I updated issue 1910 (http://dev.nethserver.org/issues/1910), but I’m still unsure about the effectiveness of DKIM (I’m using it).
Anyone who has experience and wants to contribute data could add comments here.
@filippo_carletti DKIM is only for validating our mail server to external servers like Google and so on, so without DKIM Google could mark our letter as spam.
It’s not that easy: you control (through DNS) how others should behave regarding DKIM. And DKIM setup is easy for a spammer. Assuming a DKIM pass is a ham indicator is a bad idea.
This is my second time doing DKIM, per the instructions on this page, this time I get the following errors:
amavisd -u amavis -g amavis showkeys
#
No DKIM private keys declared in a config file
amavisd -u amavis -g amavis showkeys
Error in config file "/etc/amavisd.conf": Undefined subroutine &Amavis::Conf::HASH called at /etc/amavisd.conf line 295.
sed -n 291,300p /etc/amavisd.conf
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'dkim', '/etc/pki/tls/private/example.com-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
HASH(0x14c88f0) );
ls -alF /etc/pki/tls/private
-rw-------. 1 root root 1675 Jan 14 23:11 server1.example.com.pem
-rw-------. 1 root root 1704 Sep 1 18:55 httpd-admin.key
-rw-------. 1 root root 1704 Sep 1 19:58 localhost.key
-rw-------. 1 root root 1704 Sep 1 18:54 NSRV.key
-rw-r-----. 1 root amavis 891 Jan 14 22:56 example.com-dkim.key.pem
cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'dkim', '/etc/pki/tls/private/example.com-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/relaxed' } } );
Where did I go WRONG?
Could you check all backslashes are in place in /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
@dkim_signature_options_bysender_maps = ( \{ '.' => \{ ttl => 21*24*3600, c => 'relaxed/simple' \} \} );
Hi @tzar,
Please regenerate this file by the command below:
signal-event nethserver-mail-filter-update
amavisd -u amavis -g amavis -c /etc/amavisd.conf showkeys
Thank you very much for your assistance. DKIM, SPF, and DMARC records are up and working.
$ amavisd genrsa /etc/pki/tls/private/example.com-dkim.key.pem
$ chgrp amavis /etc/pki/tls/private/example.com-dkim.key.pem
$ chmod g+r /etc/pki/tls/private/example.com-dkim.key.pem
$ mkdir -p /etc/e-smith/templates-custom/etc/amavisd.conf
$ nano /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
#filippo enable dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
$log_level = 5;
dkim_key('example.com', 'dkim', '/etc/pki/tls/private/example.com-dkim.key.pem');
@dkim_signature_options_bysender_maps = ( \{ '.' => \{ ttl => 21*24*3600, c => 'relaxed/simple' \} \} );
$ signal-event nethserver-mail-filter-update
$ signal-event nethserver-mail-server-update
$ amavisd -u amavis -g amavis -c /etc/amavisd.conf showkeys
https://support.google.com/a/answer/2466563?hl=en - used for DMARC
http://www.mailradar.com/spf/ - used for SPF
Great job man! Thanks for your feedback
@filippo_carletti is it ready to be added to the core? Or needs more tests?
Happy New Year!
Is it possible for someone to confirm that DKIM signing of outgoing mails is currently working, as discussed here a year ago?
I didn’t check recently, but I think that DKIM signing works only if you use a disclaimer text.
Hi Filippo!
Thanks for your feedback - you are absolutely correct, DKIM signing works only when disclaimer text is used.
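One way to confirm whether an outgoing message was actually signed, as discussed in the posts above, is to read the DKIM-Signature header of a delivered copy. The script below is an added example, not code from this thread or from amavisd; the function names and both sample messages are constructed, with the d=, s= and c= values taken from the configuration posted here.

```shell
#!/bin/sh
# Added example: report the d=, s= and c= tags of each DKIM-Signature header.

# dkim_tags FILE: print one "c=... d=... s=..." line per signature found in the
# header section of a raw message; returns 1 when there is no signature.
dkim_tags() {
    awk '
        function flush(   n, i, t, out) {
            if (hdr == "") return
            sub(/^[^:]*:/, "", hdr); gsub(/[ \t\r]/, "", hdr)
            n = split(hdr, t, ";"); out = ""
            for (i = 1; i <= n; i++)
                if (t[i] ~ /^[dsc]=/) out = out (out == "" ? "" : " ") t[i]
            print out; found = 1; hdr = ""
        }
        /^\r?$/   { exit }                    # blank line ends the headers
        /^[^ \t]/ { flush(); insig = (tolower($0) ~ /^dkim-signature:/) }
        insig     { hdr = hdr $0 }            # header line plus folded lines
        END       { flush(); exit(found ? 0 : 1) }
    ' "$1"
}

# signed_by FILE DOMAIN SELECTOR: succeed only if one signature carries both.
signed_by() {
    dkim_tags "$1" | awk -v d="d=$2" -v s="s=$3" '
        { hd = hs = 0
          for (i = 1; i <= NF; i++) { if ($i == d) hd = 1; if ($i == s) hs = 1 }
          if (hd && hs) hit = 1 }
        END { exit(hit ? 0 : 1) }'
}

# Constructed messages: one signed with selector "dkim", one with no signature.
make_msgs() {
    cat > "$1/signed.eml" <<'EOF'
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;
 h=from:subject:date; s=dkim; t=1452812400; bh=CONSTRUCTED=;
 b=CONSTRUCTED
From: user@example.com
Subject: test

body
EOF
    sed '1,3d' "$1/signed.eml" > "$1/unsigned.eml"
}

m=$(mktemp -d); make_msgs "$m"
for f in signed unsigned; do
    if signed_by "$m/$f.eml" example.com dkim; then echo "$f: signed"; else echo "$f: NOT signed"; fi
done
rm -rf "$m"
```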
Sorry to bring on this subject under the carpet again but
I followed the @tzar instruction on a Nethserver 7
and the result is :
$ signal-event nethserver-mail-filter-update
$ signal-event nethserver-mail-server-update
$ amavisd -u amavis -g amavis -c /etc/amavisd/amavisd.conf showkeys
No DKIM private keys declared in a config file.
####and
cat /etc/amavisd/amavisd.conf |grep dkim
$enable_dkim_verification = 0; # disable DKIM signatures verification
$enable_dkim_signing = 0; # disable DKIM signing code
###So I double check and obviously can’t see my mistake
####95dkim config file
cat /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim
# filippo enable dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
$log_level = 5;
dkim_key('domain1.tld', 'dkim', '/etc/pki/tls/private/domain1.tld-dkim.key.pem');
@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
# filippo enable dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
$log_level = 5;
dkim_key('domain2.tld', 'dkim', '/etc/pki/tls/private/domain2.tld-dkim.key.pem');
@dkim_signature_options_bysender_maps = ( { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
#####REMARK:
- the @dkim_signature_options_bysender_maps = is in one line
- the file is group owned by amavis and this group has the right to read
I think you have to give the command
amavisd -u amavis -g amavis -c /etc/amavisd.conf showkeys
instead of
amavisd -u amavis -g amavis -c /etc/amavisd/amavisd.conf showkeys
Thanks Paolo;
but the file amavisd.conf is, in my case at least, really in /etc/amavisd/amavisd.conf
Any luck with DKIM for Nethserver 7?
I’ve followed these instructions successfully on NS7. The configuration file is now /etc/amavisd/amavisd.conf and so you’ll need to edit /etc/e-smith/templates-custom/etc/amavisd/amavisd.conf/95dkim (for example) rather than /etc/e-smith/templates-custom/etc/amavisd.conf/95dkim.
It works!!! Happy signing…
$ amavisd genrsa /etc/pki/tls/private/example.com-dkim.key.pem
$ chgrp amavis /etc/pki/tls/private/example.com-dkim.key.pem
$ chmod g+r /etc/pki/tls/private/example.com-dkim.key.pem
$ mkdir -p /etc/e-smith/templates-custom/etc/amavisd/amavisd.conf
$ nano /etc/e-smith/templates-custom/etc/amavisd/amavisd.conf/95dkim
#filippo enable dkim
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
$log_level = 5;
dkim_key('example.com', 'dkim', '/etc/pki/tls/private/example.com-dkim.key.pem');
@dkim_signature_options_bysender_maps = ( \{ '.' => \{ ttl => 21*24*3600, c => 'relaxed/simple' \} \} );
$ signal-event nethserver-mail-filter-update
$ signal-event nethserver-mail-server-update
$ amavisd -u amavis -g amavis -c /etc/amavisd/amavisd.conf showkeys
Add the disclaimer by going to the server control panel, on the left hand side, Configuration -> Email. Press edit beside your domain name and add your disclaimer.
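The two configuration failures reported in this thread (braces without backslashes turning into HASH(0x...), and an expanded amavisd.conf that still has signing disabled because the fragment sat under the wrong templates-custom path) can be caught before running showkeys. The lint below is an added example, not NethServer's or any poster's code; the function names and sample files are constructed from the snippets posted above.

```shell
#!/bin/sh
# Added example: lints for the DKIM template failures reported in this thread.

# lint_fragment FILE: check a templates-custom fragment such as 95dkim.
# Prints one finding per line; returns 1 if anything was found.
lint_fragment() {
    rc=0
    # A brace without a leading backslash is what HASH(0x...) was traced to.
    grep -qE '(^|[^\\])[{}]' "$1" && { echo "unescaped-brace"; rc=1; }
    # Typographic quotes picked up by copying from a rendered web page.
    grep -qF -e '‘' -e '’' "$1" && { echo "typographic-quote"; rc=1; }
    # Settings pasted onto a '#' line are only a comment to Perl.
    grep -qE '^[[:space:]]*#.*dkim_key\(' "$1" && { echo "setting-in-comment"; rc=1; }
    return $rc
}

# lint_expanded FILE: check the expanded amavisd.conf after signal-event.
lint_expanded() {
    rc=0
    grep -qF 'HASH(0x' "$1" && { echo "stringified-hashref"; rc=1; }
    # The last assignment wins in Perl, so that is the one tested.
    last=$(grep -E '^[[:space:]]*\$enable_dkim_signing[[:space:]]*=' "$1" | tail -n 1)
    case $last in *'= 1;'*) ;; *) echo "signing-not-enabled"; rc=1 ;; esac
    grep -qE '^[[:space:]]*dkim_key\(' "$1" || { echo "no-dkim_key"; rc=1; }
    return $rc
}

# Constructed sample files modelled on the snippets posted in this thread.
make_samples() {
    cat > "$1/good" <<'EOF'
$enable_dkim_signing = 1;
dkim_key('example.com', 'dkim', '/etc/pki/tls/private/example.com-dkim.key.pem');
@dkim_signature_options_bysender_maps = ( \{ '.' => \{ ttl => 21*24*3600, c => 'relaxed/simple' \} \} );
EOF
    sed 's/\\//g' "$1/good" > "$1/bad"      # same fragment, backslashes lost
    cat > "$1/expanded" <<'EOF'
$enable_dkim_signing = 1;
dkim_key('example.com', 'dkim', '/etc/pki/tls/private/example.com-dkim.key.pem');
@dkim_signature_options_bysender_maps = (
HASH(0x14c88f0) );
EOF
}

d=$(mktemp -d); make_samples "$d"
for f in good bad; do echo "$f: $(lint_fragment "$d/$f" | tr '\n' ' ')"; done
echo "expanded: $(lint_expanded "$d/expanded" | tr '\n' ' ')"
rm -rf "$d"
```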
I know this is an old thread, but for the sake of anyone finding it in a search, this setting won’t (by itself) do anything to make email clients automatically discover your server settings. Information on a simple configuration for this purpose is in this thread, and hopefully an automx module will be available soon which will handle all this stuff.
Hi @danb35
I tried to edit it to remove this part, but I think because @alefattorini edited it after me I lost the edit rights on it.