I work for a university institute and administrate its servers "incidentally".
Currently I am putting some work into our mail server configuration (sendmail 8.13.1 with amavisd-new-2.6.4). Recently I got amavis to verify DKIM signed mails. Now my plan was to sign outgoing Emails ourselves.
This is what I have done (I replaced some names for privacy reasons):
Now things are getting a bit more complicated, at least for me:
The mail server is on a different host than the DNS server for my.domain.topdomain.de. The DNS server responsible for my.domain.topdomain.de is the same as for topdomain.de, which is at our IT center and thus I do not administrate it. I figured it out by "dig my.domain.topdomain.de". Our local DNS servers are not accessible from the internet.
For your setup it might be sufficient to edit the zone file of your DNS server.
6. I let our IT-Center make the following entry in their DNS-Server ("..." is the public key from the "/usr/local/amavisd/amavisd showkeys" command):
Code:
sel1._domainkey.my.domain.subdomain.de IN TXT "v=DKIM1; r=postmaster@my.domain.subdomain.de; p=..."
7. Verified that the public key can be fetched on http://dkimcore.org/c/keycheck (selector in this case is 'sel1')
8. Tested public key usage on my mailserver:
10. Send emails to my external account at some other provider.
The problem is that amavis is not signing the mails. Both automatic test emails reported that the mail had not been signed. The mail to my external account also did not contain any DKIM information.
"My" system:
Code:
# uname -r & cat /etc/issue
2.6.9-89.0.11.ELsmp
Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
Last edited by XXLRay; 01-05-2011 at 03:47 AM.
Reason: censored domain
XXLRay, did you ever manage to solve this? I have the exact same setup as you, have followed exactly the same steps and am having exactly the same problem.
I'd be really grateful to hear how you managed to get it working.
No I just can't use DKIM signing until now. The topic does not seem to be too interesting. Otherwise more would have contributed. I think that's sad because DKIM signing makes the net safer.
Quote:
Originally Posted by whatevs
I have the exact same setup as you, have followed exactly the same steps and am having exactly the same problem.
XXLRay, I would like to read the instructions that you followed and I was wondering if there is a particular how-to or documentation set that you followed for this. Off hand, it looks like you followed the amavisdnew docs, is this correct? I agree that domain keys are a good idea and it seems more and more major mail services are using them as a weighting factor in SPAM prevention.
According to your second post, it looks like you have your outgoing mail correctly passing through amavis based upon the local delivery on one port, SPAM scanning, and then re-injection on the other port. However, as you pointed out it doesn't appear to be 'signing' the mail with the domain keys.
When you restart amavis is there any sort of warning in any logs that indicates what might be the problem?
Consider using "dkim-milter" for sendmail dkim signing purposes.
Thank you for your hint but my time for enhancements is sparse. As Amavisd-new is supposed to offer DKIM signing directly this seemed as an economic solution to realize. In near future I won't have the time to put work in milter (and its own problems which will occur).
Quote:
Originally Posted by Noway2
XXLRay, I would like to read the instructions that you followed and I was wondering if there is a particular how-to or documentation set that you followed for this. Off hand, it looks like you followed the amavisdnew docs, is this correct?
I used several documentations as the amavisd-new guide is not without gaps especially when it comes to providing the public key. Nevertheless it was the basis for my procedure.
Quote:
Originally Posted by Noway2
When you restart amavis is there any sort of warning in any logs that indicates what might be the problem?
Code:
#/etc/init.d/amavisd restart && tail -f /var/log/amavisd-info.log
Dec 21 17:30:35 myserver amavis[23276]: logging initialized, log level 2, syslog: amavis.local5
Dec 21 17:30:35 myserver amavis[23276]: Valid PID file (younger than sys uptime 440 9:04:00)
Dec 21 17:30:35 myserver amavis[3366]: Net::Server: 2010/12/21-17:30:35 Server closing!
Dec 21 17:30:36 myserver amavis[23276]: Daemon [3366] terminated by SIGTERM
Dec 21 17:30:37 myserver amavis[23297]: logging initialized, log level 2, syslog: amavis.local5
Dec 21 17:30:37 myserver amavis[23297]: starting. /usr/local/amavisd/amavisd at myserver.my.domain.topdomain.de amavisd-new-2.6.4 (20090625), Unicode aware, LANG="C"
Dec 21 17:30:37 myserver amavis[23297]: user=, EUID: 500 (500); group=, EGID: 801 801 (801 801)
Dec 21 17:30:37 myserver amavis[23297]: Perl version 5.008005
Dec 21 17:30:37 myserver amavis[23297]: INFO: no optional modules: IO::Socket::INET6
Dec 21 17:30:41 myserver amavis[23297]: Sophos SAVI init: Version 4.60 (engine 3.14) recognizing 2166145 viruses
Dec 21 17:30:41 myserver amavis[23297]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin
Dec 21 17:30:42 myserver amavis[23297]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Encode::Detect Razor2::Client::Agent IP::Country::Fast
Dec 21 17:30:42 myserver amavis[23297]: SpamControl: init_pre_chroot on SpamAssassin done
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Process Backgrounded
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: 2010/12/21-17:30:42 Amavis (type Net::Server::PreForkSimple) starting! pid(23303)
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Binding to UNIX socket file /var/spool/amavis/amavisd.sock using SOCK_STREAM
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Group Not Defined. Defaulting to EGID '801 801'
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: User Not Defined. Defaulting to EUID '500'
Dec 21 17:30:43 myserver amavis[23303]: config files read: /usr/local/amavisd/amavisd.conf
Dec 21 17:30:43 myserver amavis[23303]: Module Amavis::Conf 2.207
Dec 21 17:30:43 myserver amavis[23303]: Module Archive::Zip 1.30
Dec 21 17:30:43 myserver amavis[23303]: Module BerkeleyDB 0.27
Dec 21 17:30:43 myserver amavis[23303]: Module Compress::Zlib 1.41
Dec 21 17:30:43 myserver amavis[23303]: Module Convert::TNEF 0.17
Dec 21 17:30:43 myserver amavis[23303]: Module Convert::UUlib 1.09
Dec 21 17:30:43 myserver amavis[23303]: Module Crypt::OpenSSL::RSA 0.25
Dec 21 17:30:43 myserver amavis[23303]: Module DBD::mysql 2.9004
Dec 21 17:30:43 myserver amavis[23303]: Module DBI 1.40
Dec 21 17:30:43 myserver amavis[23303]: Module DB_File 1.809
Dec 21 17:30:43 myserver amavis[23303]: Module Digest::MD5 2.33
Dec 21 17:30:43 myserver amavis[23303]: Module Digest::SHA 5.47
Dec 21 17:30:43 myserver amavis[23303]: Module Digest::SHA1 2.07
Dec 21 17:30:43 myserver amavis[23303]: Module MIME::Entity 5.428
Dec 21 17:30:43 myserver amavis[23303]: Module MIME::Parser 5.428
Dec 21 17:30:43 myserver amavis[23303]: Module MIME::Tools 5.428
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::DKIM::Signer 0.31
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::DKIM::Verifier 0.31
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::Header 1.67
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::Internet 1.67
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::SPF v2.005
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::SpamAssassin 3.002004
Dec 21 17:30:43 myserver amavis[23303]: Module Net::DNS 0.63
Dec 21 17:30:43 myserver amavis[23303]: Module Net::Server 0.90
Dec 21 17:30:43 myserver amavis[23303]: Module NetAddr::IP 4.007
Dec 21 17:30:43 myserver amavis[23303]: Module SAVI 0.30
Dec 21 17:30:43 myserver amavis[23303]: Module Time::HiRes 1.83
Dec 21 17:30:43 myserver amavis[23303]: Module URI 1.30
Dec 21 17:30:43 myserver amavis[23303]: Module Unix::Syslog 0.99
Dec 21 17:30:43 myserver amavis[23303]: Amavis::DB code loaded
Dec 21 17:30:43 myserver amavis[23303]: Amavis::Cache code loaded
Dec 21 17:30:43 myserver amavis[23303]: SQL base code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: SQL::Log code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: SQL::Quarantine NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Lookup::SQL code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Lookup::LDAP code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: AM.PDP-in proto code loaded
Dec 21 17:30:43 myserver amavis[23303]: SMTP-in proto code loaded
Dec 21 17:30:43 myserver amavis[23303]: Courier proto code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: SMTP-out proto code loaded
Dec 21 17:30:43 myserver amavis[23303]: Pipe-out proto code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: BSMTP-out proto code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Local-out proto code loaded
Dec 21 17:30:43 myserver amavis[23303]: OS_Fingerprint code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-VIRUS code loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM code loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM-EXT code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM-C code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM-SA code loaded
Dec 21 17:30:43 myserver amavis[23303]: Unpackers code loaded
Dec 21 17:30:43 myserver amavis[23303]: DKIM code loaded
Dec 21 17:30:43 myserver amavis[23303]: Tools code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Found $file at /usr/bin/file
Dec 21 17:30:43 myserver amavis[23303]: No $altermime, not using it
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .mail
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .asc
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .uue
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .hqx
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .ync
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .F tried: unfreeze, freeze -d, melt, fcat
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .Z at /usr/bin/gzip -d
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .gz at /usr/bin/gzip -d
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .gz (backup, not used)
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .bz2 at /usr/bin/bzip2 -d
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .lzo tried: lzop -d
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .rpm at /usr/bin/rpm2cpio
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .cpio at /usr/bin/pax
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .tar at /usr/bin/pax
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .deb at /usr/bin/ar
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .zip
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .rar tried: rar, unrar
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .arj tried: arj, unarjmyserver
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .arc tried: nomarch, arc
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .zoo tried: zoo, unzoo
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .lha at /usr/bin/lha
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .cab tried: cabextract
Dec 21 17:30:43 myserver amavis[23303]: No decoder for .tnef tried: tnef
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .tnef
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for .exe at /usr/bin/lha
Dec 21 17:30:43 myserver amavis[23303]: Using primary internal av scanner code for Sophos SAVI
Dec 21 17:30:43 myserver amavis[23303]: Found secondary av scanner Sophos Anti Virus (sweep) at /usr/local/sophos/bin/sweep
Dec 21 17:30:43 myserver amavis[23303]: Creating db in /var/spool/amavis/db/; BerkeleyDB 0.27, libdb 4.2
Dec 21 17:30:43 myserver amavis[23303]: initializing Mail::SpamAssassin
Dec 21 17:30:43 myserver amavis[23303]: SpamAssassin debug facilities: info
Dec 21 17:30:45 myserver amavis[23303]: SpamAssassin loaded plugins: AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, DNSEval, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Dec 21 17:30:45 myserver amavis[23303]: SpamControl: init_pre_fork on SpamAssassin done
...
1 - From this link, it looks like using perl module:mail DKIM version 0.33 or higher is recommended when using the signing function. Your log states that you are on version 0.31. Don't know what the difference is, but it is worth looking into.
2 - From the documentation page in the link above,
Quote:
Starting with 2.6.0, verification of DKIM signatures (and historical DomainKeys signatures) is provided directly by amavisd (not only by a SpamAssassin plugin DKIM). A required version of a perl module Mail::DKIM is 0.31 or later, but recommended is 0.33 or later.
It isn't entirely clear to me whether the spam-assassin plugin was meant to handle signing and verification or just verification. The log (2nd to last line) shows that you are using a spam-assassin plug in. You might want to double check which version(s) of the programs you are running since it looks like the interaction has changed as the spam-assassin plug in is not required beyond a certain version.
I am having exactly the same problem. The only hint that I got when I set the log_level to 5 was:
Code:
dkim: not signing mail which is not originating from inside
I tried everything I could imagine to tell amavis that I am sending my mails from inside. Especially the following line should tell amavis my local network configuration:
I am a bit frightened to just take these settings. Thus I have a question.
Until now I only have a local_domains_maps for 127.0.0.1 and not for $mydomain. Which effects will I have to consider if I add "@local_domains_maps = ( [".$mydomain"] );". Nevertheless is it at least necessary to have this option? To me it seems to be independent from the other options you used.
XXLRay, you're right. I mean, with this configuration all e-mails that are sent through port 10024 are signed, no matter whether you set the local_domains_maps variable or not, but setting this variable is useful for me to scan only local messages. Maybe it was my fault for writing it together with the other options.
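Added example, not part of the thread and not code from amavisd-new: a small Python check for the test described above (send a mail to an external account, then look for DKIM information). It reports whether the received message carries a DKIM-Signature for the expected domain and selector, and which TXT name a verifier will query; it does not verify the signature cryptographically. The function names and sample messages are constructed for illustration; the domain and selector are the placeholders used in the thread.

```python
import email
from email import policy

REQUIRED_SIG_TAGS = ("v", "a", "b", "bh", "d", "h", "s")  # RFC 6376, section 3.5

def parse_tag_list(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Drop folding whitespace; fine for the tags compared below.
            tags[name.strip()] = "".join(val.split())
    return tags

def key_record_ok(txt):
    """Usable key record: version DKIM1 and a non-empty p= (empty p= means revoked)."""
    tags = parse_tag_list(txt)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))

def check_signing(raw_message, domain, selector):
    """Return (status, dns_name); dns_name is the TXT record a verifier queries."""
    dns_name = f"{selector}._domainkey.{domain}".lower()
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    sigs = [parse_tag_list(v) for v in msg.get_all("DKIM-Signature", [])]
    if not sigs:
        return "unsigned", dns_name
    for sig in sigs:
        if f"{sig.get('s', '')}._domainkey.{sig.get('d', '')}".lower() == dns_name:
            missing = [t for t in REQUIRED_SIG_TAGS if not sig.get(t)]
            status = "malformed: missing " + ",".join(missing) if missing else "signed"
            return status, dns_name
    return "signed by another domain or selector only", dns_name

# Constructed sample messages (bh= and b= are placeholders, not real signatures).
SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=my.domain.topdomain.de;\n"
    "\ts=sel1; h=from:to:subject; bh=Y29uc3RydWN0ZWQ=;\n"
    "\tb=Y29uc3RydWN0ZWQgc2lnbmF0dXJl\n"
    "From: user@my.domain.topdomain.de\nSubject: test\n\nbody\n"
)
UNSIGNED = "From: user@my.domain.topdomain.de\nSubject: test\n\nbody\n"

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("unsigned", UNSIGNED)):
        print(name, check_signing(raw, "my.domain.topdomain.de", "sel1"))
```

A result of "unsigned" on a message that passed through amavisd matches the symptom in this thread; the log line quoted above (`dkim: not signing mail which is not originating from inside`) is then the place to look.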