1

Topic: amavis DKIM 2 matches

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Deployed with iRedMail Easy or the downloadable installer? Download
- Linux/BSD distribution name and version: Debian 9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): Mariadb
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hello,

I am trying to find a problem with signing DKIM emails, and in the logs I found such a record:

amavis[1079]: (01079-01) lookup [dkim_signature_options_bysender], 2 matches for "pnowosielski@ekonferencja.pl", results: "ekonferencja.pl"=>{d=>"ekonferencja.pl",a=>"rsa-sha256",ttl=>"864000"}, "."=>{a=>"rsa-sha256",c=>"relaxed/simple",ttl=>"2592000"}

Is this the correct operation?
Each e-mail has two (2) rules assigned.
One for the right domain and the other (last) general.
I do not know if the latter overwrites the right one?

Best regards,
Pawel

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: amavis DKIM 2 matches

First one (ekonferencja.pl) is used. the last one "." is a catch-all, if no per-domain DKIM setting, catchall setting will be applied.

3

Re: amavis DKIM 2 matches

So if I have this configuration:

dkim_key("ekonferencja.pl", "dkim", "/var/lib/dkim/ekonferencja.pl.pem");
@dkim_signature_options_bysender_maps = ( {
    "ekonferencja.pl"  => { d => "ekonferencja.pl", a => 'rsa-sha256', ttl => 10*24*3600 },
    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },
} );

does it mean that the appropriate DKIM is assigned to the corresponding e-mail?

Thanks and regards,
Pawel

4

Re: amavis DKIM 2 matches

paweln wrote:

does it mean that the appropriate DKIM is assigned to the corresponding e-mail?

Yes, BUT:

paweln wrote:

    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },

You missed "d => '<some-domain>'" in catchall, if no particular dkim key found, no dkim key will be signed.

Note: iRedMail default configuration has "d => <first-mail-domain>".

5

Re: amavis DKIM 2 matches

Aaaaa ok. I will change it.

But that would mean that there is an error in the script installation / configuration, which creates the first domain.

'.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },

This record has not been changed by me, it is the default one.

regards,
Pawel

6

Re: amavis DKIM 2 matches

Probably a bug of old iRedMail release. Could you help test it:

- Comment all other domains in @dkim_signature_options_bysender_maps setting, and just keep the catch-all line ('.').
- Restart amavisd service.
- Send out a testing email with smtp authentication.
- On recipient side, check the mail header, does it contain DKIM header?