Mark23

Q: DKIM for OS X Server's mail server

I'm trying to enable DKIM for OS X Server (Mountain Lion) just as easily as it was to do so in Lion Server.

 

I did try, based upon the 10.7 manual - changing to the new location, but I'm stuck at running amavisd showkeys

 

It tells me:


Config file "/etc/amavisd.conf" does not exist, at /Applications/Server.app/Contents/ServerRoot/usr/bin/amavisd line 1992.

OS X Server, 8GB, 2,93 GHz Intel Core 2 Duo

Posted on Sep 28, 2012 8:22 AM


  • by Mark23,Helpful

    Mark23 Mark23 Sep 28, 2012 8:40 AM in response to Mark23
    Level 3 (975 points)

    Solved by copying the edited amavisd.conf to /etc/

    I will post the instructions on how to do it in OS X Server when I'm finished.

  • by Mark23,Solvedanswer

    Mark23 Mark23 Oct 1, 2012 3:06 PM in response to Mark23
    Level 3 (975 points)

    To activate DKIM, first create the DKIM key (on the server):

     

    sudo amavisd genrsa /etc/dkim_key

    sudo chmod 644 /Library/Server/Mail/Config/amavisd/dkim_key

     

    Copy your amavisd.conf file like so:

    sudo cp /Library/Server/Mail/Config/amavisd/amavisd.conf /etc/

     

     

    Then add something like the following to your /etc/amavisd.conf, while replacing example.com with your domain:

     

    dkim_key('example.com', 'mail', '/Library/Server/Mail/Config/amavisd/dkim_key');

    @dkim_signature_options_bysender_maps = ( { '.' => { a => 'rsa-sha256', ttl => 30*24*3600, c => 'relaxed/relaxed' } } );

     

     

    Change the following line from:

     

    $interface_policy{'10026'} = 'ORIGINATING';

     

    to this:

     

    $interface_policy{'10024'} = 'MYNETS';

     

     

     

    To show your DNS key, run:

     

    sudo amavisd showkeys

     

    and include the output in your public DNS as a TXT record. The final step is to reload amavisd. Do not use "amavisd reload". You only have to kill the master process and it will restart in 10 sec. To find out the process id use something like this:

     

    sudo ps aux | grep amavisd | grep master

     

    sudo kill "PID#"
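
Added example (not part of Mark23's post and not amavisd's own code): a Python sketch that flattens the multi-line record printed by `amavisd showkeys` into the single TXT value to publish and sanity-checks it before it goes into DNS. The zone-file layout of the sample and its key bytes are constructed assumptions, and `build_sample`, `parse_showkeys` and `check_dkim_value` are hypothetical names.

```python
import base64
import re

def build_sample():
    """Constructed stand-in for `amavisd showkeys` output (not a real key)."""
    fake_der = bytes([0x30, 0x81, 0x9F]) + bytes(range(159))
    b64 = base64.b64encode(fake_der).decode()
    chunks = [b64[i:i + 72] for i in range(0, len(b64), 72)]
    lines = ["; key#1, domain example.com, /Library/Server/Mail/Config/amavisd/dkim_key",
             "mail._domainkey.example.com.\t3600 TXT (",
             '  "v=DKIM1; p="']
    lines += ['  "%s"' % c for c in chunks]
    lines[-1] += ")"
    return "\n".join(lines) + "\n"

def parse_showkeys(text):
    """Return (owner_name, ttl, txt_value) for the first TXT record in text."""
    # Drop zone-file comment lines (they start with ';').
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(";"))
    m = re.search(r"^(\S+)\s+(\d+)\s+TXT\s+\((.*?)\)", body, re.S | re.M)
    if not m:
        raise ValueError("no parenthesised TXT record found")
    owner, ttl, inner = m.group(1), int(m.group(2)), m.group(3)
    # DNS concatenates the quoted strings with nothing between them.
    value = "".join(re.findall(r'"([^"]*)"', inner))
    return owner.rstrip("."), ttl, value

def check_dkim_value(value):
    """Validate the tag list; return the decoded public key bytes."""
    tags = dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())
    if tags.get("v") != "DKIM1":
        raise ValueError("v= tag must be DKIM1")
    key = base64.b64decode(tags.get("p", ""), validate=True)
    # A DER-encoded public key starts with a SEQUENCE tag (0x30).
    if not key or key[0] != 0x30:
        raise ValueError("p= is empty or not a DER SEQUENCE")
    return key

if __name__ == "__main__":
    owner, ttl, value = parse_showkeys(build_sample())
    print(owner, ttl, len(check_dkim_value(value)), "key bytes")
```
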

  • by OoO_Bailey_OoO,

    OoO_Bailey_OoO OoO_Bailey_OoO Nov 28, 2012 9:38 AM in response to Mark23
    Level 1 (0 points)

    Hi, that's great. Thank you very much for posting this!

     

    I happened to read this article today which made me go search how to add DKIM for a Mac server.

  • by pterobyte,

    pterobyte pterobyte Dec 4, 2012 10:02 AM in response to Mark23
    Level 6 (11,101 points)
    Servers Enterprise

    In addition to Mark's excellent write-up: One can avoid copying amavisd.conf to /etc by using the -c flag to point to the configuration file and ideally using the _amavisd system user:

     

     

    sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys
  • by bdemore,

    bdemore bdemore Dec 18, 2012 8:19 AM in response to Mark23
    Level 1 (0 points)

    Hello,

     

    To be clear, the command "sudo amavisd genrsa /etc/dkim_key" should actually be "sudo amavisd genrsa /Library/Server/Mail/Config/amavisd/dkim_key" correct? 

  • by pterobyte,

    pterobyte pterobyte Dec 18, 2012 9:10 AM in response to bdemore
    Level 6 (11,101 points)
    Servers Enterprise

    @bdemore: Correct. In reality it doesn't really matter which path you use as long as it is consistent, but given Mark23's example above it should be /Library/Server/Mail/Config/amavisd/dkim_key

  • by bdemore,

    bdemore bdemore Dec 18, 2012 9:25 AM in response to pterobyte
    Level 1 (0 points)

    pterobyte,

     

    Thank you very much. Would a cleaner method be to issue the following?:

     

    "sudo amavisd genrsa /Library/Server/Mail/Config/amavisd/dkim_key"

    "sudo chmod 644 /Library/Server/Mail/Config/amavisd/dkim_key"

     

    And then modify /Library/Server/Mail/Config/amavisd/amavisd.conf to reflect:

     

     

    dkim_key('example.com', 'mail', '/Library/Server/Mail/Config/amavisd/dkim_key');

    @dkim_signature_options_bysender_maps = ( { '.' => { a => 'rsa-sha256', ttl => 30*24*3600, c => 'relaxed/relaxed' } } );

     

    And

     

    $interface_policy{'10024'} = 'MYNETS';

     

    Finally issue command:

     

    sudo -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys

     

    Thanks for your help.  For some reason, when I followed Mark23's example my DKIM key is not being recognized.

  • by pterobyte,

    pterobyte pterobyte Dec 18, 2012 9:50 AM in response to bdemore
    Level 6 (11,101 points)
    Servers Enterprise

    You are welcome.

    Yes, that should work. I wouldn't call it cleaner though, just consistent. As long as the path you choose is accessible by amavisd, you can pick any directory.

     

    FYI: In Mountain Lion, Apple has started moving server related paths to /Library/Server/Mail/Config/ for configuration files and /Applications/Server.app/Contents/ServerRoot for binaries.

    This is a good thing as it puts everything in well defined locations. There are however some glitches with software that is available for Client and Server as well. Postfix is one example where things become inconsistent.

     

    So, it makes sense to have the keys in /Library/Server/Mail/Config, but you need to make sure you point all related commands and configuration settings to that path.

     

    HTH,

    Alex

  • by bdemore,

    bdemore bdemore Dec 18, 2012 9:55 AM in response to Mark23
    Level 1 (0 points)

    Thank you Alex!

  • by George Qualley,

    George Qualley George Qualley Feb 14, 2013 1:06 PM in response to Mark23
    Level 1 (25 points)

    First, thanks for the great instructions, however I do have to ask one thing...

     

    What's the rationale behind this:

     

    $interface_policy{'10026'} = 'ORIGINATING';

     

    to this:

     

    $interface_policy{'10024'} = 'MYNETS';


     

    In my particular configuration, no mail would send with this setting. Conversely, leaving the setting at its stock configuration allows me to send mail and it's signed by DKIM.

     

    Just wondering!

  • by Trismegister,

    Trismegister Trismegister Jul 5, 2013 4:48 AM in response to George Qualley
    Level 1 (22 points)
    Servers Enterprise

    @George Qualley Me too. With a more-or-less standard setup of Server 2.2.1 running on OS X 10.8.4 I think it would be wisest to leave as is:

    $interface_policy{'10026'} = 'ORIGINATING';

    Moreover, unless the dkim_key calls end up in /Library/Server/Mail/Config/amavisd/amavisd.conf they will have no effect. So, with Server 2.2.1 I would try the recipe above without first copying amavisd.conf to /etc. (But certainly making a local backup copy of it.)

    ORIGINATING messages include those submitted via sasl-authorized clients, not just mail originating from the MTA.