Solved

DKIM with IIS 6.0 and ORACLE

Posted on 2012-03-13
Last Modified: 2012-08-14
Hello there,

I have been setting up our E-Mail sending in the last few days including SPF and Sender-ID authentication. What I am missing still is DKIM.

Here is my situation:
I am using IIS 6.0 on a Windows 2003 server and generate the mails with UTL_SMTP in ORACLE.

I tried to write the DKIM signature directly into the mail header but I am missing the Body Hash. To my understanding the body hash is simply a hash over the message body. Am I right? How can I compute this Body Hash in Oracle depending on the message content? Also what about HTML mails. How do I get the Body Hash for that occasion? Do I even need one?
Question by:appsystems
13 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 37727461
I'll take a stab at this, I've been waiting for some Oracle experts to chime in (I'm coming in from the email/DKIM angle) but that hasn't happened yet so...

I am vaguely familiar with UTL_SMTP from a quick Google search but have no experience with it.  My question for you however is -- is there a reason why you aren't relaying mail from Oracle to a "real" mail server internal to your network and having the signing done there?
0
 

Author Comment

by:appsystems
ID: 37732487
Mail gets relayed onto a real mail server via UTL_SMTP. We have a Windows 2003 Server with IIS 6.0 and the standard SMTP server which unfortunately can not sign with DKIM (at least as far as I know).
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37736131
I'm not familiar unfortunately with IIS+SMTP.  Is it possible to add a simple postfix server with a DKIM signing module into your environment?  I can help with the setup... what I have in mind is that it would be the edge mail server that does the sending+signing.  I understand this may not be ideal but trying to help.

If any IIS experts know of a way to handle it there please chime in.
0

 

Author Comment

by:appsystems
ID: 37736610
We only use windows components in our infrastructure so a postfix server is not an option. Is there any (cost free) possibility to get DKIM to work on IIS 6.0?
0
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 250 total points
ID: 37737292
I can help with the utl_smtp portion but I know nothing about the DKIM side except for what I just googled.

I'm not sure what the missing steps are.

Are you trying to find a method within Oracle to generate the hash?  If so,  dbms_crypto package is probably what you're looking for.  It's not public execute by default though, so you may need your dba to grant access to it.
0
 

Author Comment

by:appsystems
ID: 37738226
As far as I can see dbms_crypto can not generate SHA-256 hashes which is necessary for DKIM nowadays. I would try it with SHA-1 but I do not think that adding a DKIM signature manually in oracle is best practice (especially because I mostly send HTML mails and I really do not think that hashing a CLOB generates a valid Body Hash). But if anyone here has done something like this I would like to know!

Is DKIM signing necessary? I currently have set up SPF and Sender-ID (although Microsoft does not recognize it, see my other open question about this). Is DKIM signing really necessary to avoid having my mails rejected?
0
 
LVL 74

Expert Comment

by:sdstuber
ID: 37738293
>>> I do not think that adding a DKIM signature manually in oracle is best practice

Isn't that what this question is asking?


>>> Is DKIM signing really necessary to avoid having my mails rejected?

That's entirely up to the receiving end.

There is nothing in the email SMTP protocol itself that requires DKIM.

If your mail is going to junk mail folders, then it is being sent, it's simply in the filtering end.

What happens if you send mail by some means other than utl_smtp to the hotmail address?
0
 
LVL 21

Accepted Solution

by:Papertrip
Papertrip earned 250 total points
ID: 37738298
It's not necessary.  I've seen receiving servers reject sending servers due to no SPF but I would be very surprised if anyone is rejecting due to lack of DKIM.  

I always advocate DKIM signing but if it's not possible in your environment then there isn't much you can do.  Having a DKIM signature does not guarantee inbox placement, only improves your chances and helps protect your brand from spoofing.

I will look at your other open question in a bit.
0
 

Author Comment

by:appsystems
ID: 37738384
>>> Isn't that what this question is asking?
Yes, but part of the question is: Is manually signing really the way to go? And for now I unfortunately do not see it.

I am very new to mail administration so please bear with me.
I will try to use the dbms_crypto package with SHA-1 but I do not have high hopes.
0
 
LVL 74

Expert Comment

by:sdstuber
ID: 37738404
If you need sha256 you could use a java stored procedure to generate the hash.

Implementing that is sort of going astray on this question though.
0
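
The body hash asked about in the question, as an added reference example that is not part of the original thread: it computes only the `bh=` value of a DKIM signature with SHA-256 under the "simple" and "relaxed" body canonicalizations of RFC 6376 (sections 3.4.3 and 3.4.4), without the optional `l=` length limit. The function names and the HTML sample are constructed for illustration; the input is assumed to be the exact body bytes handed to SMTP after any MIME encoding, so an HTML mail is hashed the same way as plain text, and the output can be used to check a Java or PL/SQL implementation.

```python
import base64
import hashlib
import re


def _to_crlf(body: bytes) -> bytes:
    # The hash covers the body as it travels over SMTP, so bare LF or CR
    # (common in text pulled from a CLOB) is normalized to CRLF first.
    return re.sub(rb"\r\n|\r|\n", b"\r\n", body)


def canon_simple(body: bytes) -> bytes:
    # RFC 6376 3.4.3: remove trailing empty lines, end with exactly one CRLF.
    # An empty body therefore canonicalizes to a single CRLF.
    body = _to_crlf(body)
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    # RFC 6376 3.4.4: ignore whitespace at line ends, reduce runs of
    # space/tab inside a line to one space, remove trailing empty lines.
    # An empty body stays empty (no CRLF is added).
    lines = _to_crlf(body).split(b"\r\n")
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed") -> str:
    # bh= is base64(SHA-256(canonicalized body)); the canonicalization must
    # match the body part of the c= tag in the DKIM-Signature header.
    data = canon_relaxed(body) if canon == "relaxed" else canon_simple(body)
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


# Constructed sample: HTML body with LF line endings, extra spaces and
# trailing blank lines, as it might come out of a database column.
HTML_BODY = b"<html>\n<body>\n<p>Hello   World</p>  \n</body>\n</html>\n\n\n"

if __name__ == "__main__":
    print("simple :", body_hash(HTML_BODY, "simple"))
    print("relaxed:", body_hash(HTML_BODY, "relaxed"))
```

A hash taken over the raw CLOB differs from these values whenever line endings or trailing blank lines change between the database and the wire, which is the usual cause of a "body hash did not verify" result at the receiver.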


Question has a verified solution.
