amavis-user January 2011 archive
Main Archive Page > Month Archives  > amavis-user archives
amavis-user: Re: [AMaViS-user] DKIM signing mailing lists

Re: [AMaViS-user] DKIM signing mailing lists

From: Florian Effenberger <floeff_at_nospam>
Date: Thu Jan 13 2011 - 11:54:30 GMT
To: amavis-user@lists.sourceforge.net

Hi Mark,

thanks a lot for your reply, much appreciated!

Is there a dedicated DKIM documentation for amavis? I only found
information at the "bits and pieces" page, but have a few other
questions, so before asking this list, I'd like to do RTFM, especially
if it's not RTF-RFC. :-) Apart from an explanation of the available
settings, I'm missing the description of the tags.

2011/1/12 Mark Martinec <Mark.Martinec+amavis@ijs.si>:

>> However, I have problems with signing my hosted mailing lists -- as
>> footers are added and subjects are modified, the DKIM signature is
>> broken. As far as I understood, this does no harm, and is normal --
>> signing only parts of the body has to be implemented on the sender's
>> side, which I can't influence.
>
> Well, yes, although 'signing only parts of the body' (tag 'l') is
> not very useful, as it can too easily be abused. The sooner we
> forget it exists, the better.

So, if someone from outside mails to one of my hosted mailing lists,
and these lists change the subject or add a footer, it's fairly normal
that the Authentication-Result shows softfail for DKIM, right? (Of
course, if it annoys, I could remove it e.g. with Postfix header
checks).

> If these signatures are from the domain which also run a mailing list
> (as opposed to a signature of an author of each post), then these signatures
> should have been added on the fan-out side of their mailing list manager,
> i.e. after all the mangling of a message has already been made.

Right now, the messages get signed two times: First of all, when my
users submit their mail via port 587, then it goes to the mailing
list, the authentication-result afterwards is broken (because of
subject and footer), and eventually, all is re-signed again. It still
sounds a bit weird to me, but it basically seems to work. What makes
me wonder is that the Authentication-Result header is not added all of
the time when a local user sends to a local list, but that might be on
purpose?

>> It looks, however, as if amavisd-new only adds third-party signatures when
>> the sender is not from one of my hosted domains.
>
> It tries to add the best available signature, subject to overrides in
> @dkim_signature_options_bysender_maps. A signing domain matching
> an author domain (From) is considered better than other matches.
>
> If a message already contains a *valid* signature from a domain
> which we are just considering adding, then a duplicate will not be added
> (which solves a case when a message pases (unchanged) through amavisd
> multiple times for some reason).
>
> Grep a log (level 2 or higher) and search for  ' dkim: '  (space before and after).
> These log entries explain the choices made about signing.

Thanks, I will try that! Right now, my configuration parts look like this:

== main.cf ==
smtp inet n - n - - smtpd -o
receive_override_options=no_address_mappings

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o receive_override_options=no_address_mappings
  -o content_filter=amavisfeed:[127.0.0.1]:10026

amavisfeed unix - - n - 5 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o smtpd_restriction_classes=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_unknown_recipient_checks,no_milters
    -o local_header_rewrite_clients=

127.0.0.1:10027 inet n - n - - smtpd -o
receive_override_options=no_address_mappings
                                                        -o content_filter=amavisfeed:[127.0.0.1]:10028
==

== amavis ==
$inet_socket_port = [10024,10026,10028];
$enable_dkim_signing = 1;
dkim_key('domain1.org', '20110105', '/etc/amavis/domain1.org.key.pem');
dkim_key('domain2.org', '20110105', '/etc/amavis/domain1.org.key.pem');
dkim_key('lists.domain1.org', '20110105', '/etc/amavis/domain1.org.key.pem');
dkim_key('lists.domain2.org', '20110105', '/etc/amavis/domain1.org.key.pem');
$policy_bank{'ORIGINATING'} = {
originating => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME'],
final_spam_destiny => D_BOUNCE,
final_virus_destiny => D_BOUNCE,
final_banned_destiny => D_BOUNCE,
};
$policy_bank{'NOCHECKS'} = {
originating => 1,
smtpd_discard_ehlo_keywords => ['8BITMIME'],
mynetworks_maps => [],
os_fingerprint_method => undef,
penpals_bonus_score => undef,
bounce_killer_score => 0,
bypass_decode_parts => 1,
bypass_header_checks_maps => [1],
bypass_virus_checks_maps => [1],
bypass_spam_checks_maps => [1],
bypass_banned_checks_maps => [1],
spam_lovers_maps => [1],
banned_files_lovers_maps => [1],
dkim_signature_options_bysender_maps => [ {
'domain1.org' => { d => 'domain1.org', c => 'relaxed/simple' },
'domain2.org' => { d => 'domain2.org', c => 'relaxed/simple' },
'lists.domain1.org' => { d => 'lists.domain1.org', c => 'relaxed/simple' },
'lists.domain2.org' => { d => 'lists.domain2.org', c => 'relaxed/simple' },
} ],
};
$interface_policy{'10026'} = 'ORIGINATING';
$interface_policy{'10028'} = 'NOCHECKS';
==

As you can see, I'm still rather new to the DKIM topic. :-) I was
reading your docs and some mailing list posts and ended up with the
above configuration, but there might be some glitches in it.

> Is the 'dkim_signature_options_bysender_maps => ...' syntactically part
> of a policy bank hash (key/value pairs) ?  If it is not but is a global setting,
> then your syntax is wrong, you need a proper assignment to a variable
> @dkim_signature_options_bysender_maps, not a key=>value pair.
>
> In your case that would be:
>
> @dkim_signature_options_bysender_maps = ( {
>  'second-domain.tld' => { d => 'second-domain.tld', c => 'relaxed/simple' },
>  'first-domain.tld' => { d => 'first-domain.tld', c => 'relaxed/simple' },
>  'lists.second-domain.tld' => { d => 'lists.second-domain.tld', c => 'relaxed/simple' },
>  'lists.first-domain.tld' => { d => 'lists.first-domain.tld', c => 'relaxed/simple' },
>  } );

At the moment, it is part of a policy bank, but just because I've seen
that in an example and tried it out, to be honest. :-) Is the global
approach better?

I feel as I'm still missing some basic information and knowledge on
the DKIM process. Any pointers welcome!

Thanks so much,
Florian

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand
malware threats, the impact they can have on your business, and how you
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
 Please visit http://www.ijs.si/software/amavisd/ regularly
 For administrativa requests please send email to rainer at openantivirus dot org