DKIM keys for specific domains + multiple domains
Marc Pujol
shadow+amavis at la3.org
Wed Mar 27 11:52:55 CET 2019
On 27/03/2019 01:47, John Luk wrote:
> The funny thing is, there is no dkim_signature_options_bysender_maps found
> in our amavis conf, yet it has no problem signing for domain1 and domain2
> for years.
>
> https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-sign is a
> great link, thanks. Although its point 7 for
> dkim_signature_options_bysender_maps said it is "Optional".
The thing is that if there is no match in
dkim_signature_options_bysender_maps, amavis falls back to trying to sign
with d=sender_domain.tld. In your previous setup you were using that
fallback mechanism.
However, once you set up dkim_signature_options_bysender_maps with a
catch-all entry ('.' matches everything), then amavis would start signing
with d=others.com because it does find a match for "domain1.tld" saying
so. That is, since there's a match, amavis won't be using the fallback
logic anymore.
> And in point 2 and point 3 one can already do "showkeys" and "testkeys"
> without adding dkim_signature_options_bysender_maps. Also point 2 is for:
>
> "*2.* Add commands to amavisd.conf to load private keys, associate them
> with signing domains and selectors, and describe constraints (tags) to be
> published with public keys."
>
> So does it mean, "dkim_key" has already defined the signing key for that
> sender domain?
You can read:
dkim_key('domain.tld', 'selector', '/path/to/file.key.pem');
as saying:
You have a key available to sign e-mails under the domain.tld domain
(d=domain.tld) using the file.key.pem private key, whose public
counterpart should be published in the DNS record
"selector._domainkey.domain.tld".
Then showkeys just shows you these definitions, and testkeys checks that
the DNS records are actually published and correspond to the public
counterpart of the specified private key file.
This is completely independent from the logic of deciding which signing
domain (d=xxxx.tld) should be used for each particular e-mail (of course
you can only sign with one of the signatures you have previously
defined, but which one to use specifically is where
dkim_signature_options_bysender_maps comes in).
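The two halves of the explanation above (dkim_key loading keys, the bysender map choosing d=) put together as an amavisd.conf fragment. This is an added example, not code from the original message or from the amavisd-new documentation; domain1.tld, domain2.tld and others.com are the names used in the thread, while the selector name, key paths, algorithm and TTL values are assumptions for illustration. The commented-out map is the lone catch-all that re-signs everything as d=others.com; the active map below it keeps per-domain signing.

```perl
# Added example (not from the original message or the amavisd-new docs).
# Assumed: selector 'sel2019', key paths under /var/lib/amavis/dkim/,
# rsa-sha256 and a 21-day TTL. Domain names are those from the thread.

$enable_dkim_signing = 1;

# Step 2: load private keys and bind each to a signing domain (d=) and a
# DNS selector. The public half must be published as a TXT record at
# <selector>._domainkey.<domain>. "amavisd showkeys" prints these records,
# "amavisd testkeys" checks DNS against the private key files.
dkim_key('domain1.tld', 'sel2019', '/var/lib/amavis/dkim/domain1.tld.pem');
dkim_key('domain2.tld', 'sel2019', '/var/lib/amavis/dkim/domain2.tld.pem');
dkim_key('others.com',  'sel2019', '/var/lib/amavis/dkim/others.com.pem');

# Broken: '.' matches every sender, so the d=<sender domain> fallback is
# never reached and mail from domain1.tld or domain2.tld is signed with
# d=others.com.
# @dkim_signature_options_bysender_maps = ( {
#   '.' => { d => 'others.com', a => 'rsa-sha256', ttl => 21*24*3600 },
# } );

# Fixed: amavis hash lookups try the exact sender domain (and its parent
# domains) before the '.' catch-all, so these entries win for their own
# senders and only everything else falls through to the others.com key.
@dkim_signature_options_bysender_maps = ( {
  'domain1.tld' => { d => 'domain1.tld', a => 'rsa-sha256', ttl => 21*24*3600 },
  'domain2.tld' => { d => 'domain2.tld', a => 'rsa-sha256', ttl => 21*24*3600 },
  '.'           => { d => 'others.com',  a => 'rsa-sha256', ttl => 21*24*3600 },
} );
```

After editing, run "amavisd showkeys" to confirm the three selector records and "amavisd testkeys" to confirm DNS matches the key files; neither command tells you which d= will be chosen for a given sender, since that is decided by the map at signing time, so send a test message from each domain and inspect the DKIM-Signature header's d= tag.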