Postfix, Dmarc, and Dkim for multiple domains

David Mehler
Hello,

I'm not sure if this is the right place to ask this question, but it
is mail related.

I've got Postfix 3.1, and two milter filters dkim (with OpenDKIM), and
dmarc (with OpenDMARC). At the time of initial setup I had one virtual
mailbox domain and things were working fine.

Now I've added two more virtual mailbox domains and need to configure
both opendkim and opendmarc to handle them. I believe I have this with
OpenDKIM; here's the config:

AllowSHA1Only no
AlwaysAddARHeader yes
AuthservID hostname.example.com
AutoRestart Yes
AutoRestartRate 5/1h
Canonicalization relaxed/simple
ExternalIgnoreList refile:/usr/local/etc/mail/TrustedHosts
InternalHosts refile:/usr/local/etc/mail/TrustedHosts
KeyTable /usr/local/etc/mail/KeyTable
MinimumKeyBits 2048
Mode sv
PidFile /var/run/milteropendkim/opendkim.pid
SigningTable /usr/local/etc/mail/SigningTable
Socket inet:8891@localhost
SoftwareHeader yes
SubDomains              yes
Syslog Yes
SyslogSuccess yes
UserID opendkim

# OPENDKIM TRUSTED HOSTS
127.0.0.1
::1
localhost
host.example.com
example.com
host.example2.com
example2.com
host.example3.com
example3.com

# KeyTable
selector._domainkey.example.com example.com:selector:/usr/local/etc/mail/keys/example.com/selector
selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
selector._domainkey.example3.com example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector

# SigningTable
example.com selector._domainkey.example.com
example2.com selector._domainkey.example2.com
example3.com selector._domainkey.example3.com

With regard to dkim, will having an AuthservID of hostname.example.com
mess up dkim checks for any of the other virtual mailbox domains, as
they are all on the one server?

I am not sure how to do this using opendmarc as I can't use a table.
If anyone has this working with these filters please let me know.

Thanks.
Dave.
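
A consistency check for multi-domain tables like the ones in this post, as an added example that is not part of the original message or of OpenDKIM. The tables are constructed in the post's layout, with the example3.com KeyTable row left out on purpose; `check_tables` and `parse_table` are hypothetical helper names, and the alignment test is a simplification.

```python
# Constructed tables in the post's layout (one entry per line). The
# example3.com KeyTable row is omitted on purpose so the check fires.
KEYTABLE = """\
# KeyTable
selector._domainkey.example.com example.com:selector:/usr/local/etc/mail/keys/example.com/selector
selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
"""
SIGNINGTABLE = """\
# SigningTable
example.com selector._domainkey.example.com
example2.com selector._domainkey.example2.com
example3.com selector._domainkey.example3.com
"""

def parse_table(text):
    """Return (key, value) pairs, skipping blank lines and # comments."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(None, 1)
        if len(fields) == 2:
            rows.append((fields[0], fields[1].strip()))
    return rows

def check_tables(keytable, signingtable):
    """List problems that would leave a domain unsigned or unaligned."""
    problems, keys = [], {}
    for name, value in parse_table(keytable):
        parts = value.split(":", 2)
        if len(parts) != 3:
            problems.append(f"KeyTable {name}: expected domain:selector:keypath")
            continue
        keys[name] = parts  # [signing domain (d=), selector (s=), key path]
    for pattern, keyname in parse_table(signingtable):
        if keyname not in keys:
            problems.append(f"SigningTable {pattern}: no KeyTable entry {keyname}")
            continue
        d = keys[keyname][0]
        sender = pattern.rsplit("@", 1)[-1].lstrip("*.")
        # Simplified alignment test: d= must equal the sender domain or be
        # a parent of it ("%" means OpenDKIM substitutes the sender domain).
        if d != "%" and sender != d and not sender.endswith("." + d):
            problems.append(f"SigningTable {pattern}: signs with d={d}, not aligned for DMARC")
    return problems

if __name__ == "__main__":
    for problem in check_tables(KEYTABLE, SIGNINGTABLE):
        print(problem)
```
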
Re: Postfix, Dmarc, and Dkim for multiple domains

Christian Kivalo


On 21 February 2017 19:52:42 CET, David Mehler <[hidden email]> wrote:

>Hello,
>
>I'm not sure if this is the right place to ask this question, but it
>is mail related.
>
>I've got Postfix 3.1, and two milter filters dkim (with OpenDKIM), and
>dmarc (with OpenDMARC). At the time of initial setup I had one virtual
>mailbox domain and things were working fine.
>
>Now I've added two more virtual mailbox domains and need to configure
>both opendkim and opendmarc to handle them. I believe I have this with
>OpenDKIM; here's the config:
>
>AllowSHA1Only no
>AlwaysAddARHeader yes
>AuthservID hostname.example.com
>AutoRestart Yes
>AutoRestartRate 5/1h
>Canonicalization relaxed/simple
>ExternalIgnoreList refile:/usr/local/etc/mail/TrustedHosts
>InternalHosts refile:/usr/local/etc/mail/TrustedHosts
>KeyTable /usr/local/etc/mail/KeyTable
>MinimumKeyBits 2048
>Mode sv
>PidFile /var/run/milteropendkim/opendkim.pid
>SigningTable /usr/local/etc/mail/SigningTable
>Socket inet:8891@localhost
>SoftwareHeader yes
>SubDomains              yes
>Syslog Yes
>SyslogSuccess yes
>UserID opendkim
>
># OPENDKIM TRUSTED HOSTS
>127.0.0.1
>::1
>localhost
>host.example.com
>example.com
>host.example2.com
>example2.com
>host.example3.com
>example3.com
>
># KeyTable
>selector._domainkey.example.com example.com:selector:/usr/local/etc/mail/keys/example.com/selector
>selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
>selector._domainkey.example3.com example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector
>
># SigningTable
>example.com selector._domainkey.example.com
>example2.com selector._domainkey.example2.com
>example3.com selector._domainkey.example3.com
>
>With regard to dkim, will having an AuthservID of hostname.example.com
>mess up dkim checks for any of the other virtual mailbox domains, as
>they are all on the one server?
No.
If you don't set the AuthservID configuration parameter, the name of the MTA is used; when looking at the emails in my inbox, this is the system's hostname.
The AuthservID has nothing to do with your virtual domains and is just a label that e.g. opendmarc uses to get the input for its decisions; when checking SPF, there is probably another AR header with the same authservid name.

>I am not sure how to do this using opendmarc as I can't use a table.
Why would you need a table for opendmarc?
Opendmarc uses the authentication-result headers of SPF and dkim checks and then retrieves the sending domain's dmarc policy from DNS and makes its decision based on that information.

>If anyone has this working with these filters please let me know.
I'm running such a setup with 6 domains for which I dkim sign, and I receive for 11 domains. The AuthservID is the receiving system's hostname (postfix $myhostname and the real fqdn are the same; I did not test which name is used when they differ).

--
Christian Kivalo
>
>Thanks.
>Dave.
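
The decision flow described in this reply, sketched as an added example that is not part of the original message or OpenDMARC's own code: results are taken only from Authentication-Results headers carrying a trusted authserv-id (OpenDMARC's TrustedAuthservIDs setting plays this role), then compared with the From: domain. The header values are constructed, the function names are hypothetical, the parser handles only simple headers, and the relaxed-alignment test is an approximation that does no organizational-domain lookup.

```python
import re

# Assumption: the single verifying host labels its own results with this id.
TRUSTED_AUTHSERV_IDS = {"hostname.example.com"}

def parse_ar(value):
    """Split one Authentication-Results value into (authserv_id, results)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        m = re.match(r"(\w+)=(\w+)", part)
        if not m:
            continue  # e.g. the bare "none" result
        # Everything after method=result is a property such as header.d=...
        props = dict(re.findall(r"([\w.-]+)=([^\s;()]+)", part)[1:])
        results.append((m.group(1).lower(), m.group(2).lower(), props))
    return authserv_id, results

def relaxed_match(a, b):
    """Approximate relaxed alignment: same domain or parent/child."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def dmarc_aligned(from_domain, ar_headers):
    """True if a trusted header reports an SPF or DKIM pass aligned with From:."""
    for value in ar_headers:
        authserv_id, results = parse_ar(value)
        if authserv_id not in TRUSTED_AUTHSERV_IDS:
            continue  # label from some other host: not our verifier's result
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "dkim":
                domain = props.get("header.d", "")
            elif method == "spf":
                domain = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
            else:
                continue
            if domain and relaxed_match(domain, from_domain):
                return True
    return False

if __name__ == "__main__":
    ar = ["hostname.example.com; dkim=pass (2048-bit key) header.d=example2.com header.s=selector"]
    print(dmarc_aligned("example2.com", ar))
```

The same authserv-id serves every virtual domain because it names the verifying host, while alignment is evaluated per message against that message's From: domain.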