Hi guys. Hope someone with better understanding of amavis and dkim can help me out. I have amavis installed, however it does not seem to be dkim signing the outgoing emails from my hosted domains. I really only have 2 right now, but they run forums that send out mail using phpmail(). I'm not sure if it's cuz I don't have a key installed, as when I do showkeys this is my output:
Code:
[email protected]:~# amavisd-new showkeys
No DKIM private keys declared in a config file.
If this is the likely issue, how can I generate a key for dkim? I have found this:
$ amavisd genrsa /var/db/dkim/example-foo.key.pem
But I wasn't sure which is the best folder to install the new key, as there may be one specific to ISPConfig. This is the DKIM portion of my /etc/amavis/conf.d/50-user file:
Code:
# DKIM
$enable_dkim_verification = 1;
$enable_dkim_signing = 1; # load DKIM signing code
$signed_header_fields{'received'} = 0; # turn off signing of Received
@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
Or also I'm not sure if NOT running my own nameserver is an issue, as I use Enom name servers and just set the "a" record to my server IP address. Would this affect it? I am running newest Debian 8 with all updates and newest ISPConfig. Thanks for any help or suggestions.
Do not change anything in amavis. Just enable DKIM for a maildomain and publish the generated public key.
Thanks for replying florian030, appreciate it. It was exactly as you said, and I just didn't know that step was necessary since I was able to send emails without having the maildomain set up. For future reference for anyone else that may find this from search, I created the mail domain and DKIM as florian030 says, but since I'm using an external nameserver, I had to go to my registrar and add a new text record with host of "default._domainkey", type "txt" and the address box "<my domain key>". My domain key is the DNS record from ISPConfig starting at the "v=DKIM1... Hope that can help someone in the future, and thanks again florian030.
I had the same problem as tal56 wrote. But still DKIM is not included in mails. So far ... This post helped me to understand that ...
1. amavisd-new showkeys is not relevant when we are using ISPConfig. (Thanks for the post.)
2. In ISPConfig I enable DKIM for a maildomain and publish the generated public key. (Thanks for the answer in the post!)
Then I checked the DKIM with this web tool: dkimcore.org/tools/keycheck.html. And I can see that my DNS records are set up correctly. (I used cloudns so the TXT record can have more than 256 characters, and with a CNAME pointing to that record.) But still DKIM is not included when I send a mail. Some help please. What is missing? Why is the DKIM not included in the mail?
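An added example, not part of any post in this thread: a sanity check of the DKIM key record value before it is pasted into an external DNS provider as described above, plus the split into 255-byte strings that a longer TXT record is made of. The record and key bytes are constructed sample data, and the function names are made up for this example.

```python
import base64
import binascii

# Constructed sample: 294 filler bytes stand in for a 2048-bit RSA public key.
FAKE_KEY = base64.b64encode(bytes(range(256)) + bytes(38)).decode()
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY

def parse_tags(txt):
    """Split a DKIM key record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = "".join(value.split())  # drop whitespace
    return tags

def check_record(txt):
    """Return a list of problems with a DKIM key record; empty means OK."""
    tags = parse_tags(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("p= tag is missing")
    elif key == "":
        problems.append("p= is empty, which marks the key as revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated or mangled?)")
    return problems

def split_txt_strings(txt, limit=255):
    """Cut a record into the <=255-byte strings one TXT record is made of."""
    return [txt[i:i + limit] for i in range(0, len(txt), limit)]

if __name__ == "__main__":
    print(check_record(RECORD))        # complete record
    print(check_record(RECORD[:255]))  # record cut off by a 255-char form field
    print(" ".join('"%s"' % s for s in split_txt_strings(RECORD)))
```

Verifiers join the strings of one TXT record without any separator, so the split may fall anywhere, including inside the p= value.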
There is an issue if you send mail from @<hostname>, which you are warned not to insert into virtual maildomains. If you don't have a key added manually for @<hostname>, it will not be signed. I think there was another issue regarding locally injected mails using the pickup service. I'll have to check that on a new server later anyway, maybe I find something.
Hi, I understand that there is an issue with virtual domains. And that you are checking. Thanks! About the manual key: I also tried to create a key. But there was a problem restarting amavisd.service. Here are the steps:
Code:
amavisd genrsa /var/db/dkim/XXXX.key.pem
and add to amavisd.conf:
Code:
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('XXXX.com', 'dkim', '/var/db/dkim/XXXX.key.pem');
@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
then (in CentOS 7) run systemctl restart amavisd.service. But the restart failed and it will not send any mail. Mail is broken. If I check this command, amavisd showkeys, then the key is displayed. That is positive. So my conclusion is that ISPConfig does not work with a manual key. Therefore in amavisd.conf the attribute "dkim_key" will cause amavisd.service to fail on restart. I think that ISPConfig does not work with a manual DKIM key.
It does work on CentOS, just a bit different, however I have no CentOS setup at hand anymore. First of all, I used latest ISPConfig with BIND9 DNS and Postfix/dovecot/amavis for this, well and Debian ... Didn't CentOS' amavis also include config files from /etc/amavis/.conf ...? https://www.howtoforge.com/community/threads/debian-9-dkim-sign-outgoing-mails-sent-by-host.79527/ A quick hack would be to modify the start parameters and include a custom config file which includes the original and custom configs. @I_M on CentOS you could also have had a file permission issue, check whether your service runs chrooted and can access the file permission-wise and chroot-wise.
About my mentioning of the pickup service, I don't know if this is applicable for your issue but... try'n'error. If your mail() has [email protected] - maybe it solves the issue, not sure right now.
Code:
postconf -P "pickup/unix/content_filter=amavis:[127.0.0.1]:10024"
postconf -P "pickup/unix/milter_macro_daemon_name=ORIGINATING"
This changes your postfix master.conf (adding lines to pickup, simply remove them to revert). It's from a server where I changed tons of stuff ... it may harm your mail sent from cli/cron mail stuff.
Hi, I changed the permissions on the file XXXX.pem and now the command systemctl restart amavisd.service is OK! I tested one mail by sending a mail to a Gmail account. In Gmail I looked in "Original Message" and found a problem. I checked with dkimcore.org and there my DNS passed. So maybe Gmail will find the DNS later on. Is it a question of time until the DNS is updated?
This might be, it can take some time - check other services meanwhile, unlockinbox, mxtoolbox.... You can also make sure that you have set, and amavis used, the right selector (prefix name on your DNS entry...) or send a mail to yourself and check if there is a sign of DKIM in the raw mail headers. Send to some external email account which is not controlled by the server first; if that works, try local delivery.
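The two checks suggested in the post above (is there any DKIM signature in the raw headers, and does its selector match the name of the DNS entry), as an added example that is not part of the thread. The sample messages and the published name are constructed, and the function names are made up for this example.

```python
import email
import re

# Constructed sample messages; addresses, domains and the bh=/b= values are
# placeholders, not real signatures.
SIGNED = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
 s=dkim; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: forum@example.com
To: someone@example.net
Subject: signed test

body
"""
UNSIGNED = "From: www-data@host.example.com\nSubject: cron\n\nbody\n"

def signature_record_names(raw):
    """DNS names (selector._domainkey.domain) a verifier will look up."""
    msg = email.message_from_string(raw)
    names = []
    for header in msg.get_all("DKIM-Signature", []):
        # Tag list of the signature header; folded lines are handled because
        # whitespace inside each value is removed.
        tags = {k: "".join(v.split())
                for k, v in re.findall(r"([a-z]+)\s*=([^;]*)", header)}
        name = "%s._domainkey.%s" % (tags.get("s"), tags.get("d"))
        names.append(name.lower())
    return names

def diagnose(raw, published):
    """Say whether a raw message is signed and whether its key name exists.

    `published` is the set of TXT record names the admin created in DNS
    (an assumption of this example; nothing is looked up over the network).
    """
    names = signature_record_names(raw)
    if not names:
        return ["unsigned: no DKIM-Signature header"]
    return ["%s: %s" % (n, "published" if n in published else "NOT published")
            for n in names]

if __name__ == "__main__":
    dns = {"default._domainkey.example.com"}  # the host name used earlier in the thread
    print(diagnose(SIGNED, dns))    # signed with selector "dkim", DNS has "default"
    print(diagnose(UNSIGNED, dns))  # mail that never passed the signing step
```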
Hi, I used dkimvalidator.com for testing a mail. And the result was positive. I think Gmail will recognize the DNS DKIM record later on. Thanks a lot!