1

Topic: Amavisd configuration incomplete

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Linux/BSD distribution name and version: Centos 6.5, Linux 3.14.4-x86_64-linode40 on x86_64
- Related log if you're reporting an issue: n/a
====

So, in my server's default local domain email accounts, within the headers of received mail, I see this:

Authentication-Results: <my_domain> (amavisd-new);
    dkim=pass (2048-bit key) header.d=gmail.com

But then I noticed that in email received within my other virtual domains, this header did not appear. I then realized that in the amavisd config file:

@local_domains_maps

only contained my local domain, and NOT the rest of my virtual domains. Once they were added, the headers were written properly across all domains.

Shouldn't that field be appended to when you add new domains within iredadmin(-pro)?

It would also be nice if you could integrate into iredadmin(-pro) the ability to manage the DKIM signing settings per domain. That too required manually editing the amavisd config file to get signing to work across all virtual domains, as your initial setup scripts only cover the primary local domain. That is fine considering that at that stage the scripts only know of that 1 single domain, but adding domains later means remembering to go back into amavisd.conf to get DKIM signing to also work for the new domain. Just a thought.

Thanks.

- Fabian S.


2

Re: Amavisd configuration incomplete

With the latest iRedMail, we have the setting below in the Amavisd config file to mark all domains of recipients (in received emails) as local domains:

@local_domains_maps = 1;

So it should be fine.

iRedMail uses one DKIM key for all hosted mail domains. It should be easier for the mail server administrator to manage, and you don't need to ask your clients to set up a proper DKIM record in DNS.

Also, currently, Amavisd doesn't support querying DKIM keys from SQL/LDAP, so we have to edit config files. No plan to achieve it in iRedAdmin-Pro.

3

Re: Amavisd configuration incomplete

ZhangHuangbin wrote:

With the latest iRedMail, we have the setting below in the Amavisd config file to mark all domains of recipients (in received emails) as local domains:

@local_domains_maps = 1;

So it should be fine.

That option does work fine. Thank you. But be aware, as I updated from v0.8.6, that option was not set accordingly. It was set to:

@local_domains_maps = ( [".$mydomain"] )

ZhangHuangbin wrote:

iRedMail uses one DKIM key for all hosted mail domains. It should be easier for the mail server administrator to manage, and you don't need to ask your clients to set up a proper DKIM record in DNS.

Also, currently, Amavisd doesn't support querying DKIM keys from SQL/LDAP, so we have to edit config files. No plan to achieve it in iRedAdmin-Pro.

I do use one and the same DKIM key for all domains, as configured from the beginning. But what you say sounds inaccurate, unless I misunderstood you. DNS records for DKIM must exist for each domain whose email is being signed with it. Otherwise, the check fails.

Understood about iRedAdmin-Pro; so what you're saying is it does not and will not modify file system files, only the DB? OK, that's kewl. Thanks.

- Fabian S.

4

Re: Amavisd configuration incomplete

fsantiago06111979 wrote:

But what you say sounds inaccurate, unless I misunderstood you. DNS records for DKIM must exist for each domain whose email is being signed with it. Otherwise, the check fails.

The DKIM signature in the mail header contains some info:

- b=[actual_digital_signature]
- s=[dkim_selector_in_DNS]. For example, s=dkim.
- d=[the_signing_domain]. For example, d=abc.com

So the mail receiver knows it should query the TXT type of DNS name 'dkim._domainkey.abc.com' to match the value of 'b=' in the DKIM signature.

With the default iRedMail setting, all outgoing emails are signed with the same DKIM key, so the signing domain is the same one. What you need to do is make sure you have the correct DKIM record in DNS for this signing domain.

Reference:
- Wikipedia: http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
- RFC 4871: DomainKeys Identified Mail (DKIM) Signatures. http://www.ietf.org/rfc/rfc4871.txt
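
The lookup described in the post above, as an added example that is not part of the original thread or iRedMail's code: it parses a DKIM-Signature header value, derives the TXT name `<s>._domainkey.<d>`, and lists which DNS names a set of signed messages depends on. The hosted domain names and the `b=` data are constructed placeholders; `d=abc.com` and `s=dkim` are the values used in the post.

```python
import re

def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ';' is allowed
        name, sep, val = part.partition("=")  # first '=' only: b= may end in '='
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {part!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        # Whitespace inside the base64 tags is folding, not data.
        tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags

def dkim_txt_name(value):
    """DNS name whose TXT record the receiver queries: <s>._domainkey.<d>."""
    tags = parse_dkim_tags(value)
    missing = [t for t in ("b", "d", "s") if not tags.get(t)]
    if missing:
        raise ValueError("missing required tag(s): " + ", ".join(missing))
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def required_txt_records(messages):
    """Map each TXT name to the From domains whose mail depends on it."""
    needed = {}
    for from_domain, sig in messages:
        needed.setdefault(dkim_txt_name(sig), set()).add(from_domain)
    return needed

# Constructed sample: two hosted domains, both signed with d=abc.com, s=dkim
# (the values used in the post). The b= data is a placeholder, not a signature.
SIG = "v=1; a=rsa-sha256; d=abc.com; s=dkim;\r\n\tb=cGxhY2Vo\r\n\tb2xkZXI="
MESSAGES = [("hosted-one.example", SIG), ("hosted-two.example", SIG)]

if __name__ == "__main__":
    for name, domains in required_txt_records(MESSAGES).items():
        print(name, "<-", sorted(domains))
```
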