Hi Philip:
I think this is what you want:
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me"
keyfile="/var/qmail/control/dkim/global.key" method="simple"
selector="dkim1">
<types id="dkim" />
</global>
<domain1.com domain="domain1.com"
keyfile="/var/qmail/control/dkim/global.key" selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</domain1.com>
</dkimsign>
But in this case an email from j...@domain1.com would be signed with the
'/var/qmail/control/dkim/global.key' and the attribute "d=domain1.com".
What I'm trying to do is avoid having to list stanzas for the hundreds
of domains on this mailserver and still have emails show as being signed
by the key associated with the sender's domain.
Jeff
On 6/22/2024 2:30 PM, Philip Nix Guru wrote:
Hello Jeff
ok but I mean paste the sign.conf including the domain1.com using a
different key :)
just to make sure the format is correct
I recall a friend had issues and he just forgot to add
</dkimsign> at the end ... -P
On 6/22/24 20:19, Jeff Koch wrote:
Hi Philip - this is it:
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me"
keyfile="/var/qmail/control/dkim/global.key" method="simple"
selector="dkim1">
<types id="dkim" />
</global>
</dkimsign>
Note that the 'domain' attribute is defined as 'me' which is the
mailserver's name and that is what shows up as the 'd' attribute in
the dkim signing that gmail sees.
Jeff
On 6/22/2024 1:14 PM, Philip Nix Guru wrote:
Hello
post your signconf.xml
Regards
On 6/22/24 18:52, Jeff Koch wrote:
Hi:
We must be doing something wrong. Maybe one of you can help. No
matter how we set up the contents of signconf.xml we can't get
qmail-remote to sign emails with anything other than the
mailserver's name unless we specify each domain in a separate
stanza of the xml file.
For example: If we use a signconf.xml file with just the global
stanza as in:
<dkimsign>
<!-- per default sign all mails using dkim -->
<global algorithm="rsa-sha1" domain="/var/qmail/control/me"
keyfile="/var/qmail/control/dkim/global.key" method="simple"
selector="dkim1">
<types id="dkim" />
</global>
</dkimsign>
and then sign an email from say 'j...@domain1.com' and send that
email to a gmail account. Gmail's dkim analysis shows:
---------------
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=mymailserver.com; h=
message-id:date:subject:from:to:mime-version:content-type
:content-transfer-encoding; s=dkim1;
-------------------
and it pulls the dkim dns record from 'mymailserver.com' based on
the 'd' attribute to verify the signature.
But what we really want is for the dkim signature to show
'd=domain1.com' so that gmail uses the dkim record in domain1.com's
DNS record and the only way we've been able to make that happen is
to have a separate signconf.xml stanza for 'domain1.com' like:
<domain1.com domain="domain1.com"
keyfile="/var/qmail/control/dkim/some.key" selector="dkim1">
<types id="dkim" />
<types id="domainkey" method="nofws" />
</domain1.com>
Somehow qmail-remote should be extracting sending domain name from
'from address' and using that in the 'd' attribute when signing the
email. But it's not doing that for us.
Jeff
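
Added example, not part of the original thread and not code from the qmail DKIM patch: a small Python check that parses the DKIM-Signature header of a delivered message, shows which DNS record a verifier will query (selector._domainkey.d), and reports whether d= matches the From: domain, which is the mismatch described above. The sample message is constructed from the header quoted in the thread; the From address, the b= placeholder and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the DKIM-Signature tags are the ones quoted in the
# thread; the From address, the b= placeholder and the body are made up.
SAMPLE = """\
DKIM-Signature: v=1; a=rsa-sha1; c=simple; d=mymailserver.com; h=
 message-id:date:subject:from:to:mime-version:content-type
 :content-transfer-encoding; s=dkim1; b=PLACEHOLDER
From: Sender <sender@domain1.com>
Subject: test

body
"""


def parse_dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a tag value is not significant.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def audit_signatures(raw_message):
    """Report, per signature, which DNS name a verifier queries and whether
    d= equals the From: domain (strict comparison, no public-suffix logic)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    report = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(header)
        d = tags.get("d", "").lower()
        report.append({
            "from_domain": from_domain,
            "d": d,
            "key_record": f"{tags.get('s', '')}._domainkey.{d}",
            "matches_from": d == from_domain,
            # RFC 8301 retires rsa-sha1 for signing and verifying.
            "weak_algorithm": tags.get("a", "").lower() == "rsa-sha1",
        })
    return report


if __name__ == "__main__":
    for entry in audit_signatures(SAMPLE):
        print(entry)
```

Run it against a message saved from the receiving mailbox after each signconf.xml change to confirm which domain's key record the signature actually points at.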