Home / server / Questions / 724847
Accepted
Mike Purcell
Asked: 2015-09-26 07:53:40 +0800 CST

DKIM - Single host - Multiple IPs

  • 772

Trying to figure out the best practice for implementing DKIM on a single EC2 which will have multiple, elastic IPS.

# /etc/opendkim.conf
...
Mode                    sv
Canonicalization        relaxed/simple
ExternalIgnoreList      refile:/etc/opendkim/TrustedHosts
InternalHosts           refile:/etc/opendkim/TrustedHosts
KeyTable                refile:/etc/opendkim/KeyTable
SigningTable            refile:/etc/opendkim/SigningTable
SignatureAlgorithm      rsa-sha256
...

# /etc/opendkim/KeyTable
default._domainkey.example.com example.com:hp-hv-1:/etc/opendkim/keys/default.private
default._domainkey.example.com example.com:hp-hv-2:/etc/opendkim/keys/default.private

# /etc/opendkim/SigningTable
*@example.com default._domainkey.example.com

Then I have two DNS records:

hp-hv-1._domainkey.example.com TXT "v=DKIM1;k=rsa;p=default.txt_key_goes_here"

hp-hv-2._domainkey.example.com TXT "v=DKIM1;k=rsa;p=default.txt_key_goes_here"

For both postfix instances on the same EC2 instance, each have the following $myhostname:

# postfixmulti instance #1
myhostname = hp-hv-1

# postfixmulti instance #2
myhostname = hp-hv-2

Both postfix instances are on the same EC2 instance, so they both share the same default.private/default.txt private/public key pair, so there is no need to add more rows to KeyTable and SigningTable. As far as I can tell, I only need to add extra rows to KeyTable and SigningTable if I want to implement multiple domains (which I do not).

But when I test my DKIM settings I keep getting 'pass: neutral' responses, saying that the emails are not signed, but they are, I can see it in the log file:

# snippet from /var/log/maillog
Sep 25 15:15:31 service-a-4 opendkim[27420]: 5B4A3625F0: DKIM-Signature field added (s=hp-hv-1, d=example.com)

What am I missing?

Versions:

CentOS 6.5
Postfix v2.6.6
Opendkim v2.9
linux

1 Answers

  1. Best Answer

    Ok, I was obviously confused, I kept thinking that "s" in the DKIM signature field was supposed to identify $myhostname from the postfix config, but actually it does not. After reading more about DKIM key rotation, it finally donned on me, the "s" is simply the selector to use from the KeyTable, SigningTable, and DNS.

    Check this:

    # /etc/opendkim/KeyTable
#  Format: selector(1) domain:selector(2):/path/to/key
#    selector(1) is used in the /etc/opendkim/SigningTable
#    selector(2) is built into the DKIM signature for every email sent, which is used to lookup the DNS TXT entry: mail-1_r-1._domainkey.example.com
mail-1_r-1._domainkey.example.com example.com:mail-1_r-1:/etc/opendkim/keys/mail-1_r-1.private

    And now if I want to rotate the keys I would do this:

    # /etc/opendkim/KeyTable
#  Generate new private/public key pair, and rename accordingly
mail-1_r-1._domainkey.example.com example.com:mail-1_r-1:/etc/opendkim/keys/mail-1_r-1.private
mail-1_r-2._domainkey.example.com example.com:mail-1_r-2:/etc/opendkim/keys/mail-1_r-2.private

    Then in the signing table:

    # /etc/opendkim/SigningTable
*@shouttag.com mail_r-1._domainkey.example.com
*@shouttag.com mail_r-2._domainkey.example.com

    Then for DNS entries you will have the following

    mail_r-1.domainkey.example.com "v=DKIM1;k=rsa;p=mail_r-1.txt_key_goes_here"
mail_r-2.domainkey.example.com "v=DKIM1;k=rsa;p=mail_r-2.txt_key_goes_here"

    These DNS entries are what is used to help validate that email was truly sent from your domain (hence Domain Key Identified Mail). Then after 7 days or so, you can remove the mail_r-1.domainkey.example.com.

    • 1