RE: how to setup opendkim for signing all outgoing mails

From: Murray S. Kucherawy <msk_at_cloudmark.com>
Date: Tue, 8 May 2012 16:53:18 +0000

> -----Original Message-----
> From: opendkim-users-bounce_at_lists.opendkim.org [mailto:opendkim-users-bounce_at_lists.opendkim.org] On Behalf Of Matthias Weiss
> Sent: Tuesday, May 08, 2012 2:17 AM
> To: opendkim-users_at_lists.opendkim.org
> Subject: how to setup opendkim for signing all outgoing mails
>
> We are running a website that also has a blogging feature. A reader can
> contact the author via a webform where he/she can enter his/her email
> address, specify a subject and write a message body. When they click on the "send"
> button the website generates an email and sends it via the postfix MTA.
>
> So we have the situation where the generated emails have different "From"
> entries, always the same envelope "MAIL FROM" and always the same "Sender"
> address entry. We also want to sign *all* of our mails with opendkim.
>
> The problem is - I haven't found a configuration setup with opendkim
> that allows us to sign all mails with the key of our domain when the "From"
> address is not from our domain.
> A solution is using the "SenderHeaders csl:Sender" configuration but I'm
> a little bit concerned that if we have an error in our website
> configuration and the "Sender" field isn't set then we're sending
> unsigned emails.
>
> Can anyone suggest a solution where all of our mails are always signed
> with our domain key?

If the Sender field is always the same, then you can use that to make the signing choice. So you're on the right track with your use of SenderHeaders. Then, I suggest a SigningTable that reads:

your-sender-address somekey

...and a KeyTable that reads:

somekey signing-domain:selector:/path/to/signing/key

This will sign all mail with a Sender: header field containing "your-sender-address" by adding a signature with a "d=" of "signing-domain" and an "s=" of "selector" using the private key found in /path/to/signing/key. It will sign everything this way, regardless of what's in the Sender: field.

Let us know if that works.

-MSK
Received on Tue May 08 2012 - 16:53:32 PST
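
Added example, not part of the original message or of OpenDKIM: a simplified Python model of the Sender-based lookup discussed in this thread, showing which messages get a signature and the unsigned case the question worries about. The address webform@example.com, the domain example.com and the selector sel1 are constructed placeholders, and only the exact-address SigningTable match is modelled, not OpenDKIM's domain or wildcard fallbacks.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed table contents following the reply's layout; the address,
# domain and selector are placeholder values, not taken from the thread.
SIGNING_TABLE = "webform@example.com somekey\n"
KEY_TABLE = "somekey example.com:sel1:/path/to/signing/key\n"
SENDER_HEADERS = ["Sender"]  # as in "SenderHeaders csl:Sender"

# Constructed sample messages: From differs, Sender is fixed or absent.
SAMPLES = {
    "normal": "From: reader@other.example\nSender: webform@example.com\n\nhi\n",
    "other_from": "From: bob@third.example\nSender: webform@example.com\n\nhi\n",
    "sender_missing": "From: reader@other.example\nSubject: hi\n\nhi\n",
}


def parse_table(text):
    """Parse 'key value' lines, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key.lower()] = value.strip()
    return table


def signing_decision(raw_message):
    """Return (d=, s=) for the signature, or None if the mail goes unsigned."""
    msg = message_from_string(raw_message)
    signing, keys = parse_table(SIGNING_TABLE), parse_table(KEY_TABLE)
    for header in SENDER_HEADERS:
        address = parseaddr(msg.get(header, ""))[1].lower()
        if address:
            break
    else:
        return None  # none of the listed headers is present: no lookup key
    key_name = signing.get(address)
    if key_name is None or key_name not in keys:
        return None  # no SigningTable match, or dangling KeyTable reference
    domain, selector, _key_path = keys[key_name].split(":", 2)
    return domain, selector


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, signing_decision(raw) or "UNSIGNED")
```

Running the same check over a sample of real outbound messages from the web application is a quick way to spot templates that forget to set Sender before they reach the milter.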
