I’m using the Virtualmin GPL version and wondering whether to upgrade to Pro; however, I tried to figure out some issues and all was unsuccessful.
The issue is whether in Virtualmin we are able to create multiple DKIM selectors for different virtual servers and domains.
As a result, I can say that every new domain and virtual server uses only one DKIM selector and processes a DNS record of the same key.
Isn’t it a potential security risk to use the same key for all domains?
I think DKIM is mainly about the mail server which in reality is one Postfix instance and configuration.
Sorry, couldn’t help but think of this.
“Behold, the fool saith, “Put not all thine eggs in the one basket” - which is but a matter of saying, “Scatter your money and your attention”; but the wise man saith, “Put all your eggs in the one basket and - WATCH THAT BASKET.” - Pudd’nhead Wilson’s Calendar”
Hi, thank you for the reply.
The Postfix server is one, but if one of the reseller users misses the key for a domain, the other clients using the same key may be vulnerable to spam on behalf of them?
End systems don’t ban on domain names. They ban on IP addresses. So no matter what the setup on your end, one user gets blocked, your server is blocked unless you can set them all up with different IPs in Postfix.
Generally the default settings work and are there for a purpose. Not saying they can’t be improved or tweaked, but in general, we end users tend to overthink some of this.
It’s a non-issue. Multiple DKIM selectors cannot be created and are not created in Virtualmin. The hostname is used with a user-specified selector, absent which a selector based on the current year is applied by default.
I don’t know DKIM in detail, so I want to ask what is the problem of using one selector and key if Virtualmin is the server from which mail for the domain can be sent? If you wanted to use a server for outgoing mail for a domain managed in Virtualmin other than the one with the Virtualmin installation, you would generate a new pair for the corresponding server and in Virtualmin you would insert the new set into the DNS record. It would always be signed by the server from which the mail leaves. Therefore, for one specific server, regardless of the number of domains, only one selector and one key are enough.
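To check which hosted domains really publish the same DKIM key, the TXT records can be compared directly. The following is an added example, not part of the thread and not Virtualmin code: it parses DKIM key records and groups the names that share one public key. The record names, the selector `2024` and the key bytes are constructed placeholders.

```python
import base64
import hashlib
import re
from collections import defaultdict

def parse_dkim_txt(txt):
    """Parse a DKIM key record (RFC 6376 tag=value list) into a dict."""
    # Long TXT values are published as several quoted strings; join them first.
    chunks = re.findall(r'"([^"]*)"', txt)
    joined = "".join(chunks) if chunks else txt
    tags = {}
    for part in joined.split(";"):
        name, sep, value = part.partition("=")  # base64 padding may contain '='
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags

def key_fingerprint(txt):
    """SHA-256 of the decoded p= value; None when p= is absent or empty (revoked)."""
    p = parse_dkim_txt(txt).get("p", "")
    if not p:
        return None
    return hashlib.sha256(base64.b64decode(p, validate=True)).hexdigest()

def shared_keys(records):
    """Return sorted groups of record names that publish the same public key."""
    groups = defaultdict(list)
    for name, txt in records.items():
        fp = key_fingerprint(txt)
        if fp is not None:
            groups[fp].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

# Constructed sample data: placeholder bytes, not real RSA keys.
KEY_A = base64.b64encode(b"constructed key material A").decode()
KEY_B = base64.b64encode(b"constructed key material B").decode()
SAMPLE = {
    "2024._domainkey.example.com": f'"v=DKIM1; k=rsa; p={KEY_A}"',
    "2024._domainkey.example.net": f'"v=DKIM1; k=rsa; p={KEY_A[:10]}" "{KEY_A[10:]}"',
    "2024._domainkey.example.org": f'"v=DKIM1; k=rsa; p={KEY_B}"',
    "old._domainkey.example.org": '"v=DKIM1; p="',  # empty p= means revoked
}

if __name__ == "__main__":
    for group in shared_keys(SAMPLE):
        print("same DKIM key:", ", ".join(group))
```

In practice the TXT values would come from a DNS lookup of `<selector>._domainkey.<domain>` for each hosted domain.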