Amavis DKIM

E-mail authentication using DKIM and amavis.

Here is a quick setup of DKIM signing and DKIM/DK verification by amavisd for the impatient, without much explanation, assuming all originating mail comes from internal networks (not from authenticated roaming clients), only one domain needs signing, using default signature tags, no milters are in use and no mailing list manager needs signing. No changes in Postfix configuration is necessary for this simple setup. For more information and more complex setups please see sections further on.

Generate a signing key:

$ amavisd genrsa <path>example-foo.key.pem

add to amavisd.conf:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('example.com', 'mail', '<path>example-foo.key.pem');
@dkim_signature_options_bysender_maps = (    { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
                 192.168.0.0/16);  # list your internal networks

run:

$ amavisd showkeys

Add the public key (as displayed) to your DNS zone, increment SOA sequence number and reload DNS; then test signing and a published key:

$ORIGIN example.com.
;
mail._domainkey         TXT     "k=rsa\; p=<pubkey>"
_domainkey              TXT     "t=y; o=~;"

$ amavisd testkeys

TESTING#1:mail._domainkey.exmaple.com => pass

if all went well:

$ amavisd reload

You can also send an email to check-auth@verifier.port25.com to receive an auto reply with information on the status of your DomainKey implementation.

SpamAssassin

When all works well also change your spamassassin local.cf

# DKIM - perform DKIM verification
#
# Mail::DKIM module required for use.
#
loadplugin Mail::SpamAssassin::Plugin::DKIM
# DKIM options
score DKIM_VERIFIED -0.1
score DKIM_SIGNED    0
# don't waste time on ASP record, hardly anyone publishes it
score DKIM_POLICY_SIGNALL  0
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING  0
# DKIM-based whitelisting of domains with good reputation:
score USER_IN_DKIM_WHITELIST -8.0
whitelist_from_dkim  *@ebay.com
whitelist_from_dkim  *@*.ebay.com
whitelist_from_dkim  *@ebay.co.uk
whitelist_from_dkim  *@*.ebay.co.uk
whitelist_from_dkim  *@ebay.at
whitelist_from_dkim  *@ebay.ca
whitelist_from_dkim  *@ebay.de
whitelist_from_dkim  *@ebay.fr
whitelist_from_dkim  *@*.paypal.com
whitelist_from_dkim  *@paypal.com
whitelist_from_dkim  *@*                paypal.com
whitelist_from_dkim  *@*.paypal.be
whitelist_from_dkim  *@cern.ch
whitelist_from_dkim  *@amazon.com
whitelist_from_dkim  *@springer.delivery.net
whitelist_from_dkim  *@cisco.com
whitelist_from_dkim  *@alert.bankofamerica.com
whitelist_from_dkim  *@bankofamerica.com
whitelist_from_dkim  *@cnn.com
whitelist_from_dkim  *@*.cnn.com
whitelist_from_dkim  *@skype.net
whitelist_from_dkim  service@youtube.com
whitelist_from_dkim  *@welcome.skype.com
whitelist_from_dkim  *@cc.yahoo-inc.com  yahoo-inc.com
whitelist_from_dkim  *@cc.yahoo-inc.com
whitelist_from_dkim  rcapotenoy@yahoo.com
whitelist_from_dkim  googlealerts-noreply@google.com
# DKIM-based whitelisting of domains with less then perfect
# reputation can be given fewer negative score points:
score USER_IN_DEF_DKIM_WL -1.5
def_whitelist_from_dkim   *@google.com
def_whitelist_from_dkim   *@googlemail.com
def_whitelist_from_dkim   *@*  googlegroups.com
def_whitelist_from_dkim   *@*  yahoogroups.com
def_whitelist_from_dkim   *@*  yahoogroups.co.uk
def_whitelist_from_dkim   *@*  yahoogroupes.fr
def_whitelist_from_dkim   *@yousendit.com
def_whitelist_from_dkim   *@meetup.com
def_whitelist_from_dkim   dailyhoroscope@astrology.com

Amavis DKIM

SpamAssassin

Bugtraq

Full Disclosure

Security.NL