We use amavisd-new-2.6.0 to support the DKIM feature. According to the quick
guide in the release notes file, I did the following steps to enable DKIM,
but I'm a little confused: is this setting correct?
* Shell command:
-----------8<---------------------
shell# mkdir /var/amavis/dkim/
shell# su - amavis -c "amavisd genrsa /var/amavis/dkim/example.com.pem"
-----------8<---------------------
* Modify /etc/amavisd.conf to enable DKIM:
-------------8<---------------
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key("a.cn", 'dkim', "/var/amavis/dkim/a.cn.pem");
@dkim_signature_options_bysender_maps = ( {
#
# For domain: a.cn.
#
'postm...@a.cn' => { a => 'rsa-sha1', ttl => 7*24*3600 },
#"spam-r...@a.cn" => { a => 'rsa-sha1', ttl => 7*24*3600 },
".a.cn" => { a => 'rsa-sha1', ttl => 10*24*3600 },
".a.cn" => { d => "a.cn" },
# explicit 'd' forces a third-party signature on foreign (hosted) domains
# catchall defaults
'.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
# 'd' defaults to a domain of an author/sender address,
# 's' defaults to whatever selector is offered by a matching key
} );
----------8<-------------------
* Set up the DNS record according to the output of 'amavisd showkeys'.
* Verify the DNS setting via 'amavisd testkeys'; it says 'pass'.
Is it right?
Thanks very much.
--
Best Regards.
Zhang Huangbin
- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
http://rhms.googlecode.com/
> We use amavisd-new-2.6.0 to support the DKIM feature. According to the quick
> guide in the release notes file, I did the following steps to enable DKIM,
> but I'm a little confused: is this setting correct?
>
> shell# mkdir /var/amavis/dkim/
> shell# su - amavis -c "amavisd genrsa /var/amavis/dkim/example.com.pem"
These files with a key need not be writable by user amavis,
so I prefer to keep them owned by root and placed somewhere else.
My choice is /var/db/dkim/ (FreeBSD style location).
The 'amavisd genrsa' may but need not be run as user amavis.
Btw, Debian users are probably aware by now of a security flaw in
their openssl, which seriously impacted the quality of pseudorandom
generation, which means that PEM keys generated by openssl
or by 'amavisd genrsa' or by the key generation utility that
comes with dkim-milter, prior to fixing their openssl,
are of poor quality and need to be replaced by new keys.
The security bug is specific to Debian (and derivatives),
other platforms are not affected.
> $enable_dkim_verification = 1;
> $enable_dkim_signing = 1;
> dkim_key("a.cn", 'dkim', "/var/amavis/dkim/a.cn.pem");
So far so good...
> @dkim_signature_options_bysender_maps = ( {
> 'postm...@a.cn' => { a => 'rsa-sha1', ttl => 7*24*3600 },
In a perl associative array there can't be two entries
with the same key. One of the above will get overwritten by the other.
You need to combine all attributes in a single entry, e.g.:
".a.cn" => { d => "a.cn", a => 'rsa-sha1', ttl => 10*24*3600},
Note that signing mail for subdomains with a key of a parent
domain is treated by recipients as a third-party key, which
may 'hold less merit' in their eyes. If one has a choice,
it is better to publish a key for each domain (e.g. host1.a.cn)
if mail is really coming from it. Sharing a pem file
for multiple domains may be acceptable, so you don't need
to generate a different key for each subdomain, but you
do need to publish it in each subdomain. It is probably
easier to avoid sending addresses like host1.a.cn and
always use a parent domain (a.cn) in 'From:', thus
avoiding the issue altogether.
Btw, the DKIM standard requires all implementations to support rsa-sha256,
while most also support rsa-sha1 (but need not). Unless there is a
good reason to use rsa-sha1, I'd recommend sticking with the default,
which is rsa-sha256.
> '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
> } );
> * Setup DNS record according the output of 'amavisd showkeys'.
> * Verify DNS setting via 'amavisd testkeys', it's 'pass'.
Good.
> Is it right?
You may also try it with some auto-responder. Note that some
are hopelessly out of date with their sw, so don't trust
blindly what they say.
Mark
> We use amavisd-new-2.6.0 to support the DKIM feature. According to the quick
> guide in the release notes file, I did the following steps to enable DKIM,
> but I'm a little confused: is this setting correct?
>
> shell# mkdir /var/amavis/dkim/
> shell# su - amavis -c "amavisd genrsa /var/amavis/dkim/example.com.pem"
These files with a pem key need not be writable by user amavis,
so I prefer to keep them owned by root and placed somewhere else.
My choice is /var/db/dkim/ (FreeBSD style location).
The 'amavisd genrsa' (may but) need not be run as user amavis.
Btw, Debian users are probably aware by now of a security flaw in
their openssl, which seriously impacted the quality of pseudorandom
generation, which means that PEM keys generated by openssl or by
'amavisd genrsa' or by the key generation utility that comes with
dkim-milter (or keys generated by ssh-keygen), prior to fixing
their openssl, are of poor quality and need to be replaced by
new keys. The security bug is specific to Debian (and derivatives),
other platforms are not affected.
> $enable_dkim_verification = 1;
> $enable_dkim_signing = 1;
> dkim_key("a.cn", 'dkim', "/var/amavis/dkim/a.cn.pem");
So far so good...
> @dkim_signature_options_bysender_maps = ( {
> 'postm...@a.cn' => { a => 'rsa-sha1', ttl => 7*24*3600 },
In a perl associative array there can not be two entries
with the same key. One of the above will get overwritten by the other.
You need to combine all attributes in a single entry, e.g.:
Note that signing mail for subdomains with a key of a parent domain
is treated by recipients as a third-party key, which may hold
'less merit' in their eyes. If one has a choice, it is better to
publish a key for each domain (e.g. host1.a.cn) if mail is really
bearing author addresses like that. Sharing a PEM file for multiple
(sub)domains may be acceptable, so you don't need to generate a
different key for each subdomain, but you do need to publish it
in each subdomain. It is probably easier to avoid author addresses
like host1.a.cn and always use a parent domain (a.cn) in 'From:',
thus avoiding the issue altogether.
Btw, the DKIM standard requires all implementations to support rsa-sha256,
while most also support rsa-sha1 (but need not). Unless there is a
good reason to use rsa-sha1, I'd recommend sticking with the default,
which is rsa-sha256.
> '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
> } );
> * Setup DNS record according the output of 'amavisd showkeys'.
> * Verify DNS setting via 'amavisd testkeys', it's 'pass'.
Good.
> Is it right?
You may also try it with some auto-responder. Note that some
are hopelessly out of date with their sw, so don't trust
blindly what they say. The sa-...@sendmail.net seems
alright.
Mark
Mark Martinec wrote:
> Zhang Huangbin,
>
>
>> We use amavisd-new-2.6.0 to support the DKIM feature. According to the quick
>> guide in the release notes file, I did the following steps to enable DKIM,
>> but I'm a little confused: is this setting correct?
>>
>> shell# mkdir /var/amavis/dkim/
>> shell# su - amavis -c "amavisd genrsa /var/amavis/dkim/example.com.pem"
>>
>
> These files with a key need not be writable by user amavis,
> so I prefer to keep them owned by root and placed somewhere else.
> My choice is /var/db/dkim/ (FreeBSD style location).
> The 'amavisd genrsa' may but need not be run as user amavis.
I changed the steps:
shell# mkdir /var/lib/dkim/
shell# amavisd genrsa /var/lib/dkim/a.cn.pem
shell# setfacl -m u:amavis:r-- /var/lib/dkim/a.cn.pem
BTW, I think '/var/lib/dkim/' is the correct location on RHEL.
>> ".a.cn" => { a => 'rsa-sha1', ttl => 10*24*3600 },
>> ".a.cn" => { d => "a.cn" },
>>
>
> In a perl associative array there can't be two entries
> with the same key. One of the above will get overwritten by the other.
> You need to combine all attributes in a single entry, e.g.:
>
> ".a.cn" => { d => "a.cn", a => 'rsa-sha1', ttl => 10*24*3600},
>
Changed. Thanks.
> Note that signing mail for subdomains with a key of a parent
> domain is treated by recipients as a third-party key, which
> may 'hold less merit' in their eyes. If one has a choice,
> it is better to publish a key for each domain (e.g. host1.a.cn)
> if mail is really coming from it. Sharing a pem file
> for multiple domains may be acceptable, so you don't need
> to generate a different key for each subdomain, but you
> do need to publish it in each subdomain. It is probably
> easier to avoid sending addresses like host1.a.cn and
> always use a parent domain (a.cn) in 'From:', thus
> avoiding the issue altogether.
>
OK. got it.
> Btw, the DKIM standard requires all implementations to support rsa-sha256,
> while most also support rsa-sha1 (but need not). Unless there is a
> good reason to use rsa-sha1, I'd recommend sticking with the default,
> which is rsa-sha256.
>
>> '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
>> } );
>>
>
>
Changed: rsa-sha1 -> rsa-sha256.
It works fine.
> You may also try it with some auto-responder. Note that some
> are hopelessly out of date with their sw, so don't trust
> blindly what they say.
How can I test it?
--
Best Regards.
Zhang Huangbin
- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
http://rhms.googlecode.com/
> > You may also try it with some auto-responder. Note that some
> > are hopelessly out of date with their sw, so don't trust
> > blindly what they say.
>
> How can I test it?
Seem my repost of the same message, which I edited in details,
including adding the auto-responder address.
(my first post was stuck at sourceforge for 10 hours,
and I thought it was lost)
Mark
seem -> see
Found it:
----8<----
You may also try it with some auto-responder. Note that some
are hopelessly out of date with their sw, so don't trust
blindly what they say. The sa-...@sendmail.net seems
alright.
----8<----
Thanks Mark. :)
--
Best Regards.
Zhang Huangbin
- Mail Server Solution for Red Hat(R) Enterprise Linux & CentOS 5.x:
http://rhms.googlecode.com/
Another question about DKIM:
Is there a service where a user may post a complete mail and find out whether
its DKIM signature is valid or not?
LD
> Is there a service where a user may post a complete mail and find out whether
> its DKIM signature is valid or not?
Not that I would know.
I usually test signatures of a message from a command line, e.g.:
perl -MMail::DKIM::Verifier -ne '
BEGIN{$dkim=Mail::DKIM::Verifier->new_object};
s/\r?\n\z/\015\012/;$dkim->PRINT($_);
END{$dkim->CLOSE;print $dkim->result_detail,"\n"}' test.msg
Make sure you have a fairly recent version of Mail::DKIM
(0.31 is fine).
Note that some mail readers (such as kmail) gratuitously
reformat some of the header fields, so saving a received
message to a file from a MUA and checking it may fail
even though the message as seen by the MTA/filter/LDA was fine.
It is best to pick a received message directly from a
mailbox file.
Mark
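Added example (Python; not code from this thread, from amavisd or from Mail::DKIM): the header and body canonicalization selected by the 'c => relaxed/simple' option in the map earlier in the thread, the bh= body-hash step that the 'a' option (rsa-sha1 vs rsa-sha256) feeds into, and a check of the caveat above that a MUA refolding a header field breaks a simple-canonicalized signature but not a relaxed one. The sample header values are constructed.

```python
import base64
import hashlib
import re

# Added example (not amavisd or Mail::DKIM code): DKIM canonicalization as
# selected by the 'c' map option ('relaxed/simple' = relaxed headers, simple body),
# following RFC 4871 section 3.4, plus the bh= body hash for the 'a' option.

def canon_header(field, algorithm="relaxed"):
    """Canonicalize one complete header field (folded lines included, no final CRLF)."""
    if algorithm == "simple":
        return field                          # simple: hashed byte-for-byte, folds and all
    name, _, value = field.partition(":")
    value = re.sub(r"\r?\n", "", value)       # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)     # squeeze runs of WSP to a single SP
    return name.rstrip(" \t").lower() + ":" + value.strip(" \t")

def canon_body(body, algorithm="simple"):
    """Canonicalize a CRLF-terminated message body."""
    lines = body.split("\r\n")
    if algorithm == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":          # both algorithms ignore trailing empty lines
        lines.pop()
    if not lines:                             # empty body: a lone CRLF (simple) or nothing (relaxed)
        return "\r\n" if algorithm == "simple" else ""
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body, c="relaxed/simple", a="rsa-sha256"):
    """bh= tag: base64 digest of the canonical body; a= picks SHA-1 or SHA-256."""
    body_alg = c.partition("/")[2] or "simple"  # body algorithm defaults to simple
    digest = hashlib.sha1 if a == "rsa-sha1" else hashlib.sha256
    canon = canon_body(body, body_alg).encode("utf-8")
    return base64.b64encode(digest(canon).digest()).decode("ascii")

def survives_refold(original, refolded, c="relaxed/simple"):
    """True if a MUA's refolding/respacing of a header leaves its canonical form intact."""
    header_alg = c.partition("/")[0]
    return canon_header(original, header_alg) == canon_header(refolded, header_alg)

# Constructed sample: a header as the MTA saw it, and as a MUA might save it to a file.
ORIGINAL = "Subject: DKIM test from a.cn"
REFOLDED = "Subject:  DKIM test\r\n from a.cn"

if __name__ == "__main__":
    print("relaxed header survives refold:", survives_refold(ORIGINAL, REFOLDED))
    print("simple header survives refold: ", survives_refold(ORIGINAL, REFOLDED, "simple/simple"))
    print("bh= of an empty body (simple):", body_hash(""))
```

The verifier run over a file saved from a MUA fails exactly when the saved header no longer canonicalizes to what the signer hashed, which is why a copy taken straight from the mailbox file is the safer test input.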
I have actually tried all this but I'm extremely lost. I used to run
dkimproxy.in and .out.
I'm not sure whether or not this is required at
http://www.ijs.si/software/amavisd/amavisd-new-docs.html "Setting up
DKIM mail signing and verification"
because the release notes do not include that at all. I've copied the
configuration that he has posted:
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('domain.com', 'default','/usr/local/etc/postfix/dkim/amavisd.key');
dkim_key('domain2.com', 'default','/usr/local/etc/postfix/dkim/amavisd.key');
@dkim_signature_options_bysender_maps = ( {
#
# For domain: a.cn.
#
's...@domain.com' => { a => 'rsa-sha256', ttl => 300 },
# explicit 'd' forces a third-party signature on foreign (hosted) domains
# catchall defaults
'.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 300 },
# 'd' defaults to a domain of an author/sender address,
# 's' defaults to whatever selector is offered by a matching key
} );
with testkeys both passing.
I'm extremely confused: the sa-test autoresponder will tell me I don't have
anything, I don't see anything being signed, I don't see anything being
verified.
Appreciate it.