DKIM Signing of Relayed Mail with Amavis + Postfix

It has long been good practice to use email-validation tools such as Sender Policy Framework (SPF) and DomainKeys / DKIM to provide confidence that a given server or domain has the authority to send emails on behalf of its own or other domains. We use Postfix and Amavisd-new on Debian to perform DKIM signing of messages on a central mail server that relays mail for many other servers. There were a couple of catches to getting it all working that I wanted to record for posterity, should anyone else run into similar problems.

First, amavisd-new can now (since version 2.6.0) handle DKIM signing itself, meaning you can do away with additional milters or the use of dkimproxy. To tell amavis that you want it to sign mail, you need only add this line to an appropriate config file (say, conf.d/50-user):

$enable_dkim_signing = 1;

Keys and selectors are assigned to domains by adding lines like so:

dkim_key('example.com', 'selector', '/var/db/dkim/example.com.key.pem');

(I am omitting the details of generating keys and creating the DNS records necessary to make DKIM work. There are lots of tutorials on the net that cover that material.)

Problems arise if your server is relaying mail from elsewhere. Amavis will only sign mail originating at hosts identified as being in @mynetworks, which defaults to localhost. In order to sign relayed mail, you need to expand the definition of @mynetworks to include the remote host(s). This can also be added to your config file, where xxx.xxx.xxx.xxx is the IP address of a relaying server:

@mynetworks = qw(
  127.0.0.0/8
  xxx.xxx.xxx.xxx/32
);

However -- and here's another gotcha -- amavis doesn't necessarily know the IP address of your relaying server. Postfix by default hides that information from content filters. To change this behaviour, you need to add an option to the definition of the amavis content filter in your /etc/postfix/master.cf file. You will need to add the option "-o smtp_send_xforward_command=yes" to whichever amavis service will handle your outgoing DKIM signing. The result might look like this:

smtp-amavis-sign     unix    -       -       y       -       -       smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
        -o smtp_send_xforward_command=yes

With this in place, and postfix and amavis restarted, you should now be able to take advantage of the convenience of a centralized relaying SMTP server that will authoritatively sign the mail it sends, helping ensure its delivery.
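The conditions above can be checked together before restarting anything. The following is an added example, not code from amavisd-new or Postfix: the config text, the relay address 203.0.113.10 and the function names are constructed for illustration, and only plain CIDR entries in @mynetworks are handled.

```python
import ipaddress
import re

# Constructed sample files mirroring this article's snippets (203.0.113.10 stands in for the relay).
AMAVIS_CONF = """
$enable_dkim_signing = 1;
dkim_key('example.com', 'selector', '/var/db/dkim/example.com.key.pem');
@mynetworks = qw(
  127.0.0.0/8
  203.0.113.10/32
);
"""
MASTER_CF = """
smtp-amavis-sign     unix    -       -       y       -       -       smtp
        -o smtp_data_done_timeout=1200
        -o disable_dns_lookups=yes
        -o smtp_send_xforward_command=yes
"""

def master_cf_options(master_cf, service):
    """Collect the -o overrides of one master.cf service (continuation lines are indented)."""
    opts, active = {}, False
    for line in master_cf.splitlines():
        if line.strip() and not line[0].isspace():
            active = line.split()[0] == service   # a new service entry starts here
        elif active:
            m = re.match(r"\s+-o\s+([^\s=]+)=(\S+)", line)
            if m:
                opts[m.group(1)] = m.group(2)
    return opts

def signing_problems(amavis_conf, master_cf, service, relay_ip, domain):
    """Return the reasons, per this article, that mail for `domain` from `relay_ip` goes unsigned."""
    problems = []
    if not re.search(r"^\s*\$enable_dkim_signing\s*=\s*1\s*;", amavis_conf, re.M):
        problems.append("$enable_dkim_signing is not set to 1")
    domains = re.findall(r"^\s*dkim_key\(\s*'([^']+)'", amavis_conf, re.M)
    if domain.lower() not in (d.lower() for d in domains):
        problems.append(f"no dkim_key() entry for {domain}")
    nets = re.search(r"@mynetworks\s*=\s*qw\((.*?)\)", amavis_conf, re.S)
    cidrs = nets.group(1).split() if nets else ["127.0.0.0/8"]  # assumed default: localhost
    ip = ipaddress.ip_address(relay_ip)
    if not any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
        problems.append(f"{relay_ip} is not covered by @mynetworks")
    if master_cf_options(master_cf, service).get("smtp_send_xforward_command") != "yes":
        problems.append(f"{service} does not pass XFORWARD to amavis")
    return problems

print(signing_problems(AMAVIS_CONF, MASTER_CF, "smtp-amavis-sign", "203.0.113.10", "example.com"))
```

An empty list means every condition described in this article is met for that relay and sender domain.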

 




Comments

Eric

Hello,

Nice work! I'm considering the same setup at work. But looking at the amavisd.conf file, it seems that all the features are activated by default. It seems that I could disable them with the variables bypass_virus_checks_maps and bypass_spam_checks_maps. But there are so many settings; in your case, did you disable the spam and AV functionality? I wish to disable them, because this is being handled at another level.

Thanks!
