Hello Jean,
Multi-hosted DKIM is a common need I have seen popping up several times, and I
support an initiative to improve this.
Your diagnostic is correct. Today this can only be achieved by writing a
complex mailetcontainer.xml file with one DKIMSign mailet per domain.
I would see a generic loading mechanism, where:
- We create a DKIMConfigurationLoader interface
- Implement a DefaultDKIMConfiguration loader defaulting to today's behaviour
- Have a DKIMConfigurationLoaderClass property within DKIMSign configuration
- Use a guice loader to instantiate the configured configuration loader,
potentially reading user supplied value from external-jars
- We *could* then supply storage based solutions (jpa, cassandra, postgres,
etc...) that can be relied upon as extensions (present on the classpath but
needing explicit configuration to be "activated") and administered via a
dedicated webadmin interface.
(This is a ticket I have had on the Linagora backlog for quite some time)
I am interested in taking part in such an effort.
(Hopefully in the coming month I should have the infrastructure to host a Lyon
based code camp on the topic!)
> Shouldn't dkim information be configured/provided in the same place as the
> domains are configured ?
My point of view:
This would make sense for a *static* list of domains explicitly configured.
In the above proposal this *could* be a possible DKIMConfigurationLoader
implementation. However, even though this is an improvement over the current
situation, this behaviour is not dynamic: adding a new domain requires
re-configuration and reboot.
Best regards,
Benoit

On Aug 28, 2024 9:01 AM, from Jean Helou
Hello,
I'm not sure how to configure the DKIM mailet in a multi hosting scenario.
The documentation at james.apache.org/howTo/dkim.html offers the
following snippet
<processors>
  <processor state="relay" enableJmx="true">
    <mailet match="All" class="org.apache.james.jdkim.mailets.DKIMSign">
      <signatureTemplate>v=1; s=james3; d=domain.example.com ; h=from
: reply-to : subject : date : to : cc : resent-date : resent-from :
resent-sender : resent-to : resent-cc : in-reply-to : references :
list-id : list-help : list-unsubscribe : list-subscribe : list-post :
list-owner : list-archive; a=rsa-sha256; bh=; b=;</signatureTemplate>
      <privateKey>
-----BEGIN RSA PRIVATE KEY-----
[Your Private Key]
-----END RSA PRIVATE KEY-----
      </privateKey>
    </mailet>
  </processor>
</processors>
However this means that the domain is hard coded and works only in a single
domain hosting scenario.
Am I supposed to configure a dkim processor for each domain I'm hosting
even if the rest of the configuration is the same ?
This doesn't seem to align well with configuring the hosted domains through
the REST API and even when using the domainlist.xml file it means duplicate
declarations ...
(maybe I misunderstand the use of the api for administering domains in
james.apache.org/server/manage-webadmin.html#Administrating_domains)
Shouldn't dkim information be configured/provided in the same place as the
domains are configured ?
Thanks !
jean
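
The loader mechanism proposed in the reply at the top of this thread, as an added Java sketch; it is not code from James, jDKIM or either poster. Apart from the DKIMConfigurationLoader name taken from the reply, every type, method and value below (DkimConfiguration, InMemoryLoader, staticLoader, the load signature, the sample domains) is hypothetical.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch of the proposed loader; none of these types exist in James or jDKIM.
public class DkimLoaderSketch {
    /** Per-domain signing material: selector (s=), signing domain (d=) and PEM private key. */
    record DkimConfiguration(String selector, String domain, String privateKeyPem) {
        String signatureTemplate(String headers) {
            return "v=1; s=" + selector + "; d=" + domain + "; h=" + headers
                + "; a=rsa-sha256; bh=; b=;";
        }
    }

    /** The extension point: resolve signing material for the sender's domain at signing time. */
    interface DKIMConfigurationLoader {
        Optional<DkimConfiguration> load(String senderDomain);
    }

    /** Today's behaviour: one static configuration, returned only for its own domain. */
    static DKIMConfigurationLoader staticLoader(DkimConfiguration conf) {
        return d -> normalize(d).equals(normalize(conf.domain())) ? Optional.of(conf) : Optional.empty();
    }

    /** Dynamic variant: entries can be registered at runtime, without a restart. */
    static class InMemoryLoader implements DKIMConfigurationLoader {
        private final Map<String, DkimConfiguration> byDomain = new ConcurrentHashMap<>();
        void register(DkimConfiguration conf) {
            byDomain.put(normalize(conf.domain()), conf);
        }
        @Override
        public Optional<DkimConfiguration> load(String senderDomain) {
            return Optional.ofNullable(byDomain.get(normalize(senderDomain)));
        }
    }

    // Domain names are case-insensitive, so normalise before comparing or looking up.
    static String normalize(String domain) {
        return domain.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        InMemoryLoader loader = new InMemoryLoader();
        // Constructed sample entry; the key is a placeholder, not real key material.
        loader.register(new DkimConfiguration("james3", "a.example", "<placeholder PEM>"));
        System.out.println(loader.load("A.Example").map(c -> c.signatureTemplate("from : to : subject")));
        System.out.println(loader.load("b.example")); // unknown domain: no fallback to another domain's key
    }
}
```

Returning an empty result for an unregistered domain lets the caller skip signing instead of emitting a signature whose d= does not match the sender's domain.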