Zhang Huangbin,
> We use amavisd-new-2.6.0 to support DKIM feature, according to the quick
> guide in release notes file, i did the following steps to enable DKIM,
> but i'm little confused, is this setting correct?
>
> shell# mkdir /var/amavis/dkim/
> shell# su - amavis -c "amavisd genrsa /var/amavis/dkim/example.com.pem"
These files with a PEM key need not be writable by user amavis,
so I prefer to keep them owned by root and placed somewhere else.
My choice is /var/db/dkim/ (FreeBSD style location).
The 'amavisd genrsa' (may but) need not be run as user amavis.
Btw, Debian users are probably aware by now of a security flaw in
their openssl, which seriously impacted the quality of pseudorandom
generation, which means that PEM keys generated by openssl or by
'amavisd genrsa' or by the key generation utility that comes with
dkim-milter (or keys generated by ssh-keygen), prior to fixing
their openssl, are of poor quality and need to be replaced by
new keys. The security bug is specific to Debian (and derivatives);
other platforms are not affected.
> $enable_dkim_verification = 1;
> $enable_dkim_signing = 1;
> dkim_key("a.cn", 'dkim', "/var/amavis/dkim/a.cn.pem");
So far so good...
> @dkim_signature_options_bysender_maps = ( {
> '[EMAIL PROTECTED]' => { a => 'rsa-sha1', ttl => 7*24*3600 },
> ".a.cn" => { a => 'rsa-sha1', ttl => 10*24*3600 },
> ".a.cn" => { d => "a.cn" },
In a Perl associative array there can not be two entries
with the same key. One of the above will get overwritten by the other.
You need to combine all attributes in a single entry, e.g.:
".a.cn" => { d => "a.cn", a => 'rsa-sha1', ttl => 10*24*3600},
Note that signing mail for subdomains with a key of a parent domain
is treated by recipients as a third-party key, which may hold
'less merit' in their eyes. If one has a choice, it is better to
publish a key for each domain (e.g. host1.a.cn) if mail is really
bearing author addresses like that. Sharing a PEM file for multiple
(sub)domains may be acceptable, so you don't need to generate a
different key for each subdomain, but you do need to publish it
in each subdomain. It is probably easier to avoid author addresses
like host1.a.cn and always use a parent domain (a.cn) in 'From:',
thus avoiding the issue altogether.
Btw, the DKIM standard requires all implementations to support rsa-sha256,
while most also support rsa-sha1 (but need not). Unless there is a
good reason to use rsa-sha1, I'd recommend sticking with the default,
which is rsa-sha256.
> '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
> } );
> * Setup DNS record according the output of 'amavisd showkeys'.
> * Verify DNS setting via 'amavisd testkeys', it's 'pass'.
Good.
> Is it right?
You may also try it with some auto-responder. Note that some
are hopelessly out of date with their sw, so don't blindly
trust what they say. The [EMAIL PROTECTED] seems
alright.
Mark
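The duplicate-key problem in the quoted map, as an added illustration that is not code from the original thread or from amavisd-new itself. It builds the map as posted next to the combined form and resolves a few sender addresses against each; lookup_sender is a simplified stand-in for amavisd's own sender lookup (exact address, then parent domains with a leading dot, then the '.' catch-all), and the addresses are constructed placeholders:

```perl
#!/usr/bin/perl
# Added illustration, not amavisd-new code: why two entries with the same
# key in @dkim_signature_options_bysender_maps collapse to one, and how a
# single combined entry keeps every attribute.
use strict;
use warnings;

# The map as posted: '.a.cn' appears twice, so the later pair wins and the
# 'a' and 'ttl' of the first are silently dropped. Perl does not warn here.
my @broken_map = ( {
  'postmaster@a.cn' => { a => 'rsa-sha1', ttl => 7*24*3600 },   # constructed address
  '.a.cn' => { a => 'rsa-sha1', ttl => 10*24*3600 },
  '.a.cn' => { d => 'a.cn' },
  '.'     => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );

# The corrected map: one entry per key with all attributes combined.
my @fixed_map = ( {
  'postmaster@a.cn' => { a => 'rsa-sha1', ttl => 7*24*3600 },   # constructed address
  '.a.cn' => { d => 'a.cn', a => 'rsa-sha1', ttl => 10*24*3600 },
  '.'     => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );

# Simplified lookup (assumption: a stand-in for amavisd's real sender lookup):
# exact address first, then each parent domain with a leading dot, then '.'.
sub lookup_sender {
  my ($map, $addr) = @_;
  my $lc = lc $addr;
  my (undef, $domain) = split /@/, $lc, 2;
  my @candidates = ($lc);
  my @labels = split /\./, ($domain // '');
  while (@labels) {
    push @candidates, '.' . join('.', @labels);
    shift @labels;
  }
  push @candidates, '.';
  for my $h (@$map) {
    for my $key (@candidates) {
      return ($key, $h->{$key}) if exists $h->{$key};
    }
  }
  return;
}

# Print which key matched and which signing attributes survive.
sub describe {
  my ($label, $map, $addr) = @_;
  my ($key, $opts) = lookup_sender($map, $addr);
  my $attrs = join ', ', map { "$_=$opts->{$_}" } sort keys %$opts;
  printf "%-7s %-22s -> %-18s { %s }\n", $label, $addr, $key, $attrs;
}

for my $addr ('user@host1.a.cn', 'postmaster@a.cn', 'someone@example.org') {
  describe('broken', \@broken_map, $addr);
  describe('fixed',  \@fixed_map,  $addr);
}
```

Running it shows that with the posted map a sender under .a.cn gets only d=a.cn (no algorithm, no ttl), while the combined entry yields d, a and ttl together; the catch-all '.' entry still serves addresses outside a.cn in both versions.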
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/