Hi, im trying to setup dkim signatures with amavis i followed this guide http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim and all looks good until $ amavisd testkeys www1:/etc/amavis/conf.d# amavisd-new testkeys TESTING: www1.xxx.com._domainkey.www1.xxx.com => fail (message has been altered) any idea what i did wrong ? i think this has to do with adding the txt record to mydns server i have added the entry that was generated by amavisd showkeys but for some reason it doesnt display the record when i do dig...
Finally i kind of figured out where is the problem but now im stucked on another issue. How can i insert a DKIM key into mydns record? i have a generated key i have added a new txt record to mydns but it doesn't show up . here is how it looks http://yfrog.com/j8dkimlj any idea?
The probem might be with the length of the record. mydns-ng has a new edata field for that in the latest version as I've read here, but thats not implemented in ispconfig yet. http://sourceforge.net/mailarchive/[email protected]&forum_name=mydns-users
Well i finally got to insert the txt record but for some reason it is altered and amavis wont recognize it: here the output www1:~# dig @127.0.0.1 mail._domainkey.mail.domain.tld. txt ; <<>> DiG 9.5.1-P3 <<>> @127.0.0.1 mail._domainkey.mail.domain.tld. txt ; (1 server found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39120 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;mail._domainkey.mail.domain.tld. IN TXT ;; ANSWER SECTION: mail._domainkey.mail.domain.tld. 1800 IN TXT "\"v=DKIM1\; p=\"\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+j8TF4XX+23pdk228z1ie0dUR\"\"zyFSV4/AggUXW2YgYoOk+invQnCRYv/DlLlidlpPQmgFyiUDJ20oyuOeG98zskpw\"\"Affl0yhATIC2vBLOK4X2nOrMbkzHEi52QBxgnJs6bKSftzN+zSTJ8OKkRMcSMUbj\"\"/TaPjVL8vycrVvmAowIDAQAB\"" ;; AUTHORITY SECTION: domain.tld. 1800 IN NS ns1.domain.tld. domain.tld. 1800 IN NS www1.domain.tld. ;; ADDITIONAL SECTION: ns1.domain.tld. 1800 IN A 1.2.3.4 www1.domain.tld. 1800 IN A 1.2.3.4 ;; Query time: 1 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Nov 4 07:11:53 2009 ;; MSG SIZE rcvd: 374 www1:~# amavisd-new testkeys TESTING: mail._domainkey.mail.domain.tld => invalid (public key: invalid data) any idea?
The problem is that the string is escaped with \. Please check the record in the database with phpmyadmin, does it contain the \ too? If not, its a mydns problem and you should check if you have the latest mydns version installed.
The string slashes are in database too, but this is kind of tricky because if i remove the slashes the whole thing can degenerate into a big mysql security hole im still searching for a reasonable way for getting this to work. I will post here updates for this matter
Solved! After a long fight i finally managed to get dkim signatures to work! In fact this job is pretty simple: After you generate the key file (in my case i had 3 key files for three different domains) use the showkeys command to display the key and create a TXT record in MyDns (just use the ISPConfig DNS Interface it will work), after that you have to wait for the changes to reflect on the internet. I think 24 hours will be enough. Here is how 50-user amanvisd conf file looks like: #$enable_dkim_verification = 1; $enable_dkim_signing = 1; @dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } ); @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 x.x.x.x/32); dkim_key('mail.domain1.com', 'mail', '/var/db/dkim/domain1.com.key.pem'); dkim_key('mail.domain2.com', 'mail', '/var/db/dkim/domain3.com.key.pem'); dkim_key('mail.domain3.com', 'mail', '/var/db/dkim/domain3.com.key.pem'); Now lets cut this into pieces: $enable_dkim_verification = 1; I commented this out because i really dont need that amavisd to check the incoming mail for signatures because some useful mails might get spam flagged. If you really think that you will need this you can uncomment this line. $enable_dkim_signing = 1; This line enables dkim signing for outgoing mail. @dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } ); This one sets some dkim signature properties like: hashing algorhitm and key's TTL. I recommend to leave this as it is unless you really know what you are doing. Now the fun part is here: @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 1.2.3.4/32); Here is a list of hosts that are allowed to send mails thru you mail server, in other words the trusted networks for which amavisd will sign the emails. You have to add here the ip classes/addresses from where you will send your emails. In my case all the emails are sent by The Webmail interface (which uses the loopback address 127.0.0.1/8) and a public ip address which belongs to my network's NAT Gateway (1.2.3.4/32 , Notice the /32 mask which indicates thats only one ip address and not the whole class /24). If you are using your gateway/router as mail server too you will onlu have to add private ip class which your router is serving on (ie: 192.168.1.0/24). In my case the problem was that i have separate machines for the mail server and gateway and i didnt had a record for my gateway's ip address and amavisd refused to sign my emails. Anyway now all its working like it should. The funny part is that the stupid Yahoo still marks my messages as spam but this is just matter of time until their spam filters will gather enough information and put my hosts on whitelist. Hope this will help! Cheers! Later Edit: As i was saying some time ago... Yahoo was still marking my messages as spam. A few days ago i did another check, and... surprise... all of my messages got straight into Yahoo's Inbox. Thats so good news... so for those which are disapointed after setting up DKIM signs and the messages end in spam folder don't worry, its just a matter of time... so all you have to do is to wait.
It helps mate, thanks a lot I've been struggling for 3 days triying to figure out why amavis refused to sign my e-mails. Your explanation about mynetworks has solved the problem. Thanks again
finally got time to implement DKIM myself... but anyway, if one wants to sign messages for authenticated smtp-users, replacing @mynetworks-line with: Code: $interface_policy{'10024'} = 'DKIM_ALWAYS'; $policy_bank{'DKIM_ALWAYS'} = { originating => 1, }; does the trick.
Hi Ciprianflorea Do you know if that method is 100% reliable? Please don misunderstand me. I know that it works, but I would be more confident using it, if you can guarantee it's harmless. regards
Hi mate, using DKIM_ALWAYS is very safe because your smtp server relies on authenticated users. Although my_networks part is a strict declaration of allowed hosts/networks dkim_always allow email signing only for authenticated users which is very reliable for remote users and clients who have a dynamic ip address. I have dkim_always on three of my servers and its all good.
Thanks for your explanation. I asked that question here but I didn't get an answer. I couldn't find any mention about this method in the official amavisd-new docs, that's why I suspected it was not advisable. Regards
ciprianflorea - In your screenshot, it shows the "Hostname" as mail._domainkey.mail.etc.., When I try to put mine in, it says hostname was not valid. Was your screenshot exactly the way how you impliment your DKIM entries? http://img692.yfrog.com/img692/4725/dkiml.jpg
Its about how you declare the key in amavisd conf file ie: for: dkim_key('mail.xxx.com, 'mail', '/var/db/dkim/xxx.com.key.pem'); the dns entry will be: mail._domainkey.mail.xxx.com.
Hi, can anybody that succeded in setting amavisd to sign outgoing mail with dkim send me conf files for postfix (main.cf and master.cs). We tried something with dkim-milter so there is many config lines, I am not sure which one is for what, probably because of that we can achieve dkim signing using amavisd. Dns settings are ok, there is an record, and amavisd is configured according to this forum thread, but it is still not working. There are some settings: Code: $ dig -t TXT foo._domainkey.odmorise.info foo._domainkey.odmorise.info. 86400 IN TXT "v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/r50PSUTLQLdqjEoHaK/K8FJIcunp93vEdw5HbBJPwwZDWQfWHRJ0ato6VTcwUU+fvpGJDSKaLFcgtFmWpSybLOoM/CovTpPz/sWbQ2LsEGthAA0gmJVsWfbI7ewCYHHTRdH7UKdBc1tVDQnBZpo5Ttltig0+a5dRQwFexrdxSwIDAQAB" Code: $ tail /etc/amavisdamavisd.conf dkim_key('odmorise.info', 'foo', '/var/db/dkim/odmorise-foo.key.pem'); @dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } ); $interface_policy{'10024'} = 'DKIM_ALWAYS'; $policy_bank{'DKIM_ALWAYS'} = { originating => 1, }; #@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 188.40.93.84/32); # list your internal networks #$enable_dkim_verification = 1; $enable_dkim_signing = 1; Code: $ tail -f /etc/postfix/main.cf #smtpd_milters = inet:188.40.93.84:10035 #non_smtpd_milters = inet:188.40.93.84:10035 Code: $ tail -f /etc/postfix/master.cf -n 100 # ${nexthop} ${user} amavis unix - - - - 2 smtp -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=127.0.0.1 smtp inet n - n - - smtpd -o smtpd_proxy_filter=127.0.0.1:10025 -o smtpd_client_connection_count_limit=10 .... and many more lines like this I am not sure how it should be set Thanks for help in advance
I know the topic is old, but... You guys got Domainkeys working with this setup? I did all steps (http://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/) , and then sended an mail to: [email protected] For check, and got this as result: ========================================================== Summary of Results ========================================================== SPF check: pass DomainKeys check: neutral DKIM check: pass Sender-ID check: pass SpamAssassin check: ham Seems i missed something, or need more steps to get DomainKeys working too. Someone have an guide for this extra steps?
