[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains
Vsevolod Stakhov
vsevolod at rspamd.com
Tue Apr 9 08:11:23 UTC 2019
Dismas,
On 09/04/2019 08:35, Dismas Axel (Thomas) via Users wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, April 9, 2019 1:47 PM, Carsten Rosenberg <cr at ncxs.de> wrote:
>
>> Hi D.A.T,
>>
>> Could you please detail a bit, what you want to achieve? Please bring
>> examples and debug logs.
>>
>> Signing a mail for brand1.com using brand1.com also as signing domain is
>> not verifiable without a DNS entry. Also impossible in OpenDKIM ;)
>>
>> What is possible and what you maybe have done before is to sign
>> brand1.com using maincorp.com as signing domain.
>>
>> But you don't have asked about that. Maybe the feature is already
>> implemented.
>>
>>
>> Carsten
>>
>
>
> Hi Carsten and Vsevolod,
>
> Thank you for your replies. Yes, please if you have time, please help.
>
> Please allow me to summarize:
>
>
> The situation:
>
> Let's say I have 3 domains:
> maincorp.com, brand1.com, brand2.com
>
> I generated a DKIM Key for maincorp.com:
>
> Added the generated key to the OpenDKIM KeyTable:
>
> mail._domainkey.maincorp.com maincorp.com:mail:/etc/opendkim/keys/maincorp.com/mail.private
>
> Added a TXT record for mail._domainkey.maincorp.com for maincorp.com:
>
> mail._domainkey.maincorp.com IN TXT ( "v=DKIM1; k=rsa; "
> "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiWKBgQKQlg6RRngSt6ctCrdSzWJekQttma0dpIuBY3O0wI1einS/NNp4uPJznkiLvJoqAT8LoSJzEM8EtzSGK5dowL9gEGkTM/SowRHRN97cdfxuWeq2Pjn+MMAjxrdaXoZuGWq5n2zFNcJv6tVOVnH6SbOSXu4BWr3Op1iexw2Ps8Ll7QIDAQAB" ) ; ----- DKIM key mail for maincorp.com
>
> Then, on my SigningTable in /etc/opendkim, I added:
>
> OpenDKIM SigningTable:
>
> *@maincorp.com mail._domainkey.maincorp.com
> *@brand1.com mail._domainkey.maincorp.com
> *@brand2.com mail._domainkey.maincorp.com
>
> Final Result:
>
> All emails from @brand1.com and @brand2.com are also signed with mail._domainkey.maincorp.com. When I check with Gmail, it tells me that @brand1.com mail is signed-by maincorp.com and not brand1.com.
>
> With this setup, I gained flexibility in that:
>
> 1) I did not need to generate DKIM Keys for brand1.com and brand2.com.
> 2) I did not need to add a CNAME Record, e.g:
> mail._domainkey.brand1.com IN CNAME mail._domainkey.maincorp.com
>
Again: DKIM signing has *nothing* to do with DNS itself, but I see your point.
You can use a static signing domain for all signatures, but it will be tricky.
First, you need to set something like
use_domain_sign_local = "maincorp.com"; (or use_domain_sign_auth)
Then you need to ensure that the symbol is enabled only for the domains
you'd like to sign (e.g. via user settings) and disabled for
everything else.
Probably, OpenDKIM style maps are better indeed. I will investigate
OpenDKIM configuration style and will probably add something similar to
simplify transition to Rspamd.
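To make the mechanics of the thread concrete, here is an added example (not code from the thread, from OpenDKIM or from Rspamd) that resolves a sender address through OpenDKIM-style SigningTable and KeyTable maps exactly as described above, derives the `d=`/`s=` values the signature would carry and the TXT name a verifier will query, and flags whether the signing domain equals the From domain (the mismatch Gmail surfaces as "signed-by maincorp.com"). The maps are constructed from the thread; the wildcard matching order (exact address, then `*@domain`, then bare domain) is an assumption that simplifies OpenDKIM's real lookup rules.

```python
"""Resolve which DKIM key an OpenDKIM-style SigningTable/KeyTable pair selects
for a given sender, and what a verifier will see as a result.

Added example; simplified map semantics (assumption), not OpenDKIM's own code.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample maps, matching the configuration described in the thread.
SIGNING_TABLE = """\
*@maincorp.com mail._domainkey.maincorp.com
*@brand1.com mail._domainkey.maincorp.com
*@brand2.com mail._domainkey.maincorp.com
"""

KEY_TABLE = """\
mail._domainkey.maincorp.com maincorp.com:mail:/etc/opendkim/keys/maincorp.com/mail.private
"""


@dataclass(frozen=True)
class SigningDecision:
    from_domain: str
    signing_domain: str  # becomes the d= tag of DKIM-Signature
    selector: str        # becomes the s= tag of DKIM-Signature
    key_path: str
    dns_record: str      # TXT name a verifier looks up: <s>._domainkey.<d>

    @property
    def aligned(self) -> bool:
        """True when the signing domain is the From domain itself."""
        return self.from_domain.lower() == self.signing_domain.lower()

    def signature_tags(self) -> str:
        """The domain/selector part of the resulting DKIM-Signature header."""
        return f"d={self.signing_domain}; s={self.selector}"


def parse_table(text: str) -> list:
    """Parse 'key value' lines; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        entries.append((key, value.strip()))
    return entries


def match_signing_entry(address: str, signing_entries: list) -> Optional[str]:
    """Return the KeyTable name the SigningTable selects for this address.

    Assumed lookup order (simplification): exact address, then *@domain,
    then the bare domain. Matching is case-insensitive.
    """
    domain = address.rpartition("@")[2].lower()
    table = {k.lower(): v for k, v in signing_entries}
    for candidate in (address.lower(), f"*@{domain}", domain):
        if candidate in table:
            return table[candidate]
    return None


def resolve(address: str, signing_table: str = SIGNING_TABLE,
            key_table: str = KEY_TABLE) -> Optional[SigningDecision]:
    """Map a sender address to the key OpenDKIM-style maps would sign with.

    Returns None when no SigningTable entry matches (mail goes out unsigned).
    """
    keyname = match_signing_entry(address, parse_table(signing_table))
    if keyname is None:
        return None
    keys = dict(parse_table(key_table))
    if keyname not in keys:
        raise KeyError(f"SigningTable refers to unknown KeyTable entry {keyname!r}")
    # KeyTable value format: signingdomain:selector:keypath
    signing_domain, selector, key_path = keys[keyname].split(":", 2)
    from_domain = address.rpartition("@")[2]
    return SigningDecision(
        from_domain=from_domain,
        signing_domain=signing_domain,
        selector=selector,
        key_path=key_path,
        dns_record=f"{selector}._domainkey.{signing_domain}",
    )


if __name__ == "__main__":
    for sender in ("alice@brand1.com", "bob@maincorp.com", "eve@other.example"):
        decision = resolve(sender)
        if decision is None:
            print(f"{sender}: no SigningTable match, not signed")
        else:
            print(f"{sender}: {decision.signature_tags()}; verifier queries "
                  f"{decision.dns_record}; aligned={decision.aligned}")
```

Running it shows why only one TXT record is needed: every sender resolves to `d=maincorp.com; s=mail`, so the verifier queries `mail._domainkey.maincorp.com` regardless of the From domain, and the signature validates. The `aligned` flag is False for the brand domains, which is precisely the "signed-by maincorp.com" that Gmail reports; a receiver applying DMARC alignment on the From domain treats such a signature as non-aligned, which is the trade-off of skipping per-brand keys or CNAMEs.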