DKIM keys stored in sql?

Quanah Gibson-Mount via amavis-users amavis-users at
Wed May 7 23:24:10 CEST 2014

--On May 7, 2014 at 10:33:53 PM +0200 Mark Martinec via amavis-users 
<amavis-users at> wrote:

> Tom,
>> We would like to provide DKIM signing for a large number of customer
>> domains (many thousand) - loading them from the conf file isn't very
>> practical.  We prefer to load them from a sql table.
>> We are currently using opendkim for this purpose, but would prefer to
>> consolidate this into amavisd-new.
>> Is there some way to do this in amavisd-new that I am missing? Or is
>> it a planned feature?
> Currently I don't have a satisfying answer to this question.
> There are some tools in place, but some customization is still needed.
> The main reason why amavisd does not take private signing keys from
> an SQL or LDAP database is privilege separation. An application
> (amavisd) that is regularly processing untrusted information should
> better not have a direct access to secret information (signing keys),
> if at all it can be avoided.

Thankfully, OpenDKIM was built to use LDAP for DKIM keys, and does so quite 
well.  I use it rather than amavis for signing for this very reason.


Quanah Gibson-Mount
Server Architect
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration
