Hi,
I've recently set up Postfix/Amavis/ClamAV/Dovecot/Spamassassin on a new Debian 12 server and I cannot for the life of me get amavis to sign emails. I have used a combination of a number of references on the internet to set up amavis with razor and pyzor such as https://blog.cyberfront.org/index.php/2021/10/28/debian-postfix-amavis-spamass-clamav/, so I don't have exactly one set up.

I am coming from ClearOS where this DKIM howto worked on ClearOS - https://web.archive.org/web/20220417120215/https://documentation.clearos.com/content:en_us:kb_howtos_using_dkim_to_sign_and_validate_mail, but it is very similar to https://blog.jeanbruenn.info/2021/08/07/amavisd-new-and-dkim/.

In /etc/amavis/conf.d/50-user, I have, among other things, a section:

   # For DKIM signing
   $enable_dkim_verification = 1;
   $enable_dkim_signing = 1;
   dkim_key('howitts.co.uk', '202410',
   '/etc/amavis/dkim/202410.howitts.co.uk.pem');
   @dkim_signature_options_bysender_maps = (
      { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );


"amavis testkeys" gives "TESTING#1 howitts.co.uk: 202410._domainkey.howitts.co.uk => pass"

But outgoing mails aren't signed. I can see amavis processing outbound emails in the mail log:

   2024-11-05T12:47:53.622762+00:00 mail-www postfix/qmgr[3637186]: 9645070E3E9: from=<n...@howitts.co.uk>, size=1632, nrcpt=1 (queue active)
   2024-11-05T12:47:53.631291+00:00 mail-www amavis[3635755]: (3635755-03) Passed CLEAN {RelayedOpenRelay}, [172.17.2.116]:52514 <n...@howitts.co.uk> -> <check-a...@verifier.port25.com>, Queue-ID: A016F70E38B, Message-ID: <1e1f6efd-f32f-4739-88ac-06d4684a5...@howitts.co.uk>, mail_id: CRoK8AaP7ooP, Hits: -0.199, size: 1161, queued_as: 9645070E3E9, 938 ms
   2024-11-05T12:47:53.633606+00:00 mail-www postfix/amavis/smtp[3637243]: A016F70E38B: to=<check-a...@verifier.port25.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.99, delays=0.03/0.02/0/0.94, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9645070E3E9)
   2024-11-05T12:47:53.633832+00:00 mail-www postfix/qmgr[3637186]: A016F70E38B: removed

But signing isn't happening.

From the earlier link I tried adding:

   $policy_bank{'ORIGINATING'} = {
      originating => 1,
      forward_method => 'smtp:[127.0.0.1]:10025',
      notify_method => 'smtp:[127.0.0.1]:10025',
      terminate_dsn_on_notify_success => 0,

      # see: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
      # force MTA to convert mail to 7-bit before DKIM signing
      # to avoid later conversions which could destroy signature:
      smtpd_discard_ehlo_keywords => ['8BITMIME'],
   };

but it didn't help.

If it helps in the diagnosis, I am sending emails using submission/STARTTLS with the following in postfix's master.cf:

   submission inet n       - y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth

and I wonder if something is missing from there, but I can see the message going through amavis in the logs.

Can anyone point me in the right direction here? Could there be a mistake in the config causing the 50-user not to be read? I cannot see anything in the logs.

TIA,

Nick
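
A log check for the symptom described in the message above, as an added example that is not part of the original post: it parses amavis summary lines and lists mail from a signing domain that amavis did not classify as originating. The function names and the sample lines (example.org addresses) are constructed, and the reading of the braced category suffixes is an assumption about amavisd's logging convention.

```python
import re

# Summary line amavis logs per message: action, verdict, {category}, sender -> recipient.
LINE_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?P<action>\w+) (?P<verdict>[\w-]+) "
    r"\{(?P<category>[^}]+)\}, .*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)

# Assumption: amavisd ends the category with Outbound/Internal only when the
# message was flagged originating; Inbound/OpenRelay mean it was not, and
# DKIM signing is applied to originating mail only.
ORIGINATING_SUFFIXES = ("Outbound", "Internal")


def parse_amavis_line(line):
    """Return the named fields of an amavis summary line, or None."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def unsigned_candidates(lines, signing_domains):
    """Records whose sender domain has a DKIM key configured but which
    amavis did not treat as originating, so no signature would be added."""
    findings = []
    for line in lines:
        rec = parse_amavis_line(line)
        if rec is None:
            continue  # not an amavis summary line
        domain = rec["sender"].rpartition("@")[2].lower()
        main_category = rec["category"].split(",")[0]
        originating = main_category.endswith(ORIGINATING_SUFFIXES)
        if domain in signing_domains and not originating:
            findings.append(rec)
    return findings


# Constructed sample lines in the format shown in the post (not real traffic).
SAMPLE_LOG = [
    "2024-11-05T12:00:01+00:00 mail amavis[1001]: (1001-01) Passed CLEAN {RelayedOpenRelay}, [192.0.2.10]:52514 <alice@example.org> -> <bob@example.net>, Queue-ID: AAAA1, mail_id: x1",
    "2024-11-05T12:00:02+00:00 mail amavis[1001]: (1001-02) Passed CLEAN {RelayedOutbound}, ORIGINATING [192.0.2.10]:52515 <alice@example.org> -> <bob@example.net>, Queue-ID: AAAA2, mail_id: x2",
    "2024-11-05T12:00:03+00:00 mail amavis[1001]: (1001-03) Passed CLEAN {RelayedInbound}, [198.51.100.7]:40000 <carol@example.net> -> <alice@example.org>, Queue-ID: AAAA3, mail_id: x3",
    "2024-11-05T12:00:04+00:00 mail postfix/qmgr[2002]: AAAA1: removed",
]

if __name__ == "__main__":
    for rec in unsigned_candidates(SAMPLE_LOG, {"example.org"}):
        print(f"{rec['sender']} -> {rec['rcpt']}: {rec['category']} (not originating)")
```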
