# setfacl -m u:amavis:r-- mydefaultdomain.net.pem

Sweet, that worked great.

So was I right about the following code?

'dkim_key(".", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

As long as I replace a specific signing domain with "." it will sign all emails from all domains?

Thanks again for all your help.

'-rw-r-----+  1 root   root    887 Jul 14 16:43 mydefaultdomain.net.pem'

Please use 'getfacl' command to check advance access control:

# getfacl mydefaultdomain.net.pem

For security reason, it's not a good idea to make it world-readable, so we restrict it like this:

# setfacl -m u:amavis:r-- mydefaultdomain.net.pem

You can search 'setfacl' in iRedMail-x.y.z/functions/amavisd.sh.

Just make sure you have one 'dkim_key()', and it will use it as default DKIM pem.

'amavisd genrsa /var/lib/dkim/mydomain1.com.pem'

I had issues with the default permissions though.

This first site is the default site that the install script asked for when setting up this box initially. I can't seem to find any documentation on how to duplicate these permission. The plus sign throws me off here.

'-rw-r-----+  1 root   root    887 Jul 14 16:43 mydefaultdomain.net.pem'

When I run the 'amavisd genrsa' command I get the following permission set and when I add the appropriate lines in the '/etc/amavisd.conf' file and restart the amavisd service, it will not come back up complaining about permissions.

'-rw-------   1 root   root    891 Jul 16 00:56 mydomain1.com.pem'

A third site I have set up on the system works after doing a:

'chmod 777 mydomain2.com.pem'

resulting in the following:

'-rwxrwxrwx   1 root   root    887 Jul 15 15:06 mydomain2.com.pem'

So I am looking for THE magic chmod command to fix permissions for any sites I add and still have a secure file.

In regards to the catchall signing of every outgoing email by default I assume you are referring the last line in the '/etc/amavisd.conf' file that says the following?

'    # catchall defaults
    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },'

This line doesn't seem to be pointing to a key file like the 'dkim_key' line does. So would I still need to add a line similar to the following?

'dkim_key(".", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

Then comment out the one that was created by the install script?

'dkim_key("mydefaultdomain.net", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

Thank you for you assistance with these issues.

DKIM signing works great for my default domain. I'm sure I've missed something but what is the "correct" way of signing emails from multiple virtual domains?

You can use a catchall or a per-domain signing, both are 'correct'.

It uses catchall signing by default, and you must add all your domains in 'local_domains_maps' (/etc/amavisd.conf).

No.

So far it doesn't seem obvious how to do this. The two parts to the equation that I can see so far are that I need new key files in /var/lib/dkim/ and the /etc/amavisd.conf file needs to be modified. Is there a simple command that I can run to add other keys and that adds the new config lines to the appropriate files?

Or was there a different way to set up the box initially that would have done all this for me for multiple domains?