diff --git a/TODO.md b/TODO.md index cd870263..d4bfc990 100644 --- a/TODO.md +++ b/TODO.md @@ -2,6 +2,7 @@ # New +* Use same DKIM PEM file for all mail domains. * How to enable per-recipient policy lookup in Amavisd (@lookup_sql_dsn). * How to enable DNSBL in Postfix. * ~~ How to sign DKIM signature on sent emails for new mail domain. mention how diff --git a/howto/1-sign.dkim.signature.for.new.domain.md b/howto/1-sign.dkim.signature.for.new.domain.md index 1fb838d7..8a39cc10 100644 --- a/howto/1-sign.dkim.signature.for.new.domain.md +++ b/howto/1-sign.dkim.signature.for.new.domain.md 
@@ -11,6 +11,44 @@ Let's say your first mail domain added during iRedMail installation is `mydomain.com`, and new mail domain is `newdomain.com`, please follow below steps to enable DKIM signing for outgoing emails of this domain. +## Use existing DKIM key for new mail domain + +if you already have a working DKIM and valid DKIM DNS record, it's ok to +use this existing DKIM key. This way, you don't need to ask your customer +who owns this new domain to add DKIM DNS record. + +* Find below setting in Amavisd config file `amavisd.conf`: + +``` +dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem"); + +@dkim_signature_options_bysender_maps = ( { + ... + "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 }, + ... +}); +``` + +Add one line in `@dkim_signature_options_bysender_maps`, after `"mydomain.com"` +line like below: + +``` +@dkim_signature_options_bysender_maps = ( { + ... + "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 }, + "newdomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 }, + ... +}); +``` + +* Restart Amavisd service. + +## Generate new DKIM key for new mail domain + +If you or your customer prefer to use their own DKIM key, you can generate +a new DKIM key and ask your customer to add DKIM DNS record. Refer to our +tutorial to [add DKIM DNS record](setup_dns.html#dkim-record-for-your-mail-domain-name). + * Generate new DKIM key for new domain. ```shell @@ -52,7 +90,9 @@ Add one line after `"mydomain.com"` line like below: * Restart Amavisd service. -## Use one DKIM key for all mail domains +Again, don't forget to ask your customer to add DKIM DNS record. + +## Use one DKIM key for all mail domains without updating Amavisd config file For compatibility with dkim_milter the signing domain can include a '*' as a wildcard - this is not recommended as this way amavisd could produce 
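Review bot: the new "Use existing DKIM key for new mail domain" section in the howto hunk needs a DMARC alignment caveat next to the added map line `"newdomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },`. With `d => "mydomain.com"` the signature on mail from newdomain.com verifies, but its signing domain is mydomain.com, so it is not DKIM-aligned with the From: domain; if newdomain.com publishes a DMARC policy, that policy can only pass via SPF alignment, and the sentence "you don't need to ask your customer who owns this new domain to add DKIM DNS record" should say so rather than imply the customer's DNS is irrelevant. Two smaller points in the same hunk: "if you already have a working DKIM and valid DKIM DNS record" should start with a capital letter, and the two new config blocks are fenced with bare ``` while the existing block in this file uses ```shell; tagging them (e.g. ```perl) keeps the file consistent.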
diff --git a/html/sign.dkim.signature.for.new.domain.html b/html/sign.dkim.signature.for.new.domain.html index 03059e55..fa57b603 100644 --- a/html/sign.dkim.signature.for.new.domain.html +++ b/html/sign.dkim.signature.for.new.domain.html @@ -21,6 +21,39 @@ should update Amavisd config file to sign DKIM signature for it.
Let's say your first mail domain added during iRedMail installation is
mydomain.com
, and new mail domain is newdomain.com
, please follow below
steps to enable DKIM signing for outgoing emails of this domain.
if you already have a working DKIM and valid DKIM DNS record, it's ok to +use this existing DKIM key. This way, you don't need to ask your customer +who owns this new domain to add DKIM DNS record.
+amavisd.conf
:dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
+
+@dkim_signature_options_bysender_maps = ( {
+ ...
+ "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
+ ...
+});
+
+
+Add one line in @dkim_signature_options_bysender_maps
, after "mydomain.com"
+line like below:
@dkim_signature_options_bysender_maps = ( {
+ ...
+ "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
+ "newdomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
+ ...
+});
+
+
+If you or your customer prefer to use their own DKIM key, you can generate +a new DKIM key and ask your customer to add DKIM DNS record. Refer to our +tutorial to add DKIM DNS record.
Again, don't forget to ask your customer to add DKIM DNS record.
+For compatibility with dkim_milter the signing domain can include a '*' as a wildcard - this is not recommended as this way amavisd could produce signatures which have no corresponding public key published in DNS.
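Review bot: this html/ hunk carries the same text as the howto/ markdown hunk (same filename stem, same wording), so it looks like rendered output; the lowercase "if you already have a working DKIM..." and the missing DMARC alignment caveat for `"newdomain.com" => { d => "mydomain.com", ... }` are duplicated here and should be fixed in the markdown source and re-rendered rather than corrected in both files by hand, otherwise the two copies will drift.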