I am using the latest version of DKIM + Postfix on Ubuntu 20.04, and I got DKIM to sign emails for [email protected]. But it refuses to sign emails coming from @mydomain.com. Is it possible to sign for both email addresses? If so, how do I do it?
Below is my opendkim.conf
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Added later
SyslogSuccess Yes
LogWhy Yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain smtpmail.rapidseohost.com
KeyFile /etc/dkimkeys/smtpmail.private
Selector smtpmail
# Commonly-used options; the commented-out versions show the defaults.
Canonicalization relaxed/simple
#Mode sv
SubDomains yes
# Socket smtp://localhost
#
# ## Socket socketspec
# ##
# ## Names the socket where this filter should listen for milter connections
# ## from the MTA. Required. Should be in one of these forms:
# ##
# ## inet:port@address to listen on a specific interface
# ## inet:port to listen on all interfaces
# ## local:/path/to/socket to listen on a UNIX domain socket
#
Socket inet:8891@localhost
#Socket local:/run/opendkim/opendkim.sock
## PidFile filename
### default (none)
###
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /run/opendkim/opendkim.pid
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian package
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
Answer 1
You can also use the SigningTable and KeyTable options to solve this.
When editing your example, I commented out the old Domain, KeyFile and Selector options. That is not strictly required, since they are ignored when SigningTable and KeyTable are present:
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
# These options are ignored if you use SigningTable / KeyTable
# Domain smtpmail.rapidseohost.com
# KeyFile /etc/dkimkeys/smtpmail.private
# Selector smtpmail
# Use tables to map domain (host) names to keys
SigningTable refile:/etc/opendkim/signing_table
# This doesn’t necessarily need to be a refile, a plain file works most of the time
KeyTable refile:/etc/opendkim/key_table
Then you need to create /etc/opendkim/signing_table, mapping wildcard email addresses to key names:
# email key name
*@smtpmail.rapidseohost.com smtpmail
*@rapidseohost.com smtpmail
and create /etc/opendkim/key_table, mapping key names to domain:selector:key_file tuples:
# key name domain:selector:key_file
smtpmail rapidseohost.com:smtpmail-2023-07:/etc/dkimkeys/smtpmail-2023-07.private
The domain part of a KeyTable record can be replaced with %. In that case the "apparent domain" (including any hostname) is substituted. The % in the key_file part of the tuple is also replaced with the "apparent domain". This lets you set up a single record in the KeyTable for multiple domains, and create one key file per domain.
For example:
all_domains %:dkim-2023-07:/etc/dkimkeys/%-2023-07.private
Note: it is recommended that you rotate DKIM keys regularly; every 6 months is the suggested interval. That is why I added the year and month to the selector and key file.
When you need to rotate, you can
- replace this line with the new selector and key file.
- add the new selector record to your DNS instead of replacing the existing one.
Doing so should avoid any race condition where downstream servers try to verify a key you have already replaced.
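To check a SigningTable/KeyTable pair before restarting OpenDKIM, the following added script (not part of the answer above, written here for illustration) parses both tables, applies the refile wildcard matching and the % substitution described in the answer, and reports which domain, selector and key file a given From address would be signed with, plus the DNS TXT name that selector must resolve to. The sample tables are constructed to mirror the answer; first-match-in-file-order is an assumption of this model.

```python
import re

# Constructed sample tables, laid out like the answer's signing_table and key_table.
SIGNING_TABLE = """\
# email key name
*@smtpmail.rapidseohost.com smtpmail
*@rapidseohost.com smtpmail
"""
KEY_TABLE = """\
# key name domain:selector:key_file
smtpmail rapidseohost.com:smtpmail-2023-07:/etc/dkimkeys/smtpmail-2023-07.private
all_domains %:dkim-2023-07:/etc/dkimkeys/%-2023-07.private
"""

def parse_table(text):
    """Return (key, value) rows, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            rows.append((key, value))
    return rows

def refile_match(pattern, address):
    """refile semantics: '*' matches any run of characters, the rest is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, address, re.IGNORECASE) is not None

def resolve_signing(from_addr, signing_table=SIGNING_TABLE, key_table=KEY_TABLE):
    """Return (domain, selector, key_file) for from_addr, or None if it would not be signed."""
    apparent_domain = from_addr.rsplit("@", 1)[1].lower()
    keys = dict(parse_table(key_table))
    for pattern, key_name in parse_table(signing_table):  # assumed: first match wins
        if refile_match(pattern, from_addr):
            domain, selector, key_file = keys[key_name].split(":", 2)
            # '%' in the domain and key_file fields stands for the apparent domain
            return (domain.replace("%", apparent_domain), selector,
                    key_file.replace("%", apparent_domain))
    return None

def dns_txt_name(domain, selector):
    """Name of the TXT record verifiers will query for this selector/domain pair."""
    return f"{selector}._domainkey.{domain}"

if __name__ == "__main__":
    for addr in ("user@smtpmail.rapidseohost.com", "admin@rapidseohost.com", "x@example.org"):
        hit = resolve_signing(addr)
        print(addr, "->", hit and (hit, dns_txt_name(hit[0], hit[1])))
```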
Answer 2
I was able to solve this using the information in the following post: DKIM with the same key but different domains
Basically I added the root domain in opendkim.conf:
Domain smtpmail.rapidseohost.com,rapidseohost.com
Then I added the corresponding TXT record for that domain to DNS.