1 Topic by Steve

  • Steve
  • Member
  • Offline
  • Registered: 2009-06-30
  • Posts: 11

Topic: DKIM signing for multiple virtual domains?

DKIM signing works great for my default domain. I'm sure I've missed something but what is the "correct" way of signing emails from multiple virtual domains? It appears I can use the same key or use a catchall in the amavisd.conf file to sign ALL outgoing emails. But what are the best practices for DKIM signing in this situation?

So far it doesn't seem obvious how to do this. The two parts to the equation that I can see so far are that I need new key files in /var/lib/dkim/ and the /etc/amavisd.conf file needs to be modified. Is there a simple command that I can run to add other keys and that adds the new config lines to the appropriate files?

Or was there a different way to set up the box initially that would have done all this for me for multiple domains?

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 4,807

Re: DKIM signing for multiple virtual domains?

Steve wrote:

DKIM signing works great for my default domain. I'm sure I've missed something but what is the "correct" way of signing emails from multiple virtual domains?

You can use a catchall or a per-domain signing, both are 'correct'.

So far it doesn't seem obvious how to do this. The two parts to the equation that I can see so far are that I need new key files in /var/lib/dkim/ and the /etc/amavisd.conf file needs to be modified.

It uses catchall signing by default, and you must add all your domains in 'local_domains_maps' (/etc/amavisd.conf).

Is there a simple command that I can run to add other keys and that adds the new config lines to the appropriate files?

No.

3 Reply by Steve

  • Steve
  • Member
  • Offline
  • Registered: 2009-06-30
  • Posts: 11

Re: DKIM signing for multiple virtual domains?

Ok, I got everything to work after adding separate 'dkim_key' lines to the '/etc/amavisd.conf' file and creating my own keys by running the following command:

'amavisd genrsa /var/lib/dkim/mydomain1.com.pem'

I had issues with the default permissions though.

This first site is the default site that the install script asked for when setting up this box initially. I can't seem to find any documentation on how to duplicate these permission. The plus sign throws me off here.

'-rw-r-----+  1 root   root    887 Jul 14 16:43 mydefaultdomain.net.pem'

When I run the 'amavisd genrsa' command I get the following permission set and when I add the appropriate lines in the '/etc/amavisd.conf' file and restart the amavisd service, it will not come back up complaining about permissions.

'-rw-------   1 root   root    891 Jul 16 00:56 mydomain1.com.pem'

A third site I have set up on the system works after doing a:

'chmod 777 mydomain2.com.pem'

resulting in the following:

'-rwxrwxrwx   1 root   root    887 Jul 15 15:06 mydomain2.com.pem'

So I am looking for THE magic chmod command to fix permissions for any sites I add and still have a secure file.


In regards to the catchall signing of every outgoing email by default I assume you are referring the last line in the '/etc/amavisd.conf' file that says the following?

'    # catchall defaults
    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },'

This line doesn't seem to be pointing to a key file like the 'dkim_key' line does. So would I still need to add a line similar to the following?

'dkim_key(".", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

Then comment out the one that was created by the install script?

'dkim_key("mydefaultdomain.net", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

Thank you for you assistance with these issues.

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 4,807

Re: DKIM signing for multiple virtual domains?

Steve wrote:

'-rw-r-----+  1 root   root    887 Jul 14 16:43 mydefaultdomain.net.pem'

Please use 'getfacl' command to check advance access control:

# getfacl mydefaultdomain.net.pem

So I am looking for THE magic chmod command to fix permissions for any sites I add and still have a secure file.

For security reason, it's not a good idea to make it world-readable, so we restrict it like this:

# setfacl -m u:amavis:r-- mydefaultdomain.net.pem

You can search 'setfacl' in iRedMail-x.y.z/functions/amavisd.sh.

In regards to the catchall signing of every outgoing email by default I assume you are referring the last line in the '/etc/amavisd.conf' file that says the following?

'    # catchall defaults
    '.' => { a => 'rsa-sha256', c => 'relaxed/simple', ttl => 30*24*3600 },'

This line doesn't seem to be pointing to a key file like the 'dkim_key' line does. So would I still need to add a line similar to the following?

'dkim_key(".", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

Then comment out the one that was created by the install script?

'dkim_key("mydefaultdomain.net", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

Thank you for you assistance with these issues.

Just make sure you have one 'dkim_key()', and it will use it as default DKIM pem.

5 Reply by Steve

  • Steve
  • Member
  • Offline
  • Registered: 2009-06-30
  • Posts: 11

Re: DKIM signing for multiple virtual domains?

# setfacl -m u:amavis:r-- mydefaultdomain.net.pem

Sweet, that worked great.

Just make sure you have one 'dkim_key()', and it will use it as default DKIM pem.

So was I right about the following code?

'dkim_key(".", "dkim", "/var/lib/dkim/mydefaultdomain.net.pem");'

As long as I replace a specific signing domain with "." it will sign all emails from all domains?

Thanks again for all your help.

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 4,807

Re: DKIM signing for multiple virtual domains?

hmm, Why not just give it a try?