Zhang Huangbin,
> We use amavisd-new-2.6.0 to support DKIM feature, according to the quick
> guide in release notes file, i did the following steps to enable DKIM,
> but i'm little confused, is this setting correct?
>
> shell# mkdir /var/amavis/dkim/
> shell# su - amavis -c "amavisd genrsa /var/amavis/dkim/example.com.pem"
These files with a key need not be writable by user amavis,
so I prefer to keep them owned by root and placed somewhere else.
My choice is /var/db/dkim/ (FreeBSD style location).
The 'amavisd genrsa' may but need not be run as user amavis.
Btw, Debian users are probably aware by now of a security flaw in
their openssl, which seriously impacted quality of pseudorandom
generation, which means that PEM keys generated by openssl
or by 'amavisd genrsa' or by the key generation utility that
comes with dkim-milter, prior to fixing their openssl,
are of poor quality and need to be replaced by new keys.
The security bug is specific to Debian (and derivatives),
other platforms are not affected.
> $enable_dkim_verification = 1;
> $enable_dkim_signing = 1;
> dkim_key("a.cn", 'dkim', "/var/amavis/dkim/a.cn.pem");
So far so good...
> @dkim_signature_options_bysender_maps = ( {
> '[EMAIL PROTECTED]' => { a => 'rsa-sha1', ttl => 7*24*3600 },
> ".a.cn" => { a => 'rsa-sha1', ttl => 10*24*3600 },
> ".a.cn" => { d => "a.cn" },
In a perl associative array there can't be two entries
with the same key. One of the above will get overwritten by the other.
You need to combine all attributes in a single entry, e.g.:
".a.cn" => { d => "a.cn", a => 'rsa-sha1', ttl => 10*24*3600},
Note that signing mail for subdomains with a key of a parent
domain is treated by recipients as a third-party key, which
may 'hold less merit' in their eyes. If one has a choice,
it is better to publish a key for each domain (e.g. host1.a.cn)
if mail is really coming from it. Sharing a pem file
for multiple domains may be acceptable, so you don't need
to generate a different key for each subdomain, but you
do need to publish it in each subdomain. It is probably
easier to avoid sending addresses like host1.a.cn and
always use a parent domain (a.cn) in 'From:', thus
avoiding the issue altogether.
Btw, DKIM standard requires all implementations to support rsa-sha256,
while most also support rsa-sha1 (but need not). Unless there is a
good reason to use rsa-sha1, I'd recommend to stick with a default
which is rsa-sha256.
> '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
> } );
> * Setup DNS record according the output of 'amavisd showkeys'.
> * Verify DNS setting via 'amavisd testkeys', it's 'pass'.
Good.
> Is it right?
You may also try it with some auto-responder. Note that some
are hopelessly out of date with their sw, so don't trust
blindly what they say.
Mark
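The duplicate-key problem and the merged entry, as an added example that is not part of the original thread and not amavisd-new's own code. It uses the domain names from the thread, switches the merged entry to the rsa-sha256 default as recommended above, and the `options_for_sender` helper is a hypothetical longest-suffix lookup written only to show which attributes a sender at host1.a.cn ends up with under each map; it is not how amavisd itself evaluates @dkim_signature_options_bysender_maps.

```perl
#!/usr/bin/perl
# Added example (not from the original post or from amavisd-new).
# Shows that a Perl hash literal with two ".a.cn" keys silently keeps
# only the last one, so the 'a' and 'ttl' attributes are lost, and
# what the corrected single entry looks like.
use strict;
use warnings;

# Original (broken) shape: two entries with the same key ".a.cn".
# 'use warnings' does not complain about this; the second entry wins.
my %broken = (
  '.a.cn' => { a => 'rsa-sha1', ttl => 10*24*3600 },
  '.a.cn' => { d => 'a.cn' },                  # replaces the line above
  '.'     => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
);

# Corrected shape: all attributes for ".a.cn" in one entry,
# using the rsa-sha256 default instead of rsa-sha1.
my %fixed = (
  '.a.cn' => { d => 'a.cn', a => 'rsa-sha256', ttl => 10*24*3600 },
  '.'     => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
);

# Hypothetical lookup (assumption, not amavisd's algorithm): walk from the
# sender's full domain up through its parent domains and return the first
# matching ".domain" entry, falling back to the catch-all '.' entry.
sub options_for_sender {
  my ($map, $sender) = @_;
  my ($domain) = $sender =~ /\@(.+)\z/ or return;
  my @labels = split /\./, lc $domain;
  while (@labels) {
    my $key = '.' . join('.', @labels);
    return $map->{$key} if exists $map->{$key};
    shift @labels;
  }
  return $map->{'.'};
}

# Compare what a sender in a subdomain of a.cn gets from each map.
for my $name ('broken', 'fixed') {
  my $map  = $name eq 'broken' ? \%broken : \%fixed;
  my $opts = options_for_sender($map, 'user@host1.a.cn');
  printf "%-6s entries=%d  d=%s a=%s ttl=%s\n",
    $name, scalar(keys %$map),
    map { defined $opts->{$_} ? $opts->{$_} : '(missing)' } qw(d a ttl);
}
```

Run it with `perl` on any host; both maps report two entries, but only the corrected one carries the signing domain, algorithm and ttl together for the subdomain sender, which is the point of merging the attributes into a single `".a.cn"` entry in amavisd.conf.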
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/