3

Motivation

The private shopping website GILT sends periodic update emails from giltgroupe.bounce.ed10.net; however, all of the mails are signed with the domain keys of giltgroupe.com.

mailed-by giltgroupe.bounce.ed10.net

signed-by giltgroupe.com

My Story

I couldn't manage to sign x.com with y.com's domain key using dk-filter under Debian Lenny with postfix.

If I try to init the dk-filter service with the following arguments:

DAEMON_OPTS="$DAEMON_OPTS -d x.com,y.com -c nofws -k -i /var/dk-filter/internal_hosts -s /etc/dk-keys.conf"

dk-filter service signs with domain x.com (d=x.com)

If I change the daemon args as follows:

DAEMON_OPTS="$DAEMON_OPTS -d x.com -c nofws -k -i /var/dk-filter/internal_hosts -s /etc/dk-keys.conf"

then emails sent from y.com are not being signed.

The dk-keys.conf file is as follows:

*:/var/dk-filter/y.com/mail

I managed to do the same thing with DKIM, and it works perfectly. However, DK doesn't seem to work. I don't have any problem signing y.com's emails with y.com's key and x.com's emails with x.com's key, which indicates there is no configuration problem.

Do you have any experience/advice to make it possible to sign emails from multiple domains by a specific chosen domain?

Lashae
  • I'm running into this problem as well. Currently I'm forced to just create DNS entries for every domain I may send from which works but is time consuming. As you pointed out DKIM has a solution for this problem, so it seems reasonable DomainKeys would as well. – Brian Armstrong Jan 20 '11 at 09:24

3 Answers

1

I'm finding that with DKIM this works fine, as you can specify a domain to "sign" from, i.e. email is from y.com, but in the DKIM-Signature: d=x.com. With dk-filter, though, each signing-domain remains the host domain in the from: address, i.e. From: name@y.com == DomainKeys-Signature: d=y.com, even if you're using the KEY from x.com.

So even though you may be able to sign y.com's emails from x.com's key, the signing-domain will always be y.com and as such you still need to create separate s._domainkey entries for EACH domain.

Jeff
1

Though it's been a while, ran into this problem, found this post, found some other docs here:

http://www.elandsys.com/resources/sendmail/dkim.html

-d domain [,...] A comma-separated list of domains whose mail should be signed by this filter. Mail from other domains will be verified rather than being signed. [ ... ] In either case, the domain name(s) may contain the special character "*" which is treated as a wildcard character matching zero or more characters in a domain name.

So, I used something like

-d *.ro,*.eu

for signing all of the .ro and .eu domains. Works beautifully, signatures matching sending domain. Of course, you still have to insert the public key in each domain's DNS zone, but that's easy if you use the same key for all the domains.

Using Ubuntu 10.04, postfix 2.7.0, dk-filter 1.0.0

Adrian
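An added example (not code from the answers above or from dk-filter) that makes the point of the two preceding answers checkable: it reads the d= and s= tags of each DomainKey-Signature and DKIM-Signature header, compares d= with the From: domain, and lists the `<selector>._domainkey.<domain>` TXT records a verifier will look up. The sample message, the selector `mail` and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the page): mail from y.com carrying a DomainKeys
# signature (d= follows the From domain) and a DKIM signature (d= set to x.com).
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=x.com; s=mail;
\th=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
DomainKey-Signature: a=rsa-sha1; c=nofws; d=y.com; s=mail; q=dns;
\tb=CONSTRUCTED
From: Alice <alice@y.com>
To: bob@example.org
Subject: test

body
"""

def parse_tags(value):
    """Split a 'k=v; k=v' signature header (possibly folded) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def signing_report(raw):
    """Return (header, d=, DNS TXT name, relation of d= to From domain)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rows = []
    for header in ("DomainKey-Signature", "DKIM-Signature"):
        for value in msg.get_all(header, []):
            tags = parse_tags(value)
            d, s = tags.get("d", "").lower(), tags.get("s", "")
            if not d or not s:
                continue  # malformed signature: nothing to look up
            if d == from_domain:
                relation = "same"
            elif from_domain.endswith("." + d):
                relation = "parent"
            else:
                relation = "third-party"
            rows.append((header, d, f"{s}._domainkey.{d}", relation))
    return rows

def dns_records_needed(raw):
    """TXT record names that must hold a public key for this message."""
    return sorted({row[2] for row in signing_report(raw)})
```
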
0

You need to create a txt file (for example /etc/dk-domains.conf) with one domain per line and add it to the dk-filter config file (/etc/default/dk-filter in Debian & derivatives).

Don't forget to change the owner of this file to "dk-filter".

My /etc/default/dk-filter file looks like this:

DAEMON_OPTS="-l -i /etc/mail/dkim/trusted_hosts -k -s /etc/dk-keys.conf -d /etc/dk-domains.conf"
SOCKET="inet:12345@localhost"

Good luck.

Jefferson Pugliese Network Manager at Enter On Line

quanta
  • Hi Jefferson - I tried this approach just now, and while it does sign emails for all those domains, the signature still has the wrong domain in it which is I think what Lashae was asking about. So unfortunately this doesn't solve it. As a small side note, you can also just enter '*' in that file and it will sign mail for all domains (still with the wrong domain in the header). – Brian Armstrong Jan 20 '11 at 09:12