2014-10-10 23:05:53 -05:00
< html >
< head >
< meta http-equiv = "Content-Type" content = "text/html; charset=utf-8" / >
< title > Sign DKIM signature on outgoing emails for new mail domain< / title >
2015-07-31 23:14:52 -05:00
< link rel = "stylesheet" type = "text/css" href = "./css/markdown.css" / >
2014-10-10 23:05:53 -05:00
< / head >
< body >
< div id = "navigation" >
2016-03-15 08:23:02 -06:00
< a href = "/index.html" target = "_blank" > < img alt = "iRedMail web site" src = "images/logo-iredmail.png" style = "vertical-align: middle; height: 30px;" / > < span > iRedMail< / span > < / a >
2016-02-29 02:15:19 -06:00
// < a href = "./index.html" > Document Index< / a > < / div > < h1 id = "sign-dkim-signature-on-outgoing-emails-for-new-mail-domain" > Sign DKIM signature on outgoing emails for new mail domain< / h1 >
2014-10-11 02:42:05 -05:00
< div class = "toc" >
< ul >
< li > < a href = "#sign-dkim-signature-on-outgoing-emails-for-new-mail-domain" > Sign DKIM signature on outgoing emails for new mail domain< / a > < ul >
< li > < a href = "#use-existing-dkim-key-for-new-mail-domain" > Use existing DKIM key for new mail domain< / a > < / li >
< li > < a href = "#generate-new-dkim-key-for-new-mail-domain" > Generate new DKIM key for new mail domain< / a > < / li >
< li > < a href = "#use-one-dkim-key-for-all-mail-domains-without-updating-amavisd-config-file" > Use one DKIM key for all mail domains without updating Amavisd config file< / a > < / li >
2015-07-07 10:36:36 -05:00
< li > < a href = "#references" > References< / a > < / li >
2014-10-11 02:42:05 -05:00
< / ul >
< / li >
< / ul >
< / div >
2014-10-10 23:05:53 -05:00
< blockquote >
2014-12-15 08:34:46 -06:00
< p > Don't know what DKIM is? Check our tutorial here:
2015-05-15 19:58:44 -05:00
< a href = "./setup.dns.html#dkim-record-for-your-mail-domain-name" > What is a DKIM DNS record< / a > .< / p >
2014-10-10 23:05:53 -05:00
< p > Don't know where Amavisd config file is? check this tutorial:
2016-02-10 06:05:52 -06:00
< a href = "file.locations.html#amavisd" > Locations of configuration and log files of major components< / a > .< / p >
2014-10-10 23:05:53 -05:00
< / blockquote >
< p > iRedMail configures Amavisd to sign outgoing emails for the first mail domain
you added during iRedMail installation. If you added new mail domain, you
should update Amavisd config file to sign DKIM signature for it.< / p >
< p > Let's say your first mail domain added during iRedMail installation is
2014-10-11 22:46:28 -05:00
< code > mydomain.com< / code > , and new mail domain is < code > new_domain.com< / code > , please follow below
2014-10-10 23:05:53 -05:00
steps to enable DKIM signing for outgoing emails of this domain.< / p >
2014-10-11 02:40:30 -05:00
< h2 id = "use-existing-dkim-key-for-new-mail-domain" > Use existing DKIM key for new mail domain< / h2 >
< p > if you already have a working DKIM and valid DKIM DNS record, it's ok to
2014-12-15 08:34:46 -06:00
use this existing DKIM key to sign emails sent by other hosted mail domains.
This way, you don't need to ask your customer who owns this new domain to add
DKIM DNS record.< / p >
2014-10-11 02:40:30 -05:00
< ul >
< li > Find below setting in Amavisd config file < code > amavisd.conf< / code > :< / li >
< / ul >
< pre > < code > dkim_key('mydomain.com', " dkim" , " /var/lib/dkim/mydomain.com.pem" );
@dkim_signature_options_bysender_maps = ( {
...
" mydomain.com" => { d => " mydomain.com" , a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
< / code > < / pre >
< p > Add one line in < code > @dkim_signature_options_bysender_maps< / code > , after < code > "mydomain.com"< / code >
line like below:< / p >
< pre > < code > @dkim_signature_options_bysender_maps = ( {
...
" mydomain.com" => { d => " mydomain.com" , a => 'rsa-sha256', ttl => 10*24*3600 },
2014-10-11 22:46:28 -05:00
" new_domain.com" => { d => " mydomain.com" , a => 'rsa-sha256', ttl => 10*24*3600 },
2014-10-11 02:40:30 -05:00
...
});
< / code > < / pre >
< ul >
< li > Restart Amavisd service.< / li >
< / ul >
< h2 id = "generate-new-dkim-key-for-new-mail-domain" > Generate new DKIM key for new mail domain< / h2 >
< p > If you or your customer prefer to use their own DKIM key, you can generate
a new DKIM key and ask your customer to add DKIM DNS record. Refer to our
2014-11-02 17:59:04 -06:00
tutorial to < a href = "setup.dns.html#dkim-record-for-your-mail-domain-name" > add DKIM DNS record< / a > .< / p >
2014-10-10 23:05:53 -05:00
< ul >
2016-01-22 09:22:11 -06:00
< li > Generate new DKIM key (key length < code > 1024< / code > ) for new domain.< / li >
2014-10-10 23:05:53 -05:00
< / ul >
2016-01-22 09:22:11 -06:00
< pre > < code class = "shell" > # amavisd-new genrsa /var/lib/dkim/new_domain.com.pem 1024
2015-07-07 09:45:45 -05:00
< / code > < / pre >
2015-10-13 11:07:35 -05:00
< blockquote >
< ul >
< li > if you're running CentOS, you may need to specify its config file on
command line. For example:< / li >
< / ul >
2016-01-22 09:22:11 -06:00
< p > < code > # amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/new_domain.com.pem 1024< / code > < / p >
2015-10-13 11:07:35 -05:00
< / blockquote >
2014-10-10 23:05:53 -05:00
< ul >
< li > Find below setting in Amavisd config file < code > amavisd.conf< / code > :< / li >
< / ul >
< pre > < code > dkim_key('mydomain.com', " dkim" , " /var/lib/dkim/mydomain.com.pem" );
< / code > < / pre >
< p > Add one line after above line like below:< / p >
2014-10-11 22:46:28 -05:00
< pre > < code > dkim_key('new_domain.com', " dkim" , " /var/lib/dkim/new_domain.com.pem" );
2014-10-10 23:05:53 -05:00
< / code > < / pre >
< ul >
< li > Find below setting in Amavisd config file < code > amavisd.conf< / code > :< / li >
< / ul >
< pre > < code > @dkim_signature_options_bysender_maps = ( {
...
" mydomain.com" => { d => " mydomain.com" , a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
< / code > < / pre >
< p > Add one line after < code > "mydomain.com"< / code > line like below:< / p >
< pre > < code > @dkim_signature_options_bysender_maps = ( {
...
" mydomain.com" => { d => " mydomain.com" , a => 'rsa-sha256', ttl => 10*24*3600 },
2014-10-11 22:46:28 -05:00
" new_domain.com" => { d => " new_domain.com" , a => 'rsa-sha256', ttl => 10*24*3600 },
2014-10-10 23:05:53 -05:00
...
});
< / code > < / pre >
< ul >
< li > Restart Amavisd service.< / li >
< / ul >
2015-09-09 10:01:33 -05:00
< p > Again, don't forget to ask your customer to add DKIM DNS record. The value of
DKIM record can be checked with command below:< / p >
< pre > < code class = "shell" > # amavisd-new showkeys
< / code > < / pre >
2014-10-11 02:40:30 -05:00
< h2 id = "use-one-dkim-key-for-all-mail-domains-without-updating-amavisd-config-file" > Use one DKIM key for all mail domains without updating Amavisd config file< / h2 >
2014-10-10 23:05:53 -05:00
< p > For compatibility with dkim_milter the signing domain can include a '*'
as a wildcard - this is not recommended as this way amavisd could produce
signatures which have no corresponding public key published in DNS.
The proper way is to have one dkim_key entry for each mail domain.< / p >
< p > If you still want to try this, please follow below steps:< / p >
< ul >
< li > Find below setting in Amavisd config file < code > amavisd.conf< / code > :< / li >
< / ul >
< pre > < code > dkim_key('mydomain.com', " dkim" , " /var/lib/dkim/mydomain.com.pem" );
< / code > < / pre >
< ul >
< li > Replace it by below line:< / li >
< / ul >
< pre > < code > dkim_key('*', " dkim" , " /var/lib/dkim/mydomain.com.pem" );
< / code > < / pre >
< ul >
< li > Restart Amavisd serivce.< / li >
< / ul >
< p > With above setting, all outbound emails with be signed with this dkim key.
And Amavisd will show a warning message when start amavisd service:< / p >
< blockquote >
< p > dkim: wildcard in signing domain (key#1, *), may produce unverifiable
signatures with no published public key, avoid!< / p >
2015-07-07 10:36:36 -05:00
< / blockquote >
< h2 id = "references" > References< / h2 >
< ul >
< li > Amavisd official document: < a href = "http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim" > Setting up DKIM mail signing and verification< / a > < / li >
2015-12-13 23:04:21 -06:00
< / ul > < p style = "text-align: center; color: grey;" > All documents are available in < a href = "https://bitbucket.org/zhb/iredmail-docs/src" > BitBucket repository< / a > , and published under < a href = "http://creativecommons.org/licenses/by-nd/3.0/us/" target = "_blank" > Creative Commons< / a > license. If you found something wrong, please do < a href = "http://www.iredmail.org/contact.html" > contact us< / a > to fix it.< script >
2015-02-05 07:02:53 -06:00
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-3293801-21', 'auto');
ga('send', 'pageview');
2014-10-13 19:28:43 -05:00
< / script >
< / body > < / html >
