DKFilter - Frequently Asked Questions

Here are some frequently asked questions, with answers.

How do I sign email submitted locally using sendmail?
Outgoing messages get stuck in the queue before getting signed. The Postfix log files report TLS handshake error. What causes this?
I get "socket connect failure: Connection refused" or "socket connect failure: Invalid argument". What causes this?
No messages are signed. The logs report "signing error - message parse error". What am I doing wrong?
Outgoing mail is getting an Authentication-Results header instead of the expected DomainKey-Signature. Verifiers report "no signature". What's going on?

How do I sign email submitted locally using `sendmail`?

Email submitted using Postfix sendmail on the same server as dkfilter will not get signed unless you add the content_filter option to the pickup interface in master.cf.

master.cf:

pickup    fifo  n       -       n       60      1       pickup
    -o content_filter=dksign:127.0.0.1:10027

Outgoing messages get stuck in the queue before getting signed. The Postfix log files report TLS handshake error. What causes this?

Postfix is trying to use TLS (encryption) when sending email through the content filter. This won't work. You'll need to configure your post-dksign-smtpd server to not announce TLS support, or configure your pre-dksign-smtp client to not use TLS.

This example shows how to configure the post-dksign-smtpd server to not announce TLS support.

master.cf:

#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
    -o smtpd_use_tls=no
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

I get "socket connect failure: Connection refused" or "socket connect failure: Invalid argument". What causes this?

You are running dkfilter.in and/or dkfilter.out, and you connect to the listening port, but the connection is terminated immediately. Furthermore, you get the following output from dkfilter:

./dkfilter.in: socket connect failure: Connection refused

(On some platforms, the error is socket connect failure: Invalid argument.)

The filter is unable to connect to its "destination" port. Normally, Postfix should be listening on this port. Make sure you have added the appropriate entries to master.cf for the listening port and have restarted Postfix.

No messages are signed. The logs report "signing error - message parse error". What am I doing wrong?

Do you have the Mail::DomainKeys CPAN module installed, in addition to dkfilter? If so, dkfilter may be using the CPAN module instead of its own bundled Mail::DomainKeys module. This may be occuring if you are starting dkfilter using perl dkfilter.out, rather than ./dkfilter.out.

Outgoing mail is getting an Authentication-Results header instead of the expected DomainKey-Signature. Verifiers report "no signature". What's going on?

Your outgoing mail is going through the Dkfilter verifier (dkfilter.in) instead of the Dkfilter signer (dkfilter.out). Messages are verified or signed depending on which Postfix port you submit the mail on. If you followed my instructions, Postfix port 25 mail gets verified (this is the port other MTAs use to send mail to you) and Postfix port 587 mail gets signed. Most email clients (e.g. Thunderbird) default to port 25, so you should change that to port 587. (Port 587 is the standard mail submission port according to RFC 2476.)