# Sign DKIM signature on outgoing emails for new mail domain

[TOC]

> Don't know what DKIM is? Check our tutorial here:
> [What is a DKIM DNS record](./setup.dns.html#dkim-record-for-your-mail-domain-name).

> Don't know where the Amavisd config file is? Check this tutorial:
> [Locations of configuration and log files of major components](file.locations.html#amavisd).

iRedMail configures Amavisd to sign outgoing emails for the first mail domain
you added during iRedMail installation. If you added a new mail domain, you
should update the Amavisd config file so that it signs DKIM signatures for that
domain as well.

Let's say your first mail domain added during iRedMail installation is
`mydomain.com`, and the new mail domain is `new_domain.com`. Please follow the
steps below to enable DKIM signing for outgoing emails of this domain.

## Use existing DKIM key for new mail domain

If you already have a working DKIM key and a valid DKIM DNS record, it's OK to
use this existing DKIM key to sign emails sent by other hosted mail domains.
This way, you don't need to ask your customer who owns this new domain to add
a DKIM DNS record.

* Find below setting in Amavisd config file `amavisd.conf`:

```
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");

@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
```

Add one line in `@dkim_signature_options_bysender_maps`, after the `"mydomain.com"`
line, like below:

```
@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "new_domain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
```

* Restart Amavisd service.

## Generate new DKIM key for new mail domain

If you or your customer prefer to use their own DKIM key for the new domain,
you can generate a new DKIM key and ask your customer to add the matching DKIM
DNS record. Refer to our tutorial to
[add DKIM DNS record](setup.dns.html#dkim-record-for-your-mail-domain-name).

* Generate new DKIM key for new domain.

```shell
# amavisd-new genrsa /var/lib/dkim/new_domain.com.pem 2048
```

`2048` is the key length in bits.

Note: if you're running CentOS, you may need to specify its config file on
the command line. For example:

```shell
# amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/new_domain.com.pem 2048
```

* Find below setting in Amavisd config file `amavisd.conf`:

```
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
```

Add one line after the above line, like below:

```
dkim_key('new_domain.com', "dkim", "/var/lib/dkim/new_domain.com.pem");
```

* Find below setting in Amavisd config file `amavisd.conf`:

```
@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
```

Add one line after the `"mydomain.com"` line, like below:

```
@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "new_domain.com" => { d => "new_domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
```

* Restart Amavisd service.

Again, don't forget to ask your customer to add the DKIM DNS record.

## Use one DKIM key for all mail domains without updating Amavisd config file

For compatibility with dkim_milter the signing domain can include a '*'
as a wildcard. This is not recommended, as this way amavisd could produce
signatures which have no corresponding public key published in DNS.
The proper way is to have one `dkim_key` entry for each mail domain.

If you still want to try this, please follow below steps:

* Find below setting in Amavisd config file `amavisd.conf`:

```
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
```

* Replace it by below line:

```
dkim_key('*', "dkim", "/var/lib/dkim/mydomain.com.pem");
```

* Restart Amavisd service.

With the above setting, all outbound emails will be signed with this DKIM key,
and Amavisd will show a warning message when you start the amavisd service:

> dkim: wildcard in signing domain (key#1, *), may produce unverifiable
> signatures with no published public key, avoid!
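
As an added example for this page (it is not code from iRedMail or from amavisd), the Python script below lints the DKIM section of a copy of `amavisd.conf` and catches the mistakes the three procedures above can leave behind: a `d =>` signing domain in `@dkim_signature_options_bysender_maps` that has no matching `dkim_key()` entry (amavisd then has no key registered for that domain), and the wildcard `dkim_key('*', ...)` that produces signatures with no published public key. The sample config strings are constructed for the demo, and the rule it enforces (that `d` must name a domain registered with `dkim_key()`, and that `d` defaults to the sender domain when omitted) is an assumption drawn from this tutorial's own examples, not a documented amavisd API.

```python
"""Lint the DKIM signing section of an amavisd.conf copy.

Added example for this tutorial, not part of iRedMail or amavisd. It checks
that every signing domain `d` in @dkim_signature_options_bysender_maps has a
matching dkim_key() entry and flags a wildcard dkim_key('*', ...). The sample
configs and the "d must be a registered dkim_key() domain" rule are taken
from the tutorial's examples (assumption), not from an amavisd API.
"""
import re
import sys

# Constructed sample: the tutorial's starting config plus a map entry for
# new_domain.com whose own key has NOT been registered with dkim_key() yet.
BROKEN_CONF = r'''
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");

@dkim_signature_options_bysender_maps = ( {
    "mydomain.com"   => { d => "mydomain.com",   a => 'rsa-sha256', ttl => 10*24*3600 },
    "new_domain.com" => { d => "new_domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
});
'''

# Constructed: "Use existing DKIM key" variant -- new_domain.com mail is signed
# with mydomain.com's key, so the signature carries d=mydomain.com.
REUSE_CONF = BROKEN_CONF.replace('d => "new_domain.com"', 'd => "mydomain.com"')

# Constructed: "Generate new DKIM key" variant -- the missing dkim_key() added.
FIXED_CONF = BROKEN_CONF.replace(
    '.pem");\n',
    '.pem");\ndkim_key(\'new_domain.com\', "dkim", "/var/lib/dkim/new_domain.com.pem");\n',
    1)

# Constructed: the wildcard variant the tutorial advises against.
WILDCARD_CONF = BROKEN_CONF.replace("dkim_key('mydomain.com'", "dkim_key('*'")

DKIM_KEY_RE = re.compile(
    r"""dkim_key\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")
MAP_BLOCK_RE = re.compile(
    r"@dkim_signature_options_bysender_maps\s*=\s*\(\s*\{(.*?)\}\s*\)\s*;", re.S)
MAP_ENTRY_RE = re.compile(r"""['"]([^'"]+)['"]\s*=>\s*\{([^}]*)\}""")
OPT_RE = re.compile(r"""\b(\w+)\s*=>\s*['"]?([^'",\s}]+)['"]?""")


def parse_dkim_keys(conf):
    """Map (signing domain, selector) -> private key path for each dkim_key() call."""
    return {(dom, sel): path for dom, sel, path in DKIM_KEY_RE.findall(conf)}


def parse_bysender_map(conf):
    """Map sender domain -> {option: value} from the bysender options map."""
    block = MAP_BLOCK_RE.search(conf)
    if not block:
        return {}
    return {sender: dict(OPT_RE.findall(body))
            for sender, body in MAP_ENTRY_RE.findall(block.group(1))}


def lint_dkim_config(conf):
    """Return a list of findings; an empty list means the section is consistent."""
    keys = parse_dkim_keys(conf)
    key_domains = {dom for dom, _ in keys}
    findings = []
    for dom, sel in sorted(keys):
        if dom == "*":
            findings.append(
                f"dkim_key('*', '{sel}', ...): wildcard signing domain; "
                "signatures for domains without a published public key will not verify")
    for sender, opts in parse_bysender_map(conf).items():
        dom = opts.get("d", sender)  # assumed default: sign as the sender domain
        if "*" in key_domains:
            continue  # a wildcard key matches any d, which is exactly the problem above
        if dom not in key_domains:
            findings.append(f"{sender}: d={dom} has no dkim_key() entry")
        elif "s" in opts and (dom, opts["s"]) not in keys:
            findings.append(f"{sender}: no dkim_key() for d={dom} with selector s={opts['s']}")
    return findings


def main(argv):
    """CLI: python3 lint_dkim.py /path/to/amavisd.conf (lints the demo config if no path)."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            findings = lint_dkim_config(fh.read())
    else:
        findings = lint_dkim_config(BROKEN_CONF)
    for line in findings:
        print("WARNING:", line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against your own `amavisd.conf` path (see the file-locations link at the top) after editing and before restarting Amavisd; a non-zero exit means something to fix. It only checks the config text. Whether the public key is actually published in DNS is a separate question, which amavisd's own `testkeys` subcommand answers. One caveat on the first procedure (reusing `mydomain.com`'s key for `new_domain.com`): the resulting signature carries `d=mydomain.com`, so it verifies, but it does not align with a `From:` address at `new_domain.com` for DMARC purposes; if `new_domain.com` publishes a DMARC policy, its mail then depends on SPF alignment alone. Generating a separate key for the new domain, as in the second procedure, avoids that.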

## References

* Amavisd official document: [Setting up DKIM mail signing and verification](http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim)