DKIM is a system to verify the sender and integrity of emails. ISPConfig 3 uses amavisd-new as content filter for spam and virus scanning and amavisd-new is also able to sign messages with DKIM. The next steps explain how to configure amavisd-new to sign messages for a domain named "example.com" with DKIM. The steps below should work with any amavisd-new setup even if you do not use ISPConfig.

1) Create the domain key:

mkdir /var/db/dkim/
amavisd genrsa /var/db/dkim/example-foo.key.pem

2) Configure amavisd to use this key for the domain example.com. Edit the amavisd configuration file

vi /etc/amavisd/amavisd.conf

and add the following lines:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'foo', '/var/db/dkim/example-foo.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16);  # list your internal networks

3) Run the command:

amavisd showkeys

to get the public key that has to be added as TXT record in the DNS server of the example.com DNS server.

4) Thest the setup with the command:

amavisd testkeys

and if it works properly, restart amavisd:

/etc/init.d/amavis restart

Here is a more detailed description in the amavisd-new manual on how to setup DKIM in amavisd-new:

http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim

How to enable DKIM email signatures in amavisd-new and ISPConfig 3
Tagged on:

17 thoughts on “How to enable DKIM email signatures in amavisd-new and ISPConfig 3

  • ionut_d
    Permalink

    And where is the amavis-new in this tutorial ’cause i just can’t see it

    Reply
    • bob
      Permalink

      if I understand correctly, at the first step, we need to replace
      amavisd by amavis-new

      and at the second step, do we need to be careful and remove output detail like $, ^??

      Reply
  • Till
    Permalink

    See Step 2: The configuration file of amavisd-new is /etc/amavisd/amavisd.conf

    Reply
  • ionut_d
    Permalink

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

    Reply
  • ionut_d
    Permalink

    root@server:/]# ls /etc/amavisd/amavisd.conf
    ls: cannot access /etc/amavisd/amavisd.conf: No such file or directory

    There is no /etc/amavisd directory. I have /etc/amavis-new, but no .conf file

    Reply
  • Till
    Permalink

    This Tutorial was written on debian. It might be that the path or config files names differ on your Linux distribution. There must be a configuration file in your amavisd-new directory where you can add these settings.

    Reply
  • Krupa
    Permalink

    Hi all, I;m using IPSConfig3 in Ubuntu9.4. It works great. I setup the DKIM signature based on this tutorial. But, it ended up in the following error while issuing amavisd-new testkey.

    root@server1:/var/db/dkim# amavisd-new testkey
    TESTING#1: krupa._domainkey.hanumanhost.com => invalid (public key: not available)

    Please help me!

    Reply
  • Till
    Permalink

    Have you added the public key in your dns server?

    Reply
    • krupa
      Permalink

      No. I didnt add public key, Please tell how to do so….

      Reply
  • Priyadarsan
    Permalink

    In Ubuntu I had to use the command “amavisd-new genrsa” instead of “amavisd genrsa”. Also I too have the same problem as Krupa and yes I have added the TXT file in my dream host DNS. Any pointers will be helpful.

    Reply
  • freebourg
    Permalink

    Of course, like every tutorial you match it to your own configuration, not juste copy & paste.

    In Debian, you’ll need to install “libcrypt-openssl-rsa-perl”, and use “mkdir -p /var/db/dkim” because there is no “/var/db”.
    And with amavisd-new, you just have to write “amavisd-new” instead of “amavisd” to generate the RSA key.

    When you’re done, you need to write the configuration lines in one of the files in the /etc/amavisd/conf.d/ directory, for example 50-user

    I’d suggest you to write the URL of this page in a comment in this file too “Just in case” (you need a new rsa key of example).

    Reply
  • freebourg
    Permalink

    And you would need “libmail-dkim-perl” as well to run the “showkeys” command.

    OK, you’re right. This is not a good tutorial on how to install DKIM in a normal (as described on howtoforge, which is a officially recommended tutorial) ISPConfig3 on Debian Lenny.

    Reply
  • freebourg
    Permalink

    I said too many errors:

    of course > should be replaced by >
    so that you see an arrow in your configuration file:
    { ‘.’ => { ttl => 21*24*3600, c => ‘relaxed/simple’ } } );

    When you’ve done what it’s asked here. Do that:

    After typing “amavisd-new showkeys”, open ISPConfig3 admin interface. Go to the “DNS” section, click on your domain name, open the “Records” tab, create a “+TXT” record and enter:
    mail._domainkey.faqforge.com. (don’t forget the last dot) as hostname
    put 3600 in TTL
    and the whole section with braces.

    Then, wait 30 sec and try “amavisd-new testkeys”.

    It should say pass. If not, wait 30 s more. If it’s not working either there is a real error. See what the commands return.

    Reply
  • freebourg
    Permalink

    mail._domainkey….
    was in the case you put “mail” instead of foo.
    Otherwise it should be “foo._domainkey”…

    This name (which is called a “selector”) should be unique. So don’t use it twice.

    Reply
  • Peter
    Permalink

    Nice tutorial, thank you!

    But i have a problem on my ISP-Config3.
    “amavisd testkeys” works well, but when i sent a mail, dkim is not written there.
    I have check it with test tools, but no dkim was found.
    Did i need to make some other change, that the server put it in each mail of this domain?

    Best, Peter

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

CAPTCHA

*