Guide to DKIM signing with amavisd-new and postfix

EDIT: I have updated the format to work better with Jekyll. No content has been changed, only formatting.

This guide assumes that you already have a working amavisd-new setup.  There are plenty of other guides that are already out there for that so I don’t want to just rehash the same stuff.  However, the guides to do DKIM with amavisd are fairly spread out and difficult to follow, or are embedded in a guide for an entire system.  This makes it difficult to just update your settings properly when you already have a working set up.

Because DKIM signing requires a message to be marked as ORIGINATING in amavisd, you will have to update both postfix and amavisd settings if you follow this guide.

Let me explain my set up.  I have several ports on amavisd open in order to mark mails as incoming or outgoing.  All mail received on port 25 is sent as received and all messages received on 587 (submission) are considered originating.  Also, all messages picked up by the postfix “pickup” service are also considered originating so they get signed as well.

Please remember to back up your configs!

Let us begin by generating some DKIM keys.  I store mine in /var/db/dkim/ but you can store them anywhere really.  The amavisd command also could be amavisd-new as it is on Debian 6

$ amavisd genrsa /var/db/dkim/

This will generate a key for you.

Next, add them to amavisd.conf like this

$enable_dkim_verification = 1;  
$enable_dkim_signing = 1;  
dkim_key("", "selector", "/var/db/dkim/");  
@dkim_signature_options_bysender_maps = (     { "." => { ttl => 21*24*3600, c => "relaxed/simple" } } );

Then you can run:

$ amavisd showkeys

That will show you the DNS record you need to add. For Linode DNS, you need to get rid of all of the quotation marks and line breaks but I believe if using BIND you can just copy it directly.

Once you have updated DNS, you can test by running:

$ amavisd testkeys

That will show you if everything went well.  Before we reload amavisd, we need to update a bit more on it”s side and postfix side.

To do this, you need one amavisd interface for incoming and one for outgoing.  For me, these are 10024 and 10026 which can be activated by adding or ammending the following line in amavisd.conf

$inet_socket_port = [10024,10026];

Then you need to set up the policy blocks in amavisd.conf to mark messages received on 10026 as originating. This is what mine looks like.

$interface_policy{"10026"} = "ORIGINATING";
$policy_bank{"ORIGINATING"} = { # mail supposedly originating from our users
originating => 1, # declare that mail was submitted by our smtp client
allow_disclaimers => 1, # enables disclaimer insertion if available
# notify administrator of locally originating malware
virus_admin_maps => ["virusalert\@$mydomain"],
spam_admin_maps => ["virusalert\@$mydomain"],
warnbadhsender => 1,
# forward to a smtpd service providing DKIM signing service
forward_method => "smtp:[]:10027",
# force MTA conversion to 7-bit (e.g. before DKIM signing)
smtpd_discard_ehlo_keywords => ["8BITMIME"],
bypass_banned_checks_maps => [1], # allow sending any file names and types
terminate_dsn_on_notify_success => 0, # don"t remove NOTIFY=SUCCESS option

This will tell amavisd that ALL email received via 10026 is considered originating.


This part is dependant on your current configuration.  In my case I had ALL mail passing through via the content_filter directive in /etc/postfix/  I opted to leave this and override it for certain processes in /etc/postfix/  I decided to mark all mail received on submission (port 587) as originating and all mail received on the “pickup” section as well.  You can choose any you want and make it look like this:

submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o content_filter=amavisfeed:[]:10026

The amavisfeed:[]:10026 can be replaced by however you have it set up to feed to amavis.

Secondly, you will need to enable the 10027 port on the postfix side by adding this to your

[]:10027 inet n - n - - smtpd  
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=[]/8
-o smtpd_error_sleep_time=0  
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=

Now it is time to reload both postfix and amavisd! This should be all you need, but you may want to set SOFTBOUNCE to yes in postfix just to be sure.  Please feel free to contact me with any questions.