[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

L. Jankok ljankok at gmail.com
Mon Apr 8 18:16:04 UTC 2019


On Mon 8 Apr 2019 at 18:19, Dismas Axel (Thomas) via Users <
users at lists.rspamd.com> wrote:

> This is not resolved yet. I need to be able to send using an @brand1.com
> email address and get it signed by the @maincorp.com domain's DKIM key.
>
> I was able to setup with opendkim but not with rspamd dkim signing
> module...
>
> So is it really possible to use a single DKIM key to sign multiple domains?
>
> Pls help... Thank you!
>
>
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, April 8, 2019 9:14 PM, Dismas Axel (Thomas) via Users <
> users at lists.rspamd.com> wrote:
>
> > Thanks for the suggestions so far, I have been trying them out without
> success.
> >
> > So, here is my situation:
> >
> > I need to set up a single DKIM key for the other company brand domains.
> Usually I would do this in the OpenDKIM SigningTable:
> >
> > *@maincorp.com mail._domainkey.maincorp.com
> > *@brand1.com mail._domainkey.maincorp.com
> > *@brand2.com mail._domainkey.maincorp.com
> >
> > But now they are replacing SpamAssassin with Rspamd (which is a positive
> thing), and I do not know how to set a single DKIM key for all brand domain
> names to maincorp.com.
> >
> > So, here is my current local.d/dkim_signing.conf:
> >
> > enabled = true;
> >
> > #If false, messages with empty envelope from are not signed
> >
> > allow_envfrom_empty = true;
> >
> > # If true, envelope/header domain mismatch is ignored
> >
> > allow_hdrfrom_mismatch = false;
> >
> > # If true, multiple from headers are allowed (but only first is used)
> >
> > allow_hdrfrom_multiple = false;
> >
> > # If true, username does not need to contain matching domain
> >
> > allow_username_mismatch = true;
> >
> > # If false, messages from authenticated users are not selected for
> signing
> >
> > auth_only = true;
> >
> > # Default path to key, can include '$domain' and '$selector' variables
> >
> > #path = "/etc/opendkim/userkeys/$domain/$selector.private";
> >
> > path = "/etc/opendkim/keys/maincorp.com/mail.private";
> >
> > # Default selector to use
> >
> > #selector = "default";
> >
> > selector = "mail";
> >
> > # If false, messages from local networks are not selected for signing
> >
> > sign_local = true;
> >
> > # Map file of IP addresses/subnets to consider for signing
> >
> > # sign_networks = "/some/file"; # or url
> >
> > # Symbol to add when message is signed
> >
> > symbol = "DKIM_SIGNED";
> >
> > # Whether to fallback to global config
> >
> > try_fallback = false;
> >
> > selector_map = "/etc/rspamd/dkim_selectors.map";
> >
> > path_map = "/etc/rspamd/dkim_paths.map";
> >
> > # Domain to use for DKIM signing: can be "header" (MIME From),
> "envelope" (SMTP From) or "auth" (SMTP username)
> >
> > use_domain = "header";
> >
> > # Domain to use for DKIM signing when sender is in sign_networks
> ("header"/"envelope"/"auth")
> >
> > use_domain_sign_networks = "header";
> >
> > # Domain to use for DKIM signing when sender is a local IP
> ("header"/"envelope"/"auth")
> >
> > use_domain_sign_local = "header";
> >
> > # Whether to normalise domains to eSLD
> >
> > use_esld = false;
> >
> > # Whether to get keys from Redis
> >
> > # Not using redis, keys coming from files in /etc/opendkim
> >
> > use_redis = false;
> >
> > # Hash for DKIM keys in Redis
> >
> > key_prefix = "DKIM_KEYS";
> >
> > My /etc/rspamd/dkim_selectors.map:
> >
> > maincorp.com mail
> > brand1.com mail
> > brand2.com mail
> >
> > And my /etc/rspamd/dkim_paths.map:
> >
> > maincorp.com /etc/opendkim/keys/maincorp.com/mail.private
> >
> > brand1.com /etc/opendkim/keys/maincorp.com/mail.private
> >
> > brand2.com /etc/opendkim/keys/maincorp.com/mail.private
> >
> > Using the configuration above in local.d/dkim_signing.conf gives the
> following results:
> >
> > -   When an email is sent from @maincorp.com there is no problem and it
> is DKIM-signed, because maincorp.com has a _domainkey record in DNS.
> > -   But when an email is sent from @brand1.com or @brand2.com, DKIM
> will not be signed unless I add a CNAME record in brand1.com and
> brand2.com, which I did not want to do from the start because those
> domains are hosted in different countries with different timezones and I do
> not want to wait for them to wake up to update it.
> >
> >     Thank you very much for the help! Very much appreciated.
> >     Thomas
> >
> >     Sent with ProtonMail Secure Email.
> >
> >     ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> >     On Monday, April 8, 2019 8:49 PM, J. Fahrner via Users
> users at lists.rspamd.com wrote:
> >
> >
> > > On 2019-04-08 15:37, Alex JOST wrote:
> > >
> > > > You can specify default settings for 'selector' and 'path', which
> will
> > > > be used if a specific domain is not found in the map files and
> > > > 'try_fallback' is set to 'true'.
> > >
> > > I would not set try_fallback, because then you would sign even foreign
> > > domains (in forwarded mails). Why not simply symlink the key to all
> your
> > > domains?
> > > Jochen
> > >
> > >
> ----------------------------------------------------------------------------------------------------------------------------------------------------------------
> > >
> > > Users mailing list
> > > Users at lists.rspamd.com
> > > https://lists.rspamd.com/mailman/listinfo/users
> >

replied in the wrong thread before :)

First:

/usr/local/etc/rspamd/local.d]$ more dkim_signing.conf

auth_only = true;

sign_local = true;

try_fallback = false;

use_domain_sign_networks = "envelope";

use_domain_sign_local = "envelope";

path_map = "/usr/local/etc/rspamd/local.d/dkim_paths.map";

selector_map = "/usr/local/etc/rspamd/local.d/dkim_selectors.map";

sign_networks = "/usr/local/etc/rspamd/local.d/sign_networks.map";

allow_username_mismatch = true;

Second:
domaina.net /var/db/rspamd/dkim/$selector.key
domainb.net /var/db/rspamd/dkim/$selector.key
domainc.net /var/db/rspamd/dkim/$selector.key

Third:
domaina.net mail
domainb.net mail
domainc.net mail


Fourth:
10.20.30.40/32
192.168.169.170/32


You can mix and match or keep it simple.
sign_networks works really well when you act as a mail relay.

Next, you can use 1 private key and 1 selector for all domains.

