[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

Dismas Axel (Thomas) dismasc at protonmail.com
Mon Apr 8 14:14:27 UTC 2019


Thanks for the suggestions so far, I have been trying it out without a success.

So, here is my situation:

I need to setup a Single DKIM Key for other company brands domains. Usually, I would do this normally in OPENDKIM SigningTable:

*@maincorp.com mail._domainkey.maincorp.com
*@brand1.com mail._domainkey.maincorp.com
*@brand2.com mail._domainkey.maincorp.com

But now they are replacing Spamassassin with RSPAMD (which is a positive thing), and I do not know how to set a single dkim key for all brand domain names to maincorp.com.

So, here is my current local.d/dkim_signing.conf:

    enabled = true;

    #If false, messages with empty envelope from are not signed

    allow_envfrom_empty = true;

    # If true, envelope/header domain mismatch is ignored

    allow_hdrfrom_mismatch = false;

    # If true, multiple from headers are allowed (but only first is used)

    allow_hdrfrom_multiple = false;

    # If true, username does not need to contain matching domain

    allow_username_mismatch = true;

    # If false, messages from authenticated users are not selected for signing

    auth_only = true;

    # Default path to key, can include '$domain' and '$selector' variables

    #path = "/etc/opendkim/userkeys/$domain/$selector.private";

    path = "/etc/opendkim/keys/mailcorp.com/mail.private";

    # Default selector to use

    #selector = "default";

    selector = "mail";

    # If false, messages from local networks are not selected for signing

    sign_local = true;

    # Map file of IP addresses/subnets to consider for signing

    # sign_networks = "/some/file"; # or url

    # Symbol to add when message is signed

    symbol = "DKIM_SIGNED";

    # Whether to fallback to global config

    try_fallback = false;

    selector_map = "/etc/rspamd/dkim_selectors.map";

    path_map = "/etc/rspamd/dkim_paths.map";

    # Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)

    use_domain = "header";

    # Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")

    use_domain_sign_networks = "header";

    # Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")

    use_domain_sign_local = "header";

    # Whether to normalise domains to eSLD

    use_esld = false;

    # Whether to get keys from Redis

    # Not using redis, keys coming from files in /etc/opendkim

    use_redis = false;

    # Hash for DKIM keys in Redis

    key_prefix = "DKIM_KEYS";

My /etc/rspamd/dkim_selectors.map:

maincorp.com mail
brand1.com mail
brand2.com mail

And my /etc/rspamd/dkim_paths.map:

maincorp.com /etc/opendkim/keys/mancorp.com/mail.private

brand1.com /etc/opendkim/keys/mancorp.com/mail.private

brand2.com /etc/opendkim/keys/mancorp.com/mail.private

Using the configuration above at local.d/dkim_signing.conf resulting as in the following results:

-  When an email is sent from @mailcorp.com, it has no problem and DKIM will be signed. Because at DNS mailcorp.com it has _domainkey.
-  But, when an email is sent from @brand1.com and @brand2.com DKIM will not be signed, unless I added CNAME record in brand1.com and brand2.com, which I did not want to from the first time because those domains are hosted in different countries with different timezones and I do not want to wait for them to wake up to update it.

Thank you very much for the help! Very much appreciated.
Thomas

Sent with [ProtonMail](https://protonmail.com) Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 8, 2019 8:49 PM, J. Fahrner via Users users at lists.rspamd.com wrote:

> Am 2019-04-08 15:37, schrieb Alex JOST:
>
>> You can specify default settings for 'selector' and 'path', which will
>> be used if a specific domain is not found in the map files and
>> 'try_fallback' is set to 'true'.
>
> I would not set try_fallback, because then you would sign even foreign
> domains (in forwarded mails). Why not simply symlink the key to all your
> domains?
> Jochen
> ---------------------------------------------------------------
>
> Users mailing list
> Users at lists.rspamd.com
> https://lists.rspamd.com/mailman/listinfo/users


More information about the Users mailing list