DKIM in amavisd-new and postfix


As most of you know, email is an inherently insecure protocol. Basically, you are sending around text files in a certain format, and you have to trust the servers that forward the email not to modify its content and not to lie about who they are.

One of the big issues here is that anybody can claim to be sending email from any domain, and whoever receives the email has no way to tell and has to believe it.

DKIM adds a certain level of protection. It gives the owner of a domain's DNS zone the possibility to publish a cryptographic public key for anyone who cares to validate signatures. The sending mailserver holds the corresponding private key and signs every outgoing message with it; the signature goes into a DKIM-Signature header and covers the message body plus a selected set of headers. Every recipient can then check whether the signature is correct by fetching the published public key from DNS.

A lot of the big players like Gmail have added support for DKIM signatures to their infrastructure.

I have also implemented DKIM (along with SPF) on my mail server.

Following are the basic steps necessary to implement DKIM:

  1. create a crypto key-pair
  2. set up a separate path in your mailer for outgoing mail
  3. configure the mailer to sign outgoing messages
  4. publish the public key through DNS

The best howto I came across is this

The most important part is to have postfix tag mail as originating (our own outgoing mail) or foreign (everything else), so that each kind reaches amavisd on a different port and only originating mail gets signed. This is done with two check_sender_access lookups in the postfix configuration:

smtpd_sender_restrictions = 
    check_sender_access regexp:/etc/postfix/
    check_sender_access regexp:/etc/postfix/

The regexp tables select the amavisd port each message is handed to.
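As an added example (not the post's own configuration; the file names, the transport name smtp-amavis and the listening ports are assumptions, since the post's own paths are cut off), the complete postfix side of this two-port split looks like this. The trick is that the FILTER action of an access table does not end the restriction evaluation: the first lookup matches every sender and selects the signing port, permit_mynetworks and permit_sasl_authenticated then stop evaluation for our own clients, and everything else reaches the second lookup, which selects the foreign port. Postfix's access(5) documents that when several FILTER actions fire, only the last one wins.

```text
# /etc/postfix/main.cf
# Default filter for mail that never passes smtpd (local submission via
# sendmail/pickup); that mail is ours and may be signed.
content_filter = smtp-amavis:[127.0.0.1]:10026

smtpd_sender_restrictions =
    check_sender_access regexp:/etc/postfix/tag_as_originating.re
    permit_mynetworks
    permit_sasl_authenticated
    check_sender_access regexp:/etc/postfix/tag_as_foreign.re

# /etc/postfix/tag_as_originating.re  (matches every sender)
/^/   FILTER smtp-amavis:[127.0.0.1]:10026

# /etc/postfix/tag_as_foreign.re  (only reached by clients that are not ours)
/^/   FILTER smtp-amavis:[127.0.0.1]:10024

# /etc/postfix/master.cf
# transport towards amavisd
smtp-amavis   unix  -       -       n       -       2       smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
# port on which amavisd reinjects the (signed) mail; the sender restrictions
# MUST be emptied here, otherwise the FILTER tags fire again and mail loops
127.0.0.1:10025 inet n      -       n       -       -       smtpd
    -o content_filter=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
```

After reloading postfix, check the tagging by sending one message from an authenticated client and one from outside, and confirm in the mail log that they are handed to port 10026 and 10024 respectively.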

The rest of the setup happens in amavisd-new (DKIM signing needs version 2.6.0 or later): let it listen on a second port and bind a policy bank to that port which marks the mail arriving there as originating, which is what allows signing:

$inet_socket_port = [10024,10026];  # listen on two ports: 10024 foreign, 10026 originating
$enable_dkim_signing = 1;  # loads DKIM signing code
dkim_key('DOMAIN_NAME', 'dk1', '/path/to/keyfile');  # domain, selector, private key file (PEM)
$interface_policy{'10026'} = 'ORIGINATING';  # mail arriving on 10026 uses this policy bank
$policy_bank{'ORIGINATING'} = {  # mail originating from our users
    originating => 1,  # indicates client is ours, allows signing
};

The only remaining thing to do is publish the public key. My domains are managed by united domains. To get this working you have to create a subdomain called dk1._domainkey.<your domain> and set the TXT record on it (the dk1 part is the selector and has to be the same as the identifier provided in the amavisd config above). amavisd-new prints the record in the right format with `amavisd showkeys`, and once DNS has picked it up, `amavisd testkeys` checks that the published key matches the private key.
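Steps 1 and 4 of the list above, plus the mechanism behind step 3, as an added example: this is a shell script written for this page, not code from the post, from amavisd-new or from postfix. It assumes openssl on PATH, the selector dk1 and the placeholder domain example.com, and signs a constructed message. It generates the key pair, derives the TXT record for dk1._domainkey.example.com from the public key, and runs one signing and verification round trip so that the bh= and b= tags of a DKIM-Signature header are not a black box:

```shell
#!/bin/sh
# Added example, not code from the original post or from amavisd-new/postfix.
# Assumptions: openssl on PATH; selector "dk1"; placeholder domain example.com;
# the message further down is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the key pair. amavisd reads the PEM private key named in dkim_key().
# 1024-bit keys were usual in 2010; use 2048 bits today (RFC 8301).
openssl genrsa -out "$WORK/dk1.key" 2048 2>/dev/null
openssl rsa -in "$WORK/dk1.key" -pubout -out "$WORK/dk1.pub" 2>/dev/null

# Step 4: the TXT record for dk1._domainkey.example.com. Its p= tag is the
# DER SubjectPublicKeyInfo in base64, i.e. the PEM body without the armor
# lines. One TXT string holds at most 255 bytes, so the value is split into
# several quoted strings; resolvers concatenate them again.
dkim_txt_value() {   # $1 = public key PEM file
    p=$(grep -v '^-----' "$1" | tr -d '\n')
    printf 'v=DKIM1; k=rsa; p=%s\n' "$p" | fold -w 250 | sed 's/.*/"&"/' \
        | tr '\n' ' ' | sed 's/ $//'
}

# Step 3, reduced to the mechanism amavisd implements for you: hash the body,
# put that hash into a DKIM-Signature header with an empty b= tag, sign the
# selected headers plus that header, and fill the signature into b=.
# (Real DKIM also canonicalizes whitespace and line endings per RFC 6376.)
dkim_sign() {   # $1 = private key, $2 = file with the signed headers, $3 = body file
    bh=$(openssl dgst -sha256 -binary < "$3" | openssl base64 -A)
    hdr="DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=dk1; h=from:to:subject; bh=$bh; b="
    b=$({ cat "$2"; printf '%s' "$hdr"; } \
        | openssl dgst -sha256 -sign "$1" -binary | openssl base64 -A)
    printf '%s%s\n' "$hdr" "$b"
}

# Verification as a receiver does it with the key fetched from DNS: recompute
# the body hash and compare it with bh=, then check b= over the headers.
# Prints "ok" or "FAIL".
dkim_verify() {   # $1 = public key, $2 = headers file, $3 = body file, $4 = DKIM-Signature line
    bh_tag=${4##*bh=}; bh_tag=${bh_tag%%;*}
    [ "$(openssl dgst -sha256 -binary < "$3" | openssl base64 -A)" = "$bh_tag" ] \
        || { echo FAIL; return 0; }
    printf '%s' "${4##*b=}" | openssl base64 -d -A > "$WORK/sig.bin"
    if { cat "$2"; printf '%s' "${4%b=*}b="; } \
        | openssl dgst -sha256 -verify "$1" -signature "$WORK/sig.bin" >/dev/null 2>&1
    then echo ok; else echo FAIL; fi
}

# Constructed message for the demo.
printf 'From: alice@example.com\nTo: bob@example.org\nSubject: DKIM test\n' > "$WORK/headers"
printf 'Hello Bob,\n\nthis message is signed.\n' > "$WORK/body"

DNS_TXT=$(dkim_txt_value "$WORK/dk1.pub")
SIG=$(dkim_sign "$WORK/dk1.key" "$WORK/headers" "$WORK/body")
echo "dk1._domainkey.example.com. IN TXT $DNS_TXT"
echo "$SIG"
dkim_verify "$WORK/dk1.pub" "$WORK/headers" "$WORK/body" "$SIG"    # ok
printf 'Hello Bob,\n\nthis message was altered in transit.\n' > "$WORK/body2"
dkim_verify "$WORK/dk1.pub" "$WORK/headers" "$WORK/body2" "$SIG"   # FAIL
```

The signer is deliberately simplified (simple canonicalization, three signed headers); amavisd does the full RFC 6376 canonicalization for you. The split into quoted strings of at most 250 characters is the part that bites with 2048-bit keys: a DNS provider's web form that takes the p= value as one long string will either reject it or publish something a verifier cannot read, so check the result with `dig TXT dk1._domainkey.<your domain>` and compare it with the output of `amavisd showkeys`.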

About this Entry

This page contains a single entry by Thomas Jaehnel published on July 19, 2010 9:00 PM.

This blog is licensed under a Creative Commons License.