1

Topic: Generating multiple DKIM keys and records, one per domain

==== Required information ====
- iRedMail version (check /etc/iredmail-release):  0.9.5-1
- Linux/BSD distribution name and version: FreeBSD 10.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:

Greetings. For administrative reasons I will need to define different DKIM certs and keys and DNS records for each domain hosted on this iRedMail server.

Various websites about OpenSSL say this is OK (and some encourage periodic regeneration of DKIM keys and records),
but how to do this with iRedMail?

The documents cover generating the DKIM record in DNS but not creation of the cert/key pair. Also, what changes to amavisd configuration are needed? I searched the forums but didn't find this, though maybe I missed it.

Finally, a bug note: At least on FreeBSD, the existing private key in /var/lib/dkim is world-readable. Should it be 0440?

Thanks in advance.

====


2

Re: Generating multiple DKIM keys and records, one per domain

Here seems to be pretty good explanation how to set up DKIM for multiple domains, worked for me perfectly: http://www.iredmail.org/docs/sign.dkim. … omain.html

3

Re: Generating multiple DKIM keys and records, one per domain

RikuS wrote:

Here seems to be pretty good explanation how to set up DKIM for multiple domains, worked for me perfectly: http://www.iredmail.org/docs/sign.dkim. … omain.html

Thanks for this. It worked fine for me.

A couple of notes:

1. The DKIM key generated at system installation time has insecure permissions, and is world-readable. It should not be group- or world-readable. Several of the sources I read today recommended periodic rotation of DKIM keys (say, once per quarter), and amavisd generates new keys with 0600 permissions.

Also, I generated 2048-bit keys, vs. the 1024-bit one generated on installation, and had no trouble loading it into DNS (I run my own DNS).

2. The docs give the command as "amavisd-new" which is true on some Linuxes. On others, and on FreeBSD, it's "amavisd."

Thanks again!

4

Re: Generating multiple DKIM keys and records, one per domain

cvcvelo wrote:

Finally, a bug note: At least on FreeBSD, the existing private key in /var/lib/dkim is world-readable. Should it be 0440?

The key was generated by Amavisd, and it will set correct owner and permission, so I don't get why it's not 0400 on FreeBSD. Will check this later.

BTW, it's 0400 on Linux/OpenBSD.

cvcvelo wrote:

Several of the sources I read today recommended periodic rotation of DKIM keys (say, once per quarter), and amavisd generates new keys with 0600 permissions.

I didn't find any article that mentions this; would you mind sharing the articles (links)?

By the way, I don't get why you need to change the DKIM key periodically, because no one knows your private key (the one under /var/lib/dkim/).

cvcvelo wrote:

Also, I generated 2048-bit keys, vs. the 1024-bit one generated on installation, and had no trouble loading it into DNS (I run my own DNS).

Not all DNS vendors support 2048-bit key for TXT type record, so we use 1024 instead.

cvcvelo wrote:

2. The docs give the command as "amavisd-new" which is true on some Linuxes. On others, and on FreeBSD, it's "amavisd."

Updated doc to mention this.
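Post 3 reports that a 2048-bit key loaded fine into self-run DNS and post 4 answers that not all DNS vendors accept one in a TXT record; the underlying limit is the 255-octet TXT character-string, so a 2048-bit DKIM record has to be published as two quoted strings while a 1024-bit one fits in a single string. The Python below is added here and is not part of the thread or of iRedMail: it builds the record from a base64 public key, splits it at the 255-octet boundary, and audits a private key's mode for the group/world-readable problem raised in posts 1 and 3. The selector name `dkim`, the domain `example.com` and the key bytes are constructed assumptions, not real keys.

```python
import base64
import os
import stat

# A DNS TXT record is a sequence of character-strings of at most 255 octets
# (RFC 1035); a DKIM verifier concatenates them. A 1024-bit key fits in one
# string, a 2048-bit key does not, which is what some DNS panels reject.
MAX_TXT_STRING = 255


def dkim_txt_strings(pubkey_b64, max_len=MAX_TXT_STRING):
    """Return the DKIM TXT value split into <=255-octet strings."""
    value = "v=DKIM1; k=rsa; p=" + pubkey_b64
    return [value[i:i + max_len] for i in range(0, len(value), max_len)]


def dkim_zone_record(selector, domain, pubkey_b64):
    """Zone-file line for selector._domainkey.domain, multi-string if needed."""
    name = "%s._domainkey.%s." % (selector, domain)
    quoted = " ".join('"%s"' % s for s in dkim_txt_strings(pubkey_b64))
    return "%s IN TXT ( %s )" % (name, quoted)


def private_key_mode_problems(st_mode):
    """Permission bits a DKIM private key must not have (group/other access)."""
    problems = []
    if st_mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP):
        problems.append("group-accessible")
    if st_mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        problems.append("world-accessible")
    return problems


def check_private_key(path):
    """Audit an on-disk key such as the one under /var/lib/dkim/; [] means OK."""
    return private_key_mode_problems(os.stat(path).st_mode)


# Constructed stand-ins with the real DER lengths: a 1024-bit RSA
# SubjectPublicKeyInfo is 162 bytes (216 base64 chars), a 2048-bit one is
# 294 bytes (392 chars). No real key is generated, so this runs offline.
PUB_1024_B64 = base64.b64encode(b"\x30" * 162).decode()
PUB_2048_B64 = base64.b64encode(b"\x30" * 294).decode()

if __name__ == "__main__":
    for bits, key in ((1024, PUB_1024_B64), (2048, PUB_2048_B64)):
        print("%d-bit key: %d TXT string(s)" % (bits, len(dkim_txt_strings(key))))
        print(dkim_zone_record("dkim", "example.com", key))
    print("mode 0644 problems:", private_key_mode_problems(0o100644))
```

Run `check_private_key("/var/lib/dkim/dkim.pem")` (path assumed) on the mail host to reproduce the world-readable finding from post 1; an empty list means the mode is 0400 or 0600 as amavisd intends.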