So, it's doing what it should.

If you have another virtual domain (in this case 'dom.com') that you'd like to sign with a different signature, do this:

# openssl genrsa -out dom.com.key 2048 && chmod 644 dom.com.key
# openssl rsa -in dom.com.key -pubout -out dom.com.txt
# perl -pi -e 's/-----BEGIN PUBLIC KEY-----/dkim1._domainkey IN TXT "k=rsa; p=/g; s/-----END PUBLIC KEY-----/"/g; s/\n//g' dom.com.txt


signconf.xml file (updated) :

<dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </global>
  <dom.com algorithm="rsa-sha256" domain="dom.com" keyfile="/var/qmail/control/dkim/dom.com.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </dom.com>
</dkimsign>

Add the TXT record to the domain's DNS.

Eric
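The perl one-liner above turns the PEM public key into a zone-file TXT line. The Python below does the same job as an added example; it is not part of Eric's message or of the qmail DKIM patch, and the PEM block in it is constructed (not a real key, just the 392-character body length of a real 2048-bit RSA SubjectPublicKeyInfo). It adds two things the one-liner leaves out: the `v=DKIM1` tag (optional under RFC 6376, which defaults to it) and the split of the record value into quoted strings of at most 255 octets, which a 2048-bit key needs because a single TXT character-string cannot exceed 255 octets; resolvers and DKIM verifiers concatenate the strings. Also note that `dom.com.key` is the private key: `chmod 644` makes it world-readable, and it only needs to be readable by the user qmail-remote runs as.

```python
"""Build the <selector>._domainkey TXT record from an RSA public key in PEM form.

Added example, not from the original thread or the qmail DKIM patch.
"""
import re
import textwrap
from typing import List

# Constructed sample public key in PEM form. NOT a real key: the body is
# placeholder base64 with the 392-character length of a 2048-bit RSA SPKI.
SAMPLE_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 342 + "IDAQAB"
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(SAMPLE_B64, 64))
    + "\n-----END PUBLIC KEY-----\n"
)

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def pem_to_base64(pem: str) -> str:
    """Return the base64 body of a 'PUBLIC KEY' PEM block as a single line.

    Raises ValueError if the armour is not the public-key armour that
    `openssl rsa -pubout` writes, or if the body is not base64, so a pasted
    private key or a garbled file is rejected rather than published in DNS.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if (len(lines) < 3
            or lines[0] != "-----BEGIN PUBLIC KEY-----"
            or lines[-1] != "-----END PUBLIC KEY-----"):
        raise ValueError("expected a PEM 'PUBLIC KEY' block (openssl rsa -pubout)")
    body = "".join(lines[1:-1])
    if not _B64_RE.match(body) or len(body) % 4:
        raise ValueError("PEM body is not valid base64")
    return body


def split_txt_strings(value: str, limit: int = 255) -> List[str]:
    """Split a TXT value into <character-string>s of at most `limit` octets.

    RFC 1035 caps one <character-string> at 255 octets; DKIM verifiers join
    all strings of the record, so a long p= value is split, not truncated.
    """
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def dkim_txt_record(selector: str, pem: str, key_type: str = "rsa") -> str:
    """Render a zone-file TXT line for <selector>._domainkey from a PEM public key."""
    value = f"v=DKIM1; k={key_type}; p={pem_to_base64(pem)}"
    quoted = " ".join(f'"{part}"' for part in split_txt_strings(value))
    return f"{selector}._domainkey IN TXT {quoted}"


if __name__ == "__main__":
    # Same selector as in the thread; with the 392-character body this
    # yields two quoted strings (255 + 155 octets).
    print(dkim_txt_record("dkim1", SAMPLE_PEM))
```

The value is split at fixed 255-octet boundaries, which is the only constraint; where the cut falls inside the base64 does not matter because the verifier concatenates before decoding.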


On 6/22/2024 12:19 PM, Jeff Koch wrote:
Hi Philip - this is it:

<dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </global>
</dkimsign>

Note that the 'domain' attribute is defined as 'me' which is the mailserver's name and that is what shows up as the 'd' attribute in the dkim signing that gmail sees.

Jeff


On 6/22/2024 1:14 PM, Philip Nix Guru wrote:

Hello

post your signconf.xml

Regards
On 6/22/24 18:52, Jeff Koch wrote:
Hi:

We must be doing something wrong. Maybe one of you can help. No matter how we set up the contents of signconf.xml, we can't get qmail-remote to sign emails with anything other than the mailserver's name unless we specify each domain in a separate stanza of the xml file.

For example: If we use a signconf.xml file with just the global stanza as in:

<dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me" keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </global>
</dkimsign>

and then sign an email from say 'j...@domain1.com' and send that email to a gmail account. Gmail's dkim analysis shows:
---------------
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=mymailserver.com; h= message-id:date:subject:from:to:mime-version:content-type :content-transfer-encoding; s=dkim1;
-------------------
and it pulls the dkim dns record from 'mymailserver.com' based on the 'd' attribute to verify the signature.

But what we really want is for the dkim signature to show 'd=domain1.com' so that gmail uses the dkim record in domain1.com's DNS record and the only way we've been able to make that happen is to have a separate signconf.xml stanza for 'domain1.com' like:

  <domain1.com domain="domain1.com" keyfile="/var/qmail/control/dkim/some.key" selector="dkim1">
    <types id="dkim" />
    <types id="domainkey" method="nofws" />
  </domain1.com>

Somehow qmail-remote should be extracting the sending domain name from the 'from' address and using that in the 'd' attribute when signing the email. But it's not doing that for us.

Jeff
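To make the stanza selection described in this thread concrete, here is an added Python model of it (not qmail-remote's own code): a stanza whose element name equals the sending domain supplies d=, selector and key file; any other sender falls through to `<global>`, whose `domain` attribute here is a path to a control file (`/var/qmail/control/me`) whose contents become d=, which is exactly why Gmail saw d=mymailserver.com. The signconf.xml and the control-file contents are constructed inline from what was posted, so the example runs offline. The audit function also reports whether d= matches the From domain, which is what DMARC strict alignment checks: the signature with d=mymailserver.com verifies, as Gmail showed, but it does not align with From: ...@domain1.com.

```python
"""Model which signconf.xml stanza governs a sending domain and what d= results.

Added example: this is not qmail-remote's code, only a model of the behaviour
described in the thread (per-domain stanza wins, otherwise <global>).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed copy of the signconf.xml posted in the thread.
SIGNCONF_XML = """<dkimsign>
  <!-- per default sign all mails using dkim -->
  <global algorithm="rsa-sha1" domain="/var/qmail/control/me"
          keyfile="/var/qmail/control/dkim/global.key" method="simple" selector="dkim1">
    <types id="dkim" />
  </global>
  <domain1.com domain="domain1.com" keyfile="/var/qmail/control/dkim/some.key" selector="dkim1">
    <types id="dkim" />
    <types id="domainkey" method="nofws" />
  </domain1.com>
</dkimsign>
"""

# Constructed stand-in for /var/qmail/control so the example needs no qmail install.
CONTROL_FILES: Dict[str, str] = {"/var/qmail/control/me": "mymailserver.com\n"}


@dataclass(frozen=True)
class SigningChoice:
    stanza: str            # element name of the stanza that applies
    d: str                 # value that ends up in the DKIM-Signature d= tag
    selector: str
    keyfile: str
    algorithm: Optional[str]   # None when the stanza does not set one


def resolve_stanza(xml_text: str, from_domain: str,
                   control_files: Dict[str, str] = CONTROL_FILES) -> SigningChoice:
    """Pick the stanza for `from_domain`: a stanza named after it, else <global>."""
    root = ET.fromstring(xml_text)
    if root.tag != "dkimsign":
        raise ValueError("root element must be <dkimsign>")
    # Element names are the domains; compare case-insensitively like DNS names.
    per_domain = {child.tag.lower(): child for child in root if child.tag != "global"}
    node = per_domain.get(from_domain.lower())
    if node is None:
        node = root.find("global")
        if node is None:
            raise ValueError(f"no <global> stanza and no stanza for {from_domain}")
    domain_attr = node.get("domain", "")
    if domain_attr.startswith("/"):
        # A path means: read d= from that control file (me = the server's host name).
        d = control_files[domain_attr].strip()
    else:
        d = domain_attr
    return SigningChoice(stanza=node.tag, d=d, selector=node.get("selector", ""),
                         keyfile=node.get("keyfile", ""), algorithm=node.get("algorithm"))


def dkim_aligned(from_domain: str, d: str) -> bool:
    """DMARC strict alignment: d= must equal the RFC5322.From domain.

    Relaxed alignment would also accept a subdomain of the same organizational
    domain; d=mymailserver.com for From domain1.com passes neither.
    """
    return from_domain.lower() == d.lower()


def audit(xml_text: str, sender_domains: Iterable[str],
          control_files: Dict[str, str] = CONTROL_FILES) -> Dict[str, dict]:
    """For each sending domain, report the governing stanza, d=, selector, alignment."""
    report = {}
    for dom in sender_domains:
        choice = resolve_stanza(xml_text, dom, control_files)
        report[dom] = {"stanza": choice.stanza, "d": choice.d,
                       "selector": choice.selector, "keyfile": choice.keyfile,
                       "aligned": dkim_aligned(dom, choice.d)}
    return report


if __name__ == "__main__":
    for dom, row in audit(SIGNCONF_XML, ["domain1.com", "domain2.com"]).items():
        print(f"{dom}: stanza={row['stanza']} d={row['d']} aligned={row['aligned']}")
```

Run it against a real signconf.xml with the list of domains you actually send from; every domain reported with `stanza=global` will be signed with the server's name in d= until it gets its own stanza and its own `<selector>._domainkey` record.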
