Email Authentication with Mailchimp and Bluehost

Can someone please help me get this right. I've been trying for days and just can't do it.
This is what Mailchimp is asking me to do.
Set a TXT (SPF) record for averyburch.com to:
v=spf1 include:servers.mcsv.net ?all
Set the CNAME record for k1._domainkey.averyburch.com to:
dkim.mcsv.net
So I have entered the following in my Bluehost DNS zone editor. But it's not authenticating. I've waited 48 hours.
CNAME
k1._domainkey points to dkim.mcsv.net
TXT
# txt value is: v=spf1 a mx ptr include:bluehost.com include:servers.mcsv.net ?all
I did enter exactly k1._domainkey.averyburch.com but the control panel seems to change it to k1._domainkey. Everything in the SPF record is the Bluehost default setting apart from include:servers.mcsv.net, which I added.
Can someone please tell me what I'm messing up. I'm not experienced with this. Thanks so much.

These are the instructions I followed from someone else on another forum, which worked perfectly the first time:
Hey all,
I have been looking into this because of wanting to use DKIM support
for MailChimp emails. Most of this stuff is above my pay grade, but I
was able to successfully set up DKIM. Here's how it went:
Here are the instructions from MailChimp:
DKIM: Create a CNAME record for k1._domainkey.[example.com] with this
value: dkim.mcsv.net
SPF: Create a TXT record for [example.com] with: v=spf1
include:servers.mcsv.net ?all
I then logged into my Bluehost account: cPanel -> DNS Zone Editor
I chose the domain I wanted in the dropdown menu and filled out the
following:
Host Record: k1._domainkey.[example.com] TTL: 14400 (the default)
Type: CNAME Points To: dkim.mcsv.net
Then I clicked "Add Record," and it added successfully.
Then I filled out another entry:
Host Record: [example.com] TTL: 14400 (the default) Type: TXT Points
To: v=spf1 include:servers.mcsv.net ?all
"Add Record," and it was all set. Both entries showed up in the list
below.
I was able to use this method for two domains, and MailChimp verified
that it went through, and they have authenticated DKIM and SPF
records.
Hope that helps. Thanks for the thread.

So there are a couple of issues that are immediately apparent:
The DKIM key is malformed. Looking at the DNS the key record is "k=rsa; p=MIGfMA0GCSqG...". That's missing the initial prefix. It should be "v=DKIM1;k=rsa;p=MIGfMA0GCSqG...". Ideally if you fix that, DKIM signatures will start working.
The SPF record you've got in place exceeds the allowed domain lookup limit of 10. You can see some info here - https://dmarcian.com/spf-survey/averyburch.com . Solving this for situations like yours is non-trivial. (Full disclosure, my company ValiMail is about to roll out tech to address a number of common email authentication issues, including this one).
For the moment, assuming DKIM starts working, I wouldn't worry too much about the SPF issue.
Make the DKIM change noted above, and see if that at least gets DKIM authentication working. If you want some visibility, you may also want to add a DMARC record so you can see whether email is authenticating or failing.
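
The lookup limit of 10 mentioned in the answer above, as an added example that is not part of the original thread: it counts the DNS-querying SPF terms (include, a, mx, ptr, exists, redirect, per RFC 7208 section 4.6.4) reached from a record, following includes recursively. The zone data is constructed with reserved .test/.example names and only mirrors the shape of the asker's record; it is not the published DNS for any real domain.

```python
# Added example: count the DNS-querying terms an SPF record pulls in (RFC 7208, 4.6.4).
# ZONE is constructed sample data standing in for live TXT lookups.
ZONE = {
    "example.test": "v=spf1 a mx ptr include:hosting.example include:esp.example ?all",
    "minimal.test": "v=spf1 include:esp.example ?all",
    "hosting.example": "v=spf1 a mx include:relay1.hosting.example "
                       "include:relay2.hosting.example ~all",
    "relay1.hosting.example": "v=spf1 a mx ip4:192.0.2.0/24 ~all",
    "relay2.hosting.example": "v=spf1 mx ip4:198.51.100.0/24 ~all",
    "esp.example": "v=spf1 ip4:203.0.113.0/24 ?all",
}
SPF_LOOKUP_LIMIT = 10
QUERYING_MECHANISMS = {"a", "mx", "ptr", "exists"}


def count_lookups(domain, zone, path=()):
    """Return the number of DNS-querying terms reached from domain's SPF record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise LookupError("no SPF record for " + domain)
    total = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?").lower()  # drop the qualifier
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
        elif term.startswith("include:"):
            target = term.split(":", 1)[1]
        else:
            # a, a:host, mx/24, ...: the mechanism name ends at ':' or '/'
            name = term.replace("/", ":").split(":", 1)[0]
            if name in QUERYING_MECHANISMS:
                total += 1
            continue
        # include and redirect cost one lookup themselves, plus what they pull in
        total += 1 + count_lookups(target, zone, path + (domain,))
    return total


def over_limit(domain, zone):
    """True when the record needs more lookups than a receiver will perform."""
    return count_lookups(domain, zone) > SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for d in ("example.test", "minimal.test"):
        print(d, count_lookups(d, ZONE), "over limit" if over_limit(d, ZONE) else "ok")
```

With the constructed data, the record that stacks a hosting default on top of the sender's include needs 12 lookups, while the record containing only the sender's include needs 1.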

Exim - identify recipient BCC address

I'm using plus-addressing on Exim to create an automated system - I will process emails based on the local part of the address. So eg:
From: me@eximdomain.com
To: robot+project-4@eximdomain.com
This works well - I can process it based on the To address (specifically project-4). But ideally I want to be able to BCC an email to this address, eg:
From: me@eximdomain.com
To: somebody@otherdomain.com
Bcc: robot+project-4@eximdomain.com
When I am checking the mailbox for robot, I see the message, but nowhere in the header is the actual address that got it there, ie robot+project-4@eximdomain.com - so I cannot process it.
Obviously I do not want somebody@otherdomain.com to be aware of this address; but when robot@eximdomain.com receives it, I want to know that it was actually BCCd to robot+project-4@eximdomain.com (in some/any header).
Is there any way to do this?
Figured this out, if anyone comes across this: added this option to my local delivery transport (Dovecot LMTP in my case):
envelope_to_add = true
It then generates an Envelope-to header containing the incoming address.

Bareos error: Sorry, can not authenticate. Wrong username and/or password

I wanted to give Bareos (Open Source Data Protection) a go to see how it works and performs. However I cannot even get past the basic installation and get it working...
I followed the following installation tutorial (several times now): https://www.svennd.be/installing-bareos-on-centos-7/
But every time I get the following error: Sorry, can not authenticate. Wrong username and/or password.
I don't understand what I am doing wrong. I even tried using the previous version of Bareos 16.2, but that didn't make a difference and I experience the same issue. I am 200% sure the password and username are correct.
I also consulted the logs:
17-Mar 13:00 bareos-dir JobId 0: Fatal error: Authorization key rejected by Console USERNAME.
Please see http://doc.bareos.org/master/html/bareos-manual-main-reference.html#AuthorizationErrors for help.
17-Mar 13:00 bareos-dir: ERROR in authenticate.c:283 Unable to authenticate console "USERNAME" at client:127.0.0.1:9101
I checked that page (also several times) and even made sure the (user)names/passwords were correct. But still I get the message "Sorry, can not authenticate. Wrong username and/or password." when I try to login on "bareos-webui".
Probably I am doing something wrong, but I cannot discover what.
I have the following files available. Maybe I need to make certain changes to those as well?
/etc/bareos/bareos-dir.d/director/bareos-dir.conf
/etc/bareos/bareos-fd.d/director/bareos-dir.conf
/etc/bareos/bareos-sd.d/director/bareos-dir.conf
/etc/bareos/bconsole.conf
/etc/bareos/bareos-sd.d/storage/bareos-sd.conf
/etc/bareos/bareos-dir.d/client/bareos-fd.conf
/etc/bareos/bareos-dir.d/job/backup-bareos-fd.conf
When I compared some files, they have different passwords in them?
For example: /etc/bareos/bareos-fd.d/director/bareos-dir.conf
Director {
Name = bareos-dir
Password = "J36zN1mQVF5lLA/FP0kASo+X9wTo8D988nsVqZjx"
Description = "Allow the configured Director to access this file daemon."
}
And /etc/bareos/bareos-sd.d/director/bareos-dir.conf
Director {
Name = bareos-dir
Password = "PAU/ov3RvnFp0I59brd4d8u9m8ejRpkVE7P/4Qz3"
Description = "Director, who is permitted to contact this storage daemon."
}
And (one more example): /etc/bareos/bconsole.conf
# Bareos User Agent (or Console) Configuration File
Director {
Name = bareos-dir
address = localhost
Password = "Fs5JnyO1ypBhcR0D9CNkx3gynPMa+jmp7sj9Ghst"
Description = "Bareos Console credentials for local Director"
}
They all have different passwords here? As I understand it, from the online docs, they should all be the same, right?
Maybe that's the issue? Hopefully someone can explain things a bit better or advise me what to do in order to get this working... Maybe it's something simple that I may have overlooked?
FYI: I whitelisted all IPs and ports I use on this server.
//small edit
I re-read the documents once again and it says: "The default configuration files are automatically defined for correct authorization with random passwords. If you add to or modify these files, you will need to take care to keep them consistent."
So if I didn't change a thing, it should have worked in the first place, right? So I think something else is wrong here?
Well I finally found the issue...
Apparently my username or password was too difficult for Bareos to accept.
Don't know exactly which one it was, but either username or password caused issues.
I used as a username something like:
BCKPserver
And the password I used was similar to:
!!!!RNDpassW222####
For some reason Bareos saved the password (in the console) and was displayed correctly in the configuration files, HOWEVER it didn't allow me to login on the bareos-webui!
Solved. Hopefully this will help someone else.

Sendmail Header Rewrite (incoming mail, BCC/undisclosed-recipients to TO) (Centos)

My server uses sendmail 8.13.8 for incoming and outgoing.
I get spam destined to undisclosed-recipients (see below example). I wish to know which address the spammer sent this to, as my mailbox uses catch-all from several domains...
I am aware I can go to the maillog, but that file can be very big. Is there a way to rewrite the Sendmail header name to always show TO instead of always getting undisclosed-recipients or the BCC address the spammer entered, such as his own? I spent a few months searching for results so I thought I would ask. Thank you in advance.
From: Micheal Manka [mailto:micheal.manka103#gmail.com]
Sent: Monday, February 03, 2014 11:15 PM
To: undisclosed-recipients:
Subject: Order
Dear Sir/Madam
I would like to purchase Trap Doors r from your shop.What types of them you have
in the size and what would be the prices? What types of payments do you accept?
Looking forward to hear from you soon.
Regards,
Micheal Manka
Sendmail FAQ 3.29 : How can I add a header specifying the actual recipient when having multiple users in a virtual domain go to a single mailbox?
The simple version with one copy per every recipient passes username as $1 to ~catchall/.procmailrc
virtusertable:
@mydomain.com catchall+%1
The more complicated version http://anfi.homeunix.org/sendmail/sharedmailbox.html mentioned at the end of the FAQ entry is available at http://www.jmaimon.com/sendmail/anfi.homeunix.net/sendmail/sharedmailbox.html

What subject to use for SetClientCertificate?

I'm trying to send a request with:
ActiveXObject("WinHttp.WinHttpRequest.5.1")
however this requires a client certificate to do so (which we have been provided).
Having tested in PHP cURL I can do so with:
curl_setopt($SOAP, CURLOPT_SSLCERT,$filepathtocertificate);
Which works fine. However I must use IIS running asp(javascript) and point to the certificate store of the machine the script is running on with:
SetClientCertificate("LOCAL_MACHINE\\Personal\\Certificate subject");
for our actual deployment. The MS documentation (http://msdn.microsoft.com/en-us/library/windows/desktop/aa384055(v=vs.85).aspx) suggests that the path above has to state the 'subject' of the certificate, however the certificate seems to have several subjects and no combination of several or all of them seems to yield any results and I am stuck with the following error before the request is even sent:
WinHttp.WinHttpRequest error '80072f0c'
A certificate is required to complete client authentication
Looking in the certificate store and using other scripts in the same folder show they are definitely there but have subjects like:
C=US, O=Organisation NAme, OU="Another Organisation Name, Inc.", CN=Organisation Name Root
Or similar.
Any advice on what parameters SetClientCertificate needs to be given to select and send certificates in the certificate store would be much appreciated.
I had a lot of trouble with this same issue - using winhttp 5.1 from a scripting language to set a client certificate before a send.
I had used mmc with the certificates snap-in to import the certificate in CURRENT_USER \ Personal - but the Winhttp SetClientCertificate didn't seem to be doing anything, nor was I able to pick up any error code or message so it was a case of repeated trial and error - the SetClientCertificate string should be something like "Location\store\subject" eg "CURRENT_USER\Personal\My Certificate" (or \\ if your language requires \ to be escaped) - the final part being 'subject' which is not as clear as it should be. Under MMC the subject is broken into many elements.
I eventually got it working by dropping the location and store - they were the defaults so I may have been fortunate - and providing just the subject field - the value I used for the subject field was the value in the line "CN = " under subject (when the cert is opened under mmc) - but this (perhaps coincidentally) was also the value in the 'Issued To' column on the main mmc certificate list. In my case it worked - clearly if there is a cert with these two values different then you'd need to try each.
Hope this helps if somebody is similarly stuck.
This is a very old question yet I had to find an answer today. The answer provided above by @JSL helped me. If you only provide the certificate subject name then it works! So it is clear that there is a mistake in the way full path is specified.
I got the right info for Windows 7 from this link https://msdn.microsoft.com/en-us/library/windows/desktop/aa384076(v=vs.85).aspx
Here is a VBA script that works.
Dim objHttp As New WinHttp.WinHttpRequest
objHttp.Open "GET", url, False
objHttp.SetClientCertificate "CURRENT_USER\My\TestCert"
objHttp.send
Valid locations are LOCAL_MACHINE and CURRENT_USER and
Valid store names are "MY", "Root", and "TrustedPeople".
Remember to escape the backslashes in C++, C# etc.

2 DKIM on same domain

We are using an external service for our newsletter, which has required the following DKIM setup in our domain gipote.dk:
_domainkey.gipote.dk. 43200 IN TXT "o=~"
default._domainkey.gipote.dk. 43200 IN TXT "k=rsa\; p=MIGf...ibnrkoqQIDAQAB"
(I truncated the public key for purpose of readability...)
However we are also sending out e-mail from our own server, which I would also like to sign.
Is it possible to have more than one public-key TXT record in our domain gipote.dk? If so, how should it be set up?
EDIT: I do not have access to the private key, that is used by the newsletter service. So I will not be able to just install that on my own server.
/ Carsten
I found out, that the answer is YES :-)
"default" can easily be replaced with another selector name.
Yes you can change the default to another selector.
BUT if you do the domain it is on will no longer verify the domain.
You need to Add a second key NOT CHANGE what's existing
Using Google mail you end up with
default._domainkey "v=DKIM1; k=rsa; p=MIIBIj....."
google._domainkey "v=DKIM1; k=rsa; p=MIGfMA......"
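
Why two keys can coexist under one domain, as an added example that is not part of the original thread: a verifier builds the DNS name for the key from the s= (selector) and d= (domain) tags of each DKIM-Signature header, so every signer publishes under its own selector. The zone, the signatures and the selector names "mail" and "old" are constructed, and the key material is a placeholder.

```python
# Added example: how a verifier turns a DKIM-Signature header into a DNS key lookup.
# Records and signatures are constructed; key material is a placeholder.
ZONE = {
    "default._domainkey.example.test": "k=rsa; p=PLACEHOLDERKEYA",
    "mail._domainkey.example.test": "v=DKIM1; k=rsa; p=PLACEHOLDERKEYB",
    "old._domainkey.example.test": "v=DKIM1; k=rsa; p=",  # empty p= marks a revoked key
}
# One signature as the newsletter service would add it, one from the domain's own server.
NEWSLETTER_SIG = ("v=1; a=rsa-sha256; d=example.test; s=default;\r\n"
                  "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
OWN_SERVER_SIG = ("v=1; a=rsa-sha256; d=Example.Test; s=mail;\r\n"
                  "\th=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")


def parse_tags(value):
    """Parse a DKIM tag=value list (same syntax in the header and the key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Header folding may leave whitespace around names and inside values.
            tags[name.strip()] = "".join(val.split())
    return tags


def key_query_name(signature):
    """DNS name the verifier queries: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(signature)
    return "{}._domainkey.{}".format(tags["s"], tags["d"]).lower()


def public_key_for(signature, zone):
    """Return the p= value for this signature, or None if missing or revoked."""
    record = zone.get(key_query_name(signature))
    if record is None:
        return None
    return parse_tags(record).get("p") or None


if __name__ == "__main__":
    for sig in (NEWSLETTER_SIG, OWN_SERVER_SIG):
        print(key_query_name(sig), "->", public_key_for(sig, ZONE))
```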