Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DKIM with same key but using different domains #5

Closed
ricardopolo opened this issue Jul 22, 2016 · 7 comments
Closed

DKIM with same key but using different domains #5

ricardopolo opened this issue Jul 22, 2016 · 7 comments
Labels
feature request

Comments

@ricardopolo
Copy link

In our infrastructure we allow to sign from multiple domains but using the same keys.

Base in the question I can understand that is secure.
http://serverfault.com/questions/785151/dkim-with-same-key-but-different-domains

You currently allow:

  1. Sign all email with the same domain/key (legacy and not secure)
  2. Sign all email with differents keys per domain

We found very difficult to mantain a new key for every domain. So we ended using the same key but using different domains.
Why dont allow that?
@baudehlo
Copy link

Just lack of need from the person/people who wrote the plugin.

Can you define how you envision the config looking for such a setup?

@thenitai
Copy link

I second this request. We allow sending over our Haraka from many domains. We tell our customers to use a cname dns entry for our dkim record. Would be great if Haraka would allow that, too.

@logvik
Copy link

logvik commented Feb 14, 2017

https://github.com/haraka/Haraka/blob/7632d69d73f42c8b616ee2d4337230e58e13416e/docs/plugins/dkim_sign.md
Will not it be match?
I think, already implemented...

@noogen
Copy link

noogen commented Oct 2, 2018

I'm with logvik here. I think this is possible with the current version? I don't see why this wouldn't work? The dkim generated by the tool is not domain specific: https://github.com/haraka/Haraka/blob/master/config/dkim/dkim_key_gen.sh#L36 so you can simply duplicate the directory to another domain.

@msimerson
Copy link
Member

Even better than duplicating is symlinks (not tested, YMMV)

@noogen
Copy link

noogen commented Oct 2, 2018
edited
Loading

I just completed a plugin that does this exact thing, based on @msimerson recommendation: https://github.com/niiknow/dockers/blob/master/haraka/rootfs/sysprepz/plugins/dkim_bouncer.js#L41

  1. You must have a default-domain dkim in the config/me file and under config/dkim/default-domain folder.
  2. The plugin validate against DNS to determine if you have a valid DKIM; otherwise, it bailout. e.g. the name dkim_bouncer

@msimerson
Copy link
Member

Migrated to wiki.

Status Quo

Currently this feature can be achieved by creating a DKIM key In The Usual Way for example.com. Then, for each additional domain, create a symlink (ln -s example.com domain2.com) to the initial DKIM key directory. When the DKIM signing plugin checks for the existence of domain2.com, it exists and signs with that key and the domain domain2.com.

Suggested Change

Create a specially named DKIM signing key, such as default. Extend the DKIM signing plugin to check for the existence of domain2.com and then default. That avoids the need to create lots of symlinks in config/dkim/ for each additional domain.

@msimerson msimerson transferred this issue from haraka/Haraka Apr 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@noogen @msimerson @thenitai @baudehlo @ricardopolo @logvik