Hi, im trying to setup dkim signatures with amavis
i followed this guide http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
and all looks good until

$ amavisd testkeys

www1:/etc/amavis/conf.d# amavisd-new testkeys
TESTING: www1.xxx.com._domainkey.www1.xxx.com => fail (message has been altered)

any idea what i did wrong ?

i think this has to do with adding the txt record to mydns server
i have added the entry that was generated by
amavisd showkeys

but for some reason it doesnt display the record when i do dig...

no one had the same problem?

Finally i kind of figured out where is the problem but now im stucked on another issue.

How can i insert a DKIM key into mydns record?

i have a generated key i have added a new txt record to mydns but it doesn't show up .

here is how it looks
http://yfrog.com/j8dkimlj
any idea?

The probem might be with the length of the record. mydns-ng has a new edata field for that in the latest version as I've read here, but thats not implemented in ispconfig yet.

http://sourceforge.net/mailarchive/forum.php?thread_name=49C92480.3030201%40cohtech.c om&forum_name=mydns-users

Well i finally got to insert the txt record but for some reason it is altered and amavis wont recognize it:

here the output

www1:~# dig @127.0.0.1 mail._domainkey.mail.domain.tld. txt

; <<>> DiG 9.5.1-P3 <<>> @127.0.0.1 mail._domainkey.mail.domain.tld. txt
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39120
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail._domainkey.mail.domain.tld. IN TXT

;; ANSWER SECTION:
mail._domainkey.mail.domain.tld. 1800 IN TXT "\"v=DKIM1\; p=\"\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+j8TF4XX+23 pdk228z1ie0dUR\"\"zyFSV4/AggUXW2YgYoOk+invQnCRYv/DlLlidlpPQmgFyiUDJ20oyuOeG98zskpw\"\"Affl0yhATIC2vBLOK4X2nOrMbkzHEi52QBxgnJs6bKSftzN+zS TJ8OKkRMcSMUbj\"\"/TaPjVL8vycrVvmAowIDAQAB\""

;; AUTHORITY SECTION:
domain.tld. 1800 IN NS ns1.domain.tld.
domain.tld. 1800 IN NS www1.domain.tld.

;; ADDITIONAL SECTION:
ns1.domain.tld. 1800 IN A 1.2.3.4
www1.domain.tld. 1800 IN A 1.2.3.4

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 4 07:11:53 2009
;; MSG SIZE rcvd: 374

www1:~# amavisd-new testkeys
TESTING: mail._domainkey.mail.domain.tld => invalid (public key: invalid data)


any idea?

The problem is that the string is escaped with \. Please check the record in the database with phpmyadmin, does it contain the \ too? If not, its a mydns problem and you should check if you have the latest mydns version installed.

The string slashes are in database too, but this is kind of tricky because if i remove the slashes the whole thing can degenerate into a big mysql security hole :D im still searching for a reasonable way for getting this to work. I will post here updates for this matter :)

After a long fight i finally managed to get dkim signatures to work!
In fact this job is pretty simple:
After you generate the key file (in my case i had 3 key files for three different domains) use the showkeys command to display the key and create a TXT record in MyDns (just use the ISPConfig DNS Interface it will work), after that you have to wait for the changes to reflect on the internet.
I think 24 hours will be enough.

Here is how 50-user amanvisd conf file looks like:

#$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 x.x.x.x/32);
dkim_key('mail.domain1.com', 'mail', '/var/db/dkim/domain1.com.key.pem');
dkim_key('mail.domain2.com', 'mail', '/var/db/dkim/domain3.com.key.pem');
dkim_key('mail.domain3.com', 'mail', '/var/db/dkim/domain3.com.key.pem');

Now lets cut this into pieces:

$enable_dkim_verification = 1;

I commented this out because i really dont need that amavisd to check the incoming mail for signatures because some useful mails might get spam flagged. If you really think that you will need this you can uncomment this line.

$enable_dkim_signing = 1;

This line enables dkim signing for outgoing mail.

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

This one sets some dkim signature properties like: hashing algorhitm and key's TTL. I recommend to leave this as it is unless you really know what you are doing.

Now the fun part is here:

@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 1.2.3.4/32);

Here is a list of hosts that are allowed to send mails thru you mail server, in other words the trusted networks for which amavisd will sign the emails. You have to add here the ip classes/addresses from where you will send your emails. In my case all the emails are sent by The Webmail interface (which uses the loopback address 127.0.0.1/8) and a public ip address which belongs to my network's NAT Gateway (1.2.3.4/32 , Notice the /32 mask which indicates thats only one ip address and not the whole class /24). If you are using your gateway/router as mail server too you will onlu have to add private ip class which your router is serving on (ie: 192.168.1.0/24).

In my case the problem was that i have separate machines for the mail server and gateway and i didnt had a record for my gateway's ip address and amavisd refused to sign my emails.

Anyway now all its working like it should. The funny part is that the stupid Yahoo still marks my messages as spam but this is just matter of time until their spam filters will gather enough information and put my hosts on whitelist.

Hope this will help!
Cheers!


Later Edit: As i was saying some time ago... Yahoo was still marking my messages as spam. A few days ago i did another check, and... surprise... all of my messages got straight into Yahoo's Inbox. Thats so good news... so for those which are disapointed after setting up DKIM signs and the messages end in spam folder don't worry, its just a matter of time... so all you have to do is to wait.

I've been struggling for 3 days triying to figure out why amavis refused to sign my e-mails.
Your explanation about mynetworks has solved the problem.

Thanks again

Now the fun part is here:

@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 192.168.1.0/24 1.2.3.4/32);

finally got time to implement DKIM myself...
but anyway, if one wants to sign messages for authenticated smtp-users, replacing @mynetworks-line with:
$interface_policy{'10024'} = 'DKIM_ALWAYS';
$policy_bank{'DKIM_ALWAYS'} = { originating => 1, };

does the trick.

Hi Ciprianflorea

Do you know if that method is 100% reliable?
Please don misunderstand me. I know that it works, but I would be more confident using it, if you can guarantee it's harmless.

regards

Hi Ciprianflorea

Do you know if that method is 100% reliable?
Please don misunderstand me. I know that it works, but I would be more confident using it, if you can guarantee it's harmless.

regards

Hi mate,

using DKIM_ALWAYS is very safe because your smtp server relies on authenticated users. Although my_networks part is a strict declaration of allowed hosts/networks dkim_always allow email signing only for authenticated users which is very reliable for remote users and clients who have a dynamic ip address.

I have dkim_always on three of my servers and its all good.

Thanks for your explanation.

I asked that question here (http://www.howtoforge.com/forums/showthread.php?t=43547&page=2#18) but I didn't get an answer.

I couldn't find any mention about this method in the official amavisd-new docs, that's why I suspected it was not advisable.

Regards

ciprianflorea - In your screenshot, it shows the "Hostname" as mail._domainkey.mail.etc.., When I try to put mine in, it says hostname was not valid.

Was your screenshot exactly the way how you impliment your DKIM entries?
http://img692.yfrog.com/img692/4725/dkiml.jpg

ciprianflorea - In your screenshot, it shows the "Hostname" as mail._domainkey.mail.etc.., When I try to put mine in, it says hostname was not valid.

Was your screenshot exactly the way how you impliment your DKIM entries?
http://img692.yfrog.com/img692/4725/dkiml.jpg

Its about how you declare the key in amavisd conf file

ie:

for:
dkim_key('mail.xxx.com, 'mail', '/var/db/dkim/xxx.com.key.pem');


the dns entry will be:

mail._domainkey.mail.xxx.com.

Hi,

can anybody that succeded in setting amavisd to sign outgoing mail with dkim send me conf files for postfix (main.cf and master.cs).

We tried something with dkim-milter so there is many config lines, I am not sure which one is for what, probably because of that we can achieve dkim signing using amavisd.

Dns settings are ok, there is an record, and amavisd is configured according to this forum thread, but it is still not working.

There are some settings:
$ dig -t TXT foo._domainkey.odmorise.info
foo._domainkey.odmorise.info. 86400 IN TXT "v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/r50PSUTLQLdqjEoHaK/K8FJIcunp93vEdw5HbBJPwwZDWQfWHRJ0ato6VTcwUU+fvpGJD SKaLFcgtFmWpSybLOoM/CovTpPz/sWbQ2LsEGthAA0gmJVsWfbI7ewCYHHTRdH7UKdBc1tVDQnBZpo 5Ttltig0+a5dRQwFexrdxSwIDAQAB"


$ tail /etc/amavisdamavisd.conf
dkim_key('odmorise.info', 'foo', '/var/db/dkim/odmorise-foo.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
$interface_policy{'10024'} = 'DKIM_ALWAYS';
$policy_bank{'DKIM_ALWAYS'} = { originating => 1, };
#@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 188.40.93.84/32); # list your internal networks
#$enable_dkim_verification = 1;
$enable_dkim_signing = 1;


$ tail -f /etc/postfix/main.cf

#smtpd_milters = inet:188.40.93.84:10035
#non_smtpd_milters = inet:188.40.93.84:10035

$ tail -f /etc/postfix/master.cf -n 100
# ${nexthop} ${user}

amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,rej ect
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o receive_override_options=no_unknown_recipient_chec ks,no_header_body_checks
-o smtpd_bind_address=127.0.0.1


smtp inet n - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
.... and many more lines like this


I am not sure how it should be set

Thanks for help in advance