Guy,

> I'm currently using amavisd-new with clamav (that's the main thing
> it's in use for at the moment) but I'm wanting to try using it for
> DKIM signing as well. I've tried DKIMproxy but the performance hit
> made it unacceptable.
>
> I've been reading the documentation at
> http://www.ijs.si/software/amavisd/amavisd-new-docs.html but it's left
> me a little confused.
>
> I only need signing for messages going out on port 587 (port 25 is
> only for incoming mail).
> Port 587 requires users to be authenticated (Dovecot SASL).
> I've got 150-odd domains which all need to be signed (I'm adding this
> mostly to help reduce deferrals sending to Yahoo domains).
> And I need to be able to cater to mailing lists in the future.
>
> Does anyone know of documentation aimed at someone less familiar with
> amavis? Especially if it includes details for the multiple domains,
> mailing lists and auth'd users.
Allow amavisd to listen on one additional TCP port:

  $inet_socket_port = [10024,10026];

Make a policy bank which will turn on the 'originating' flag, optionally
providing some additional settings there:

  $policy_bank{'ORIGINATING'} = {
    originating => 1,  # indicates client is ours, allows signing
    # force MTA to convert mail to 7-bit before DKIM signing
    # to avoid later conversions which could destroy signature:
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
  };

Associate a port number 10026 with this policy bank:

  $interface_policy{'10026'} = 'ORIGINATING';

Tell Postfix to feed mail coming in from port 587 to amavisd on port 10026:

  master.cf:
    submission inet n - n - - smtpd
      -o content_filter=amavisfeed:[127.0.0.1]:10026

(keeping your remaining options for 587)

Now you have two paths through your mail system: mail submitted to 587
goes to amavisd on port 10026, where it loads a policy bank named
(arbitrarily) 'ORIGINATING', and then continues its way wherever your
$forward_method points to, typically back to Postfix on port 10025.

All remaining mail will observe your global setting for content_filter,
which will (presumably) feed it to amavisd on port 10024, and then back
on to the MTA at port 10025. No policy bank will be activated for this
mail; the global settings will apply.

Now to the DKIM part:

  $enable_dkim_signing = 1;       # you need this one
  $enable_dkim_verification = 1;  # can't hurt to have verification too

Now to the signing keys. You will need to decide whether you want to
provide each of your hosted domains with its own individual key, or use
the same key for all of them, or something in between. Another choice is
to always sign with your own signature, but this is less interesting, as
this would result in third-party signatures, which are typically of less
value to recipients (but can sometimes be useful, e.g. in case of
mailing lists).
Generate as many keys as necessary, writing them to files:

  $ amavisd genrsa /var/db/dkim/one.key.pem
  $ amavisd genrsa /var/db/dkim/two.key.pem
  $ amavisd genrsa /var/db/dkim/three.key.pem

Declare them in amavisd.conf, one entry for each of your domains. The
first argument is a domain name, the second is a selector name (you will
need it to set up DNS, pick any short string), the last one is one of
the above files containing a key:

  dkim_key('example.com', 'foo', '/var/db/dkim/one.key.pem');
  dkim_key('example.org', 'foo', '/var/db/dkim/two.key.pem');
  dkim_key('example.net', 'gah', '/var/db/dkim/three.key.pem');

If you prefer, you may use the same key file for more than one domain -
it's not very nice, but is probably acceptable if all domains are hosted
and supervised by the same admin:

  dkim_key('ex1.net', 'foo', '/var/db/dkim/three.key.pem');
  dkim_key('ex2.net', 'foo', '/var/db/dkim/three.key.pem');
  dkim_key('ex3.net', 'foo', '/var/db/dkim/three.key.pem');

With many domains it may be easier (although a bit less flexible) to
specify all your data in one file, and let amavis convert each line into
a call to dkim_key. The syntax is the same as used by dkim_milter,
documented also in the RELEASE_NOTES:

  - to facilitate transition of DKIM signing from dkim-milter to
    amavisd-new, a new command-line tool is available (the extra
    utility code is not loaded during normal operation), taking a
    file name as its argument, e.g.:

      # amavisd convert_keysfile /var/db/dkim/keysfile.txt

    and writing to stdout a set of lines that may be directly included
    into the amavisd.conf configuration file, matching semantics of a
    dkim-filter keys file. It can be useful during transition, or for
    those who prefer to specify signing keys and sender-to-key mappings
    as a file in a syntax compatible with options -K -k of dkim-filter,
    and can live with limitations of such syntax. See the dkim-filter(8)
    man page for details on the syntax.
    The produced output consists of signing key declarations (calls to
    a procedure dkim_key), where each call normally corresponds to
    exactly one DNS resource record publishing a corresponding DKIM
    public key. When necessary, the output also produces an assignment
    to a list of lookup tables @dkim_signature_options_bysender_maps,
    which supplies non-default mappings of sender domains to signing
    keys, e.g. when third-party signatures are desired.

From the dkim-filter man page:

  The keyfile should contain a set of lines of the form

    sender-pattern:signing-domain:keypath

  where sender-pattern is a pattern to match against message senders
  (with a special character "*" interpreted as "zero or more
  characters"), signing-domain is the domain to announce as the signing
  domain when generating signatures (or a '*', implying author's
  domain), and keypath is a path to the PEM-formatted private key to be
  used for signing messages which match the sender-pattern. The selector
  used in the signature will be the filename portion of keypath.

  A line starting with "/" is interpreted as a root directory for keys,
  meaning the keypath values after that line in the file are taken
  relative to that path. If a file referenced by keypath cannot be
  opened, the filter will try again by appending ".pem" and then
  ".private". '#'-delimited comments and blank lines are ignored.

What remains is to publish the public part of these keys in DNS zones of
each of your hosted domains. The command:

  amavisd showkeys

(with domains as optional additional arguments) will provide the output
in a format directly cut/pastable into standard 'named' zone files.

After publishing keys in DNS, test them:

  amavisd testkeys

That does it for your first need, signing mail submitted by your clients.
You also say you'd like to sign mailing lists, so you probably need the
third mail path from MTA to amavisd and back, but this time with most of
the content filtering disabled (as it was hopefully done before mail
entered a mailing list manager, just signing remains enabled).

Configure your mailing list manager to feed its output on a dedicated
Postfix port number (as it doesn't need checking again, just signing):

  (mailman) mm_cfg.py:
    SMTPHOST = '127.0.0.1'
    SMTPPORT = 10587   # to Postfix, to be DKIM-signed by amavisd

Let Postfix forward such mail to amavisd on port 10028:

  master.cf:
    127.0.0.1:10587 inet n - n - - smtpd
      -o content_filter=amavisfeed:[127.0.0.1]:10028

On the amavisd side we add one additional TCP port number:

  $inet_socket_port = [10024,10026,10028];

associate it with another policy bank:

  $interface_policy{'10028'} = 'NOCHECKS';

and provide a policy bank with most of the checks disabled, and with a
dkim_signature_options_bysender_maps overriding the search for a
suitable signing key by forcing amavisd to use the key associated with
the supplied mailing list owner's domain (d => 'example.com'):

  $policy_bank{'NOCHECKS'} = {
    originating => 1,  # allows signing
    smtpd_discard_ehlo_keywords => ['8BITMIME'],
    mynetworks_maps => [],  # avoids loading MYNETS policy unnecessarily
    os_fingerprint_method => undef,
    penpals_bonus_score => undef,
    bounce_killer_score => 0,
    bypass_decode_parts => 1,
    bypass_header_checks_maps => [1],
    bypass_virus_checks_maps => [1],
    bypass_spam_checks_maps => [1],
    bypass_banned_checks_maps => [1],
    spam_lovers_maps => [1],
    banned_files_lovers_maps => [1],
    dkim_signature_options_bysender_maps => [ {
      # explicit 'd' forces a signature by the specified domain,
      # regardless of the author's domain, typically resulting
      # in a third-party signature
      '.' => { d => 'example.com', c => 'relaxed/simple' },
    } ],
  };

Mark

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
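As an added illustration of the dkim-filter keyfile syntax quoted above and of what the convert_keysfile step has to produce (this is example code written for this post, not amavisd's own convert_keysfile tool), the Python below turns such a keyfile into dkim_key() declarations plus the bysender entries needed for third-party signatures. It assumes that sender patterns contain an '@', that a .pem/.private suffix is dropped when deriving the selector, that a '*@dom' pattern maps to the '.dom' lookup key, and that the sample keyfile and the set of "existing" key files are constructed stand-ins.

```python
import os

# Constructed sample in dkim-filter keyfile syntax, and a constructed stand-in
# for the key files present on disk (neither is a real deployment):
SAMPLE_KEYSFILE = """\
/var/db/dkim
*@example.com:*:one                  # sign example.com mail with one.pem
*@example.org:example.org:two.pem
*@lists.example.net:example.com:one  # third-party signature by example.com
"""
SAMPLE_KEYFILES = {"/var/db/dkim/one.pem", "/var/db/dkim/two.pem"}

def resolve_keypath(path, exists=os.path.exists):
    # dkim-filter retries with ".pem" and then ".private" appended
    for candidate in (path, path + ".pem", path + ".private"):
        if exists(candidate):
            return candidate
    raise FileNotFoundError(path)

def selector_from_path(path):
    # filename portion of keypath, minus a .pem/.private suffix (this example's assumption)
    name = os.path.basename(path)
    return next((name[:-len(s)] for s in (".pem", ".private") if name.endswith(s)), name)

def convert_keysfile(text, exists=os.path.exists):
    """Return (dkim_key declarations, bysender map entries) for amavisd.conf."""
    root, keys, bysender = "", [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments and blank lines are ignored
        if not line:
            continue
        if line.startswith("/"):             # root directory for the following keypaths
            root = line
            continue
        pattern, signing_domain, keypath = line.split(":", 2)
        if not keypath.startswith("/"):
            keypath = os.path.join(root, keypath)
        keypath = resolve_keypath(keypath, exists)
        sender_domain = pattern.rpartition("@")[2]   # patterns are assumed to contain '@'
        if signing_domain == "*":                    # '*' means the author's own domain
            signing_domain = sender_domain
        decl = "dkim_key('%s', '%s', '%s');" % (signing_domain, selector_from_path(keypath), keypath)
        if decl not in keys:                         # one declaration per DNS record
            keys.append(decl)
        if signing_domain != sender_domain:
            # Third-party signature: force 'd' as the NOCHECKS bank does. Mapping
            # '*@dom' to the '.dom' lookup key (domain and subdomains) is an assumption.
            key = "." + sender_domain if pattern == "*@" + sender_domain else pattern
            bysender.append("'%s' => { d => '%s' }" % (key, signing_domain))
    return keys, bysender
```

Call convert_keysfile(SAMPLE_KEYSFILE, SAMPLE_KEYFILES.__contains__) to exercise the sample offline; with the default os.path.exists it checks the real files on disk.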