NOTE: This post is about ISPConfig 3.0 and not 3.1 and newer. ISPConfig 3.1 and newer has DKIM support builtin, you can simply enable DKIM in ISPConfig 3.1 GUI now for the mail domain.
DKIM is a system to verify the sender and integrity of emails. ISPConfig 3 uses amavisd-new as content filter for spam and virus scanning and amavisd-new is also able to sign messages with DKIM. The next steps explain how to configure amavisd-new to sign messages for a domain named "example.com" with DKIM. The steps below should work with any amavisd-new setup even if you do not use ISPConfig.
1) Create the domain key:
mkdir /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem
2) Configure amavisd to use this key for the domain example.com. Edit the amavisd configuration file
vi /etc/amavisd/amavisd.conf
and add the following lines:
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'foo', '/var/db/dkim/example-foo.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16); # list your internal networks
3) Run the command:
amavisd showkeys
to get the public key that has to be added as TXT record in the DNS server of the example.com DNS server.
4) Thest the setup with the command:
amavisd testkeys
and if it works properly, restart amavisd:
/etc/init.d/amavis restart
Here is a more detailed description in the amavisd-new manual on how to setup DKIM in amavisd-new:
http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
And where is the amavis-new in this tutorial ’cause i just can’t see it
if I understand correctly, at the first step, we need to replace
amavisd by amavis-new
and at the second step, do we need to be careful and remove output detail like $, ^??
See Step 2: The configuration file of amavisd-new is /etc/amavisd/amavisd.conf
root@server:/]# ls /etc/amavisd/amavisd.conf
ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory
root@server:/]# ls /etc/amavisd/amavisd.conf
ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory
There is no /etc/amavisd directory. I have /etc/amavis-new, but no .conf file
This Tutorial was written on debian. It might be that the path or config files names differ on your Linux distribution. There must be a configuration file in your amavisd-new directory where you can add these settings.
Hi all, I;m using IPSConfig3 in Ubuntu9.4. It works great. I setup the DKIM signature based on this tutorial. But, it ended up in the following error while issuing amavisd-new testkey.
root@server1:/var/db/dkim# amavisd-new testkey
TESTING#1: krupa._domainkey.hanumanhost.com => invalid (public key: not available)
Please help me!
Have you added the public key in your dns server?
No. I didnt add public key, Please tell how to do so….
In Ubuntu I had to use the command “amavisd-new genrsa” instead of “amavisd genrsa”. Also I too have the same problem as Krupa and yes I have added the TXT file in my dream host DNS. Any pointers will be helpful.
The following post might help
http://www.howtoforge.com/forums/showthread.php?p=216600#post216600
Of course, like every tutorial you match it to your own configuration, not juste copy & paste.
In Debian, you’ll need to install “libcrypt-openssl-rsa-perl”, and use “mkdir -p /var/db/dkim” because there is no “/var/db”.
And with amavisd-new, you just have to write “amavisd-new” instead of “amavisd” to generate the RSA key.
When you’re done, you need to write the configuration lines in one of the files in the /etc/amavisd/conf.d/ directory, for example 50-user
I’d suggest you to write the URL of this page in a comment in this file too “Just in case” (you need a new rsa key of example).
And you would need “libmail-dkim-perl” as well to run the “showkeys” command.
OK, you’re right. This is not a good tutorial on how to install DKIM in a normal (as described on howtoforge, which is a officially recommended tutorial) ISPConfig3 on Debian Lenny.
I said too many errors:
of course > should be replaced by >
so that you see an arrow in your configuration file:
{ ‘.’ => { ttl => 21*24*3600, c => ‘relaxed/simple’ } } );
When you’ve done what it’s asked here. Do that:
After typing “amavisd-new showkeys”, open ISPConfig3 admin interface. Go to the “DNS” section, click on your domain name, open the “Records” tab, create a “+TXT” record and enter:
mail._domainkey.faqforge.com. (don’t forget the last dot) as hostname
put 3600 in TTL
and the whole section with braces.
Then, wait 30 sec and try “amavisd-new testkeys”.
It should say pass. If not, wait 30 s more. If it’s not working either there is a real error. See what the commands return.
mail._domainkey….
was in the case you put “mail” instead of foo.
Otherwise it should be “foo._domainkey”…
This name (which is called a “selector”) should be unique. So don’t use it twice.
you have to put the key into DNS zone file too
Nice tutorial, thank you!
But i have a problem on my ISP-Config3.
“amavisd testkeys” works well, but when i sent a mail, dkim is not written there.
I have check it with test tools, but no dkim was found.
Did i need to make some other change, that the server put it in each mail of this domain?
Best, Peter
How is this related to ISPConfig?
Dkim is integrated in ISPConfig 3.1 now, so the above steps are not needed anymore to enable Dkim in ISPConfig.
You should make an video because it’s much smoother this way!
This post is about ispconfig 3.0, it does not apply to recent ISPConfig 3.1 versions. ISPConfig 3.1 has builtin DKIM support, so the above steps are not needed in ISPConfig 3.1 and will damage the setup if applied on ISPConfig 3.1