Apple Event: May 7th at 7 am PT
Is there anyway to implement DKIM in any simply fashion (without getting into code) in Mac OS X Lion Server?
I have continuing issues with Mail Authentication at gmail, AT&T and yahoo and it seems this is the best approach.
Thanks,
Bill
Hello,
I am wondering if Apple knows this Security functionnality.
I am searching the same things but I am saying that I will need to put my hands in the code ...
But, if you found any news on that, it will be fine for the community 🙂
Searfus wrote:
Is there anyway to implement DKIM in any simply fashion (without getting into code) in Mac OS X Lion Server?
I have continuing issues with Mail Authentication at gmail, AT&T and yahoo and it seems this is the best approach.
For everyone reading DKIM appears to be the same thing as DomainKeys since DKIM stands for DomainKeys Identified Mail, as such this document might beworth reading http://downloads.topicdesk.com/docs/Implementing_DomainKeys_on_OS_X_Server.pdf
It does appear to involve installing various perl modules and hence will need XCode to be installed. However at least it is a Mac oriented document. A brief skim of that document suggests it hooks in to spamassassin which is still part of the mail server setup on Lion Server so hopefully the general points of this document will still apply.
Thank you John,
But, in this document that I saw before posting here, we need to install/configure some additional packages.
Then, modify some configuration files of the Mail server.
I am not sure that the Apple Software Update will not break the modified configuration file to the default configuration file and spend a lot of time to rebuilt the entire configuration.
So, If you have another built-in (but hidden) solution, It will be very appreciated 🙂
Thank you again for your help.
Mirrdhyn wrote:
Thank you John,
But, in this document that I saw before posting here, we need to install/configure some additional packages.
Then, modify some configuration files of the Mail server.
I am not sure that the Apple Software Update will not break the modified configuration file to the default configuration file and spend a lot of time to rebuilt the entire configuration.
So, If you have another built-in (but hidden) solution, It will be very appreciated 🙂
Since Mac OS X does not have a built-in DKIM capability it is unfortunately the case that one has to install something extra to do it. I can certainly understand where your coming from though.
The method I pointed to could I believe be done by 'only' adding some extra components, and modifying some config files. It is possible this would not affect installing Apple updates. However the only other solution I can see which would definitely avoid a problem with Apple updates is to simply not use Apple's Mail Server at all.
I normally recommend Kerio Connect as an alternative to Apple's own Mail Server but Kerio do not support DKIM. You could try looking at Communigator their website is http://www.communigator.co.uk
Doing it the Lion way...
Actually there is a built in hidden solution if you use amavisd and you probably should. If you take a close look at the /etc/amavisd.conf you will see that not only there is a built in option, but it is actually almost activated(!!!):
$enable_dkim_verification = 1; # enable DKIM signatures verification
$enable_dkim_signing = 1; # load DKIM signing code, keys defined by dkim_key
There are a couple of more things to do though. First create the DKIM key:
amavisd genrsa /var/amavis/dkim_key
chmod 644 /var/amavis/dkim_key
Then add something like the following to your /etc/amavisd.conf:
dkim_key('example.com', 'mail', '/var/amavisd/dkim_key');
@dkim_signature_options_bysender_maps = ( { '.' => { a => 'rsa-sha256', ttl => 30*24*3600, c => 'relaxed/relaxed' } } );
If you google around you will find a lot more info if you want to customize your network(s) further more.
If your server is not behind a firewall and you do not use a private network then you need to add your client's IP to:
@mynetworks = qw( 127.0.0.0/8......192.168.0.0/16 YOURIP/NET );
Time to set your DNS key, run:
amavisd showkeys
and include the output to your forward zone(s). If everything is set correctly then run:
amavisd testkeys
and you should see a "pass" at the end of each domain key. Final step is to reload amavisd. Do not use "amavisd reload". You only have to kill the master process and it will restart in 10 sec. To find out the process id use something like this:
ps aux | grep amavisd | grep master
kill "PID#"
Of course, you should have root access to do all of the above.
Enjoy your DKIM signing Mac OS X mail server!
PS: Well done Apple for putting together the best unix tools around but please don't leave things almost done...
More...
There is another quick hack if your remote client(s) always authenticate to your mail server, some or all use dynamic IPs and don't exclusively use webmail, until Apple fixes this in a way that makes more sense. This probably was one of the reasons for Apple not fully implementing DKIM keys yet in the first place.
Instead of changing:
@mynetworks = qw( 127.0.0.0/8......192.168.0.0/16 YOURIP/NET);
leave as is and change instead the following line from:
$interface_policy{'10026'} = 'ORIGINATING';
to this:
$interface_policy{'10024'} = 'MYNETS';
Hi LefterisT,
Instead of "pass" at the end of my only domain key I see:
bash-3.2# amavisd testkeys
TESTING#1: mail._domainkey.myrealdomain.com => invalid (public key: not available)
By the way there seems to be a typo in your post:
dkim_key('example.com', 'mail', '/var/amavisd/dkim_key');
Shouldn't that be?:
dkim_key('example.com', 'mail', '/var/amavis/dkim_key');
I only replaced example.com with my own domain name, is that correct?
Regards,
Mark
I've Googled some more and dicided to drop DKIM alltogether, since SPF is more widely used and way easier than DKIM.
When I had Google Apps both DKIM and SPF were used, bit of an overkill?
I've contacted Apple through apple.com/feedback to have DKIM implemented out of the box:
Lion Server 10.7.3 (not selectable below) doesn't have out-of-the-box facilities to implement DKIM. Now, I would like to implement DKIM very much without having to alter an code. The purpose of DKIM is to fight SPAM and should be used analogous to the Sender Policy Framework and domain keys as Yahoo and Google Demonstrate. Maybe there are other mechanisms under development at Apple of which I do not know, but I would like to see them released in the 10.7.4 Server update, if not sooner.
Maybe Apple can release a document of how to make the DKIM component of 10.7 Server operational?
I don't want to drop it any longer as all mechanisms to fight SPAM contribute to that cause.
You should setup your DNS correctly => invalid (public key: not available)
No, there is no typo anywhere. This is the correct path for Lion. Not all Unixs have the same paths so be careful what you do, what you read and how to implement it.
You were right about my DNS, your response gave me the extra push I needed! Thank you very much 🙂
Everything now works, although the folder you refered to - dkim_key('/var/amavisd/'); - doesn't actually exists (only /var/amavis - withoud the d - does), at least not on my OS X 10.7.3 Lion Server...
Thanks to your instructions DKIM now works! 🙂
Together with SPF, I now have two anti-spam measures. I'll be looking in to Domainkeys (I know where DKIM stands for, but Yahoo lists it separately) tomorrow.
mta1411.mail.mud.yahoo.com from=mydomain.com; domainkeys=neutral (no sig); from=mydomain.com; dkim=pass (ok)
You are right about the typo. The correct path is without the "d"
dkim_key('example.com', 'mail', '/var/amavis/dkim_key');
Implementing DKIM on Lion Server
