Hi.
I have spent a couple of hours on Google, trying to figure out how to
send signed mails from one domain using another. I hope someone here
can help me out.
Here is my setup:
I have a Postfix setup on a server with multiple domains. I have a
mail server called mail.example.com and three other domains called
huey-duck.com, dewey-duck.com and louie-duck.com.
I use the huey-duck.com, dewey-duck.com and louie-duck.com as "From:"
address in my emails, but use mail.example.com in the Message-ID, the
Return-Path and for reverse IP for the domain name (mail.example.com).
I have configured OpenDKIM so it works for "From:
user@mail.example.com", but when I try to send using "From:
user@huey-duck.com", I get an error in my mail.log with the message:

Nov 23 18:19:07 s opendkim[18752]: DA3846510F3 no signing domain match for `huey-duck.com'
Nov 23 18:19:07 s opendkim[18752]: DA3846510F3 no signing subdomain match for `huey-duck.com'
Nov 23 18:19:08 s opendkim[18752]: DA3846510F3: no signature data

Which makes sense, since the DKIM-Signature does not hold the location
of the public key.
Here is my question: Can I use OpenDKIM to add "d=mail.example.com;
i=@mail.example.com;" to the DKIM-Signature, so I can send with
another "From:" address? I have seen this being done elsewhere, but I
can't figure out how I set it up -- or if it's "legal". Am I able to
do it with OpenDKIM?
Hope I have posed the question so it is understandable -- also for
others with a similar problem.
Regards
Simon

From http://tools.ietf.org/html/rfc6376: (mostly for others to search
for the solution)

   d= The SDID claiming responsibility for an introduction of a message
      into the mail stream (plain-text; REQUIRED). Hence, the SDID
      value is used to form the query for the public key. The SDID MUST
      correspond to a valid DNS name under which the DKIM key record is
      published. The conventions and semantics used by a Signer to
      create and use a specific SDID are outside the scope of this
      specification, as is any use of those conventions and semantics.
      When presented with a signature that does not meet these
      requirements, Verifiers MUST consider the signature invalid.

      Internationalized domain names MUST be encoded as A-labels, as
      described in Section 2.3 of [RFC5890].

      ABNF:

      sig-d-tag   = %x64 [FWS] "=" [FWS] domain-name
      domain-name = sub-domain 1*("." sub-domain)
                    ; from [RFC5321] Domain,
                    ; excluding address-literal

   i= The Agent or User Identifier (AUID) on behalf of which the SDID is
      taking responsibility (dkim-quoted-printable; OPTIONAL, default is
      an empty local-part followed by an "@" followed by the domain from
      the "d=" tag).

Received on Wed Nov 23 2011 - 18:33:02 PST
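
The following Python is an added example, not part of the original message and not OpenDKIM code. It shows how a verifier uses the tags quoted above: it validates d= against the quoted ABNF, builds the public-key DNS query name from s= and d=, applies the i= default, and reports whether the From: domain differs from the SDID. The selector "mail", the function names and the sample header are assumptions made for illustration.

```python
import re

# sub-domain / domain-name as in the ABNF quoted above (A-labels, at least two labels)
_SUB = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_DOMAIN = re.compile(rf"{_SUB}(?:\.{_SUB})+\Z")

def parse_tags(value):
    """Split a DKIM-Signature tag-list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def signer_view(sig_value, from_addr):
    """Return what a verifier derives from d=, s= and i= for one signature."""
    tags = parse_tags(sig_value)
    d, s = tags.get("d", "").lower(), tags.get("s", "")
    if not _DOMAIN.match(d) or not s:
        raise ValueError("missing or malformed d=/s=: signature is invalid")
    # Default AUID: empty local-part + "@" + d= (quoted-printable decoding of i= is omitted here)
    auid = tags.get("i", "@" + d).lower()
    auid_domain = auid.rsplit("@", 1)[-1]
    # RFC 6376: the domain part of i= must be d= itself or a subdomain of it
    if auid_domain != d and not auid_domain.endswith("." + d):
        raise ValueError("i= domain is neither d= nor a subdomain of it")
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    return {
        "key_query": f"{s}._domainkey.{d}",       # DNS TXT name that holds the public key
        "auid": auid,
        "from_matches_sdid": from_domain == d,     # False means a third-party signature
    }

# Constructed sample header value: selector and bh=/b= values are placeholders.
SAMPLE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=mail.example.com; s=mail;\r\n"
          "\th=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")

if __name__ == "__main__":
    print(signer_view(SAMPLE, "user@huey-duck.com"))
```

The key lookup depends only on s= and d=, never on the From: address, so the public key for a signature with d=mail.example.com is fetched from under mail.example.com even when the message is From: huey-duck.com.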