DKIM Signing

Using Domain Keys / DKIM with Mac OS Server 5.X

DISCLAIMER: The author(s) / CTCI claim(s) no responsibility for any damage that may occur to your system or loss of data that may occur as a result of using the information found in this instructional post. It is your responsibility and your responsibility alone to ensure you have proper backups of your system and files that may be affected by using this guide. These instructions are done utilizing the command line if you are not comfortable with using the command line, it is recommended you contact us to have us do the configuration of your mail server for you. You can contact our sales department by clicking here.

What are Domain Keys and What are there purpose?

Domain Keys also known as DKIM are implemented by domain administrators so those receiving communications from a server know that the communication is coming from the server that it claims to be coming from. The process is most commonly used on mail servers to prevent spammers from spoofing the server. When configured properly all emails coming from a server will be signed with a key string that is also found in the domains DNS records. For additional information on what domain keys are and how they are used in email communications you can visit DKIM.org.

Before You Begin

Before making any significant changes to your server configuration files you should always make sure you have a current back up that you can restore to in the event your changes cause unexpected problems. Before you begin the steps presented below be sure you have a backup of your server. We highly suggest that you read through the entire post and ensure you understand what you are doing before you proceed through these steps. If you do not understand the changes you are about to make and how they will affect your server, we suggest you speak to one of our engineers first.

Using DKIM to verify incoming messages

When utilizing Mac OS Server 5.X nothing needs to be done in order for you to utilize DKIM to verify incoming email everything is already configured for you. The directions provided here are provided to optimize the settings that are preconfigured to a more useful configuration.

By default, the configuration of SPAM Assassin that is preconfigured with Server 5.X is set to a very passive state allowing almost any email to arrive in your inbox. For most a passive filtering level is good as it allows individual users to define their own level of filtering using their individual email clients. Sadly in this day and age the amount of SPAM traffic can be cumbersome and the vast majority of legitimate does include DKIM signatures. To adjust these settings we are going to modify the primary local configuration settings for SPAM Assasin which can be located at /Library/Server/Mail/Config/spamassassin/local.cf

cp /Library/Server/Mail/Config/spamassassin/local.cf /Library/Server/Mail/Config/spamassassin/local.cf-bk
sudo pico /Library/Server/Mail/Config/spamassassin/local.cf

Add the following lines to your configuration file to tell spam assassin how to adjust spam scoring based on DKIM signatures. Please note you should adjust the below provided scores based on what is best for your environment. If you do not understand SPAM Assassin scoring, you should consider contacting CTCI for assistance.

score DKIM_SIGNED 0.100
score DKIM_VALID -0.150

Now that we adjusted the scoring, we want to adjust our email headers to actually display scores inside the headers of emails. We do this via the file: /Library/Server/Mail/Config/amavisd/amavisd.conf.

cp /Library/Server/Mail/Config/amavisd/amavisd.conf /Library/Server/Mail/Config/amavisd/amavisd.conf-bk
sudo pico /Library/Server/Mail/Config/amavisd/amavisd.conf

Once the file is open press ctrl-w on your keyboard to enter search mode and search for “sa_tag_level_deflt”, change the value to -999. BY default the value is set to 2, which means scores will only be displayed when the overall score is 2 or higher. This adjustment will cause the score to display regardless of the final value.

Once all your changes have been made you will need to restart the SPAM Assassin service known as “amavisd-new”, this is easily done by stopping and restarting the mail service with Server 5.X. Its worth noting that if you plan on also enabling DKIM signing you can do this once you have finished making all your adjustments.

sudo serveradmin stop mail
sudo serveradmin start mail

Using DKIM to sign outgoing messages

In order to sign outgoing emails with Domain Keys you must first create the domain keys for signing the messages. Be sure you replace yourdomainname.com with your actual domain name in the following commands.

sudo mkdir -p /var/db/dkim

sudo chown _amavisd /var/db/dkim

sudo -u _amavisd -H amavisd genrsa /var/db/dkim/yourdomainname.com.default.pem

sudo chown root:_amavisd /var/db/dkim/yourdomainname.com.default.pem

sudo chmod 640 /var/db/dkim/yourdomainname.com.default.pem

The above set of commands will create your private key for signing outgoing messages in the following file /var/db/dkim/yourdomainname.com.default.pem.

Now that we have a set of domain keys you we need to modify the configuration files for amavisd-new and postfix to actually use the keys.

cp /Library/Server/Mail/Config/amavisd/amavisd.conf /Library/Server/Mail/Config/amavisd/amavisd.conf-bk
sudo pico /Library/Server/Mail/Config/amavisd/amavisd.con

Press “ctrl-w” to enter search mode and search for “enable_dkim”. Ensure that the setting for dkim_verification and dkim_signing are both set to the number 1. On the line directly below $enable_dkim_signing = 1; add the following (remember to change the file name):

dkim_key('mydomain.tld', 'default', '/var/db/dkim/yourdomainname.com.default.pem');

@dkim_signature_options_bysender_maps = (
{ '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

Now that the system knows the keys to use for signing message we need to let the public know to expect to see the keys and also what the key they should see is.

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys 

You should see something similar to what is below, which is the entry you need to add to your DNS record. Note that the jumble of characters after p= is all going to be one single line in your DNS record.

; key#1, domain mydomain.tld, /var/db/dkim/circletechcollective.com.default.pem
default._domainkey.circletechcollective.com.    3600 TXT ( 
"v=DKIM1; p="
  "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQ6uSVVsQY1+ZVnXJRQK+ASC9R"
  "xT+zdLK/v8Ur+dOa9E+1WwlJyhtfyrITqX6EbYNbbOVcI2me3FyevPC9/PPNyTxx"
  "/wZqylkGtM2ZE1I9pbnvUTYsQn3tGPLV3AOSGsz9GkpL3xPFvuGsL8WrvgN+6V9D"
  "aEaTPYWjTBNFw2/6tQIDAQAB")

The exact method for adjusting your DNS records is going vary based on where you host your DNS records. It’s very important that you add the DNS record not only to your outside DNS provider but also to your internal DNS server on your own network. Including on the mail server itself. Propergation of DNS records do take some time, normally it will be less than 4 hours but could take up to 72 hours. Once you are sure your DNS has propergated you can issue the following command to test your keys.

sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf testkeys

If you did everything correctlty you should see something similar to the following:

TESTING#1 circletechcollective.com: default._domainkey.circletechcollective.com => pass

Now that we know the domain keys are working we now need to configure the server to sign messages that are originating from email clients, instead of just form the server itself. To do this we are going to need to edit a few files so before anything else lets ensure we have backups of those files.

cp /Library/Server/Mail/Config/postfix/master.cf /Library/Server/Mail/Config/postfix/master.cf-bk
cp /Library/Server/Mail/Config/postfix/main.cf /Library/Server/Mail/Config/postfix/main.cf-bk

Now on to editing, starting with the postfix main.cf file.

sudo pico cp /Library/Server/Mail/Config/postfix/main.cf

Once the file is open go to the very bottom of the file and add the follow:

smtpd_sender_restrictions = check_sender_access regexp:/Library/Server/Mail/Config/postfix/tag_for_signing permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access regexp:/Library/Server/Mail/Config/postfix/tag_for_scanning permit

Exit and save the main.cf file. Then create a new file called tag_for_signing and add the follow: “/^/ FILTER smtp-amavis:[127.0.0.1]:10026“:

sudo pico /Library/Server/Mail/Config/postfix/tag_for_signing

Exit and save the file. Then create a new file called tag_for_scanning and add the follow: “/^/ FILTER smtp-amavis:[127.0.0.1]:10024“:

sudo pico /Library/Server/Mail/Config/postfix/tag_for_scanning

Exit and save the file and now move on to editing the postfix master.cf file:

sudo pico /Library/Server/Mail/Config/postfix/master.cf

Scroll the to bottom of the file and add the following block:

127.0.0.1:10027 inet n  -       y       -       -       smtpd
   -o content_filter=
   -o smtpd_tls_security_level=none
   -o smtpd_delay_reject=no
   -o smtpd_client_restrictions=permit_mynetworks,reject
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=reject_unauth_pipelining
   -o smtpd_end_of_data_restrictions=
   -o smtpd_restriction_classes=
   -o mynetworks=127.0.0.0/8
   -o smtpd_error_sleep_time=0
   -o smtpd_soft_error_limit=1001
   -o smtpd_hard_error_limit=1000
   -o smtpd_client_connection_count_limit=0
   -o smtpd_client_connection_rate_limit=0
   -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
   -o local_header_rewrite_clients=
   -o smtpd_milters=
   -o local_recipient_maps=
   -o relay_recipient_maps=

Exit the file and save it. Now We are going to edit the AMAVISD config file.

sudo pico /Library/Server/Mail/Config/amavisd/amavisd.conf

Press “ctrl-w” and search for “$policy_bank{‘ORIGINATING’}“, at the bottom of the policy bank block add the following:

bypass_spam_checks_maps   => [1],

Exit and save the file. Then restart the mail services on the server.

sudo serveradmin stop mail
sudo serveradmin start mail

Trouble Shooting & Testing

Once all your configurations are done, you are going to want to test your DKIM keys to ensure they are working properly. The easiest way to do this is by sending an email to [email protected]. Form this email you will get a response back that should have content that looks similar to the following:

==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham

If the DKIM check says anything other than pass you have done something wrong. Its worth noting that you may see different results for the other tested items based on your configurations. If you are not seeing pass and ham on everything check for other posts in our knowledge base for directions on how to fix those issues as well.

Please be aware that if you update your OS or Server.app some of these settings could get changed by Apple. So following any update you will want to retest. If you previously passed, did an update and now fail. Go back and confirm all the changes you made are still present.

If it is failing the most common issues are the following:

• The DNS records for your server are not yet propagated.
• You typed something wrong
• You forgot to change one of the spots that say yourdomainname.com to your domain name.
• When you copied a line of code and pasted it a line break was inserted somewhere.
• Your file ownership or permissions could be incorrectly set.

If you are getting the message none when sending from outside of your own network but it functions when you are inside your own network the problem is you have a different set of rules defined for @mynetworks within the amavisd.conf which results in the originating policy block not being executed. Be aware making adjustments to these could result in any email sent through your server from within your own network being signed regardless of who the sender is.

If all else fails you can contact our sales department to have one our engineers configure your DKIM keys for you.

Write a Comment

Your email address will not be published. Required fields are marked *