[SOLVED] How to DKIM sign emails by amavisd-new

XXLRay · 10-21-2010, 07:09 AM

I work for a university institute and administrate its servers "incidently".
Currently I am putting some work into our mail server configuration (sendmail 8.13.1 with amavisd-new-2.6.4). Recently I got amavis to verify DKIM signed mails. Now my plan was to sign outgoing Emails ourselves.
This is what I have done (I replaced some names for privacy reasons):

1. I created a private key:

Code:

/usr/local/amavisd/amavisd genrsa /var/dkim/SEL1_DKIMkey.pem

2. Changed permissions for the user running amavis:

Code:

chown -R vscan.vscan /var/dkim/ && chmod -R 700 /var/dkim

3. Editet my /etc/amavisd.conf:

Code:

...
$enable_dkim_signing = 1;
# signing domain selector private key options
dkim_key ('my.domain.topdomain.de', 'sel1', '/var/dkim/SEL1_DKIMkey.pem');
...

4. Restarted amavis:

Code:

/etc/init.d/amavisd restart

5. Tested whether the private key is found and got public key as well as DNS entry information:

Code:

/usr/local/amavisd/amavisd showkeys

; key#1, domain my.domain.topdomain.de, /var/dkim/SEL1_DKIMkey.pem
sel1._domainkey.my.domain.topdomain.de.	3600 TXT (
  "v=DKIM1; p=...")

Now thing are getting a bit more complicated at least for me:
The Mailserver is on a different host than the DNS-server for my.domain.topdomain.de. The DNS-Server responsible for my.domain.topdomain.de is the same as for topdomain.de which is at our IT center and thus I do not administrate. I figured it out by "dig my.domain.topdomain.de". Our local DNS-Servers are not accessable from the internet.
For your setup it might be sufficient to edit the zone file of your DNS-server

6. I let our IT-Center make the following entry in their DNS-Server ("..." is the public key from the "/usr/local/amavisd/amavisd showkeys" command):

Code:

sel1._domainkey.my.domain.subdomain.de IN TXT "v=DKIM1; r=postmaster@my.domain.subdomain.de; p=..."

7. Verified that the public key can be fetched on http://dkimcore.org/c/keycheck (selector in this case is 'sel1')
8. Tested public key usage on my mailserver:

Code:

/usr/local/amavisd/amavisd testkeys

TESTING#1: sel1._domainkey.my.domain.topdomain.de  => pass

9. Send Testmails to sa-test@sendmail.net and check-auth@verifier.port25.com . They automatically create answer mails considering signature information.

10. Send emails to my external account at some other provider.

The problem is that amavis is not signing the mails. Both automatic test emails reported, that the mail had not been signed. The mail to my external account also did not contain any DKIM information.

"My" system:

Code:

# uname -r & cat /etc/issue
2.6.9-89.0.11.ELsmp
Red Hat Enterprise Linux AS release 4 (Nahant Update 8)

XXLRay · 10-21-2010, 09:15 AM

Perhaps the entries of the amavis log help (names are edited):

Code:

cat /var/log/amavisd-info.log | grep "sa-test@sendmail.net"

Oct 21 11:42:22 myhost amavis[1034]: (01034-07) LMTP::10024 /var/spool/amavis/tmp/amavis-20101021T113810-01034: <me@my.domain.topdomain.de> -> <check-auth@verifier.port25.com>,<sa-test@sendmail.net> SIZE=948 Received: from myhost.my.domain.topdomain.de ([127.0.0.1]) by localhost (myhost.my.domain.topdomain.de  [127.0.0.1]) (amavisd-new, port 10024) with LMTP; Thu, 21 Oct 2010 11:42:22 +0200 (CEST)
Oct 21 11:42:22 myhost amavis[1034]: (01034-07) Checking: ftI5Php4jI0W [192.168.3.11] <me@my.domain.topdomain.de> -> <check-auth@verifier.port25.com>,<sa-test@sendmail.net>
Oct 21 11:42:23 myhost amavis[1034]: (01034-07) SPAM-TAG, <me@my.domain.topdomain.de> -> <check-auth@verifier.port25.com>,<sa-test@sendmail.net>, No, score=-5.8 required=3 tests=[ALL_TRUSTED=-1.8, BAYES_00=-4] autolearn=no
Oct 21 11:42:23 myhost amavis[1034]: (01034-07) FWD via SMTP: <me@my.domain.topdomain.de> -> <check-auth@verifier.port25.com>,<sa-test@sendmail.net>,BODY=7BIT 250 2.0.0 Ok, id=01034-07, from MTA([127.0.0.1]:10025): 250 2.0.0 o9L9gNRZ001632 Message accepted for delivery
Oct 21 11:42:23 myhost amavis[1034]: (01034-07) Passed CLEAN, [192.168.3.11] [192.168.3.11] <me@my.domain.topdomain.de> -> <check-auth@verifier.port25.com>,<sa-test@sendmail.net>, Message-ID: <3AF5B106-5834-46E6-B16D-1DC74181A2DD@my.domain.topdomain.de>, mail_id: ftI5Php4jI0W, Hits: -5.8, size: 980, queued_as: 250 2.0.0 o9L9gNRZ001632 Message accepted for delivery, 930 ms

XXLRay · 10-25-2010, 10:24 AM

Can at least anyone confirm that it should work this way or did I leave out any step?

whatevs · 12-20-2010, 06:43 AM

XXLRay, did you ever manage to solve this? I have the exact same setup as you, have followed exactly the same steps and am having exactly the same problem.

I'd be really grateful to hear how you managed to get it working.

XXLRay · 12-21-2010, 02:02 AM

No I just can't use DKIM signing until now. The topic does not seem to be too interesting. Otherwise more would have contributed. I think that's sad because DKIM signing makes the net safer.

Quote:

Originally Posted by whatevs

I have the exact same setup as you, have followed exactly the same steps and am having exactly the same problem.

At least it seems to be reproducable...

rexjenny · 12-21-2010, 04:18 AM

Consider using "dkim-milter" for sendmail dkim signing purposes. If you "Google" you can find many easy tutorials for it's integration with Sendmail.

Noway2 · 12-21-2010, 04:44 AM

XXLRay, I would like to read the instructions that you followed and I was wondering if there is a particular how-to or documentation set that you followed for this. Off hand, it looks like you followed the amavisdnew docs, is this correct? I agree that domain keys are a good idea and it seems more and more major mail services are using them as a weighting factor in SPAM prevention.

According to your second post, it looks like you have your outgoing mail correctly passing through amavis based upon the local delivery on one port, SPAM scanning, and then re-injection on the other port. However, as you pointed out it doesn't appear to be 'signing' the mail with the domain keys.

When you restart amavis is there any sort of warning in any logs that indicates what might be the problem?

XXLRay · 12-21-2010, 10:34 AM

Quote:

Originally Posted by rexjenny

Consider using "dkim-milter" for sendmail dkim signing purposes.

Thank you for your hint but my time for enhancements is sparse. As Amavisd-new is supposed to offer DKIM signing directly this seemed as an economic solution to realize. In near future I won't have the time to put work in milter (and its own problems which will occur).

Quote:

Originally Posted by Noway2

XXLRay, I would like to read the instructions that you followed and I was wondering if there is a particular how-to or documentation set that you followed for this. Off hand, it looks like you followed the amavisdnew docs, is this correct?

I used several documentations as the amavisd-new guide is not without gaps especially when it comes to providing the public key. Nevertheless it was the basis for my procedure.

Quote:

Originally Posted by Noway2

When you restart amavis is there any sort of warning in any logs that indicates what might be the problem?

Code:

#/etc/init.d/amavisd restart && tail -f /var/log/amavisd-info.log

Dec 21 17:30:35 myserver amavis[23276]: logging initialized, log level 2, syslog: amavis.local5
Dec 21 17:30:35 myserver amavis[23276]: Valid PID file (younger than sys uptime 440 9:04:00)
Dec 21 17:30:35 myserver amavis[3366]: Net::Server: 2010/12/21-17:30:35 Server closing!
Dec 21 17:30:36 myserver amavis[23276]: Daemon [3366] terminated by SIGTERM
Dec 21 17:30:37 myserver amavis[23297]: logging initialized, log level 2, syslog: amavis.local5
Dec 21 17:30:37 myserver amavis[23297]: starting.  /usr/local/amavisd/amavisd at myserver.my.domain.topdomain.de amavisd-new-2.6.4 (20090625), Unicode aware, LANG="C"
Dec 21 17:30:37 myserver amavis[23297]: user=, EUID: 500 (500);  group=, EGID: 801 801 (801 801)
Dec 21 17:30:37 myserver amavis[23297]: Perl version               5.008005
Dec 21 17:30:37 myserver amavis[23297]: INFO: no optional modules: IO::Socket::INET6
Dec 21 17:30:41 myserver amavis[23297]: Sophos SAVI init: Version 4.60 (engine 3.14) recognizing 2166145 viruses
Dec 21 17:30:41 myserver amavis[23297]: SpamControl: scanner SpamAssassin, module Amavis::SpamControl::SpamAssassin
Dec 21 17:30:42 myserver amavis[23297]: INFO: SA version: 3.2.4, 3.002004, no optional modules: Net::CIDR::Lite Sys::Hostname::Long Encode::Detect Razor2::Client::Agent IP::Country::Fast
Dec 21 17:30:42 myserver amavis[23297]: SpamControl: init_pre_chroot on SpamAssassin done
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Process Backgrounded
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: 2010/12/21-17:30:42 Amavis (type Net::Server::PreForkSimple) starting! pid(23303)
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Binding to UNIX socket file /var/spool/amavis/amavisd.sock using SOCK_STREAM
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Binding to TCP port 10024 on host 127.0.0.1
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: Group Not Defined.  Defaulting to EGID '801 801'
Dec 21 17:30:42 myserver amavis[23303]: Net::Server: User Not Defined.  Defaulting to EUID '500'
Dec 21 17:30:43 myserver amavis[23303]: config files read: /usr/local/amavisd/amavisd.conf
Dec 21 17:30:43 myserver amavis[23303]: Module Amavis::Conf        2.207
Dec 21 17:30:43 myserver amavis[23303]: Module Archive::Zip        1.30
Dec 21 17:30:43 myserver amavis[23303]: Module BerkeleyDB          0.27
Dec 21 17:30:43 myserver amavis[23303]: Module Compress::Zlib      1.41
Dec 21 17:30:43 myserver amavis[23303]: Module Convert::TNEF       0.17
Dec 21 17:30:43 myserver amavis[23303]: Module Convert::UUlib      1.09
Dec 21 17:30:43 myserver amavis[23303]: Module Crypt::OpenSSL::RSA 0.25
Dec 21 17:30:43 myserver amavis[23303]: Module DBD::mysql          2.9004
Dec 21 17:30:43 myserver amavis[23303]: Module DBI                 1.40
Dec 21 17:30:43 myserver amavis[23303]: Module DB_File             1.809
Dec 21 17:30:43 myserver amavis[23303]: Module Digest::MD5         2.33
Dec 21 17:30:43 myserver amavis[23303]: Module Digest::SHA         5.47
Dec 21 17:30:43 myserver amavis[23303]: Module Digest::SHA1        2.07
Dec 21 17:30:43 myserver amavis[23303]: Module MIME::Entity        5.428
Dec 21 17:30:43 myserver amavis[23303]: Module MIME::Parser        5.428
Dec 21 17:30:43 myserver amavis[23303]: Module MIME::Tools         5.428
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::DKIM::Signer  0.31
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::DKIM::Verifier 0.31
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::Header        1.67
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::Internet      1.67
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::SPF           v2.005
Dec 21 17:30:43 myserver amavis[23303]: Module Mail::SpamAssassin  3.002004
Dec 21 17:30:43 myserver amavis[23303]: Module Net::DNS            0.63
Dec 21 17:30:43 myserver amavis[23303]: Module Net::Server         0.90
Dec 21 17:30:43 myserver amavis[23303]: Module NetAddr::IP         4.007
Dec 21 17:30:43 myserver amavis[23303]: Module SAVI                0.30
Dec 21 17:30:43 myserver amavis[23303]: Module Time::HiRes         1.83
Dec 21 17:30:43 myserver amavis[23303]: Module URI                 1.30
Dec 21 17:30:43 myserver amavis[23303]: Module Unix::Syslog        0.99
Dec 21 17:30:43 myserver amavis[23303]: Amavis::DB code      loaded
Dec 21 17:30:43 myserver amavis[23303]: Amavis::Cache code   loaded
Dec 21 17:30:43 myserver amavis[23303]: SQL base code        NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: SQL::Log code        NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: SQL::Quarantine      NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Lookup::SQL code     NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Lookup::LDAP code    NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: AM.PDP-in proto code loaded
Dec 21 17:30:43 myserver amavis[23303]: SMTP-in proto code   loaded
Dec 21 17:30:43 myserver amavis[23303]: Courier proto code   NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: SMTP-out proto code  loaded
Dec 21 17:30:43 myserver amavis[23303]: Pipe-out proto code  NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: BSMTP-out proto code NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Local-out proto code loaded
Dec 21 17:30:43 myserver amavis[23303]: OS_Fingerprint code  NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-VIRUS code      loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM code       loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM-EXT code   NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM-C code     NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: ANTI-SPAM-SA code    loaded
Dec 21 17:30:43 myserver amavis[23303]: Unpackers code       loaded
Dec 21 17:30:43 myserver amavis[23303]: DKIM code            loaded
Dec 21 17:30:43 myserver amavis[23303]: Tools code           NOT loaded
Dec 21 17:30:43 myserver amavis[23303]: Found $file            at /usr/bin/file
Dec 21 17:30:43 myserver amavis[23303]: No $altermime,         not using it
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .mail
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .asc 
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .uue 
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .hqx 
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .ync 
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .F    tried: unfreeze, freeze -d, melt, fcat
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .Z    at /usr/bin/gzip -d
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .gz   at /usr/bin/gzip -d
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .gz   (backup, not used)
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .bz2  at /usr/bin/bzip2 -d
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .lzo  tried: lzop -d
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .rpm  at /usr/bin/rpm2cpio
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .cpio at /usr/bin/pax
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .tar  at /usr/bin/pax
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .deb  at /usr/bin/ar
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .zip 
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .rar  tried: rar, unrar
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .arj  tried: arj, unarjmyserver
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .arc  tried: nomarch, arc
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .zoo  tried: zoo, unzoo
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .lha  at /usr/bin/lha
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .cab  tried: cabextract
Dec 21 17:30:43 myserver amavis[23303]: No decoder for       .tnef tried: tnef
Dec 21 17:30:43 myserver amavis[23303]: Internal decoder for .tnef
Dec 21 17:30:43 myserver amavis[23303]: Found decoder for    .exe  at /usr/bin/lha
Dec 21 17:30:43 myserver amavis[23303]: Using primary internal av scanner code for Sophos SAVI
Dec 21 17:30:43 myserver amavis[23303]: Found secondary av scanner Sophos Anti Virus (sweep) at /usr/local/sophos/bin/sweep
Dec 21 17:30:43 myserver amavis[23303]: Creating db in /var/spool/amavis/db/; BerkeleyDB 0.27, libdb 4.2
Dec 21 17:30:43 myserver amavis[23303]: initializing Mail::SpamAssassin
Dec 21 17:30:43 myserver amavis[23303]: SpamAssassin debug facilities: info
Dec 21 17:30:45 myserver amavis[23303]: SpamAssassin loaded plugins: AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, DNSEval, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject
Dec 21 17:30:45 myserver amavis[23303]: SpamControl: init_pre_fork on SpamAssassin done
...

Noway2 · 12-21-2010, 11:28 AM

From your log, I see two things for you to check:

1 - from this link, it looks like using perl module:mail DKIM verion 0.33 or higher is recommended when using the signing function. Your log states that you are on version 0.31. Don't know what the difference is, but it is worth looking into.

2 - From the documentation page in the link above,

Quote:

Starting with 2.6.0, verification of DKIM signatures (and historical DomainKeys signatures) is provided directly by amavisd (not only by a SpamAssassin plugin DKIM). A required version of a perl module Mail:

KIM is 0.31 or later, but recommended is 0.33 or later.

It isn't entirely clear to me whether the spam-assassin plugin was meant to handle signing and verification or just verification. The log (2nd to last line) shows that you are using a spam-assassin plug in. You might want to double check which version(s) of the programs you are running since it looks like the interaction has changed as the spam-assassin plug in is not required beyond a certain version.

XXLRay · 12-23-2010, 03:00 AM

1. That is a good hint. I will see whether I can upgrade the module.

2. I just use Spamassassin for spam detection. Nevertheless a good hint for others, too.

XXLRay · 01-05-2011, 04:08 AM

I upgraded The PERL module to 0.39:

Code:

# tail -f /var/log/amavisd-info.log | grep DKIM
Jan  5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Signer  0.39
Jan  5 11:01:53 bender amavis[16877]: Module Mail::DKIM::Verifier 0.39
Jan  5 11:01:53 bender amavis[16877]: DKIM code            loaded
Jan  5 11:01:54 bender amavis[16877]: SpamAssassin loaded plugins: AWL, AutoLearnThreshold, Bayes, BodyEval, Check, DCC, DKIM, DNSEval, HTMLEval, HTTPSMismatch, Hashcash, HeaderEval, ImageInfo, MIMEEval, MIMEHeader, Pyzor, Razor2, RelayEval, ReplaceTags, SPF, SpamCop, URIDNSBL, URIDetail, URIEval, VBounce, WLBLEval, WhiteListSubject

I activated signing in amavisd.conf and restarted the daemon. Unfortunately the mails are still not signed.

chickenrudi · 01-28-2011, 05:37 PM

Hi all,

I am having exactly the same problem. The only hint that I got when I set the log_level to 5 was:

Code:

dkim: not signing mail which is not originating from inside

I tried everything I could imagine to tell amavis that I am sending my mails from inside. Especially the following line should tell amavis my local network configuration:

Code:

@mynetworks = qw( 127.0.0.0/8 192.168.42.0/24 );

Unfortunately this doesn't help at all.

Thank you in advance for any help

darkfroid · 02-28-2011, 04:42 AM

Hi all,

I got this problem for days and days until now. I set next variables in amavis conf file:

1. $mydomain = testdomain.com
2. @local_domains_maps = ( [".$mydomain"] );
3. $inet_socket_port = 10024;

4.$interface_policy{'10024'} = 'ORIGINATING'; # with this all my mails are "originating from inside".

5. $policy_bank{'ORIGINATING'} = {
originating => 1,
allow_disclaimers => 1,
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
forward_method => 'smtp:[127.0.0.1]:10026',
smtpd_discard_ehlo_keywords => ['8BITMIME'],
bypass_banned_checks_maps => [1],
terminate_dsn_on_notify_success => 0,
};

And now my mails are signed.

I hope this help you.

Regards

XXLRay · 03-01-2011, 03:14 AM

I am a bit frightened to just take these settings. Thus I have a question.
Until now I only have a local_domains_maps for 127.0.0.1 and not for $mydomain. Which effects will I have to consider if I add "@local_domains_maps = ( [".$mydomain"] );". Nevertheless is it at least necessary to have this option? To me it seems to be independent from the other options you used.

darkfroid · 03-01-2011, 06:16 AM

XXLRay you're right, i mean, with this configuration all e-mails who are sent through port 10024 are signed, no matter if you set local_domains_maps variable or not, but set this variable is useful for me to scan only local messages. Maybe it was my fault writing it with the other options.

Regards