[Rspamd-Users] A Single DKIM Key Signing for Multiple Domains

Tue Apr 9 11:50:25 UTC 2019

Dismas,

Here is another reminder about top posting: it is forbidden in this
list. Please see my reply below.

On 09/04/2019 09:47, Dismas Axel (Thomas) via Users wrote:
> Vsevolod,
> 
> Well, unfortunately, I am not familiar to RSPAMD just yet, but will give it a try to what you have instructed as tricky. It takes some time to get used to something new (and for me RSPAMD is something new ( what a lame me :) ).
> 
> But, as a temporary solution, I prefer to just add the brand1.com and brand2.com CNAME.
> 
> I do very much appreciate, the fact that you would add the ability to simplify transition from Opendkim to Rspamd. Thank you!
> 
> BR,
> D.A. Thomas.
> 
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Tuesday, April 9, 2019 3:11 PM, Vsevolod Stakhov <vsevolod at rspamd.com> wrote:
> 
>> Dismas,
>>
>> On 09/04/2019 08:35, Dismas Axel (Thomas) via Users wrote:
>>
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Tuesday, April 9, 2019 1:47 PM, Carsten Rosenberg cr at ncxs.de wrote:
>>>
>>>> Hi D.A.T,
>>>> Could you please detail a bit, what you want to achieve? Please bring
>>>> examples and debug logs.
>>>> Signing a mail for brand1.com using brand1.com also as signing domain is
>>>> not verifiable without a DNS entry. Also impossible in OpenDKIM ;)
>>>> What is possible and what you maybe have done before is to sign
>>>> brand1.com using maincorp.com as signing domain.
>>>> But you don't have asked about that. Maybe the feature is already
>>>> implemented.
>>>>
>>>> Carsten
>>>
>>> Hi Carsten and Vsevolod,
>>> Thank you for your replies. Yes, please if you have time, please help.
>>> Please allow me to summarize:
>>> The situation:
>>> Let's say I have 3 domains:
>>> <pre>
>>> maincorp.com, brand1.com, brand2.com
>>> </pre>
>>> I generated a DKIM Key for maincorp.com:
>>> Added the generated key to the OpenDKIM KeyTable:
>>> <pre>
>>> mail._domainkey.maincorp.com maincorp.com:mail:/etc/opendkim/keys/maincorp.com/mail.private
>>> </pre>
>>> Added TXT Record for mail_.domainkey.maincorp.com for maincorp.com:
>>> <pre>
>>> mail._domainkey.maincorp.com IN TXT ( "v=DKIM1; k=rsa; "
>>> "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiWKBgQKQlg6RRngSt6ctCrdSzWJekQttma0dpIuBY3O0wI1einS/NNp4uPJznkiLvJoqAT8LoSJzEM8EtzSGK5dowL9gEGkTM/SowRHRN97cdfxuWeq2Pjn+MMAjxrdaXoZuGWq5n2zFNcJv6tVOVnH6SbOSXu4BWr3Op1iexw2Ps8Ll7QIDAQAB" ) ; ----- DKIM key mail for maincorp.com
>>> </pre>
>>> Then, on my SigningTable in /etc/opendkim, I added:
>>> OpenDKIM SigningTable:
>>> <pre>
>>> *@maincorp.com mail._domainkey.maincorp.com
>>> *@brand1.com mail._domainkey.maincorp.com
>>> *@brand2.com mail._domainkey.maincorp.com
>>> </pre>
>>> Final Result:
>>> All emails from @brand1.com and @brand2.com would also be signed with mail._domainkey.maincorp.com. When you check with gmail it will tell me that @brand1.com signed-by mailcorp.com and not brand1.com.
>>> To achieve this, I gained flexibility to the facts that:
>>>
>>> 1.  I did not need to generate DKIM Keys for brand1.com and brand2.com.
>>> 2.  I did not need to add a CNAME Record, e.g:
>>>     <pre>
>>>     mail._domainkey.brand1.com IN CNAME mail._domainkey.maincorp.com
>>>     </pre>
>>>
>>
>> Again: DKIM signing hasnothing about DNS itself, but I see your point.
>>
>> You can use static signing domain for all signatures but it will be tricky.
>>
>> First, you need to set something like
>>
>> use_domain_sign_local = "maincorp.com"; (or use_domain_sign_auth)
>>
>> Then you need to ensure that a symbol is enabled merely for the domains
>> you'd like to sing (e.g. via users settings) and disable it for
>> everything else.
>>
>> Probably, OpenDKIM style maps are better indeed. I will investigate
>> OpenDKIM configuration style and will probably add something similar to
>> simplify transition to Rspamd.

I have added support for `signing_table` and `key_table` in the similar
matter as OpenDKIM does in the recent Rspamd version.