[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains
Dismas Axel (Thomas)
dismasc at protonmail.com
Mon Apr 8 14:14:27 UTC 2019
Thanks for the suggestions so far. I have been trying them out without success.
So, here is my situation:
I need to set up a single DKIM key for the company's other brand domains. Usually, I would do this in the OpenDKIM SigningTable:
*@maincorp.com mail._domainkey.maincorp.com
*@brand1.com mail._domainkey.maincorp.com
*@brand2.com mail._domainkey.maincorp.com
But now they are replacing SpamAssassin with Rspamd (which is a positive thing), and I do not know how to set a single DKIM key for all brand domain names to maincorp.com.
So, here is my current local.d/dkim_signing.conf:
enabled = true;
# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;
# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;
# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;
# If true, username does not need to contain matching domain
allow_username_mismatch = true;
# If false, messages from authenticated users are not selected for signing
auth_only = true;
# Default path to key, can include '$domain' and '$selector' variables
#path = "/etc/opendkim/userkeys/$domain/$selector.private";
path = "/etc/opendkim/keys/mailcorp.com/mail.private";
# Default selector to use
#selector = "default";
selector = "mail";
# If false, messages from local networks are not selected for signing
sign_local = true;
# Map file of IP addresses/subnets to consider for signing
# sign_networks = "/some/file"; # or url
# Symbol to add when message is signed
symbol = "DKIM_SIGNED";
# Whether to fallback to global config
try_fallback = false;
selector_map = "/etc/rspamd/dkim_selectors.map";
path_map = "/etc/rspamd/dkim_paths.map";
# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
use_domain = "header";
# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
use_domain_sign_networks = "header";
# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
use_domain_sign_local = "header";
# Whether to normalise domains to eSLD
use_esld = false;
# Whether to get keys from Redis
# Not using redis, keys coming from files in /etc/opendkim
use_redis = false;
# Hash for DKIM keys in Redis
key_prefix = "DKIM_KEYS";
My /etc/rspamd/dkim_selectors.map:
maincorp.com mail
brand1.com mail
brand2.com mail
And my /etc/rspamd/dkim_paths.map:
maincorp.com /etc/opendkim/keys/mancorp.com/mail.private
brand1.com /etc/opendkim/keys/mancorp.com/mail.private
brand2.com /etc/opendkim/keys/mancorp.com/mail.private
Using the configuration above in local.d/dkim_signing.conf gives the following results:
- When an email is sent from @mailcorp.com, there is no problem and DKIM will be signed, because the mailcorp.com DNS has _domainkey.
- But when an email is sent from @brand1.com or @brand2.com, DKIM will not be signed unless I add a CNAME record in brand1.com and brand2.com, which I did not want to do in the first place because those domains are hosted in different countries with different timezones and I do not want to wait for them to wake up to update it.
Thank you very much for the help! Very much appreciated.
Thomas
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 8, 2019 8:49 PM, J. Fahrner via Users users at lists.rspamd.com wrote:
> On 2019-04-08 15:37, Alex JOST wrote:
>
>> You can specify default settings for 'selector' and 'path', which will
>> be used if a specific domain is not found in the map files and
>> 'try_fallback' is set to 'true'.
>
> I would not set try_fallback, because then you would sign even foreign
> domains (in forwarded mails). Why not simply symlink the key to all your
> domains?
> Jochen
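An added example, not part of the original thread and not Rspamd's own code: a consistency check over the two map files posted above. It joins selector_map and path_map per domain, reports domains missing from either map or pointing at a key file that does not exist, and derives the `<selector>._domainkey.<domain>` name where a verifier looks up the public key when the signature's d= is that domain (as with `use_domain = "header"`). The map contents are copied from the post; the function names and the `#` comment handling are assumptions of this sketch.

```python
import os

# Map contents copied verbatim from the post: domain, whitespace, value.
SELECTOR_MAP = """\
maincorp.com mail
brand1.com mail
brand2.com mail
"""
PATH_MAP = """\
maincorp.com /etc/opendkim/keys/mancorp.com/mail.private
brand1.com /etc/opendkim/keys/mancorp.com/mail.private
brand2.com /etc/opendkim/keys/mancorp.com/mail.private
"""

def parse_map(text):
    """Parse 'domain value' lines; skip blanks and # comments; lower-case the domain."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"malformed map line: {line!r}")
        entries[parts[0].lower()] = parts[1].strip()
    return entries

def audit(selector_text, path_text, exists=os.path.exists):
    """Join both maps per domain and report what each signing domain needs."""
    selectors, paths = parse_map(selector_text), parse_map(path_text)
    report = {}
    for domain in sorted(set(selectors) | set(paths)):
        problems = []
        selector, key = selectors.get(domain), paths.get(domain)
        if selector is None:
            problems.append("no selector_map entry")
        if key is None:
            problems.append("no path_map entry")
        elif not exists(key):  # checked on the host that runs the signer
            problems.append(f"key file not found: {key}")
        # RFC 6376: verifiers fetch the public key from <s>._domainkey.<d>.
        dns = f"{selector}._domainkey.{domain}" if selector else None
        report[domain] = {"dns_txt": dns, "key": key, "problems": problems}
    return report

if __name__ == "__main__":
    for domain, info in audit(SELECTOR_MAP, PATH_MAP).items():
        print(domain, info["dns_txt"], info["problems"] or "ok")
```

Run it on the signing host so the key-file check sees the real filesystem; the DNS names it prints are the records each domain's zone has to publish for signatures made under that domain to verify.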