haraka / haraka-plugin-dkim

Haraka dkim plugin
https://www.npmjs.com/package/haraka-plugin-dkim
MIT License

DKIM with same key but using different domains #5

Closed ricardopolo closed 5 years ago

ricardopolo commented 8 years ago

In our infrastructure we allow signing from multiple domains but using the same keys.

Based on this question, I understand that it is secure: http://serverfault.com/questions/785151/dkim-with-same-key-but-different-domains

You currently allow:

  1. Sign all email with the same domain/key (legacy and not secure)
  2. Sign all email with different keys per domain

We found it very difficult to maintain a new key for every domain. So we ended up using the same key but with different domains. Why not allow that?

baudehlo commented 8 years ago

Just lack of need from the person/people who wrote the plugin.

Can you define how you envision the config looking for such a setup?

thenitai commented 7 years ago

I second this request. We allow sending over our Haraka from many domains. We tell our customers to use a cname dns entry for our dkim record. Would be great if Haraka would allow that, too.

logvik commented 7 years ago

https://github.com/haraka/Haraka/blob/7632d69d73f42c8b616ee2d4337230e58e13416e/docs/plugins/dkim_sign.md Won't that match? I think it's already implemented...

noogen commented 6 years ago

I'm with logvik here. I think this is possible with the current version? I don't see why this wouldn't work? The dkim generated by the tool is not domain specific: https://github.com/haraka/Haraka/blob/master/config/dkim/dkim_key_gen.sh#L36 so you can simply duplicate the directory to another domain.

msimerson commented 6 years ago

Even better than duplicating is symlinks (not tested, YMMV)

noogen commented 6 years ago

I just completed a plugin that does this exact thing, based on @msimerson recommendation: https://github.com/niiknow/dockers/blob/master/haraka/rootfs/sysprepz/plugins/dkim_bouncer.js#L41

  1. You must have a default-domain dkim in the config/me file and under config/dkim/default-domain folder.
  2. The plugin validates against DNS to determine if you have a valid DKIM; otherwise, it bails out, hence the name dkim_bouncer.

msimerson commented 5 years ago

Migrated to wiki.

Status Quo

Currently this feature can be achieved by creating a DKIM key in the usual way for example.com. Then, for each additional domain, create a symlink (ln -s example.com domain2.com) to the initial DKIM key directory. When the DKIM signing plugin checks for the existence of domain2.com, it exists and signs with that key and the domain domain2.com.

Suggested Change

Create a specially named DKIM signing key, such as default. Extend the DKIM signing plugin to check for the existence of domain2.com and then default. That avoids the need to create lots of symlinks in config/dkim/ for each additional domain.