[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

Dismas Axel (Thomas) dismasc at protonmail.com
Tue Apr 9 04:35:19 UTC 2019


Hi again,

The goal is for brand1.com and brand2.com to get signed by the existing single DKIM key that is already published as a TXT record in maincorp.com, without the need to add either a CNAME or a TXT record for _domainkey in the DNS panel of each of brand1.com and brand2.com.

As for maincorp.com, it is already working because it has the TXT record mail._domainkey.maincorp in the DNS panel.

Again, here is my configuration:

local.d/dkim_signing.conf

<code>
enabled = true;

# If false, messages with empty envelope from are not signed
allow_envfrom_empty = true;

# If true, envelope/header domain mismatch is ignored
allow_hdrfrom_mismatch = false;

# If true, multiple from headers are allowed (but only first is used)
allow_hdrfrom_multiple = false;

# If true, username does not need to contain matching domain
allow_username_mismatch = true;

# If false, messages from authenticated users are not selected for signing
auth_only = true;

# Default path to key, can include '$domain' and '$selector' variables
# COMMENTED OUT INTENTIONALLY, WE USE MAP
#path = "/etc/opendkim/userkeys/$domain/$selector.private";
#path = "/etc/opendkim/keys/maincorp.com/mail.private";

# Default selector to use
# COMMENTED OUT INTENTIONALLY, WE USE MAP
#selector = "default";
#selector = "mail";

# If false, messages from local networks are not selected for signing
sign_local = true;

# Map file of IP addresses/subnets to consider for signing
#sign_networks = "/some/file"; # or url
sign_networks = "/etc/rspamd/sign_networks.map";

# Symbol to add when message is signed
symbol = "DKIM_SIGNED";

# Whether to fallback to global config
try_fallback = false;
selector_map = "/etc/rspamd/dkim_selectors.map";
path_map = "/etc/rspamd/dkim_paths.map";

# Domain to use for DKIM signing: can be "header" (MIME From), "envelope" (SMTP From) or "auth" (SMTP username)
use_domain = "header";

# Domain to use for DKIM signing when sender is in sign_networks ("header"/"envelope"/"auth")
#use_domain_sign_networks = "header";
use_domain_sign_networks = "envelope";

# Domain to use for DKIM signing when sender is a local IP ("header"/"envelope"/"auth")
#use_domain_sign_local = "header";
use_domain_sign_local = "envelope";

# Whether to normalise domains to eSLD
use_esld = false;

# Whether to get keys from Redis
# Not using redis, keys coming from files in /etc/opendkim
use_redis = false;

# Hash for DKIM keys in Redis
key_prefix = "DKIM_KEYS";
</code>

dkim_paths.map

<code>
maincorp.com /etc/opendkim/keys/maincorp.com/$selector.private
brand1.com /etc/opendkim/keys/maincorp.com/$selector.private
brand2.com /etc/opendkim/keys/maincorp.com/$selector.private
</code>

dkim_selectors.map

<code>
maincorp.com mail
brand1.com mail
brand2.com mail
</code>

sign_networks.map

<code>
my.public.ip/24
</code>

Kindly help. Thank you!
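Added example (not part of the original message, nor rspamd's own code): a small Python model of how the three maps above combine with the posted use_domain / use_domain_sign_networks settings to pick the d= domain, selector and key file for a message, and which DNS name a receiving verifier then queries for that d= (RFC 6376, selector._domainkey.domain). The 203.0.113.0/24 range is an assumed placeholder for my.public.ip/24.

```python
import ipaddress

# Constructed copies of the two map files from the post (rspamd 'key value' format).
DKIM_PATHS_MAP = """\
maincorp.com /etc/opendkim/keys/maincorp.com/$selector.private
brand1.com /etc/opendkim/keys/maincorp.com/$selector.private
brand2.com /etc/opendkim/keys/maincorp.com/$selector.private
"""
DKIM_SELECTORS_MAP = """\
maincorp.com mail
brand1.com mail
brand2.com mail
"""
SIGN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder for my.public.ip/24


def parse_map(text):
    """Parse an rspamd 'key value' map; '#' starts a comment, blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            entries[key.lower()] = value.strip()
    return entries


def signing_domain(header_from, envelope_from, client_ip,
                   use_domain="header", use_domain_sign_networks="envelope"):
    """d= domain per the posted config: envelope domain inside sign_networks, header From otherwise."""
    in_networks = any(ipaddress.ip_address(client_ip) in n for n in SIGN_NETWORKS)
    rule = use_domain_sign_networks if in_networks else use_domain
    address = envelope_from if rule == "envelope" else header_from
    return address.rsplit("@", 1)[1].lower()


def resolve_signing(domain):
    """(selector, key path, DNS name a verifier queries) for d=, or None if a map lacks the domain."""
    selectors, paths = parse_map(DKIM_SELECTORS_MAP), parse_map(DKIM_PATHS_MAP)
    if domain not in selectors or domain not in paths:
        return None  # with try_fallback = false the message is left unsigned
    selector = selectors[domain]
    path = paths[domain].replace("$selector", selector).replace("$domain", domain)
    # RFC 6376 s.3.6.2.1: the public key record is <selector>._domainkey.<d= domain>
    return selector, path, f"{selector}._domainkey.{domain}"


if __name__ == "__main__":
    print(resolve_signing(signing_domain("ceo@brand1.com", "bounce@brand1.com", "203.0.113.10")))
```

Note that the key file is shared across all three rows, but the DNS name derived from d= is per signing domain, so the verifier's lookup follows whichever domain the map entry was matched on.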
