
[AMaViS-user] DKIM signing

From: Matthias Hanke <hanke_at_nospam>
Date: Tue Mar 01 2011 - 15:43:43 GMT

I work for a university institute and administrate its servers.
Currently I am putting some work into our mail server configuration
(sendmail 8.13.1 with amavisd-new-2.6.4). Recently I got amavis to
verify DKIM signed mails. Now my plan was to sign outgoing Emails.
This is what I have done (I replaced some names for privacy reasons):

1. I created a private key:
/usr/local/amavisd/amavisd genrsa /var/dkim/SEL1_DKIMkey.pem

2. Changed permissions for the user running amavis:
chown -R vscan.vscan /var/dkim/ && chmod -R 700 /var/dkim

3. Edited my /etc/amavisd.conf:
$enable_dkim_signing = 1;
# signing domain selector private key options
dkim_key ('', 'sel1', '/var/dkim/

4. Restarted amavis:
/etc/init.d/amavisd restart

5. Tested whether the private key is found and got public key as well
as DNS entry information:
/usr/local/amavisd/amavisd showkeys

; key#1, domain, /var/dkim/SEL1_DKIMkey.pem 3600 TXT (
   "v=DKIM1; p=...")

Now things are getting a bit more complicated at least for me:
The Mailserver is on a different host than the DNS-server for The DNS-Server responsible for is the same as for which is at our
IT center and thus I do not administrate. I figured it out by "dig". Our local DNS-Servers are not accessible from
the internet.
For your setup it might be sufficient to edit the zone file of your

6. I let our IT-Center make the following entry in their DNS-Server
("..." is the public key from the "/usr/local/amavisd/amavisd
showkeys" command): IN TXT "v=DKIM1;
; p=..."

7. Verified that the public key can be fetched on
  (selector in this case is 'sel1')

8. Tested public key usage on my mailserver:
/usr/local/amavisd/amavisd testkeys

TESTING#1: => pass

9. Sent test mails to and
  . They automatically create answer mails considering signature

The problem is that amavis is not signing the mails. Both automatic
test emails reported that the mail had not been signed. The mail to
my external account also did not contain any DKIM information.
I searched several forums for a solution and placed a thread there, too.
From this I know that different people have the same setup and thus
the same problem without a solution.

The Perl modules should be sufficiently new:
# tail -f /var/log/amavisd-info.log | grep DKIM
Jan 5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Signer 0.39
Jan 5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Verifier 0.39
Jan 5 11:01:53 bender amavis[16877]: DKIM code loaded
Jan 5 11:01:54 bender amavis[16877]: SpamAssassin loaded plugins:
AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, DNSEval,
HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval,
MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop,
URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject

"My" system:
# uname -r & cat /etc/issue
Red Hat Enterprise Linux AS release 4 (Nahant Update 8)

If you need any further information just let me know. I appreciate any

Best Regards
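
The checks in steps 6 to 9 above can be scripted offline, shown here as an added Python example that is not part of the original post and is not amavisd code: it validates the text of a DKIM TXT record before it is handed to the DNS administrator, and lists the selector/domain lookup name for every DKIM-Signature header in a received test mail (an empty list means the mail was not signed). The domain example.org, the key bytes and the function names are assumptions made for the example.

```python
import base64
import re
from email import message_from_string

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")
            # Whitespace (including header folding) is stripped from values.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def check_txt_record(rdata):
    """Check a DKIM key record as written in a zone file or shown by dig."""
    # A TXT record may be split into several quoted strings; join them first.
    chunks = re.findall(r'"([^"]*)"', rdata)
    tags = parse_tags("".join(chunks) if chunks else rdata)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "bad version"
    if "p" not in tags:
        return "no public key"
    if tags["p"] == "":
        return "key revoked"
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        return "p= is not valid base64"
    return "ok"

def signature_lookups(raw_message):
    """Return the DNS name to query for each DKIM-Signature header found."""
    names = []
    for header in message_from_string(raw_message).get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        names.append(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    return names

# Constructed sample input: example.org and the key bytes are placeholders.
SAMPLE_TXT = '"v=DKIM1; " "p=' + base64.b64encode(b"constructed-key").decode() + '"'
SAMPLE_MAIL = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org;\n"
               "\ts=sel1; h=from:subject; bh=AAAA; b=BBBB\n"
               "From: user@example.org\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    print(check_txt_record(SAMPLE_TXT))
    print(signature_lookups(SAMPLE_MAIL))
    print(signature_lookups("From: user@example.org\n\nbody\n"))
```

A record in which the literal placeholder `...` was pasted instead of the key from `showkeys` is reported as `p= is not valid base64`.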
