Re: [exim] DKIM key configuration for multiple domains

Author: Todd Lyons
Date:  
To: Smarthost 432, exim-users
Subject: Re: [exim] DKIM key configuration for multiple domains
If it's working and you understand it, you're good.

...Todd

On Thu, Jul 10, 2014 at 12:14 AM, Smarthost 432 <smarthost432@???> wrote:
> Hi Todd Lyons,
>
> Thanks for your response.
>
> It's working now. I have configured EXIM4 in un-split configuration and added
> the DKIM entries in the /etc/exim4/exim.conf.template file.
>
> Earlier, exim was on the split configuration. I made the required changes to
> the routers and transport as per the instructions given on this site; while
> adding the DKIM entries and restarting exim, it showed "duplicate transport
> found".
>
> My goal was to set up DKIM for a single domain, and the same key should
> validate for other domains.
>
> Now, in the unsplit configuration, it's working. I do not know if this is the
> right way. I welcome your suggestions and advice on this matter.
>
> On Tue, Jul 8, 2014 at 5:37 PM, Todd Lyons <tlyons@???> wrote:
>>
>> On Mon, Jul 7, 2014 at 5:56 AM, Smarthost 432 <smarthost432@???>
>> wrote:
>> > Hi,
>> >
>> > I set up DKIM for one domain and the DKIM result is pass. And when I use the
>> > same DKIM public key for another domain of mine, the DKIM signature is
>> > attached but the message header shows DKIM=fail.
>> >
>> > *Mydomain2.com - DKIM results*
>> >
>> > Authentication-Results: mx.google.com;
>> >        spf=hardfail (google.com: domain of test@??? does not
>> > designate SERVER-IP as permitted sender) smtp.mail=test@???;
>> >        dkim=fail header.i=@mydomain2.com
>> > DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>> > d=infiserver.com; s=fusion5;
>> >         h=Date:From:Message-Id;
>> > bh=f7kChJIPrUaTEZXIizmQd6A20Xu2MUdYf3GaZ5bir08=;
>> >
>> > How do I resolve this? Can anyone let me know where and what steps I need
>> > to take for resolving this issue?
>>
>> Step 1: Make sure that the DNS record with the public key that you are
>> signing with actually exists:
>>
>> [todd@tlyons ~]$ dig -t txt fusion5._domainkey.infiserver.com
>>
>> ; <<>> DiG 9.8.1-P1 <<>> -t txt fusion5._domainkey.infiserver.com
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34423
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;fusion5._domainkey.infiserver.com. IN    TXT
>>
>> ;; AUTHORITY SECTION:
>> infiserver.com.        10800    IN    SOA    ns1.infiserver.com.
>> yogendra.m.ligerhost.com. 2014070705 86400 7200 3600000 86400
>>
>> ;; Query time: 275 msec
>> ;; SERVER: 192.168.100.10#53(192.168.100.10)
>> ;; WHEN: Tue Jul 8 05:00:00 2014
>> ;; MSG SIZE rcvd: 112
>>
>> Since it does not exist, add that record, reload the zone, and then
>> repeat the test. You are still subject to negative cache timeout in
>> whatever DNS resolvers are being used by whatever mail service you are
>> testing with (appears to be Gmail in this case). The negative cache
>> time is defined in your SOA record, which, as shown above, is 86400
>> seconds, which is 24 hours. That means it may take up to 24 hours for
>> Google's caching resolvers to "forget" the previous answers they got
>> from your DNS server and ask for the zone again. You can do a
>> relatively accurate check by doing a direct dig against Google's
>> public DNS resolvers at 8.8.8.8 and 8.8.4.4.
>>
>> ...Todd
>> --
>> The total budget at all receivers for solving senders' problems is $0.
>> If you want them to accept your mail and manage it the way you want,
>> send it the way the spec says to. --John Levine
>
>

--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
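Todd's Step 1 in the quoted reply, worked through in code: which DNS name a verifier derives from the DKIM-Signature header, whether a published TXT record is usable, and how long an NXDOMAIN answer may stay cached according to the SOA. This is an added example, not code from the thread or from Exim; the inputs are constructed from the values quoted above, and the p= value is a placeholder.

```python
"""Offline checks for the DKIM DNS setup discussed in the thread."""
import re

# Constructed inputs: the DKIM-Signature and SOA rdata quoted in the thread,
# plus a hypothetical TXT record with a placeholder public key.
SIGNATURE = ("v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; "
             "d=infiserver.com; s=fusion5; h=Date:From:Message-Id; "
             "bh=f7kChJIPrUaTEZXIizmQd6A20Xu2MUdYf3GaZ5bir08=;")
SOA = ("ns1.infiserver.com. yogendra.m.ligerhost.com. "
       "2014070705 86400 7200 3600000 86400")
TXT_EXAMPLE = '"v=DKIM1; k=rsa; " "p=BASE64-PUBLIC-KEY-PLACEHOLDER"'


def parse_tags(value):
    """Split a DKIM tag=value list (header or TXT record) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = val.strip()
    return tags


def selector_record_name(signature_header):
    """The name a verifier queries: <selector>._domainkey.<signing domain>.
    Note it is built from d=, not from the From: domain of the message."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def negative_cache_seconds(soa_rdata):
    """The last SOA field is the negative-caching TTL (RFC 2308), i.e. how
    long resolvers may keep remembering an NXDOMAIN for the selector name."""
    return int(soa_rdata.split()[-1])


def check_txt_record(txt_rdata):
    """Join the quoted strings of a TXT answer (dig prints long records as
    several strings), then require v=DKIM1 (if present) and a non-empty p=.
    Returns (ok, reason)."""
    joined = "".join(re.findall(r'"([^"]*)"', txt_rdata)) or txt_rdata
    tags = parse_tags(joined)
    if tags.get("v", "DKIM1") != "DKIM1":
        return False, "v= must be DKIM1"
    if not tags.get("p"):
        return False, "p= missing or empty (an empty p= means the key is revoked)"
    return True, "record looks usable"
```

With a live answer, feed the output of `dig +short TXT <name> @8.8.8.8` to check_txt_record; querying Google's resolver directly shows what it currently holds, including a cached negative answer.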