Setting up DKIM in amavisd

Last updated: 2018-06-1

Table of contents

  • Step 1: Create the key
  • Step 2: Configure signing
  • Step 3: View the DNS record required
  • Step 4: Set the DKIM TXT record in DNS
  • Step 5: Testing
  • Thunderbird verify dkim plugin

Step 1: Create the key

mkdir -p /var/lib/dkim/

cd /var/lib/dkim/

amavisd genrsa datahunter.org.pem

# check running user
# grep daemon_  /etc/amavisd.conf
# $daemon_user  = 'amavis';
# $daemon_group = 'amavis';

chgrp amavis /var/lib/dkim/*.pem

chmod 640 /var/lib/dkim/*.pem

cat datahunter.org.pem

-----BEGIN RSA PRIVATE KEY-----
..............................
-----END RSA PRIVATE KEY-----

Step 2: Configure signing

/etc/amavisd/amavisd.conf contains the following settings:

#
# DKIM Setting
#
$enable_dkim_verification = 1;

$enable_dkim_signing = 1;

# One domain per line
# dkim_key("new.domain", "dkim", "/var/lib/dkim/new.domain.pem");
dkim_key("datahunter.org", "dkim", "/var/lib/dkim/datahunter.org.pem");

# Lazy approach: treats every message as originating (see the Amavisd remark below)
$originating = 1;

service amavisd reload

Step 3: View the DNS record required

amavisd -c /etc/amavisd/amavisd.conf showkeys datahunter.org

; key#1, domain datahunter.org, /var/lib/dkim/datahunter.org.pem
dkim._domainkey.datahunter.org. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVqy15wIM2zFGgu/GArvrVaWzr"
  "r23kHOTJ7i9y6rrtv6vP46RIQZ+eVSopENli2LQlm154gfNCTVIqLRjdVTyOageY"
  "6AdNiFQ3z1uj/iBUWugZyA+Tr+diJzlli0Nq/WRwkoMBLsApmNVXPEul4Kjo0FPO"
  "cpao1TjOU9bRe4FEEQIDAQAB")

Step 4: Set the DKIM TXT record in DNS

Use the record displayed above as-is

OR

# Remove the quotes and keep the value on one line

v=DKIM1; p=MIGfMA0GCSqG.............FEEQIDAQAB

Step 5: Testing

DNS test (while the record has not yet propagated, query the name server directly):

dig -t txt dkim._domainkey.datahunter.org @DNS1.NAME-SERVICES.COM

P.S.

The record name s._domainkey.d is built from values that appear in the mail header; see below!!

s = selector

if your domain selector is: "s1024", your public key record will be "s1024._domainkey.yourdomain"

Key test:

amavisd -c /etc/amavisd/amavisd.conf testkeys

TESTING#1: dkim._domainkey.datahunter.org    => pass

The received mail carries this header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=datahunter.org;
     h=user-agent:message-id:subject:subject:to:from:from:date:date
    :content-transfer-encoding:content-type:content-type
    :mime-version; s=dkim; t=1386841757; x=1387705757; bh=15pFrAvOGi
    +eHKJgB6psh6iIBCbvYSuhPj+wQn6C7Ss=; b=RXbcSeWoHNG5sDgHrMmoYVG7rW
    v4H3N0xqnwl9F56jzu1bTcKQsyibD8/EMPvtNlvDbRPmv6tKCjVxIVvA2f+tUIKp
    3QSmTpJgE0oGaPSpdCa11/SSNjJTuQn4Pr+/ICnpGagCnZVgBMm/ge9Jmr+SY6t1
    7I0dkkWEmrrKemkDc=
  • v is the version,
  • a is the signing algorithm,
  • c is the canonicalization algorithm(s) for header and body,
  • q is the default query method,
  • l is the length of the canonicalized part of the body that has been signed,
  • t is the signature timestamp,
  • x is its expiry time (amavisd's default is 10 days later)
  • h is the list of signed header fields
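As an added example (not part of the original page), the following Python script cross-checks the showkeys output from step 3 against the DKIM-Signature header from step 5: it joins the quoted TXT strings into the one-line form step 4 describes, derives the record name s._domainkey.d from the header's s= and d= tags, decodes p= to confirm it is an RSA public key and read its size, and checks that the signature length, the body-hash length and the x-t expiry window are consistent with that key and the a= algorithm. It does not verify the signature cryptographically (that needs the signed message itself, which amavisd's verifier handles). The sample data is copied from this page; all function names are my own.

```python
import base64
import re

# Sample data copied from the page: the showkeys output of step 3 and the
# DKIM-Signature header of step 5, folded exactly as it appears in the mail.
SHOWKEYS_OUTPUT = '''\
; key#1, domain datahunter.org, /var/lib/dkim/datahunter.org.pem
dkim._domainkey.datahunter.org. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVqy15wIM2zFGgu/GArvrVaWzr"
  "r23kHOTJ7i9y6rrtv6vP46RIQZ+eVSopENli2LQlm154gfNCTVIqLRjdVTyOageY"
  "6AdNiFQ3z1uj/iBUWugZyA+Tr+diJzlli0Nq/WRwkoMBLsApmNVXPEul4Kjo0FPO"
  "cpao1TjOU9bRe4FEEQIDAQAB")
'''

DKIM_SIGNATURE_HEADER = '''\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=datahunter.org;
     h=user-agent:message-id:subject:subject:to:from:from:date:date
    :content-transfer-encoding:content-type:content-type
    :mime-version; s=dkim; t=1386841757; x=1387705757; bh=15pFrAvOGi
    +eHKJgB6psh6iIBCbvYSuhPj+wQn6C7Ss=; b=RXbcSeWoHNG5sDgHrMmoYVG7rW
    v4H3N0xqnwl9F56jzu1bTcKQsyibD8/EMPvtNlvDbRPmv6tKCjVxIVvA2f+tUIKp
    3QSmTpJgE0oGaPSpdCa11/SSNjJTuQn4Pr+/ICnpGagCnZVgBMm/ge9Jmr+SY6t1
    7I0dkkWEmrrKemkDc=
'''

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def parse_tags(text):
    """Split a 'k=v; k=v' tag list into a dict. Folding whitespace is dropped
    from every value, which is safe for b=, bh=, h= and p= (FWS allowed)."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def join_txt_record(showkeys_output):
    """Concatenate the quoted strings of the showkeys TXT record into the
    single-line form of step 4 (quotes removed, one line)."""
    return "".join(re.findall(r'"([^"]*)"', showkeys_output))


def parse_signature_header(header):
    """Drop the 'DKIM-Signature:' field name and parse the tag list."""
    return parse_tags(header.split(":", 1)[1])


def dns_record_name(tags):
    """Selector (s=) and domain (d=) from the header name the published record."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def _der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_value):
    """Decode p= (a DER SubjectPublicKeyInfo) and return the RSA modulus size
    in bits; raise ValueError if the key is not rsaEncryption."""
    der = base64.b64decode(p_value)
    _, spki, _ = _der_read(der, 0)           # SubjectPublicKeyInfo SEQUENCE
    _, algid, pos = _der_read(spki, 0)       # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_read(algid, 0)          # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("p= is not an rsaEncryption key")
    tag, bitstr, _ = _der_read(spki, pos)    # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING for subjectPublicKey")
    _, rsapub, _ = _der_read(bitstr[1:], 0)  # skip unused-bits byte, then SEQUENCE
    _, modulus, _ = _der_read(rsapub, 0)     # INTEGER n
    return int.from_bytes(modulus, "big").bit_length()


def check_consistency(showkeys_output, header):
    """Sanity-check names and sizes between the published record and a
    signature header. Not a cryptographic verification of the signature."""
    record = parse_tags(join_txt_record(showkeys_output))
    sig = parse_signature_header(header)
    key_bits = rsa_key_bits(record["p"])
    sig_bytes = len(base64.b64decode(sig["b"]))
    bh_bytes = len(base64.b64decode(sig["bh"]))
    return {
        "record_name": dns_record_name(sig),
        "record_version": record["v"],
        "key_bits": key_bits,
        "signature_matches_key": sig_bytes * 8 == key_bits,
        "body_hash_is_sha256": sig["a"].endswith("sha256") and bh_bytes == 32,
        "expires_in_days": (int(sig["x"]) - int(sig["t"])) // 86400,
        "signed_headers": sig["h"].split(":"),
    }


if __name__ == "__main__":
    for name, value in check_consistency(SHOWKEYS_OUTPUT, DKIM_SIGNATURE_HEADER).items():
        print("%-22s %s" % (name, value))
```

For a real deployment, replace the two constants with the output of `amavisd showkeys` and a header from a message your server signed; if `record_name` does not match the name you published, or `signature_matches_key` is false, the verifier on the receiving side will fail the signature even though `testkeys` passes locally.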

Amavisd remark (the lazy approach)

Amavisd only considers DKIM-signing when a message has the $originating flag set.

This flag is supposed to be set only for mail originating from internal IP clients, or from authenticated roaming users.

Example settings

# Listen on one more port - 10026
$inet_socket_port = [10024,10026];

# Assign the ORIGINATING policy bank to that port
$interface_policy{'10026'} = 'ORIGINATING';

# Policy bank - ORIGINATING
$policy_bank{'ORIGINATING'} = {
    originating => 1,
    ...
};

# Policy bank - MYNETS (applied to clients listed in @mynetworks)
$policy_bank{'MYNETS'} = {
    originating => 1,
    ...
};

Note that 'outgoing' is not the same as 'originating from inside'.

The internal-to-internal mail is not outgoing, but is originating from inside.

To base rules on 'originating from inside', the use of policy bank MYNETS is needed, in conjunction with the XFORWARD Postfix extension to SMTP.

Thunderbird verify dkim plugin