DKIM keys for specific domains + multiple domains
shadow+amavis at la3.org
Wed Mar 27 11:52:55 CET 2019
A 27/03/2019 01:47, John Luk escrigué:
> The funny thing is, there is no dkim_signature_options_bysender_maps
> in our amavis conf, yet it has no problem signing for domain1 and
> for years.
> is a
> great link, thanks. Although its point 7 for
> dkim_signature_options_bysender_maps said it is "Optional".
The thing is that if there is no match in
dkim_signature_options_bysender_maps amavis falls back to trying to sign
with d=sender_domain.tld. In your previous setup you were using that
However, once you setup dkim_signature_options_bysender_maps with a
catchall entry ('.' matches everything) then amavis would start signing
with d=others.com because it does find a match for "domain1.tld" saying
so. That is, since there's a match, amavis won't be using the fallback
> And in point 2
> and point 3 one can already do "showkeys" and "testkeys" without adding
> dkim_signature_options_bysender_maps. Also point 2 is for:
> "*2.* Add commands to amavisd.conf to load private keys, associate them
> with signing domains and selectors, and describe constraints (tags) to
> published with public keys."
> So does it mean, "dkim_key" has already defined the signing key for
> sender domain?
You can read:
dkim_key('domain.tld', 'selector', '/path/to/file.key.pem');
You have a key available to sign e-mails under the domain.tld domain
(d=domain.tld) using the file.key.pem private key whose public
counterpart should be published in the DNS record
Then showkeys just shows you these definitions, and testkeys checks that
the DNS records are actually published and correspond to the public
counterpart of the specified private key file.
This is completely independent from the logic of deciding which signing
domain (d=xxxx.tld) sould be used for each particular e-mail (of course
you can only sign with one of the signatures you have previously
defined, but which one to use specifically is where
dkim_signature_options_bysender_maps comes in).
More information about the amavis-users