DKIM Signing with Amavis

Discussion in 'General' started by tal56, Aug 5, 2017.

  1. tal56

    tal56 Member

    Hi guys. Hope someone with a better understanding of amavis and DKIM can help me out.
    I have amavis installed, however it does not seem to be DKIM signing the outgoing emails from my hosted domains. I really only have 2 right now, but they run forums that send out mail using phpmail().

    I'm not sure if it's cuz I don't have a key installed, as when I do showkeys this is my output:
    root@server1:~# amavisd-new showkeys
    No DKIM private keys declared in a config file.
    If this is the likely issue, how can I generate a key for DKIM?
    I have found this:
    $ amavisd genrsa /var/db/dkim/example-foo.key.pem
    But I wasn't sure which is the best folder to install the new key in, as there may be one specific to ISPConfig.

    This is the DKIM portion of my /etc/amavis/conf.d/50-user file
    # DKIM
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1; # load DKIM signing code
    $signed_header_fields{'received'} = 0;  # turn off signing of Received
    @dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
    Also, I'm not sure if NOT running my own nameserver is an issue, as I use Enom name servers and just set the "A" record to my server IP address. Would this affect it?

    I am running the newest Debian 8 with all updates and the newest ISPConfig.

    Thanks for any help or suggestions.
  2. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Do not change anything in amavis. Just enable DKIM for a mail domain and publish the generated public key.
  3. tal56

    tal56 Member

    Thanks for replying, florian030, I appreciate it. It was exactly as you said, and I just didn't know that step was necessary since I was able to send emails without having the mail domain set up.

    For future reference for anyone else that may find this from search, I created the mail domain and DKIM as florian030 says, but since I'm using an external nameserver, I had to go to my registrar and add a new text record with host "default._domainkey", type "TXT", and the address box "<my domain key>". My domain key is the DNS record from ISPConfig starting with "v=DKIM1...

    Hope that can help someone in the future, and thanks again florian030.
  4. I_M

    I_M New Member

    I had the same problem as tal56 wrote. But DKIM is still not included in mails.
    So far ...
    This post helped me to understand that ...
    1. amavisd-new showkeys is not relevant when we are using ISPConfig. (Thanks for the post.)
    2. In ISPConfig I enabled DKIM for a mail domain and published the generated public key. (Thanks for the answer in the post!)
    Then I checked the DKIM with this web tool
    And I can see that my DNS records are set up correctly. (I used ClouDNS so the TXT record can have more than 256 characters, with a CNAME pointing to that record.)
    But DKIM is still not included when I send a mail.
    Some help please. What is missing? Why is the DKIM signature not included in the mail?
  5. Well-Known Member HowtoForge Supporter

    There is an issue if you send mail from @<hostname>, which you are warned not to insert into virtual mail domains.
    If you don't have a key added manually for @<hostname>, it will not be signed.

    I think there was another issue regarding locally injected mails using the pickup service. I'll have to check that on a new server later anyway, maybe I'll find something.
  6. I_M

    I_M New Member

    I understand that there is an issue with virtual domains, and that you are checking. Thanks!
    About the manual key:
    I also tried to create a key. But there was a problem restarting amavisd.service.
    Here are the steps:
    amavisd genrsa /var/db/dkim/XXXX.key.pem
    and add to amavisd.conf:
    $enable_dkim_verification = 1;
    $enable_dkim_signing = 1;
    dkim_key('', 'dkim', '/var/db/dkim/XXXX.key.pem');
    @dkim_signature_options_bysender_maps = (
      { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
    then (in CentOS 7) run systemctl restart amavisd.service
    But the restart failed and it will not send any mail. Mail is broken.
    If I check with the command amavisd showkeys, then the key is displayed. That is positive.
    So my conclusion is that ISPConfig does not work with a manual key. Therefore, in amavisd.conf the attribute "dkim_key" will cause amavisd.service to fail on restart. I think that ISPConfig does not work with a manual DKIM key.
  7. Well-Known Member HowtoForge Supporter

    It does work on CentOS, just a bit differently, however I have no CentOS setup at hand anymore.

    First of all, I used the latest ISPConfig with BIND9 DNS and Postfix/Dovecot/amavis for this, well, and Debian ...
    Didn't CentOS' amavis also include config files from /etc/amavis/.conf ...?
    A quick hack would be to modify the start parameters and include a custom config file which includes the original and custom configs.

    @I_M on CentOS you could also have had a file permission issue; check whether your service runs chrooted and can access the file, permission-wise and chroot-wise.
  8. Well-Known Member HowtoForge Supporter

    About my mentioning of the pickup service, I don't know if this is applicable to your issue but... try'n'error :)
    If your mail() has [email protected] - maybe it solves the issue, not sure right now.
    postconf -P "pickup/unix/content_filter=amavis:[]:10024"
    postconf -P "pickup/unix/milter_macro_daemon_name=ORIGINATING"
    This changes your postfix master.conf (adding lines to pickup; simply remove them to revert).
    It's from a server where I changed tons of stuff ... it may harm your mail sent from CLI/cron mail stuff.
  9. I_M

    I_M New Member

    I changed the permissions on the file XXXX.pem and now the command systemctl restart amavisd.service is OK!
    I tested one mail by sending it to a Gmail account. In Gmail I looked in "Original Message" and found a problem.
    I checked with and there my DNS passed.
    So maybe Gmail will find the DNS later on. Is it a question of time until the DNS is updated?
  10. Well-Known Member HowtoForge Supporter

    This might be, it can take some time - check other services meanwhile, unlockinbox, mxtoolbox....
    You can also make sure that you have set, and amavis used, the right selector (the prefix name on your DNS entry...)
    Or send a mail to yourself and check if there is a sign of DKIM in the raw mail headers; send to some external email account which is not controlled by the server first, and if that works, try local delivery.
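
A small check for the two things suggested in this thread: that the raw headers of a sent mail carry a DKIM-Signature whose selector matches the TXT record name you published ("<selector>._domainkey.<domain>", "default._domainkey" in tal56's post), and that the record itself is a usable "v=DKIM1" key record. This is an added example, not code from the thread or from ISPConfig/amavis; the message, the TXT value and the domain example.com are constructed samples.

```python
import email
import re

# Constructed sample (not from the thread): headers of an outgoing message after
# amavis signed it with selector "default", the label in front of "._domainkey"
# in the TXT record name the thread mentions.
SIGNED_MESSAGE = b"""DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
\ts=default; h=From:To:Subject; bh=BODYHASHPLACEHOLDER=;
\tb=SIGNATUREPLACEHOLDER=
From: forum@example.com
To: someone@example.net
Subject: dkim test

hello
"""
UNSIGNED_MESSAGE = b"From: root@example.com\nSubject: cron\n\noutput\n"

# Constructed sample of the TXT record at default._domainkey.example.com (the
# value ISPConfig shows for the mail domain, starting with "v=DKIM1").
PUBLISHED_TXT = "v=DKIM1; k=rsa; p=PUBLICKEYPLACEHOLDER"


def parse_tags(value: str) -> dict:
    # Split a DKIM tag=value list into a dict. Folding whitespace inside values
    # is dropped, so a header wrapped over several lines parses like one line.
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            name, val = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signature_dns_name(raw_message: bytes):
    # Return (selector, domain, dns_name) from the DKIM-Signature header, where
    # dns_name is what the receiver looks up; None means amavis did not sign.
    msg = email.message_from_bytes(raw_message)
    header = msg.get("DKIM-Signature")
    if header is None:
        return None
    tags = parse_tags(header)
    selector, domain = tags.get("s"), tags.get("d")
    if not selector or not domain:
        return None
    return selector, domain, f"{selector}._domainkey.{domain}"


def public_key_record_ok(txt: str) -> bool:
    # A usable key record has v=DKIM1 (if v is present) and a non-empty p= tag;
    # an empty p= is how a revoked key is published.
    tags = parse_tags(txt)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))
```

Feed signature_dns_name the raw source of a mail you sent to an external account; if it returns None, amavis never signed it (the @<hostname> and pickup cases above), and if the selector differs from the record you published, the receiver will look up a name that does not exist.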
  11. I_M

    I_M New Member

    I used for testing a mail. And the result was positive.
    I think Gmail will recognize the DNS DKIM record later on.
    Thanks a lot!