I have a postfix/amavis relay server, with the domain name mail.example.com. It will be a relay for dozens of VPS's, which will have domains like hostname.example.net.

So I have actually two questions. Is it possible to use DKIM to sign the mails originating from the VPS's over the postfix relay on the relay server? Or do the mails have to be signed on the VPS's where they actually come from?

Would an amavis configuration like this be ok?

    # DKIM key
    dkim_key('example.com', 'dkim', '/var/dkim/DKIMkey.pem');

    # Cover subdomains in @dkim_signature_options_bysender_maps:
    @dkim_signature_options_bysender_maps = ( {
        # Sign mail from all subdomains of example.net with the example.com key.
        '.example.net' => { d => 'example.com' },
    } );

Or have I misunderstood the whole concept? Do I even need to sign subdomains if they are going over a relay server, or is it enough to just sign the relay server domain?

Rex
Danijel Krmar

2 Answers

I have resolved this question with OpenDKIM by using SigningTable, KeyTable and TrustedHost parameters.

  • /etc/opendkim/KeyTable - a list of keys available for signing
  • /etc/opendkim/SigningTable - a list of domains and accounts allowed to sign
  • /etc/opendkim/TrustedHosts - a list of servers to trust when signing or verifying

The guide I used can be found on this blog

masegaloeh
Danijel Krmar
  • Never a good idea to just send us out to another site without copying the important details here. The link you reference is now dead! – wruckie May 14 '21 at 14:59

I know that this is really old, but I fought this for days.

I am presuming that you already have 1) DKIM installed, 2) DKIM working on messages that are generated in the main relay server for each domain in question and 3) your relayed messages sending (just unsigned). If you do not, take the time to fix that part before you add the complexity of signing mail from other sending VPS's.

After it was working on the main relay server, the only thing that I had to do to get dkim signing enabled for messages from a new VPS was...

  • On the main relay, add the VPS IP/domain name to the /etc/opendkim/TrustedHosts file. This gave the necessary trust.
  • On each VPS, add the domain name that I wanted my messages signed as to the /etc/hosts file. This has to match working DKIM domains already in use on the main relay. This helped set the correct value in the email headers.

The last step is a little counterintuitive. But it was the last step that made everything else work.


    127.0.0.1   localhost
    127.0.1.1    example.com sub.example.com
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ...
wruckie
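To make the two answers concrete, here is an added Python model (not code from either answer or from OpenDKIM itself) of how the relay consults the three files: TrustedHosts decides whether a connecting VPS is allowed to have its mail signed, SigningTable maps the sender pattern (including `*.example.net` subdomains) to a key name, and KeyTable resolves that name to the d= domain, selector and key file. The table contents, the 203.0.113.0/24 VPS range and the key path under /etc/opendkim/keys are constructed assumptions; hostname entries in TrustedHosts are skipped because this offline check does no DNS.

```python
import fnmatch
import ipaddress

# Constructed tables for the relay mail.example.com. Selector "dkim" and the
# example.com/example.net domains come from the question; the key path is assumed.
KEY_TABLE = """
# keyname   domain:selector:private-key-path
relaykey    example.com:dkim:/etc/opendkim/keys/example.com/dkim.private
"""
SIGNING_TABLE = """
# sender glob (SigningTable is loaded as refile:)   keyname
*@example.com       relaykey
*@*.example.net     relaykey
"""
TRUSTED_HOSTS = """
# relay itself plus the constructed VPS range (TEST-NET-3)
127.0.0.1
::1
203.0.113.0/24
"""

def parse_table(text):
    """Split an OpenDKIM-style table into rows, dropping comments and blanks."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [row for row in rows if row]

def is_trusted(peer_ip, hosts=TRUSTED_HOSTS):
    """True when the connecting peer falls inside a TrustedHosts IP or CIDR entry."""
    ip = ipaddress.ip_address(peer_ip)
    for (entry,) in parse_table(hosts):
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            pass  # hostname entry: needs DNS, not resolved in this offline model
    return False

def signing_key(sender, signing=SIGNING_TABLE, keys=KEY_TABLE):
    """Return (domain, selector, keyfile) for the first matching SigningTable glob,
    or None when nothing matches (the message leaves the relay unsigned)."""
    keytab = {name: spec.split(":", 2) for name, spec in parse_table(keys)}
    for pattern, keyname in parse_table(signing):
        if fnmatch.fnmatchcase(sender.lower(), pattern.lower()):
            return tuple(keytab[keyname])
    return None

def relay_decision(peer_ip, sender):
    """What the relay does with a message from peer_ip claiming this From: address."""
    if not is_trusted(peer_ip):
        return "verify-only"  # untrusted peer: signatures are verified, never added
    key = signing_key(sender)
    return "unsigned" if key is None else f"sign d={key[0]} s={key[1]}"
```

A VPS outside TrustedHosts is never signed for, no matter how well its From: domain matches, which is why the second answer's TrustedHosts step is the one that unlocks signing.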