I work for a university institute and administer its servers "incidentally". Currently I am putting some work into our mail server configuration (sendmail 8.13.1 with amavisd-new-2.6.4). Recently I got amavis to verify DKIM-signed mails. Now my plan was to sign outgoing emails ourselves. This is what I have done (I replaced some names for privacy reasons):

1. I created a private key:

   /usr/local/amavisd/amavisd genrsa /var/dkim/SEL1_DKIMkey.pem

2. Changed permissions for the user running amavis:

   chown -R vscan.vscan /var/dkim/ && chmod -R 700 /var/dkim

3. Edited my /etc/amavisd.conf:

   ...
   $enable_dkim_signing = 1;
   # signing domain   selector   private key   options
   dkim_key('my.domain.topdomain.de', 'sel1', '/var/dkim/SEL1_DKIMkey.pem');
   ...

4. Restarted amavis:

   /etc/init.d/amavisd restart

5. Tested whether the private key is found, and got the public key as well as the DNS entry information:

   /usr/local/amavisd/amavisd showkeys
   ; key#1, domain my.domain.topdomain.de, /var/dkim/SEL1_DKIMkey.pem
   sel1._domainkey.my.domain.topdomain.de. 3600 TXT (
     "v=DKIM1; p=...")

Now things are getting a bit more complicated, at least for me: the mail server is on a different host than the DNS server for my.domain.topdomain.de. The DNS server responsible for my.domain.topdomain.de is the same as for topdomain.de, which is at our IT center and thus I do not administer. I figured it out by "dig my.domain.topdomain.de". Our local DNS servers are not accessible from the internet. For your setup it might be sufficient to edit the zone file of your DNS server.

6. I let our IT center make the following entry in their DNS server ("..." is the public key from the "/usr/local/amavisd/amavisd showkeys" command):

   sel1._domainkey.my.domain.subdomain.de IN TXT "v=DKIM1; r=postmas...@my.domain.subdomain.de ; p=..."

7. Verified that the public key can be fetched on http://dkimcore.org/c/keycheck (the selector in this case is 'sel1').

8. Tested public key usage on my mail server:

   /usr/local/amavisd/amavisd testkeys
   TESTING#1: sel1._domainkey.my.domain.topdomain.de => pass

9. Sent test mails to sa-t...@sendmail.net and check-a...@verifier.port25.com. They automatically create answer mails considering the signature information.

The problem is that amavis is not signing the mails. Both automatic test emails reported that the mail had not been signed. The mail to my external account also did not contain any DKIM information. I searched several forums for a solution and placed a thread there, too. From this I know that different people have the same setup and thus the same problem, without a solution.

The Perl modules should be sufficiently new:

# tail -f /var/log/amavisd-info.log | grep DKIM
Jan 5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Signer 0.39
Jan 5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Verifier 0.39
Jan 5 11:01:53 bender amavis[16877]: DKIM code loaded
Jan 5 11:01:54 bender amavis[16877]: SpamAssassin loaded plugins: AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, DNSEval, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject

"My" system:

# uname -r & cat /etc/issue
2.6.9-89.0.11.ELsmp
Red Hat Enterprise Linux AS release 4 (Nahant Update 8)

If you need any further information just let me know. I appreciate any advice.

Best Regards
Matthias

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
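Added example, not from the post and not part of amavisd-new: a small offline Python diagnostic for the three things worth checking when `testkeys` passes but test messages come back unsigned. It (1) inspects a captured outgoing message for a DKIM-Signature whose d=/s= tags match the configured signing domain and selector, (2) validates the TXT record the DNS operator published as a DKIM1 key record, and (3) compares its p= value with the record amavisd printed with `showkeys`. The only assumption about amavisd is the `showkeys` output layout quoted above; the messages, the TXT record and the key material are constructed placeholders, not real keys.

```python
"""Offline DKIM signing diagnostics (added example; all sample data constructed)."""
import base64
import email
import re


def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict.
    Folding whitespace inside values is dropped so b=/bh=/p= compare cleanly."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_signatures(raw_message):
    """Return the tag dicts of every DKIM-Signature header in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message)
    return [parse_tag_list(str(h)) for h in msg.get_all("DKIM-Signature", [])]


def signing_status(raw_message, domain, selector):
    """'unsigned' (no signature at all), 'signed' (a signature for this
    domain/selector), or 'signed-other' (signed, but by another d=/s=)."""
    sigs = dkim_signatures(raw_message)
    if not sigs:
        return "unsigned"
    if any(s.get("d") == domain and s.get("s") == selector for s in sigs):
        return "signed"
    return "signed-other"


def parse_dkim_txt(record):
    """Validate a selector TXT record; return its tags or raise ValueError.
    'record' is the concatenation of all quoted strings DNS returned."""
    tags = parse_tag_list(record)
    if tags.get("v", "DKIM1") != "DKIM1":      # v= is optional, but must be DKIM1 if present
        raise ValueError("v= tag is not DKIM1")
    if "p" not in tags:
        raise ValueError("missing p= tag (public key)")
    if tags["p"] == "":
        raise ValueError("empty p= means the key is revoked")
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError:
        raise ValueError("p= is not valid base64")
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("unsupported key type k=%s" % tags["k"])
    return tags


def expected_txt_from_showkeys(output):
    """Extract (owner name, record text) from `amavisd showkeys` output,
    joining the quoted pieces inside the parentheses into one record."""
    m = re.search(r"^(\S+)\s+\d+\s+TXT\s*\((.*?)\)", output, re.S | re.M)
    if not m:
        raise ValueError("no TXT record found in showkeys output")
    pieces = re.findall(r'"([^"]*)"', m.group(2))
    return m.group(1).rstrip("."), "".join(pieces)


def published_matches(expected_record, published_record):
    """True if the p= the DNS operator published equals the one amavisd generated."""
    return parse_dkim_txt(expected_record)["p"] == parse_dkim_txt(published_record)["p"]


# --- constructed sample data (placeholder key, not a real RSA public key) ---
FAKE_P = base64.b64encode(b"placeholder-public-key-bytes").decode()
SHOWKEYS_OUTPUT = (
    "; key#1, domain my.domain.topdomain.de, /var/dkim/SEL1_DKIMkey.pem\n"
    "sel1._domainkey.my.domain.topdomain.de. 3600 TXT (\n"
    '  "v=DKIM1; p=" "' + FAKE_P[:20] + '"\n'
    '  "' + FAKE_P[20:] + '")\n'
)
PUBLISHED_TXT = "v=DKIM1; r=postmaster@my.domain.topdomain.de ; p=" + FAKE_P
UNSIGNED_MSG = (b"From: me@my.domain.topdomain.de\nTo: you@example.org\n"
                b"Subject: test\n\nbody\n")
SIGNED_MSG = (b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;\n"
              b" d=my.domain.topdomain.de; s=sel1; h=from:to:subject;\n"
              b" bh=ZmFrZQ==; b=ZmFrZQ==\n") + UNSIGNED_MSG

if __name__ == "__main__":
    owner, expected = expected_txt_from_showkeys(SHOWKEYS_OUTPUT)
    print("expected owner:", owner)
    print("published key matches showkeys:", published_matches(expected, PUBLISHED_TXT))
    for name, msg in (("unsigned", UNSIGNED_MSG), ("signed", SIGNED_MSG)):
        print(name, "->", signing_status(msg, "my.domain.topdomain.de", "sel1"))
```

To use it on a real setup, paste the `dig +short TXT sel1._domainkey.<domain>` strings (joined) into `PUBLISHED_TXT`, the `showkeys` output into `SHOWKEYS_OUTPUT`, and a message saved from the external test account into `SIGNED_MSG`. If the record checks pass but the status is "unsigned", the key and DNS side are fine and the question is whether amavisd treats the test mail as originating: amavisd-new only signs mail it considers originating (a policy bank with the `originating` flag, as set for MYNETS or the submission port), so mail injected through the inbound path is passed through unsigned even with `$enable_dkim_signing = 1`.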