Hi Mark, thanks a lot for your reply, much appreciated!
Is there dedicated DKIM documentation for amavis? I only found information at the "bits and pieces" page, but have a few other questions, so before asking this list, I'd like to do RTFM, especially if it's not RTF-RFC. :-) Apart from an explanation of the available settings, I'm missing the description of the tags.

2011/1/12 Mark Martinec <mark.martinec+ama...@ijs.si>:
>> However, I have problems with signing my hosted mailing lists -- as
>> footers are added and subjects are modified, the DKIM signature is
>> broken. As far as I understood, this does no harm, and is normal --
>> signing only parts of the body has to be implemented on the sender's
>> side, which I can't influence.
>
> Well, yes, although 'signing only parts of the body' (tag 'l') is
> not very useful, as it can too easily be abused. The sooner we
> forget it exists, the better.

So, if someone from outside mails to one of my hosted mailing lists, and these lists change the subject or add a footer, it's fairly normal that the Authentication-Result shows softfail for DKIM, right? (Of course, if it annoys, I could remove it e.g. with Postfix header checks.)

> If these signatures are from the domain which also runs a mailing list
> (as opposed to a signature of an author of each post), then these signatures
> should have been added on the fan-out side of their mailing list manager,
> i.e. after all the mangling of a message has already been made.

Right now, the messages get signed two times: first of all, when my users submit their mail via port 587; then it goes to the mailing list, the authentication-result afterwards is broken (because of subject and footer), and eventually, all is re-signed again. It still sounds a bit weird to me, but it basically seems to work. What makes me wonder is that the Authentication-Result header is not added all of the time when a local user sends to a local list, but that might be on purpose?
>> It looks, however, as if amavisd-new only adds third-party signatures when
>> the sender is not from one of my hosted domains.
>
> It tries to add the best available signature, subject to overrides in
> @dkim_signature_options_bysender_maps. A signing domain matching
> an author domain (From) is considered better than other matches.
>
> If a message already contains a *valid* signature from a domain
> which we are just considering adding, then a duplicate will not be added
> (which solves a case when a message passes (unchanged) through amavisd
> multiple times for some reason).
>
> Grep a log (level 2 or higher) and search for ' dkim: ' (space before and
> after).
> These log entries explain the choices made about signing.

Thanks, I will try that! Right now, my configuration parts look like this:

== main.cf ==
smtp       inet  n       -       n       -       -       smtpd
  -o receive_override_options=no_address_mappings
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o receive_override_options=no_address_mappings
  -o content_filter=amavisfeed:[127.0.0.1]:10026
amavisfeed unix  -       -       n       -       5       lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n   -       n       -       -       smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
127.0.0.1:10027 inet n   -       n       -       -       smtpd
  -o receive_override_options=no_address_mappings
  -o content_filter=amavisfeed:[127.0.0.1]:10028
==

== amavis ==
$inet_socket_port = [10024,10026,10028];
$enable_dkim_signing = 1;
dkim_key('domain1.org', '20110105', '/etc/amavis/domain1.org.key.pem');
dkim_key('domain2.org', '20110105', '/etc/amavis/domain1.org.key.pem');
dkim_key('lists.domain1.org', '20110105', '/etc/amavis/domain1.org.key.pem');
dkim_key('lists.domain2.org', '20110105', '/etc/amavis/domain1.org.key.pem');

$policy_bank{'ORIGINATING'} = {
  originating => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  final_spam_destiny => D_BOUNCE,
  final_virus_destiny => D_BOUNCE,
  final_banned_destiny => D_BOUNCE,
};

$policy_bank{'NOCHECKS'} = {
  originating => 1,
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  mynetworks_maps => [],
  os_fingerprint_method => undef,
  penpals_bonus_score => undef,
  bounce_killer_score => 0,
  bypass_decode_parts => 1,
  bypass_header_checks_maps => [1],
  bypass_virus_checks_maps => [1],
  bypass_spam_checks_maps => [1],
  bypass_banned_checks_maps => [1],
  spam_lovers_maps => [1],
  banned_files_lovers_maps => [1],
  dkim_signature_options_bysender_maps => [ {
    'domain1.org'       => { d => 'domain1.org',       c => 'relaxed/simple' },
    'domain2.org'       => { d => 'domain2.org',       c => 'relaxed/simple' },
    'lists.domain1.org' => { d => 'lists.domain1.org', c => 'relaxed/simple' },
    'lists.domain2.org' => { d => 'lists.domain2.org', c => 'relaxed/simple' },
  } ],
};

$interface_policy{'10026'} = 'ORIGINATING';
$interface_policy{'10028'} = 'NOCHECKS';
==

As you can see, I'm still rather new to the DKIM topic. :-) I was reading your docs and some mailing list posts and ended up with the above configuration, but there might be some glitches in it.

> Is the 'dkim_signature_options_bysender_maps => ...' syntactically part
> of a policy bank hash (key/value pairs)? If it is not but is a global
> setting,
> then your syntax is wrong, you need a proper assignment to a variable
> @dkim_signature_options_bysender_maps, not a key=>value pair.
>
> In your case that would be:
>
> @dkim_signature_options_bysender_maps = ( {
>   'second-domain.tld' => { d => 'second-domain.tld', c => 'relaxed/simple' },
>   'first-domain.tld' => { d => 'first-domain.tld', c => 'relaxed/simple' },
>   'lists.second-domain.tld' => { d => 'lists.second-domain.tld', c => 'relaxed/simple' },
>   'lists.first-domain.tld' => { d => 'lists.first-domain.tld', c => 'relaxed/simple' },
> } );

At the moment, it is part of a policy bank, but just because I've seen that in an example and tried it out, to be honest. :-) Is the global approach better? I feel as if I'm still missing some basic information and knowledge on the DKIM process. Any pointers welcome!

Thanks so much,
Florian

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
Please visit http://www.ijs.si/software/amavisd/ regularly
For administrativa requests please send email to rainer at openantivirus dot org
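The thread above asks why a list that tags the Subject or appends a footer breaks a signature made with c=relaxed/simple. As an added illustration (not code from the thread, from amavisd-new, or from Mark's reply), the following Python implements the two RFC 6376 canonicalizations that c= tag selects and checks whether the signed Subject and body hash survive each change; the sample post, list tag and footer are constructed.

```python
import base64
import hashlib
import re
# Canonicalization rules follow RFC 6376 section 3.4 (c=relaxed/simple means
# relaxed headers, simple body); the sample post and list footer are constructed.

def simple_body(body: bytes) -> bytes:
    """'simple' body canonicalization: CRLF line endings, trailing empty lines
    dropped, and a completely empty body becomes a single CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"

def relaxed_header(name: str, value: str) -> str:
    """'relaxed' header canonicalization: lowercase name, unfolded value,
    runs of whitespace collapsed to one space, no whitespace at the ends."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()  # collapse and trim WSP
    return f"{name.lower().strip()}:{value}\r\n"

def body_hash(body: bytes) -> str:
    """The bh= tag value the signer stores: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(simple_body(body)).digest()).decode()

# Constructed: the post as a user submitted it on port 587, before the list ran.
ORIGINAL_SUBJECT = "Re: DKIM and mailing lists"
ORIGINAL_BODY = b"Hello list,\r\n\r\nhas anyone got amavis signing working?\r\n"

# Constructed: what a list manager does on fan-out, tag the Subject, add a footer.
LIST_SUBJECT = "[lists] Re: DKIM and mailing lists"
LIST_FOOTER = b"-- \r\nlists mailing list\r\nhttps://lists.example.org/\r\n"

def still_verifies(orig_subject: str, orig_body: bytes,
                   new_subject: str, new_body: bytes) -> bool:
    """A signature covering Subject and the whole body (no l= tag) can only
    verify if both canonical forms are byte-identical to what was signed."""
    same_body = body_hash(orig_body) == body_hash(new_body)
    same_subject = (relaxed_header("Subject", orig_subject)
                    == relaxed_header("Subject", new_subject))
    return same_body and same_subject

if __name__ == "__main__":
    # Whitespace-only changes survive relaxed/simple; list mangling does not.
    signed = (ORIGINAL_SUBJECT, ORIGINAL_BODY)
    print("refolded:", still_verifies(*signed, "Re:  DKIM and\r\n mailing lists",
                                      ORIGINAL_BODY + b"\r\n"))
    print("tagged:  ", still_verifies(*signed, LIST_SUBJECT, ORIGINAL_BODY))
    print("footer:  ", still_verifies(*signed, ORIGINAL_SUBJECT,
                                      ORIGINAL_BODY + LIST_FOOTER))
```

This is also why a signature added on the list's fan-out side, after the tag and footer are in place, verifies while the author's earlier one does not.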