Posted to server-user@james.apache.org by Jerry Malcolm <te...@malcolms.com> on 2019/12/27 16:49:07 UTC

DKIM With Virtual Hosting

I know just enough about DKIM to be very dangerous... so bear with me 
here...

I am still struggling with mail I send being bounced.  In the interim to 
protect my clients, I configured some of my tomcat apps to use Amazon's 
SES (SMTP) service bypassing my JAMES server.  I analyzed the mail sent 
via AWS just to see what might be different.  One thing I see is TWO 
DKIM signatures... one for the "from" domain of the email and another 
for the sending host domain "amazonaws.com".

I have had JAMES configured with DKIM for years. But all I have is a 
DKIM signature for my main server domain and not for each individual 
sending domain.  mail-tester.com hasn't complained. But again, mail is 
bouncing from some domains like icloud.com, outlook.com, etc.  So 
"something" is still wrong.... Everything is on the table as possibly 
flawed right now.

So what is the 'right' way to do DKIM?  I am going to assume that if AWS 
is signing for both the virtual domain and the sending server domain, 
that's probably a good thing.  But I don't see a way in the JAMES DKIM 
mailet to add a second signature for the sending virtual host domain.

Am I missing something?  Is my DKIM fine with only signing the basic 
server?  Should I continue to look elsewhere for my problems?  Or should 
I do additional work to start signing the virtual sending domain as well?

Thx

Jerry


---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
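
As an added example (not part of the original post and not JAMES code): a Python sketch that lists every DKIM-Signature on a message, shows where each public key is looked up, and checks whether the signing domain (d=) matches the From: domain, the comparison DMARC calls alignment. The domains, selectors and sample messages are constructed, and the alignment test is a simplified stand-in for DMARC's organizational-domain comparison.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: virtual-domain mail signed only by the server's own domain.
SERVER_ONLY = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailhost.example;\n"
    " s=main; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: Shop <orders@client.example>\n"
    "To: someone@recipient.example\n"
    "Subject: test\n\nbody\n"
)

# Constructed sample 2: the same mail carrying two signatures, as described for SES.
TWO_SIGNATURES = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=client.example; s=sel1;\n"
    " h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n" + SERVER_ONLY
)


def parse_tags(header_value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Header folding leaves whitespace inside values; drop it.
            tags[name.strip()] = "".join(value.split())
    return tags


def is_aligned(signing_domain, from_domain):
    """Simplified relaxed alignment (assumption of this example): the domains
    are equal or one is a subdomain of the other. A full check compares
    organizational domains using the Public Suffix List."""
    a = signing_domain.lower().rstrip(".")
    b = from_domain.lower().rstrip(".")
    short, long_ = sorted((a, b), key=len)
    if "." not in short:  # never let a bare TLD count as a match
        return False
    return long_ == short or long_.endswith("." + short)


def dkim_report(raw_message):
    """Return the From: domain and one row per DKIM-Signature header."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    rows = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d, s = tags.get("d", ""), tags.get("s", "")
        rows.append({
            "d": d,
            "key_record": f"{s}._domainkey.{d}",  # DNS TXT name of the public key
            "aligned": bool(d) and is_aligned(d, from_domain),
        })
    return from_domain, rows


def has_aligned_signature(raw_message):
    """True if at least one signature's d= matches the From: domain."""
    return any(row["aligned"] for row in dkim_report(raw_message)[1])


if __name__ == "__main__":
    for name, raw in (("server only", SERVER_ONLY), ("two signatures", TWO_SIGNATURES)):
        print(name, dkim_report(raw), has_aligned_signature(raw))
```

Running it against the raw source of a delivered message (saved from the recipient's mailbox) shows which signatures survived transit and which domain each one vouches for.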


Re: DKIM With Virtual Hosting

Posted by Matthieu Baechler <ma...@apache.org>.
Hi Jerry,
Here is what gmail thinks about your email:

DKIM validation fails. It can be a problem with the way you sign the
mail or a problem with the Apache mailing-list implementation.
Could you send me a direct mail to matthieu@apache.org so that I can
check?
Cheers,
-- Matthieu Baechler
On Fri, 2019-12-27 at 10:49 -0600, Jerry Malcolm wrote:
> I know just enough about DKIM to be very dangerous... so bear with
> me 
> here...
> 
> I am still struggling with mail I send being bounced.  In the interim
> to 
> protect my clients, I configured some of my tomcat apps to use
> Amazon's 
> SES (SMTP) service bypassing my JAMES server.  I analyzed the mail
> sent 
> via AWS just to see what might be different.  One thing I see is TWO 
> DKIM signatures... one for the "from" domain of the email and
> another 
> for the sending host domain "amazonaws.com".
> 
> I have had JAMES configured with DKIM for years. But all I have is a 
> DKIM signature for my main server domain and not for each individual 
> sending domain.  mail-tester.com hasn't complained. But again, mail
> is 
> bouncing from some domains like icloud.com, outlook.com, etc.  So 
> "something" is still wrong.... Everything is on the table as
> possibly 
> flawed right now.
> 
> So what is the 'right' way to do DKIM?  I am going to assume that if
> AWS 
> is signing for both the virtual domain and the sending server
> domain, 
> that's probably a good thing.  But I don't see a way in the JAMES
> DKIM 
> mailet to add a second signature for the sending virtual host domain.
> 
> Am I missing something?  Is my DKIM fine with only signing the basic 
> server?  Should I continue to look elsewhere for my problems?  Or
> should 
> I do additional work to start signing the virtual sending domain as
> well?
> 
> Thx
> 
> Jerry
> 

Re: DKIM With Virtual Hosting

Posted by Jerry Malcolm <te...@malcolms.com>.
On 12/28/2019 9:49 AM, Garry Hurley wrote:
> I wonder if the problem is not with your setup but with the spam filters on your recipients’ machines. You might remember that AOL used to be notorious for marking messages from certain domains as ‘untrusted’ and ‘possible spam’ even though a large percentage of the spam on the Internet originated from or passed through relays at AOL. Something similar might be happening to you, since AWS is a widely used hosting platform and they don’t check up on their clients’ instances to see if those machines are compromised or are compromising other systems. They simply lack the resources to do so.
>
> Sent from my iPhone

Garry,

Thanks for the info.  But that still begs the question why 'my' question 
on the forum was flagged by Peter's gmail and no other posts from the 
apache server were flagged.

My overriding problem still exists with having some mail bounced.  But 
I'd like to circle back to the original question on this thread about 
how DKIM should be configured in JAMES when sending for virtual 
domains.  Should I have a DKIM signature for the virtual host domain 
sending the email as well as a DKIM signature for my smtp server's 
domain the way AWS's email service does?  If so, how is that done in JAMES?

Thx.




Re: DKIM With Virtual Hosting

Posted by Garry Hurley <ga...@gmail.com>.
I wonder if the problem is not with your setup but with the spam filters on your recipients’ machines. You might remember that AOL used to be notorious for marking messages from certain domains as ‘untrusted’ and ‘possible spam’ even though a large percentage of the spam on the Internet originated from or passed through relays at AOL. Something similar might be happening to you, since AWS is a widely used hosting platform and they don’t check up on their clients’ instances to see if those machines are compromised or are compromising other systems. They simply lack the resources to do so. 

Sent from my iPhone

> On Dec 28, 2019, at 8:16 AM, Peter Henderson <pe...@starjar.com> wrote:
> 
> Hi Jerry,
> 
> Your original message was the only one I've seen which was flagged
> suspicious. All other posts on the james user list are received without
> suspicion.
> For completeness, your reply to my feedback was not flagged.
> 
> HTH
> 
> Peter.
> 
> -- 
> Peter Henderson



Re: DKIM With Virtual Hosting

Posted by Peter Henderson <pe...@starjar.com>.
Hi Jerry,

Your original message was the only one I've seen which was flagged
suspicious. All other posts on the james user list are received without
suspicion.
For completeness, your reply to my feedback was not flagged.

HTH

Peter.




On Sat, 28 Dec 2019 at 01:07, Jerry Malcolm <te...@malcolms.com> wrote:

> Hi Peter,
>
> Actually this tells me a lot.  The message that I posted that you
> received and gmail flagged did not come directly from my james server.
> My post went to the Apache JAMES forum, and the forum server re-sent it
> out to you and other subscribers.   Anything related to my JAMES server,
> my ip address, DKIM, spf, etc would have been scrubbed from the message
> before the forum server redistributed it.  So if gmail flagged it, it
> must have been something related to the content in the message itself or
> something related to Apache's James Forum server.  Do you get other
> posts to this forum that are flagged as suspicious, or was it only
> mine?  I'm sure gmail is not going to be much help in informing what it
> found that made it suspicious.
>
> Thx
>
> Jerry

-- 
Peter Henderson

Re: DKIM With Virtual Hosting

Posted by Jerry Malcolm <te...@malcolms.com>.
Hi Peter,

Actually this tells me a lot.  The message that I posted that you 
received and gmail flagged did not come directly from my james server.  
My post went to the Apache JAMES forum, and the forum server re-sent it 
out to you and other subscribers.   Anything related to my JAMES server, 
my ip address, DKIM, spf, etc would have been scrubbed from the message 
before the forum server redistributed it.  So if gmail flagged it, it 
must have been something related to the content in the message itself or 
something related to Apache's James Forum server.  Do you get other 
posts to this forum that are flagged as suspicious, or was it only 
mine?  I'm sure gmail is not going to be much help in informing what it 
found that made it suspicious.

Thx

Jerry

On 12/27/2019 5:45 PM, Peter Henderson wrote:
> FYI
> My gmail client, RED flagged your message as suspicious.
> So I diligently read the content, then clicked the "it's safe" button.
>
> Otherwise I can't help.
>
> HTH
> Peter.


Re: DKIM With Virtual Hosting

Posted by Peter Henderson <pe...@starjar.com>.
On Fri, 27 Dec 2019 at 16:50, Jerry Malcolm <te...@malcolms.com> wrote:

> I know just enough about DKIM to be very dangerous... so bear with me
> here...
>
> I am still struggling with mail I send being bounced.  In the interim to
> protect my clients, I configured some of my tomcat apps to use Amazon's
> SES (SMTP) service bypassing my JAMES server.  I analyzed the mail sent
> via AWS just to see what might be different.  One thing I see is TWO
> DKIM signatures... one for the "from" domain of the email and another
> for the sending host domain "amazonaws.com".
>
> I have had JAMES configured with DKIM for years. But all I have is a
> DKIM signature for my main server domain and not for each individual
> sending domain.  mail-tester.com hasn't complained. But again, mail is
> bouncing from some domains like icloud.com, outlook.com, etc.  So
> "something" is still wrong.... Everything is on the table as possibly
> flawed right now.
>
> So what is the 'right' way to do DKIM?  I am going to assume that if AWS
> is signing for both the virtual domain and the sending server domain,
> that's probably a good thing.  But I don't see a way in the JAMES DKIM
> mailet to add a second signature for the sending virtual host domain.
>
> Am I missing something?  Is my DKIM fine with only signing the basic
> server?  Should I continue to look elsewhere for my problems?  Or should
> I do additional work to start signing the virtual sending domain as well?
>
> Thx
>
> Jerry
>
FYI
My gmail client, RED flagged your message as suspicious.
So I diligently read the content, then clicked the "it's safe" button.

Otherwise I can't help.

HTH
Peter.







-- 
Peter Henderson