Struggling with DKIM signing
Nick Howitt
nick at howitts.co.uk
Tue Nov 5 14:24:37 CET 2024
Hi,
I've recently set up Postfix/Amavis/ClamAV/Dovecot/Spamassassin on a new
Debian 12 server and I cannot for the life of me get amavis to sign
emails. I have used a combination of a number of references on the
internet to set up amavis with razor and pyzor such as
https://blog.cyberfront.org/index.php/2021/10/28/debian-postfix-amavis-spamass-clamav/,
so I don't have exactly one set up.
I am coming from ClearOS where this DKIM howto worked on ClearOS -
https://web.archive.org/web/20220417120215/https://documentation.clearos.com/content:en_us:kb_howtos_using_dkim_to_sign_and_validate_mail,
but it is very similar to
https://blog.jeanbruenn.info/2021/08/07/amavisd-new-and-dkim/.
In /etc/amavis/conf.d/50-user, I have, among other things, a section:

# For DKIM signing
$enable_dkim_verification = 1;
$enable_dkim_signing = 1;
dkim_key('howitts.co.uk', '202410', '/etc/amavis/dkim/202410.howitts.co.uk.pem');
@dkim_signature_options_bysender_maps = (
  { '.' => { ttl => 21*24*3600, c => 'relaxed/simple' } } );

"amavis testkeys" gives "TESTING#1 howitts.co.uk: 202410._domainkey.howitts.co.uk => pass"
But outgoing mails aren't signed. I can see amavis processing outbound
emails in the mail log:

2024-11-05T12:47:53.622762+00:00 mail-www postfix/qmgr[3637186]: 9645070E3E9: from=<nick at howitts.co.uk>, size=1632, nrcpt=1 (queue active)
2024-11-05T12:47:53.631291+00:00 mail-www amavis[3635755]: (3635755-03) Passed CLEAN {RelayedOpenRelay}, [172.17.2.116]:52514 <nick at howitts.co.uk> -> <check-auth at verifier.port25.com>, Queue-ID: A016F70E38B, Message-ID: <1e1f6efd-f32f-4739-88ac-06d4684a56e4 at howitts.co.uk>, mail_id: CRoK8AaP7ooP, Hits: -0.199, size: 1161, queued_as: 9645070E3E9, 938 ms
2024-11-05T12:47:53.633606+00:00 mail-www postfix/amavis/smtp[3637243]: A016F70E38B: to=<check-auth at verifier.port25.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.99, delays=0.03/0.02/0/0.94, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9645070E3E9)
2024-11-05T12:47:53.633832+00:00 mail-www postfix/qmgr[3637186]: A016F70E38B: removed

But signing isn't happening.
From the earlier link I tried adding:

$policy_bank{'ORIGINATING'} = {
  originating => 1,
  forward_method => 'smtp:[127.0.0.1]:10025',
  notify_method => 'smtp:[127.0.0.1]:10025',
  terminate_dsn_on_notify_success => 0,
  # see: https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
  # force MTA to convert mail to 7-bit before DKIM signing
  # to avoid later conversions which could destroy signature:
  smtpd_discard_ehlo_keywords => ['8BITMIME'],
};

but it didn't help.
If it helps in the diagnosis, I am sending emails using
submission/STARTTLS with the following in postfix's master.cf:

submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

and I wonder if something is missing from there, but I can see the
message going through amavis in the logs.
Can anyone point me in the right direction here? Could there be a
mistake in the config causing the 50-user not to be read? I cannot
see anything in the logs.
TIA,
Nick
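
Added example, not part of the original post: a Python check for the symptom visible in the amavis log entry above, where the action tag reads {RelayedOpenRelay} and no policy bank name is logged before the client address. It assumes amavisd's usual direction suffixes (Outbound/Internal for mail it treated as originating, Inbound/OpenRelay otherwise) and that only originating mail is DKIM-signed; the function names, sample log lines and example.org addresses are constructed for illustration.

```python
import re

# One amavisd summary line, unwrapped: verdict, {actions}, policy banks, client, sender, rcpt.
LINE_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) (?:Passed|Blocked) [^{]+? \{(?P<actions>[^}]*)\},"
    r"(?P<banks>[^\[]*)\[(?P<client>[^\]]+)\]"
    r".*?<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>"
)
DIRECTION_RE = re.compile(r"Inbound|Outbound|Internal|OpenRelay")
# Assumption: these two suffixes are logged only for mail treated as originating.
ORIGINATING = {"Outbound", "Internal"}


def classify(line):
    """Return the routing facts amavisd logged for one message, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = DIRECTION_RE.search(m["actions"])
    direction = d.group(0) if d else None
    return {
        "client": m["client"],
        "sender": m["sender"],
        "rcpt": m["rcpt"],
        "banks": m["banks"].strip(),  # empty: no policy bank was loaded
        "direction": direction,
        "originating": direction in ORIGINATING,
    }


def unsigned_candidates(lines, signing_domains):
    """Mail from a domain we hold a DKIM key for that was not treated as originating."""
    hits = []
    for rec in filter(None, map(classify, lines)):
        domain = rec["sender"].rpartition("@")[2].lower()
        if domain in signing_domains and not rec["originating"]:
            hits.append(rec)
    return hits


# Constructed sample lines in the shape of the amavis entry quoted in the post.
SAMPLE_LOG = [
    "2024-01-01T10:00:01+00:00 mx amavis[1001]: (1001-01) Passed CLEAN {RelayedOpenRelay}, [192.0.2.116]:52514 <alice@example.org> -> <check@example.net>, Queue-ID: AAAA1, 938 ms",
    "2024-01-01T10:00:02+00:00 mx amavis[1001]: (1001-02) Passed CLEAN {RelayedOutbound}, ORIGINATING [192.0.2.116]:52520 <alice@example.org> -> <bob@example.net>, Queue-ID: AAAA2, 801 ms",
    "2024-01-01T10:00:03+00:00 mx amavis[1001]: (1001-03) Passed CLEAN {RelayedInbound}, [198.51.100.7]:40112 <carol@example.net> -> <alice@example.org>, Queue-ID: AAAA3, 640 ms",
    "2024-01-01T10:00:04+00:00 mx postfix/qmgr[900]: AAAA3: removed",
]

if __name__ == "__main__":
    for rec in unsigned_candidates(SAMPLE_LOG, {"example.org"}):
        print(f"not originating: {rec['sender']} from [{rec['client']}] "
              f"direction={rec['direction']} banks={rec['banks'] or '(none)'}")
```

Feed it unwrapped log lines, one entry per line, with real @ signs rather than the archive's " at " obfuscation. An empty policy bank field next to OpenRelay means no policy bank was loaded for that connection.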