<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Sign DKIM signature on outgoing emails for new mail domain</title>
<link href="./css/markdown.css" rel="stylesheet">
</head>
<body>
<div id="navigation">
<a href="http://www.iredmail.org" target="_blank">iRedMail web site</a>
// <a href="./index.html">Document Index</a>
</div><h1 id="sign-dkim-signature-on-outgoing-emails-for-new-mail-domain">Sign DKIM signature on outgoing emails for new mail domain</h1>
<div class="toc">
<ul>
<li><a href="#sign-dkim-signature-on-outgoing-emails-for-new-mail-domain">Sign DKIM signature on outgoing emails for new mail domain</a><ul>
<li><a href="#use-existing-dkim-key-for-new-mail-domain">Use existing DKIM key for new mail domain</a></li>
<li><a href="#generate-new-dkim-key-for-new-mail-domain">Generate new DKIM key for new mail domain</a></li>
<li><a href="#use-one-dkim-key-for-all-mail-domains-without-updating-amavisd-config-file">Use one DKIM key for all mail domains without updating Amavisd config file</a></li>
<li><a href="#see-also">See also</a></li>
</ul>
</li>
</ul>
</div>
<blockquote>
<p>Don't know where the Amavisd config file is? Check this tutorial:
<a href="file.locations.html#amavisd">Locations of configuration and log files of major components</a>.</p>
</blockquote>
<p>iRedMail configures Amavisd to sign outgoing emails for the first mail domain
you added during iRedMail installation. If you add a new mail domain, you
should update the Amavisd config file so that its outgoing emails are DKIM-signed too.</p>
<p>Let's say the first mail domain, added during iRedMail installation, is
<code>mydomain.com</code>, and the new mail domain is <code>new_domain.com</code>. Follow the
steps below to enable DKIM signing for outgoing emails of the new domain.</p>
<h2 id="use-existing-dkim-key-for-new-mail-domain">Use existing DKIM key for new mail domain</h2>
<p>If you already have a working DKIM key and a valid DKIM DNS record, it's OK to
use this existing DKIM key. This way, you don't need to ask the customer
who owns the new domain to add a DKIM DNS record.</p>
<ul>
<li>Find the setting below in the Amavisd config file <code>amavisd.conf</code>:</li>
</ul>
<pre><code>dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");

@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
</code></pre>

<p>Add one line to <code>@dkim_signature_options_bysender_maps</code>, after the <code>"mydomain.com"</code>
line, as shown below:</p>
<pre><code>@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "new_domain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
</code></pre>

<ul>
<li>Restart the Amavisd service.</li>
</ul>
<h2 id="generate-new-dkim-key-for-new-mail-domain">Generate new DKIM key for new mail domain</h2>
<p>If you or your customer prefer to use their own DKIM key, you can generate
a new DKIM key and ask your customer to add a DKIM DNS record. Refer to our
tutorial to <a href="setup_dns.html#dkim-record-for-your-mail-domain-name">add DKIM DNS record</a>.</p>
<ul>
<li>Generate a new DKIM key for the new domain.</li>
</ul>
<pre><code class="shell"># amavisd-new genrsa /var/lib/dkim/new_domain.com.pem
</code></pre>

<ul>
<li>Find the setting below in the Amavisd config file <code>amavisd.conf</code>:</li>
</ul>
<pre><code>dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
</code></pre>

<p>Add one line after the line above, as shown below:</p>
<pre><code>dkim_key('new_domain.com', "dkim", "/var/lib/dkim/new_domain.com.pem");
</code></pre>

<ul>
<li>Find the setting below in the Amavisd config file <code>amavisd.conf</code>:</li>
</ul>
<pre><code>@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
</code></pre>

<p>Add one line after the <code>"mydomain.com"</code> line, as shown below:</p>
<pre><code>@dkim_signature_options_bysender_maps = ( {
    ...
    "mydomain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "new_domain.com" => { d => "new_domain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    ...
});
</code></pre>

<ul>
<li>Restart the Amavisd service.</li>
</ul>
<p>Again, don't forget to ask your customer to add the DKIM DNS record.</p>
<h2 id="use-one-dkim-key-for-all-mail-domains-without-updating-amavisd-config-file">Use one DKIM key for all mail domains without updating Amavisd config file</h2>
<p>For compatibility with dkim_milter, the signing domain can include a '*'
as a wildcard. This is not recommended, because this way Amavisd could produce
signatures which have no corresponding public key published in DNS.
The proper way is to have one <code>dkim_key</code> entry for each mail domain.</p>
<p>If you still want to try this, follow the steps below:</p>
<ul>
<li>Find the setting below in the Amavisd config file <code>amavisd.conf</code>:</li>
</ul>
<pre><code>dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
</code></pre>

<ul>
<li>Replace it with the line below:</li>
</ul>
<pre><code>dkim_key('*', "dkim", "/var/lib/dkim/mydomain.com.pem");
</code></pre>

<ul>
<li>Restart the Amavisd service.</li>
</ul>
<p>With the above setting, all outbound emails will be signed with this DKIM key,
and Amavisd will show a warning message when the service starts:</p>
<blockquote>
<p>dkim: wildcard in signing domain (key#1, *), may produce unverifiable
signatures with no published public key, avoid!</p>
</blockquote>
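<p>One way to check the result of the three procedures above before restarting Amavisd, as an added example (not iRedMail's or Amavisd's own code): a Python audit that reads <code>amavisd.conf</code> text, lists the <code>selector._domainkey.domain</code> DNS names whose TXT record must be published, and flags sender-map entries with no matching <code>dkim_key</code>, shared-key entries, and the wildcard key. The sample config is constructed, <code>third.example</code> is a hypothetical domain, and the regular expressions assume one entry per line as written on this page.</p>

```python
import re

# Constructed amavisd.conf fragment (not from a real server): the page's
# shared-key setup plus a hypothetical domain whose d= has no dkim_key line.
SAMPLE_CONF = r'''
dkim_key('mydomain.com', "dkim", "/var/lib/dkim/mydomain.com.pem");
@dkim_signature_options_bysender_maps = ( {
    "mydomain.com"   => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "new_domain.com" => { d => "mydomain.com", a => 'rsa-sha256', ttl => 10*24*3600 },
    "third.example"  => { d => "third.example", a => 'rsa-sha256', ttl => 10*24*3600 },
});
'''

Q = "['\"]([^'\"]+)['\"]"  # one single- or double-quoted Perl string
# Anchoring at line start skips entries that are commented out with '#'.
KEY_RE = re.compile(r"^\s*dkim_key\(\s*" + Q + r"\s*,\s*" + Q, re.M)
MAP_RE = re.compile(r"^\s*" + Q + r"\s*=>\s*\{[^}]*\bd\s*=>\s*" + Q, re.M)


def audit_dkim(conf_text):
    """Return (dns_names, findings) for the DKIM settings in amavisd.conf text."""
    keys = {dom.lower(): sel for dom, sel in KEY_RE.findall(conf_text)}
    dns_names, findings = set(), []
    if "*" in keys:
        findings.append("wildcard dkim_key('*'): signatures may have no "
                        "published public key")
    for sender, d in MAP_RE.findall(conf_text):
        sender, d = sender.lower(), d.lower()
        selector = keys.get(d, keys.get("*"))
        if selector is None:
            findings.append("%s: no dkim_key for d=%s" % (sender, d))
            continue
        # Verifiers fetch the public key from <selector>._domainkey.<d>.
        dns_names.add("%s._domainkey.%s" % (selector, d))
        if sender != d:
            # Shared key: DMARC's DKIM alignment compares d= with the From: domain.
            findings.append("%s: signed as d=%s (shared key)" % (sender, d))
    return sorted(dns_names), findings


if __name__ == "__main__":
    names, notes = audit_dkim(SAMPLE_CONF)
    print("DNS TXT records that must exist:", *names, sep="\n  ")
    print("Findings:", *notes, sep="\n  ")
```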
<h2 id="see-also">See also</h2>
<ul>
<li>Don't know what DKIM is? Check our tutorial here:
<a href="setup_dns.html#dkim-record-for-your-mail-domain-name">What is a DKIM DNS record</a>.</li>
</ul><br /><p style="text-align: center;">If you found something wrong
in this document, please do
<a href="http://www.iredmail.org/contact.html">contact us</a> to fix it.</p><p style="text-align: center; color: grey;">©© Creative Commons</p></body></html>