Q: DKIM sig missing from iOS using Server 5 originated messages only
Hi,
I have been testing out my new DKIM setup (many thanks to the kind folks at topic desk for the Implementing DomainKeys/DKIM on OS X 10.8.x Mountain Lion server.....) and I see the DKIM signature on some messages and not on others when I receive my server's emails on gmail. I have narrowed it down to iOS originated messages, but only those from my own OS X Server 5 accounts.
Signed Examples: (as seen on a gmail account (gmailacc1) using OS X mail show headers)
gmailacc2 to gmailacc1 from MACBOOK
gmailacc2 to gmailacc1 from iPhone
UNSIGNED example: (as seen on gmail account (gmailacc1) using OS X mail show headers)
serveracc1 to gmailacc1 from iPhone1
serveracc2 to gmailacc1 from iPhone1
In short it only has the DKIM signature missing from iOS devices but only when originating from accounts that my server hosts.
Setups:
iPhone1 on 9.2
macbook is on OS X El Capitan 10.11.2
server is version 5.0.15
server OS is OS X El Capitan 10.11.2
Header differences: (I do see that DKIM is still not working quite right but that should not be causing this discrepancy; please advise if you disagree)
Following two lines are only in the macbook originated header:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; h=
x-mailer:mime-version:date:date:message-id:subject:subject
:content-transfer-encoding:content-type:content-type:from:from
:received:received; s=default; t=1451843424; x=1453657825; bh=vN
aAS12lrLmuVbNt9e3bDfxq/890NGY77wOelrIV0cI=; b=LSGPeIY+vQvOHpOJk3
ZwP8L5NkTgKtWKWrdRK8bBrcx90QV5+MkghM59IfHH5tD0M7OQ5Q9npCDj+rp7R7
ZKEdLGm99Zy1Yj9c6swliTZ7MRyq4lZDUaxboZKoTvs9LCg63BsMQejgrQihsmS3
W00In+uQUEGyflFMmqRNYI/xo=
dkim=fail header.i=@example.com;
Besides timestamp, sequence/CR,CR/LF and message related differences there are a few modified lines: (seem insignificant to me)
iPhone:
Received: from [192.168.1.2] (server.example.com [123.456.789.123])
by server.example.com (Postfix) with ESMTPSA id C5D641D5A69C
for <gmailacc1@gmail.com>; Sun, 3 Jan 2016 10:50:24 -0700 (MST)
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (13C75)
Macbook:
Received: from [192.168.1.12] (unknown [192.168.1.12])
by server.example.com (Postfix) with ESMTPSA id E20431D5A6A6
for <gmailacc1@gmail.com>; Sun, 3 Jan 2016 10:50:24 -0700 (MST)
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Mailer: Apple Mail (2.3112)
Any help would be greatly appreciated, thanks.
Mac mini (Late 2012), OS X Server, Latest rev of all SW/HW/Timecapsule
Posted on Jan 3, 2016 11:18 AM
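One way to read a signature header like the one quoted in the question, as an added example that is not part of the original post: it unfolds the field, splits it into tags, and reports the DNS key record a verifier will look up plus the signature lifetime. The header below is constructed in the same layout with placeholder `bh=`/`b=` values, and the function names are hypothetical.

```python
import re

# Constructed header in the folded layout the post shows; bh= and b= are placeholders.
SAMPLE_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; h=\r\n"
    "\tx-mailer:mime-version:date:date:message-id:subject:subject\r\n"
    "\t:from:from; s=default; t=1451843424; x=1453657825; bh=PLACE\r\n"
    "\tHOLDER=; b=PLACE\r\n"
    "\tHOLDER=\r\n"
)

def parse_dkim_signature(raw):
    """Unfold one DKIM-Signature header field and return its tag=value pairs."""
    name, _, body = raw.partition(':')
    if name.strip().lower() != 'dkim-signature':
        raise ValueError('not a DKIM-Signature field')
    # Header unfolding: drop each line break that is followed by a space or tab.
    body = re.sub(r'\r?\n(?=[ \t])', '', body)
    tags = {}
    for item in body.split(';'):
        if not item.strip():
            continue
        key, sep, value = item.partition('=')   # first '=' only: base64 may end in '='
        key = key.strip()
        if not sep or key in tags:
            raise ValueError('malformed or duplicate tag: %r' % item)
        value = value.strip()
        if key in ('b', 'bh', 'h'):
            # Folding whitespace inside these values carries no meaning.
            value = re.sub(r'\s+', '', value)
        tags[key] = value
    return tags

def summarize(tags):
    """Pull out the values worth checking when a signature is reported as failing."""
    signed = tags['h'].lower().split(':')
    has_times = 'x' in tags and 't' in tags
    return {
        # The public key is fetched from <selector>._domainkey.<domain>.
        'key_record': '%s._domainkey.%s' % (tags['s'], tags['d']),
        # When c= is absent, both header and body default to "simple".
        'canonicalization': tags.get('c', 'simple/simple'),
        'signs_from': 'from' in signed,
        'lifetime_seconds': int(tags['x']) - int(tags['t']) if has_times else None,
    }

if __name__ == '__main__':
    print(summarize(parse_dkim_signature(SAMPLE_HEADER)))
```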
Setting up DKIM on OS X 10.11.2 and OS X Server 5.0.15
This is based on the information at https://classicyuppie.com/protecting-your-domain-with-spf-and-dkim/; I have expanded and clarified various points.
Working Folder
The standard folder location for mail in Server.app 5.x is:
/Library/Server/Mail
We will be making changes to Amavis in the following folder:
/Library/Server/Mail/Config/amavisd
Even though the commands use the full path to files you may find it helpful to change to that folder.
Create the DKIM private key
Notes:
- This creates a 1024 bit RSA private key; a 2048 length key can be made by appending a space then 2048 at the end of the command. I don't believe a 2048 bit key is strictly necessary.
- The permissions are set to world readable. I don't believe that is desirable; you could try 640 and see how it works.
sudo amavisd genrsa /Library/Server/Mail/Config/amavisd/dkim_key
sudo chmod 644 /Library/Server/Mail/Config/amavisd/dkim_key
Edit the amavisd.conf file
Notes:
- On the website this is shown as one line; I enter it as two for readability, as they are actually two commands
- This assumes the key file has the name and location as created in the previous commands
- Enter the lines, replacing 'example.com' with your Internet legal domain name.
dkim_key('example.com', 'mail', '/Library/Server/Mail/Config/amavisd/dkim_key');
@dkim_signature_options_bysender_maps = ( { '.' => { a => 'rsa-sha256', ttl => 30*24*3600, c => 'relaxed/relaxed' } } );
Change the following line:
$interface_policy{'10026'} = 'ORIGINATING';
to:
$interface_policy{'10024'} = 'MYNETS';
I am not 100% sure of the purpose of this change; I believe it is to change the scope the DKIM function will apply to.
Save the amavisd.conf file and exit your editor.
Generate the Public Key
Run the following command
sudo -u _amavisd -H amavisd -c /Library/Server/Mail/Config/amavisd/amavisd.conf showkeys
which will output the public key for the dkim_key private key you generated earlier. It will look something like this:
; key#1 1024 bits, i=mail, d=example.com, /Library/Server/Mail/Config/amavisd/dkim_key
mail._domainkey.example.com. 3600 TXT (
"v=DKIM1; p="
"MIGfMA0GCSqGSIb3BQEBAQUA12345678iQKBgQDczdNsPrmwkI0spKJDEzhWuaEh"
"MFwB4kIunu0E+yrAbcDeFgHiJkLmNoPQXPdpi0fWyONV0qQuzA3HGMfnsEo5OIO9"
"vpV69I333333333333444444RtIarnpYlaB2a+5wRGfHlj61YhWdIjGrsh4IUztq"
"edr3456789BBDDIDAQAB")
Enter the DKIM DNS record
The first line describes the public key — the key length, the domain it is for etc. The second line is a DNS record format line if you were going to import it into BIND, in our case we will (most likely) be entering it into the management screen of our external DNS provider. Each provider will have a different format screen but the values you will enter are assuming the provider auto fills in the domain portion of the DNS record i.e. example.com. The lines of the TXT text value are joined together into one line enclosed in double quotes.
DNS Record Type: TXT
TTL: 3600
Key: mail._domainkey
Text: "v=DKIM1; p=MIGfMA0GCSqGSIb3BQEBAQUA12345678i [....] edr3456789BBDDIDAQAB"
Restart the Amavis daemon
You can either just restart the amavis daemon or restart the whole mail server.
sudo ps aux | grep amavisd | grep master
sudo kill <PID#>
Test the installation
Send an email to — check-auth@verifier.port25.com — from different clients, Macs & iOS devices, and from your LAN and the Internet. It will send you back a detailed email but what you are looking for is the DKIM check = pass in the summary at the top.
==========================================================
Summary of Results
==========================================================
SPF check: pass
DomainKeys check: neutral
DKIM check: pass
Sender-ID check: pass
SpamAssassin check: ham
I also have SPF set up on my domain so it shows a pass on SPF check.
Posted on Jan 4, 2016 1:12 PM
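The join step described under "Enter the DKIM DNS record", as an added example that is not part of the original post: it parses `showkeys`-style output into the fields a DNS provider form asks for. The sample text is constructed with placeholder key material and the function names are hypothetical; the code also splits the value into strings of at most 255 bytes, the limit for a single string in a TXT record, which a longer key would exceed.

```python
import re

# Constructed sample in the layout the post shows; the key text is a placeholder.
SAMPLE = """\
; key#1 1024 bits, i=mail, d=example.com, /Library/Server/Mail/Config/amavisd/dkim_key
mail._domainkey.example.com.   3600 TXT (
  "v=DKIM1; p="
  "PLACEHOLDERbase64chunk1"
  "PLACEHOLDERbase64chunk2")
"""

COMMENT = re.compile(r'^;\s*key#\d+\s+(?P<bits>\d+) bits, i=(?P<sel>[^,]+), d=(?P<dom>[^,]+),')
HEADER = re.compile(r'^(?P<fqdn>\S+)\s+(?P<ttl>\d+)\s+TXT\s*\(')

def parse_showkeys(text):
    """Parse showkeys-style text into one dict per key."""
    records, info = [], {}
    for line in text.splitlines():
        c = COMMENT.match(line)
        if c:
            info = {'bits': int(c['bits']), 'selector': c['sel'], 'domain': c['dom']}
            continue
        if line.lstrip().startswith(';'):
            continue  # any other comment line
        h = HEADER.match(line)
        if h:
            records.append(dict(info, fqdn=h['fqdn'], ttl=int(h['ttl']), value=''))
        if records:
            # Quoted fragments are concatenated with nothing between them.
            records[-1]['value'] += ''.join(re.findall(r'"([^"]*)"', line))
    return records

def provider_fields(rec):
    """Fields for a DNS provider form that appends the domain itself."""
    suffix = '.%s.' % rec.get('domain', '')
    fqdn = rec['fqdn']
    host = fqdn[:-len(suffix)] if 'domain' in rec and fqdn.endswith(suffix) else fqdn
    value = rec['value']
    # One TXT string holds at most 255 bytes; a longer value becomes several strings.
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return {'type': 'TXT', 'ttl': rec['ttl'], 'host': host,
            'text': ' '.join('"%s"' % chunk for chunk in chunks)}

if __name__ == '__main__':
    for rec in parse_showkeys(SAMPLE):
        print(provider_fields(rec))
```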