ISPConfig – DKIM-Patch


This guide applies only to the DKIM patch up to version 0.4.1. For newer versions, please continue reading here.

I have already described here how to have ISPConfig enter a DKIM key into amavis automatically. That earlier solution works, but it is not really complete, cannot be controlled through the interface, and is therefore not usable by customers / clients.

So I have developed a plugin that

  • is integrated into the interface
  • allows a separate key pair per domain
  • creates the keys on the fly, so that in a multiserver environment the keys are identical on all mail servers
  • provides a placeholder for the DNS template
  • sets up the DNS record for the DKIM key with one click

Short description
Installation
Detailed description
Download
New / changed files
Debug


Short description

When a key pair for DKIM is created or pasted in the interface, the keys are written to the database and to files, and the corresponding entry is made in amavis. As a result, all outgoing emails for that domain are signed with a DKIM key.
In the DNS, the public key then only has to be created with one click.

Installation
This guide is current up to version 0.2.5. For any newer versions, please check under DKIM-Patch.

With version 0.3.0 (which is designed for ISPConfig 3.0.5.4), the database change below is no longer needed. All other steps in this guide are required.

Adjust the MySQL database
Log in to mysql as the root user:

mysql -u root -p

or select the corresponding database in phpMyAdmin and run the code as an SQL query.

Select the ISPConfig database (see $conf['db_database'] in /usr/local/ispconfig/interface/lib/config.inc.php) and extend it:

use dbispconfig;
ALTER TABLE `mail_domain` ADD `dkim_public` MEDIUMTEXT NOT NULL AFTER `domain`;
ALTER TABLE `mail_domain` ADD `dkim_private` MEDIUMTEXT NOT NULL AFTER `domain`;
ALTER TABLE `mail_domain` ADD `dkim` ENUM( 'n', 'y' ) NOT NULL AFTER `domain`;
quit;

Install the patch

cd /tmp
wget blog.schaal-24.de/files/dkim-latest_ispconfig3.tar.gz
tar xfvz dkim-latest_ispconfig3.tar.gz
cd dkim_ispconfig3

Adjust the ownership

chown -R ispconfig.ispconfig *

copy the new files,

cp -Rp interface /usr/local/ispconfig
cp -Rp server /usr/local/ispconfig

and enable the server plugin

ln -s /usr/local/ispconfig/server/plugins-available/mail_plugin_dkim.inc.php /usr/local/ispconfig/server/plugins-enabled/mail_plugin_dkim.inc.php

Adjust amavis
perl-Mail-DKIM may need to be installed. In most installations it is already present.
Ubuntu / Debian:

sudo apt-get install libmail-dkim-perl

CPAN:

perl -MCPAN -e 'install Mail::DKIM'


If DKIM is not yet enabled, a few parameters have to be added. The relevant config file is /etc/amavisd.conf (openSUSE) or /etc/amavis/conf.d/50-user (Debian).

Insert the following lines at the end:

$inet_socket_port = [10024,10026];
$forward_method = 'smtp:[127.0.0.1]:10025';
$notify_method = 'smtp:[127.0.0.1]:10027';
$interface_policy{'10026'} = 'ORIGINATING';
$policy_bank{'ORIGINATING'} = {
  originating => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  forward_method => 'smtp:[127.0.0.1]:10027',
};
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16);
$signed_header_fields{'received'} = 0; # turn off signing of Received
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
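
Added example (not part of the patch or the original post): amavisd-new treats clients that match @mynetworks as originating, so an over-wide entry such as the 0.0.0.0/0 quoted in the comments further down makes every sender look local, while 0.0.0.0/8 does not. This Python check flags such entries; the client address 198.51.100.7 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Address space that is internal by definition: "this network", loopback,
# RFC 1918, plus the IPv6 loopback, unique-local and link-local ranges.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def parse_mynetworks(config_text):
    """Return the networks of the last @mynetworks = qw(...) assignment."""
    text = re.sub(r"(?m)#.*$", "", config_text)       # ignore Perl comments
    found = re.findall(r"@mynetworks\s*=\s*qw\s*\(([^)]*)\)", text)
    if not found:
        return []
    nets = []
    for token in found[-1].split():
        # amavis writes IPv6 entries as [::1] or [fe80::]/10; drop the brackets
        token = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def too_wide(config_text):
    """List the entries that reach beyond internal address space."""
    return [str(net) for net in parse_mynetworks(config_text)
            if not any(net.version == i.version and net.subnet_of(i)
                       for i in INTERNAL)]

def treated_as_local(config_text, client_ip):
    """True if client_ip matches one of the @mynetworks entries."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_mynetworks(config_text))

# The list from this page's config snippet.
PAGE_CONFIG = """
$signed_header_fields{'received'} = 0; # turn off signing of Received
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16);
"""
# The setting quoted in the comment thread on this page.
WIDE_CONFIG = "@mynetworks = qw(0.0.0.0/0);"

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("wide", WIDE_CONFIG)):
        print(name, "too wide:", too_wide(cfg),
              "| 198.51.100.7 local:", treated_as_local(cfg, "198.51.100.7"))
```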

Adjust Postfix
main.cf
Create a content filter

content_filter = amavis:[127.0.0.1]:10024


and extend the smtpd_sender_restrictions entry with check_sender_access regexp:/etc/postfix/tag_as_originating.re, permit_mynetworks, check_sender_access regexp:/etc/postfix/tag_as_foreign.re. The entry should then look like this:

smtpd_sender_restrictions =
  check_sender_access regexp:/etc/postfix/tag_as_originating.re
  permit_mynetworks
  permit_sasl_authenticated
  check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, regexp:/etc/postfix/tag_as_foreign.re

Create /etc/postfix/tag_as_originating.re with the following content:

/^/ FILTER amavis:[127.0.0.1]:10026


and create /etc/postfix/tag_as_foreign.re like this:

/^/ FILTER amavis:[127.0.0.1]:10024
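
Why the order of smtpd_sender_restrictions matters, as an added Python model that is not part of the patch: a FILTER action does not end evaluation and the last FILTER that fires wins, while permit_mynetworks and permit_sasl_authenticated stop the list. The client addresses and the WRONG_ORDER list are constructed, and the mysql lookup is assumed to return no match.

```python
import ipaddress

DEFAULT_FILTER = "amavis:[127.0.0.1]:10024"   # content_filter in main.cf
SIGNING_FILTER = "amavis:[127.0.0.1]:10026"   # port bound to policy bank ORIGINATING

# smtpd_sender_restrictions from this page, in order.
PAGE_ORDER = [
    ("filter", SIGNING_FILTER),          # tag_as_originating.re: /^/ FILTER ...
    ("permit_mynetworks", None),
    ("permit_sasl_authenticated", None),
    ("no_match", None),                  # mysql-virtual_sender.cf (assumption)
    ("filter", DEFAULT_FILTER),          # tag_as_foreign.re: /^/ FILTER ...
]

# Hypothetical mistake: both FILTER tables listed before the permit rules.
WRONG_ORDER = [PAGE_ORDER[0], PAGE_ORDER[4], PAGE_ORDER[1], PAGE_ORDER[2]]

def route(client_ip, sasl_authenticated, postfix_mynetworks,
          restrictions=PAGE_ORDER):
    """Return the content filter the message would be handed to."""
    ip = ipaddress.ip_address(client_ip)
    chosen = DEFAULT_FILTER
    for kind, arg in restrictions:
        if kind == "filter":
            chosen = arg        # FILTER does not end the list; the last one wins
        elif kind == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(n) for n in postfix_mynetworks):
                break           # permit: the remaining restrictions are skipped
        elif kind == "permit_sasl_authenticated" and sasl_authenticated:
            break
    return chosen

def reaches_signing_port(client_ip, sasl_authenticated, postfix_mynetworks,
                         restrictions=PAGE_ORDER):
    """True if the message goes to the port where amavis applies ORIGINATING."""
    return route(client_ip, sasl_authenticated, postfix_mynetworks,
                 restrictions) == SIGNING_FILTER

if __name__ == "__main__":
    nets = ["127.0.0.0/8"]      # Postfix mynetworks, constructed sample
    cases = [
        ("webmail on the server", "127.0.0.1", False),
        ("authenticated client", "198.51.100.7", True),
        ("foreign MTA", "198.51.100.7", False),
    ]
    for label, ip, auth in cases:
        print(f"{label:24} page order: {route(ip, auth, nets)}   "
              f"wrong order: {route(ip, auth, nets, WRONG_ORDER)}")
```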


master.cf

10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks

10027 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtp_send_xforward_command=yes


Restart Postfix and amavis:

/etc/init.d/amavis restart
/etc/init.d/postfix restart

Create the directory for the DKIM keys

mkdir /etc/postfix/dkim

Adjust ISPConfig
In the interface, the path of the key file directory must be entered under Server Config / Mail.

From now on, keys for mail domains can be created through the interface and entered in the DNS.


Detailed description

Setting in the server config
After installing the plugin, the path for the DKIM keys must first be defined under Server Config. The plugin later stores the private and public keys there.
[Screenshot: server-config]

Creating the keys for a mail domain
When a mail domain is created or edited, the settings are made in the DomainKeys Identified Mail (DKIM) section.
The private key can either be generated by clicking “Generate DKIM Private-key” or be pasted in.
The corresponding public key is shown for information only and cannot be changed.
[Screenshot: mail-domain-edit]

Entering the public key in the DNS
The public key can be added either through the wizard or with a button inside the zone.
When the wizard is used, the entry in the template must be {DKIM}|0|3600.
[Screenshot: DNS-create Template]

Within an existing zone, the public key can be added with the DKIM button.
[Screenshot: DNS-zone edit]

[Screenshot: DNS-zone edit-dkim]

In both cases the result is identical: the public key is entered with the validator (that is, the DKIM selector) default:
[Screenshot: DNS-zone edit-dkim-result]

After a DKIM key pair has been created, both keys are stored in the database. A server plugin writes the keys to two files and adds the corresponding entry to the amavisd config, or adjusts the existing entry.
As soon as the public key has been entered in the DNS, the corresponding record is created by the bind plugin.

The keys can be tested with
amavisd testkeys
or
amavisd-new testkeys

TESTING#1: default._domainkey.schaal-24.de => pass
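
Added example, not part of the patch: the comments further down show testkeys failing when the DNS record is missing or does not belong to the key pair in use. This Python sketch compares TXT rdata, in the form dig prints it, with a public key file as written by openssl rsa -pubout; the key bytes are constructed stand-ins rather than a real key, and the verdict strings are this example's own.

```python
import base64
import re

def parse_dkim_txt(rdata):
    """Parse TXT rdata as dig prints it: one or more quoted strings."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    text = "".join(chunks) if chunks else rdata   # long keys span several strings
    text = text.replace("\\;", ";")               # some dig versions escape ';'
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)      # base64 padding may contain '='
            tags[name.strip()] = "".join(value.split())
    return tags

def pem_public_body(pem):
    """Base64 body of a PEM public key file, without the BEGIN/END lines."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    return "".join(l for l in lines if l and not l.startswith("-----"))

def compare(rdata, pem):
    """Compare the p= tag of a DKIM record with the key in a PEM file."""
    if not rdata.strip():
        return "invalid (public key: not available)"
    p = parse_dkim_txt(rdata).get("p")
    if p is None:
        return "invalid (no p= tag)"
    if p == "":
        return "invalid (key revoked)"            # an empty p= revokes the key
    try:
        dns_key = base64.b64decode(p, validate=True)
    except ValueError:
        return "invalid (p= is not base64)"
    if dns_key != base64.b64decode(pem_public_body(pem)):
        return "fail (DNS key differs from key file)"
    return "pass"

# --- constructed sample data (stand-in bytes, not a usable key) ---
SAMPLE_KEY = bytes(range(256)) + bytes(range(38))
OTHER_KEY = SAMPLE_KEY[::-1]

def to_pem(key_bytes):
    b64 = base64.b64encode(key_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def to_txt_rdata(key_bytes):
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(key_bytes).decode()
    # a single TXT string holds at most 255 bytes, so the record is split
    return " ".join('"%s"' % record[i:i + 255] for i in range(0, len(record), 255))

if __name__ == "__main__":
    pem = to_pem(SAMPLE_KEY)
    print("same key:     ", compare(to_txt_rdata(SAMPLE_KEY), pem))
    print("replaced key: ", compare(to_txt_rdata(OTHER_KEY), pem))
    print("no record:    ", compare("", pem))
```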


Download

dkim-latest_ispconfig3.tar.gz


New / changed files

A  interface/lib/classes/validate_dkim.inc.php
M  interface/web/admin/form/server_config.tform.php
M  interface/web/admin/lib/lang/en_server_config.lng
M  interface/web/admin/templates/server_config_mail_edit.htm
A  interface/web/dns/dns_dkim_edit.php
A  interface/web/dns/dns_dkim_get.php
M  interface/web/dns/dns_wizard.php
A  interface/web/dns/form/dns_dkim.tform.php
M  interface/web/dns/form/dns_template.tform.php
A  interface/web/dns/lib/lang/en_dns_dkim.lng
M  interface/web/dns/lib/lang/en_dns_template.lng
M  interface/web/dns/templates/dns_a_list.htm
A  interface/web/dns/templates/dns_dkim_edit.htm
M  interface/web/dns/templates/dns_wizard.htm
M  interface/web/js/dns_dkim.js
A  interface/web/js/mail_domain_dkim.js
A  interface/web/mail/mail_domain_dkim_create.php
M  interface/web/mail/form/mail_domain.tform.php
M  interface/web/mail/lib/lang/en_mail_domain.lng
M  interface/web/mail/templates/mail_domain_edit.htm
A  server/plugins-available/mail_plugin_dkim.inc.php
M  DATABASE:
  ALTER TABLE `mail_domain` ADD `dkim_public` MEDIUMTEXT NOT NULL AFTER `domain`;
  ALTER TABLE `mail_domain` ADD `dkim_private` MEDIUMTEXT NOT NULL AFTER `domain`;
  ALTER TABLE `mail_domain` ADD `dkim` ENUM( 'n', 'y' ) NOT NULL AFTER `domain`;


57 thoughts on “ISPConfig – DKIM-Patch”

  • Stefan

    Hello.

    Please I have tried to install this patch to my ispconfig 3 and I think that everything is OK but if I try to run this command: dig -t txt dkim._domainkey.mydomain.com it returns an answer like this:

    <> DiG 9.9.5-9+deb8u1-Debian <> -t txt dkim._domainkey.mydomain.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER< pass

    Please can you tell me if this response is good? How can I check if the email which I send has a correct DKIM signature?

    Thank you a lot.

    • Florian Schaal Post author

      If this is the full result for your query, your public key was not found on the dns. Is dkim your selector?
      You can get the result for dkim-key with dig -t txt default._domainkey.schaal-24.de

  • basilis

    Good morning!
    Your patch seems to be the most (if not the only) elegant and automated way to install dkim support in ispconfig.
    In ispconfig, I very much like the clean upgrade path, which kind of guarantees the problem free operation of my server.
    I'd like to ask whether you think / know if your patch somehow could “break” that smooth and problem free upgrading of ispconfig?
    In the event that a future version of ispconfig incorporates an automated solution for dkim, could a clean uninstall of your patch be made to ensure smooth upgrade of ispconfig?
    And in general, is there a clean and complete uninstall of your patch?
    Thank you very much and my best wishes for the new year. 🙂
    basilis

    • Florian Schaal Post author

      With ISPConfig 3.1 the dkim-code is part of ispconfig. With the next release you can update/upgrade ispconfig at any time without losing the dkim-functionality. If you update to a 3.0.5-version, you have to install the dkim-patch again.
      There is no uninstall-script. Just remove the tag_as-entries from postfix main.cf.

      • basilis

        First of all, thank you for the fast reply.

        You say: “With the next release you can update/upgrade ispconfig at any time without losing the dkim-functionality.” Do you mean, that if I install /config your patch correctly and everything works fine, when I update to 3.1 all the DKIM changes and functionality (made by / thanks to your patch) will be incorporated and I will have to do no uninstalling of your patch, fiddling with the system etc?

        If another 3.0.5 point version appears before 3.1 and I have to install it, will I have to reinstall your patch and reconfigure it?

        basilis

        • Florian Schaal Post author

          Yes. If we see another 3.0.5.4 version before 3.1, just reinstall the patch. With 3.1 there is no need for this as this patch is a backport from 3.1.

  • Curtis Maurand

    I just installed the interface piece of the patch onto 3.0.5.8. Works like a charm. Nice work. Also, since I am using powerdns (pdns) rather than bind, I had to increase the length of the content field in the powerdns records table to 64000 (pdns recommendation) to accommodate the fields. Funny how the 3.0.5.8 contained the altered tables, but not the interface for this or maybe I didn’t see the plugin.

    Thanks for your hard work,
    Curtis Maurand

  • Faizal Afriansyah

    why the mail server like yahoo or google always detect my older dkim?
    i check my dkim now is good (pass) in amavis testkey. same with when i check in dkimcore.org or dkimvalidator.com. why this happen? this is bug?

    • Florian Schaal Post author

      Maybe they did not get your latest key from your dns. Are you using different selectors?

        • Florian Schaal Post author

          so you just changed the selector and not the key, too?

          btw… if i search for your dkim-record, i can find a key for phinemo.

          • Faizal Afriansyah

            i change too the key. yes of course you can find my dkim-record but the question is when i send message to mail server always detect my old selector (default)? or i can’t change the selector?
            this the error:when i check mail verification:
            ==========================================================
            Summary of Results
            ==========================================================
            SPF check: pass
            DomainKeys check: neutral
            DKIM check: permerror
            Sender-ID check: pass
            SpamAssassin check: ham

            DKIM check details:
            ———————————————————-
            Result: permerror (key “default._domainkey.phinemo.com” doesn’t exist)
            ID(s) verified:
            Canonicalized Headers:
            user-agent:Roundcube’20’Webmail/0.7.2’0D”0A’
            message-id:’0D”0A’
            subject:(no’20’subject)’0D”0A’
            to:’0D”0A’
            from:testing@phinemo.com’0D”0A’
            date:Wed,’20’01’20’Jul’20’2015’20’22:13:56’20’+0700’0D”0A’
            content-transfer-encoding:7bit’0D”0A’
            content-type:text/plain;’20’charset=UTF-8;’20’format=flowed’0D”0A’
            mime-version:1.0’0D”0A’
            received:from’20’112.78.40.51’20′(localhost’20′[127.0.0.1])’20′(Authenticated’20’sender:’20’testing@phinemo.com)’20’by’20’hosting.ptdes.net’20′(Postfix)’20’with’20’ESMTPSA’20’id’20’CFBA332199BAF’20’for’20’;’20’Wed,’20’1’20’Jul’20’2015’20’22:13:56’20’+0700’20′(WIB)’0D”0A’
            received:from’20’hosting.ptdes.net’20′([127.0.0.1])’20’by’20’localhost’20′(hosting.ptdes.net’20′[127.0.0.1])’20′(amavisd-new,’20’port’20’10026)’20’with’20’ESMTP’20’id’20’JueddsE6XW4k’20’for’20’;’20’Wed,’20’1’20’Jul’20’2015’20’22:13:57’20’+0700’20′(WIB)’0D”0A’
            dkim-signature:v=1;’20’a=rsa-sha256;’20’c=relaxed/simple;’20’d=phinemo.com;’20’h=’20’user-agent:message-id:subject:subject:to:from:from:date:date’20’:content-transfer-encoding:content-type:content-type’20’:mime-version:received:received;’20’s=default;’20’t=1435763637;’20’x=’20’1437578038;’20’bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;’20’b=

            Canonicalized Body:
            ‘0D”0A’

            DNS record(s):
            default._domainkey.phinemo.com. TXT (NXDOMAIN)

            NOTE: DKIM checking has been performed based on the latest DKIM specs
            (RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
            older versions. If you are using Port25’s PowerMTA, you need to use
            version 3.2r11 or later to get a compatible version of DKIM.

            Thanks for your response Florian 🙂

          • Florian Schaal Post author

            amavisd-new testkeys phinemo.com
            shows
            phinemo.com._domainkey.phinemo.com => pass?

          • Faizal Afriansyah

            this my amavis test florian :
            sudo amavisd-new testkeys
            TESTING#1: phinemo._domainkey.phinemo.com => pass

    • Kai

      Well i’m sorry that i missed to include the needed informations.

      I tried again yesterday and everything is working right now.
      The reason for non working and stop sending emails was a typo that i made 🙁 Shame on me.

      Thumbs up for your good work Florian.

      Sincerely,
      Kai

  • mccharlet

    Hi,

    I have this error with DKIM-Patch 0.3.1 (I think it’s after the last openssl update; my distribution is debian 7.5)

    amavisd-new testkeys
    RSA.xs:178: OpenSSL error: no start line at (eval 94) line 65.

    And the amavis service doesn’t start. If I remove the 60-dkim file, it’s ok, but dkim isn’t configured

    Best regards

    • mccharlet

      Hi,

      I disabled the dkim and it’s ok.

      root@srv3:/etc/amavis/conf.d# amavisd-new testkeys
      No DKIM private keys declared in a config file.

      I have active dkim for two domain and i have an other error now

      root@srv3:/etc/amavis/conf.d# amavisd-new testkeys
      TESTING#1: default._domainkey.domain1.ch => fail (bad RSA signature)
      TESTING#2: default._domainkey.domain2.ch => invalid (public key: not available)

      Best regards

      • Florian Schaal Post author

        If a public is not found or not available, you didn't add your public-key to the dns or it's currently not available on the dns which amavis checks. If you run your own dns you can check the public-key with “dig @YOURDNS default._domainkey.YOURDOMAIN TXT”. If you change your dkim-key you must also update your dns. I will add this to the plugin, to make sure, the dns is updated, if you change your dkim-key.

        To get the values for the key, please run “amavisd-new showkeys”

        I'm not sure if your problem is really related to the latest openssl-update. I'm running wheezy 7.5, too and have no problems. Could you please provide your amavis-version and the openssl-version?

        Anyway, to make sure this is not related to your openssl-version, please try

        cd /tmp
        openssl rand -out random-data.bin 4096
        openssl genrsa -rand random-data.bin 1024 > test.priv
        cat test.priv | openssl rsa -pubout > test.pub

        and try the two keys with amavis.

        • mccharlet

          Hi,

          I removed all the dkim configuration and recreate all dkim certificate. Now it’s OK

          Big thanks Florian for your help

          Best regards

          • Florian Schaal Post author

            just remove the tag_as_ – settings from postfix main.cf and remove the dkim-settings in amavis 50-user

    • Florian Schaal Post author

      This is already a part of ispconfig-devel (aka git-master) and will be available with 3.1

    • Florian Schaal Post author

      This happens when a private-key is associated with a wrong public-key. You have no public-key in your dns. You can check it with
      dig default._domainkey.lgnuke.com TXT

    • Florian Schaal Post author

      You can setup the validator when editing a mail-domain with dkim-enabled. But can not change it from
      default._domainkey to default._xxxxxxxxxx since _domainkey is a required value in the dns-record

      • zeromechanic

        Ok the xx were unclear. sorry
        I understand the _domainkey.
        Already in use.
        found this patch for use with ispconfig (.54p1)
        Lot easier than manual..

        I want to change the “default” into a custom

      • zeromechanic

        mm got an js error.

        when going to the mail domain :

        Uncaught TypeError: Cannot read property ‘nodeValue’ of null

        keys are not created.
        error :
        Uncaught TypeError: Cannot read property ‘nodeValue’ of null VM203:61
        interpretRequest

        rolling back install

  • Florian Schaal Post author

    It's hard to answer your question without knowing what's in your logs. Could you mail me a logfile when you sign your mails with dkim and send this mail to google or hotmail? Just use my mail-address instead of posting your log as a comment.
    BTW: the SPF-record for your domain uses only IPv4. Maybe you are connecting to google or hotmail using IP6?

  • Juan

    ok and managed to solve it.

    It was the language problem.

    have one more question if I can help because they no longer do.
    when emails to gmail or hotmail sending me qualifies as spam, the other servers get well but these do not.

    I have configured it and now dkim spf. but I still get get well.

    any advice?

    regards

  • Juan

    Hello.
    I followed the instructions in the tutorial and all good unless the link to generate private key does not appear dkim me.

    it can be due to this.

    work under debian wheezy system.

    regards

    • Florian Schaal Post author

      Is there an entry in the apache error-log? Please make sure, that all files within interface are owned by ispconfig.ispconfig. Run chown -R ispconfig.ispconfig /usr/local/ispconfig/interface.
      If you are not using the english-language, this may also lead to the error, that you can't see the link/button to create the key.
      You can get the lng-files with

      wget blog.schaal-24.de/files/dkim-patch-all-languages.tar.gz

      This issue is already fixed within the next version. I will make a public-release when the next ispconfig-version is available, because the next version will only work on 3.0.5.4 (or the current stable-branch from the git-repository).

  • schiffsratte

    In the recent current download (patch 0-25)
    there is a typo in de_mail_domain.lng in $wb[“dkim_txt”] = ‘DKIM aktivieren’;

    The ‘; in the end are missing so the interface is not working if the language is german

  • djamu

    found 2 typos in backup.sh

    cp $INTERFACE_DIR/dns/dns_wizard.php $INTERFACE_DIR/dns/dns_wizard.php.old
    should be :
    cp $INTERFACE_DIR/web/dns/dns_wizard.php $INTERFACE_DIR/web/dns/dns_wizard.php.old

    isn’t commented:
    cp $INTERFACE_DIR/web/mail/mail_domain_dkim_create.php $INTERFACE_DIR/web/mail/mail_domain_dkim_create.php.old
    (no such file)

    djamu

    • Florian Schaal Post author

      The DNS-record is available after you successfully created the dkim-key for the mail-domain and is stored in the database. Please check the errorlog of your webserver.

  • Jeroen

    I followed all instructions and have checked it several times, but I can’t get it to work; no mail is signed.

    To get amavis to sign mails, I have to add @mynetworks = qw(0.0.0.0/0); to /etc/amavis/conf.d/50-user. But when I do so, every user can send email from any DKIM-enabled domain and everything will be signed nicely (both from desktop client and roundcube). For example: user1@domain1.nl is logged in and can send signed mail from it, but can also send signed mail from user2@domain2.nl. Note that user2 is not necessarily an existing user.

    Do you guys have this problem as well or am I the only one?

    • Florian Schaal Post author

      You can set

      @mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
      192.168.0.0/16);

      Sorry. I just forgot to add this to the blog-post and the INSTALL.TXT.

      If I send a local mail from a non-existing domain, the mail will not be signed. In this case the mail is classified as RelayedInbound by amavis since postfix doesn't tag the mail as ORIGINATING.

      You can find more information about the mailflow here: http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-mail-flow

      • Jeroen

        Thank you for your answer.

        The IP addresses in @mynetworks are the ones clients can send mail from, right? In that case, I want people to be able to send mail from any IP, since they can be all over the world. If I do as you suggest, only email from the local server will work, such as Roundcube.

        Of course, mail for non-existent domains can’t be signed, since there is no key for them. I’m talking about non-existent mailboxes and DKIM-enabled domains.

        Is this supposed to happen?

        • Florian Schaal Post author

          Usually local mails are sent through your MTA (postfix). In my setup I use postfix to handle the content-filter defined in “smtpd_sender_restrictions”.
          The installation-instructions regarding postfix and amavis can also be found in the amavisd-documentation.
          You can play around with the ip in @mynetworks, but for signing outgoing-mails with postfix as documented in this post, you can set it to 0.0.0.0/8.

          What your MTA does with unknown mailboxes has nothing to do with amavis. Your local MTA can handle unknown mailboxes as you define it. This must be defined within postfix.

          The mailflow is:

          INCOMING -> amavisd:10026->policy ORIGINATING (sign)

          or

          INCOMING -> amavisd:10024

          That's the reason for /etc/postfix/tag_as_originating.re and /etc/postfix/tag_as_foreign.re

  • Loïc

    Hi
    Thanks for this tuto.
    I have a problem, when I try to test with this command : amavisd-new testkeys

    The answers : No DKIM private keys declared in a config file.

    My key is declared in ispconfig

    regards

    • Florian Schaal Post author

      Are the key-pairs created in the directory you defined in ispconfig (i.e. /etc/postfix/dkim)? Has the amavis-user at least read-access to this directory?
      Is DKIM enabled in amavis (you see something like “amavis[31429]: DKIM code loaded” in your amavis-log)?

      • Loïc

        Thanks for your answer there some informations :

        ls -al /etc/postfix/dkim
        total 8
        drwxr-xr-x 2 root root 4096 14 sept. 19:42 .
        drwxr-xr-x 4 root root 4096 15 sept. 19:56 ..

        result :
        /usr/local/ispconfig/server/server.sh
        finished.

        I try to find amavis in /var/log, There is nothing (idem with find / amavis-log)

        Also in my admin ispconfig, I found that 2013-09-14 18:18 ks3329571.domain.com Debug Unable to write DKIM settings; Check your config! in show system log, monitor menu

        • Florian Schaal Post author

          Did you setup “/etc/postfix/dkim” in the interface as DKIM Path under system / server config / SERVER / mail?

          The error indicates, that there is no directory for dkim-keys defined in ISPConfig.

          BTW you can mail me at info@schaal-24.de – so I can send you a server-plugin with much more logging so we can find out what's going wrong on your system.

          • Angel

            I have a two server configuration.
            Do I have to define the dkim-keys directory in the two servers?
            I’m receiving error “Unable to write DKIM settings; Check your config!”
            However dkim it’s working well.

            Thanks for your time.

          • Florian Schaal Post author

            You must define (and create) the dkim-directory on each server that acts as a mail-server. The next release will create the dkim-dir if it doesn't exist. The error in your logs is removed in next release, too. I made 0.3 public when ispconfig 3.0.5.4 is released due to a lot of changed code.