Closed ricardopolo closed 5 years ago
Just lack of need from the person/people who wrote the plugin.
Can you define how you envision the config looking for such a setup?
I second this request. We allow sending over our Haraka from many domains. We tell our customers to use a cname dns entry for our dkim record. Would be great if Haraka would allow that, too.
https://github.com/haraka/Haraka/blob/7632d69d73f42c8b616ee2d4337230e58e13416e/docs/plugins/dkim_sign.md Won't it match? I think it's already implemented...
I'm with logvik here. I think this is possible with the current version? I don't see why this wouldn't work? The dkim generated by the tool is not domain specific: https://github.com/haraka/Haraka/blob/master/config/dkim/dkim_key_gen.sh#L36 so you can simply duplicate the directory to another domain.
Even better than duplicating is symlinks (not tested, YMMV)
I just completed a plugin that does this exact thing, based on @msimerson recommendation: https://github.com/niiknow/dockers/blob/master/haraka/rootfs/sysprepz/plugins/dkim_bouncer.js#L41
Migrated to wiki.
Currently this feature can be achieved by creating a DKIM key In The Usual Way for example.com. Then, for each additional domain, create a symlink (ln -s example.com domain2.com) to the initial DKIM key directory. When the DKIM signing plugin checks for the existence of domain2.com, it exists and signs with that key and the domain domain2.com.
Create a specially named DKIM signing key, such as default. Extend the DKIM signing plugin to check for the existence of domain2.com and then default. That avoids the need to create lots of symlinks in config/dkim/ for each additional domain.
In our infrastructure we allow to sign from multiple domains but using the same keys.
Based on the question, I understand that it is secure. http://serverfault.com/questions/785151/dkim-with-same-key-but-different-domains
You currently allow:
We found it very difficult to maintain a new key for every domain. So we ended up using the same key but with different domains. Why not allow that?