Implementing DomainKeys-DKIM on OS X 10.10.X Yosemite and OS X 10.11.X El Capitan With Server 5.X

1. Introduction
2. Requirements
3. Using Mail::DKIM to verify incoming messages
4. Using amavisd-new to sign outgoing messages
5. Advanced configuration options
6. Caveats – READ this chapter!

DISCLAIMER: The author(s) claim(s) no responsibility for any damage that may occur from the use of any information found here or found on links followed from this document. Please make sure you have a backup before applying modifications to your server.

1. Introduction

The purpose of this document is to provide instructions on how to implement DomainKeys/DKIM on OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x.

You will not find many explanations as to why something is done one way or the other. Neither will I discuss whether DomainKeys/DKIM are useful or not. This is a decision you must make for yourself. There are plenty of discussions about this available on the internet.

DomainKeys/DKIM functionality has two sides to it. First, it is used to verify if a sender domain is using DomainKeys/DKIM signatures and if the incoming mail was correctly signed. Second, it allows you to sign outgoing messages with a digital signature for recipients to verify your mail server.

Unlike previous versions of this tutorial, which were based on dkimproxy and amavisd, this tutorial relies only on amavisd. dkimproxy is still a valid solution, but it hasn’t been maintained much in the past couple of years. On the other hand, Apple is now including an updated version of amavisd-new with its Server OS, so why rely on extra components when all we need is already available?

Verification of signatures is done through amavisd-new/SpamAssassin. This integrates as closely as possible with the existing components on OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x.

Signing is handled by amavisd-new and Postfix.

This document will require you to use the command line. If you do not feel comfortable with using the command line, you should look for a ready made installer package or for somebody to assist you.

This document is written for OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x. It does not apply to earlier versions. Separate versions of this tutorial are available for earlier Mac OS X Server versions.

If you have used Mac OS X Server releases prior to OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x, you are most likely used to a series of standard file paths. While some of them are still the same, many have changed in an attempt by Apple to better consolidate server related files and binaries. So always be very careful and double-check which file you are editing.

This tutorial has been tested on a standard OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x installation. If you have already tinkered with your system, be aware that things might differ. It is impossible for me to foresee all changes that one might have applied to a server.

This tutorial contains step-by-step instructions for the terminal. Although you could just type them in line by line, it is recommended you have a basic understanding of the terminal.

DISCLAIMER: Whatever you do based on this document, you do it at your own risk! Just in case you haven’t understood: Whatever you do based on this document, you do it at your own risk!

2. Requirements

Before you get started, you need to make sure some basic requirements are met:

  • You have made a backup of your system.
  • You are running OS X 10.10.x Yosemite or OS X 10.11.x El Capitan With Server 5.x
  • You do have a backup
  • Familiarity with a command line editor or alternatively a GUI plain text editor (do NOT use Word or similar)
  • While not a requirement, it is recommended you subscribe to our newsletter or follow us on Twitter to be informed when updated versions of this and other tutorials become available:
    Newsletter: http://topicdesk.com/newsletter/
    Twitter: @topicdesk

3. Using Mail::DKIM to verify incoming messages

As mentioned, we will use Mail::DKIM together with SpamAssassin to verify incoming messages.

Nothing needs to be done in OS X 10.10.x Yosemite and OS X 10.11.x El Capitan With Server 5.x. Everything is already correctly configured.

Send yourself an e-mail from a domain that uses DomainKeys/DKIM (e.g. yahoo.com, gmail) and check the headers. You should see something along the lines of:

DKIM_SIGNED=0.001  
DKIM_VALID=-0.1  

in the X-Spam-Status Tests.

The scores are low on purpose by default. It is up to you to change them if you would like action to be taken based on this information. Simply edit:

/Library/Server/Mail/Config/spamassassin/local.cf  

(or wherever you keep your score adjustments) and add:

score DKIM_SIGNED 0.001
score DKIM_VALID -0.001
score DKIM_VALID_AU -0.001

(replace 0.001 with the score you want)

Remember to restart amavisd-new after score changes.

Note: If you don’t see any X-Spam-Status in your e-mail’s headers, you need to edit:

/Library/Server/Mail/Config/amavisd/amavisd.conf  

and make sure the following parameter is set (by default it is set to 2.0 which will not tag low scoring mails):

$sa_tag_level_deflt  = -999.0;  

Remember to restart amavisd-new after changes to amavisd.conf.

4. Using amavisd-new to sign outgoing messages

As mentioned, we will use amavisd-new together with Postfix to sign outgoing messages.

4.1. The first step is to generate a set of keys to be used for our signature.

To do so issue:

sudo mkdir -p /var/db/dkim

sudo chown _amavisd /var/db/dkim

sudo -u _amavisd -H amavisd genrsa /var/db/dkim/mydomain.tld.default.pem

sudo chown root:_amavisd /var/db/dkim/mydomain.tld.default.pem

sudo chmod 640 /var/db/dkim/mydomain.tld.default.pem

The following file:

/var/db/dkim/mydomain.tld.default.pem

now contains the private key used for DKIM signing.

4.2. The next step is to modify the configuration files for amavisd-new and Postfix.

Edit:

/Library/Server/Mail/Config/amavisd/amavisd.conf  

and make sure the following 2 settings are enabled as shown:

$enable_dkim_verification = 1;
$enable_dkim_signing = 1;

Next, right below

$enable_dkim_signing  

add:

dkim_key('mydomain.tld', 'default', '/var/db/dkim/mydomain.tld.default.pem');

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

Note: you need to replace mydomain.tld with your actual domain.

So far so good. Now all we need to do is to add the keys to our DNS and we are all set.

To display the key(s), issue:

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys 

You should see something along the lines of:

; key#1, domain mydomain.tld, /var/db/dkim/mydomain.tld.default.pem
default._domainkey.mydomain.tld.    3600 TXT ( 
"v=DKIM1; p=MIGfCSXUZqGSIb7DKIBQLOQA6GNAMNWiQKBgQCdtxXkwuk2d8ZUeq5W0gy3l39M9trMfI+1ieMshy4DaIF6pFrGqmo7aNFZqcjFBoKdziEarHvcoY9IyaAFH5L6FOxZsvyjniJW3Z76GWMH6JvQsl8vfn7FxM19YqNchBn/lU60V/A7R0IDFgyk53Y4sPj4sEoTFtR0FkUN+43bMQIDAQAB")

This is your public key inside a DNS TXT record.

4.3. The next step is to prepare your DNS records.

This procedure can differ based on what DNS software/provider you use. Many providers use different control panels, so you may have to adjust as needed. If you manage your own DNS, you’ll know what to do.

In essence you need to create the following 2 TXT records for each domain you handle and want to sign: one for the DomainKeys policy record and one for the DomainKeys selector record.

_domainkey.mydomain.tld  TXT  "o=~"

default._domainkey.mydomain.tld TXT "v=DKIM1; p=MIGfCSXUZqGSIb7DKIBQLOQA6GNAMNWiQKBgQCdtxXkwuk2d8ZUeq5W0gy3l39M9trMfI+1ieMshy4DaIF6pFrGqmo7aNFZqcjFBoKdziEarHvcoY9IyaAFH5L6FOxZsvyjniJW3Z76GWMH6JvQsl8vfn7FxM19YqNchBn/lU60V/A7R0IDFgyk53Y4sPj4sEoTFtR0FkUN+43bMQIDAQAB"

The long string looking like gibberish (after p=) is your public key and should be replaced with the key shown above when issuing:

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys 

Note that it is a single long line.

Also you should replace mydomain.tld with your actual domain name.

When done and after you are sure your new DNS records have propagated, issue:

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf testkeys

If all is well, you’ll see something like:

TESTING#1: default._domainkey.mydomain.tld => pass

To verify your policy record go here:
http://domainkeys.sourceforge.net/cgi-bin/check_policy?domain=mydomain.tld&Submit=Submit

To verify your DomainKeys Selector record go here:
http://domainkeys.sourceforge.net/cgi-bin/check_selector?selector=default._domainkey.mydomain.tld&Submit=Submit

Note: you need to replace mydomain.tld with your actual domain.
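As an added worked check (not part of the original tutorial), the following Python script takes the multi-line showkeys output, joins the quoted pieces into the single-line TXT value you paste into DNS, and verifies that p= is valid base64 holding an RSA SubjectPublicKeyInfo, reporting the key size. The sample showkeys output and the domain prepress.com are taken from a reader's comment further down this page; the script also tolerates folding whitespace inside p= (the line-break problem from the Caveats chapter) and rejects stray quotes or parentheses pasted into the value.

```python
import base64
import re

# Sample "amavisd showkeys" output. Copied from a reader's comment further down
# this page (domain prepress.com, a real 1024-bit RSA public key, as posted).
SHOWKEYS_OUTPUT = """\
; key#1 1024 bits, i=default, d=prepress.com, /var/db/dkim/prepress.com.default.pem
default._domainkey.prepress.com. 3600 TXT (
"v=DKIM1; p="
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeRBYJHBvatE0KGqHLgV+LWba6"
"btvl44H/lns9NWDs92VtZY3DTyXHUHn5h0JbMmNK8tjiLVVaTp+tvFzgdVjfDDS/"
"JX2MJlvUqfDPeDDZ2I56trx+5SjNbaPHhsDtlURUW2NJIT2hEVBni4GDLa02V5/w"
"ytUvh1ZVMJaCz69yrQIDAQAB")
"""

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def showkeys_to_txt(output):
    """Return (record_name, txt_value) from amavisd showkeys output.

    showkeys prints the record in BIND zone-file style: the value may be split
    into several quoted strings inside parentheses. The value to put in DNS is
    the concatenation of those strings, on one line, without the quotes.
    """
    name = None
    chunks = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue                       # blank or comment line
        m = re.match(r"^(\S+)\s+\d+\s+(?:IN\s+)?TXT\s+\(", line)
        if m:
            name = m.group(1).rstrip(".")  # drop the trailing zone dot
        chunks.extend(re.findall(r'"([^"]*)"', line))
    if name is None or not chunks:
        raise ValueError("no TXT record found in showkeys output")
    return name, "".join(chunks)


def parse_dkim_record(txt):
    """Split 'tag=value; tag=value' into a dict.

    Whitespace inside a value is folding whitespace (RFC 6376 allows it in
    p=), so it is stripped; that also repairs a line-wrapped copy/paste.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip()] = "".join(value.split())
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Parse a SubjectPublicKeyInfo (what p= carries) and return the RSA
    modulus size in bits. Raises ValueError if it is not an rsaEncryption key."""
    tag, body, _ = _der_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("p= does not decode to a DER SEQUENCE")
    tag, alg, pos = _der_tlv(body, 0)      # AlgorithmIdentifier
    oid_tag, oid, _ = _der_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("p= is not an rsaEncryption key")
    tag, bitstr, _ = _der_tlv(body, pos)   # BIT STRING; first byte = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_pub, _ = _der_tlv(bitstr[1:], 0)  # RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_tlv(rsa_pub, 0)   # INTEGER n
    if tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_record(txt):
    """Validate one DKIM TXT value; return its tags and the key size."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        raise ValueError("v= must be DKIM1")
    if not tags.get("p"):
        raise ValueError("p= missing or empty (an empty p= means 'key revoked')")
    try:
        spki = base64.b64decode(tags["p"], validate=True)
        bits = rsa_modulus_bits(spki)
    except (ValueError, IndexError) as exc:  # bad base64 (stray quotes/parens) or bad DER
        raise ValueError("p= is not a usable RSA public key: %s" % exc)
    return {"tags": tags, "bits": bits}


def main():
    name, txt = showkeys_to_txt(SHOWKEYS_OUTPUT)
    result = check_dkim_record(txt)
    print("%s TXT value is %d chars, %d-bit RSA key" % (name, len(txt), result["bits"]))


if __name__ == "__main__":
    main()
```

Run it against your own showkeys output to get the exact single-line value for your DNS control panel; a ValueError points at the pasted copy, not at the DNS server.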

If all checks out, you are set and from now on your outgoing e-mail will be signed with your DKIM key and amavisd-new/spamassassin will check incoming mails for valid DKIM signatures.

Try and send an e-mail using your server. If all went well, you should see your signature in the full/raw headers of your message.

Something along these lines:

DomainKey-Signature: a=rsa-sha1; c=simple; d=mydomain.tld; q=dns; s=default; MIGfCSXUZqGSIb7DKIBQLOQA6GNAMNWiQKBgQCdtxXkwuk2d8ZUeq5W0gy3l39M9trMfI+1ieMshy4DaIF6pFrGqmo7aNFZqcjFBoKdziEarHvcoY9IyaAFH5L6FOxZsvyjniJW3Z76GWMH6JvQsl8vfn7FxM19YqNchBn/lU60V/A7R0IDFgyk53Y4sPj4sEoTFtR0FkUN+43bMQIDAQAB

5. Advanced configuration options

The above configuration makes sure that all outgoing mail for a configured domain is signed as well as scanned for spam and viruses.

Sometimes it is preferable to offer multiple paths through the content filter. For example you might want to sign all of your outgoing mail, but at the same time would prefer if mail from your authenticated users is not scanned for spam or maybe assigned more lenient scores (this can be important when trying to send through your server from a dynamic IP).

I prefer having a setup where the content filter treats incoming and outgoing mail differently and thus will show you how to differentiate it through Postfix checks and separate amavisd-new policy banks. There are several advantages to this. First you will be able to send mail through your server without the risk of any false positives. Second, you keep CPU load down by signing only outgoing messages from your legit users.

This requires editing of

/Library/Server/Mail/Config/postfix/master.cf
/Library/Server/Mail/Config/postfix/main.cf
/Library/Server/Mail/Config/amavisd/amavisd.conf

Now on to editing:

/Library/Server/Mail/Config/postfix/main.cf

At the end of the file, add:

smtpd_sender_restrictions = check_sender_access regexp:/Library/Server/Mail/Config/postfix/tag_for_signing permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/Library/Server/Mail/Config/postfix/tag_for_scanning permit

Save main.cf and create a new file called tag_for_signing:

sudo touch /Library/Server/Mail/Config/postfix/tag_for_signing

Edit it and add:

/^/  FILTER smtp-amavis:[127.0.0.1]:10026

Save it and create a new file called tag_for_scanning:

sudo touch /Library/Server/Mail/Config/postfix/tag_for_scanning

Edit it and add:

/^/  FILTER smtp-amavis:[127.0.0.1]:10024

Save and next edit

/Library/Server/Mail/Config/postfix/master.cf

add a new block:

127.0.0.1:10027 inet n  -       y       -       -       smtpd
   -o content_filter=
   -o smtpd_tls_security_level=none
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o smtpd_restriction_classes=
   -o mynetworks=127.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
   -o local_header_rewrite_clients=
   -o smtpd_milters=
   -o local_recipient_maps=
   -o relay_recipient_maps=

Save it and now edit:

/Library/Server/Mail/Config/amavisd/amavisd.conf

Look for $policy_bank{'ORIGINATING'} and, inside that policy bank block, add:

bypass_spam_checks_maps   => [1],

Save and issue:

sudo postfix reload

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf reload

Now try sending mail from and to your server. Outgoing mail from authenticated users of yours should now be signed, but not scanned. Incoming mail from outside senders will be scanned but not signed.

The setting we entered into the policy bank above prevents outgoing mail from being scanned. You can of course add anything you like to the policy bank. For example, instead of not scanning, you could assign lower spam scores if mail is coming from your users. The amavisd-new documentation is a good starting point for this.

NOTE: The settings chosen are based on my personal preference and experience. You may want to change them as you deem fit.
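With the setup above, a message is only signed if Postfix handed it to port 10026 and amavisd-new loaded the ORIGINATING bank for it. When an outgoing message comes out unsigned, the amavisd log tells you which port and which policy banks it actually got. The following Python helper is an added example, not part of the tutorial: it correlates the two log lines each message produces (the ESMTP line with the entry port and the Checking line with the loaded banks) by amavisd task id. The log excerpt is constructed, modelled on lines a reader posted in the comments below; hostnames, ids and addresses are made up.

```python
import re
from collections import OrderedDict

# Constructed amavisd log excerpt (shortened; modelled on lines posted in the
# comments on this page). Three messages: one from the command line on the
# server, one from a LAN client, one authenticated client routed via 10026.
AMAVIS_LOG = """\
Feb 28 12:09:11 mail amavisd[60890]: (60890-04) ESMTP [127.0.0.1]:10024 /tmp/amavis-60890-04: alice@mydomain.tld -> bob@example.net SIZE=623
Feb 28 12:09:11 mail amavisd[60890]: (60890-04) Checking: umrH_Nn3qA1D [127.0.0.1] <alice@mydomain.tld> -> <bob@example.net>
Feb 28 12:11:31 mail amavisd[60889]: (60889-05) ESMTP [127.0.0.1]:10024 /tmp/amavis-60889-05: alice@mydomain.tld -> bob@example.net SIZE=623
Feb 28 12:11:31 mail amavisd[60889]: (60889-05) Checking: go8R5l3yyrZh MYNETS [192.168.1.20] <alice@mydomain.tld> -> <bob@example.net>
Feb 28 12:15:02 mail amavisd[60891]: (60891-01) ESMTP [127.0.0.1]:10026 /tmp/amavis-60891-01: alice@mydomain.tld -> bob@example.net SIZE=700
Feb 28 12:15:02 mail amavisd[60891]: (60891-01) Checking: Ab12Cd34Ef56 ORIGINATING MYNETS [203.0.113.7] <alice@mydomain.tld> -> <bob@example.net>
"""

# "(task) ESMTP [listen-ip]:port ..." -> which amavisd listener received it
ESMTP_RE = re.compile(r"\((?P<task>\d+-\d+)\) ESMTP \[(?P<lhost>[^\]]+)\]:(?P<port>\d+)")
# "(task) Checking: id BANK BANK [client-ip] <from> -> <to>" -> loaded policy banks
CHECK_RE = re.compile(
    r"\((?P<task>\d+-\d+)\) Checking: (?P<id>\S+) "
    r"(?P<banks>(?:[A-Z][A-Z_]* )*)\[(?P<client>[^\]]+)\] (?P<from>\S+) -> (?P<to>\S+)")

SIGNING_PORT = "10026"  # section 5: tag_for_signing sends authenticated mail here


def trace_amavis_log(text):
    """Correlate the ESMTP and Checking lines of every amavisd task id.

    Returns an OrderedDict task_id -> {"port", "banks", "client", "sender"}.
    """
    tasks = OrderedDict()
    for line in text.splitlines():
        m = ESMTP_RE.search(line)
        if m:
            tasks.setdefault(m.group("task"), {})["port"] = m.group("port")
            continue
        m = CHECK_RE.search(line)
        if m:
            t = tasks.setdefault(m.group("task"), {})
            t["banks"] = m.group("banks").split()   # [] when no bank was loaded
            t["client"] = m.group("client")
            t["sender"] = m.group("from").strip("<>")
    return tasks


def signing_verdict(task):
    """Explain, for one task, whether the section-5 setup will DKIM-sign it."""
    port = task.get("port")
    banks = task.get("banks", [])
    if port == SIGNING_PORT and "ORIGINATING" in banks:
        return "signed"
    if port == SIGNING_PORT:
        return "port %s but ORIGINATING bank not loaded: check the port-to-bank mapping in amavisd.conf" % port
    return "entered on port %s (banks: %s): not routed through tag_for_signing, not signed" % (
        port, " ".join(banks) or "none")


def main():
    for task_id, task in trace_amavis_log(AMAVIS_LOG).items():
        print("%s client=%s sender=%s -> %s" % (task_id, task.get("client"),
                                                task.get("sender"), signing_verdict(task)))


if __name__ == "__main__":
    main()
```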

6. Caveats

The most frequent issues to watch out for are:

a) Incompatible perl modules
b) Typos made when applying this tutorial
c) Long lines seen as multiple lines. Watch for incorrect line breaks

Also, if you have modified any paths and/or environment variables, make sure you check them against the instructions above.

Hope this helps.


Document Version 1.3, 1.2.2016

55 replies
  1. David Muszynski says:

    I’ve followed the article to the letter and keep getting:

    server:named bhpolicesupply$ sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf testkeys
    TESTING#1 bhpolicesupply.com: default._domainkey.bhpolicesupply.com => invalid (public key: not available)

  2. Gavin Lawrie says:

    Thanks for posting this.
    OS X Server 5.1 is using Spamassassin 3.4.0 – and the DKIM flags for Spamassassin after version 3.3.0 are different from earlier versions. In particular, the DKIM_POLICY_* flags are now no longer valid – and are set to a zero score whatever value you give them…
    So it might be useful to update this part of your tutorial.
    An updated set of rules for DKIM plugin is given here: http://spamassassin.apache.org/full/3.3.x/doc/Mail_SpamAssassin_Plugin_DKIM.html#administrator_settings

      • Gavin Lawrie says:

        No worries.
        Minor thing – but maybe something. When I try the test…
        sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys
        I get this error:
        Config file “/Library/Server/Mail/Config/amavisd/amavisd.conf” should be owned by root (uid 0), at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 2160.

        If you change the ownership of the file using…
        sudo chown root:_amavisd /Library/Server/Mail/Config/amavisd/amavisd.conf

        And the problem went away…

        • Gavin Lawrie says:

          Ahah. OK – thanks for clarification.
          Sadly doesn’t work for me – everything appears to be set as per your guide, but doesn’t appear that the signing step is actually working – i.e. nothing similar to DomainKey-Signature in header for sent emails… 🙁
          Will keep plugging away at it, but anything spring to mind about likely causes?

          • Athanasios Alexandrides says:

            Any chance your server has been upgraded over time from older system versions? This could explain certain permissions discrepancies.
            On a plain vanilla server above steps work, so I’d probably just carefully look at everything again step by step. Also make sure your DNS records are OK by testing them.

  3. Gavin Lawrie says:

    Hi – appears to be a limit to the number of replies you can do…
    Thanks for the ideas – yes it is a very old / many-fold updated server, so quite possibly that’s the problem. I’ll go hunting for gremlins.
    The DNS records are set correctly, but not validating (DNS time-out) – but not sure why. But would a DNS timeout affect the signing step?

    • Athanasios Alexandrides says:

      No, it wouldn’t affect signing, but validating.
      If the DNS records are not validating, then either the TTL has not expired and the old records are still cached, or they are not set up correctly (bar general networking issues of course).

      • Gavin Lawrie says:

        Hello again – sorry to be in your ear about this stuff, but could you also clarify another point in the text. You show at one point that the output of sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys and refer to the p= output as “your public key inside a DNS TXT record”. Later you suggest that the DNS public key entry (the p=”…” entry in the DNS record) should be replaced with the content of /var/db/dkim/mydomain.tld.default.pem (which is the private key generated earlier).
        This is a mistake? Or am I missing something? I think you mean the p="..." element from the showkeys output…

        • Athanasios Alexandrides says:

          You are correct. Sorry about that. A leftover from a previous procedure. The public key to be added to your DNS record is the one displayed when issuing:

          sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys 
          
  4. Sergio Sanchez says:

    Thank you very much for your guides.
    I’m sad, it does not work in my case.
    I configured everything as described and triple checked everything but I don’t get the DomainKey-Signature in my outgoing mails.
    My DNS TXT records are both ok.
    When I run
    sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf testkeys
    I get a pass, everything seems to be ok.
    The Server is a plain vanilla one, fresh clean install.
    Mac OS 10.11.5, Server 5.1.5
    I have no idea what to do, is there a special log to check?
    I cannot find anything about signing, errors or whatsoever in the mail logs.
    Maybe you or others have some ideas.
    Thanks in advance for any help.

    • Gavin Lawrie says:

      I can’t get it to work either. I can’t work out if there is a missing step, or some other bit of configuration that is assumed but is not present on our systems. Very frustrating 🙁

        • Athanasios Alexandrides says:

          If changing the interface policy made it work, chances are you have either set things up incorrectly in master.cf or are not sending via the correct port.

          amavis.log or mail.log (depending on setup) will show you the path a sent mail takes.

          • Sergio Sanchez says:

            But I did not touch anything in master.cf, Server 5.1.5 did it all.
            I added only dkim_key and @dkim_signature_options_bysender_maps in the amavisd.conf, as explained in your tutorial.

            All from a fresh Mac OS X 10.11.5 and Server 5.1.5 install.
            The Server is located in a NAT env.
            I will check soon the logs and report.

            It works now; what implications does the interface policy change have?
            Any bad ones using MYNETS instead of ORIGINATING?

          • Timothy J says:

            I have precisely the same issue. I have been through your tutorial, have a successful test of the DKIM DNS, but not signing outbound.

            Note that I have an open access policy with ports restricted, as I am using IPv6 services, and have opened ports 10024-10025 for TCP to local networks. What other ports are necessary to make this work?

          • Timothy J says:

            Perhaps it is something missing in 4.2 above? 4.2 mentions that we are going to modify postfix’s configuration file, but the changes listed in 4.2 are all to amavisd.conf. Nothing seems to redirect the outbound message to port 10026, so the outbound message never seems to get signed.

  5. Timothy J says:

    How does one set up separate keys for multiple virtual domains? I have two additional domains hosted on my server, but these instructions only sign the primary one.

    Thanks! Great tutorial

    • Athanasios Alexandrides says:

      Simply add multiple dkim_key lines:

      dkim_key('domain1.tld', 'default', '/var/db/dkim/mydomain.tld.default.pem');
      dkim_key('domain2.tld', 'default', '/var/db/dkim/mydomain.tld.default.pem');

      etc.

      You can use the same key for all domains or assign a different one for each domain.

  6. Avery Z Chipka says:

    So following the directions above made signing work perfectly through Round Cube, but it doesn’t result in incoming mail from a client machine getting signed?

    • Avery Z Chipka says:

      By incoming mail I mean mail that is incoming to the server from a client mail app like Mail.app which is being sent through the server.

      • Athanasios Alexandrides says:

        Have you tried following mail sent from Mail.app through the logs to see if it is being processed?
        Any difference in the sending domain when sending from Roundcube vs. sending from Mail.app?
        Any difference in the respective raw headers (besides the missing signature)?

  7. Michael Ricardo says:

    Thanks for the great article.

    I am hosting 10 email domains; would I need to create a separate file for each domain?

    sudo -u _amavisd -H amavisd genrsa /var/db/dkim/mydomain.tld.default.pem

  8. Vic says:

    Requires manual patching to make it work (2.10 / 2.11)

    — amavisd.orig Tue Apr 26 21:24:33 2016
    +++ amavisd Fri Jul 1 01:03:15 2016
    @@ -34338,6 +34329,7 @@ sub collect_some_dkim_info($) {
    $sig_ind++;
    }
    Amavis::load_policy_bank($_,$msginfo) for @bank_names;
    + $msginfo->originating(c(‘originating’));
    $msginfo->dkim_signatures_valid(\@signatures_valid) if @signatures_valid;
    # if (ll(5) && $sig_ind > 0) {
    # # show which header fields are covered by which signature
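Review bot: the added line `+ $msginfo->originating(c(‘originating’));` as pasted here carries typographic quotes (‘ ’) around originating; Perl needs plain ASCII single quotes, so anyone applying this hunk verbatim gets a syntax error. The leading indentation of the `+` line and of the context lines has also been lost in the paste, so the hunk will not apply with patch(1) without being re-indented against the original file. A short comment above the added call stating why the originating flag is re-read from the current policy bank immediately after `Amavis::load_policy_bank($_,$msginfo) for @bank_names;` (which is what the visible placement relies on) would help whoever has to re-apply this after a Server.app update replaces amavisd.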

  9. Ted Dively says:

    Hey gang. Am I missing something? I used the actual TLD in the command below, instead of the placeholder text, but it generates an error.

    mail:config localadministrator$ sudo -u _amavisd -H genrsa /var/db/dkim/domain.tld.default.pem
    sudo: genrsa: command not found

      • Ted Dively says:

        Ah, I found it: a path issue to amavisd:

        sudo -u _amavisd -H /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd genrsa /var/db/dkim/mydomain.tld.default.pem
        Amavis::Util, Encode::decode() taint laundering bug, fixed in Encode 2.50 at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 2951.
        Private RSA key successfully written to file “/var/db/dkim/mydomain.tld.default.pem” (1024 bits, PEM format)

        Should I worry about the bug error in the above output?

  10. Jim says:

    Anyone else having this issue with 10.13 Server?

    When I try to:
    sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys

    I get the error:

    Amavis::Util, Encode::decode() taint laundering bug, fixed in Encode 2.50 at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 2951.
    Error in config file “/Library/Server/Mail/Config/amavisd/amavisd.conf”: Error reading from IO::File=GLOB(0x7ff43af499d0): Is a directory at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 4285.

  11. Ben Greenfield says:

    I have this mostly working on a 10.13.2 with server 5.4.

    My one noticeable hang up is that authenticated senders from outside my local network do not get dkim signed emails.
    If my iPhone is on my wifi network it will dkim sign the email. If I turn off wifi the email passes through unsigned!?

    I suppose this may indicate a problem with the postfix side…

    • Ben Greenfield says:

      The problem seems to have cleared itself up. I probably overlooked a reload to get it to use the new config.

  12. Kristin says:

    OK, I’ve been working on this for a few days and this tutorial really helped. But, running into a bit of an issue.

    I have Server.app running and the Mail service is configured so there’s a single email address associated with the domain ([email protected]).

    If I send mail using this account, via Mail.app, the message is signed, no issues (and passes SPF, DKIM and DMARC). All good.

    But, if I attempt to send email via the command line, for example, using the following terminal command…

    mail -s DKIM_TEST [email protected]

    I receive the message, but it’s unsigned.

    And same thing with Alert/Notification emails coming from Server.app (for example, when a certificate is going to expire, I receive an alert email from Server.app, from [email protected])—these emails, even though being sent from the server itself, aren’t being signed.

    I can only get messages signed when sending via Mail.app.
    Anything else, they’re sent/received, but not signed.

    I assume this has something to do with the port the messages are being sent through, but for the life of me, I can’t figure out why? Messages sent via Mail.app seem to be going through 10026 (aka “ORIGINATING”) and the command line mail is going through another port (and thus isn’t being signed).

    Any ideas on how I can deal with this?

    Running macOS 10.13.3 and Server.app 5.5.

    Thanks,
    Kristin.

    • Kristin says:

      Just a follow up with some additional info from the logs.

      Both Mail.app and command line sends seem to be going through port 10024 as logs for both sends start with pretty much the exact same output…

      Feb 28 12:11:31 mydomain.com /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd[60889]: (60889-05) ESMTP [127.0.0.1]:10024 /Library/Server/Mail/Data/scanner/amavis/tmp/amavis-20180228T114909-60889-7grDBnmT: kmaling@mydomain.com -> kmaling@anotherdomain.com SIZE=623 Received: from mydomain.com ([127.0.0.1]) by localhost (mydomain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for kmaling@anotherdomain.com; Wed, 28 Feb 2018 12:11:31 -0500 (EST)

      But, it’s the next line in the log entries that differ and this is where things seem to result in signing vs not signed.

      For messages sent via Mail.app, I get the following entry…

      Feb 28 12:11:31 mydomain.com /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd[60889]: (60889-05) Checking: go8R5l3yyrZh MYNETS [192.168.XX.XX] kmaling@mydomain.com -> kmaling@anotherdomain.com

      But, from the command line, I get…

      Feb 28 12:09:11 mydomain.com /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd[60890]: (60890-04) Checking: umrH_Nn3qA1D [127.0.0.1] <kmaling@ mydomain.com > -> kmaling@anotherdomain.com

      Looks like messages sent from Mail.app fall into MYNETS and get signed, while messages sent from the command line don’t (and don’t get signed).

      I’m at a loss.
      Any advice would be appreciated.

  13. Scott says:

    Anyone still reading or answering here?

    I did this set up and when I check through an external source, it says my DKIM is correct and appears valid.

    But when I do the testkeys line on the server, I get:

    TESTING#1 prepress.com: default._domainkey.prepress.com => invalid (public key: not available)

    Is there something I missed? Thanks!

  14. Athanasios Alexandrides says:

    Your DNS record seems correct. Most likely something in your amavisd.conf file is not correct or the private keys you have on the server don’t match the public keys. Try and regenerate them and change the DNS record to the new key.

  15. Scott says:

    Wow Alex, thanks so much for answering. The instructions seemed straightforward, so I was baffled as to what could have gone wrong. I found another tutorial almost like yours, but that one said the public key needs to also go on the server as a text file, but he didn’t say how or where to put it. Besides, I trust you more, so I used your tutorial.

    Anyway, to regenerate, do I just delete the mydomain.tld.default.pem file and run the commands in instruction 4.1 again?

  16. Scott says:

    So yes, I regenerated by removing the file and running the RSA key command again. But I still get the same error.

    Also, when I run the showkeys or testkeys commands, I also get this before the result:

    Amavis::Util, Encode::decode() taint laundering bug, fixed in Encode 2.50 at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 2951.

    Is this something I need to fix somehow?

    Thanks!!

    • Athanasios Alexandrides says:

      The taint laundering bug you can ignore.
      Do you get any other errors?
      Does the showkeys command work?
      Most likely there is something wrong in amavisd.conf, but this is almost impossible to diagnose this way.
      Try and retrace your steps and start from scratch if you can.

      • Scott says:

        Alex,
        Thanks so much for your help. I really feel like it is something small somewhere. I combed through amavisd.conf and I only find the area in the tutorial to be changed, like this:

        $enable_dkim_verification = 1; # enable DKIM signatures verification
        $enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key
        dkim_key('prepress.com', 'default', '/var/db/dkim/prepress.com.default.pem');

        @dkim_signature_options_bysender_maps = (
        { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
        #@local_domains_maps = ( [".$mydomain"] ); # list of all local domains

        showkeys works and I get this:

        ; key#1 1024 bits, i=default, d=prepress.com, /var/db/dkim/prepress.com.default.pem
        default._domainkey.prepress.com. 3600 TXT (
        "v=DKIM1; p="
        "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeRBYJHBvatE0KGqHLgV+LWba6"
        "btvl44H/lns9NWDs92VtZY3DTyXHUHn5h0JbMmNK8tjiLVVaTp+tvFzgdVjfDDS/"
        "JX2MJlvUqfDPeDDZ2I56trx+5SjNbaPHhsDtlURUW2NJIT2hEVBni4GDLa02V5/w"
        "ytUvh1ZVMJaCz69yrQIDAQAB")

        Now, besides the TXT record that only contains the "o=~", I only put the key in the other one, starting with "v=DKIM1" but without quotes, spaces or parentheses.

        So maybe this is my problem: I didn’t use or do anything with the whole first section that is this:

        ; key#1 1024 bits, i=default, d=prepress.com, /var/db/dkim/prepress.com.default.pem
        default._domainkey.prepress.com. 3600 TXT (

        I thought this part was just informational, but should any of it go somewhere?

        Thanks again!
        Scott

        • Athanasios Alexandrides says:

          The key should only have a quote at the beginning and at the end. Some DNS providers’ Control Panels will add the quotes themselves, so you may want to try with and without.
          Other than that, it is impossible to diagnose via comments. If you need more help, drop us a note.

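Worked example, added here and not part of the tutorial or of the comment thread above: a small Python script that turns the `showkeys` output quoted in the exchange above into the one string a DNS control panel expects, and then checks that string the way a verifier would before trusting it. It keeps only the quoted string content (the `;` line is a zone-file comment, the parentheses and the per-line quotes are zone-file syntax), re-splits the value into 255-octet strings where a zone file needs that, parses the tags back out while tolerating quotes and line breaks a panel may have added, and decodes the `p=` value as DER to confirm it is a complete rsaEncryption SubjectPublicKeyInfo and report the modulus size. The sample input is the output the commenter posted (their domain, selector and key); the function names are the example's own.

```python
import base64
import re

# Constructed sample input: the showkeys output posted in the comment above
# (the commenter's domain, selector and 1024-bit key, not a key of ours).
SHOWKEYS_OUTPUT = """\
; key#1 1024 bits, i=default, d=prepress.com, /var/db/dkim/prepress.com.default.pem
default._domainkey.prepress.com. 3600 TXT (
"v=DKIM1; p="
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeRBYJHBvatE0KGqHLgV+LWba6"
"btvl44H/lns9NWDs92VtZY3DTyXHUHn5h0JbMmNK8tjiLVVaTp+tvFzgdVjfDDS/"
"JX2MJlvUqfDPeDDZ2I56trx+5SjNbaPHhsDtlURUW2NJIT2hEVBni4GDLa02V5/w"
"ytUvh1ZVMJaCz69yrQIDAQAB")
"""
RSA_OID = bytes.fromhex("2a864886f70d010101")   # id rsaEncryption

def parse_showkeys(text):
    """Return (record_name, ttl, flat_txt_value). The ';' line is a zone-file
    comment; '(' ')' and the per-line quotes are zone-file syntax, so only the
    concatenated string content is the TXT value that belongs in the DNS."""
    name = ttl = None
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"^(\S+)\s+(\d+)\s+(?:IN\s+)?TXT\s*\(?", line)
        if m:
            name, ttl = m.group(1).rstrip("."), int(m.group(2))
            line = line[m.end():]
        parts.extend(re.findall(r'"([^"]*)"', line))
    if name is None:
        raise ValueError("no TXT record found in showkeys output")
    return name, ttl, "".join(parts)

def chunk_txt(value, limit=255):
    """Split into <=255-octet quoted strings; one TXT string cannot be longer."""
    return ['"%s"' % value[i:i + limit] for i in range(0, len(value), limit)]

def parse_dkim_txt(value):
    """Parse tag=value pairs, tolerating quotes, line breaks and spaces that a
    DNS control panel may add or that come along when the key is pasted."""
    value = value.replace('"', "").replace("\n", "")
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags

def _der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_value):
    """Decode p= (base64 SubjectPublicKeyInfo) and return the RSA modulus size."""
    der = base64.b64decode(p_value, validate=True)
    tag, spki, end = _der_tlv(der, 0)               # SEQUENCE SubjectPublicKeyInfo
    if tag != 0x30 or end != len(der):
        raise ValueError("p= is not a complete DER SubjectPublicKeyInfo")
    _, alg, alg_end = _der_tlv(der, spki)           # SEQUENCE AlgorithmIdentifier
    _, oid, oid_end = _der_tlv(der, alg)            # OBJECT IDENTIFIER
    if der[oid:oid_end] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bs, _ = _der_tlv(der, alg_end)             # BIT STRING subjectPublicKey
    if tag != 0x03 or der[bs] != 0:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa, _ = _der_tlv(der, bs + 1)               # SEQUENCE RSAPublicKey
    tag, n, n_end = _der_tlv(der, rsa)              # INTEGER modulus
    if tag != 0x02:
        raise ValueError("modulus INTEGER missing")
    return int.from_bytes(der[n:n_end], "big").bit_length()

def check_record(showkeys_text):
    """Flat value, zone-file chunks, key size and any problems found."""
    name, ttl, flat = parse_showkeys(showkeys_text)
    tags = parse_dkim_txt(flat)
    problems, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if not tags.get("p"):
        problems.append("p= missing or empty (an empty p= means a revoked key)")
    if not problems:
        try:
            bits = rsa_modulus_bits(tags["p"])
        except (ValueError, IndexError) as exc:   # binascii.Error is a ValueError
            problems.append("p= does not decode: %s" % exc)
    return {"name": name, "ttl": ttl, "txt": flat,
            "chunks": chunk_txt(flat), "bits": bits, "problems": problems}

if __name__ == "__main__":
    r = check_record(SHOWKEYS_OUTPUT)
    print(r["name"], r["ttl"], "TXT", " ".join(r["chunks"]))
    print("modulus bits:", r["bits"], "| problems:", r["problems"] or "none")
```

Run as-is it prints the record name, the TTL and the quoted TXT value; what goes into the panel is the string content only, without the parentheses and, unless the provider's panel adds them itself, without the quotes. For the 1024-bit key above the whole value is 227 characters and fits in one string; with a 2048-bit key the base64 alone is 392 characters, which is exactly when the 255-octet split matters and when a panel that silently truncates will produce a record that fails to decode. 1024 bits is also the minimum RFC 8301 still allows signers to use; new keys should be 2048 bits.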
  17. Celia Wessen says:

    It seems like Server 5.2 and up deliberately separates messages routed through 10024 and 10026. Thus, Roundcube mail from localhost will be signed with DKIM but OS X Mail through the same SMTP server will not. Changing the whole interface and signing every message doesn't sound secure. Changing the code for amavisd itself sounds dangerous too. I think we can filter messages that are not from localhost and let DKIM sign those from authenticated SMTP users?

    Also, the DKIM tester on SourceForge does not work for me – just used another one.

  18. Celia Wessen says:

    Sorry, I must’ve lost the last page from the PRINT OUT 🙁

    I didn't see the "Advanced configuration options". This did let localhost messages bypass scanning, but didn't let DKIM sign messages sent through SMTP by authenticated users.

    … and I guess amavisd does have a bug(?) that the Linux crowd has been patching on their own. Adding "$msginfo->originating(c('originating'));" may be the way to go.

  19. Scott says:

    Hi Alex,

    Are you still reading this?

    Two years ago when you helped me above, I was on El Capitan and Server 5.2 and got it working. I updated that server to High Sierra and Server 5.6.3 and it continued to sign messages just fine.

    Our other server was on Yosemite and Server app 5.0.15 and I didn't install DKIM at all. I have since updated that server to High Sierra and Server 5.6.3. Now I'm trying to install DKIM and when I do:

    sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys

    I get this error:

    Amavis::Util, Encode::decode() taint laundering bug, fixed in Encode 2.50 at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 2951.
    Error in config file "/Library/Server/Mail/Config/amavisd/amavisd.conf": Can't open PEM file /var/db/dkim/norfolkpress.default.pem: No such file or directory at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 642.

    Would happen to know what the problem is here?

    Thanks!
    Scott

  20. Scott says:

    The key file is where you say to put it in /var/db/dkim/ with the key in it. And I ran the permissions as you say. What puzzles me is that it says no such file and it’s looking inside the Server.app itself and not in /var/db/dkim/.

    After asking here, I found another tutorial that says to put the key file in the amavisd folder at /Library/Server/Mail/Config/amavisd/. Then the error was "Can't open PEM file /Library/Server/Mail/Config/amavisd/dkim_key: Permission denied at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 642."

    But this tutorial hadn't run a chown, so I ran "sudo chown root:_amavisd /Library/Server/Mail/Config/amavisd/dkim_key" and it generated my public key to put in my DNS. Great!

    I tested sending to the port25.com verifier and got all passes and sending messages all get signed. So then I added your advanced options and everything seems to be working great. But just one thing now:

    Even though it’s working, I ran the testkeys command and got:
    TESTING#1 norfolkpress.com: mail._domainkey.norfolkpress.com => invalid (public key: DNS query timeout for mail._domainkey.norfolkpress.com at /System/Library/Perl/Extras/5.18/Mail/DKIM/DNS.pm line 156.)

    So my question is:
    Should I try to fix this error (and do you have a clue about it,) or should I let it go because messages are getting signed?

    Thanks again for your help!
    Scott

    • Athanasios Alexandrides says:

      It is not looking inside the Server app itself. It is only pointing out that the error occurs on line 642 of amavisd, which is exactly where it should be.

      If it works, leave it as is. Don't expect things to work perfectly with old OS versions. Lots of things have changed since, and a production mail server will increasingly run into issues on a 3-4 year old OS.

  21. Rohin Hattiangadi says:

    Hi!
    I followed your guide and it worked.

    One Important NOTE for everyone having issues getting this to work –
    AFTER completing steps – please remember to turn mail OFF .. and back ON so new configuration loads
    (Last step to get it to work)

    p.s. My biggest issue was trying to figure out how to put the public DKIM key on my DNS host, Network Solutions…
    (If anyone needs help please reply here and will email me)

  22. FORZY says:

    I followed all the steps successfully (showkeys, testkeys), but when I send email I don't get any signature; I still have dkim:none.
    I'm getting desperate, spending hours with no result. What am I missing?

    • FORZY says:

      I'm using macOS 10.13.6

  23. Imre says:

    Hi Everyone,

    I hope you can help me with my problem, and I think I'm not alone with this.
    Everything is working fine and the outgoing mails are signed correctly when I'm sending them from the Mail.app installed on the server and/or sending messages with Roundcube.
    But there is no DKIM signature when sending mail from other computers in our intranet or from the internet.
    What do I need to do? 🙂
