Voytek,

> as I was re-starting amavisd after a recent re-config I noticed the DKIM
> message [1] in the log;
>
> [1]
> DKIM signature verification disabled, corresponding features not
> available. If not intentional, consider enabling it by setting:
> $enable_dkim_verification to 1, or explicitly disable it by setting it to
> 0 to quench down this warning.
>
> I'm 'vaguely' familiar with DKIM to the extent that 'I know it exists' but
> not much beyond, and, do not have DKIM here, looking at amavisd docs, it
> requires certain setup with certificates, etc
>
> so, dumb question:
>
> I should just disable it,
> and, there is no point in 'just enabling' this setting UNLESS I also set
> up corresponding keys, etc

These are two mostly independent features: verification and signing.
The message [1] only says that verification is disabled.

Turning on DKIM verification does not require any keys or certificates
on your side, these are only required on the sender's side.

DKIM verification does not cost much, so my position is to just
enable it ($enable_dkim_verification=1). If for nothing else, it will
insert an Authentication-Results header field to received signed
messages, and provide additional information in the log - both of which
can serve as a gentle getting-used-to / introduction to the new concept.

If using amavisd 2.6.4 with SpamAssassin 3.3.0 or later, letting amavisd
do the DKIM verification has another benefit: the verification results
are passed from amavisd to SpamAssassin's DKIM plugin, which need not
do the verification again, so DNS lookups and crypto calculation are done
only once. This has significance with messages larger than the
$sa_mail_body_size_limit, namely a truncation of a message passed on
from amavisd to SA would invalidate DKIM signatures and SA could assign
score points for this - but if amavisd is allowed to do a verification,
it can do it on a pristine untruncated message, and just pass results
to SA, so DKIM signatures on large messages would not get invalidated.

Later you may decide to use some additional benefits of DKIM verification
in amavisd, like loading a policy bank based on a valid signature,
which can serve to let-in some messages from your trusted correspondents
which might otherwise be blocked by banning, anti-spam or anti-virus
checks. Also, you can add (positive or negative) spam points to the
SA score based on a reputation of a DKIM signer
(see @signer_reputation_maps in release notes).

Now, the DKIM signing is another matter, mostly independent from verification.
To produce a valid DKIM signature, you need to generate one or more
signing keys (amavisd can do it for you: '$ amavisd genrsa <filename>'),
then you need to add the generated public key as a TXT record to a
DNS zone of your domain, and make the private key counterpart available
on a file to amavisd, and let it be aware of it by a dkim_key()
in amavisd.conf. This is pretty much all there is to it. For a simple setup
this is quite straightforward, just follow the:

  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-impatient

Benefits of signing are that you make it easier for recipients of
your mail to reliably treat it favourably. Some big players are starting
to collect reputation data on signing domains, so if your outgoing mail
is spam-free, it is likely that you will have fewer problems with future
delivery of your mail to big players (like yahoo or gmail).

  Mark
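
The reply above notes that truncating a message at $sa_mail_body_size_limit invalidates its DKIM signatures. The following Python sketch is an added illustration, not part of the original message and not amavisd or SpamAssassin code: it computes the DKIM body hash (the bh= tag) as RFC 6376 defines it and compares a pristine, a whitespace-altered and a truncated body. The function names, the sample body and the 1024-byte limit are assumptions made for the example.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str = "relaxed") -> bytes:
    """DKIM body canonicalization (RFC 6376 sections 3.4.3 and 3.4.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP, then drop whitespace at line end.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    # Both modes ignore empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body is a single CRLF in "simple", zero octets in "relaxed".
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()


def bh_matches(signed_bh: str, body: bytes, mode: str = "relaxed") -> bool:
    """A mismatch here fails DKIM verification regardless of the key."""
    return signed_bh == body_hash(body, mode)


def demo(limit: int = 1024):
    # Constructed sample body; `limit` is a made-up stand-in for a size cap
    # such as $sa_mail_body_size_limit.
    full = b"".join(b"line %d of a constructed message body\r\n" % i for i in range(200))
    signed_bh = body_hash(full)  # what the signer placed in bh=
    reflowed = full.replace(b" of a ", b"  of\ta ") + b"\r\n\r\n"
    return {
        "pristine": bh_matches(signed_bh, full),
        "whitespace_only_changes": bh_matches(signed_bh, reflowed),
        "truncated": bh_matches(signed_bh, full[:limit]),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24} body hash {'matches' if ok else 'MISMATCH'}")
```

Relaxed canonicalization absorbs whitespace changes made in transit, but any verifier that only sees a truncated copy computes a different hash, which is why the verification has to run on the untruncated message.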