Hello!
Here are my so far unsuccessful attempts to link opendkim with amavis in
order to add or verify the DKIM signature to mails.
_*/etc/opendkim.conf*_
Canonicalization relaxed/simple
Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain meinedomain.de
Selector default
KeyFile /etc/opendkim/keys/meinedomain.de/default.private
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
#Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
Socket inet:8892@localhost
PidFile /run/opendkim/opendkim.pid
_*/etc/amavis/conf.d/50-user*_
$policy_bank{'ORIGINATING'} = {  # mail supposedly originating from our users
  originating => 1,  # declare that mail was submitted by our smtp client
  allow_disclaimers => 1,  # enables disclaimer insertion if available
  # notify administrator of locally originating malware
  virus_admin_maps => ["virusalert\@$mydomain"],
  spam_admin_maps  => ["virusalert\@$mydomain"],
  warnbadhsender => 1,
  # force MTA conversion to 7-bit (e.g. before DKIM signing)
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
  bypass_banned_checks_maps => [1],  # allow sending any file names and types
  terminate_dsn_on_notify_success => 0,  # don't remove NOTIFY=SUCCESS option
};
$max_servers = 4;
#$undecipherable_subject_tag = '***Encrypted Message***'
$undecipherable_subject_tag = undef;
@client_ipaddr_policy = (
  [qw( 0.0.0.0/8 127.0.0.1/8 [::] [::1] )] => 'LOCALHOST',
  \@mynetworks => 'MYNETS',
);
$policy_bank{'LOCALHOST'} = {
  originating => 1,
  bypass_virus_checks_maps  => [1],
  bypass_spam_checks_maps   => [1],
  bypass_banned_checks_maps => [1],
};
$bad_header_quarantine_method = undef;
# Enable DKIM signing
dkim_key('meinedomain.de', 'default', '/etc/opendkim/keys/meinedomain.de/default.private');
# Use OpenDKIM for signing
#$enable_dkim = 1;
$enable_dkim_signing = 1;
$enable_dkim_verification = 1;
#------------ Do not modify anything below this line -------------
1; # ensure a defined return
_*/etc/postfix/main.cf Milter config*_
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendmarc/opendmarc.sock,
    local:spamass/spamass.sock, inet:127.0.0.1:8892
non_smtpd_milters = $smtpd_milters
Now I have the problem that opendkim still adds the DKIM signature
immediately after the mail is delivered and amavis no longer starts due
to missing read rights for the key file. If I set the reading rights to
640, amavis starts, but then I get the error message:
2024-12-24T12:49:49.950952-06:00 axum opendkim[2486]: default._domainkey.meinedomain.de: key data is not secure: /etc/opendkim/keys/meinedomain.de/default.private is in group 120 which has multiple users (e.g., "postfix")
Now I am completely confused and don't know how to proceed.
Unfortunately, I can find almost nothing on the subject of opendkim
integration (signing/verification) in amavis. At least nothing that is
promising.
Merry X-mas
Andreas
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
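The "key data is not secure" refusal quoted in the post comes from OpenDKIM's RequireSafeKeys check, which is on by default. Amavis's own `$enable_dkim_signing` reads the key declared with `dkim_key()` itself, running as the amavis user, which is why the key file's group permissions were widened, and that is exactly what OpenDKIM then rejects: a key that is group-accessible is only accepted when the owning group contains a single account. The script below is an added example and is neither part of the post nor OpenDKIM's code. It reproduces that decision so a key's permissions can be tested before restarting the milter. The grouping logic is modelled on OpenDKIM's behaviour as visible in the logged message; the message texts, the dummy key contents and the sample group memberships are constructed for the example.

```python
"""Reproduce OpenDKIM's RequireSafeKeys decision for a private key file.

Added example (not opendkim's own code). Modelled on the behaviour behind the
"key data is not secure" log line: a regular file is rejected when it is
accessible to "other", or when it is group-accessible and the owning group has
more than one account (explicit members in /etc/group plus accounts whose
primary group it is). Message wording is reconstructed, not copied.
"""
import grp
import os
import pwd
import stat
import tempfile


def group_members(gid):
    """Every account in group `gid`: explicit /etc/group members plus
    /etc/passwd entries whose primary group is `gid`."""
    names = set()
    try:
        names.update(grp.getgrgid(gid).gr_mem)
    except KeyError:
        pass  # unknown gid: only primary-group users can count
    for pw in pwd.getpwall():
        if pw.pw_gid == gid:
            names.add(pw.pw_name)
    return names


def key_problems(path, members_of=group_members):
    """Return the reasons OpenDKIM (RequireSafeKeys yes) would refuse `path`.
    An empty list means the key would be accepted.

    `members_of(gid)` is injectable so the check can be exercised against a
    constructed group layout instead of the host's /etc/group."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        return problems  # only regular files are policed
    if mode & stat.S_IRWXO:
        problems.append(f"{path} is accessible to other users (mode {mode:04o})")
    if mode & stat.S_IRWXG:
        users = sorted(members_of(st.st_gid))
        if len(users) > 1:
            problems.append(
                f"{path} is in group {st.st_gid} which has multiple users "
                f"(e.g., {', '.join(users)})")
    return problems


def check_constructed_key(mode, group_users):
    """Write a throwaway dummy key (constructed, not real key material),
    chmod it to `mode`, and evaluate it against a constructed group whose
    members are `group_users`."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "default.private")
        with open(path, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nconstructed-dummy\n"
                    "-----END PRIVATE KEY-----\n")
        os.chmod(path, mode)
        return key_problems(path, members_of=lambda gid: set(group_users))


if __name__ == "__main__":
    # The layout from the post: key 0640, group shared by opendkim and postfix.
    for mode in (0o640, 0o600):
        found = check_constructed_key(mode, {"opendkim", "postfix"})
        print(f"mode {mode:04o}: {found or 'key accepted'}")
    # Same 0640 key in a group that holds a single account is accepted.
    print("single-user group:",
          check_constructed_key(0o640, {"opendkim"}) or "key accepted")
```

Run `key_problems('/etc/opendkim/keys/meinedomain.de/default.private')` on the mail host to evaluate the real file against the host's own group membership. The layouts the check accepts are a 0600 key owned by the opendkim user (with a separate 0600 copy owned by the amavis user if amavis is to sign with it as well), or a group-readable key whose group contains exactly one account; `RequireSafeKeys no` in opendkim.conf disables the check entirely, at the cost of the protection it gives.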