DKIM keys for specific domains + multiple domains

John Luk john.luk98 at gmail.com
Wed Mar 27 01:47:12 CET 2019


On Tue, Mar 26, 2019 at 3:56 PM Marc Pujol <shadow+amavis at la3.org> wrote:

> On 26/03/2019 19:42, John Luk wrote:
>
> > dkim_key('domain1.com', "dkim", "/var/lib/dkim/domain1.com.pem");
> > dkim_key('domain2.com', "dkim", "/var/lib/dkim/domain2.com.pem");
> > dkim_key('others.com', "dkim", "/var/lib/dkim/others.com.pem");
> > @dkim_signature_options_bysender_maps = ( {
> >     "."  => { d => "others.com", a => 'rsa-sha256', ttl => 10*24*3600 },
> > });
> >
> > In my understanding the above would:
> >
> > * sign domain1.com using that domain1.com key
> > * sign domain2.com using that domain2.com key
> >
> > * sign domainX.com using that others.com key
> > * sign domainY.com using that others.com key
> >
> > Is that true?
>
> I don't think it is. The dkim_key entries only setup which keys are
> available, and then @dkim_signature_options_bysender_maps is what
> defines which signing domain to use depending on the sender address.
> Double-check the docs:
>
> https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-sign
> (point 7).
>
> In your case, you only have a catchall entry specifying that everything
> should be signed under the others.com domain (and you only have one
> key for that domain, so everything will be signed under d=others.com
> with the /var/lib/dkim/others.com.pem key).
>
> The correct setup would be:
>
> dkim_key('domain1.com', "dkim", "/var/lib/dkim/domain1.com.pem");
> dkim_key('domain2.com', "dkim", "/var/lib/dkim/domain2.com.pem");
> dkim_key('others.com', "dkim", "/var/lib/dkim/others.com.pem");
> @dkim_signature_options_bysender_maps = ( {
>     ".domain1.com" => { d => "domain1.com", a => 'rsa-sha256', ttl => 10*24*3600 },
>     ".domain2.com" => { d => "domain2.com", a => 'rsa-sha256', ttl => 10*24*3600 },
>     "."            => { d => "others.com",  a => 'rsa-sha256', ttl => 10*24*3600 },
> });
>
> Comments:
>
> - Notice that the signing domain doesn't need to be the same as the
> sender domain. For instance, gmail will sign all its outgoing mails
> under the gmail.com domain, even gmail for businesses with their own
> domain. In this example all emails except those of domain1.com and
> domain2.com would be signed under the others.com domain (not under their
> own).
>
> - As in other maps, ".domain1.com" (with the initial dot) matches both
> the domain1.com domain and any of its subdomains, whereas "domain1.com"
> doesn't match subdomains.
>
> - Of course you can adapt the extra parameters (a, ttl, whatever) to
> your liking.

Thanks for your timely reply, and for the explanation.

The funny thing is, there is no dkim_signature_options_bysender_maps found
in our amavis conf, yet it has had no problem signing for domain1 and domain2
for years.

https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-sign is a
great link, thanks.  Although its point 7, for
dkim_signature_options_bysender_maps, says it is "Optional".  And in point 2
and point 3 one can already do "showkeys" and "testkeys" without adding
dkim_signature_options_bysender_maps.  Also, point 2 is for:

"*2.* Add commands to amavisd.conf to load private keys, associate them
with signing domains and selectors, and describe constraints (tags) to be
published with public keys."

So does that mean "dkim_key" has already defined the signing key for that
sender domain?

Thanks!
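The map semantics Marc describes above, as an added example that is neither amavisd's own code nor something either participant posted: a small Python model of the @dkim_signature_options_bysender_maps lookup. DKIM_KEYS, CATCHALL_ONLY_MAP and CORRECTED_MAP are the three dkim_key() lines and the two maps quoted in the thread; EXACT_ONLY_MAP and the sample addresses (alice@domain1.com and so on) are constructed here to show the "domain" versus ".domain" rule. The candidate-key order (full address, then user@, then the exact domain, then progressively shorter ".parent" keys, then the "." catch-all) follows the e-mail address lookup that amavisd's README.lookups documents; everything else is this example's own modelling. It covers the explicit map only and says nothing about what amavisd does when the map is absent, which is the question John raises.

```python
"""Model of amavisd's @dkim_signature_options_bysender_maps lookup.

Added example: not amavisd code and not posted by either participant.
DKIM_KEYS, CATCHALL_ONLY_MAP and CORRECTED_MAP are taken from the thread;
EXACT_ONLY_MAP and the sample addresses are constructed to show the
"domain" versus ".domain" rule.  The candidate-key order follows the
e-mail address lookup described in amavisd's README.lookups (full
address, user@, exact domain, progressively shorter ".parent" keys, ".").
"""

# dkim_key('domain', 'selector', '/path/to/key.pem'): signing domain -> (selector, key file)
DKIM_KEYS = {
    "domain1.com": ("dkim", "/var/lib/dkim/domain1.com.pem"),
    "domain2.com": ("dkim", "/var/lib/dkim/domain2.com.pem"),
    "others.com": ("dkim", "/var/lib/dkim/others.com.pem"),
}

TEN_DAYS = 10 * 24 * 3600

# The original poster's map: a catch-all entry only.
CATCHALL_ONLY_MAP = {
    ".": {"d": "others.com", "a": "rsa-sha256", "ttl": TEN_DAYS},
}

# The corrected map from the reply: ".domain1.com" covers the domain and its subdomains.
CORRECTED_MAP = {
    ".domain1.com": {"d": "domain1.com", "a": "rsa-sha256", "ttl": TEN_DAYS},
    ".domain2.com": {"d": "domain2.com", "a": "rsa-sha256", "ttl": TEN_DAYS},
    ".": {"d": "others.com", "a": "rsa-sha256", "ttl": TEN_DAYS},
}

# Constructed variant: a key without the leading dot matches only that exact domain.
EXACT_ONLY_MAP = {
    "domain1.com": {"d": "domain1.com", "a": "rsa-sha256", "ttl": TEN_DAYS},
    ".": {"d": "others.com", "a": "rsa-sha256", "ttl": TEN_DAYS},
}


def lookup_keys(address):
    """Candidate map keys for a sender address, most specific first."""
    local, _, domain = address.lower().rpartition("@")
    keys = [f"{local}@{domain}", f"{local}@", domain]
    labels = domain.split(".")
    for i in range(len(labels)):
        keys.append("." + ".".join(labels[i:]))
    keys.append(".")
    return keys


def signing_options(address, bysender_map):
    """First matching (key, options) pair, or (None, None) if nothing matches."""
    for key in lookup_keys(address):
        if key in bysender_map:
            return key, bysender_map[key]
    return None, None


def resolve_signing_key(address, bysender_map, dkim_keys=DKIM_KEYS):
    """Return (d, selector, key file) for the address, or None if no entry matched.

    A matched entry whose d has no registered dkim_key() is a configuration
    error and raises KeyError rather than silently falling through.
    """
    _, opts = signing_options(address, bysender_map)
    if opts is None:
        return None
    d = opts["d"]
    if d not in dkim_keys:
        raise KeyError(f"no dkim_key registered for signing domain {d!r}")
    selector, key_file = dkim_keys[d]
    return d, selector, key_file


def report(address, bysender_map):
    """One-line summary of which entry matched and which key would sign."""
    key, _ = signing_options(address, bysender_map)
    resolved = resolve_signing_key(address, bysender_map)
    if resolved is None:
        return f"{address}: no map entry matched"
    d, selector, key_file = resolved
    return f"{address}: matched {key!r} -> d={d} s={selector} key={key_file}"


if __name__ == "__main__":
    for name, bysender_map in [("catch-all only", CATCHALL_ONLY_MAP),
                               ("corrected", CORRECTED_MAP),
                               ("exact key only", EXACT_ONLY_MAP)]:
        print(f"== {name} ==")
        for address in ("alice@domain1.com", "bob@mail.domain2.com",
                        "carol@sub.domain1.com", "dave@domainx.com"):
            print(report(address, bysender_map))
```

Running it shows the point of the reply: with the catch-all map alone, alice@domain1.com is signed under d=others.com with the others.com key even though a domain1.com key is loaded; with the corrected map she is signed under her own domain, and bob@mail.domain2.com is picked up by the ".domain2.com" entry; under the exact-key map carol@sub.domain1.com misses "domain1.com" and falls through to the catch-all.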