{{tag>mail dkim}}

====== DKIM keys via amavis ======

===== Generate new private/public key pair =====

==== Manual ====

<code bash>
amavisd-new genrsa /var/lib/amavis/example.key.pem 1024
openssl rsa -in /var/lib/amavis/example.key.pem -out /var/lib/amavis/example.key.pem.public -pubout -outform PEM
</code>

=== Create new configuration ===

<code bash>
vi /etc/amavis/conf.d/60-dkim
</code>

add

<code perl>
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'mail1550766080', '/var/lib/amavis/example.key.pem');
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } }
);
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);
</code>

=== List public keys ===

<code bash>
amavisd-new showkeys
</code>

<code>
...
; key#2  1024 bits, i=mail1550766080, d=example.com, /var/lib/amavis/example.key.pem
mail1550766080._domainkey.example.com. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUwuIBMBsfo1uMwM8baCLy3VMw"
  "Iv1lhIfUq6r2ZhSEySmFpJt0QEDl2JxId/0nHUD9kqaeQIOh+BvMYfQbJypltvJw"
  "BcXhDeC0JmCv39/PXQGKPunoJXB27iDkrz8RQNVH1eJaSjT033PTa1cb8orPNHRN"
  "s3tjCMzu6eonaFWKmQIDAQAB")
</code>

and copy it into the DNS zone.

==== Via ISPConfig web UI ====

Under //Email > choose domain > DomainKeys Identified Mail (DKIM)// you can generate the keys.

Don't add the public key via the ISPConfig web UI (DNS > Records), because the input form will truncate it if the key has 2048 bits. Instead add it directly on the server in the ///etc/bind// zone file, e.g.

<code>
...
example.com. 86400 TXT "v=spf1 a mx ip4:138.201.137.220 -all"
example.com. 3600 TXT "google-site-verification=Vd9dD-9pxxxxxxxxxxxxxxxxxxxx-bdxxxxx"
example.com. 3600 TXT "MS=ms20857300"
mail1550766080._domainkey.example.com. 3600 TXT "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUwuIBMBsfo1uMwM8baCLy3VMwIv1lhIfUq6r2ZhSEySmFpJt0QEDl2JxId/0nHUD9kqaeQIOh+BvMYfQbJypltvJwBcXhDeC0JmCv39/PXQGKPunoJXB27iDkrz8RQNVH1eJaSjT033PTa1cb8orPNHRNs3tjCMzu6eonaFWKmQIDAQAB"
</code>

If the key is generated via ISPConfig it is added automatically.
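The truncation problem above is easy to miss because a shortened ''p='' value still looks like a key. The following script is an added example (not part of this page, amavis or ISPConfig) that compares a DKIM TXT record, in either the single-string form or the parenthesised multi-string form ''showkeys'' prints, with the local PEM public key, and reports the RSA modulus size by walking the DER ''SubjectPublicKeyInfo'' with the standard library only. The sample record is constructed here from the page's own 1024-bit key; ''zone_txt'' is a helper of this example that splits a long value into the 255-byte strings a zone file needs.

```python
"""Check a DKIM TXT record against the local public key (added example, not part
of the page or of amavis). Standard library only; the DER walk understands the
RSA SubjectPublicKeyInfo that `openssl rsa -pubout` emits."""
import base64
import re
import textwrap

# Base64 SubjectPublicKeyInfo of the 1024-bit key shown on this page by
# `amavisd-new showkeys`; the PEM wrapper around it is reconstructed here.
SAMPLE_KEY_B64 = (
    "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUwuIBMBsfo1uMwM8baCLy3VMw"
    "Iv1lhIfUq6r2ZhSEySmFpJt0QEDl2JxId/0nHUD9kqaeQIOh+BvMYfQbJypltvJw"
    "BcXhDeC0JmCv39/PXQGKPunoJXB27iDkrz8RQNVH1eJaSjT033PTa1cb8orPNHRN"
    "s3tjCMzu6eonaFWKmQIDAQAB"
)
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(SAMPLE_KEY_B64, 64))
              + "\n-----END PUBLIC KEY-----\n")
# Constructed TXT RDATA in the multi-string zone-file form that showkeys prints.
SAMPLE_RDATA = ('( "v=DKIM1; t=s; p=" "%s" "%s" )'
                % (SAMPLE_KEY_B64[:128], SAMPLE_KEY_B64[128:]))


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the RSA modulus size in bits of a DER SubjectPublicKeyInfo."""
    _, spki, _ = der_tlv(spki_der)         # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = der_tlv(spki)              # AlgorithmIdentifier SEQUENCE (skipped)
    _, bits, _ = der_tlv(spki, pos)        # BIT STRING; first byte = unused bit count
    _, rsapub, _ = der_tlv(bits[1:])       # RSAPublicKey SEQUENCE
    _, modulus, _ = der_tlv(rsapub)        # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()


def pem_to_b64(pem):
    """Strip the PEM armour and line breaks, leaving the base64 DER body."""
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----", "", pem)
    return re.sub(r"\s+", "", body)


def join_txt_strings(rdata):
    """Concatenate the quoted <character-string>s of a TXT record, as DKIM
    verifiers do (RFC 6376 section 3.6.2.2)."""
    return "".join(re.findall(r'"([^"]*)"', rdata))


def parse_dkim_tags(txt):
    """Parse 'tag=value; tag=value' into a dict; whitespace inside p= is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = (s.strip() for s in part.split("=", 1))
            tags[name] = re.sub(r"\s+", "", value) if name == "p" else value
    return tags


def zone_txt(value, size=255):
    """Render a long TXT value as parenthesised strings of at most `size` bytes,
    the form a zone file needs because one <character-string> holds 255 bytes."""
    chunks = [value[i:i + size] for i in range(0, len(value), size)]
    return "( " + " ".join('"%s"' % c for c in chunks) + " )"


def check_dkim_record(pem, rdata):
    """Compare the published record with the local public key.
    Returns {'ok': bool, 'bits': int or None, 'problems': [str, ...]}."""
    tags = parse_dkim_tags(join_txt_strings(rdata))
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but if present must be DKIM1
        problems.append("version tag is %r, expected DKIM1" % tags["v"])
    if "p" not in tags:
        problems.append("no p= tag: record is truncated or not a DKIM record")
        return {"ok": False, "bits": None, "problems": problems}
    if tags["p"] != pem_to_b64(pem):
        problems.append("published key differs from local key (truncated or stale?)")
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        bits = None
        problems.append("p= does not decode to an RSA SubjectPublicKeyInfo")
    return {"ok": not problems, "bits": bits, "problems": problems}


if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_PEM, SAMPLE_RDATA))  # {'ok': True, 'bits': 1024, 'problems': []}
    print(zone_txt("v=DKIM1; p=" + SAMPLE_KEY_B64))
```

To use it against a live zone, paste the TXT RDATA returned by ''dig TXT mail1550766080._domainkey.example.com'' (the selector from this page) as ''rdata'' and the contents of the ''.public'' file written by ''openssl'' as ''pem''. For the page's key the check reports 1024 bits; RFC 8301 recommends that signers use at least 2048-bit RSA keys, which is exactly the size the ISPConfig record form truncates, so the zone-file route above is the one that matters for a key of recommended size.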
===== Check if the key is added =====

<code bash>
amavisd-new testkeys
</code>

<code>
TESTING#1 example.org: example._domainkey.example.org => pass
TESTING#2 example.com: mail._domainkey.example.com => pass
</code>

===== Add new conf file =====

<code bash>
vi /etc/amavis/conf.d/70-policy_bank
</code>

with content

<code perl>
# policy bank to have mails DKIM signed
$policy_bank{'ORIGINATING'} = {
  # indicates client is ours, allows signing
  originating => 1,
  # force MTA to convert mail to 7-bit before DKIM signing
  # to avoid later conversions which could destroy signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  # forward to a smtpd service providing DKIM signing service
  # (if using a signing milter instead of signing by amavisd):
  forward_method => 'smtp:[127.0.0.1]:10025',
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["spamalert\@$mydomain"],
};

# Use ORIGINATING policy to enable DKIM signing
$interface_policy{'10024'} = 'ORIGINATING';
</code>

===== Restart amavis =====

<code bash>
service amavis restart
</code>

===== Test =====

  * https://dkimvalidator.com
  * https://www.unlocktheinbox.com (send mail to mailtest@unlocktheinbox.com)

====== Tested on ======

  * Debian Jessie 8.7
  * ISPConfig 3.1.1p1

====== See also ======

  * [[wiki:send_test_email_server|Send test email from server]]
  * [[wiki:send_test_email_via_php|Send test email via php]]

====== References ======

  * https://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/
  * https://www.linuxquestions.org/questions/linux-server-73/how-to-dkim-sign-emails-by-amavisd-new-839526/page2.html
  * https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns