Hi,

I followed this guide from Florian: http://blog.schaal-24.de/?p=2223&lang=en and it works. I get:

Code:
    amavisd-new testkeys
    TESTING#1: default._domainkey.mydomain.com => pass

When I go to http://dkimcore.org/c/keycheck to check the DKIM record in the DNS, I get:

Code:
    This is a valid DKIM key record

but when I send an email to [email protected] to check if everything is good, I get this result:

Code:
    ==========================================================
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: neutral
    Sender-ID check: pass
    SpamAssassin check: ham
    ----------------------------------------------------------
    DomainKeys check details:
    ----------------------------------------------------------
    Result: neutral (message not signed)
    ID(s) verified: [email protected]
    DNS record(s):
    ----------------------------------------------------------
    DKIM check details:
    ----------------------------------------------------------
    Result: neutral (message not signed)
    ID(s) verified:
    NOTE: DKIM checking has been performed based on the latest DKIM specs
    (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
    older versions. If you are using Port25's PowerMTA, you need to use
    version 3.2r11 or later to get a compatible version of DKIM.

and the amavis part of the header of the email sent is:

Code:
    Received: from localhost (localhost [127.0.0.1])
        by ns2.mydomain.com (Postfix) with ESMTP id 0C6E240006D
        for <[email protected]>; Thu, 8 Aug 2013 05:57:33 -0400 (EDT)
    X-Virus-Scanned: Debian amavisd-new at ns2.mydomain.com
    Received: from ns2.mydomain.com ([IPv6:::ffff:127.0.0.1])
        by localhost (ns2.mydomain.com [::ffff:127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id ZszVRidPhEP4 for <[email protected]>;
        Thu, 8 Aug 2013 05:57:32 -0400 (EDT)

Can anyone help me find out why my emails aren't signed?

Thank you

Please note that this patch is a beta version and not part of the official ISPConfig version.

Did you add your public key to the DNS? See http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

Thanks for your answer, Florian.

I know it's a beta patch, and it works great on ISPConfig. My problem seems to be with amavis.

Yes, the DNS part is good; that's why I get this

Code:
    This is a valid DKIM key record

when I test the DNS part.

Thank you

Are you sure that your amavisd supports DKIM signing/verifying (Perl Mail::DKIM)?

After restarting amavisd you must see something like

Code:
    Module Mail::DKIM::Signer 0.39
    Module Mail::DKIM::Verifier 0.39

in your amavis log. Otherwise you must install perl-Mail-DKIM to make sure that

Code:
    Mail::DKIM

is installed.

Yes I do...

Code:
    Aug 8 19:09:14 ns1 amavis[23702]: Module Mail::DKIM::Signer 0.39
    Aug 8 19:09:14 ns1 amavis[23702]: Module Mail::DKIM::Verifier 0.39

This is what I get when I send an email:

Code:
    Aug 8 19:19:06 ns2 postfix/smtpd[22349]: connect from localhost[127.0.0.1]
    Aug 8 19:19:06 ns2 postfix/smtpd[22349]: BBC8840006D: client=localhost[127.0.0.1]
    Aug 8 19:19:06 ns2 postfix/cleanup[22343]: BBC8840006D: message-id=<[email protected]>
    Aug 8 19:19:06 ns2 postfix/qmgr[18191]: BBC8840006D: from=<[email protected]>, size=3073, nrcpt=1 (queue active)
    Aug 8 19:19:06 ns2 amavis[22296]: (22296-01) Passed CLEAN {RelayedOpenRelay}, [1.2.3.4]:16280 <[email protected]> -> <[email protected]>, Queue-ID: 71AF340006A, Message-ID: <[email protected]>, mail_id: EWdd1eBDfHHt, Hits: -0.001, size: 2602, queued_as: BBC8840006D, 259 ms
    Aug 8 19:19:06 ns2 postfix/smtp[22344]: 71AF340006A: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.34, delays=0.07/0/0/0.26, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as BBC8840006D)
    Aug 8 19:19:06 ns2 postfix/qmgr[18191]: 71AF340006A: removed
    Aug 8 19:19:07 ns2 postfix/smtp[22350]: BBC8840006D: to=<[email protected]>, relay=verifier.port25.com[96.244.219.19]:25, delay=0.71, delays=0/0.01/0.46/0.24, dsn=2.6.0, status=sent (250 2.6.0 message received)
    Aug 8 19:19:07 ns2 postfix/qmgr[18191]: BBC8840006D: removed

Should I see something about DKIM or amavis other than scanning for antivirus?

Before someone asks... this is my config file:

/etc/amavis/conf.d/50-user (same as Florian's guide with this added)

Code:
    $inet_socket_port = [10024,10026];
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {
      originating => 1,
    };

/etc/postfix/master.cf

Code:
    smtp inet n - - - - smtpd
    submission inet n - - - - smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o content_filter=smtp-amavis:[127.0.0.1]:10026
    smtps inet n - - - - smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    ...default stuff...
    amavis unix - - - - 2 smtp
      -o smtp_data_done_timeout=1200
      -o smtp_send_xforward_command=yes
    127.0.0.1:10025 inet n - - - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=127.0.0.0/8
      -o strict_rfc821_envelopes=yes
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

Thank you

As you can see, the mail is not ORIGINATING. Amavis signs only local outgoing mails with the DKIM key.

Code:
    amavis[22296]: (22296-01) Passed CLEAN {RelayedOpenRelay},

You can add

Code:
    @mynetworks = qw( 127.0.0.0/8 [::1] [FE80::]/10 [FEC0::]/10
                      10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 );

to amavis.

Same result:

Code:
    Summary of Results
    ==========================================================
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: neutral
    Sender-ID check: pass
    SpamAssassin check: ham

mail.log:

Code:
    Aug 9 05:55:46 ns1 postfix/smtpd[26791]: connect from localhost[127.0.0.1]
    Aug 9 05:55:46 ns1 postfix/smtpd[26791]: 372C440006D: client=localhost[127.0.0.1]
    Aug 9 05:55:46 ns1 postfix/cleanup[26785]: 372C440006D: message-id=<[email protected]>
    Aug 9 05:55:46 ns1 postfix/qmgr[25720]: 372C440006D: from=<[email protected]>, size=3097, nrcpt=1 (queue active)
    Aug 9 05:55:46 ns1 amavis[26705]: (26705-01) Passed CLEAN {RelayedOpenRelay}, [184.162.x.x]:14692 <[email protected]> -> <[email protected]>, Queue-ID: C8EAF40006A, Message-ID: <[email protected]>, mail_id: 29rjibHP_t52, Hits: -0.001, size: 2626, queued_as: 372C440006D, 364 ms
    Aug 9 05:55:46 ns1 postfix/smtp[26786]: C8EAF40006A: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.44, delays=0.07/0.01/0.01/0.36, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 372C440006D)
    Aug 9 05:55:46 ns1 postfix/qmgr[25720]: C8EAF40006A: removed

I finally found what's missing... from scratch...

This guide to install Debian with ISPConfig: http://www.howtoforge.com/perfect-server-debian-wheezy-apache2-bind-dovecot-ispconfig-3-p3

This guide to add the DKIM patch to ISPConfig: http://blog.schaal-24.de/?p=2223&lang=en

Then, modify these files:

/etc/postfix/main.cf

Code:
    smtpd_sender_restrictions =
      check_sender_access regexp:/etc/postfix/tag_as_originating.re,
      permit_mynetworks,
      permit_sasl_authenticated,
      check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
      check_sender_access regexp:/etc/postfix/tag_as_foreign.re

/etc/postfix/tag_as_originating.re

Code:
    /^/ FILTER amavis:[127.0.0.1]:10026

/etc/postfix/tag_as_foreign.re

Code:
    /^/ FILTER amavis:[127.0.0.1]:10024

/etc/amavis/conf.d/50-user

Code:
    $inet_socket_port = [10024,10026];
    $interface_policy{'10026'} = 'ORIGINATING';
    $policy_bank{'ORIGINATING'} = {
      originating => 1,
      smtpd_discard_ehlo_keywords => ['8BITMIME'],
    };

And now my outgoing emails are signed.

Thanks to Florian for your help

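The diagnosis in the posts above (a `{RelayedOpenRelay}` verdict and a hand-off to port 10024 instead of the ORIGINATING port 10026) can be checked mechanically by joining the amavis line and the Postfix hand-off line on the queue ID. This is an added example, not part of any post in the thread; the sample log lines are constructed in the format of the excerpts above, and the `RelayedOutbound` tag on the second message is an assumption about what a correctly routed message logs.

```python
import re

ORIGINATING_PORT = 10026  # amavis port bound to the ORIGINATING policy bank in this thread

# Constructed sample lines in the format of the mail.log excerpts above
# (addresses, IPs, IDs and the whole second message are made up for the example).
SAMPLE_LOG = """\
Aug  8 19:19:06 ns2 amavis[22296]: (22296-01) Passed CLEAN {RelayedOpenRelay}, [192.0.2.10]:16280 <user@example.com> -> <check@example.net>, Queue-ID: 71AF340006A, Message-ID: <a1@example.com>, mail_id: EWdd1eBDfHHt, Hits: -0.001, size: 2602, queued_as: BBC8840006D, 259 ms
Aug  8 19:19:06 ns2 postfix/smtp[22344]: 71AF340006A: to=<check@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.34, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Aug  8 19:25:10 ns2 amavis[22297]: (22297-01) Passed CLEAN {RelayedOutbound}, [192.0.2.10]:16301 <user@example.com> -> <check@example.net>, Queue-ID: 9D2C140006B, Message-ID: <a2@example.com>, mail_id: Qx81kLmPz0aa, Hits: -0.001, size: 2610, queued_as: 1F00A40006E, 231 ms
Aug  8 19:25:10 ns2 postfix/smtp[22351]: 9D2C140006B: to=<check@example.net>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.31, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

AMAVIS_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Passed \S+ \{(?P<tag>\w+)\}.*?Queue-ID: (?P<qid>[0-9A-F]+)")
HANDOFF_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*?relay=127\.0\.0\.1\[127\.0\.0\.1\]:(?P<port>\d+)")


def audit(log_text):
    """Join each amavis verdict with the port Postfix handed the message to."""
    tags, ports = {}, {}
    for line in log_text.splitlines():
        m = AMAVIS_RE.search(line)
        if m:
            tags[m["qid"]] = m["tag"]
            continue
        m = HANDOFF_RE.search(line)
        if m:
            ports[m["qid"]] = int(m["port"])
    report = {}
    for qid, tag in tags.items():
        port = ports.get(qid)  # None when the hand-off line is missing from the excerpt
        originating = port == ORIGINATING_PORT and tag != "RelayedOpenRelay"
        report[qid] = {"tag": tag, "port": port, "originating": originating}
    return report


if __name__ == "__main__":
    for qid, r in audit(SAMPLE_LOG).items():
        verdict = "eligible for DKIM signing" if r["originating"] else "NOT originating, not signed"
        print(f"{qid}: tag={r['tag']} amavis_port={r['port']} -> {verdict}")
```
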
For my part, I've this kind of error in my ispconfig.log

Code:
    16.09.2013-09:28 - ERROR - Unable to delete the DKIM settings from amavis-config for hypnotized.org.
    16.09.2013-10:50 - ERROR - Unable to write DKIM settings; Check your config!

Please verify that the directory DKIM-Path in the control panel is set and exists.

The first error occurs if you change the DKIM settings for a domain (change domain name, key, disable DKIM) for a domain that is not listed in your amavis config.

The second error means that the key files could not be stored in the directory for the key files (DKIM-Path).

If the key files couldn't be saved (error #2), the plugin tries to disable the domain in the amavis config (error #1) to make sure the server won't use wrong key files for signing.

Anyway, I'll look at the log messages to make them a little bit more explicit.

Hi, thanks for your answer… I'll try to make it clear ;-)

It's set ;-) (Attach files)

How can I check if it's listed? If it's by doing this: amavisd-new testkeys -> then yes, it is listed.

OK, but when I try this: amavisd-new testkeys, the two domains are "pass". So it's correctly stored?

Thanks!

showkeys displays the public key for all defined DKIM keys in your amavis config.

testkeys checks all defined private key files against your public key in the DNS record.

Yes. If testkeys returns "pass", everything works fine.

Did you use DKIM signing before installing the plugin?

So yes, I've my 2 domains with the TXT information (I suppose from the DNS record).

No, I've followed your tutorial step by step… That comes from a fresh install.

Update1: now I've no more errors, but… when I DIG TXT on my domain, the TXT field doesn't appear. But in pri.domain.tld the TXT field is present…

An idea about my issue?

Hey Florian,

First of all, thanks for the mod. I got a curious issue though, hope you can help me out.

OS = Debian Wheezy > latest perfect server + apache ... etc... Notable difference with the tutorial is that I installed Mail::DKIM from the repo instead of CPAN. > same version

I first followed your blog page http://blog.schaal-24.de/?p=2223&lang=en and, after noticing a couple of errors in the logs (due to a faulty copy-paste of the 50-user conf), I modified it according to http://www.howtoforge.com/forums/showpost.php?p=300967&postcount=10

My log showed "10025 command not recognized" and I added the localhost IP (127.0.0.1:10025... / 127.0.0.1:10027) to the master.cf.

Restarted amavis + postfix and got amavisd-new testkeys => pass. Mails were signed, and that was that, or so I thought..... as I got a "service unavailable" when I logged in to Roundcube (after server reboot). It was quite late and I thought I'd hunt the issue the next day (today).

Today I went on a typo hunt to get Roundcube working again, noticed on http://www.howtoforge.com/forums/showpost.php?p=300985&postcount=11 that you had updated your blog post, and started comparing this to post 10. I found a couple of differences and wondered which of both are most correct.

Most importantly in the 50-user file, post 10 has:

Code:
    $policy_bank{'ORIGINATING'} = {
      originating => 1,
      smtpd_discard_ehlo_keywords => ['8BITMIME'],
    };

your blog has:

Code:
    $policy_bank{'ORIGINATING'} = {
      originating => 1,
      smtpd_discard_ehlo_keywords => ['8BITMIME'],
      forward_method => 'smtp:[127.0.0.1]:10027',
    };

Which of both is the more correct one?

According to me these 3 lines do exactly the same, and I'm using the first.

Code:
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, regexp:/etc/postfix/tag_as_foreign.re
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re permit_mynetworks permit_sasl_authenticated check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, regexp:/etc/postfix/tag_as_foreign.re

Post 10 had an extra space in, for both tag_as_originating.re / tag_as_foreign.re files. (I recalled this being problematic for some parsers.)

Code:
    /^/ FILTER amavis:[127.0.0.1]:10026
    vs
    /^/ FILTER amavis:[127.0.0.1]:10026

I also removed the localhost IPs from the master.cf, rebooted and, lo and behold, Roundcube was working again...

The problem is now:

amavisd-new testkeys => invalid (public key: not available)
amavisd-new showkeys shows the key (1 domain)
/etc/postfix/dkim contains both private + public key
Mail still gets signed, but [email protected] reports permerror on DKIM.

I then undid all the changes and rebooted, to no avail...

amavisd-new testkeys => invalid (public key: not available)

... system now has an identical config as yesterday, Roundcube still works and amavis still doesn't.

Any suggestion is welcome.

Thx
Jan

Seems like it fixed itself after I altered resolv.conf to point to the host.

I'm still curious about the impact of the minor differences in the previous post.

Jan

Can't connect to INET4 socket

Thanks for the detailed install directions and the nice interface into ISPConfig. I have, however, clearly made an error during the set-up which I'm unable to locate.

Update edit: Found the error, which was an awful copy & paste job which omitted 127.0.0.1 from the entries 127.0.0.1:10025 and 127.0.0.1:10027. Great module!

From the mail warning log:

Code:
    Oct 11 13:48:27 fluffybunny amavis[7221]: (07221-01) (!)connect to [127.0.0.1]:10027 failed, attempt #1: Can't connect to INET4 socket [127.0.0.1]:10027: Connection refused
    Oct 11 13:48:27 fluffybunny amavis[7221]: (07221-01) (!)FWD from <[email protected]> -> <[email protected]>, 451 4.5.0 From MTA() during fwd-connect (All attempts (1) failed connecting to smtp:[127.0.0.1]:10027): id=07221-01

Any thoughts on locating my error would be appreciated.

Cheers!

showkeys just displays the keys defined in your amavisd config.

testkeys checks the public key in your DNS against your (local) private key.

I recommend using the setup as described on my blog.

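The distinction drawn in the thread between showkeys (local configuration only) and testkeys (local key compared with what DNS returns) can be illustrated with a simplified offline comparison. This is an added example, not amavisd's code and not part of any post: it compares a local public key file with the `p=` tag of a TXT answer passed in as strings rather than deriving the public key from the private key; the function names, the status labels other than "pass", and the sample key bytes are this example's own.

```python
import base64
import re


def parse_dkim_txt(txt_strings):
    """Join the chunks of one TXT answer and split the result into DKIM tags."""
    record = "".join(txt_strings)  # long keys arrive as several <=255-byte strings
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def pem_body(pem_text):
    """Return the raw bytes inside a PEM file (BEGIN/END lines dropped)."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    return base64.b64decode("".join(ln for ln in lines if ln and not ln.startswith("-----")))


def check_key(txt_strings, local_public_pem):
    """Compare the published p= value with the local public key file."""
    if not txt_strings:
        return "not available"  # the resolver returned no TXT record at all
    tags = parse_dkim_txt(txt_strings)
    if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
        return "not a DKIM key record"
    if tags["p"] == "":
        return "revoked"  # RFC 6376: an empty p= tag marks a revoked key
    try:
        published = base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "malformed p="
    return "pass" if published == pem_body(local_public_pem) else "mismatch"


# Constructed sample: placeholder bytes standing in for a real DER-encoded key.
SAMPLE_DER = bytes(range(200))
B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(B64[i:i + 64] for i in range(0, len(B64), 64))
              + "\n-----END PUBLIC KEY-----\n")
SAMPLE_TXT = ["v=DKIM1; k=rsa; p=" + B64[:100], B64[100:]]  # split like a long record
OTHER_TXT = ["v=DKIM1; k=rsa; p=" + base64.b64encode(b"another key").decode()]

if __name__ == "__main__":
    print(check_key(SAMPLE_TXT, SAMPLE_PEM), check_key([], SAMPLE_PEM),
          check_key(OTHER_TXT, SAMPLE_PEM))
```

The empty-answer case corresponds to the situation reported above where the key was configured locally but the resolver the server used returned nothing for the selector.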