[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

Dismas Axel (Thomas) dismasc at protonmail.com
Tue Apr 9 08:47:00 UTC 2019


Vsevolod,

Well, unfortunately, I am not familiar with RSPAMD just yet, but I will give what you have described as tricky a try. It takes some time to get used to something new (and for me RSPAMD is something new (what a lame me :) )).

But, as a temporary solution, I prefer to just add the brand1.com and brand2.com CNAME.

I do very much appreciate the fact that you would add the ability to simplify the transition from OpenDKIM to Rspamd. Thank you!

BR,
D.A. Thomas.


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday, April 9, 2019 3:11 PM, Vsevolod Stakhov <vsevolod at rspamd.com> wrote:

> Dismas,
>
> On 09/04/2019 08:35, Dismas Axel (Thomas) via Users wrote:
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Tuesday, April 9, 2019 1:47 PM, Carsten Rosenberg cr at ncxs.de wrote:
> >
> > > Hi D.A.T,
> > > Could you please detail a bit, what you want to achieve? Please bring
> > > examples and debug logs.
> > > Signing a mail for brand1.com using brand1.com also as signing domain is
> > > not verifiable without a DNS entry. Also impossible in OpenDKIM ;)
> > > What is possible and what you maybe have done before is to sign
> > > brand1.com using maincorp.com as signing domain.
> > > But you haven't asked about that. Maybe the feature is already
> > > implemented.
> > >
> > > Carsten
> >
> > Hi Carsten and Vsevolod,
> > Thank you for your replies. Yes, please if you have time, please help.
> > Please allow me to summarize:
> > The situation:
> > Let's say I have 3 domains:
> > <pre>
> > maincorp.com, brand1.com, brand2.com
> > </pre>
> > I generated a DKIM Key for maincorp.com:
> > Added the generated key to the OpenDKIM KeyTable:
> > <pre>
> > mail._domainkey.maincorp.com maincorp.com:mail:/etc/opendkim/keys/maincorp.com/mail.private
> > </pre>
> > Added TXT Record for mail._domainkey.maincorp.com for maincorp.com:
> > <pre>
> > mail._domainkey.maincorp.com IN TXT ( "v=DKIM1; k=rsa; "
> > "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiWKBgQKQlg6RRngSt6ctCrdSzWJekQttma0dpIuBY3O0wI1einS/NNp4uPJznkiLvJoqAT8LoSJzEM8EtzSGK5dowL9gEGkTM/SowRHRN97cdfxuWeq2Pjn+MMAjxrdaXoZuGWq5n2zFNcJv6tVOVnH6SbOSXu4BWr3Op1iexw2Ps8Ll7QIDAQAB" ) ; ----- DKIM key mail for maincorp.com
> > </pre>
> > Then, on my SigningTable in /etc/opendkim, I added:
> > OpenDKIM SigningTable:
> > <pre>
> > *@maincorp.com mail._domainkey.maincorp.com
> > *@brand1.com mail._domainkey.maincorp.com
> > *@brand2.com mail._domainkey.maincorp.com
> > </pre>
> > Final Result:
> > All emails from @brand1.com and @brand2.com would also be signed with mail._domainkey.maincorp.com. When you check with Gmail, it will tell me that @brand1.com is signed-by maincorp.com and not brand1.com.
> > By doing this, I gained flexibility in that:
> >
> > 1.  I did not need to generate DKIM Keys for brand1.com and brand2.com.
> > 2.  I did not need to add a CNAME Record, e.g:
> >     <pre>
> >     mail._domainkey.brand1.com IN CNAME mail._domainkey.maincorp.com
> >     </pre>
> >
>
> Again: DKIM signing has nothing to do with DNS itself, but I see your point.
>
> You can use a static signing domain for all signatures but it will be tricky.
>
> First, you need to set something like
>
> use_domain_sign_local = "maincorp.com"; (or use_domain_sign_auth)
>
> Then you need to ensure that a symbol is enabled merely for the domains
> you'd like to sign (e.g. via users settings) and disable it for
> everything else.
>
> Probably, OpenDKIM style maps are better indeed. I will investigate
> OpenDKIM configuration style and will probably add something similar to
> simplify transition to Rspamd.
>
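
An added illustration (not code from this thread, OpenDKIM, or Rspamd) of the KeyTable/SigningTable lookup described in the quoted message: it resolves a sender address to the signing domain, the selector, and the DNS TXT name a verifier would query. The function names, the `fnmatch`-based wildcard matching, and the first-match rule are assumptions of this sketch; the table lines are copied from the message.

```python
from fnmatch import fnmatchcase

# Table contents copied from the thread.
KEY_TABLE = """\
mail._domainkey.maincorp.com maincorp.com:mail:/etc/opendkim/keys/maincorp.com/mail.private
"""
SIGNING_TABLE = """\
*@maincorp.com mail._domainkey.maincorp.com
*@brand1.com mail._domainkey.maincorp.com
*@brand2.com mail._domainkey.maincorp.com
"""


def parse_key_table(text):
    """Map key name -> (signing domain, selector, private key path)."""
    keys = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, spec = line.split(None, 1)
        domain, selector, path = spec.strip().split(":", 2)
        keys[name] = (domain, selector, path)
    return keys


def parse_signing_table(text):
    """Return an ordered list of (address pattern, key name) rules."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            pattern, key_name = line.split()
            rules.append((pattern.lower(), key_name))
    return rules


def resolve_signature(sender, rules, keys):
    """Return signing parameters for sender, or None if no rule matches."""
    sender = sender.lower()
    for pattern, key_name in rules:  # assumption: the first matching rule is used
        if fnmatchcase(sender, pattern):
            domain, selector, path = keys[key_name]
            return {
                "d": domain,        # signing domain placed in the signature
                "s": selector,
                "key": path,
                # Name the verifier looks up; derived from d= and s= only.
                "dns_txt": f"{selector}._domainkey.{domain}",
                "d_matches_sender_domain": sender.rsplit("@", 1)[-1] == domain,
            }
    return None
```

For a brand1.com sender the lookup name stays under maincorp.com, which is why no record under brand1.com is queried and why the receiver reports the mail as signed by maincorp.com.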



