amavis dkim problem

Discussion in 'Installation/Configuration' started by ciprianflorea, Nov 3, 2009.

  1. ciprianflorea

    ciprianflorea New Member

    Hi, im trying to setup dkim signatures with amavis
    i followed this guide
    and all looks good until

    $ amavisd testkeys

    www1:/etc/amavis/conf.d# amavisd-new testkeys
    TESTING: => fail (message has been altered)

    any idea what i did wrong ?

    i think this has to do with adding the txt record to mydns server
    i have added the entry that was generated by
    amavisd showkeys

    but for some reason it doesnt display the record when i do dig...
  2. ciprianflorea

    ciprianflorea New Member

    no one had the same problem?
  3. ciprianflorea

    ciprianflorea New Member

    Finally i kind of figured out where is the problem but now im stucked on another issue.

    How can i insert a DKIM key into mydns record?

    i have a generated key i have added a new txt record to mydns but it doesn't show up .

    here is how it looks
    any idea?
    Last edited: Nov 3, 2009
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. ciprianflorea

    ciprianflorea New Member

    Well i finally got to insert the txt record but for some reason it is altered and amavis wont recognize it:

    here the output

    www1:~# dig @ mail._domainkey.mail.domain.tld. txt

    ; <<>> DiG 9.5.1-P3 <<>> @ mail._domainkey.mail.domain.tld. txt
    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39120
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available

    ;mail._domainkey.mail.domain.tld. IN TXT

    mail._domainkey.mail.domain.tld. 1800 IN TXT "\"v=DKIM1\; p=\"\"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+j8TF4XX+23pdk228z1ie0dUR\"\"zyFSV4/AggUXW2YgYoOk+invQnCRYv/DlLlidlpPQmgFyiUDJ20oyuOeG98zskpw\"\"Affl0yhATIC2vBLOK4X2nOrMbkzHEi52QBxgnJs6bKSftzN+zSTJ8OKkRMcSMUbj\"\"/TaPjVL8vycrVvmAowIDAQAB\""

    domain.tld. 1800 IN NS ns1.domain.tld.
    domain.tld. 1800 IN NS www1.domain.tld.

    ns1.domain.tld. 1800 IN A
    www1.domain.tld. 1800 IN A

    ;; Query time: 1 msec
    ;; SERVER:
    ;; WHEN: Wed Nov 4 07:11:53 2009
    ;; MSG SIZE rcvd: 374

    www1:~# amavisd-new testkeys
    TESTING: mail._domainkey.mail.domain.tld => invalid (public key: invalid data)

    any idea?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is that the string is escaped with \. Please check the record in the database with phpmyadmin, does it contain the \ too? If not, its a mydns problem and you should check if you have the latest mydns version installed.
  7. ciprianflorea

    ciprianflorea New Member

    The string slashes are in database too, but this is kind of tricky because if i remove the slashes the whole thing can degenerate into a big mysql security hole :D im still searching for a reasonable way for getting this to work. I will post here updates for this matter :)
  8. ciprianflorea

    ciprianflorea New Member


    After a long fight i finally managed to get dkim signatures to work!
    In fact this job is pretty simple:
    After you generate the key file (in my case i had 3 key files for three different domains) use the showkeys command to display the key and create a TXT record in MyDns (just use the ISPConfig DNS Interface it will work), after that you have to wait for the changes to reflect on the internet.
    I think 24 hours will be enough.

    Here is how 50-user amanvisd conf file looks like:

    #$enable_dkim_verification = 1;
    $enable_dkim_signing = 1;
    @dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
    @mynetworks = qw( x.x.x.x/32);
    dkim_key('', 'mail', '/var/db/dkim/');
    dkim_key('', 'mail', '/var/db/dkim/');
    dkim_key('', 'mail', '/var/db/dkim/');

    Now lets cut this into pieces:

    $enable_dkim_verification = 1;

    I commented this out because i really dont need that amavisd to check the incoming mail for signatures because some useful mails might get spam flagged. If you really think that you will need this you can uncomment this line.

    $enable_dkim_signing = 1;

    This line enables dkim signing for outgoing mail.

    @dkim_signature_options_bysender_maps = (
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

    This one sets some dkim signature properties like: hashing algorhitm and key's TTL. I recommend to leave this as it is unless you really know what you are doing.

    Now the fun part is here:

    @mynetworks = qw(;

    Here is a list of hosts that are allowed to send mails thru you mail server, in other words the trusted networks for which amavisd will sign the emails. You have to add here the ip classes/addresses from where you will send your emails. In my case all the emails are sent by The Webmail interface (which uses the loopback address and a public ip address which belongs to my network's NAT Gateway ( , Notice the /32 mask which indicates thats only one ip address and not the whole class /24). If you are using your gateway/router as mail server too you will onlu have to add private ip class which your router is serving on (ie:

    In my case the problem was that i have separate machines for the mail server and gateway and i didnt had a record for my gateway's ip address and amavisd refused to sign my emails.

    Anyway now all its working like it should. The funny part is that the stupid Yahoo still marks my messages as spam but this is just matter of time until their spam filters will gather enough information and put my hosts on whitelist.

    Hope this will help!

    Later Edit: As i was saying some time ago... Yahoo was still marking my messages as spam. A few days ago i did another check, and... surprise... all of my messages got straight into Yahoo's Inbox. Thats so good news... so for those which are disapointed after setting up DKIM signs and the messages end in spam folder don't worry, its just a matter of time... so all you have to do is to wait.
    Last edited: Mar 3, 2010
  9. esmiz

    esmiz Member

    It helps mate, thanks a lot

    I've been struggling for 3 days triying to figure out why amavis refused to sign my e-mails.
    Your explanation about mynetworks has solved the problem.

    Thanks again
  10. Antennipasi

    Antennipasi ISPConfig Developer ISPConfig Developer

    finally got time to implement DKIM myself...
    but anyway, if one wants to sign messages for authenticated smtp-users, replacing @mynetworks-line with:
    $interface_policy{'10024'} = 'DKIM_ALWAYS'; 
    $policy_bank{'DKIM_ALWAYS'} = { originating => 1, };
    does the trick.
  11. esmiz

    esmiz Member

    Hi Ciprianflorea

    Do you know if that method is 100% reliable?
    Please don misunderstand me. I know that it works, but I would be more confident using it, if you can guarantee it's harmless.

  12. ciprianflorea

    ciprianflorea New Member

    Hi mate,

    using DKIM_ALWAYS is very safe because your smtp server relies on authenticated users. Although my_networks part is a strict declaration of allowed hosts/networks dkim_always allow email signing only for authenticated users which is very reliable for remote users and clients who have a dynamic ip address.

    I have dkim_always on three of my servers and its all good.
  13. esmiz

    esmiz Member

    Thanks for your explanation.

    I asked that question here but I didn't get an answer.

    I couldn't find any mention about this method in the official amavisd-new docs, that's why I suspected it was not advisable.

  14. binaryrogue

    binaryrogue Member

    ciprianflorea - In your screenshot, it shows the "Hostname" as mail._domainkey.mail.etc.., When I try to put mine in, it says hostname was not valid.

    Was your screenshot exactly the way how you impliment your DKIM entries?
  15. ciprianflorea

    ciprianflorea New Member

    Its about how you declare the key in amavisd conf file


    dkim_key(', 'mail', '/var/db/dkim/');

    the dns entry will be:
  16. rare

    rare New Member


    can anybody that succeded in setting amavisd to sign outgoing mail with dkim send me conf files for postfix ( and master.cs).

    We tried something with dkim-milter so there is many config lines, I am not sure which one is for what, probably because of that we can achieve dkim signing using amavisd.

    Dns settings are ok, there is an record, and amavisd is configured according to this forum thread, but it is still not working.

    There are some settings:
    $ dig -t TXT 86400 IN  TXT     "v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/r50PSUTLQLdqjEoHaK/K8FJIcunp93vEdw5HbBJPwwZDWQfWHRJ0ato6VTcwUU+fvpGJDSKaLFcgtFmWpSybLOoM/CovTpPz/sWbQ2LsEGthAA0gmJVsWfbI7ewCYHHTRdH7UKdBc1tVDQnBZpo5Ttltig0+a5dRQwFexrdxSwIDAQAB"
    $ tail /etc/amavisdamavisd.conf                                                                                                                              
    dkim_key('', 'foo', '/var/db/dkim/odmorise-foo.key.pem');
    @dkim_signature_options_bysender_maps = (
        { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
    $interface_policy{'10024'} = 'DKIM_ALWAYS';
    $policy_bank{'DKIM_ALWAYS'} = { originating => 1, };
    #@mynetworks = qw(;  # list your internal networks                                                                                         
    #$enable_dkim_verification = 1;                                                                                                                                                  
    $enable_dkim_signing = 1;
    $ tail -f /etc/postfix/
    #smtpd_milters = inet:
    #non_smtpd_milters = inet:
    $ tail -f /etc/postfix/ -n 100
    #  ${nexthop} ${user}
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_bind_address=
    smtp      inet  n       -       n       -       -       smtpd
        -o smtpd_proxy_filter=
        -o smtpd_client_connection_count_limit=10
    .... and many more lines like this 
    I am not sure how it should be set

    Thanks for help in advance
  17. Wisdown

    Wisdown Member

    I know the topic is old, but...

    You guys got Domainkeys working with this setup?

    I did all steps ( , and then sended an mail to:

    [email protected]

    For check, and got this as result:

    Summary of Results
    SPF check: pass
    DomainKeys check: neutral
    DKIM check: pass
    Sender-ID check: pass
    SpamAssassin check: ham

    Seems i missed something, or need more steps to get DomainKeys working too.
    Someone have an guide for this extra steps?

Share This Page