I am setting up DKIM on MacOS X/Server using Amavis-new. Everything seems ok, but when I try to test it using

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf testkeys

I get:

invalid (public key: invalid data)

At the same time, the DNS record seems to be set correctly (at least according to my experience with normal Linux-based systems) and the selector is working.

How could I find out more about the reason amavis returns such a message?

Janis

1 Answer

I was able to get this working a while ago on Server 5.3.1. Using your terminal command, I get:

TESTING#1 example.com: default._domainkey.example.com => pass

Here's what I have to set it up in amavisd.conf:

dkim_key('example.com', 'default', '/var/db/dkim/example.com.default.pem');

The following allows me to use the single key to work for all of the virtual sites hosted on the server:

@dkim_signature_options_bysender_maps = ({
    '.' => {d => 'example.com',a => 'rsa-sha256',c => 'relaxed/simple',ttl => 30*24*3600 },} );

I just checked my notes and realized that there was another piece to the puzzle to get this working.

Not sure which version of Server you are using, but there is a bug in Amavisd in certain versions of Server 5 that requires you to make a change. The details are here: https://discussions.apple.com/thread/7684786

Note that the directions tell you to insert the patch beneath the line:

Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl; 

There are two instances of that line, at least in Server V 5.3.1. You'll want to work with the second instance further down, which actually has the blank line underneath. Be aware that any future updates to the Server app may overwrite this patch.

Depending on your setup, you also may wish to move the originating port from the default 10024 to 10026 in amavisd.conf.

wdkelper
  • Unfortunately it does not help. In my case there are four instances of the mentioned line, one with a blank line after it. I still get => invalid (public key: invalid data). I put in the DNS record the info I got using showkeys. What if I generated the required keys according to the opendkim setup procedure? Actually, it is the first time I am trying to get DKIM alive using amavis. – Janis May 03 '19 at 19:39
  • Actually, it is not yet finally clear - unfortunately the DNS service provider uses an outdated customer interface not allowing me to manage the DKIM record myself, so it seems some mistakes are introduced. – Janis May 03 '19 at 20:49
  • Sounds like you are on the right track. I used the tutorial here: https://topicdesk.com/downloads/tutorials/implementing-domainkeys-dkim-on-os-x-10-10-x-yosemite-and-os-x-10-11-x-el-capitan-with-server-5-x/ and used the Advanced Configuration Options. That involved enabling/configuring port 10026 to handle mail originating from our trusted users. Past that, I'm not sure what to suggest... I'm assuming that the mail server is being restarted after changes are made? – wdkelper May 04 '19 at 21:52
  • Everything finally seems ok, except the messages are not signed with DKIM. I checked with dkimvalidator.com and got no result, but one line in the SPF test makes me suspicious: Using local nameserver for SPF resolution. This will probably be cached! - could it mean macosx server has its own DNS server and does not rely on an external one/hosts? What I observe: if I send a test msg from the console, at the recipient end the message headers do not have anything SPF-related. If the test message is sent using a GUI client, SPF shows up in the header. Do these two mail clients use different sending mechanisms? – Janis May 08 '19 at 17:40
  • What else surprises me a lot is a heavy load on perl when receiving plain text messages - CPU load jumps to ~50% and remains so for a considerable time – Janis May 09 '19 at 18:11
  • I find the mail config on macosx server to be a little perverse in shifting this and that around for some unclear reason. So, I got DKIM signing working, at the same time breaking something. – Janis May 10 '19 at 17:00
  • I followed the tutorial you mentioned, but there is still something wrong. Could you share what values you have in the amavis config for: $inet_socket_port (I have 10024 and 10026); $notify_method; $forward_method (I have 10025 for these two), and, if I may be so bold, what your master.cf looks like. It's not the first time I am configuring postfix, but I am afraid of neglecting something vital for the mac world. – Janis May 10 '19 at 17:24
  • Actually - what is funny - the server repairs the postfix config on its own: I am trying to change 10024 to 10026 in master.cf: [code] pickup fifo n - n 60 1 pickup -o content_filter=smtp-amavis:[127.0.0.1]:10024 [/code] but the server is editing it back to the initial value – Janis May 10 '19 at 17:27
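
Added example, not part of the original thread: since the question's `invalid (public key: invalid data)` result and the comments about the DNS provider's interface both concern the published key record, this Python check takes a DKIM TXT value as printed by `dig +short TXT default._domainkey.example.com` and reports how it is malformed. The function names and the sample record (built inline around a toy key) are constructed for illustration, and only RSA keys are covered.

```python
import base64, binascii, re

# Constructed sample: a structurally valid SubjectPublicKeyInfo with a toy
# 64-bit modulus (not a usable key), published as two quoted TXT strings.
SAMPLE_DER = bytes.fromhex("3024300d06092a864886f70d01010105000313003010"
                           "020900c0ffee01234567890203010001")
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_TXT = '"v=DKIM1\\; k=rsa\\; p=%s" "%s"' % (_B64[:20], _B64[20:])

def join_txt(raw):
    """Join the quoted strings of a TXT answer and undo backslash escapes."""
    chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)
    return re.sub(r"\\(.)", r"\1", "".join(chunks) if chunks else raw.strip())

def parse_tags(value):
    """Split a DKIM tag=value list into a dict (the first '=' separates)."""
    pairs = (part.partition("=") for part in value.split(";") if "=" in part)
    return {name.strip(): val.strip() for name, _, val in pairs}

def der_sequence_ok(der):
    """True if der is one DER SEQUENCE whose length field covers every byte."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                       # long form: n length bytes follow
    return 0 < n <= len(der) - 2 and 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def check_dkim_record(raw):
    """Return a list of problems found in a published DKIM key record."""
    tags, problems = parse_tags(join_txt(raw)), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    if tags.get("k", "rsa") != "rsa":       # RSA only, as in the answer's rsa-sha256 setup
        problems.append("k= is not rsa")
    p = re.sub(r"\s+", "", tags.get("p", ""))
    if not p:
        return problems + ["p= missing or empty"]
    try:
        der = base64.b64decode(p, validate=True)
    except binascii.Error:
        return problems + ["p= is not valid base64"]
    if not der_sequence_ok(der):
        problems.append("p= is not a complete DER SEQUENCE (truncated or altered)")
    return problems

if __name__ == "__main__":
    print(check_dkim_record(SAMPLE_TXT) or "record looks well-formed")
```

Pass the quoted strings exactly as the resolver returns them. An empty list means the record is structurally sound, not that it matches the private key amavisd signs with.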