How to Configure DKIM | Multiple Domains

jamerson
Posts: 163
Joined: 19 Aug 2017 18:57
Location: kaaskop

How to Configure DKIM | Multiple Domains

Post by jamerson »

Dear all,
Hereby I will explain how to get your EFA configured to check the DKIM signature of outgoing/incoming emails.
Let's assume your domain is efa.org.
Make a folder for the OpenDKIM keys:

Code:

mkdir -p /etc/opendkim/keys/efa.org/

Browse to:

Code:

cd /etc/opendkim/keys/efa.org/

Run the below to generate the private key and the .txt file:

Code:

opendkim-genkey -s efa

Open the below with nano or vi:

Code:

/etc/opendkim.conf

First line to check:
Mode sv
If it is just v, change it to sv.

Then look for the word Socket inet=; if it does exist then it looks good.
Now move to:

Code:

SendReports     yes
ReportAddress "efa.org Postmaster <postmaster@efa.org>"
SoftwareHeader  yes
Canonicalization        relaxed/simple

Find the:

Code:

KeyTable        /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts   refile:/etc/opendkim/TrustedHosts

Save the file now.

Next, edit /etc/opendkim/KeyTable: open the file with nano or vi and add this line to the end:

Code:

efa._domainkey.efa.org efa.org:efa:/etc/opendkim/keys/efa.org/efa.private

Save the file.

Now edit /etc/opendkim/SigningTable: again open the file with nano or vi and add this at the end of the file:

Code:

*@efa.org efa._domainkey.efa.org

Save the file; we are almost done :)

Edit /etc/opendkim/TrustedHosts: open the file with vi or nano and add this to the end:

Code:

mail.efa.org
192.168.4.5/32

mail.efa.org is your MX record; 192.168.4.5/32 is your Exchange IP.


Edit /etc/postfix/main.cf: again open the file with nano or vi and go to the very end of the file:

Code:

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
milter_protocol = 2

Save the file.

Now start OpenDKIM:

Code:

service opendkim start

Reload Postfix:

Code:

service postfix reload

In your public DNS, importantly, add this DMARC record:
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org

The tutorial is finished.
If you have any questions, let me know.
Last edited by jamerson on 18 Dec 2018 00:14, edited 1 time in total.
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
bvess
Posts: 4
Joined: 12 Nov 2018 07:31

Re: How to Configure DKIM | Multiple Domains

Post by bvess »

At the end of your tutorial you stated to add the below to your DNS. Is this just a TXT record like for SPF? What would the hostname be? The EFA hostname or the sending domain?

In your public DNS, importantly, add this DMARC record:
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org
jamerson
Posts: 163
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: How to Configure DKIM | Multiple Domains

Post by jamerson »

bvess wrote: 13 Nov 2018 23:31
At the end of your tutorial you stated to add the below to your DNS. Is this just a TXT record like for SPF? What would the hostname be? The EFA hostname or the sending domain?

In your public DNS, importantly, add this DMARC record:
v=DMARC1; p=reject; sp=reject; rua=mailto:postmaster@efa.org

It's just your postmaster domain; you will get the daily reports.
ZimboKraut
Posts: 12
Joined: 19 Jun 2015 16:17

Re: How to Configure DKIM | Multiple Domains

Post by ZimboKraut »

While this thread is already quite old, in general the information is very good.
I am just missing a few details:
Maybe it's just me being a little difficult.

It is specifically stated that it is for multiple domains.
Could someone (just to put my mind at ease ;-) )
possibly highlight where the entries for multiple domains need to be made?
I do believe I know and understand, but I would just like to be certain.
For instance, in /etc/opendkim.conf:

Code:

SendReports     yes
ReportAddress "domain1.net Postmaster <postmaster@domain1.net>"
ReportAddress "domain2.net Postmaster <postmaster@domain2.net>"
ReportAddress "domain3.net Postmaster <postmaster@domain3.net>"
SoftwareHeader  yes
Canonicalization        relaxed/simple

Then for the file KeyTable /etc/opendkim/KeyTable:

Code:

domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
domain2._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
domain3._domainkey.domain3.net domain3.net:domain3:/etc/opendkim/keys/domain3.net/domain3.private

/etc/opendkim/SigningTable:

Code:

*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
*@domain3.net domain3._domainkey.domain3.net

/etc/opendkim/TrustedHosts:

Code:

mx01.mydomain.net # 1st mail exchanger (MX record)
mx02.mydomain.net # 2nd mail exchanger (MX record)
192.168.4.5/32    # Mailhost/Exchange server

Can someone confirm/correct this?

Thank you
pdwalker
Posts: 1472
Joined: 18 Mar 2015 09:16

Re: How to Configure DKIM | Multiple Domains

Post by pdwalker »

For "ReportAddress" in /etc/opendkim.conf, only use one email address.

your /etc/opendkim/KeyTable is correct.

your /etc/opendkim/SigningTable is correct.

your /etc/opendkim/TrustedHosts looks correct.

My own multidomain configuration matches yours and it works for me.

Did you test your dkim from the 3 domains individually?

Hope that helps.
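Before testing each domain individually as suggested above, the KeyTable and SigningTable pair can be checked statically for the copy-paste slips a multi-domain setup invites (a SigningTable row pointing at a keyname with no KeyTable row, or a key name that does not match the selector._domainkey.domain record where the opendkim-genkey .txt content is published). This is an added example, not code from the thread or from eFa/OpenDKIM; the sample tables are constructed in the thread's layout with one deliberate slip, and well-formed two-column rows are assumed.

```python
"""Static check of an OpenDKIM KeyTable / SigningTable pair (added example).
KeyTable row: <keyname> <domain>:<selector>:<key path>; SigningTable row:
<sender pattern> <keyname>. Verifiers fetch <selector>._domainkey.<domain>, so
the keyname conventionally equals that DNS name; signing fails outright when a
SigningTable row names a keyname with no KeyTable row. Both are reported."""
from typing import Dict, List, Tuple

def _rows(text: str) -> List[Tuple[str, str]]:
    """Split a dataset file into (first token, rest) pairs; '#' starts a comment."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            first, rest = line.split(None, 1)  # assumes well-formed two-column rows
            out.append((first, rest.strip()))
    return out

def parse_keytable(text: str) -> Dict[str, Tuple[str, str, str]]:
    """keyname -> (domain, selector, private key path)."""
    table = {}
    for keyname, spec in _rows(text):
        domain, selector, path = spec.split(":", 2)
        table[keyname] = (domain, selector, path)
    return table

def check_tables(keytable: str, signingtable: str) -> List[str]:
    """Return findings as strings; an empty list means the pair is consistent."""
    keys = parse_keytable(keytable)
    findings = []
    for keyname, (domain, selector, _path) in keys.items():
        dns_name = f"{selector}._domainkey.{domain}"
        if keyname != dns_name:
            findings.append(f"KeyTable: {keyname} does not match DNS name {dns_name}")
    for pattern, keyname in _rows(signingtable):
        if keyname not in keys:
            findings.append(f"SigningTable: {pattern} -> {keyname} has no KeyTable row")
        elif keys[keyname][0] != pattern.rsplit("@", 1)[-1]:
            findings.append(f"SigningTable: {pattern} would sign as d={keys[keyname][0]}")
    return findings

# Constructed sample in the thread's layout; the second KeyTable row carries a
# deliberate copy-paste slip (keyname says domain1, but the row is for domain2.net).
SAMPLE_KEYTABLE = """\
domain1._domainkey.domain1.net domain1.net:domain1:/etc/opendkim/keys/domain1.net/domain1.private
domain1._domainkey.domain2.net domain2.net:domain2:/etc/opendkim/keys/domain2.net/domain2.private
"""
SAMPLE_SIGNINGTABLE = """\
*@domain1.net domain1._domainkey.domain1.net
*@domain2.net domain2._domainkey.domain2.net
"""
```

Running check_tables on the two sample tables reports the mismatched key name and the domain2.net SigningTable row that no KeyTable row serves; mail from domain2.net would leave that host unsigned.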
ZimboKraut
Posts: 12
Joined: 19 Jun 2015 16:17

Re: How to Configure DKIM | Multiple Domains

Post by ZimboKraut »

Thank you very much for confirming.
I will test it out now.
The challenge is that I have more than 60 active domains running.
Does anyone have experience with running DKIM on two mail exchangers?

Should I create a separate DKIM record for each MTA (EFA instance :-) ), or can the same keypair be used (yes, I am aware that it wouldn't be good practice ;-) )?

Thank you
pdwalker
Posts: 1472
Joined: 18 Mar 2015 09:16

Re: How to Configure DKIM | Multiple Domains

Post by pdwalker »

My first reaction would be to say "create a separate dkim record for each signing mta".

Each dns txt record would need to be unique to each mta.
e.g.
efa1: KeyTable
mta1._domainkey.example.com...

efa2: KeyTable
mta2._domainkey.example.com...

However if both machines are serving mail for all the same 60 domains, I guess it won't hurt to use the same keypairs. It does simplify configuration and management somewhat.
ZimboKraut
Posts: 12
Joined: 19 Jun 2015 16:17

Re: How to Configure DKIM | Multiple Domains

Post by ZimboKraut »

That's great!
I agree with you that it would be good practice to have two keys; at the same time, it is also double the work having to add the keys for each and every domain.
My main thought was whether it would cause problems to have the same public key for two hostnames.

It does make life significantly easier, as I could otherwise just update the second MTA by syncing the keys.
As the transport between the two MTAs is completely encrypted and within an isolated infrastructure, the risk does exist, but is acceptable.

I would for instance not even think about it if the keys had to be transported over a non-secured connection.

Thank you for the help.
I hope that the questions (and of course answers ;-) ) will also help others.
eFa just rocks. And I have yet to come across a decent mail relay that on one hand has reasonable security settings, while still maintaining an easy setup.
As a consultant I have recommended it to many companies.
The biggest challenge is that especially large corporates have very complicated and convoluted processes.
But, on a positive note, I know that one of the two largest banks in Germany is currently testing it, and from what I have been told, they find it very promising ;-).
If all goes well and they do implement it, I will ask if we can mention their name as users.
I believe this would be great advertising.
Particularly because they have centralised relays for all their email globally.
pdwalker
Posts: 1472
Joined: 18 Mar 2015 09:16

Re: How to Configure DKIM | Multiple Domains

Post by pdwalker »

A compromised DKIM key is not the end of the world, because it is only one part of the entire verification/authentication process. There is still the SPF record and the DMARC settings for verifying whether the message is legitimate or not.

Just the same, change the keys occasionally. Office 365 creates two keys during setup of a custom domain so you can switch anytime. There is no reason why you cannot create several keys and several DNS records. The extra keys can be kept in secure storage and distributed when you need them.

Also, using rsync/scp to sync the keys over a private network should be secure enough.
pdwalker
Posts: 1472
Joined: 18 Mar 2015 09:16

Re: How to Configure DKIM | Multiple Domains

Post by pdwalker »

ZimboKraut wrote: 11 Aug 2022 12:00
If all goes well and they do implement it, I will ask if we can mention their name as users.
I believe this would be great advertising.
Particularly because they have centralised relays for all their email globally.

Banks are touchy about exposing information. Don't worry about it too much.

On the other hand, if they use EFA and they like how it works, they could aid in the development/support by sending some money to Shawn Iverson, or even setting up a service contract.

That's a private discussion you should have with Shawn if it ever comes to pass.
ZimboKraut
Posts: 12
Joined: 19 Jun 2015 16:17

Re: How to Configure DKIM | Multiple Domains

Post by ZimboKraut »

I had several contracts with them, and while I agree with you that financial institutions can be a little tight-lipped, they tend to be quite open (excuse the pun ;-) ) towards open source.
Lots of Linux, KVM/QEMU and also Postfix.

The idea of trying to get some funds for Shawn sounds like a great idea. I will get in touch with Shawn once things get to a stage where it is possible to see where they are going.

If eFa is viable for them instead of (for instance) a Cisco ESA, this might truly be a great promotion for eFa.

Anyhow. We will see :-)

All the best everyone.

Marco