Re: Postfix, Dmarc, and Dkim for multiple domains

2017-02-21 Thread Christian Kivalo


On 21 February 2017 19:52:42 CET, David Mehler wrote:
>Hello,
>
>I'm not sure if this is the right place to ask this question, but it
>is mail related.
>
>I've got Postfix 3.1, and two milter filters dkim (with OpenDKIM), and
>dmarc (with OpenDMARC). At the time of initial setup I had one virtual
>mailbox domain and things were working fine.
>
>Now I've added two more virtual mailbox domains and need to configure
>both opendkim and opendmarc to handle them. I believe I have this with
>OpenDKIM; here's the config:
>
>AllowSHA1Only       no
>AlwaysAddARHeader   yes
>AuthservID          hostname.example.com
>AutoRestart         Yes
>AutoRestartRate     5/1h
>Canonicalization    relaxed/simple
>ExternalIgnoreList  refile:/usr/local/etc/mail/TrustedHosts
>InternalHosts       refile:/usr/local/etc/mail/TrustedHosts
>KeyTable            /usr/local/etc/mail/KeyTable
>MinimumKeyBits      2048
>Mode                sv
>PidFile             /var/run/milteropendkim/opendkim.pid
>SigningTable        /usr/local/etc/mail/SigningTable
>Socket              inet:8891@localhost
>SoftwareHeader      yes
>SubDomains          yes
>Syslog              Yes
>SyslogSuccess       yes
>UserID              opendkim
>
># OPENDKIM TRUSTED HOSTS
>127.0.0.1
>::1
>localhost
>host.example.com
>example.com
>host.example2.com
>example2.com
>host.example3.com
>example3.com
>
># KeyTable
>selector._domainkey.example.com example.com:selector:/usr/local/etc/mail/keys/example.com/selector
>selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
>selector._domainkey.example3.com example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector
>
># SigningTable
>example.com selector._domainkey.example.com
>example2.com selector._domainkey.example2.com
>example3.com selector._domainkey.example3.com
>
>With regard to dkim, will having an AuthservID of hostname.example.com
>mess up dkim checks for any of the other virtual mailbox domains as
>they are all on the one server?
No.
If you don't set the AuthservID configuration parameter, the name of the MTA is
used; when looking at the emails in my inbox this is the system's hostname.
The AuthservID has nothing to do with your virtual domains and is just a label
that e.g. opendmarc uses to get the input for its decisions. When checking SPF,
there is probably another AR header with the same authservid name.

>I am not sure how to do this using opendmarc as I can't use a table.
Why would you need a table for opendmarc?
Opendmarc uses the authentication-result headers of SPF and dkim checks and
then retrieves the sending domain's dmarc policy from DNS and makes its decision
based on that information.

>If anyone has this working with these filters please let me know.
I'm running such a setup with 6 domains for which I dkim sign and I receive for
11 domains. The AuthservID is the receiving system's hostname (postfix
$myhostname and the real fqdn are the same; did not test which name is used
when they differ).

-- 
Christian Kivalo
>
>Thanks.
>Dave.
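
The flow described in the reply above, as a simplified model: results are read only from Authentication-Results headers carrying the local AuthservID label, then checked for alignment with the From domain, so one label serves any number of virtual domains. This is an added example, not part of the thread and not OpenDMARC's code; `parse_ar`, `aligned`, `dmarc_inputs`, the sample message and `mx.untrusted.test` are constructed, the trust filter is this example's assumption, and the DNS policy lookup is left out.

```python
import email
from email.utils import parseaddr

# Constructed sample: a sender at example2.com, received by the host whose
# AuthservID is hostname.example.com. The third header carries a foreign
# label (mx.untrusted.test, constructed) and must not be used as input.
SAMPLE = """\
Authentication-Results: hostname.example.com; dkim=pass header.d=example2.com
Authentication-Results: hostname.example.com; spf=fail smtp.mailfrom=bounce.other.test
Authentication-Results: mx.untrusted.test; dkim=pass header.d=example3.com
From: Dave <dave@example2.com>
Subject: test

body
"""
# Property that names the authenticated domain for each method.
PROP = {"dkim": "header.d", "spf": "smtp.mailfrom"}

def parse_ar(value):
    """Return (authserv_id, [(method, result, props)]) for one header value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    authserv_id = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return authserv_id, results

def aligned(auth_domain, from_domain):
    # Simplification: same domain or a subdomain of the From domain. A real
    # evaluator compares organizational domains (Public Suffix List).
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def dmarc_inputs(raw, trusted_id):
    """Collect aligned passes from headers labelled with trusted_id only."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    used, ignored = [], []
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_ar(value)
        if authserv_id != trusted_id.lower():
            ignored.append(authserv_id)
            continue
        for method, result, props in results:
            if method in PROP and result == "pass":
                domain = props.get(PROP[method], "").rpartition("@")[2].lower()
                if aligned(domain, from_domain):
                    used.append(method)
    return {"from_domain": from_domain, "aligned_pass": used,
            "ignored_ids": ignored, "dmarc_pass": bool(used)}
```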


Postfix, Dmarc, and Dkim for multiple domains

2017-02-21 Thread David Mehler
Hello,

I'm not sure if this is the right place to ask this question, but it
is mail related.

I've got Postfix 3.1, and two milter filters dkim (with OpenDKIM), and
dmarc (with OpenDMARC). At the time of initial setup I had one virtual
mailbox domain and things were working fine.

Now I've added two more virtual mailbox domains and need to configure
both opendkim and opendmarc to handle them. I believe I have this with
OpenDKIM; here's the config:

AllowSHA1Only       no
AlwaysAddARHeader   yes
AuthservID          hostname.example.com
AutoRestart         Yes
AutoRestartRate     5/1h
Canonicalization    relaxed/simple
ExternalIgnoreList  refile:/usr/local/etc/mail/TrustedHosts
InternalHosts       refile:/usr/local/etc/mail/TrustedHosts
KeyTable            /usr/local/etc/mail/KeyTable
MinimumKeyBits      2048
Mode                sv
PidFile             /var/run/milteropendkim/opendkim.pid
SigningTable        /usr/local/etc/mail/SigningTable
Socket              inet:8891@localhost
SoftwareHeader      yes
SubDomains          yes
Syslog              Yes
SyslogSuccess       yes
UserID              opendkim

# OPENDKIM TRUSTED HOSTS
127.0.0.1
::1
localhost
host.example.com
example.com
host.example2.com
example2.com
host.example3.com
example3.com

# KeyTable
selector._domainkey.example.com example.com:selector:/usr/local/etc/mail/keys/example.com/selector
selector._domainkey.example2.com example2.com:selector:/usr/local/etc/mail/keys/example2.com/selector
selector._domainkey.example3.com example3.com:selector:/usr/local/etc/mail/keys/example3.com/selector

# SigningTable
example.com selector._domainkey.example.com
example2.com selector._domainkey.example2.com
example3.com selector._domainkey.example3.com

With regard to dkim, will having an AuthservID of hostname.example.com
mess up dkim checks for any of the other virtual mailbox domains as
they are all on the one server?

I am not sure how to do this using opendmarc as I can't use a table.
If anyone has this working with these filters please let me know.

Thanks.
Dave.