Thanks Mark. :)
Mark Martinec wrote:
> Zhang Huangbin,
>
>
>> We use amavisd-new-2.6.0 to support the DKIM feature. According to the quick
>> guide in the release notes file, I did the following steps to enable DKIM,
>> but I'm a little confused: is this setting correct?
>>
>> shell# mkdir /var/amavis/dkim/
>> shell# su - amavis -c "amavisd genrsa /var/amavis/dkim/example.com.pem"
>>
>
> These files with a key need not be writable by user amavis,
> so I prefer to keep them owned by root and placed somewhere else.
> My choice is /var/db/dkim/ (FreeBSD style location).
> The 'amavisd genrsa' may but need not be run as user amavis.
I changed the steps:
shell# mkdir /var/lib/dkim/
shell# amavisd genrsa /var/lib/dkim/a.cn.pem
shell# setfacl -m u:amavis:r-- /var/lib/dkim/a.cn.pem
BTW, I think '/var/lib/dkim/' is the correct location on RHEL.
>> ".a.cn" => { a => 'rsa-sha1', ttl => 10*24*3600 },
>> ".a.cn" => { d => "a.cn" },
>>
>
> In a perl associative array there can't be two entries
> with the same key. One of the above will get overwritten by the other.
> You need to combine all attributes in a single entry, e.g.:
>
> ".a.cn" => { d => "a.cn", a => 'rsa-sha1', ttl => 10*24*3600},
>
Changed. Thanks.
> Note that signing mail for subdomains with a key of a parent
> domain is treated by recipients as a third-party key, which
> may 'hold less merit' in their eyes. If one has a choice,
> it is better to publish a key for each domain (e.g. host1.a.cn)
> if mail is really coming from it. Sharing a pem file
> for multiple domains may be acceptable, so you don't need
> to generate a different key for each subdomain, but you
> do need to publish it in each subdomain. It is probably
> easier to avoid sending addresses like host1.a.cn and
> always use a parent domain (a.cn) in 'From:', thus
> avoiding the issue altogether.
>
OK, got it.
> Btw, the DKIM standard requires all implementations to support rsa-sha256,
> while most also support rsa-sha1 (but need not). Unless there is a
> good reason to use rsa-sha1, I'd recommend sticking with the default,
> which is rsa-sha256.
>
>> '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
>> } );
>>
>
>
Changed: rsa-sha1 -> rsa-sha256.
It works fine.
> You may also try it with some auto-responder. Note that some
> are hopelessly out of date with their sw, so don't trust
> blindly what they say.
How can I test it?
--
Best Regards.
Zhang Huangbin
- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
http://rhms.googlecode.com/
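For reference, the following amavisd.conf fragment ties together the points made in this exchange: a key file owned by root that amavis can only read, all attributes for a sender-domain pattern in one entry of the Perl hash, and rsa-sha256 instead of rsa-sha1. This is an added example written for this page, not Zhang's configuration and not code shipped by the amavisd-new project. The domain a.cn and the path /var/lib/dkim/a.cn.pem follow the thread; the selector name 'main' and the use of a.cn as a local domain are assumptions.

```perl
# amavisd.conf fragment (added example). Assumes: domain a.cn, selector
# 'main', private key at /var/lib/dkim/a.cn.pem (paths as in the thread).

@local_domains_maps = ( [ '.a.cn' ] );   # mail from these domains gets signed

$enable_dkim_verification = 1;           # verify signatures on inbound mail
$enable_dkim_signing      = 1;           # sign outbound mail from local domains

# The key was generated as root with:  amavisd genrsa /var/lib/dkim/a.cn.pem
# The file stays owned by root; amavis needs read access only (ACL or group
# read permission), never write access. The middle argument is the selector,
# which becomes the DNS label main._domainkey.a.cn.
dkim_key('a.cn', 'main', '/var/lib/dkim/a.cn.pem');

# WRONG (the original setting): two entries with the same key '.a.cn' in one
# Perl hash. Perl keeps only one of them, so either d=> or a=>/ttl=> is
# silently dropped.
#
# @dkim_signature_options_bysender_maps = ( {
#   '.a.cn' => { a => 'rsa-sha1', ttl => 10*24*3600 },
#   '.a.cn' => { d => 'a.cn' },
# } );

# CORRECT: one entry per sender-domain pattern carrying all attributes, and
# rsa-sha256, which every DKIM implementation must support (rsa-sha1 is
# optional for verifiers).
@dkim_signature_options_bysender_maps = ( {
  '.a.cn' => { d => 'a.cn', a => 'rsa-sha256', ttl => 10*24*3600 },
  '.'     => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );

# Subdomains: a message from host1.a.cn signed with d=a.cn is a third-party
# signature from the verifier's point of view. If such mail must carry a
# first-party signature, the same pem file can be published under the
# subdomain as well (separate DNS record main._domainkey.host1.a.cn):
#
# dkim_key('host1.a.cn', 'main', '/var/lib/dkim/a.cn.pem');
#
# Using a.cn in From: for all outgoing mail avoids the issue entirely.
```

To check the result: `amavisd showkeys` prints the DNS TXT record(s) to publish for each dkim_key declaration, and once they are in DNS, `amavisd testkeys` confirms that the published records resolve and match the private keys. After that, send a message from an a.cn address to a mailbox whose MTA verifies DKIM and look at the outgoing DKIM-Signature header (it should show d=a.cn and a=rsa-sha256) and at the Authentication-Results header that verifying receivers add.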
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/