E-mail authentication using DKIM and amavis.
Here is a quick setup of DKIM signing and DKIM/DomainKeys verification by amavisd for the impatient, without much explanation. It assumes that all originating mail comes from the internal networks listed in @mynetworks (not from authenticated roaming clients), that only one domain needs signing, that the default signature tags are acceptable, that no milters are in use and that no mailing list manager needs signing. No changes to the Postfix configuration are necessary for this simple setup. For more information and more complex setups please see the sections further on.
Generate a signing key. amavisd genrsa takes an optional key size as a second argument and defaults to 1024 bits; use 2048 bits for a new deployment. The resulting private key must be readable by the user amavisd runs as and by nobody else:
$ amavisd genrsa <path>example-foo.key.pem
add to amavisd.conf:
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
# signing domain, selector, private key file
dkim_key('example.com', 'mail', '<path>example-foo.key.pem');
# ttl: signature expiration (x= tag) 21 days after signing
# c:   header/body canonicalization (relaxed header, simple body)
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
# list your internal networks; mail from them is treated as originating and gets signed
@mynetworks = qw(0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16);
run:
$ amavisd showkeys
Add the public key (as displayed) to your DNS zone, increment the SOA serial and reload the zone; then test signing and the published key:
$ORIGIN example.com.
; DKIM key record for selector "mail"; a leading v=DKIM1 tag is optional but recommended
mail._domainkey TXT "k=rsa\; p=<pubkey>"
; legacy DomainKeys policy record (t=y: testing mode, o=~: only some mail is signed); not needed for DKIM
_domainkey      TXT "t=y; o=~;"
$ amavisd testkeys
TESTING#1:mail._domainkey.example.com => pass
if all went well:
$ amavisd reload
You can also send an email to check-auth@verifier.port25.com to receive an automatic reply reporting the status of your DKIM/DomainKeys implementation.
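The step that usually goes wrong is the DNS record: a p= value pasted without v=DKIM1, a 2048-bit key that exceeds the 255-character limit of a single TXT string, or a record left in t=y testing mode. The following checker is an added example written for this page; it is not part of amavisd or of the original text. It parses a DKIM key record the way a verifier does (tag=value list, base64 SubjectPublicKeyInfo), reads the RSA modulus size with a minimal DER walker, reports the problems a practitioner cares about, and formats the record as split TXT strings for a BIND zone file. The sample moduli are constructed integers of the right DER shape, not real RSA keys, and `sample_record`, `check_key_record` and `zone_txt_rdata` are names chosen here.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption


def parse_tags(record):
    """DKIM tag=value list (RFC 6376 s3.2) -> dict. Whitespace inside a value is
    folding whitespace and is dropped, so a p= wrapped over several zone-file
    strings parses the same as a single-line one."""
    tags = {}
    for part in record.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        name, value = part.split("=", 1)
        if name.strip() in tags:
            raise ValueError(f"duplicate tag: {name.strip()}")
        tags[name.strip()] = "".join(value.split())
    return tags


def _der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(x):
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # INTEGER is signed


def rsa_spki(n, e):
    """SubjectPublicKeyInfo for an RSA key, the encoding a DKIM p= tag carries."""
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + pub))


def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Walk the SubjectPublicKeyInfo down to the RSA modulus; return its size."""
    tag, body, _ = _tlv(spki, 0)
    alg_tag, alg, pos = _tlv(body, 0)
    oid_tag, oid, _ = _tlv(alg, 0)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid != RSA_OID:
        raise ValueError("p= is not an rsaEncryption SubjectPublicKeyInfo")
    bs_tag, bitstr, _ = _tlv(body, pos)
    if bs_tag != 0x03:
        raise ValueError("BIT STRING with the public key is missing")
    _, rsapub, _ = _tlv(bitstr[1:], 0)  # bitstr[0] is the unused-bits count
    n_tag, n, _ = _tlv(rsapub, 0)
    if n_tag != 0x02:
        raise ValueError("RSAPublicKey does not start with INTEGER n")
    return int.from_bytes(n, "big").bit_length()


def check_key_record(record):
    """Lint one key record -> {"bits", "testing", "errors", "warnings"}.
    Anything in "errors" means verifiers would reject or ignore the key."""
    result = {"bits": None, "testing": False, "errors": [], "warnings": []}
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        result["errors"].append(str(exc))
        return result
    if tags.get("v", "DKIM1") != "DKIM1":
        result["errors"].append(f"unsupported version {tags['v']!r}")
    elif "v" not in tags:
        result["warnings"].append("v=DKIM1 missing (optional, but recommended)")
    if tags.get("k", "rsa") != "rsa":
        result["errors"].append(f"unsupported key type {tags['k']!r}")
    result["testing"] = "y" in tags.get("t", "").split(":")
    if result["testing"]:
        result["warnings"].append("t=y: a failing signature is treated like unsigned mail")
    if "p" not in tags:
        result["errors"].append("p= tag missing")
    elif tags["p"] == "":
        result["errors"].append("p= is empty: this record revokes the key")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
            result["bits"] = bits
            if bits < 1024:
                result["errors"].append(f"{bits}-bit RSA key is too weak; verifiers reject it")
            elif bits < 2048:
                result["warnings"].append(f"{bits}-bit key; 2048 bits is the current recommendation")
        except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError
            result["errors"].append(f"p= does not decode: {exc}")
    return result


def zone_txt_rdata(record):
    """Quote a record for a BIND zone file, split at 255 characters: one TXT
    <character-string> cannot be longer, and a 2048-bit p= always is."""
    chunks = [record[i:i + 255] for i in range(0, len(record), 255)]
    return "( " + " ".join(f'"{c}"' for c in chunks) + " )"


def sample_record(bits, extra=""):
    """Constructed test record: a DER-valid modulus of the given size (top bit
    and a low bit set), not a real RSA key; extra is spliced in before p=."""
    spki = rsa_spki((1 << (bits - 1)) | 0x10001, 65537)
    return f"v=DKIM1; k=rsa; {extra}p=" + base64.b64encode(spki).decode()


SAMPLE_2048 = sample_record(2048)            # clean record, needs two TXT strings
SAMPLE_1024_TESTING = sample_record(1024, "t=y; ")  # what the page's t=y setup publishes
```

Run `check_key_record` on the string amavisd showkeys prints (with the quotes and line breaks removed; folding whitespace inside p= is tolerated) and paste `zone_txt_rdata` output after `mail._domainkey TXT`. An empty p= is not a typo but a key revocation, so the checker treats it as fatal rather than as a warning.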
SpamAssassin
When everything works, also update your SpamAssassin local.cf. The whitelist_from_dkim entries below are honoured only when the message carries a valid DKIM signature from the author's domain (or from the signing domain given as the second argument), so unlike whitelist_from they cannot be triggered by a forged From: header. The rule names are those of SpamAssassin 3.2; 3.3 renamed DKIM_VERIFIED to DKIM_VALID (with DKIM_VALID_AU for an author-domain signature) and replaced the DKIM_POLICY_* rules with DKIM_ADSP_*.
# DKIM - perform DKIM verification
#
# Mail::DKIM module required for use.
#
loadplugin Mail::SpamAssassin::Plugin::DKIM

# DKIM options
score DKIM_VERIFIED -0.1
score DKIM_SIGNED 0
# don't waste time on ASP record, hardly anyone publishes it
score DKIM_POLICY_SIGNALL 0
score DKIM_POLICY_SIGNSOME 0
score DKIM_POLICY_TESTING 0

# DKIM-based whitelisting of domains with good reputation:
score USER_IN_DKIM_WHITELIST -8.0
whitelist_from_dkim *@ebay.com
whitelist_from_dkim *@*.ebay.com
whitelist_from_dkim *@ebay.co.uk
whitelist_from_dkim *@*.ebay.co.uk
whitelist_from_dkim *@ebay.at
whitelist_from_dkim *@ebay.ca
whitelist_from_dkim *@ebay.de
whitelist_from_dkim *@ebay.fr
whitelist_from_dkim *@*.paypal.com
whitelist_from_dkim *@paypal.com
whitelist_from_dkim *@*.paypal.be
whitelist_from_dkim *@cern.ch
whitelist_from_dkim *@amazon.com
whitelist_from_dkim *@springer.delivery.net
whitelist_from_dkim *@cisco.com
whitelist_from_dkim *@alert.bankofamerica.com
whitelist_from_dkim *@bankofamerica.com
whitelist_from_dkim *@cnn.com
whitelist_from_dkim *@*.cnn.com
whitelist_from_dkim *@skype.net
whitelist_from_dkim service@youtube.com
whitelist_from_dkim *@welcome.skype.com
# second argument: the signing domain (d=) that must have signed, when it differs from the author domain
whitelist_from_dkim *@cc.yahoo-inc.com yahoo-inc.com
whitelist_from_dkim *@cc.yahoo-inc.com
whitelist_from_dkim rcapotenoy@yahoo.com
whitelist_from_dkim googlealerts-noreply@google.com

# DKIM-based whitelisting of domains with less than perfect
# reputation can be given fewer negative score points:
score USER_IN_DEF_DKIM_WL -1.5
def_whitelist_from_dkim *@google.com
def_whitelist_from_dkim *@googlemail.com
def_whitelist_from_dkim *@*.googlegroups.com
def_whitelist_from_dkim *@*.yahoogroups.com
def_whitelist_from_dkim *@*.yahoogroups.co.uk
def_whitelist_from_dkim *@*.yahoogroupes.fr
def_whitelist_from_dkim *@yousendit.com
def_whitelist_from_dkim *@meetup.com
def_whitelist_from_dkim dailyhoroscope@astrology.com
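To show why the -8.0 score above is safe for whitelist_from_dkim but would be reckless for whitelist_from, here is an added example (not SpamAssassin code, not from the original page) that models both checks over a few constructed messages. Each message is a From: address plus the d= domains of the DKIM signatures that verified. The whitelist, the message set and the function names are chosen here; one modelling assumption is stated in the docstring and was not checked against SpamAssassin's source.

```python
import fnmatch

# Constructed whitelist in local.cf syntax: whitelist_from_dkim addr-pattern [signing-domain].
# The explicit signing domain is the form the page uses for cc.yahoo-inc.com.
WHITELIST = [
    ("*@paypal.com", None),
    ("*@*.ebay.com", None),
    ("*@cc.yahoo-inc.com", "yahoo-inc.com"),
]


def _matches(addr, pattern):
    """SpamAssassin address patterns are case-insensitive globs (* and ? only)."""
    return fnmatch.fnmatchcase(addr.lower(), pattern.lower())


def plain_whitelisted(from_addr, whitelist=WHITELIST):
    """whitelist_from semantics: the From: address alone decides, so anything
    an attacker can type into a From: header passes."""
    return any(_matches(from_addr, pat) for pat, _ in whitelist)


def dkim_whitelisted(from_addr, valid_signers, whitelist=WHITELIST):
    """whitelist_from_dkim semantics as modelled here: the From: address must
    match the pattern AND a signature that verified (its d= is in valid_signers)
    must come from the required domain. Assumption: with no explicit signing
    domain, d= must equal the From: domain exactly (an author-domain signature)."""
    signers = {d.lower() for d in valid_signers}
    author_domain = from_addr.rsplit("@", 1)[-1].lower()
    for pattern, signer in whitelist:
        if _matches(from_addr, pattern) and (signer or author_domain).lower() in signers:
            return True
    return False


# Constructed messages: (From: address, d= of every DKIM signature that verified)
MESSAGES = {
    "genuine":   ("service@paypal.com", ["paypal.com"]),
    "spoofed":   ("service@paypal.com", []),                    # forged From:, unsigned
    "relayed":   ("service@paypal.com", ["attacker.example"]),  # forged From:, attacker's own key
    "subdomain": ("deals@news.ebay.com", ["news.ebay.com"]),
    "apex":      ("deals@ebay.com", ["ebay.com"]),              # *@*.ebay.com does not cover the apex
    "explicit":  ("news@cc.yahoo-inc.com", ["yahoo-inc.com"]),
}


def classify(messages=MESSAGES):
    """For each message: (passes whitelist_from, passes whitelist_from_dkim)."""
    return {name: (plain_whitelisted(f), dkim_whitelisted(f, s))
            for name, (f, s) in messages.items()}
```

The "spoofed" and "relayed" rows are the point: a plain address whitelist accepts them, the DKIM-backed one does not, because the attacker cannot produce a signature with d=paypal.com. The "apex" row shows why the page lists both `*@ebay.com` and `*@*.ebay.com`: a glob with a dot before the domain does not match mail from the domain itself.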