DKIM keys via amavis
Generate new private/public key pair
Manual
amavisd-new genrsa /var/lib/amavis/example.key.pem 1024
openssl rsa -in /var/lib/amavis/example.key.pem -out /var/lib/amavis/example.key.pem.public -pubout -outform PEM
Create new configuration
vi /etc/amavis/conf.d/60-dkim
add
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'mail1550766080', '/var/lib/amavis/example.key.pem');
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } }
);
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);
List public keys
amavisd-new showkeys
...
; key#2  1024 bits, i=mail1550766080, d=example.com, /var/lib/amavis/example.key.pem
mail1550766080._domainkey.example.com.  3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUwuIBMBsfo1uMwM8baCLy3VMw"
  "Iv1lhIfUq6r2ZhSEySmFpJt0QEDl2JxId/0nHUD9kqaeQIOh+BvMYfQbJypltvJw"
  "BcXhDeC0JmCv39/PXQGKPunoJXB27iDkrz8RQNVH1eJaSjT033PTa1cb8orPNHRN"
  "s3tjCMzu6eonaFWKmQIDAQAB")
and copy it into the DNS zone.
Via ISPconfig web UI
Under Email > choose domain > DomainKeys Identified Mail (DKIM) you can generate the keys.
Don't add the public key via the ISPConfig web UI (DNS > Records), because the input form truncates it if the key has 2048 bits. Instead, add it directly in the zone file on the server under /etc/bind, e.g.:
...
example.com. 86400 TXT "v=spf1 a mx ip4:138.201.137.220 -all"
example.com. 3600 TXT "google-site-verification=Vd9dD-9pxxxxxxxxxxxxxxxxxxxx-bdxxxxx"
example.com. 3600 TXT "MS=ms20857300"
mail1550766080._domainkey.example.com. 3600 TXT "v=DKIM1; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUwuIBMBsfo1uMwM8baCLy3VMwIv1lhIfUq6r2ZhSEySmFpJt0QEDl2JxId/0nHUD9kqaeQIOh+BvMYfQbJypltvJwBcXhDeC0JmCv39/PXQGKPunoJXB27iDkrz8RQNVH1eJaSjT033PTa1cb8orPNHRNs3tjCMzu6eonaFWKmQIDAQAB"
If the key is generated via ISPConfig, the record is added automatically.
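The two places above where the public key ends up in DNS (the `showkeys` output and the hand-edited zone file) both hinge on one DNS detail: a single TXT character-string holds at most 255 octets, so a 2048-bit key (392 base64 characters) must be published as several quoted strings that verifiers concatenate, which is exactly what the ISPConfig form gets wrong. The following script is an added example, not part of this wiki page or of amavisd-new/ISPConfig; it uses only the Python standard library. It takes the PEM public key that `openssl rsa -pubout` writes, reads the RSA modulus size from the DER to enforce the RFC 8301 floor of 1024 bits (2048 is the recommended size), renders the zone-file line with correct string splitting, and can check that a set of published TXT strings carries exactly the local key. `SAMPLE_PEM` is constructed from the key printed on this page; the function and tag names are this example's own.

```python
"""Build and check a DKIM DNS TXT record from a PEM public key (stdlib only)."""
import base64

# Constructed sample input: the 1024-bit public key that `amavisd-new showkeys`
# prints on this page (selector mail1550766080, domain example.com), wrapped in
# the PEM armour that `openssl rsa -pubout` produces.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUwuIBMBsfo1uMwM8baCLy3VMw
Iv1lhIfUq6r2ZhSEySmFpJt0QEDl2JxId/0nHUD9kqaeQIOh+BvMYfQbJypltvJw
BcXhDeC0JmCv39/PXQGKPunoJXB27iDkrz8RQNVH1eJaSjT033PTa1cb8orPNHRN
s3tjCMzu6eonaFWKmQIDAQAB
-----END PUBLIC KEY-----
"""

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
MAX_TXT_STRING = 255  # one DNS <character-string> carries at most 255 octets


def _der_read(buf, pos=0):
    """Read one DER TLV at `pos`; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def pem_body(pem):
    """Strip PEM armour and return the base64 text that goes into the p= tag."""
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    base64.b64decode(body, validate=True)  # reject anything that is not clean base64
    return body


def rsa_modulus_bits(spki_der):
    """Return the modulus size of an RSA SubjectPublicKeyInfo (RFC 5280 layout)."""
    tag, spki, _ = _der_read(spki_der)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _der_read(spki)            # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsa_pub, _ = _der_read(bitstr[1:])      # RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_read(rsa_pub)       # first INTEGER is the modulus n
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(modulus, "big").bit_length()


def key_bits(pem):
    """Modulus size of the key inside a PEM public key."""
    return rsa_modulus_bits(base64.b64decode(pem_body(pem)))


def split_txt(value, limit=MAX_TXT_STRING):
    """Split a long TXT value into <=255-octet strings; verifiers rejoin them."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def dkim_txt_record(selector, domain, pem, ttl=3600, testing=False):
    """Render the zone-file line for selector._domainkey.domain."""
    b64 = pem_body(pem)
    bits = rsa_modulus_bits(base64.b64decode(b64))
    if bits < 1024:  # RFC 8301: verifiers must not accept smaller RSA keys
        raise ValueError(f"{bits}-bit key is too small for DKIM")
    value = "v=DKIM1; " + ("t=s; " if testing else "") + "p=" + b64
    strings = split_txt(value)
    rdata = " ".join(f'"{s}"' for s in strings)
    if len(strings) > 1:
        rdata = f"( {rdata} )"  # multi-string rdata needs parentheses in a zone file
    return f"{selector}._domainkey.{domain}. {ttl} TXT {rdata}"


def parse_dkim_record(strings):
    """Rejoin published TXT strings as a verifier would; return tag=value pairs."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def record_matches_key(strings, pem):
    """True if the published TXT strings carry exactly the key in `pem`."""
    tags = parse_dkim_record(strings)
    return tags.get("v") == "DKIM1" and tags.get("p") == pem_body(pem)


if __name__ == "__main__":
    print(f"key size: {key_bits(SAMPLE_PEM)} bits")
    print(dkim_txt_record("mail1550766080", "example.com", SAMPLE_PEM))
```

Feed `record_matches_key` the quoted strings returned by `dig +short TXT mail1550766080._domainkey.example.com` (one list entry per quoted string) to confirm that what the resolver sees is the same key amavis signs with; a truncated record from the web form fails this check even though `amavisd-new testkeys` only tells you that some record exists.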
Check if the key is added
amavisd-new testkeys
TESTING#1 example.org: example._domainkey.example.org => pass
TESTING#2 example.com: mail._domainkey.example.com => pass
Add new conf file
vi /etc/amavis/conf.d/70-policy_bank
with content
# policy bank to have mails DKIM signed
$policy_bank{'ORIGINATING'} = {
  # indicates client is ours, allows signing
  originating => 1,
  # force MTA to convert mail to 7-bit before DKIM signing
  # to avoid later conversions which could destroy signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  # forward to a smtpd service providing DKIM signing service
  # (if using a signing milter instead of signing by amavisd):
  forward_method => 'smtp:[127.0.0.1]:10025',
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps => ["spamalert\@$mydomain"],
};
# Use ORIGINATING policy to enable DKIM signing
$interface_policy{'10024'} = 'ORIGINATING';
Restart amavis
service amavis restart
Test
- https://dkimvalidator.com
- https://www.unlocktheinbox.com (send mail to mailtest@unlocktheinbox.com)
Tested on
- Debian Jessie 8.7
- ISPConfig 3.1.1p1
wiki/dkim_keys_via_amavis.txt · Last modified: 2022/09/30 14:16 by antisa