
qmail-scanner + DomainKeys HOWTO

mian

Guest
This small HOWTO will allow you to sign outgoing messages with DomainKeys http://antispam.yahoo.com/domainkeys. It is useful if you are using art's qmail-scanner RPM which modifies the qmail process to go from qmail-queue -> qmail-scanner.pl -> qmail-queue.orig to qmail-queue -> qmail-scanner.pl -> qmail-dk -> qmail-queue.orig. You can enable DomainKey verification with another option such as SpamAssassin.

One thing: Plesk does not allow you to enter hostnames with an underscore in them. To get around this, you can just enter 'domainkey' without the underscore, then manually update the dns_recs table to make it '_domainkey'.

Download libdomainkeys from http://sourceforge.net/projects/domainkeys/
Download qmail-dk-patch from http://www.qmail.org/qmail-1.03-dk-0.53.patch
Download qmail source from ftp://ftp.jp.qmail.org/qmail/qmail-1.03.tar.gz

Compile libdomainkeys
Code:
tar -zxvf libdomainkeys-0.67.tar.gz
cd libdomainkeys-0.67
make

Generate DomainKey
Code:
./dknewkey default
# add this record to your Plesk domain template so all domains get it
default._domainkey  IN  TXT "k=rsa; p=MEwwDQYJKoZIhvvbfdgvfdBQADOwAwOAIxALoXn7ejsFvfIkdRo6UxmmW2BXbCOuRGc42XxDDrKHQKVMnAc0vEztfngdfgdAB"

mkdir /etc/domainkeys
cp default /etc/domainkeys
chown qmailq:qmail /etc/domainkeys/default
chmod 400 /etc/domainkeys/default

-r--------  1 qmailq qmail 400 Aug 26 17:11 /etc/domainkeys/default

Untar qmail to libdomainkeys directory, patch and compile
Code:
tar -zxvf ../qmail-1.03.tar.gz

cd qmail-1.03
patch -p0 < ../../qmail-1.03-dk-0.53.patch

make qmail-dk

# if you receive an error regarding errno edit error.h and add #include "errno.h" before extern int errno;

cp qmail-dk /var/qmail/bin/qmail-dk
chown qmailq:qmail /var/qmail/bin/qmail-dk
chmod 4511 /var/qmail/bin/qmail-dk

-r-s--x--x  1 qmailq qmail 33844 Aug 26 17:15 /var/qmail/bin/qmail-dk

Patch qmail-scanner-queue.pl to sign messages
Code:
nano -w /var/qmail/bin/qmail-scanner-queue.pl

# approx line 1584 
sub qmail_requeue {
  my($sender,$env_recips,$msg)=@_;
  my ($temp,$findate);

  # check rcpthosts file for relaying domains
  open(RCPTHOSTS, "</var/qmail/control/rcpthosts");
  while (<RCPTHOSTS>) {
    chomp;
    if (/^$domain_returnpath$/i || $domain_returnpath =~ /$_$/i) {
      # match found
      # set DKSIGN variable to private key to sign with
      # set DKQUEUE to original qmail-queue to spawn
      $ENV{'DKSIGN'}='/etc/domainkeys/default';
      $ENV{'DKQUEUE'}=$qmailqueue;

      # set $qmailqueue to qmail-dk so qmail-scanner calls it to sign keys
      $qmailqueue  = '/var/qmail/bin/qmail-dk';
      &minidebug("Signing message from $returnpath with a DomainKey");
    }
  }
  close(RCPTHOSTS);

  &debug("q_r: fork off child into $qmailqueue...");

Send a message to yourself and check the qmail-queue.log
Code:
tail /var/spool/qmailscan/qmail-queue.log
Signing message from [email protected] with DomainKey

If you view the message source in Thunderbird you should see the DomainKey record

Code:
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=default; d=blah.com;
  b=vHk1tQnQBvdfgdfgsfdS/FmrDgfdgbF/oaMhJpde1SsOGbiFKbqIjsYYxfm4KSP86b  ;

You can also verify your DNS records using

http://domainkeys.sourceforge.net/policycheck.html
http://domainkeys.sourceforge.net/selectorcheck.html
 
This post was written in 2005, so I am not sure if it's entirely correct for my system... BUT..

I am curious, I thought plesk was already using qmail, as it turns out, it's not even on my system.

Also, I read a post "qmail vs sendmail" and then I thought... HMMM... IF I change over to qmail in order to get domainKeys working, does that mean I have to start using "qmail()" in my code instead of "sendMail()"????

I am lost, I guess, to put it bluntly, but either way I HAVE to have a DomainKeys solution.. My site sends out thousands of emails a day, and it's hard when Yahoo is always rejecting confirmation numbers and ****
 
Everything is OK except this error:

Sat, 28 Apr 2007 18:03:01 EEST:32322: error_condition: X-Qmail-Scanner-2.01st: Requeuing: Unmatched [ in regex; marked by <-- HERE in m/^[ <-- HERE ]$/ at /var/qmail/bin/qmail-scanner-queue.pl line 1746, <RCPTHOSTS> line 1.

Can you help me?
 
I've followed this and also have the same error message as hesham55, can anyone help?
 
Same problem with DomainKeys / Plesk / Qmail / Qmail-Scanner

Just tried with the most up-to-date version of the different files and I am having the exact same problem (from the qmail log file):

Requeuing: Unmatched [ in regex; marked by <-- HERE in m/^[ <-- HERE ]$/ at /var/qmail/bin/qmail-scanner-queue.pl line 1747, <RCPTHOSTS> line 1.

Looking at the code, it's the line after 'chomp':

# check rcpthosts file for relaying domains
open(RCPTHOSTS, "</var/qmail/control/rcpthosts");
while (<RCPTHOSTS>) {
chomp;
if (/^$domain_returnpath$/i || \$domain_returnpath =~ /$_$/i) {
# match found
# set DKSIGN variable to private key to sign with
# set DKQUEUE to original qmail-queue to spawn
$ENV{'DKSIGN'}='/etc/domainkeys/default';
$ENV{'DKQUEUE'}=$qmailqueue;

# set $qmailqueue to qmail-dk so qmail-scanner calls it to sign keys
$qmailqueue = '/var/qmail/bin/qmail-dk';
&minidebug("Signing message from $returnpath with a DomainKey");

I thought that maybe the problem is in the variables, so I enclosed them in \Q...\E but it does seem to help:

if (/^\Q$domain_returnpath\E$/i || \Q$domain_returnpath\E =~ /$_$/i) {

Any suggestions?

Ajack
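The requeue test quoted in this thread compiles both the sender domain and each rcpthosts line as a Perl pattern, so any metacharacter in either string becomes regex syntax, and the unanchored suffix test also accepts look-alike domains. The following is an added example, not part of any post above and not qmail-scanner's own code: it compares the strings directly and handles the leading-dot wildcard form of rcpthosts. The function names and sample values are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (hypothetical helper): is the sender domain listed in
# rcpthosts? Plain string comparison, nothing is compiled as a regex.
sub domain_in_rcpthosts {
    my ($domain, @entries) = @_;
    return 0 unless defined $domain && length $domain;
    $domain = lc $domain;
    for my $entry (@entries) {
        next unless defined $entry;
        $entry =~ s/^\s+|\s+$//g;          # tolerate CRLF and stray blanks
        next if $entry eq '';              # an empty line must match nothing
        $entry = lc $entry;
        return 1 if $domain eq $entry;     # exact host entry
        # rcpthosts wildcard: ".example.com" covers hosts ending in it
        return 1 if substr($entry, 0, 1) eq '.'
                 && length($domain) > length($entry)
                 && substr($domain, -length($entry)) eq $entry;
    }
    return 0;
}

# The test as posted in the thread, wrapped in eval so that a pattern
# that fails to compile is reported instead of aborting the requeue.
sub howto_match {
    my ($domain, $line) = @_;
    my $hit = eval { ($line =~ /^$domain$/i || $domain =~ /$line$/i) ? 1 : 0 };
    return defined $hit ? ($hit ? 'match' : 'no match') : 'dies';
}

# Constructed sample data, not taken from a real server.
my @rcpthosts = ('blah.com', '.customers.example', '');
for my $d ('blah.com', 'notblah.com', 'a.customers.example', '[]') {
    printf "%-22s posted test vs blah.com: %-9s direct compare: %d\n",
        $d, howto_match($d, 'blah.com'), domain_in_rcpthosts($d, @rcpthosts);
}
```

In the posted loop there is also no `last` after a match, so a second matching line would copy `/var/qmail/bin/qmail-dk` into `DKQUEUE`; returning on the first hit, as the helper does, avoids that.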
 
oh! at last! DomainKey support will be available in Plesk Unix 8.4 :)

BTW, gentlemen,

What are you interested in in the first place:
signing of outgoing mail or incoming mail checking?
As for me, I do not think that incoming mail checking with DomainKey is an effective antispam solution right now.
 
DomainKey in Plesk 8.4

This is excellent news. I really need to implement DomainKeys for all my domains on all my servers...
 
Domain Keys have been supported by spamassassin since I think 2002. Odds are you've been checking for them all along.

Possibly, but what I am looking for is signing my outgoing mail... Do you know if there is a way to do that with qmail-scanner? That older post is evidently not accurate...

Thanks in advance for any help

Ajack
 
Does anyone have any insight as to when the 8.4 Nix release is to happen? I am tired of my customers' emails not making it to their inbox.
 
[root@localhost qmail-1.03]# less /var/qmail/bin/qmail-scanner-queue.pl
/var/qmail/bin/qmail-scanner-queue.pl: No such file or directory


Does anyone know where qmail-scanner-queue.pl is in 8.0.1? I'm unable to find it.

Thank you.
 
Hello, thank you for your fast response. I have enabled the atomic repo and I have successfully installed qmail-scanner. Now, I'm having the same problem as ajack.
I'm getting:

Apr 29 08:12:08 localhost X-Qmail-Scanner-2.02st: [localhost.localdomain120948192879124300] Requeuing: Unmatched [ in regex; marked by <-- HERE in m/^[ <-- HERE ]$/ at /var/qmail/bin/qmail-scanner-queue.pl line 1778, <RCPTHOSTS> line 1.
Apr 29 08:12:08 localhost qmail: 1209481928.387371 warning: trouble injecting bounce message, will try later


And I believe it is due to this portion of the regex code:

# check rcpthosts file for relaying domains
open(RCPTHOSTS, "</var/qmail/control/rcpthosts");
while (<RCPTHOSTS>) {
chomp;
if (/^$domain_returnpath$/i || $domain_returnpath =~ /$_$/i) {


Can someone please advise?

Thank you very much
 
Modify /etc/qmail-scanner.ini to your liking and run as root qmail-scanner-reconfigure and see if that clears it up. You will also need to remove the Plesk spamassassin and Dr Web antivirus modules for it to work correctly.
 
exi1ed0ne, thank you again.

I checked the file /etc/qmail-scanner.ini but I do not know what changes I need to make there.
My clients use SpamAssassin, as do I. Is there no way to set up Yahoo DomainKeys with SpamAssassin?

Thank you in advance.
 
Search the forums at atomicrocketturtle.com for the options in qmail-scanner.ini

Qmail scanner doesn't work with Plesk's version of spamassassin. You will need to go to the "mainstream" version of spamassassin and clamav. That's just the way it goes unfortunately. However you will get a more modern and capable version of spamassassin, even if there is no whizbang GUI for it.
 
I think the correct approach to the problem is this:
if (/^\$domain_returnpath$/i || $domain_returnpath =~ /$_$/i) {

At least this one worked for me.

Cheers
 
Error

Doesn't work for me... I get the following error... any clues...

@400000004a9e787207f36c5c Global symbol "$domain_returnpath" requires explicit package name at /var/qmail/bin/qmail-scanner-queue.pl line 1454.
@400000004a9e787207f3742c BEGIN not safe after errors--compilation aborted at /var/qmail/bin/qmail-scanner-queue.pl line 2000.

qmail scanner Version: 2.05
qmail 1.05
 