On 27/03/2019 01:47, John Luk wrote:

> The funny thing is, there is no dkim_signature_options_bysender_maps found in our amavis conf, yet it has had no problem signing for domain1 and domain2 for years.

> https://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim-am-sign is a
> great link, thanks.  Although its point 7 for
> dkim_signature_options_bysender_maps says it is "Optional".

The thing is that if there is no match in dkim_signature_options_bysender_maps, amavis falls back to trying to sign with d=sender_domain.tld. In your previous setup you were using that fallback mechanism.

However, once you set up dkim_signature_options_bysender_maps with a catch-all entry ('.' matches everything), then amavis would start signing with d=others.com because it does find a match for "domain1.tld" saying so. That is, since there's a match, amavis won't be using the fallback logic anymore.

> And in point 2
> and point 3 one can already do "showkeys" and "testkeys" without adding
> dkim_signature_options_bysender_maps.  Also point 2 is for:
>
> "*2.* Add commands to amavisd.conf to load private keys, associate them
> with signing domains and selectors, and describe constraints (tags) to be
> published with public keys."
>
> So does it mean "dkim_key" has already defined the signing key for that
> sender domain?

You can read:

dkim_key('domain.tld', 'selector', '/path/to/file.key.pem');

As saying:

You have a key available to sign e-mails under the domain.tld domain (d=domain.tld) using the file.key.pem private key whose public counterpart should be published in the DNS record "selector._domainkey.domain.tld".

Then showkeys just shows you these definitions, and testkeys checks that the DNS records are actually published and correspond to the public counterpart of the specified private key file.

This is completely independent from the logic of deciding which signing domain (d=xxxx.tld) should be used for each particular e-mail (of course you can only sign with one of the signatures you have previously defined, but which one to use specifically is where dkim_signature_options_bysender_maps comes in).

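The two separate pieces of configuration discussed above (dkim_key definitions, and the bysender map that picks the d= domain per message), put side by side as an amavisd.conf excerpt. This is an added example, not configuration posted by anyone in the thread; the selector name, key paths, expiry values and the postmaster@ entry are placeholders chosen for illustration. It shows the catch-all-only map that causes domain1.tld mail to be signed as others.com, and the corrected map in which the more specific domain entries win.

```perl
# amavisd.conf excerpt (added example; domain names, selector, key paths
# and ttl values are placeholders, not anyone's production settings).
$enable_dkim_signing = 1;

# Docs step 2: load a private key and bind it to a signing domain (the
# future d= tag) and a selector (the label under _domainkey in DNS).
# `amavisd showkeys` prints the TXT records to publish for these and
# `amavisd testkeys` checks that DNS really carries them; neither command
# looks at the bysender map further down.
dkim_key('domain1.tld', 'sel2019', '/var/lib/amavis/dkim/domain1.tld.sel2019.pem');
dkim_key('domain2.tld', 'sel2019', '/var/lib/amavis/dkim/domain2.tld.sel2019.pem');
dkim_key('others.com',  'sel2019', '/var/lib/amavis/dkim/others.com.sel2019.pem');

# With no @dkim_signature_options_bysender_maps at all, amavis signs with
# d=<sender domain> whenever a key for that domain is loaded; that is the
# fallback the original setup relied on.

# The map the thread warns about: only a catch-all entry. '.' matches every
# sender, so mail from user@domain1.tld is signed with d=others.com even
# though a domain1.tld key is loaded, because a match is found and the
# fallback is never consulted.
# @dkim_signature_options_bysender_maps = ( {
#   '.' => { d => 'others.com', a => 'rsa-sha256', ttl => 21*24*3600 },
# } );

# Corrected map. The lookup is by sender address and the most specific
# entry wins (a full address before its domain, a domain before its parent
# domains, '.' last), so domains that must sign as themselves get their
# own entries and '.' only covers everything else.
@dkim_signature_options_bysender_maps = ( {
  # one mailbox can carry its own options, here a shorter signature expiry
  'postmaster@domain1.tld' => { d => 'domain1.tld', a => 'rsa-sha256', ttl => 7*24*3600 },
  'domain1.tld' => { d => 'domain1.tld', a => 'rsa-sha256', c => 'relaxed/simple', ttl => 21*24*3600 },
  'domain2.tld' => { d => 'domain2.tld', a => 'rsa-sha256', c => 'relaxed/simple', ttl => 21*24*3600 },
  # all other senders sign as others.com; drop this entry if unmatched
  # senders should instead fall back to d=<sender domain> as described above
  '.'           => { d => 'others.com',  a => 'rsa-sha256', c => 'relaxed/simple', ttl => 21*24*3600 },
} );
```

Each d= value in the map must name a domain for which a dkim_key line is loaded, otherwise there is no key to sign with; after editing, `amavisd showkeys` and `amavisd testkeys` confirm the key side, and a test message from each domain (checked with a DKIM-verifying recipient) confirms which d= the map actually selects.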