Hi everyone, I'm working on an email marketing platform based on Postfix + OpenDKIM (AlmaLinux 9, OpenDKIM 2.11.x) and I'd like to know if anyone has already implemented this scenario cleanly:
*** Goal:

Sign every outgoing email with two DKIM signatures:

* one using the customer's domain (e.g. mycustdom.it)
* one using the ESP/provider's domain (e.g. myesp.it)

The requirement is to manage everything using only MySQL for KeyTable/SigningTable, without additional logic layers (no policy scripts or external hooks).

*** Technical context:

* OS: AlmaLinux 9.x
* MTA: Postfix
* DKIM: OpenDKIM 2.11.0
* OpenDKIM is configured to use MySQL via OpenDBX
* All signatures are on MySQL tables
* Signatures are OK when using only 1 domain on outgoing messages!

My MySQL schema (simplified) looks like this:

    CREATE TABLE dkim (
      dkimID varchar(50) NOT NULL,
      domain_name varchar(255) NOT NULL,
      selector varchar(63) NOT NULL,
      private_key text DEFAULT NULL,
      public_key text NOT NULL,
      PRIMARY KEY (dkimID)
    );

    CREATE TABLE dkim_signing (
      id int(11) NOT NULL AUTO_INCREMENT,
      author varchar(255) NOT NULL,   -- pattern like username@domain
      dkim_id varchar(50) NOT NULL,   -- logical FK to dkim.dkimID
      PRIMARY KEY (id),
      UNIQUE KEY author_2 (author,dkim_id),
      KEY author (author)
    );

*** KeyTable / SigningTable are configured like this:

    KeyTable dsn:mysql://DBDKIM:[email protected]/DBNAME/table=dkim?keycol=dkimID?datacol=domain_name,selector,private_key
    SigningTable dsn:mysql://DBDKIM:[email protected]/DBNAME/table=dkim_signing?keycol=author?datacol=dkim_id

And in opendkim.conf I have:

    MultipleSignatures yes

*** What I'd like to achieve:

For an email with From [email protected] I want 2 DKIM signatures on the outgoing message:

1. d=mycustdom.it (customer's domain key)
2. d=myesp.it (ESP/provider's domain key)

My idea is to populate dkim_signing with multiple rows for the same author, for example:

    -- Signature 1: d=mycustdom.it
    INSERT INTO dkim_signing (author, dkim_id) VALUES ('*@mycustdom.it', 'dkim_mycustdom_it');
    -- Signature 2: d=myesp.it
    INSERT INTO dkim_signing (author, dkim_id) VALUES ('*@mycustdom.it', 'dkim_myesp_it');

So for any email from *@mycustdom.it the SigningTable would return two different dkim_id values, and with MultipleSignatures yes enabled, OpenDKIM should generate two signatures.

*** Questions to the community:

1. Has anyone implemented a similar setup (ESP / multi-tenant) where each mail gets both a customer-domain signature and a provider-domain signature, using only MySQL-based KeyTable/SigningTable?
2. Any best practices you've found around the SigningTable mapping, for example:
   a. is it better to use patterns like *@mycustdom.it instead of mycustdom.it as the author key?
   b. do you keep the provider domain (myesp.it) in the same dkim_signing table or do you separate it in some way (e.g. with specific patterns or conventions)?
3. Do you have concrete examples where MultipleSignatures yes is used together with MySQL to manage multiple DKIM domains on the same message?

For stability and simplicity reasons I'm trying to keep the whole logic inside the MySQL KeyTable/SigningTable layer, without adding extra policy engines.

===>>> If this topic is off-topic for the list, I apologize and please feel free to ignore this email.

Any real-world configuration examples, opendkim.conf snippets, or SQL schema patterns used in production would be really appreciated.

Thanks in advance to anyone willing to share their experience!

-Francesco
_______________________________________________ Postfix-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
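
Added example, not part of the original post and not OpenDKIM code: a consistency audit for the two tables described above, since dkim_signing.dkim_id is only a logical FK and dkim.private_key may be NULL. It lists which signing domains the tables define per author pattern and flags rows that cannot yield a signature; it does not model how OpenDKIM handles several rows for one author. Assumptions: SQLite stands in for MySQL, and selector "s1", other.example, dkim_typo and the key placeholders are constructed sample data.

```python
import sqlite3
# The post's tables adapted to SQLite (assumption: production uses MySQL).
SCHEMA = """
CREATE TABLE dkim (dkimID TEXT PRIMARY KEY, domain_name TEXT NOT NULL,
  selector TEXT NOT NULL, private_key TEXT, public_key TEXT NOT NULL);
CREATE TABLE dkim_signing (id INTEGER PRIMARY KEY AUTOINCREMENT,
  author TEXT NOT NULL, dkim_id TEXT NOT NULL, UNIQUE (author, dkim_id));
"""
# LEFT JOIN keeps signing rows whose dkim_id matches no key row (the FK is only logical).
AUDIT_SQL = """
SELECT s.author, s.dkim_id, k.domain_name,
       CASE WHEN k.dkimID IS NULL THEN 'missing key row'
            WHEN k.private_key IS NULL OR k.private_key = '' THEN 'no private key'
            ELSE 'ok' END
FROM dkim_signing s LEFT JOIN dkim k ON k.dkimID = s.dkim_id
ORDER BY s.author, s.dkim_id
"""

def audit(conn):
    """Return ({author: sorted usable signing domains}, [(author, dkim_id, problem)])."""
    domains, problems = {}, []
    for author, dkim_id, domain, status in conn.execute(AUDIT_SQL):
        usable = domains.setdefault(author, [])
        if status == "ok":
            usable.append(domain)
        else:
            problems.append((author, dkim_id, status))
    return {a: sorted(d) for a, d in domains.items()}, problems

def missing_provider(domains, provider):
    """Author patterns that have no usable row for the provider domain."""
    return sorted(a for a, d in domains.items() if provider not in d)

def build_sample():
    """Constructed data: placeholder keys, selector 's1', hypothetical other.example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO dkim VALUES (?,?,?,?,?)", [
        ("dkim_mycustdom_it", "mycustdom.it", "s1", "PRIV-PLACEHOLDER", "PUB-PLACEHOLDER"),
        ("dkim_myesp_it", "myesp.it", "s1", "PRIV-PLACEHOLDER", "PUB-PLACEHOLDER"),
        ("dkim_other_example", "other.example", "s1", None, "PUB-PLACEHOLDER")])
    conn.executemany("INSERT INTO dkim_signing (author, dkim_id) VALUES (?,?)", [
        ("*@mycustdom.it", "dkim_mycustdom_it"), ("*@mycustdom.it", "dkim_myesp_it"),
        ("*@other.example", "dkim_other_example"), ("*@other.example", "dkim_typo")])
    return conn

if __name__ == "__main__":
    domains, problems = audit(build_sample())
    print(domains, problems, missing_provider(domains, "myesp.it"), sep="\n")
```

The AUDIT_SQL statement uses only a LEFT JOIN and CASE, so the same query can be run directly against the MySQL tables.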
