Setting up DKIM in amavisd

Last updated: 2018-06-1

Contents

  • Installation and configuration
  • ...
  • Whitelist by DKIM
  • DMARC
  • Thunderbird verify dkim plugin

 


DKIM Verify

 

#### DKIM Setting
$enable_dkim_verification = 1;

After enabling it:

[1] An "Authentication-Results" header field (RFC 5451) is added to the message

e.g.

Authentication-Results: mx1.datahunter.org (amavisd-new); dkim=pass [email protected]

[2] The policy bank maps can be used:

  • @author_to_policy_bank_maps    # different authors go into different policy banks

Lookup key: the author's e-mail address ('From:')

  • @signer_reputation_maps

Can adjust spam score based on signing domain's reputation for valid signatures found in a message.

 


Installation and configuration

  • Step 1: create the key
  • Step 2: configure signing
  • Step 3: display the DNS record required
  • Step 4: set up the DKIM TXT record in DNS
  • Step 5: test

Step 1: create the key

mkdir -p /var/lib/dkim/

cd /var/lib/dkim/

amavisd genrsa datahunter.org.pem

# check running user
grep daemon_  /etc/amavisd.conf

# $daemon_user  = 'amavis';
# $daemon_group = 'amavis';

chown amavis: /var/lib/dkim/*.pem

chmod 640 /var/lib/dkim/*.pem

cat /var/lib/dkim/*.pem

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Step 2: configure signing

Put the following settings in /etc/amavisd/amavisd.conf:

####
$enable_dkim_signing = 1;

# one domain per line
# dkim_key("new.domain", "dkim", "/var/lib/dkim/new.domain.pem");
dkim_key("datahunter.org", "dkim", "/var/lib/dkim/datahunter.org.pem");

# the lazy approach: treat every message as originating (see the Amavisd remark below)
$originating = 1;

service amavisd reload

Step 3: display the DNS record required

amavisd -c /etc/amavisd/amavisd.conf showkeys datahunter.org

; key#1, domain datahunter.org, /var/lib/dkim/datahunter.org.pem
dkim._domainkey.datahunter.org. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVqy15wIM2zFGgu/GArvrVaWzr"
  "r23kHOTJ7i9y6rrtv6vP46RIQZ+eVSopENli2LQlm154gfNCTVIqLRjdVTyOageY"
  "6AdNiFQ3z1uj/iBUWugZyA+Tr+diJzlli0Nq/WRwkoMBLsApmNVXPEul4Kjo0FPO"
  "cpao1TjOU9bRe4FEEQIDAQAB")

Step 4: set up the DKIM DNS TXT record

A) use the record exactly as displayed above

OR

B) strip the double quotes and keep the value on a single line

v=DKIM1; p=MIGfMA0GCSqG.............FEEQIDAQAB

Step 5: test

DNS test:

When the DNS change has not yet taken effect, query the authoritative name server directly:

dig -t txt dkim._domainkey.datahunter.org @DNS1.NAME-SERVICES.COM

P.S.

s._domainkey.d will appear in the mail header, see below !!

s = selector

if your domain selector is: "s1024", your public key record will be "s1024._domainkey.yourdomain"
 

Key test:

amavisd -c /etc/amavisd/amavisd.conf testkeys

TESTING#1: dkim._domainkey.datahunter.org    => pass

The received mail has the header:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=datahunter.org;
     h=user-agent:message-id:subject:subject:to:from:from:date:date
    :content-transfer-encoding:content-type:content-type
    :mime-version; s=dkim; t=1386841757; x=1387705757; bh=15pFrAvOGi
    +eHKJgB6psh6iIBCbvYSuhPj+wQn6C7Ss=; b=RXbcSeWoHNG5sDgHrMmoYVG7rW
    v4H3N0xqnwl9F56jzu1bTcKQsyibD8/EMPvtNlvDbRPmv6tKCjVxIVvA2f+tUIKp
    3QSmTpJgE0oGaPSpdCa11/SSNjJTuQn4Pr+/ICnpGagCnZVgBMm/ge9Jmr+SY6t1
    7I0dkkWEmrrKemkDc=
  • v is the version,
  • a is the signing algorithm,
  • c is the canonicalization algorithm(s) for header and body,
  • q is the default query method,
  • l is the length of the canonicalized part of the body that has been signed,
  • t is the signature timestamp,
  • x is its expiry time (amavisd's default is 10 days later)
  • h is the list of signed header fields
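As an added example (not from the original page or from amavisd itself), the following Python script works through steps 3 to 5 offline on the record and header shown above: it joins the showkeys output into the single-line TXT record of option B, checks that the published p= value is a well-formed DER public key, and parses the folded DKIM-Signature to derive the s._domainkey.d query name and the x - t validity window.

```python
import base64
import re
# Sample inputs copied from the showkeys output and the DKIM-Signature header above.
SHOWKEYS_OUTPUT = """; key#1, domain datahunter.org, /var/lib/dkim/datahunter.org.pem
dkim._domainkey.datahunter.org. 3600 TXT (
  "v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVqy15wIM2zFGgu/GArvrVaWzr"
  "r23kHOTJ7i9y6rrtv6vP46RIQZ+eVSopENli2LQlm154gfNCTVIqLRjdVTyOageY"
  "6AdNiFQ3z1uj/iBUWugZyA+Tr+diJzlli0Nq/WRwkoMBLsApmNVXPEul4Kjo0FPO"
  "cpao1TjOU9bRe4FEEQIDAQAB")
"""
DKIM_SIGNATURE = """v=1; a=rsa-sha256; c=relaxed/simple; d=datahunter.org;
     h=user-agent:message-id:subject:subject:to:from:from:date:date
    :content-transfer-encoding:content-type:content-type
    :mime-version; s=dkim; t=1386841757; x=1387705757; bh=15pFrAvOGi
    +eHKJgB6psh6iIBCbvYSuhPj+wQn6C7Ss=; b=RXbcSeWoHNG5sDgHrMmoYVG7rW
    v4H3N0xqnwl9F56jzu1bTcKQsyibD8/EMPvtNlvDbRPmv6tKCjVxIVvA2f+tUIKp
    3QSmTpJgE0oGaPSpdCa11/SSNjJTuQn4Pr+/ICnpGagCnZVgBMm/ge9Jmr+SY6t1
    7I0dkkWEmrrKemkDc="""

def showkeys_to_txt(output):
    """Step 4 option B: join the quoted chunks into one line; returns (owner, TXT)."""
    name = re.search(r"^(\S+)\s+\d+\s+TXT\s*\(", output, re.M).group(1)
    return name.rstrip("."), "".join(re.findall(r'"([^"]*)"', output))

def parse_dkim_tags(header):
    """Split a tag=value list into a dict, dropping folding whitespace inside values."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # b= and bh= values contain '='
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_record_name(tags):
    """The DNS name a verifier queries for this signature: <s>._domainkey.<d>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])

def signature_lifetime_days(tags):
    """Validity window x - t in days (amavisd's default is 10 days)."""
    return (int(tags["x"]) - int(tags["t"])) / 86400

def check_public_key_record(txt):
    """v=DKIM1 and p= must decode to a DER SubjectPublicKeyInfo: SEQUENCE, long-form length."""
    rec = parse_dkim_tags(txt)
    if rec.get("v") != "DKIM1" or not rec.get("p"):
        return False
    der = base64.b64decode(rec["p"], validate=True)
    return der[0] == 0x30 and der[1] == 0x81 and der[2] == len(der) - 3
```

A record that fails check_public_key_record (a stray quote, a missing chunk, a truncated key) is exactly what produces "fail" from testkeys after publishing, so run it before touching DNS.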

 



Amavisd remark (the lazy approach)

 

Amavisd only considers DKIM-signing when a message has the $originating flag set.

This flag is supposed to be set only for mail originating from internal IP clients, or from authenticated roaming users.

Example setting

# Listen on one more port - 10026
$inet_socket_port = [10024,10026];

# Assign the port to the policy bank ORIGINATING
$interface_policy{'10026'} = 'ORIGINATING';

# policy bank ORIGINATING
$policy_bank{'ORIGINATING'} = {
    originating => 1,
    ...
};

# policy bank MYNETS (internal networks, see the note below)
$policy_bank{'MYNETS'} = {
    originating => 1,
    ...
};

Note that 'outgoing' is not the same as 'originating from inside'.

The internal-to-internal mail is not outgoing, but is originating from inside.

To base rules on 'originating from inside', the use of policy bank MYNETS is needed,

in conjunction with XFORWARD Postfix extension to SMTP.

 


Whitelist by DKIM

 

Provided directly by amavisd (not only by the SpamAssassin DKIM plugin), using the Perl module Mail::DKIM.

The @author_to_policy_bank_maps lookup is keyed on the author (From:) address and is only applied when the message carries a valid DKIM signature for that author domain, so a merely claimed From: address does not land in the whitelist bank.

Configuration

$policy_bank{'DKIM_WHITELIST'} = {
  originating                => 1,
  allow_disclaimers          => 0,
  bypass_spam_checks_maps    => [1],
  bypass_banned_checks_maps  => [1],
  bypass_virus_checks_maps   => [1],
  bypass_header_checks_maps  => [1],
};

@author_to_policy_bank_maps = ( {
    'qq.com'               => 'DKIM_WHITELIST',
    'datahunter.org'       => 'DKIM_WHITELIST',
  } );

Log (test)

# did not hit the whitelist

... Passed CLEAN, [FROM_IP] [PRIVER_IP] ... Hits: 1.19, ... [email protected], ...

# hit the whitelist

... Passed CLEAN, DKIM_WHITELIST LOCAL [FROM_IP] [PRIVER_IP] ... Hits: -, ... [email protected], ...

 


DMARC

 

Amavis does not validate DMARC. If DMARC validation is needed, something like opendmarc has to be used.

 


Thunderbird verify dkim plugin
