How to enable DKIM email signatures in amavisd-new and ISPConfig 3

Thursday, September 3, 2009 posted by admin

DKIM is a system to verify the sender and integrity of emails. ISPConfig 3 uses amavisd-new as a content filter for spam and virus scanning, and amavisd-new can also sign messages with DKIM. The following steps explain how to configure amavisd-new to sign messages for a domain named "example.com" with DKIM. The steps should work with any amavisd-new setup, even if you do not use ISPConfig.

1) Create the domain key:

mkdir -p /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem

2) Configure amavisd to use this key for the domain example.com. Edit the amavisd configuration file:

vi /etc/amavisd/amavisd.conf

and add the following lines:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'foo', '/var/db/dkim/example-foo.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16);  # list your internal networks

3) Run the command:

amavisd showkeys

to get the public key, which has to be added as a TXT record on the DNS server for example.com.

4) Test the setup with the command:

amavisd testkeys

and if it works properly, restart amavisd:

/etc/init.d/amavis restart
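The usual reason for a failing testkeys run is a TXT record that was altered or published under the wrong name on its way into DNS. The following Python check is an added example, not part of the original tutorial or of amavisd-new: it reassembles a multi-string TXT record and validates the owner name and the v= and p= tags. The function names, the zone-file layout of the sample and the placeholder key bytes are assumptions constructed for illustration.

```python
import base64
import re

# Constructed sample: placeholder bytes, not a real key, in zone-file layout.
FAKE_KEY_B64 = base64.b64encode(b"\x30\x81\x9f" + bytes(159)).decode()
SAMPLE = (
    "; key#1, domain example.com, /var/db/dkim/example-foo.key.pem\n"
    "foo._domainkey.example.com.\t3600 TXT (\n"
    '  "v=DKIM1; p="\n'
    f'  "{FAKE_KEY_B64[:72]}"\n'
    f'  "{FAKE_KEY_B64[72:]}")\n'
)


def parse_txt_record(text):
    """Return (owner_name, tags) for one zone-file TXT record."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith(";")]
    body = "\n".join(lines)
    chunks = re.findall(r'"([^"]*)"', body)
    if not chunks:
        raise ValueError("no quoted TXT strings found")
    if any(len(c.encode()) > 255 for c in chunks):
        raise ValueError("a TXT character-string exceeds 255 bytes")
    owner = body.split()[0]
    # Resolvers join the strings with no separator before reading the tags.
    tags = {}
    for part in "".join(chunks).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return owner, tags


def check_dkim_record(text, domain, selector):
    """Return a list of problems; an empty list means the record looks usable."""
    owner, tags = parse_txt_record(text)
    problems = []
    expected = f"{selector}._domainkey.{domain}."
    if owner.lower() != expected.lower():
        problems.append(f"owner is {owner}, expected {expected}")
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    try:
        der = base64.b64decode(tags.get("p", ""), validate=True)
    except ValueError:
        problems.append("p= is not valid base64")
    else:
        if not der.startswith(b"\x30"):
            problems.append("p= is empty or not a DER-encoded key")
    return problems
```

The domain and selector passed to check_dkim_record should be the same two values given to dkim_key() in step 2.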

The amavisd-new manual has a more detailed description of how to set up DKIM in amavisd-new:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim



16 Responses to “How to enable DKIM email signatures in amavisd-new and ISPConfig 3”

  1. ionut_d says:

    And where is the amavis-new in this tutorial, ’cause I just can’t see it

  2. Till says:

    See Step 2: The configuration file of amavisd-new is /etc/amavisd/amavisd.conf

  3. ionut_d says:

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

  4. ionut_d says:

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

    There is no /etc/amavisd directory. I have /etc/amavis-new, but no .conf file

  5. Till says:

    This tutorial was written on Debian. It might be that the path or config file names differ on your Linux distribution. There must be a configuration file in your amavisd-new directory where you can add these settings.

  6. Krupa says:

    Hi all, I’m using ISPConfig3 in Ubuntu9.4. It works great. I set up the DKIM signature based on this tutorial. But it ended up in the following error while issuing amavisd-new testkey.

    root@server1:/var/db/dkim# amavisd-new testkey
    TESTING#1: krupa._domainkey.hanumanhost.com => invalid (public key: not available)

    Please help me!

  7. Till says:

    Have you added the public key in your dns server?

  8. Priyadarsan says:

    In Ubuntu I had to use the command “amavisd-new genrsa” instead of “amavisd genrsa”. Also I too have the same problem as Krupa and yes I have added the TXT file in my dream host DNS. Any pointers will be helpful.

  9. freebourg says:

    Of course, like every tutorial you match it to your own configuration, not just copy & paste.

    In Debian, you’ll need to install “libcrypt-openssl-rsa-perl”, and use “mkdir -p /var/db/dkim” because there is no “/var/db”.
    And with amavisd-new, you just have to write “amavisd-new” instead of “amavisd” to generate the RSA key.

    When you’re done, you need to write the configuration lines in one of the files in the /etc/amavisd/conf.d/ directory, for example 50-user

    I’d suggest you to write the URL of this page in a comment in this file too “Just in case” (you need a new rsa key of example).

  10. freebourg says:

    And you would need “libmail-dkim-perl” as well to run the “showkeys” command.

    OK, you’re right. This is not a good tutorial on how to install DKIM in a normal (as described on howtoforge, which is an officially recommended tutorial) ISPConfig3 on Debian Lenny.

  11. freebourg says:

    I said too many errors:

    of course &gt; should be replaced by >
    so that you see an arrow in your configuration file:
    { ‘.’ => { ttl => 21*24*3600, c => ‘relaxed/simple’ } } );

    When you’ve done what’s asked here, do this:

    After typing “amavisd-new showkeys”, open ISPConfig3 admin interface. Go to the “DNS” section, click on your domain name, open the “Records” tab, create a “+TXT” record and enter:
    mail._domainkey.faqforge.com. (don’t forget the last dot) as hostname
    put 3600 in TTL
    and the whole section with braces.

    Then, wait 30 sec and try “amavisd-new testkeys”.

    It should say pass. If not, wait 30 s more. If it’s not working either there is a real error. See what the commands return.

  12. freebourg says:

    mail._domainkey….
    was in the case you put “mail” instead of foo.
    Otherwise it should be “foo._domainkey”…

    This name (which is called a “selector”) should be unique. So don’t use it twice.

  13. linux says:

    you have to put the key into DNS zone file too

  14. Peter says:

    Nice tutorial, thank you!

    But I have a problem on my ISP-Config3.
    “amavisd testkeys” works well, but when I send a mail, DKIM is not written there.
    I have checked it with test tools, but no DKIM was found.
    Do I need to make some other change so that the server puts it in each mail of this domain?

    Best, Peter
