
So, at the moment I am signing mails from specific domains using opendkim and this works. But when I try to send mails from domains that opendkim does not know, they are not signed.

What I want to do is to make opendkim sign all emails going through postfix using a single domain, just like mailchimp etc. is doing.

Example: I am sending emails from myname@mydomain.com using mailchimp, and the signature is something like the following:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; 
  d=mail2.suw13.rsgsv.net;
  h=Subject:From:Reply-To:To:Date:Message-ID:
    List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; 
  i=*****mydomain.com@mail2.suw13.rsgsv.net; 
  bh=4Rla76/wHV31ER3IZqXOuA09j3OG2SuFbfD5Jc7Kn94=;  
  b=17jmyvz05JfeNC+avqWJmtESF2A58LA/CievFVtQ0sqwo4FYKAP
    0Gfpjtc5LSG7tr9ntS5CziAgSOa+UyEjRP3AhZOOXDFoQMUG0gn
    tqxg/gP074Vi7Hy0XvFzAiJYZfAhijwvaroY45hjuX+RN3nQ0xT
    fhWem5mv3+VVYpwvUo=

How do I achieve this?

Robert Siemer
BQffen
  • You cannot achieve this at all, as DKIM has two parts to configure. opendkim is one side, the other side is to put the public keys for your domain into a DNS record. So a "catch all" configuration cannot work as opendkim does not know which key to use for which domain or even if one of its keys is correct for the domain. – allo Jan 29 '18 at 15:49
  • If you want to use some automation, you can try a tool like ansible to generate opendkim configurations and DNS zonefiles for your domains. – allo Jan 29 '18 at 15:50
  • I see your point. But what am I missing? I received an email from and would like to do the same. Example: Company Support via mail136-21.atl41.mandrillapp.com, and later: signed by: mail136-21.atl41.mandrillapp.com How do they achieve this? – BQffen Feb 27 '18 at 20:09
  • @allo A “catchall” configuration can indeed sign with _your_ domain all Email, no matter where from. – If the receiver gives credit to signatures like that is a different topic. (The receiver can at least be sure, that it passed the signing mail server.) – Robert Siemer Feb 03 '22 at 19:24

3 Answers


Like this answer, the trick lies in the use of SigningTable and KeyTable:

/etc/opendkim.conf

...
SigningTable    refile:/etc/mail/dkim_signing_table
KeyTable        csl:keyname=example.com:selector:/etc/mail/selector.key 

/etc/mail/dkim_signing_table

* keyname

So the SigningTable maps all domains to a key, and the KeyTable provides a domain/selector for the keyname.

danblack

opendkim always decides “itself” if it signs or not (then it verifies). You can only manipulate its decision and convince it to sign with:

  1. have key material available for the email in question
  2. let the MTA send a predetermined key-value pair to opendkim

The following lines are the crucial elements to my “sign all” configuration:

/etc/opendkim.conf

SigningTable csl:*=key1
KeyTable     csl:key1=example.org:selector:/etc/dkimkeys/key.private
MacroList    csl:{dkimsign}=yes,dkimsign=yes
Socket       local:/var/spool/postfix/opendkim/opendkim.sock

Line 1: use “key1” for all domains
Line 2: In the DKIM-Signature header use “d=example.org; s=selector;” and use that private key for signing
Line 3: request {dkimsign} and dkimsign from the MTA and sign the email if any of them is set to yes (see Notes below)
Line 4: socket for communication with MTA
Line 1 and 2 fulfill the 1. from above, Line 3 is for 2. from above.

/etc/postfix/main.cf

milter_macro_defaults = dkimsign=yes
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = unix:opendkim/opendkim.sock

Line 1: set the dkimsign attribute to yes
Line 2 and 3: socket to use to reach the filter app (same as for opendkim above, but relative to the postfix chroot...)

Notes:

  • opendkim’s surprises
    • option Mode=s does not force signing
    • option LogWhy does not log why
    • there is nothing on standard out/error even without SysLog
  • neither opendkim nor postfix have proper
  • something is buggy: opendkim needs to request {dkimsign} and dkimsign (or any other attribute, but with and without braces), otherwise it does not work; might also be the fault of postfix
Robert Siemer

In your example, the message isn't signed for your own domain, but for d=mail2.suw13.rsgsv.net, instead. MailChimp has that as their default authentication, but it recommends using Custom Domain Authentication, i.e. having its own DKIM authentication for every domain.

It removes the default MailChimp authentication information ("via mcsv.net" or "on behalf of mcsv.net") that shows up next to your campaign's From name in certain email clients.

For the same reason you shouldn't try to have a single domain for signing messages for all domains.

Esa Jokinen
  • According to the spirit of the RFCs you should even try to sign each type of message in a domain with a different signing domain. – danblack Aug 19 '18 at 11:48
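The check a receiving side applies to a header like the one in the question, written here as an added example (it is not code from any of the answers or from opendkim): it parses the DKIM-Signature tag list, confirms the i=/d= relationship RFC 6376 requires, and tests DMARC identifier alignment between the From domain and d=. The function names and the two-label shortcut for the organizational domain are my assumptions; the sample header is constructed from the one in the question with the b= value truncated.

```python
import re

# Constructed sample based on the header shown in the question; the b= value is truncated.
SAMPLE_HEADER = """v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1;
  d=mail2.suw13.rsgsv.net;
  h=Subject:From:Reply-To:To:Date:Message-ID:
    List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
  i=*****mydomain.com@mail2.suw13.rsgsv.net;
  bh=4Rla76/wHV31ER3IZqXOuA09j3OG2SuFbfD5Jc7Kn94=;
  b=17jmyvz05JfeNC+avqWJmtESF2A58LA/CievFVtQ0sqwo4FYKAP"""


def parse_dkim_signature(value: str) -> dict:
    """Parse a DKIM-Signature tag=value list (RFC 6376, section 3.2)."""
    # Folding whitespace is insignificant in the tag list, so strip it first.
    unfolded = re.sub(r"\s+", "", value)
    tags = {}
    for item in unfolded.split(";"):
        if item:  # skip the empty element left by a trailing ';'
            name, _, val = item.partition("=")  # b= and bh= contain '=' padding
            tags[name] = val
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption).
    Real DMARC consults the Public Suffix List; this is wrong for co.uk-style suffixes."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def agent_identity_ok(tags: dict) -> bool:
    """RFC 6376 requires the i= domain to be d= or a subdomain of it; absent i= defaults to @d."""
    i_domain = tags.get("i", "").rsplit("@", 1)[-1].lower()
    d = tags.get("d", "").lower()
    return not i_domain or i_domain == d or i_domain.endswith("." + d)


def dmarc_dkim_alignment(from_addr: str, tags: dict, strict: bool = False) -> bool:
    """True if d= is aligned with the RFC5322.From domain (DMARC adkim=s or adkim=r)."""
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    d = tags.get("d", "").lower()
    if strict:
        return from_domain == d
    return org_domain(from_domain) == org_domain(d)
```

For the question's header, d=mail2.suw13.rsgsv.net is a valid signature but is not aligned with myname@mydomain.com, so a receiver's DMARC evaluation gets no aligned DKIM identifier from it; that is the practical consequence of signing every domain with one d= that the last answer warns about.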