Posted to server-user@james.apache.org by Jerry Malcolm <te...@malcolms.com> on 2019/12/27 16:49:07 UTC
DKIM With Virtual Hosting
I know just enough about DKIM to be very dangerous... so bear with me
here...
I am still struggling with mail I send being bounced. In the interim to
protect my clients, I configured some of my tomcat apps to use Amazon's
SES (SMTP) service bypassing my JAMES server. I analyzed the mail sent
via AWS just to see what might be different. One thing I see is TWO
DKIM signatures... one for the "from" domain of the email and another
for the sending host domain "amazonaws.com".
I have had JAMES configured with DKIM for years. But all I have is a
DKIM signature for my main server domain and not for each individual
sending domain. mail-tester.com hasn't complained. But again, mail is
bouncing from some domains like icloud.com, outlook.com, etc. So
"something" is still wrong.... Everything is on the table as possibly
flawed right now.
So what is the 'right' way to do DKIM? I am going to assume that if AWS
is signing for both the virtual domain and the sending server domain,
that's probably a good thing. But I don't see a way in the JAMES DKIM
mailet to add a second signature for the sending virtual host domain.
Am I missing something? Is my DKIM fine with only signing the basic
server? Should I continue to look elsewhere for my problems? Or should
I do additional work to start signing the virtual sending domain as well?
Thx
Jerry
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
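An added example, not part of the original post and not Apache JAMES code: the difference described above (one signature for the "from" domain, one for the sending host) comes down to which `d=` domain each DKIM-Signature header names. The sketch below lists each signature's `d=` and selector and compares the domain with the From domain, which is the alignment DMARC evaluates; it does not verify signatures cryptographically. The messages and `.example` domains are constructed, and treating the last two labels as the organizational domain is a simplifying assumption (a real check uses the Public Suffix List).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: signed once for the From domain and once for the relay host.
TWO_SIGS = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=client.example;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=relay.example;
 s=sel2; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@client.example>
To: bob@recipient.example
Subject: constructed test message

body
"""

# Constructed sample: signed only for the mail server's own domain.
HOST_ONLY = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailhost.example;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: Alice <alice@client.example>
To: bob@recipient.example
Subject: constructed test message

body
"""


def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value carries no meaning.
            tags[name.strip()] = "".join(val.split())
    return tags


def org_domain(domain):
    """Assumption: the organizational domain is the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def alignment_report(raw_message):
    """Return (d= domain, selector, alignment) for every DKIM-Signature."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        d = tags.get("d", "").lower()
        if d and d == from_domain:
            mode = "strict"
        elif d and org_domain(d) == org_domain(from_domain):
            mode = "relaxed"
        else:
            mode = "none"
        report.append((d, tags.get("s", ""), mode))
    return report


def has_aligned_signature(raw_message):
    """True if at least one signature's d= aligns with the From domain."""
    return any(mode != "none" for _, _, mode in alignment_report(raw_message))
```
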
Re: DKIM With Virtual Hosting
Posted by Matthieu Baechler <ma...@apache.org>.
Hi Jerry,
Here is what gmail thinks about your email:
DKIM validation fails. It can be a problem with the way you sign the
mail or a problem with Apache mailing-list implementation.
Could you send me a direct mail to matthieu@apache.org so that I can
check?
Cheers,
-- Matthieu Baechler
On Fri, 2019-12-27 at 10:49 -0600, Jerry Malcolm wrote:
> I know just enough about DKIM to be very dangerous... so bear with
> me
> here...
>
> I am still struggling with mail I send being bounced. In the interim
> to
> protect my clients, I configured some of my tomcat apps to use
> Amazon's
> SES (SMTP) service bypassing my JAMES server. I analyzed the mail
> sent
> via AWS just to see what might be different. One thing I see is TWO
> DKIM signatures... one for the "from" domain of the email and
> another
> for the sending host domain "amazonaws.com".
>
> I have had JAMES configured with DKIM for years. But all I have is a
> DKIM signature for my main server domain and not for each individual
> sending domain. mail-tester.com hasn't complained. But again, mail
> is
> bouncing from some domains like icloud.com, outlook.com, etc. So
> "something" is still wrong.... Everything is on the table as
> possibly
> flawed right now.
>
> So what is the 'right' way to do DKIM? I am going to assume that if
> AWS
> is signing for both the virtual domain and the sending server
> domain,
> that's probably a good thing. But I don't see a way in the JAMES
> DKIM
> mailet to add a second signature for the sending virtual host domain.
>
> Am I missing something? Is my DKIM fine with only signing the basic
> server? Should I continue to look elsewhere for my problems? Or
> should
> I do additional work to start signing the virtual sending domain as
> well?
>
> Thx
>
> Jerry
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
Re: DKIM With Virtual Hosting
Posted by Jerry Malcolm <te...@malcolms.com>.
On 12/28/2019 9:49 AM, Garry Hurley wrote:
> I wonder if the problem is not with your setup but with the spam filters on your recipients’ machines. You might remember that AOL used to be notorious for marking messages from certain domains as ‘untrusted’ and ‘possible spam’ even though a large percentage of the spam on the Internet originated from or passed through relays at AOL. Something similar might be happening to you, since AWS is a widely used hosting platform and they don’t check up on their clients’ instances to see if those machines are compromised or are compromising other systems. They simply lack the resources to do so.
>
> Sent from my iPhone
Garry,
Thanks for the info. But that still begs the question why 'my' question
on the forum was flagged by Peter's gmail and no other posts from the
apache server were flagged.
My overriding problem still exists with having some mail bounced. But
I'd like to circle back to the original question on this thread about
how DKIM should be configured in JAMES when sending for virtual
domains. Should I have a DKIM signature for the virtual host domain
sending the email as well as a DKIM signature for my smtp server's
domain the way AWS's email service does? If so, how is that done in JAMES?
Thx.
>
>> On Dec 28, 2019, at 8:16 AM, Peter Henderson <pe...@starjar.com> wrote:
>>
>> Hi Jerry,
>>
>> Your original message was the only one I've seen which was flagged
>> suspicious. All other posts on the james user list are received without
>> suspicion.
>> For completeness, your reply to my feedback was not flagged.
>>
>> HTH
>>
>> Peter.
>>
>>
>>
>>
>>> On Sat, 28 Dec 2019 at 01:07, Jerry Malcolm <te...@malcolms.com> wrote:
>>>
>>> Hi Peter,
>>>
>>> Actually this tells me a lot. The message that I posted that you
>>> received and gmail flagged did not come directly from my james server.
>>> My post went to the Apache JAMES forum, and the forum server re-sent it
>>> out to you and other subscribers. Anything related to my JAMES server,
>>> my ip address, DKIM, spf, etc would have been scrubbed from the message
>>> before the forum server redistributed it. So if gmail flagged it, it
>>> must have been something related to the content in the message itself or
>>> something related to Apache's James Forum server. Do you get other
>>> posts to this forum that are flagged as suspicious, or was it only
>>> mine? I'm sure gmail is not going to be much help in informing what it
>>> found that made it suspicious.
>>>
>>> Thx
>>>
>>> Jerry
>>>
>>>> On 12/27/2019 5:45 PM, Peter Henderson wrote:
>>>> On Fri, 27 Dec 2019 at 16:50, Jerry Malcolm <te...@malcolms.com>
>>> wrote:
>>>>> I know just enough about DKIM to be very dangerous... so bear with me
>>>>> here...
>>>>>
>>>>> I am still struggling with mail I send being bounced. In the interim to
>>>>> protect my clients, I configured some of my tomcat apps to use Amazon's
>>>>> SES (SMTP) service bypassing my JAMES server. I analyzed the mail sent
>>>>> via AWS just to see what might be different. One thing I see is TWO
>>>>> DKIM signatures... one for the "from" domain of the email and another
>>>>> for the sending host domain "amazonaws.com".
>>>>>
>>>>> I have had JAMES configured with DKIM for years. But all I have is a
>>>>> DKIM signature for my main server domain and not for each individual
>>>>> sending domain. mail-tester.com hasn't complained. But again, mail is
>>>>> bouncing from some domains like icloud.com, outlook.com, etc. So
>>>>> "something" is still wrong.... Everything is on the table as possibly
>>>>> flawed right now.
>>>>>
>>>>> So what is the 'right' way to do DKIM? I am going to assume that if AWS
>>>>> is signing for both the virtual domain and the sending server domain,
>>>>> that's probably a good thing. But I don't see a way in the JAMES DKIM
>>>>> mailet to add a second signature for the sending virtual host domain.
>>>>>
>>>>> Am I missing something? Is my DKIM fine with only signing the basic
>>>>> server? Should I continue to look elsewhere for my problems? Or should
>>>>> I do additional work to start signing the virtual sending domain as
>>> well?
>>>>> Thx
>>>>>
>>>>> Jerry
>>>>>
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>>>>> For additional commands, e-mail: server-user-help@james.apache.org
>>>>>
>>>>>
>>>> FYI
>>>> My gmail client, RED flagged your message as suspicious.
>>>> So I diligently read the content, then clicked the "it's safe" button.
>>>>
>>>> Otherwise I can't help.
>>>>
>>>> HTH
>>>> Peter.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>>> For additional commands, e-mail: server-user-help@james.apache.org
>>>
>>>
>> --
>> Peter Henderson
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
Re: DKIM With Virtual Hosting
Posted by Garry Hurley <ga...@gmail.com>.
I wonder if the problem is not with your setup but with the spam filters on your recipients’ machines. You might remember that AOL used to be notorious for marking messages from certain domains as ‘untrusted’ and ‘possible spam’ even though a large percentage of the spam on the Internet originated from or passed through relays at AOL. Something similar might be happening to you, since AWS is a widely used hosting platform and they don’t check up on their clients’ instances to see if those machines are compromised or are compromising other systems. They simply lack the resources to do so.
Sent from my iPhone
> On Dec 28, 2019, at 8:16 AM, Peter Henderson <pe...@starjar.com> wrote:
>
> Hi Jerry,
>
> Your original message was the only one I've seen which was flagged
> suspicious. All other posts on the james user list are received without
> suspicion.
> For completeness, your reply to my feedback was not flagged.
>
> HTH
>
> Peter.
>
>
>
>
>> On Sat, 28 Dec 2019 at 01:07, Jerry Malcolm <te...@malcolms.com> wrote:
>>
>> Hi Peter,
>>
>> Actually this tells me a lot. The message that I posted that you
>> received and gmail flagged did not come directly from my james server.
>> My post went to the Apache JAMES forum, and the forum server re-sent it
>> out to you and other subscribers. Anything related to my JAMES server,
>> my ip address, DKIM, spf, etc would have been scrubbed from the message
>> before the forum server redistributed it. So if gmail flagged it, it
>> must have been something related to the content in the message itself or
>> something related to Apache's James Forum server. Do you get other
>> posts to this forum that are flagged as suspicious, or was it only
>> mine? I'm sure gmail is not going to be much help in informing what it
>> found that made it suspicious.
>>
>> Thx
>>
>> Jerry
>>
>>> On 12/27/2019 5:45 PM, Peter Henderson wrote:
>>> On Fri, 27 Dec 2019 at 16:50, Jerry Malcolm <te...@malcolms.com>
>> wrote:
>>>
>>>> I know just enough about DKIM to be very dangerous... so bear with me
>>>> here...
>>>>
>>>> I am still struggling with mail I send being bounced. In the interim to
>>>> protect my clients, I configured some of my tomcat apps to use Amazon's
>>>> SES (SMTP) service bypassing my JAMES server. I analyzed the mail sent
>>>> via AWS just to see what might be different. One thing I see is TWO
>>>> DKIM signatures... one for the "from" domain of the email and another
>>>> for the sending host domain "amazonaws.com".
>>>>
>>>> I have had JAMES configured with DKIM for years. But all I have is a
>>>> DKIM signature for my main server domain and not for each individual
>>>> sending domain. mail-tester.com hasn't complained. But again, mail is
>>>> bouncing from some domains like icloud.com, outlook.com, etc. So
>>>> "something" is still wrong.... Everything is on the table as possibly
>>>> flawed right now.
>>>>
>>>> So what is the 'right' way to do DKIM? I am going to assume that if AWS
>>>> is signing for both the virtual domain and the sending server domain,
>>>> that's probably a good thing. But I don't see a way in the JAMES DKIM
>>>> mailet to add a second signature for the sending virtual host domain.
>>>>
>>>> Am I missing something? Is my DKIM fine with only signing the basic
>>>> server? Should I continue to look elsewhere for my problems? Or should
>>>> I do additional work to start signing the virtual sending domain as
>> well?
>>>>
>>>> Thx
>>>>
>>>> Jerry
>>>>
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>>>> For additional commands, e-mail: server-user-help@james.apache.org
>>>>
>>>>
>>> FYI
>>> My gmail client, RED flagged your message as suspicious.
>>> So I diligently read the content, then clicked the "it's safe" button.
>>>
>>> Otherwise I can't help.
>>>
>>> HTH
>>> Peter.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>> For additional commands, e-mail: server-user-help@james.apache.org
>>
>>
>
> --
> Peter Henderson
Re: DKIM With Virtual Hosting
Posted by Peter Henderson <pe...@starjar.com>.
Hi Jerry,
Your original message was the only one I've seen which was flagged
suspicious. All other posts on the james user list are received without
suspicion.
For completeness, your reply to my feedback was not flagged.
HTH
Peter.
On Sat, 28 Dec 2019 at 01:07, Jerry Malcolm <te...@malcolms.com> wrote:
> Hi Peter,
>
> Actually this tells me a lot. The message that I posted that you
> received and gmail flagged did not come directly from my james server.
> My post went to the Apache JAMES forum, and the forum server re-sent it
> out to you and other subscribers. Anything related to my JAMES server,
> my ip address, DKIM, spf, etc would have been scrubbed from the message
> before the forum server redistributed it. So if gmail flagged it, it
> must have been something related to the content in the message itself or
> something related to Apache's James Forum server. Do you get other
> posts to this forum that are flagged as suspicious, or was it only
> mine? I'm sure gmail is not going to be much help in informing what it
> found that made it suspicious.
>
> Thx
>
> Jerry
>
> On 12/27/2019 5:45 PM, Peter Henderson wrote:
> > On Fri, 27 Dec 2019 at 16:50, Jerry Malcolm <te...@malcolms.com>
> wrote:
> >
> >> I know just enough about DKIM to be very dangerous... so bear with me
> >> here...
> >>
> >> I am still struggling with mail I send being bounced. In the interim to
> >> protect my clients, I configured some of my tomcat apps to use Amazon's
> >> SES (SMTP) service bypassing my JAMES server. I analyzed the mail sent
> >> via AWS just to see what might be different. One thing I see is TWO
> >> DKIM signatures... one for the "from" domain of the email and another
> >> for the sending host domain "amazonaws.com".
> >>
> >> I have had JAMES configured with DKIM for years. But all I have is a
> >> DKIM signature for my main server domain and not for each individual
> >> sending domain. mail-tester.com hasn't complained. But again, mail is
> >> bouncing from some domains like icloud.com, outlook.com, etc. So
> >> "something" is still wrong.... Everything is on the table as possibly
> >> flawed right now.
> >>
> >> So what is the 'right' way to do DKIM? I am going to assume that if AWS
> >> is signing for both the virtual domain and the sending server domain,
> >> that's probably a good thing. But I don't see a way in the JAMES DKIM
> >> mailet to add a second signature for the sending virtual host domain.
> >>
> >> Am I missing something? Is my DKIM fine with only signing the basic
> >> server? Should I continue to look elsewhere for my problems? Or should
> >> I do additional work to start signing the virtual sending domain as
> well?
> >>
> >> Thx
> >>
> >> Jerry
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> >> For additional commands, e-mail: server-user-help@james.apache.org
> >>
> >>
> > FYI
> > My gmail client, RED flagged your message as suspicious.
> > So I diligently read the content, then clicked the "it's safe" button.
> >
> > Otherwise I can't help.
> >
> > HTH
> > Peter.
> >
> >
> >
> >
> >
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>
--
Peter Henderson
Re: DKIM With Virtual Hosting
Posted by Jerry Malcolm <te...@malcolms.com>.
Hi Peter,
Actually this tells me a lot. The message that I posted that you
received and gmail flagged did not come directly from my james server.
My post went to the Apache JAMES forum, and the forum server re-sent it
out to you and other subscribers. Anything related to my JAMES server,
my ip address, DKIM, spf, etc would have been scrubbed from the message
before the forum server redistributed it. So if gmail flagged it, it
must have been something related to the content in the message itself or
something related to Apache's James Forum server. Do you get other
posts to this forum that are flagged as suspicious, or was it only
mine? I'm sure gmail is not going to be much help in informing what it
found that made it suspicious.
Thx
Jerry
On 12/27/2019 5:45 PM, Peter Henderson wrote:
> On Fri, 27 Dec 2019 at 16:50, Jerry Malcolm <te...@malcolms.com> wrote:
>
>> I know just enough about DKIM to be very dangerous... so bear with me
>> here...
>>
>> I am still struggling with mail I send being bounced. In the interim to
>> protect my clients, I configured some of my tomcat apps to use Amazon's
>> SES (SMTP) service bypassing my JAMES server. I analyzed the mail sent
>> via AWS just to see what might be different. One thing I see is TWO
>> DKIM signatures... one for the "from" domain of the email and another
>> for the sending host domain "amazonaws.com".
>>
>> I have had JAMES configured with DKIM for years. But all I have is a
>> DKIM signature for my main server domain and not for each individual
>> sending domain. mail-tester.com hasn't complained. But again, mail is
>> bouncing from some domains like icloud.com, outlook.com, etc. So
>> "something" is still wrong.... Everything is on the table as possibly
>> flawed right now.
>>
>> So what is the 'right' way to do DKIM? I am going to assume that if AWS
>> is signing for both the virtual domain and the sending server domain,
>> that's probably a good thing. But I don't see a way in the JAMES DKIM
>> mailet to add a second signature for the sending virtual host domain.
>>
>> Am I missing something? Is my DKIM fine with only signing the basic
>> server? Should I continue to look elsewhere for my problems? Or should
>> I do additional work to start signing the virtual sending domain as well?
>>
>> Thx
>>
>> Jerry
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>> For additional commands, e-mail: server-user-help@james.apache.org
>>
>>
> FYI
> My gmail client, RED flagged your message as suspicious.
> So I diligently read the content, then clicked the "it's safe" button.
>
> Otherwise I can't help.
>
> HTH
> Peter.
>
>
>
>
>
>
>
Re: DKIM With Virtual Hosting
Posted by Peter Henderson <pe...@starjar.com>.
On Fri, 27 Dec 2019 at 16:50, Jerry Malcolm <te...@malcolms.com> wrote:
> I know just enough about DKIM to be very dangerous... so bear with me
> here...
>
> I am still struggling with mail I send being bounced. In the interim to
> protect my clients, I configured some of my tomcat apps to use Amazon's
> SES (SMTP) service bypassing my JAMES server. I analyzed the mail sent
> via AWS just to see what might be different. One thing I see is TWO
> DKIM signatures... one for the "from" domain of the email and another
> for the sending host domain "amazonaws.com".
>
> I have had JAMES configured with DKIM for years. But all I have is a
> DKIM signature for my main server domain and not for each individual
> sending domain. mail-tester.com hasn't complained. But again, mail is
> bouncing from some domains like icloud.com, outlook.com, etc. So
> "something" is still wrong.... Everything is on the table as possibly
> flawed right now.
>
> So what is the 'right' way to do DKIM? I am going to assume that if AWS
> is signing for both the virtual domain and the sending server domain,
> that's probably a good thing. But I don't see a way in the JAMES DKIM
> mailet to add a second signature for the sending virtual host domain.
>
> Am I missing something? Is my DKIM fine with only signing the basic
> server? Should I continue to look elsewhere for my problems? Or should
> I do additional work to start signing the virtual sending domain as well?
>
> Thx
>
> Jerry
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
> For additional commands, e-mail: server-user-help@james.apache.org
>
>
FYI
My gmail client, RED flagged your message as suspicious.
So I diligently read the content, then clicked the "it's safe" button.
Otherwise I can't help.
HTH
Peter.
--
Peter Henderson