Szerző: Richard James Salts Dátum: Címzett: exim users, Odhiambo Washington Tárgy: Re: [exim] DKIM signing for multiple domains
On Friday, 28 September 2018 2:19:10 PM AEST Odhiambo Washington wrote: > On Wed, 26 Sep 2018 at 08:47, Richard James Salts via Exim-users <
>
> exim-users@???> wrote:
> > On Tuesday, 25 September 2018 10:28:42 AM AEST Odhiambo Washington via
> > Exim-users
> >
> > wrote:
> > > Hi everyone,
> > >
> > > I have multiple domains hosted on the same server. They are virtual
> > > domains. The server has just one IP address and one Exim instance.
> > > I am wondering how to easily do DKIM signing for these domains. I
> > > decided
> > > to use the same selector for all the domains to make life easy. Would
> > > the
> > > following transport work? If not, what is the best way to do this for
> > > multiple domains sharing the same IP address?
> > >
> > > remote_smtp_DK:
> > > driver = smtp
> > > dkim_domain = ${sender_address_domain}
> > > dkim_selector = csl
> > > dkim_private_key =
> > >
> > > "/etc/pki/tls/dk/${sender_address_domain}-dkim.priv.key"
> > >
> > > dkim_canon = relaxed
> > > dkim_strict = true
> >
> > I use dkim_domain =
> > ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}
> > {match_domain{$item}{+local_domains}}}
> > which will match any addresses in a from field that are local, in addition
> > if dkim_domain is a
> > list it will sign with multiple signatures (e.g. From: <user1@local1>,
> > <user2@local2>,
> > <user3@remote> will add dkim signature for local1 and local2 domains.
>
> Hi Richard
>
> When I use your dkim_domain option, the mail does not get signed, but mails
> get signed using my option
>
> dkim_domain = ${if
> exists{/etc/pki/tls/dk/${lc:$sender_address_domain}-dkim.priv.key}{${lc:$sen
> der_address_domain}}{}} #dkim_domain =
> ${filter{${map{${addresses:$h_from:}}{${domain:$item}}}}{match_domain{$item}
> {+local_domains}}}
>
> How can I test your expansion manually? As Jeremy suggested you can use exim -bem /path/to/message, you probably want
a combination of mine and yours in the expansion as you're testing on the
existence of a key for a particular domain whereas I'm signing for all domains
considered local with the same key. Maybe instead of the {match_domain ...}
part of the filter you should instead use your {${if exists{/etc/pki/tls/dk/$
{lc:$item}-dkim.priv.key}} or something like that.