At 12:24 26-06-2009, Nate wrote:
>We run outbound spam filtering servers for many domains. We are
>constantly adding and deleting domains, and the current docs seem to
>imply the only way to sign all these domains is to specify each
>domain in the keylist file.
>
>While this could be done, it would be a severely long file, and our
>purpose is to sign ALL outgoing messages for every domain using the same key.

You can use:

  *...@*:example.net:/var/dkim/keys/default

>The result would be if the sender's IP matches an IP within the
>trusted-hosts file, it signs the message using the default key no
>matter what from the sender domain. We can publish the public key in
>DNS for each domain as well.

You don't need to publish the public key for each domain as you are only using example.net as the signing domain.

>Note, this configuration works, but it signs messages from any domain
>with the genericdomain.com key. This method seems to somewhat defeat
>the purpose of DKIM because I think the recipient's server would
>ideally like the key signed from the domain in the FROM address for
>maximum reliability.

As you do not want to edit the keylist file, the only way to do this is to modify the dkim-filter.c code and get the signing domain from the "From:" header. The problem is that you can end up signing the "wrong" domain.

Regards,
-sm
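The difference between the signing domain and the From: domain discussed in this message can be checked on any signed mail. The following is an added example, not part of the original post and not code from dkim-milter: it reads the d= and s= tags of each DKIM-Signature header, builds the DNS name a verifier queries for the public key, and reports whether d= matches the From: domain. The author domain customer-a.example and the selector "default" are constructed values.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the author domain customer-a.example and the selector
# "default" are assumptions; example.net is the shared signing domain.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net;\n"
    "\ts=default; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER\n"
    "From: Alice <alice@customer-a.example>\n"
    "To: bob@recipient.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def parse_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant here.
            tags[name.strip()] = "".join(val.split())
    return tags


def signing_domains(raw_message):
    """Return (author_domain, [(d, key_query_name, matches_from), ...])."""
    msg = message_from_string(raw_message)
    author = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d = tags.get("d", "").lower()
        s = tags.get("s", "")
        # The verifier fetches the public key from <s>._domainkey.<d>, so only
        # the signing domain has to publish it, not each From: domain.
        found.append((d, f"{s}._domainkey.{d}", d == author))
    return author, found


if __name__ == "__main__":
    author, sigs = signing_domains(SAMPLE)
    for d, qname, same in sigs:
        kind = "author-domain" if same else "third-party"
        print(f"From: domain {author}; d={d} ({kind}); key at {qname}")
```
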
