DKIM Signing

Using Domain Keys / DKIM with Mac OS Server 5.X

DISCLAIMER: The author(s) / CTCI claim(s) no responsibility for any damage to your system or loss of data that may occur as a result of using the information found in this instructional post. It is your responsibility, and yours alone, to ensure you have proper backups of your system and of any files that may be affected by following this guide. These instructions are carried out on the command line; if you are not comfortable with the command line, we recommend you contact us to have us configure your mail server for you. You can contact our sales department by clicking here.

What are Domain Keys and what is their purpose?

DomainKeys Identified Mail (DKIM, the successor to Yahoo's original DomainKeys) lets a domain administrator attach a cryptographic signature to outgoing mail so that receiving servers can check that the message really passed through a server holding that domain's signing key and that the signed headers and body were not altered in transit. It is most commonly deployed on mail servers to make it harder for spammers to spoof the domain. When configured properly, every email leaving the server is signed with a private key, and the matching public key is published as a TXT record in the domain's DNS so any recipient can verify the signature. Note that DKIM on its own only tells a receiver that a signature verifies; receivers will only start rejecting unsigned or badly signed mail claiming to be from your domain if you also publish a DMARC policy. For additional information on DKIM and how it is used in email communications you can visit DKIM.org.

Before You Begin

Before making any significant changes to your server configuration files you should always make sure you have a current backup you can restore in case your changes cause unexpected problems. Before you begin the steps below, be sure you have a backup of your server. We strongly suggest that you read through the entire post and make sure you understand what you are doing before proceeding. If you do not understand the changes you are about to make and how they will affect your server, speak to one of our engineers first.

Using DKIM to verify incoming messages

When using Mac OS Server 5.X nothing needs to be done to verify DKIM signatures on incoming email; it is already configured for you. The directions here tune the preconfigured settings into a more useful configuration.

By default, the SpamAssassin configuration that ships with Server 5.X is very passive and lets almost any email reach your inbox. For most sites a passive filtering level is fine, since it lets individual users set their own filtering level in their mail clients. Unfortunately the volume of spam today can be burdensome, and the vast majority of legitimate mail now carries a DKIM signature, so a valid signature is a useful (if weak) signal. To adjust the scoring we modify SpamAssassin's primary local configuration file at /Library/Server/Mail/Config/spamassassin/local.cf. Back it up first:

sudo cp /Library/Server/Mail/Config/spamassassin/local.cf /Library/Server/Mail/Config/spamassassin/local.cf-bk
sudo pico /Library/Server/Mail/Config/spamassassin/local.cf

Add the following lines to the configuration file to tell SpamAssassin how to adjust spam scores based on DKIM signatures. DKIM_SIGNED fires on any message carrying a signature (which costs a spammer nothing, hence the small positive score) and DKIM_VALID fires when a signature verifies. Neither rule checks that the signing domain matches the From: address; that is what the separate DKIM_VALID_AU rule covers. Keep the bonus small: spammers can and do sign their own mail with perfectly valid keys. Adjust the scores below to suit your environment. If you do not understand SpamAssassin scoring, consider contacting CTCI for assistance.

score DKIM_SIGNED 0.100
score DKIM_VALID -0.150

Now that the scoring is adjusted, we want amavisd to add the score to the headers of every message so it is visible. This is done in /Library/Server/Mail/Config/amavisd/amavisd.conf.

sudo cp /Library/Server/Mail/Config/amavisd/amavisd.conf /Library/Server/Mail/Config/amavisd/amavisd.conf-bk
sudo pico /Library/Server/Mail/Config/amavisd/amavisd.conf

Once the file is open press ctrl-w to enter search mode and search for "sa_tag_level_deflt"; change the value to -999. By default the value is 2, which means the X-Spam-Status and X-Spam-Score headers are only added when the overall score is 2 or higher. Setting it to -999 (or undef) causes the headers to be added regardless of the final score.

Once your changes are made you need to restart amavisd-new (the content filter that runs SpamAssassin). This is easiest done by stopping and starting the mail service in Server 5.X. If you also plan on enabling DKIM signing, you can postpone the restart until you have finished all your adjustments.

sudo serveradmin stop mail
sudo serveradmin start mail

Using DKIM to sign outgoing messages

In order to sign outgoing email with DKIM you must first create the signing key. Be sure you replace yourdomainname.com with your actual domain name in the following commands. amavisd genrsa creates a 1024-bit RSA key by default; it accepts the key size as an optional final argument, and 2048 is the size RFC 8301 recommends for signers (1024 is the minimum).

sudo mkdir -p /var/db/dkim

sudo chown _amavisd /var/db/dkim

sudo -u _amavisd -H amavisd genrsa /var/db/dkim/yourdomainname.com.default.pem

sudo chown root:_amavisd /var/db/dkim/yourdomainname.com.default.pem

sudo chmod 640 /var/db/dkim/yourdomainname.com.default.pem

The commands above create your private signing key in /var/db/dkim/yourdomainname.com.default.pem, readable only by root and the _amavisd group. The private key never leaves the server and must never be published; only the public half goes into DNS.

Now that we have a key we need to modify the amavisd-new configuration to use it (the Postfix changes come later). Back up amavisd.conf again under a new name, so you do not overwrite the backup taken earlier:

sudo cp /Library/Server/Mail/Config/amavisd/amavisd.conf /Library/Server/Mail/Config/amavisd/amavisd.conf-bk2
sudo pico /Library/Server/Mail/Config/amavisd/amavisd.conf

Press ctrl-w to enter search mode and search for "enable_dkim". Ensure that $enable_dkim_verification and $enable_dkim_signing are both set to 1. On the line directly below $enable_dkim_signing = 1; add the following. The first argument to dkim_key is the signing domain (the d= tag in the signature), the second is the selector (the "default" in default._domainkey), and the third is the private key file you just created; replace both the domain and the file name with your own. In the signature options, ttl sets the signature expiration (x= tag) to 21 days and c selects relaxed canonicalization for headers and simple for the body:

dkim_key('mydomain.tld', 'default', '/var/db/dkim/yourdomainname.com.default.pem');

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );
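What the c => 'relaxed/simple' option, and a DKIM signature in general, actually covers is easier to see in code. The following Python is an added example, not part of the original post or of amavisd-new: it implements the RFC 6376 relaxed header canonicalization and both body canonicalizations, computes the body hash that goes into the bh= tag, and selects the header instances covered by the h= tag, over a small message constructed here for illustration. It shows why relaxed canonicalization survives a relay that rewraps whitespace while simple does not.

```python
import base64
import hashlib
import re

WSP_RUN = re.compile(rb"[ \t]+")


def canon_body(body: bytes, method: str) -> bytes:
    """Canonicalize a message body per RFC 6376 sections 3.4.3 (simple) / 3.4.4 (relaxed)."""
    if method not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: %s" % method)
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # collapse runs of SP/TAB to one SP and drop trailing whitespace on each line
        lines = [WSP_RUN.sub(b" ", line).rstrip(b" \t") for line in lines]
    # both methods ignore empty lines at the end of the body
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # an empty body canonicalizes to a single CRLF under simple, to nothing under relaxed
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def canon_header(field: bytes, method: str) -> bytes:
    """Canonicalize one raw header field (name, colon, value, possibly folded)."""
    if method == "simple":
        return field if field.endswith(b"\r\n") else field + b"\r\n"
    if method != "relaxed":
        raise ValueError("unknown header canonicalization: %s" % method)
    name, _, value = field.partition(b":")
    value = value.replace(b"\r\n", b"")             # unfold continuation lines
    value = WSP_RUN.sub(b" ", value).strip(b" \t")  # collapse inner WSP, trim both ends
    return name.strip(b" \t").lower() + b":" + value + b"\r\n"


def body_hash(body: bytes, method: str = "simple", algo: str = "sha256") -> str:
    """Return the base64 body hash that the signer puts in the bh= tag."""
    digest = hashlib.new(algo, canon_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def select_headers(raw_headers, h_list):
    """Pick the header instances covered by the h= tag.

    For each name listed in h=, the last not-yet-used instance of that header is
    taken, so a message with two From: fields is covered bottom-up."""
    remaining = list(raw_headers)
    chosen = []
    for name in h_list:
        wanted = name.lower().encode("ascii")
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i].split(b":", 1)[0].strip().lower() == wanted:
                chosen.append(remaining.pop(i))
                break
    return chosen


def signed_header_block(raw_headers, h_list, method="relaxed") -> bytes:
    """The canonicalized header data the b= signature is computed over (the signer
    appends the DKIM-Signature field itself, with an empty b=, after this block)."""
    return b"".join(canon_header(h, method) for h in select_headers(raw_headers, h_list))


# Constructed sample message for illustration (not from the original post).
SAMPLE_HEADERS = [
    b"Received: from client (client.example.net)\r\n",
    b"From: Alice <alice@example.com>\r\n",
    b"Subject:  DKIM  test\r\n\tmessage  \r\n",   # folded, with extra whitespace
    b"To: bob@example.org\r\n",
]
SAMPLE_BODY = b"Hello   world\r\n\r\n\r\n"          # extra spaces, trailing blank lines
REWRAPPED_BODY = b"Hello world\r\n"                 # same text after a relay rewrapped it


if __name__ == "__main__":
    print(signed_header_block(SAMPLE_HEADERS, ["from", "subject", "to"]).decode())
    for method in ("simple", "relaxed"):
        print(method, body_hash(SAMPLE_BODY, method), body_hash(REWRAPPED_BODY, method))
```

With simple body canonicalization the two bodies hash differently, so a relay that touches whitespace breaks the signature; with relaxed they hash the same. That is the trade-off behind relaxed/simple: relaxed headers tolerate the refolding that mailing lists and gateways routinely do, while a simple body keeps the body hash strict.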

Now that the system knows which key to use for signing, we need to publish the public key in DNS so that receivers know what to expect. The following command prints the DNS record for each configured key:

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys 

You should see something similar to the output below, which is the TXT record you need to add to your DNS zone. The quoted fragments after p= are concatenated by resolvers into one value, and in most DNS providers' web interfaces you paste the whole value as a single line. A 2048-bit key is longer than the 255-byte limit on a single TXT string and has to be stored as several quoted strings, which is why showkeys prints the record in this form.

; key#1, domain mydomain.tld, /var/db/dkim/circletechcollective.com.default.pem
default._domainkey.circletechcollective.com.    3600 TXT ( 
"v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6uSVVsQY1+ZVnXJRQK+ASC9R"
  "xT+zdLK/v8Ur+dOa9E+1WwlJyhtfyrITqX6EbYNbbOVcI2me3FyevPC9/PPNyTxx"
  "/wZqylkGtM2ZE1I9pbnvUTYsQn3tGPLV3AOSGsz9GkpL3xPFvuGsL8WrvgN+6V9D"
  "aEaTPYWjTBNFw2/6tQIDAQAB")
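A check worth running once the record is published: fetch the TXT record and confirm it is the key you expect and is strong enough. The Python below is an added example, not amavisd code or the post's own. It parses a DKIM key record given as the quoted fragments a TXT lookup returns (the sample is the record printed above), validates the tags, decodes the public key and reads the RSA modulus size straight out of the DER encoding, so you can spot a revoked key (empty p=), a key still flagged as testing (t=y), a record of the wrong type, or a modulus below the 1024-bit minimum RFC 8301 requires of signers. The DNS lookup itself is left out so the example runs offline; feed it the strings your resolver returns.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk a SubjectPublicKeyInfo (what p= carries) down to the RSA modulus."""
    tag, spki_body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    tag, alg, pos = _der_tlv(spki_body, 0)          # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("key is not rsaEncryption")
    tag, bit_string, _ = _der_tlv(spki_body, pos)   # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der_tlv(bit_string[1:], 0)     # skip the unused-bits byte
    _, modulus, _ = _der_tlv(rsa_pub, 0)            # INTEGER n is the first element
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(strings, min_bits: int = 1024) -> dict:
    """Parse a DKIM key record from the quoted strings a TXT lookup returns.

    Resolvers join the fragments with no separator; tags are ';'-separated and
    whitespace inside the base64 key is permitted by RFC 6376."""
    record = "".join(s.strip('"') for s in strings)
    tags = {}
    for item in record.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        tags[name.strip()] = value.strip()
    if "v" in tags and tags["v"] != "DKIM1":
        raise ValueError("not a DKIM key record (v=%s)" % tags["v"])
    if "p" not in tags:
        raise ValueError("record has no p= tag")
    result = {
        "key_type": tags.get("k", "rsa"),
        "testing": "y" in tags.get("t", "").split(":"),   # t=y: receivers treat as unsigned
        "revoked": tags["p"] == "",                        # empty p= means key revoked
        "bits": 0,
        "too_short": False,
    }
    if result["revoked"]:
        return result
    if result["key_type"] != "rsa":
        raise ValueError("unsupported key type %s" % result["key_type"])
    der = base64.b64decode("".join(tags["p"].split()), validate=True)
    result["bits"] = rsa_modulus_bits(der)
    result["too_short"] = result["bits"] < min_bits
    return result


# The record printed by showkeys above, as the quoted fragments a resolver returns.
SHOWKEYS_RECORD = [
    '"v=DKIM1; p="',
    '"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6uSVVsQY1+ZVnXJRQK+ASC9R"',
    '"xT+zdLK/v8Ur+dOa9E+1WwlJyhtfyrITqX6EbYNbbOVcI2me3FyevPC9/PPNyTxx"',
    '"/wZqylkGtM2ZE1I9pbnvUTYsQn3tGPLV3AOSGsz9GkpL3xPFvuGsL8WrvgN+6V9D"',
    '"aEaTPYWjTBNFw2/6tQIDAQAB"',
]

if __name__ == "__main__":
    print(parse_dkim_record(SHOWKEYS_RECORD))
```

Run against the sample record this reports a 1024-bit RSA key: enough for verifiers to accept, but if you regenerate with a 2048-bit key the same check with min_bits=2048 is a handy way to confirm that the record you published is really the new key and not the old one still cached somewhere.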

The exact method for adding the record varies with where you host your DNS. If you run split-horizon DNS, that is an internal DNS server (including one on the mail server itself) that is authoritative for your domain, you must add the record there as well as at your external provider: testkeys and amavisd's verification look the record up through the server's own resolver, and if that resolver answers from an internal zone that lacks the record, the lookup fails even though the outside world sees the key. DNS propagation takes time, normally under 4 hours but potentially up to 72. Once you are sure the record has propagated (querying the TXT record from the mail server itself is the definitive check), issue the following command to test your keys:

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf testkeys

If you did everything correctly you should see something similar to the following:

TESTING#1 circletechcollective.com: default._domainkey.circletechcollective.com => pass

Now that we know the DKIM key works, we need to configure the server to sign messages submitted by email clients, not just mail generated on the server itself. Out of the box Postfix hands everything to amavisd on port 10024, which only scans. The changes below route mail from your own networks or from authenticated users to port 10026 instead, where amavisd's ORIGINATING policy bank signs it and hands it back to Postfix on a dedicated listener on port 10027. This requires editing a few files, so before anything else make sure we have backups of them.

sudo cp /Library/Server/Mail/Config/postfix/master.cf /Library/Server/Mail/Config/postfix/master.cf-bk
sudo cp /Library/Server/Mail/Config/postfix/main.cf /Library/Server/Mail/Config/postfix/main.cf-bk

Now on to editing, starting with the postfix main.cf file.

sudo pico /Library/Server/Mail/Config/postfix/main.cf

Once the file is open go to the very bottom and add the following as a single line. If main.cf already contains a smtpd_sender_restrictions line, replace it instead of adding a second one; Postfix uses the last definition and logs an "overriding earlier entry" warning. Postfix evaluates the list left to right: the first check_sender_access matches every sender (its map is a /^/ regexp) and sets a FILTER to the signing port, and permit_mynetworks or permit_sasl_authenticated then ends evaluation for your own networks and authenticated users, so their mail is signed. Everyone else falls through to reject_non_fqdn_sender and the second check_sender_access, whose FILTER overrides the first (the last FILTER action wins) and routes the message to the scanning-only port. Note that permit_mynetworks comes first, so any host listed in $mynetworks gets its mail signed regardless of who the sender claims to be; keep $mynetworks tight.

smtpd_sender_restrictions = check_sender_access regexp:/Library/Server/Mail/Config/postfix/tag_for_signing, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/Library/Server/Mail/Config/postfix/tag_for_scanning, permit

Exit and save main.cf. Then create a new file called tag_for_signing containing the single line /^/ FILTER smtp-amavis:[127.0.0.1]:10026 (the regexp matches every sender; the action hands the message to amavisd's signing port):

sudo pico /Library/Server/Mail/Config/postfix/tag_for_signing

Exit and save the file. Then create a new file called tag_for_scanning containing the single line /^/ FILTER smtp-amavis:[127.0.0.1]:10024:

sudo pico /Library/Server/Mail/Config/postfix/tag_for_scanning

Exit and save the file and now move on to editing the postfix master.cf file:

sudo pico /Library/Server/Mail/Config/postfix/master.cf

Scroll to the bottom of the file and add the following block. It defines the listener on port 10027 that amavisd's ORIGINATING policy bank hands signed mail back to; it accepts connections from localhost only and disables the content filter and most restrictions so the message is not scanned or signed a second time:

127.0.0.1:10027 inet n  -       y       -       -       smtpd
   -o content_filter=
   -o smtpd_tls_security_level=none
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o smtpd_restriction_classes=
   -o mynetworks=127.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
   -o local_header_rewrite_clients=
   -o smtpd_milters=
   -o local_recipient_maps=
   -o relay_recipient_maps=

Exit the file and save it. Now we are going to edit the amavisd config file.

sudo pico /Library/Server/Mail/Config/amavisd/amavisd.conf

Press ctrl-w and search for $policy_bank{'ORIGINATING'}. While you are there, confirm that the preconfigured settings the rest of this recipe depends on are present: $inet_socket_port must list 10026 alongside 10024, $interface_policy{'10026'} must be 'ORIGINATING', and the ORIGINATING bank's forward_method must point at the 10027 listener you just added (smtp:[127.0.0.1]:10027). Then, at the bottom of the policy bank block, add the following:

bypass_spam_checks_maps   => [1],

Exit and save the file. Be aware that bypass_spam_checks_maps => [1] turns spam scoring off for everything that passes through the ORIGINATING bank, so outbound mail from a compromised account will not be caught by SpamAssassin; keep an eye on your outbound queue and mail logs. Then restart the mail services on the server.

sudo serveradmin stop mail
sudo serveradmin start mail

Troubleshooting & Testing

Once your configuration is done, test that your DKIM signatures verify. The easiest way is to send an email to [email protected]. You will get an automated reply with content similar to the following:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham

If the DKIM check says anything other than pass, something is wrong. It's worth noting that you may see different results for the other tested items depending on your configuration. If you are not seeing pass and ham on everything, check our knowledge base for other posts on how to fix those issues.

Please be aware that if you update the OS or Server.app some of these settings could be reverted by Apple, so retest after any update. If you previously passed, did an update and now fail, go back and confirm all the changes you made are still present.

If it is failing, the most common causes are the following:

• The DNS records for your server are not yet propagated.
• You typed something wrong
• You forgot to change one of the spots that say yourdomainname.com to your domain name.
• When you copied a line of code and pasted it a line break was inserted somewhere.
• Your file ownership or permissions could be incorrectly set.

If you get none when sending from outside your own network but pass when sending from inside it, the cause is a different set of rules defined for @mynetworks in amavisd.conf, which results in the ORIGINATING policy block not being applied. Be aware that adjusting these could result in any email sent through your server from within your own network being signed regardless of who the sender is.

If all else fails you can contact our sales department to have one our engineers configure your DKIM keys for you.

19 Comments

  • Scott Lyons

    I did this set up and when I check through an external source, it says my DKIM is correct and appears valid.

    But when I do the testkeys line on the server, I get:

    TESTING#1 prepress.com: default._domainkey.prepress.com => invalid (public key: not available)

    Is there something I missed? You mention that the public key should also be on the server, but you don’t say anything about where it goes or how to set it up. Could this be my problem?

    Thanks!

    • Avery Chipka

      The error you’re getting is because you don’t have the DNS records installed locally on the server. In Server.app go to the DNS settings there and add the previously listed DNS settings to the local DNS as well as the external.

      • Scott Lyons

        But I do have proper DNS settings in the server.app for the domain, otherwise I assume my site and email would not be working.

        But if you are talking about putting the public key inside the server, I cannot figure out where the key goes.

        Can you give a clue? Thanks!

        • Avery Chipka

          Your domain key entry (default._domainkey.prepress.com) needs to be added to your local DNS server as a TXT record just like you did for your external record. It is set for the primary domain entry in your DNS section of server.app. Alternatively, you can manually add it to the DNS files.

          • Scott Lyons

            Avery,
            Thanks for continuing to help!

            There is no place to put TXT like in the external registrar. In my server.app, I have an A record for each prepress.com and mail.prepress.com, and in those there is a field simply labeled Text: But if I put the public key in there, it doesn’t do anything.

            So would you mind helping me and letting me know how to add the key to my local server in either of the ways you mention above?

            Thanks so much!

            Scott

          • Avery Chipka

            Your Raw DNS files are located at:

            /Library/Server/named

            You can manually edit the DNS records there.

  • Scott

    Tried answering but it didn’t post. Sorry if this shows up twice.

    This is great. All my files there are these:

    db.8RussianHillPlace2.com
    db.65.24.136.in-addr.arpa
    db.221.65.24.136.in-addr.arpa
    db.design1.prepressmedia.com
    db.design1dev.prepressmedia.com
    db.new1.prepress.com
    db.prepress.com
    db.prepressmedia.com
    localhost.zone
    named.ca
    named.conf
    named.local
    rndc.key

    So do I put the public key in one of these files, or do I make new file? If a new file, what should the file be named?

    Thanks!!

    • Avery Chipka

      If you’re not familiar with manual edits of DNS files I would not advise you make the adjustments yourself. I have sent you an email with one of our account reps CC’d. They will be happy to set up a time to have one of us connect in and do it for you.

      Your edit needs to occur in the file associated with the domain you are adding DKIM for; based on your previous posts that would be db.prepress.com. But it also appears you’re running multiple domains on the server, which means you need to set up DKIM for each one of them individually.

      • Scott Lyons

        Great!
        It’s so nice of you to offer help, but I really just need to figure out this one error. I’m not squeamish about editing files. See, I found an almost identical dkim tutorial on topicdesk.com, but he makes no mention of putting the public key on the internal server.

        Also, those other domains are either used for testing only or don’t even exist anymore, so there is no mail service on them and no dkim needed.

        So, do I just need to put the key in the file you mention, the same as it is on the registrar? like:

        v=DKIM1;
        p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeRBYJHBvatE0KGqHLgV+LWba6btvl44H/lns9NWDs92VtZY3DTyXHUfjfgjjfjsMmNK8tjiLVVaTp+tvFzgdVjfDDS/JX2MJlvUGH’gjkhjjZ2I56trx+5SjNbaPHhsDtlURUW2NJIT2hEVBni4GDLa02V5/wytUvh1ZVMJaCz69yrQIDAQAB

        (altered so it’s not the actual key)

        Thanks so much!

        • Avery Chipka

          You need to include the entire DNS entry, including the default domain key field, TTL and type of DNS entry line item.

          But yes, it will be similar to the one you do with your external DNS, but I can’t provide you with the exact entry as it would be different for each individual domain.

          • Scott Lyons

            OK great, thanks for trying to answer.

            It’s just that this was such a detailed tutorial, right down to the exact OS and 5.x server app. But no detail of how to put the public key on the internal server.

            And since the key info needed and it’s format is pretty much the same for everyone, as you showed in the tutorial (to go on the public dns), I would have thought you would show where in the server that same data goes, since anyone reading this would have the server.app to enter what you show in the dns correctly, or even manually in the named folder.

          • Avery Chipka

            We didn’t include details on that because that is a function of how to configure DNS, not how to enable DKIM. Apple’s Server Documentation (use the 10.10 version of the docs) includes how to add a TXT record through Server.app; what they don’t include in the docs is how to actually make DKIM work properly. Hope you got it working, and if you need anything else feel free to contact us.

  • Scott Lyons

    It’s not really a function of dns configuration since you state that the TXT of the key needs to go on the internal server. It would have been cool if you could have included how to do just that bit.

    I have found Apple server docs useless in the past, but I’ll see if I can find what you mention.

    From the clues you have given, I’ll see if I can piece this together. If I get something not too involved that works, maybe I’ll write it up and you could add it to your tutorial.

  • Scott Lyons

    Wow, with all your clues, and some additional looking around, I got it. I really didn’t think it was going to work, but here’s my testkeys result:

    TESTING#1 prepress.com: default._domainkey.prepress.com => pass

    I got the zone file from my registrar (where the public key is) and copied out the line:

    default._domainkey 3600 TXT "v=DKIM1;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCeRBYJHBvatE0KGqHLgV+LWba6btvl44H/lns9NWDs92VtZY3Ddfdf99h0JbMmNK8tjiLVVaTp+tvFzgdVjfDDS/JX2MJlvUqfDPeDDZ2I56trx+5SjNbaPHhllhl54JIT2hEVBni4GDLa02V5/wytUvh1ZVMJaCz69yrQIDAQAB"

    And pasted it in at the bottom of file: /Library/Server/named/db.prepress.com

    I turned off DNS in server app first, then turned it on after.

    Thanks again for the help!

    • Scott Lyons

      One other thing.

      When you said above it needed to be on “your internal DNS server,” you also said “Including on the mail server itself.”

      Does what I have done cover that, or is there something else?

      Thanks!

      • Avery Chipka

        As a general best practice for Mac OS running mail, you should have DNS running locally on the mail server with your local domains, this will reduce the need for lookups to be performed on a different machine.

        Set up your mail server to also run DNS for itself only, add copies of things like your DKIM keys, MX records etc., then set your forwarding server to your main DNS server.

        • Scott Lyons

          OK, I think I got that. DNS runs on the same server as domains and mail, –> Server.app

          I didn’t see anything in server.app for mail to run DNS for itself only. Or is this a custom thing that can only be done in terminal?

          Thanks!

        • Avery Chipka

          In the DNS options of Server.app there is a setting available for who can use the server for DNS lookups. If you’re running DNS and mail on the same server, you are already set.

          • Scott Lyons

            OK great, I’m set for:

            “Only some clients”
            and
            “The server itself”

            Is this still good for DKIM with the TXT I have added?

            Thanks!
