1

So, at the moment I am signing mails from specific domains using opendkim and this works. But when I try to send mails from domains that opendkim does not know, they are not signed.

What I want to do is to make opendkim sign all emails going through postfix using a single domain, just like mailchimp etc. are doing.

Example: I am sending emails from myname@mydomain.com using mailchimp, and the signature is something like the following:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1; 
  d=mail2.suw13.rsgsv.net;
  h=Subject:From:Reply-To:To:Date:Message-ID:
    List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; 
  i=*****mydomain.com@mail2.suw13.rsgsv.net; 
  bh=4Rla76/wHV31ER3IZqXOuA09j3OG2SuFbfD5Jc7Kn94=;  
  b=17jmyvz05JfeNC+avqWJmtESF2A58LA/CievFVtQ0sqwo4FYKAP
    0Gfpjtc5LSG7tr9ntS5CziAgSOa+UyEjRP3AhZOOXDFoQMUG0gn
    tqxg/gP074Vi7Hy0XvFzAiJYZfAhijwvaroY45hjuX+RN3nQ0xT
    fhWem5mv3+VVYpwvUo=

How do I achieve this?

BQffen

3 Answers

1

opendkim always decides “itself” whether it signs or not (otherwise it verifies). You can only manipulate its decision and convince it to sign with:

  1. have key material available for the email in question
  2. let the MTA send a predetermined key-value pair to opendkim

The following lines are the crucial elements to my “sign all” configuration:

/etc/opendkim.conf

SigningTable csl:*=key1
KeyTable     csl:key1=example.org:selector:/etc/dkimkeys/key.private
MacroList    csl:{dkimsign}=yes,dkimsign=yes
Socket       local:/var/spool/postfix/opendkim/opendkim.sock

Line 1: use “key1” for all domains
Line 2: In the DKIM-Signature header use “d=example.org; s=selector;” and use that private key for signing
Line 3: request {dkimsign} and dkimsign from the MTA and sign the email if any of them is set to yes (see Notes below)
Line 4: socket for communication with MTA
Lines 1 and 2 fulfil point 1 from above; line 3 is for point 2 from above.

/etc/postfix/main.cf

milter_macro_defaults = dkimsign=yes
smtpd_milters = unix:opendkim/opendkim.sock
non_smtpd_milters = unix:opendkim/opendkim.sock

Line 1: set the dkimsign attribute to yes
Lines 2 and 3: socket to use to reach the filter app (same as for opendkim above, but relative to the postfix chroot...)

Notes:

  • opendkim’s surprises
    • option Mode=s does not force signing
    • option LogWhy does not log why
    • there is nothing on standard out/error even without SysLog
  • neither opendkim nor postfix have proper
  • something is buggy: opendkim needs to request {dkimsign} and dkimsign (or any other attribute, but with and without braces), otherwise it does not work; might also be the fault of postfix
1

Like this answer, the trick lies in the use of SigningTable and KeyTable:

/etc/opendkim.conf

...
SigningTable    refile:/etc/mail/dkim_signing_table
KeyTable        csl:keyname=example.com:selector:/etc/mail/selector.key 

/etc/mail/dkim_signing_table

* keyname

So the SigningTable maps all domains to a key, and the KeyTable provides a domain/selector for the keyname.

danblack
0

In your example, the message isn't signed for your own domain, but for d=mail2.suw13.rsgsv.net instead. MailChimp has that as their default authentication, but it recommends using Custom Domain Authentication, i.e. having its own DKIM authentication for every domain.

It removes the default MailChimp authentication information ("via mcsv.net" or "on behalf of mcsv.net") that shows up next to your campaign's From name in certain email clients.

For the same reason you shouldn't try to have a single domain for signing messages for all domains.

Esa Jokinen
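To make the last answer's point concrete (and to show what the "sign everything with one key" setups from the first two answers produce for a foreign From domain), here is an added example, not code from any of the answers: it parses a DKIM-Signature value like the one in the question and reports whether its d= domain is DMARC-aligned with the From domain. The sample header is the question's own (b= shortened), and the organizational-domain helper is a deliberate simplification (last two labels, no Public Suffix List).

```python
import re

# Constructed sample: the folded MailChimp header from the question (b= shortened).
MAILCHIMP_SIG = """v=1; a=rsa-sha256; c=relaxed/relaxed; s=k1;
  d=mail2.suw13.rsgsv.net;
  h=Subject:From:Reply-To:To:Date:Message-ID:
    List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version;
  i=*****mydomain.com@mail2.suw13.rsgsv.net;
  bh=4Rla76/wHV31ER3IZqXOuA09j3OG2SuFbfD5Jc7Kn94=;
  b=17jmyvz05JfeNC+avqWJmtESF2A58LA/CievFVtQ0sqwo4FYKAP"""


def parse_dkim_tags(value):
    """Parse a DKIM-Signature value (RFC 6376 tag=value list) into a dict.
    Folding whitespace inside values is dropped; only the first '=' separates
    tag from value, so base64 padding '=' in b= / bh= survives intact."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue
        name, val = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels. A real DMARC
    evaluator consults the Public Suffix List (e.g. example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_alignment(from_addr, sig_value, strict=False):
    """Return 'strict', 'relaxed' or 'none': how the signature's d= domain
    aligns with the RFC5322.From domain (DMARC identifier alignment)."""
    d = parse_dkim_tags(sig_value).get("d", "").lower()
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    if not d:
        return "none"
    if d == from_domain:
        return "strict"
    if not strict and org_domain(d) == org_domain(from_domain):
        return "relaxed"
    return "none"


if __name__ == "__main__":
    # MailChimp default: the signature verifies, but it does nothing for mydomain.com's DMARC.
    print(dkim_alignment("myname@mydomain.com", MAILCHIMP_SIG))  # none
    # The single-key opendkim setup behaves the same for any From domain other than example.org.
    print(dkim_alignment("user@other-domain.com", "v=1; d=example.org; s=selector;"))  # none
    print(dkim_alignment("user@example.org", "v=1; d=example.org; s=selector;"))  # strict
    print(dkim_alignment("user@news.example.org", "v=1; d=example.org; s=selector;"))  # relaxed
```

A signature that verifies but is unaligned still lets the message pass plain DKIM checks; it just cannot satisfy a p=quarantine/reject DMARC policy on the From domain, which is the practical reason to sign each domain with its own key.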