How I do multiple domains with opendkim (by hand...)

Hello,

I have played a bit with virtualmin’s opendkim implementation, but don’t see what I want. Perhaps I can learn how to do it…one of these days…

Please see my notes at the end to avoid virtualmin stepping on your settings.

I configured opendkim a couple of years ago by hand according to the readme file for complex configurations. The idea is that for each domain you serve, you can have a different key that does the signing. Perhaps it’s a bit nutty on my part, but…

Warning: this might cause conflicts because you are doing things behind the virtualmin scene!

http://www.opendkim.org/opendkim-README

I will include the contents of my config files. To my knowledge, there isn’t a webmin/virtualmin module that does this type of setup.

I use ubuntu 12 and 14 but I think this COULD be os-agnostic…

So here's how it works (please refer to the file contents below). I send an email FROM eroidev.com. The outgoing headers and body are passed through opendkim. opendkim decides which headers to sign and which key to sign them with. The process starts with the SigningTable: look up "eroidev.com" and find "eroi._domainkey.eroidev.com". THEN look up eroi._domainkey.eroidev.com in the KeyTable to get the domain, selector, and private key to use. opendkim hashes the body and the selected headers and signs the result with that private key (DKIM signs; nothing is encrypted, so the message stays readable). The signature is added in its own header, "DKIM-Signature:", alongside the other information a verifier needs: the signing domain (d=), selector (s=), signing algorithm (a=), the list of signed headers (h=), the body hash (bh=), etc.

The receiving mail server (to whom the message is sent) looks up the following record in DNS:

 <selector>._domainkey.<domainname>

In my example's case that is "eroi._domainkey.eroidev.com", for which it receives the following reply:

eroi._domainkey.eroidev.com. 3600 IN TXT "v=DKIM1; r=postmaster; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDyp4U5Be2WsNEKI1LY12luti8YMFNostFdz4jH7XdEyhpcoxsCt/Ds4fJ7oqRipLLH1Sju+/BUupzE6DcKG28oCdUSix/XjcTNKZQt/+Vqd4AmCX4kgiGaPuO2CoxKa1lbQ7Q61d5Pa6txQVJZmoGD6/E7g+0NW1hTkBAMVz9ZEwIDAQAB"

This DNS record carries the public-key half of the key pair. The receiver uses it to verify the signature over the listed headers and the body hash, so any change to a signed header or to the body after signing makes the signature fail. Two things worth noticing in this particular record: g=* is a tag from the older RFC 4871 that RFC 6376 dropped (verifiers ignore tags they do not recognize, so it is harmless but dead weight), and the p= value is a 1024-bit RSA key, which is the minimum size verifiers accept; RFC 8301 recommends 2048-bit keys for new deployments.

contents of my opendkim.conf file:

Syslog yes
UMask 002
KeyTable /etc/opendkim/KeyTable
SigningTable /etc/opendkim/SigningTable
ExternalIgnoreList /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts
OversignHeaders From

==================================
contents of my KeyTable:

eroi._domainkey.eroidev.com eroidev.com:eroi:/etc/opendkim/eroi.private
kesp._domainkey.eroi.com eroi.com:kesp:/etc/opendkim/kesp.private

==================================
contents of my SigningTable:

eroidev.com eroi._domainkey.eroidev.com
eroi.com kesp._domainkey.eroi.com

==================================
How to avoid virtualmin stepping on your settings:

change the name of your files:
/etc/opendkim.conf becomes /etc/opendkim.conf.jason

the other data tables go into the /etc/opendkim.jason directory (and the KeyTable, SigningTable, ExternalIgnoreList and InternalHosts paths inside the config have to be updated to match)

in ubuntu:
rename /etc/init.d/opendkim to /etc/init.d/opendkim.jason, and make sure the renamed script starts the daemon with -x /etc/opendkim.conf.jason, because opendkim reads /etc/opendkim.conf by default and will not find the renamed file on its own
update-rc.d opendkim remove
update-rc.d opendkim.jason defaults

I just did all of this, and virtualmin doesn’t even think opendkim is installed.

–jason
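The following is an added example, not code from the post above or from the opendkim project. It walks the two sides described in the post: on the sending side it follows the SigningTable to KeyTable chain for a From: address and builds the `<selector>._domainkey.<domain>` name a receiver will query; on the receiving side it parses the published TXT record and reads the RSA key size out of the base64 `p=` value with a minimal DER walker. The tables and the "DNS" dictionary are constructed copies of what the post shows; the lookup order (full address, then bare domain) is a simplification of opendkim's real matching, which also tries several wildcard forms; the DER walker assumes a well-formed RSA SubjectPublicKeyInfo and is not a general ASN.1 parser.

```python
"""Added example: opendkim table resolution and DKIM key-record checks (stdlib only)."""
import base64

# Constructed copies of the post's tables in opendkim's "file:" format
# (one "key value" pair per line; '#' starts a comment).
SIGNING_TABLE = """\
# From-domain    KeyTable entry to sign with
eroidev.com      eroi._domainkey.eroidev.com
eroi.com         kesp._domainkey.eroi.com
"""
KEY_TABLE = """\
# KeyTable name               signing-domain:selector:private-key-file
eroi._domainkey.eroidev.com   eroidev.com:eroi:/etc/opendkim/eroi.private
kesp._domainkey.eroi.com      eroi.com:kesp:/etc/opendkim/kesp.private
"""
# Constructed stand-in for DNS: the TXT record quoted in the post, strings joined.
DNS_TXT = {
    "eroi._domainkey.eroidev.com": (
        "v=DKIM1; r=postmaster; g=*; k=rsa; "
        "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDyp4U5Be2WsNEKI1LY12luti8YMFNostFdz4jH7XdEy"
        "hpcoxsCt/Ds4fJ7oqRipLLH1Sju+/BUupzE6DcKG28oCdUSix/XjcTNKZQt/+Vqd4AmCX4kgiGaPuO2CoxKa1l"
        "bQ7Q61d5Pa6txQVJZmoGD6/E7g+0NW1hTkBAMVz9ZEwIDAQAB"
    ),
}


def parse_table(text):
    """Parse a 'file:' table into {key: value}; keys are matched case-insensitively."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def resolve_signing_key(from_addr, signing_table, key_table):
    """Return (domain, selector, keyfile) opendkim would sign with, or None when the
    sender is not in the SigningTable and the message goes out unsigned.
    Assumption of this example: try the full address, then the bare domain."""
    from_addr = from_addr.lower()
    name = signing_table.get(from_addr) or signing_table.get(from_addr.rsplit("@", 1)[-1])
    if name is None:
        return None
    entry = key_table.get(name.lower())
    if entry is None:  # dangling reference: opendkim cannot sign with a key it cannot find
        raise KeyError(f"SigningTable names {name!r}, which is not in KeyTable")
    domain, selector, keyfile = entry.split(":", 2)
    return domain, selector, keyfile


def dkim_dns_name(selector, domain):
    """The record a receiver fetches: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def parse_dkim_record(txt):
    """Split a DKIM key record into its tag=value pairs (RFC 6376 section 3.6.1)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p_tag):
    """Return (modulus bits, public exponent) from the base64 SubjectPublicKeyInfo in p=."""
    spki = base64.b64decode("".join(p_tag.split()))
    tag, body, _ = _tlv(spki, 0)  # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if tag != 0x30:
        raise ValueError("p= is not a DER SubjectPublicKeyInfo")
    _, _alg, pos = _tlv(body, 0)
    tag, bits, _ = _tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING in public key")
    _, rsa, _ = _tlv(bits[1:], 0)  # RSAPublicKey SEQUENCE { n INTEGER, e INTEGER }
    _, n, pos = _tlv(rsa, 0)
    _, e, _ = _tlv(rsa, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def check_record(txt):
    """Return (problems, key bits) for a published record; problems is a list of strings."""
    tags, problems = parse_dkim_record(txt), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        problems.append("k=%s is not handled by this checker" % tags["k"])
    if "g" in tags:
        problems.append("g= is an RFC 4871 tag dropped by RFC 6376; verifiers ignore it")
    if "p" not in tags:
        return problems + ["p= is required"], 0
    if tags["p"] == "":
        return problems + ["p= is empty, the key is revoked"], 0
    bits, _exponent = rsa_key_bits(tags["p"])
    if bits < 1024:
        problems.append(f"{bits}-bit key: RFC 8301 verifiers must reject keys under 1024 bits")
    elif bits < 2048:
        problems.append(f"{bits}-bit key: RFC 8301 recommends at least 2048 bits")
    return problems, bits


if __name__ == "__main__":
    st, kt = parse_table(SIGNING_TABLE), parse_table(KEY_TABLE)
    for sender in ("jason@eroidev.com", "someone@example.net"):
        hit = resolve_signing_key(sender, st, kt)
        if hit is None:
            print(sender, "-> not in SigningTable, sent unsigned")
            continue
        domain, selector, keyfile = hit
        name = dkim_dns_name(selector, domain)
        print(sender, "-> sign with", keyfile, "-> receiver queries", name)
        if name in DNS_TXT:
            print("   record check:", check_record(DNS_TXT[name]))
```

Run it as-is to see both paths: a sender whose domain is in the SigningTable resolves to the eroi selector and its private key, and the record check on the post's TXT record reports the deprecated g= tag and the 1024-bit key; a sender from a domain that is absent from the SigningTable is reported as going out unsigned, which is the silent failure to look for when a new virtual domain is added to the mail server but not to the tables.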