[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

Dismas Axel (Thomas) dismasc at protonmail.com
Mon Apr 8 16:18:40 UTC 2019


This is not resolved yet. I need to be able to send using an @brand1.com email and get it signed by the @maincorp.com domain DKIM key.

I was able to set this up with OpenDKIM but not with the rspamd dkim_signing module...

So is it really possible to use a single DKIM key to sign multiple domains?

Pls help... Thank you!




Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, April 8, 2019 9:14 PM, Dismas Axel (Thomas) via Users <users at lists.rspamd.com> wrote:

> Thanks for the suggestions so far; I have been trying them out without success.
>
> So, here is my situation:
>
> I need to set up a single DKIM key for the other company brands' domains. Usually I would do this in the OpenDKIM SigningTable:
>
> *@maincorp.com mail._domainkey.maincorp.com
> *@brand1.com mail._domainkey.maincorp.com
> *@brand2.com mail._domainkey.maincorp.com
>
> But now they are replacing Spamassassin with RSPAMD (which is a positive thing), and I do not know how to set a single dkim key for all brand domain names to maincorp.com.
>
> So, here is my current local.d/dkim_signing.conf:
>
> enabled = true;
> # If false, messages with empty envelope from are not signed
> allow_envfrom_empty = true;
> # If true, envelope/header domain mismatch is ignored
> allow_hdrfrom_mismatch = false;
> # If true, multiple from headers are allowed (but only first is used)
> allow_hdrfrom_multiple = false;
> # If true, username does not need to contain matching domain
> allow_username_mismatch = true;
> # If false, messages from authenticated users are not selected for signing
> auth_only = true;
> # Default path to key, can include '$domain' and '$selector' variables
> #path = "/etc/opendkim/userkeys/$domain/$selector.private";
> path = "/etc/opendkim/keys/mailcorp.com/mail.private";
> # Default selector to use
> #selector = "default";
> selector = "mail";
> # If false, messages from local networks are not selected for signing
> sign_local = true;
> # Map file of IP addresses/subnets to consider for signing
> # sign_networks = "/some/file"; # or url
> # Symbol to add when message is signed
> symbol = "DKIM_SIGNED";
> # Whether to fallback to global config
> try_fallback = false;
> selector_map = "/etc/rspamd/dkim_selectors.map";
> path_map = "/etc/rspamd/dkim_paths.map";
> # Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
> use_domain = "header";
> # Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
> use_domain_sign_networks = "header";
> # Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
> use_domain_sign_local = "header";
> # Whether to normalise domains to eSLD
> use_esld = false;
> # Whether to get keys from Redis
> # Not using redis, keys coming from files in /etc/opendkim
> use_redis = false;
> # Hash for DKIM keys in Redis
> key_prefix = "DKIM_KEYS";
>
> My /etc/rspamd/dkim_selectors.map:
>
> maincorp.com mail
> brand1.com mail
> brand2.com mail
>
> And my /etc/rspamd/dkim_paths.map:
>
> maincorp.com /etc/opendkim/keys/mancorp.com/mail.private
> brand1.com /etc/opendkim/keys/mancorp.com/mail.private
> brand2.com /etc/opendkim/keys/mancorp.com/mail.private
>
> Using the configuration above in local.d/dkim_signing.conf gives the following results:
>
> - When an email is sent from @mailcorp.com there is no problem and it gets DKIM-signed, because the DNS for mailcorp.com has the _domainkey record.
> - But when an email is sent from @brand1.com or @brand2.com it does not get DKIM-signed, unless I add a CNAME record in brand1.com and brand2.com, which I did not want to do from the start because those domains are hosted in different countries with different time zones and I do not want to wait for them to wake up to update it.
>
> Thank you very much for the help! Very much appreciated.
> Thomas
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, April 8, 2019 8:49 PM, J. Fahrner via Users <users at lists.rspamd.com> wrote:
>
>
> > On 2019-04-08 15:37, Alex JOST wrote:
> >
> > > You can specify default settings for 'selector' and 'path', which will
> > > be used if a specific domain is not found in the map files and
> > > 'try_fallback' is set to 'true'.
> >
> > I would not set try_fallback, because then you would sign even foreign
> > domains (in forwarded mails). Why not simply symlink the key to all your
> > domains?
> > Jochen
> >
> > Users mailing list
> > Users at lists.rspamd.com
> > https://lists.rspamd.com/mailman/listinfo/users
>
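The mechanics behind the thread, as an added example that is not rspamd's code and not anything the list participants posted: with use_domain = "header" the d= tag of the signature is always the From: domain, and selector_map/path_map only choose the s= tag and the private key file. One key file can therefore sign mail for several d= values, but a verifier looks the public key up under <s>._domainkey.<d>, so each brand domain must publish (or CNAME) the record, which is why the CNAME mentioned above is what makes the brand signatures verifiable. The second pass with try_fallback on shows Jochen's point: an unmapped (forwarded) domain gets a signature too, carrying a d= nobody can verify. The map contents, the zone data and the fallback behaviour are constructed here to follow the thread's description (maincorp.com spelled consistently); the model does not claim to reproduce every rspamd check.

```python
"""Model of the rspamd dkim_signing choices discussed in this thread.

Added example (not rspamd's code): it mimics only the behaviour the thread
describes - use_domain = "header", selector_map/path_map lookups and
try_fallback - and shows, per sender domain, which d=/s= the signature would
carry, which key file signs it, and where a verifier would look for the
public key. Map contents and DNS records below are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the thread's two map files (rspamd "key value" maps),
# with the key owner spelled consistently as maincorp.com.
SELECTOR_MAP = """\
# domain   selector
maincorp.com mail
brand1.com mail
brand2.com mail
"""
PATH_MAP = """\
maincorp.com /etc/opendkim/keys/maincorp.com/mail.private
brand1.com /etc/opendkim/keys/maincorp.com/mail.private
brand2.com /etc/opendkim/keys/maincorp.com/mail.private
"""
DEFAULT_SELECTOR = "mail"  # the global 'selector' setting from the thread's config
DEFAULT_PATH = "/etc/opendkim/keys/maincorp.com/mail.private"  # the global 'path'

# Constructed zone data: maincorp.com publishes the key, brand2.com points a
# CNAME at it (the DNS-side equivalent of "symlink the key"), brand1.com has nothing.
DNS = {
    "mail._domainkey.maincorp.com": ("TXT", "v=DKIM1; k=rsa; p=PUBLIC_KEY_PLACEHOLDER"),
    "mail._domainkey.brand2.com": ("CNAME", "mail._domainkey.maincorp.com"),
}


def parse_map(text: str) -> dict:
    """Parse an rspamd 'key value' map: one pair per line, '#' comments, blanks skipped."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        pairs[key.lower()] = value.strip()
    return pairs


@dataclass
class Decision:
    signed: bool
    domain: Optional[str] = None    # value of the d= tag
    selector: Optional[str] = None  # value of the s= tag
    key_path: Optional[str] = None  # private key used to sign
    reason: str = ""

    @property
    def dns_name(self) -> Optional[str]:
        """Name a verifier queries for the public key: <s>._domainkey.<d>."""
        return f"{self.selector}._domainkey.{self.domain}" if self.signed else None


def decide(header_from: str, selectors: dict, paths: dict, try_fallback: bool) -> Decision:
    """With use_domain = "header", d= is always the From: domain; the maps only
    pick the selector and key file, which is how one key can sign many d= values."""
    domain = header_from.rsplit("@", 1)[-1].lower()
    if domain in selectors and domain in paths:
        return Decision(True, domain, selectors[domain], paths[domain], "mapped")
    if not try_fallback:
        return Decision(False, reason=f"{domain} not in maps; try_fallback is off")
    # Fallback: the global selector/path get applied to a domain nobody configured.
    return Decision(True, domain, DEFAULT_SELECTOR, DEFAULT_PATH, "fallback")


def resolve_txt(name: str, zone: dict, hops: int = 0) -> Optional[str]:
    """Follow CNAMEs the way a verifier's resolver would and return the TXT data."""
    rec = zone.get(name)
    if rec is None or hops > 8:
        return None
    rtype, data = rec
    return resolve_txt(data, zone, hops + 1) if rtype == "CNAME" else data


def verifier_outcome(d: Decision, zone: dict) -> str:
    """What a receiving MTA sees: no signature, a verifiable one, or one it cannot check."""
    if not d.signed:
        return "unsigned"
    return "pass" if resolve_txt(d.dns_name, zone) else "fail: no key at " + d.dns_name


def run_scenarios(try_fallback: bool = False) -> dict:
    """Evaluate the thread's senders plus a forwarded message from an unrelated domain."""
    selectors, paths = parse_map(SELECTOR_MAP), parse_map(PATH_MAP)
    results = {}
    for sender in ("ceo@maincorp.com", "sales@brand1.com", "info@brand2.com",
                   "someone@foreign.example"):  # last one: forwarded mail, not ours
        d = decide(sender, selectors, paths, try_fallback)
        results[sender] = (d, verifier_outcome(d, DNS))
    return results


if __name__ == "__main__":
    for fb in (False, True):
        print(f"\ntry_fallback = {str(fb).lower()}")
        for sender, (d, outcome) in run_scenarios(fb).items():
            tag = f"d={d.domain} s={d.selector} key={d.key_path}" if d.signed else d.reason
            print(f"  {sender:26} {tag:72} -> {outcome}")
```

Running it shows brand2.com passing through the CNAME while brand1.com fails for lack of a record at mail._domainkey.brand1.com, and the forwarded foreign.example message staying unsigned until try_fallback is switched on, at which point it leaves with a signature no verifier can check.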