Don't know what DKIM is? Check our tutorial here: What is a DKIM DNS record.
Don't know where the Amavisd config file is? Check this tutorial: Locations of configuration and log files of major components.
iRedMail configures Amavisd to sign outgoing emails for the first mail domain you added during iRedMail installation. If you add a new mail domain, you should update the Amavisd config file so that emails from it are DKIM-signed too.
Let's say the first mail domain added during iRedMail installation is mydomain.com, and the new mail domain is new_domain.com. Please follow the steps below to enable DKIM signing for outgoing emails of this domain.
If you already have a working DKIM key and a valid DKIM DNS record, it's OK to use this existing DKIM key to sign emails sent by other hosted mail domains. This way, you don't need to ask the customer who owns the new domain to add a DKIM DNS record.
Find the settings below in amavisd.conf (find its location on different Linux/BSD distributions):
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
Copy the dkim_key('mydomain.com........ line, changing it to the new hostname but keeping the same cert path. You should now have 2 lines starting with dkim_key, with different domains but the same file path.
Next, add one line in @dkim_signature_options_bysender_maps, after the "mydomain.com" line, like below:
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
"new_domain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
Run amavisd testkeys, and both domains should print with a pass.
If you or your customer prefer to use their own DKIM key, you can generate a new DKIM key and ask your customer to add a DKIM DNS record. Refer to our tutorial to add the DKIM DNS record.
Generate a new DKIM key (key length 1024) for the new domain, and set the correct file owner and permission. The command and the user/group depend on your Linux/BSD distribution:
command is amavisd, user/group is amavis:amavis.
command is amavisd-new, user/group is amavis:amavis.
command is amavisd, user/group is vscan:vscan.
command is amavisd, user/group is _vscan:_vscan.
amavisd-new genrsa /var/lib/dkim/new_domain.com.pem 1024
chown amavis:amavis /var/lib/dkim/new_domain.com.pem
chmod 0400 /var/lib/dkim/new_domain.com.pem
Note
amavisd
# amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/new_domain.com.pem
# amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/new_domain.com.pem 2048
Find the line below in amavisd.conf:
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
Add one line after the above line, like below:
dkim_key('new_domain.com', "dkim", "/var/lib/dkim/new_domain.com.pem");
Find the setting below in amavisd.conf:
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
Add one line after the "mydomain.com" line, like below:
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
"new_domain.com" => { d => "new_domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
Again, don't forget to add a DKIM DNS record for this new domain. The value of the DKIM record can be checked with the command below:
# amavisd-new showkeys
After adding the DKIM DNS record, please verify it with this command:
# amavisd-new testkeys
Note: DNS vendors usually cache DNS records for 2 hours, so if the above command shows "invalid" instead of "pass", you should try again later.
If you want to use one DKIM key for all mail domains, please follow the steps below:
Find the setting below (in amavisd.conf):
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
Find @dkim_signature_options_bysender_maps, and set it to:
@dkim_signature_options_bysender_maps = ({
    # catch-all (one dkim key for all domains)
    '.' => {d => 'mydomain.com',
            a => 'rsa-sha256',
            c => 'relaxed/simple',
            ttl => 30*24*3600 },
});
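The following is an added example, not part of iRedMail or Amavisd: a small Python check that reads the dkim_key() lines and the @dkim_signature_options_bysender_maps block, and reports for each sender entry which d= domain signs its mail and the DNS name where receivers look up the public key. It covers the shared-key, own-key and catch-all layouts above. The function name audit_dkim, the domain other.example and the sample config are constructed for illustration, and the selector is assumed to be the one on the dkim_key() line of the d= domain.

```python
import re

# Constructed sample: the shared-key setup from this page, plus one
# hypothetical domain (other.example) that has a map entry but no key.
SAMPLE_CONF = """
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
dkim_key('new_domain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
@dkim_signature_options_bysender_maps = ( {
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "new_domain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "other.example" => { d => "other.example", a => 'rsa-sha256', ttl => 10*24*3600 },
});
"""

Q = "['\"]([^'\"]+)['\"]"  # one single- or double-quoted Perl string
KEY_RE = re.compile(r"^\s*dkim_key\(\s*" + Q + r"\s*,\s*" + Q + r"\s*,\s*" + Q, re.M)
MAP_RE = re.compile(r"^\s*" + Q + r"\s*=>\s*\{[^}]*?\bd\s*=>\s*" + Q, re.M)
BLOCK_RE = re.compile(r"@dkim_signature_options_bysender_maps\s*=\s*\((.*?)\);", re.S)


def audit_dkim(conf_text):
    """Return one dict per sender entry in @dkim_signature_options_bysender_maps."""
    # Signing domain -> (selector, key file), taken from the dkim_key() lines.
    keys = {dom.lower(): (sel, path) for dom, sel, path in KEY_RE.findall(conf_text)}
    block = BLOCK_RE.search(conf_text)
    report = []
    for sender, d in MAP_RE.findall(block.group(1) if block else ""):
        sel, path = keys.get(d.lower(), (None, None))
        report.append({
            "sender": sender,            # '.' is the catch-all entry
            "d": d,                      # domain placed in the d= tag
            "key_file": path,
            # Receivers fetch the public key from <selector>._domainkey.<d>
            "dns_name": f"{sel}._domainkey.{d}" if sel else None,
            "shared": sender != "." and sender.lower() != d.lower(),
            "problem": None if sel else f"no dkim_key() line for d={d}",
        })
    return report


if __name__ == "__main__":
    for row in audit_dkim(SAMPLE_CONF):
        print(row)
```

For new_domain.com the reported DNS name is under mydomain.com, which is why the shared-key setup needs no DNS change from the owner of the new domain.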