amavis-user March 2011 archive

[AMaViS-user] DKIM signing

From: Matthias Hanke <hanke_at_nospam>
Date: Tue Mar 01 2011 - 15:43:43 GMT
To: amavis-user@lists.sourceforge.net

I work for a university institute and administrate its servers
"incidentally".
Currently I am putting some work into our mail server configuration
(sendmail 8.13.1 with amavisd-new-2.6.4). Recently I got amavis to
verify DKIM signed mails. Now my plan was to sign outgoing Emails
ourselves.
This is what I have done (I replaced some names for privacy reasons):

1. I created a private key:
/usr/local/amavisd/amavisd genrsa /var/dkim/SEL1_DKIMkey.pem

2. Changed permissions for the user running amavis:
chown -R vscan.vscan /var/dkim/ && chmod -R 700 /var/dkim

3. Edited my /etc/amavisd.conf:
...
$enable_dkim_signing = 1;
# signing domain selector private key options
dkim_key ('my.domain.topdomain.de', 'sel1', '/var/dkim/SEL1_DKIMkey.pem');
...

4. Restarted amavis:
/etc/init.d/amavisd restart

5. Tested whether the private key is found and got public key as well
as DNS entry information:
/usr/local/amavisd/amavisd showkeys

; key#1, domain my.domain.topdomain.de, /var/dkim/SEL1_DKIMkey.pem
sel1._domainkey.my.domain.topdomain.de. 3600 TXT (
   "v=DKIM1; p=...")

Now things are getting a bit more complicated, at least for me:
The Mailserver is on a different host than the DNS-server for
my.domain.topdomain.de. The DNS-Server responsible for
my.domain.topdomain.de is the same as for topdomain.de which is at our
IT center and thus I do not administrate. I figured it out by "dig
my.domain.topdomain.de". Our local DNS-Servers are not accessible from
the internet.
For your setup it might be sufficient to edit the zone file of your
DNS-server.

6. I let our IT-Center make the following entry in their DNS-Server
("..." is the public key from the "/usr/local/amavisd/amavisd
showkeys" command):
sel1._domainkey.my.domain.subdomain.de IN TXT "v=DKIM1; r=postmaster@my.domain.subdomain.de; p=..."

7. Verified that the public key can be fetched on http://dkimcore.org/c/keycheck
  (selector in this case is 'sel1')

8. Tested public key usage on my mailserver:
/usr/local/amavisd/amavisd testkeys

TESTING#1: sel1._domainkey.my.domain.topdomain.de => pass

9. Sent test mails to sa-test@sendmail.net and check-auth@verifier.port25.com.
They automatically create answer mails considering signature information.

The problem is that amavis is not signing the mails. Both automatic
test emails reported that the mail had not been signed. The mail to
my external account also did not contain any DKIM information.
I searched several forums for a solution and placed a thread there, too.
From this I know that different people have the same setup and thus
the same problem without a solution.

The PERL modules should be sufficiently new:
# tail -f /var/log/amavisd-info.log | grep DKIM
Jan 5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Signer 0.39
Jan 5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Verifier 0.39
Jan 5 11:01:53 bender amavis[16877]: DKIM code loaded
Jan 5 11:01:54 bender amavis[16877]: SpamAssassin loaded plugins:
AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, DNSEval,
HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval,
MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop,
URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
I

"My" system:
# uname -r & cat /etc/issue
2.6.9-89.0.11.ELsmp
Red Hat Enterprise Linux AS release 4 (Nahant Update 8)

If you need any further information just let me know. I appreciate any
advice.

Best Regards
Matthias
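
A local check for steps 6 and 9 of the post above, added here as an example (it is not part of the original message or of amavisd): it parses a DKIM key record and reports whether a message carries a DKIM-Signature header for the expected domain and selector. The record and messages are constructed, reusing the post's placeholder names, and the signature itself is not cryptographically verified.

```python
import email

def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376, section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:  # skip empty trailing elements
            # Whitespace inside a value (header folding, wrapped base64) is not significant.
            tags[name.strip()] = "".join(val.split())
    return tags

def check_key_record(txt):
    """Return the problems found in a DKIM key TXT record (empty list = usable)."""
    tags = parse_tag_list(txt)
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("unexpected version tag")
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means the key is revoked)")
    return problems

def signature_status(raw_message, domain, selector):
    """Report 'unsigned', 'signed' or 'signed-by-other' for the given d=/s= pair."""
    sigs = email.message_from_string(raw_message).get_all("DKIM-Signature", [])
    if not sigs:
        return "unsigned"
    for sig in sigs:
        tags = parse_tag_list(sig)
        if tags.get("d", "").lower() == domain.lower() and tags.get("s") == selector:
            return "signed"
    return "signed-by-other"

# Constructed sample messages; the bh=/b= values are dummies.
UNSIGNED = "From: a@my.domain.topdomain.de\nTo: b@example.org\nSubject: test\n\nhello\n"
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n"
          "\td=my.domain.topdomain.de; s=sel1; h=from:to:subject;\n"
          "\tbh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\n" + UNSIGNED)

if __name__ == "__main__":
    print(check_key_record("v=DKIM1; r=postmaster@my.domain.subdomain.de; p="))
    print(signature_status(UNSIGNED, "my.domain.topdomain.de", "sel1"))
    print(signature_status(SIGNED, "my.domain.topdomain.de", "sel1"))
```

Feeding it a copy of the mail as received at the external account shows whether the header was ever added, independent of the auto-responders.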
