DKIM is a system for verifying the sender and integrity of emails. ISPConfig 3 uses amavisd-new as its content filter for spam and virus scanning, and amavisd-new can also sign messages with DKIM. The following steps explain how to configure amavisd-new to sign messages for a domain named "example.com" with DKIM. They should work with any amavisd-new setup, even if you do not use ISPConfig.

1) Create the domain key:

mkdir -p /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem

2) Configure amavisd to use this key for the domain example.com. Edit the amavisd configuration file:

vi /etc/amavisd/amavisd.conf

and add the following lines:

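# Verify DKIM signatures on incoming mail
$enable_dkim_verification = 1;
# Sign outgoing mail
$enable_dkim_signing = 1;
# Arguments: signing domain, selector, path to the private key
dkim_key('example.com', 'foo', '/var/db/dkim/example-foo.key.pem');
# '.' is the catch-all sender entry: signatures expire after 21 days (ttl)
# and use relaxed header / simple body canonicalization (c)
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
# Mail submitted from these networks is treated as originating from your site,
# which makes it eligible for signing
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
  192.168.0.0/16);  # list your internal networks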

3) Run the command:

amavisd showkeys

to get the public key, which has to be added as a TXT record on the DNS server for example.com.

4) Test the setup with the command:

amavisd testkeys

and if it works properly, restart amavisd:

/etc/init.d/amavis restart
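
The check behind steps 3 and 4, as an added example that is not part of the original tutorial: it compares the p= value of the published TXT record with the public half of the private key from step 1, and tells a missing record apart from a mismatching one. The function names (dkim_txt_join, dkim_tag, dkim_pub_from_key, dkim_compare) are chosen for this example, and the sample record is constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): compare the DKIM key published in DNS
# with the public half of the private key that amavisd signs with.

# Join the quoted chunks of one TXT record, as printed by `dig +short TXT`,
# into the single string a verifier evaluates.
dkim_txt_join() {
    tr -d '\n' | sed -e 's/"[[:space:]]*"//g' -e 's/[()"]//g' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print the value of one tag (for example p) from a joined record on stdin.
dkim_tag() {
    tr ';' '\n' | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" |
        tr -d '[:space:]'
}

# Derive the base64 public key (the p= value) from the private key file.
dkim_pub_from_key() {
    openssl rsa -in "$1" -pubout -outform DER 2>/dev/null | openssl base64 -A
}

# Print match, mismatch or no-key; the exit status is 0 only on match.
# $1 = TXT record data, $2 = expected base64 public key
dkim_compare() {
    published=$(printf '%s' "$1" | dkim_txt_join | dkim_tag p)
    if [ -z "$published" ]; then
        echo "no-key"; return 2
    elif [ "$published" = "$2" ]; then
        echo "match"; return 0
    fi
    echo "mismatch"; return 1
}

# Constructed sample: placeholder base64 split into chunks, not a real key.
SAMPLE_TXT='"v=DKIM1; p=" "QUJDREVGR0hJSktM" "TU5PUFFSU1RVVldYWVo="'
dkim_compare "$SAMPLE_TXT" "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="

# On the mail server (needs dig and openssl; names are the tutorial's):
#   dkim_compare "$(dig +short TXT foo._domainkey.example.com)" \
#       "$(dkim_pub_from_key /var/db/dkim/example-foo.key.pem)"
```

A result of no-key means the resolver returned no record or an empty p= value; mismatch means the record in DNS belongs to a different key than the one amavisd signs with.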

The amavisd-new manual has a more detailed description of how to set up DKIM in amavisd-new:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

How to enable DKIM email signatures in amavisd-new and ISPConfig 3

17 thoughts on “How to enable DKIM email signatures in amavisd-new and ISPConfig 3”

  • October 27, 2009 at 2:43 pm
    Permalink

    And where is the amavis-new in this tutorial, ’cause I just can’t see it

    Reply
    • December 20, 2015 at 3:47 pm
      Permalink

      If I understand correctly, at the first step, we need to replace
      amavisd by amavis-new

      and at the second step, do we need to be careful and remove output detail like $, ^??

      Reply
  • October 27, 2009 at 2:52 pm
    Permalink

    See Step 2: The configuration file of amavisd-new is /etc/amavisd/amavisd.conf

    Reply
  • October 27, 2009 at 3:17 pm
    Permalink

    [email protected]:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

    Reply
  • October 27, 2009 at 3:18 pm
    Permalink

    [email protected]:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

    There is no /etc/amavisd directory. I have /etc/amavis-new, but no .conf file

    Reply
  • October 27, 2009 at 3:31 pm
    Permalink

    This tutorial was written on Debian. It might be that the path or config file names differ on your Linux distribution. There must be a configuration file in your amavisd-new directory where you can add these settings.

    Reply
  • November 3, 2009 at 6:13 pm
    Permalink

    Hi all, I’m using ISPConfig3 in Ubuntu9.4. It works great. I set up the DKIM signature based on this tutorial. But it ended up in the following error while issuing amavisd-new testkey.

    [email protected]:/var/db/dkim# amavisd-new testkey
    TESTING#1: krupa._domainkey.hanumanhost.com => invalid (public key: not available)

    Please help me!

    Reply
  • November 4, 2009 at 11:04 am
    Permalink

    Have you added the public key in your dns server?

    Reply
    • November 8, 2009 at 9:32 am
      Permalink

      No. I didn’t add the public key. Please tell me how to do so….

      Reply
  • December 9, 2009 at 4:41 pm
    Permalink

    In Ubuntu I had to use the command “amavisd-new genrsa” instead of “amavisd genrsa”. Also I too have the same problem as Krupa and yes I have added the TXT file in my dream host DNS. Any pointers will be helpful.

    Reply
  • September 24, 2010 at 8:11 pm
    Permalink

    Of course, like every tutorial you match it to your own configuration, not just copy & paste.

    In Debian, you’ll need to install “libcrypt-openssl-rsa-perl”, and use “mkdir -p /var/db/dkim” because there is no “/var/db”.
    And with amavisd-new, you just have to write “amavisd-new” instead of “amavisd” to generate the RSA key.

    When you’re done, you need to write the configuration lines in one of the files in the /etc/amavisd/conf.d/ directory, for example 50-user

    I’d suggest you write the URL of this page in a comment in this file too, “just in case” (you need a new RSA key, for example).

    Reply
  • September 24, 2010 at 8:17 pm
    Permalink

    And you would need “libmail-dkim-perl” as well to run the “showkeys” command.

    OK, you’re right. This is not a good tutorial on how to install DKIM in a normal (as described on howtoforge, which is an officially recommended tutorial) ISPConfig3 on Debian Lenny.

    Reply
  • September 24, 2010 at 8:28 pm
    Permalink

    I said too many errors:

    of course &gt; should be replaced by >
    so that you see an arrow in your configuration file:
    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

    When you’ve done what is asked here, do this:

    After typing “amavisd-new showkeys”, open ISPConfig3 admin interface. Go to the “DNS” section, click on your domain name, open the “Records” tab, create a “+TXT” record and enter:
    mail._domainkey.faqforge.com. (don’t forget the last dot) as hostname
    put 3600 in TTL
    and the whole section with braces.

    Then, wait 30 sec and try “amavisd-new testkeys”.

    It should say pass. If not, wait 30 s more. If it’s still not working, there is a real error. See what the commands return.

    Reply
  • September 24, 2010 at 8:45 pm
    Permalink

    mail._domainkey….
    was in the case you put “mail” instead of foo.
    Otherwise it should be “foo._domainkey”…

    This name (which is called a “selector”) should be unique. So don’t use it twice.

    Reply
  • September 2, 2011 at 4:30 pm
    Permalink

    You have to put the key into the DNS zone file too

    Reply
  • November 20, 2013 at 6:54 pm
    Permalink

    Nice tutorial, thank you!

    But I have a problem on my ISP-Config3.
    “amavisd testkeys” works well, but when I sent a mail, DKIM is not written there.
    I have checked it with test tools, but no DKIM was found.
    Do I need to make some other change so that the server puts it in each mail of this domain?

    Best, Peter

    Reply
