			DK-MILTER PACKAGE

This directory has the latest open source DomainKeys filter software from
Sendmail, Inc.

There is a web site at http://sourceforge.net/projects/dk-milter that is
home for the latest updates.  There is also a mailing list available there
for discussion and support called "dk-milter-discuss".  If you are using
this filter, you should be on the list.

Report any bugs to dk-milter-discuss@lists.sourceforge.net.


+--------------+
| INTRODUCTION |
+--------------+

The dk-milter package is an open source implementation of the DomainKeys
sender authentication system proposed by Yahoo!, Inc.  It consists of a
library that implements the DomainKeys service, and a milter-based filter
application that can plug in to the sendmail MTA to provide that service
to sufficiently recent sendmail MTAs.

An optional asynchronous resolver library is also provided to work around
limitations of the basic BIND resolver which comes installed on most
systems.


+--------------+
| DEPENDENCIES |
+--------------+

To compile and operate, this package requires the following:

o OpenSSL (http://www.openssl.org, or ask your software vendor for a package)

o sendmail v8.13.0 (or later), and libmilter from the same distribution
  (http://www.sendmail.org)


+-----------------------+
| RELATED DOCUMENTATION |
+-----------------------+

Documentation about Sendmail, Inc.'s sender authentication scheme testing
program is available at http://www.sendmail.net.

Yahoo!'s DomainKeys page is available at http://antispam.yahoo.com/domainkeys.

The man page for dk-filter (the actual filter program) is present in the
dk-filter directory of this source distribution.

HTML-style documentation for libdk is available in libdk/docs in this source
distribution.

Refer to the INSTALL file for information about how to install dk-milter.
Additional compile-time features are listed in the FEATURES file.

The formal (historical) specification for DomainKeys can be found in
RFC4870 from the IETF, a copy of which is included in this distribution.


+---------+
| WARNING |
+---------+

Since dk-milter uses cryptography, the following information from OpenSSL
applies to this package as well.

PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY
SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING
TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME
PARTS OF THE WORLD.  SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR
COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL
SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE
YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT
AND/OR USE LAWS WHICH APPLY TO YOU.  THE AUTHORS ARE NOT LIABLE FOR
ANY VIOLATIONS YOU MAKE HERE.  SO BE CAREFUL, IT IS YOUR RESPONSIBILITY.

If you use OpenSSL then make sure you read their README file which
contains information about patents etc.


+---------------------+
| DIRECTORY STRUCTURE |
+---------------------+

devtools	m4-based build scripts and other data needed to compile
		the package.

libar		An optional thread-safe asynchronous resolver library.

libdk		A library that implements the proposed DomainKeys standard.

libdk/docs	HTML documentation describing the API provided by libdk.

dk-filter	A milter-based filter application which uses libdk (and
		optionally libar) to provide DomainKeys service via a
		sendmail MTA and the milter protocol.


+-------------------+
| PERFORMANCE NOTES |
+-------------------+

Courtesy of Thom O'Connor from Sendmail, Inc. who's doing a lot of the
initial performance and stress testing (slightly edited):


The key to building a dk-filter binary built for very high performance is
two-fold:

1. If poll() is available on your system, build libmilter to use poll()
rather than select(). This is accomplished by modifying your build
file (devtools/Site/site.config.m4) to contain this:

dnl # use poll() instead of select() in libmilter
APPENDDEF(`confENVDEF', `-DSM_CONF_POLL=1')dnl

Then build dk-filter with the resulting libmilter.a.  poll() is able to
handle higher descriptors than select() is on some systems.  During high
loads where lots of descriptors can be in simultaneous use, this can
become important.

2. Make sure to build dk-filter using the asynchronous (ARLIB) resolver.
This is accomplished by modifying libdk/Makefile.m4 to enable these lines:

APPENDDEF(`confENVDEF', `-DUSE_ARLIB ')
APPENDDEF(`confINCDIRS', `-I../libar/ ')

Also, edit dk-filter/Makefile.m4 to enable this line:

bldPUSH_SMLIB(`ar')

Obviously, overall throughput performance is then based on factors such as
CPU resource available, DNS performance, etc.  However, in benchmark tests
using 100% message signing or verification, on a 2-cpu linux box, I'm
getting consistent rates of over 100 messages signed or verified per second
with a 32kB average message size, and upwards of 200 messages
signed/verified per second when using 1kB messages. 


+----------------+
| RUNTIME ISSUES |
+----------------+

WARNING: sendmail symbol 'X' not available

 The filter attempted to get some information from the MTA which the MTA
 did not provide.

 At various points in the interaction between the MTA and the filter, certain
 macros containing information about the job in progress or the connection
 being handled are passed from the MTA to the filter.  The names of the macros
 the MTA should pass to the filter are defined by the "Milter.macros"
 settings in sendmail.cf, e.g. "Milter.macros.connect",
 "Milter.macros.envfrom", etc.  This message indicates that the filter needed
 the contents of macro X, but that macro was not passed down from the MTA.

 Typically the values needed by this filter are passed from the MTA if the
 sendmail.cf was generated by the usual m4 method.  If you do not have
 those options defined in your sendmail.cf, make sure your M4 configuration
 files are current and rebuild your sendmail.cf to get appropriate lines
 added to your sendmail.cf, and then restart sendmail.


MTA Timeouts

 By default, the MTA is configured to wait up to ten seconds for a response
 from a filter before giving up.  When querying remote nameservers
 for key and policy data, the DKIM filter may not get a response from the
 resolver within that time frame, and thus this MTA timeout will occur.
 This can cause messages to be rejected, temp-failed or delivered without
 verification, depending on the failure mode selected for the filter.

 When using the standard resolver library provided with your system, the
 DNS timeout cannot be adjusted.  If you encounter this problem, you must
 increase the time the MTA waits for replies.  See the documentation in
 the sendmail open source distribution (libmilter/README in particular)
 for instructions on changing these timeouts.

 When using the provided asynchronous resolver library, you can use the
 "-T" command line option to change the timeout so that it is shorter than
 the MTA timeout.
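
 The two checks described in this section, as an added example that is not
 part of the dk-milter distribution: it reads the "Milter.macros" settings
 and the per-filter reply timeout from a sendmail.cf and tests whether a
 resolver timeout given with "-T" expires before the MTA gives up.  The
 sample sendmail.cf lines, the filter names and the socket addresses are
 constructed; the "-T" value is assumed to be in seconds, and a timeout
 written without a unit is assumed to be seconds.

```python
import re

# Constructed sendmail.cf fragment (not taken from a real host).
SAMPLE_CF = """\
O InputMailFilters=dk-filter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}
Xdk-filter, S=inet:8891@localhost, F=T, T=C:5m;S:20s;R:30s;E:5m
Xother-filter, S=local:/var/run/other.sock
"""

MTA_DEFAULT_READ_TIMEOUT = 10   # the ten-second default described above
UNITS = {"s": 1, "m": 60, "h": 3600}

def to_seconds(value):
    """Convert '30s' or '5m' to seconds; a bare number is assumed to be seconds."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.strip())
    if not m:
        raise ValueError("unparseable timeout: %r" % value)
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def filter_read_timeouts(cf_text):
    """Map each filter (X line) to the seconds the MTA waits for its reply."""
    result = {}
    for line in cf_text.splitlines():
        if not line.startswith("X"):
            continue
        name, _, equates = line[1:].partition(",")
        timeout = MTA_DEFAULT_READ_TIMEOUT
        m = re.search(r"\bT=([^,]*)", equates)
        if m:
            # T= holds ';'-separated fields; R is the wait for a filter reply.
            for field in m.group(1).split(";"):
                key, _, val = field.partition(":")
                if key.strip() == "R" and val:
                    timeout = to_seconds(val)
        result[name.strip()] = timeout
    return result

def passed_macros(cf_text):
    """Map each Milter.macros.<stage> setting to the macro names it passes."""
    stages = {}
    for m in re.finditer(r"^O\s+Milter\.macros\.(\w+)=(.*)$", cf_text, re.M):
        stages[m.group(1)] = [x.strip() for x in m.group(2).split(",") if x.strip()]
    return stages

def resolver_timeout_ok(cf_text, filter_name, resolver_timeout):
    """True if the filter's DNS timeout (-T) expires before the MTA gives up."""
    return resolver_timeout < filter_read_timeouts(cf_text)[filter_name]
```

 A macro named in the "symbol not available" warning can be looked up in
 the result of passed_macros() to see whether any stage passes it.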


$Revision: 1.11 $, Last updated $Date: 2007/05/31 18:40:11 $