[Rspamd-Users] Multiple dkim selectors without using a map?

George Shammas rspamd at shamm.as
Thu Jul 2 22:14:14 UTC 2020

Thanks for the pointers.

The most interesting in that list is vault. Went on a configuration bender 
today getting that working. The handling of key rotation is a nice plus.

Something that is interesting with rspamd with vault, is that it takes a token
from either a configuration file or an environment variable. But the only
non-expring token from vault are root tokens. There doesn't seem to be a
good method to have rspamd refresh the tokens.

To work-around this, I ended up rigging up systemd to get a new token every
time it starts. However even in that case, it means that if rspamd is stable
for over 32 days (the default max ttl) it will just start silently stop 
signing mail. Even if I was using a containers to pass down the secret, if the
pod was stable it would run into the same problem.

Writing a script that produces the map is what I original did, and I'll likely
stick to that in the end. It's a bit verbose, but much more bullet proof than
the alternatives.


On Wed, Jul 01, 2020 at 01:55:26PM +0200, Arno Welzel wrote:
> There are several ways to do this, not only maps.
> <https://rspamd.com/doc/modules/dkim_signing.html#use-of-signing_table>
> <https://rspamd.com/doc/modules/dkim_signing.html#http-headers-based-dkim-signing>
> <https://rspamd.com/doc/modules/dkim_signing.html#dkim-signing-using-vault>
> Another way would be to create a script which produces this map file
> based on the list of domain names.

More information about the Users mailing list