MailServer Configuration (autodiscover, SPF, DKIM)

#Before you install your NethServer

  • Please consider a server must have FQDN
    # when you run hostname -f it must return something like SERVER.DOMAIN.TLD
  • And your DNS zone must look something like this
    A @
    A server1.domain.tld.
    CNAME mail. server1.domain.tld.

#After you installed your Nethserver


  • simply add a CNAME with autodiscover and point it to your mailserver
    CNAME autodiscover. mail.domain.tld.


  • add a TXT entry


TXT @ "v=spf1 a:domain.tld mx ?all"


# amavisd genrsa /etc/pki/tls/private/YOUR_DOMAIN-dkim.key.pem
# chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
# chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
# mkdir -p /etc/e-smith/templates-custom/etc/amavisd.conf

add those lines into /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim

# filippo enable dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key(‘’, ‘dkim’, ‘/etc/pki/tls/private/nethesis-dkim.key.pem’);
@dkim_signature_options_bysender_maps = (
{ ‘.’ => { ttl => 21243600, c => ‘relaxed/relaxed’ } } );

Edit your DNS

# amavisd -u amavis -g amavis showkeys

  • make a TXT with this info
    TXT dkim._domainkey "v=DKIM1; k=rsa; " “p=…OpenDKIMKey…”

##Restart service
# signal-event nethserver-mail-server-update

##Test your mail configuration

Thanks @filippo_carletti for your help!


I think that DKIM setup is much more simple following the commands shown here:

Why do you think milters are a better way?

maybe, but I know mine works and before I made it, I did’nt find anything about DKIM into this forum.
do you have DKIM with AMAVIS in production ?

Yep! Amavis is only that you need !

You’re both probably right but I’d tried with Amavis
in this file /etc/amavisd.conf
# ================= DO NOT MODIFY THIS FILE =================
# Manual changes will be lost when this file is regenerated.

and at the step3 of this howto :
i’d receive this error : amavisd showkeys

Yep, since when I wrote that issue.

Would you mind trying the simpler setup described in the issue to validate my configurations?
We could move on and work together on a better config and have it as a default.

Note: a lot of material is archived on the old google forum:!forum/nethserver

Thank to reply :wink:
Of course I want to do it like you described…
Saddly I don’t trully understand

it is those line you talk about ?

# grep dkim /etc/amavisd.conf


# amavisd genrsa /etc/pki/tls/private/nethesis-dkim.key.pem
# chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
# chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
# cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim

Oops, the commands are my notes, hard to understand even for me, sorry. I should have been more careful. :smile:

Run the following commands:

amavisd genrsa /etc/pki/tls/private/nethesis-dkim.key.pem
chgrp amavis /etc/pki/tls/private/nethesis-dkim.key.pem
chmod g+r /etc/pki/tls/private/nethesis-dkim.key.pem
mkdir -p /etc/e-smith/templates-custom/etc/amavisd.conf
cat <<EOF >/etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
# filippo enable dkim
\$enable_dkim_verification = 1;
\$enable_dkim_signing = 1;
dkim_key('', 'dkim', '/etc/pki/tls/private/nethesis-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
\{ '.' => \{ ttl => 21*24*3600, c => 'relaxed/simple' \} \} );
signal-event nethserver-mail-server-update

These commands generates a proper RSA key for dkim, give the key file the correct permissions to be accessed by amavisd, create a custom template to enable dkim in amavisd and apply the new configuration.

Do you think it would be a valuable addition to the system having a server-manager interface to confgiure DKIM?

After i’d followed those instruction with the command : amavisd showkeys
i’d receive : Error in config file “/etc/amavisd.conf”: syntax error at /etc/amavisd.conf line 303, near "="
so I add those line into /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

and now, when i’m running : amavisd showkeys
I have the same result then before : drop_priv: No such username:

Mightbe a nice feature to add into the server-manager but with an option to choose if you want to be : relaxed/relaxed or relaxed/simple
because G**gle use relaxed/relaxed.

amavisd -u amavis -g amavis showkeys
1 Like

@filippo_carletti all is cool but :
1 in WebUI we need to see Dkim key for copying for our DNS Provider.
2 If we use DNSmasq we need to integrate Dkim to it .
Because @JOduMonT is newcommer and if it have success on Amavis , he hardly sign his letter by DNS provider :slight_smile:

so everything is fine and working thank @filippo_carletti
But I kept those modifications
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

1 Like

I don’t understand, sorry. How do you intend to integrate dnsmasq and dkim?

My bad, sorry: variable expansion happens in heredoc, need to protect $.

@filippo_carletti so if we use DKIM and DNSmasq we should add TXT record to DNSmasq,"v=DKIM1; t=y; k=rsa;
 y9SowCrZWNgLtuxBjDaI20CAwEAAQ==","dkim=all; t=s"
1 Like

Got it, thank you @Nas. This usually go into the registrar/dns maintainer web panel.

So; this morning I need to disable the antivirus filter (AMAVIS)
on my email to send and receive email ;(
I did’nt trully find a clear error into log.

@JOduMonT tell us fully , what have beed done with AMAVIS… try to help you

1 Like

amavis has it’s own log verbosity

####cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key(‘’, ‘dkim’, ‘/etc/pki/tls/private/deass-dkim.key.pem’);
@dkim_signature_options_bysender_maps = (
{ ‘.’ => { ttl => 21243600, c => ‘relaxed/relaxed’ } } );

####[root@neth1 ~]# amavisd -u amavis -g amavis showkeys
; key#1, domain, /etc/pki/tls/private/deass-dkim.key.pem 3600 TXT (
“enh5kEUfxSRVRDqF4Fsq366D6nkXgrPHWeyNDh1j32sDNTaPsaHfFjUeJvKwu153” “flU5i31ZwKlvDpe8FyrQO3A3q45wlUXLyyReZysaKhRQF38s14B+G7iZA2ABCo0a”

and I’d restart the service

into my DNS

txt dkim._domainkey “v=DKIM1; p=” “MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+qUWxnFO37pR+H/ij0z9i7Zkv” “enh5kEUfxSRVRDqF4Fsq366D6nkXgrPHWeyNDh1j32sDNTaPsaHfFjUeJvKwu153” “flU5i31ZwKlvDpe8FyrQO3A3q45wlUXLyyReZysaKhRQF38s14B+G7iZA2ABCo0a” “lbMbZ7RPQ/C+sMn1nQIDAQAB”

and letter become to stuck ?