim Brown's Mailet

Posted by Jerry M <te...@malcolms.com>.
Tom,

thank you so much.  That's a good start.  I WILL be in touch.... :-)

Jerry






Re: DomainKeys - Tim Brown's Mailet

Posted by Jerry M <te...@malcolms.com>.
Tom,

Thanks for the pointer to the source.  Is there any documentation (i.e. 
cookbook) on how to install and use this other than the info in this 
current thread on the forum?  I understand the basic concept.  But your 
sample config.xml entry in the post a couple of days ago was very 
generic, and I still can't find the precise syntax for including the 
other mailet in config.xml.

A few questions... you list some syntax of

<signableHeaders>comma,separated,list,of,headers,that,should,be,signed</signableHeaders>

I'm completely new to this.  How do I KNOW what headers need to be signed?  What is the default?  Why would I have the choice of randomly selecting headers for signing?

Also, you show:  

<domain>my.domain.here.com</domain>

I host over 50 independent domains on my server.  Do I need a mailet 
entry in config.xml for EVERY domain name that I want to use this for?

What I would really like is an example of a working config file entry as 
well as the syntax.

I appreciate the work you have done for implementing this.  And I'm sure 
there are many people who understand domainKeys that would have no 
problem picking up your code and running with it, given their previous 
knowledge.  But there are those of us out here who can barely spell 
'domainKey', but need desperately to get this implemented.  Any basic 
step by step examples would be greatly appreciated.

Thanks.

Jerry





Re: DomainKeys - Tim Brown's Mailet

Posted by Jerry M <te...@malcolms.com>.
Where is the starting point (source/download/documentation/process/etc.) 
for this mailet? I'm interested.  But this is the first I've heard of it.

Thanks.







Re: DomainKeys - Tim Brown's Mailet

Posted by Tom Brown <to...@gmail.com>.
Hi Mark,

Here is a good example configuration (for config.xml):

The classname of the signer mailet is:
org.apache.mailet.domainkeys.DomainKeySigner
The classname of the verification mailet is:
org.apache.mailet.domainkeys.DomainKeyVerifier

<mailet class="DomainKeySigner">
 <privateKeyFile>/path/to/key/file</privateKeyFile>
 <canonicalization>nofws</canonicalization>
 <domain>my.domain.here.com</domain>
 <selector>DK_selector</selector>
 <hashType>hash_type_to_sign_with</hashType>
 <signableHeaders>comma,separated,list,of,headers,that,should,be,signed</signableHeaders>
</mailet>


Is this what you are looking for?

Tom Brown


On Tue, Sep 30, 2008 at 10:47 PM, Mark Hale <ma...@gmail.com> wrote:
> I was wondering if anyone uses Tom Brown's Domain Keys mailet.  If so,
> do you have samples of how the mailet is invoked in config.xml for
> both the Signer and Verifier?
>
> Thanks!
>
> Mark
>
