Forums & Blog

A SmarterTools-sponsored community.

DomainKeys and mails sent from website

Last post 04-14-2008 2:48 PM by dshippy. 9 replies.
  • 03-17-2008 4:02 PM

    • jp
    • Top 150 Contributor
    • Joined on 11-25-2004
    • Posts 67

    DomainKeys and mails sent from website

    Hi guys,

    I have a scenario, and I would like to know if it is a plausible one.

    a) I have a SmarterMail 5.x mailserver (and happy with it so far ;-) )

    b) I have a website that sends out automated emails; registration confirmations, events etc...

    c) I have already set up an SPF record that allows this scenario.

    d) I have not yet implemented DomainKeys on this domain.

    I would like to add DomainKeys to my domain. But I want to make sure that I do not run into any problems with this scenario. The automated emails I send from my website are not signed with the DomainKeys right now. How can I make sure that they are?

    1) Will the emails be signed if I just use the SmarterMail 5.x SMTP Server and send from that?

    2) Is there an API where I can connect to the SmarterMail server and send directly through that? Perhaps a webservice?

    3) If I set up the SmarterMail server as a smarthost for my IIS SMTP server (that I use right now) will the mails be signed?

    4) Are there some .NET APIs (preferably open source) where I can use the same key pair to sign my mails with a DomainKey?

    5) Do I have to do something completely different from one of the four above?

    I haven't tried anything yet because I do not want to risk my mails being sent with wrong signatures or have the DomainKeys setup on DNS and not signing mails. I am not sure what implications that would have.

    Thanks,
    JP

  • 03-21-2008 8:03 AM In reply to

    • jp
    • Top 150 Contributor
    • Joined on 11-25-2004
    • Posts 67

    Re: DomainKeys and mails sent from website

    Is there just something I haven't read in the documentation that is so obvious that you guys couldn't be bothered answering the question?

    Am I the only one with this concern?!? Or maybe my question is just plain gibberish and doesn't make any sense?

    Anyways... I would really like some input on this, even if it is info on how others have done this using other mailservers.

    /JP

  • 04-08-2008 9:19 PM In reply to

    Re: DomainKeys and mails sent from website

    Hey JP,

    Sounds like some good questions.  For #1 sounds like authentication is a prereq for domainkey signing, see below for more on that.

    For #2, you can use the ASP.net SMTP API, or in regular ASP it would be like this to send an authenticated email from a website to SmarterMail:

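     ' myUserID, myPswd, sTo, sFrom, sSubject and sBody must be set by the calling page.
     Dim objMsg, objCfg
     Set objMsg = CreateObject("CDO.Message")
     Set objCfg = CreateObject("CDO.Configuration")

     ' Authenticate to the SMTP server so that SmarterMail treats the message as authenticated.
     ' cdoBasic sends the user name and password base64-encoded, not encrypted.
     objCfg.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate").Value = 1 ' cdoBasic
     objCfg.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusername").Value = myUserID
     objCfg.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendpassword").Value = myPswd

     ' Send over the network to the SmarterMail server instead of the local pickup directory.
     objCfg.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendusing").Value = 2 ' cdoSendUsingPort
     objCfg.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserver").Value = "mySmarterMailServer.mydomain.com"
     objCfg.Fields.Item("http://schemas.microsoft.com/cdo/configuration/smtpserverport").Value = 25
     objCfg.Fields.Update

     ' Attach the configuration, fill in the message and send it.
     Set objMsg.Configuration = objCfg
     objMsg.To = sTo
     objMsg.From = sFrom
     objMsg.Subject = sSubject
     objMsg.TextBody = sBody
     objMsg.Send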

    For #3, not unless you set outbound security.  There's a button in the IIS SMTP service where you can set Outbound Security.  I just tested that here and it does in fact work for the SmartHost.  Once authentication is set up then domainkeys *should* be able to sign the outbound message, AFAIK.

    #4 - not sure about that, may not be necessary.

    With all that said ... I'm not sure of the inner workings of DK - how it determines which domain to use to sign the emails - if it will at all.  Is it the "FROM" address, is it the authenticated user's domain, etc.  Anybody have thoughts on that?

    Duane

  • 04-09-2008 6:20 AM In reply to

    Re: DomainKeys and mails sent from website

    I've been asking similar questions.  Sending email from website does not get signed.  They do get sent however.  See post: http://www.smartertools.com/forums/t/18303.aspx

     Does this mean that you can't send email from Outlook and get it signed? Does this mean that emails sent from websites using ASP, ColdFusion, PHP, must use the object to send mail?

    Thanks.

  • 04-09-2008 3:47 PM In reply to

    Re: DomainKeys and mails sent from website

    SmarterMail will only sign authenticated messages.  If the SMTP component you use to send from your websites does not allow for SMTP authentication, you can add the IPs from which your websites will connect to SmarterMail to the SMTP authentication bypass list.  It will then treat any messages from those IP addresses as authenticated.

    To set your own keys for SmarterMail to use you would need to edit the domainConfig.xml file(s).  The public and private keys will be in there in PEM format so you would just replace those with your own.  Note that SmarterMail will not automatically pick up changes; you need to restart the service before it will start using the values you set.  The best way to do that is to copy the domainConfig.xml file and make your changes to the copy, then stop the SmarterMail service, switch the domainConfig.xml file with your edited copy and then start the SmarterMail service.

    Bryon Grosz
    SmarterTools
  • 04-09-2008 7:57 PM In reply to

    Re: DomainKeys and mails sent from website

    Anyone know how SmarterMail figures out which domain to use to sign a message if that message originates from Outlook or from a web server?  I'm guessing it either uses the "from" address or the "sender" address ...

    -D

  • 04-10-2008 2:24 PM In reply to

    Re: DomainKeys and mails sent from website

    DomainKeys can only sign a message for the domain that the user has authenticated the SMTP session with, by definition. So if you authenticate with @somewhere.com and your from address is @somewhereelse.com, it cannot work.

  • 04-11-2008 3:39 PM In reply to

    Re: DomainKeys and mails sent from website

    Above Bryon mentions that using the Authentication Bypass list will basically allow you to skip the authentication step.  So ... SM has to try to deduce the domain since it really doesn't know which domain has authenticated.

    The sender address is what will be on the envelope (I believe) and the from address will be in the header.  Just curious which it might use, or maybe SM does something entirely different  ...

  • 04-13-2008 8:11 AM In reply to

    • jp
    • Top 150 Contributor
    • Joined on 11-25-2004
    • Posts 67

    Re: DomainKeys and mails sent from website

    Thanks for the input guys. I will try it out, and report back with my experiences. It does sound like it is pretty straightforward.

    I won't have time for at least a week or two.

    /jp

  • 04-14-2008 2:48 PM In reply to

    Re: DomainKeys and mails sent from website

    Hey all, just did some quick testing (finally got things set up) and it appears to work well.  Have the webserver listed in the Authenticated Bypass and SM was able to send domainkey signed messages to Yahoo using the domain in the Sender field (will become the return-path).

    Also of note, SM mentioned this in another post but the "Test DNS" feature only works with a 512-bit key since the SM DNS component can only handle single DNS packets.

    Duane
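
A check for the question this thread keeps returning to (is the website mail signed, and for which domain), added here as an example that is not part of the original posts and is not SmarterMail code. It reads a received message, extracts the tags of the DomainKey-Signature header and compares `d=` with the Sender domain, or the From domain when there is no Sender, which is the rule in the DomainKeys specification (RFC 4870). The sample message, its addresses, selector and signature value are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not captured from a real server).
SAMPLE = """\
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel1; d=example.com;
 h=From:Sender:To:Subject; b=Q09OU1RSVUNURUQ=
From: Web Shop <noreply@shop.example.net>
Sender: webserver@mail.example.com
To: user@example.org
Subject: Registration confirmation

Thanks for registering.
"""

def parse_tags(value):
    """Split a DomainKey-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_domainkey(raw):
    """Report whether a message is signed and whether d= fits its sending address."""
    msg = message_from_string(raw)
    sig = msg.get("DomainKey-Signature")
    if sig is None:
        return {"signed": False}
    tags = parse_tags(sig)
    # The Sender header takes precedence over From when both are present.
    source = "Sender" if msg.get("Sender") else "From"
    addr = parseaddr(msg.get(source, ""))[1]
    addr_domain = addr.rpartition("@")[2].lower()
    d = tags.get("d", "").lower()
    # d= must equal the address domain or be a parent domain of it.
    aligned = bool(d) and (addr_domain == d or addr_domain.endswith("." + d))
    return {
        "signed": True,
        "source_header": source,
        "address_domain": addr_domain,
        "d": d,
        "aligned": aligned,
        "key_record": f"{tags.get('s', '')}._domainkey.{d}",  # TXT record holding the public key
    }

if __name__ == "__main__":
    for k, v in check_domainkey(SAMPLE).items():
        print(f"{k}: {v}")
```

The check only inspects the headers; it does not verify the RSA signature itself, which the receiving mail server does against the key published at the `key_record` name.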
