http://www.iredmail.org/docs/sign.dkim.signature.for.new.domain.html
The Amavisd config file referred to below as amavisd.conf is:
- on RHEL/CentOS: /etc/amavisd/amavisd.conf
- on Debian/Ubuntu: /etc/amavis/conf.d/50-user
Use existing DKIM key for new mail domain
If you already have a working DKIM key and a valid DKIM DNS record, it's OK to use this existing key to sign emails sent by other hosted mail domains. This way, you don't need to ask the customer who owns the new domain to add a DKIM DNS record.
- Find below setting in Amavisd config file amavisd.conf:
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
Add one line in @dkim_signature_options_bysender_maps, after the "mydomain.com" line, like below:
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
"new_domain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
- Restart Amavisd service.
Generate new DKIM key for new mail domain
If you or your customer prefer to use their own DKIM key, you can generate a new DKIM key and ask your customer to add the DKIM DNS record. Refer to our tutorial on adding a DKIM DNS record.
- Generate new DKIM key (key length 1024) for new domain.
# amavisd-new genrsa /var/lib/dkim/new_domain.com.pem 1024
Note:
- On different Linux/BSD distributions, the command may be amavisd.
- On RHEL/CentOS, you must specify the config file on the command line like this:
# amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/new_domain.com.pem
- Not all DNS vendors support a 2048-bit key as a TXT record, so iRedMail generates the key in 1024-bit. If you want to use 2048-bit instead, specify the key length on the command line:
# amavisd -c /etc/amavisd/amavisd.conf genrsa /var/lib/dkim/new_domain.com.pem 2048
- Find below setting in Amavisd config file amavisd.conf:
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
Add one line after the above line, like below:
dkim_key('new_domain.com', "dkim", "/var/lib/dkim/new_domain.com.pem");
- Find below setting in Amavisd config file amavisd.conf:
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
Add one line after the "mydomain.com" line, like below:
@dkim_signature_options_bysender_maps = ( {
...
"mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
"new_domain.com" => { d => "new_domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
...
});
- Restart Amavisd service.
Again, don't forget to add the DKIM DNS record for this new domain. The value of the DKIM record can be checked with the command below:
# amavisd-new showkeys
After adding the DKIM DNS record, verify it with the command:
# amavisd-new testkeys
Note: DNS vendors usually cache DNS records for 2 hours, so if the above command shows "invalid" instead of "pass", try again later.
Use one DKIM key for all mail domains
For compatibility with dkim_milter, the signing domain can include a '*' as a wildcard. This is not recommended, as amavisd could then produce signatures which have no corresponding public key published in DNS. The proper way is to have one dkim_key entry for each mail domain.
If you still want to try this, follow the steps below:
- Find below setting in Amavisd config file amavisd.conf:
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
- Replace it with the line below:
dkim_key('*', "dkim", "/var/lib/dkim/mydomain.com.pem");
- Restart Amavisd service.
With the above setting, all outbound emails will be signed with this DKIM key, and Amavisd will show a warning message when the amavisd service starts:
dkim: wildcard in signing domain (key#1, *), may produce unverifiable signatures with no published public key, avoid!
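The three sections above all edit the same two settings: dkim_key() entries and @dkim_signature_options_bysender_maps. The following script is an added example, not part of the iRedMail docs, that reads those two settings from a constructed config fragment and reports which <selector>._domainkey.<d=> TXT records must be published, which sender domains have no matching dkim_key(), and which would be signed by a '*' wildcard key (the unverifiable-signature case the warning describes). The domains shared.com and orphan.com in the sample are made up for illustration.

```python
import re

# Constructed sample of the two Amavisd settings this page edits (not a real config file).
SAMPLE_CONF = '''
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
dkim_key('new_domain.com', "dkim", "/var/lib/dkim/new_domain.com.pem");
@dkim_signature_options_bysender_maps = ( {
  "mydomain.com"   => { d => "mydomain.com",   a => 'rsa-sha256', ttl => 10*24*3600 },
  "new_domain.com" => { d => "new_domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
  "shared.com"     => { d => "mydomain.com",   a => 'rsa-sha256', ttl => 10*24*3600 },
  "orphan.com"     => { d => "orphan.com",     a => 'rsa-sha256', ttl => 10*24*3600 },
});
'''

# dkim_key(<signing domain>, <selector>, <private key path>)
KEY_RE = re.compile(r"""dkim_key\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]""")
# "<sender domain>" => { d => "<signing domain>", ... }
MAP_RE = re.compile(r"""['"]([^'"]+)['"]\s*=>\s*\{[^}]*\bd\s*=>\s*['"]([^'"]+)['"]""")


def parse_keys(conf):
    """Map each signing domain (or '*') to its (selector, pem_path)."""
    return {dom: (sel, path) for dom, sel, path in KEY_RE.findall(conf)}


def parse_bysender(conf):
    """Map each sender domain to the signing domain it will carry in the d= tag."""
    return dict(MAP_RE.findall(conf))


def audit(conf):
    """Report required DNS TXT records and misconfigured bysender entries."""
    keys, by_sender = parse_keys(conf), parse_bysender(conf)
    report = {"dns_records": set(), "missing_key": [], "via_wildcard": [],
              "wildcard": "*" in keys}
    for sender, signing in by_sender.items():
        key = keys.get(signing)
        if key is None and report["wildcard"]:
            # Signed with the wildcard key: d= names a domain that may have no
            # published public key, exactly the case amavisd warns about.
            key = keys["*"]
            report["via_wildcard"].append(sender)
        if key is None:
            report["missing_key"].append(sender)  # no dkim_key() can sign this d=
            continue
        selector, _ = key
        # A verifier fetches <selector>._domainkey.<d=> for every signature it checks.
        report["dns_records"].add(f"{selector}._domainkey.{signing}")
    return report


if __name__ == "__main__":
    for name, value in audit(SAMPLE_CONF).items():
        print(f"{name}: {sorted(value) if isinstance(value, set) else value}")
```

Run it against the fragment before restarting Amavisd; every name in dns_records is a TXT record `amavisd-new testkeys` must report as "pass".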
Legend! Useful even to this day :)
Thanks!