如何让 DKIM 对子域和根域地址进行签名?

如何让 DKIM 对子域和根域地址进行签名?

我在 Ubuntu 20.04 上使用最新版本的 DKIM + Postfix,我获得了 DKIM 来签署电子邮件 [电子邮件保护]。但是它拒绝签署来自 @mydomain.com 的电子邮件。是否可以为两个电子邮件地址签名?如果可以,我该怎么做?

下面是我的 opendkim.conf

# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.

# Log to syslog
Syslog          yes
# Added later
SyslogSuccess           Yes
LogWhy                  Yes

# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask           007

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
Domain          smtpmail.rapidseohost.com
KeyFile         /etc/dkimkeys/smtpmail.private
Selector        smtpmail

# Commonly-used options; the commented-out versions show the defaults.
Canonicalization    relaxed/simple
#Mode           sv
SubDomains      yes

# Socket smtp://localhost
#
# ##  Socket socketspec
# ##
# ##  Names the socket where this filter should listen for milter connections
# ##  from the MTA.  Required.  Should be in one of these forms:
# ##
# ##  inet:port@address           to listen on a specific interface
# ##  inet:port                   to listen on all interfaces
# ##  local:/path/to/socket       to listen on a UNIX domain socket
#
Socket                  inet:8891@localhost
#Socket         local:/run/opendkim/opendkim.sock

##  PidFile filename
###      default (none)
###
###  Name of the file where the filter should write its pid before beginning
###  normal operations.
#
PidFile               /run/opendkim/opendkim.pid


# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier.  From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders     From

##  ResolverConfiguration filename
##      default (none)
##
##  Specifies a configuration file to be passed to the Unbound library that
##  performs DNS queries applying the DNSSEC protocol.  See the Unbound
##  documentation at http://unbound.net for the expected content of this file.
##  The results of using this and the TrustAnchorFile setting at the same
##  time are undefined.
##  In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
##  unbound package

# ResolverConfiguration     /etc/unbound/unbound.conf

##  TrustAnchorFile filename
##      default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol.  See the Unbound documentation
## at http://unbound.net for the expected format of this file.

TrustAnchorFile       /usr/share/dns/root.key

##  Userid userid
###      default (none)
###
###  Change to user "userid" before starting normal operation?  May include
###  a group ID as well, separated from the userid by a colon.
#
UserID                opendkim

答案1

您也可以使用SigningTableKeyTable选项来解决这个问题。

编辑您的示例时,我注释掉了旧的DomainKeyFile、 &Selector选项。这并不是严格要求的,因为当SigningTableKeyTable存在时,它们会被忽略:

# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
# These options are ignored if you use SigningTable / KeyTable
# Domain          smtpmail.rapidseohost.com
# KeyFile         /etc/dkimkeys/smtpmail.private
# Selector        smtpmail

# Use tables to map domain (host) names to keys
SigningTable      refile:/etc/opendkim/signing_table
# This doesn’t necessarily need to be a refile, a plain file works most of the time
KeyTable          refile:/etc/opendkim/key_table

然后您需要创建/etc/opendkim/signing_table从通配符电子邮件到键名的映射:

# email                         key name
*@smtpmail.rapidseohost.com     smtpmail
*@rapidseohost.com              smtpmail

并创建/etc/opendkim/key_table将键名映射到元组的domain:selector:key_file

# key name  domain:selector:key_file
smtpmail    rapidseohost.com:smtpmail-2023-07:/etc/dkimkeys/smtpmail-2023-07.private

domain记录的部分可以KeyTable用 替换%。在这种情况下,“表观域”(包括任何主机名)将被替换。元组%部分中key_file的 也被“表观域”替换。这样您就可以在 中为多个域设置一条记录KeyTable,并为每个域创建密钥文件。

举例来说:

all_domains     %:dkim-2023-07:/etc/dkimkeys/%-2023-07.private

笔记:建议您定期轮换 DKIM 密钥。建议每 6 个月轮换一次。这就是我在选择器和密钥文件上添加年份和月份的原因。

需要旋转时,你可以

  1. 用新的选择器和密钥文件替换此行。
  2. 添加将新的选择器记录添加到您的 DNS,而不是替换现有的。

这样做应该可以避免下游服务器尝试验证您已替换的密钥时出现任何竞争条件。

答案2

我能够使用以下帖子中的信息解决这个问题: DKIM 具有相同的密钥但不同的域

基本上我在 opendkim.conf 中添加了一个根域:

Domain                  smtpmail.rapidseohost.com,rapidseohost.com

然后添加相应的域名TXT记录DNS。

相关内容