I've noticed you are using amavisd-new. It can easily sign your messages.
I'm showing what I use:
cat /etc/amavis/conf.d/22-dkim
use strict;
$enable_dkim_signing = 1;
# dkim_key(domain, selector, private key file); the public key is published
# at selector._domainkey.domain
dkim_key('domain1.com', 'dkim', '/path/to/domain1.com-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
                 192.168.0.0/16 ); # list your internal networks
1; # ensure a defined return
Generate certificate:
amavisd-new genrsa /path/to/domain1.com-dkim.key.pem 2048
Show the formatted value for DNS TXT record:
amavisd-new showkeys domain1.com
Marius.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of James B. Byrne
Sent: Monday, May 5, 2014 8:12 PM
To: Postfix users
Subject: Getting DKIM to work with Mailman and Postfix
I am wrestling with the issues arising from Yahoo.com, and now AOL.com, enforcing DKIM for their addresses. Specifically we run a small number of mailing lists using Mailman which have a large number of subscribers from both these domains. As Mailman is configured to forward mail without altering the FROM: header this trips the DKIM reject.

We have installed and configured OpenDKIM on our smtp relay, generated the private keys, configured the KeyTable and SigningTable files and published the necessary _domainkey.domain DNS records.

Our desired solution is to have mail forwarded by Mailman resigned using the Sender, where present, instead of the From header. As Mailman does set the Sender properly, according to reports from [email protected], we altered the configuration of opendkim.conf to this: SenderHeaders Sender,From.
DKIM is configured in main.cf thus:
# set up opendkim - also see: /etc/opendkim.conf and /etc/opendkim/TrustedHosts
# make sure opendkim service is running
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2
Mailman is interfaced to Postfix using this entry in master.cf:
# Local delivery of mailing list traffic
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=mailman:mailman
  argv=/usr/lib/mailman/postfix/postfix-to-mailman.py ${nexthop} ${user}
The problem that we have is that mail being forwarded from Mailman is not being signed at all. And I suspect that it relates to the fact that the Mailman MLM and the Postfix MTA reside on the same server. When I look at a test message sent through the MLM to the auth-results address I see this:
[email protected]
Received: from localhost (localhost [127.0.0.1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id 36876609A5
    for <[email protected]>; Mon, 5 May 2014 12:30:20 -0400 (EDT)
X-Virus-Scanned: amavisd-new at harte-lyne.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
    by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id JUcMvst-FkzK for <[email protected]>;
    Mon, 5 May 2014 12:30:19 -0400 (EDT)
Received: from inet08.hamilton.harte-lyne.ca (localhost [IPv6:::1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP
    for <[email protected]>; Mon, 5 May 2014 12:30:19 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id F2EDF609C8
    for <[email protected]>; Mon, 5 May 2014 12:30:17 -0400 (EDT)
X-Virus-Scanned: amavisd-new at harte-lyne.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
    by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id AuPvOnGIir-m for <[email protected]>;
    Mon, 5 May 2014 12:30:16 -0400 (EDT)
Received: from webmail.harte-lyne.ca (inet04.hamilton.harte-lyne.ca [216.185.71.24])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (Client did not present a certificate)
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPSA id A9475609A5
    for <[email protected]>; Mon, 5 May 2014 12:30:16 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=harte-lyne.ca;
    s=dkim_hll; t=1399307416;
    bh=z0DQjPUP3iSnJocIWpmAvVX8Alr4K8XVzrxjZOaSExM=;
    h=Date:Subject:From:To;
    b=IzhcNAwvf+zYpkcZNewyIGKhI7KTx0QviTFyWvhDUjzHJHODKVnq555p3QWyLMnWk
     E0CFEVQov6ehMHDW/OsDJ3MSAAz7ijAU4xe8jl7/j2Tb0msjU0sBJ1nWdupKcl1Bxh
     A+09YBd/IhBgUZsseUr8gJm8eV566jYmOwitoOpMuCCoDhbarW1YBGfBu3Gvs7hd5w
     PO4mp3KFK/ym7iFgRg8dVGCR0w+21BcJhqpMrdHs29pEzd2+tpOzCPGVg/fxe/JtsQ
     JI/cClyHLTGq82wwLHF5xdY+fjCa31xb74sm+0mDNPA6+g1iB9Spn4o2gR0CADRTEr
     4PsC8BCP3f8nQ==
Received: from 216.185.71.44 (SquirrelMail authenticated user byrnejb)
    by webmail.harte-lyne.ca with HTTP; Mon, 5 May 2014 12:30:16 -0400
Message-ID: <[email protected]>
Date: Mon, 5 May 2014 12:30:16 -0400
From: "James B. Byrne" <[email protected]>
To: [email protected]
User-Agent: SquirrelMail/1.4.22-4.el6
MIME-Version: 1.0
X-Priority: 3 (Normal)
Importance: Normal
Subject: [Logistics-l] dkim test
X-BeenThere: [email protected]
X-Mailman-Version: 2.1.12
So, if I read this aright, then the test email from me via the webmail interface is sent to our MTA at inet08. Inet08 signs the original mail and sends it to the Amavisd mail scanner. The mail returns to Postfix, which then submits it to Mailman? from the local address (127.0.0.1), and therein lies the problem I think. The mail then is forwarded on directly to the addresses and does not pass through Postfix again to be re-signed.

Is there any way to accomplish this and have the reinjected mail from Mailman pass through the DKIM milter a second time?
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:[email protected]
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
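As an added diagnostic, not code from either poster in this thread: a small Python script that applies the reasoning above to a header trace. It unfolds the headers, finds the topmost DKIM-Signature, and counts which Received hops sit above it (added after signing) and below it; it also derives the selector._domainkey.domain name the signature points at and sanity-checks the tag list of a selector TXT record, the value Marius's `amavisd-new showkeys` step prints. The RAW sample is constructed from the trace quoted above with the redacted addresses replaced by example.invalid placeholders and the signature bytes replaced by a placeholder; those placeholders and all function names are assumptions of this example.

```python
"""Diagnostics for a DKIM trace like the one quoted above. Headers are prepended
as a message moves through MTAs, so every Received header ABOVE a DKIM-Signature
was added after signing, and a copy re-signed on re-injection would carry a second
DKIM-Signature on top. Signature headers and the selector TXT record are both
tag=value lists (RFC 6376 3.2), so one parser serves both."""
import re

# Constructed sample condensed from the thread's trace: host names kept,
# redacted addresses replaced with example.invalid, signature bytes replaced.
RAW = """Received: from localhost (localhost [127.0.0.1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id 36876609A5
    for <subscriber@example.invalid>; Mon, 5 May 2014 12:30:20 -0400 (EDT)
X-Virus-Scanned: amavisd-new at harte-lyne.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
    by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id JUcMvst-FkzK for <subscriber@example.invalid>; Mon, 5 May 2014 12:30:19 -0400 (EDT)
Received: from inet08.hamilton.harte-lyne.ca (localhost [IPv6:::1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP
    for <subscriber@example.invalid>; Mon, 5 May 2014 12:30:19 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTP id F2EDF609C8
    for <list@example.invalid>; Mon, 5 May 2014 12:30:17 -0400 (EDT)
X-Virus-Scanned: amavisd-new at harte-lyne.ca
Received: from inet08.hamilton.harte-lyne.ca ([127.0.0.1])
    by localhost (inet08.hamilton.harte-lyne.ca [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id AuPvOnGIir-m for <list@example.invalid>; Mon, 5 May 2014 12:30:16 -0400 (EDT)
Received: from webmail.harte-lyne.ca (inet04.hamilton.harte-lyne.ca [216.185.71.24])
    by inet08.hamilton.harte-lyne.ca (Postfix) with ESMTPSA id A9475609A5
    for <list@example.invalid>; Mon, 5 May 2014 12:30:16 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=harte-lyne.ca;
    s=dkim_hll; t=1399307416; bh=z0DQjPUP3iSnJocIWpmAvVX8Alr4K8XVzrxjZOaSExM=;
    h=Date:Subject:From:To; b=SIGNATUREPLACEHOLDER
Received: from 216.185.71.44 (SquirrelMail authenticated user byrnejb)
    by webmail.harte-lyne.ca with HTTP; Mon, 5 May 2014 12:30:16 -0400
From: "James B. Byrne" <sender@example.invalid>
Subject: [Logistics-l] dkim test

body"""

def unfold_headers(raw):
    # Return [(name, value)] in wire order; folded continuation lines are joined.
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break  # the first blank line ends the header block
        if line[0] in " \t" and headers:  # continuation of the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def parse_tags(value):
    # Parse a DKIM tag=value list; whitespace inside a value is insignificant.
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def by_host(received_value):
    m = re.search(r"\bby\s+(\S+)", received_value)  # the host that added the hop
    return m.group(1) if m else "?"

def analyze(raw):
    """Locate the topmost DKIM-Signature and count the Received hops around it."""
    headers = unfold_headers(raw)
    sigs = [i for i, (n, _) in enumerate(headers) if n.lower() == "dkim-signature"]
    rcvd = [i for i, (n, _) in enumerate(headers) if n.lower() == "received"]
    if not sigs:
        return {"signatures": 0, "received_total": len(rcvd)}
    top = sigs[0]  # topmost signature is the most recently added one
    tags = parse_tags(headers[top][1])
    signed = tags.get("h", "").split(":")
    return {
        "signatures": len(sigs),
        "dns_name": f"{tags.get('s')}._domainkey.{tags.get('d')}",  # where p= lives
        "signed_headers": signed,
        "sender_signed": "sender" in [h.lower() for h in signed],
        "hops_above_signature": [by_host(headers[i][1]) for i in rcvd if i < top],
        "received_below_signature": sum(1 for i in rcvd if i > top),
    }

def check_txt_record(txt):
    """Sanity-check the tag list of a selector TXT record (what showkeys prints)."""
    tags, problems = parse_tags(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    if "p" not in tags:
        problems.append("p= (public key) missing")
    elif tags["p"] == "":
        problems.append("p= is empty, which means the key is revoked")
    if tags.get("k", "rsa") != "rsa":
        problems.append(f"key type k={tags['k']} is not rsa")
    return problems

if __name__ == "__main__":
    r = analyze(RAW)
    print(f"{r['signatures']} signature(s), key at {r['dns_name']}, "
          f"{len(r['hops_above_signature'])} Received hop(s) added after signing")
```

Feed the raw headers of a real message to analyze() to get the same report. For the trace in this thread it finds one signature with six Received hops above it and one below: the headers above the signature show the message re-entering Postfix and amavisd-new, yet no second DKIM-Signature was added, which is the symptom described above. sender_signed reports whether Sender is in the signature's h= list, which it is not here. check_txt_record() only inspects the tag list, so strip the BIND quoting from showkeys output before passing it in.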