[SOLVED] Help with DKIM key pairs

Jun 10, 2021
use case: multi tenant mail gateway

If I understand DKIM correctly, a key pair has to be generated for each domain.

However, pmg only has the ability to use one private key.

How can pmg sign emails for multiple domains with only one key?

I don't think it'll work, or I don't fully understand how DKIM works.

Please help!
 
If I understand DKIM correctly, a key pair has to be generated for each domain.
Not necessarily - from RFC6376 (https://datatracker.ietf.org/doc/html/rfc6376):
Signers

Elements in the mail system that sign messages on behalf of a domain
are referred to as Signers. These may be MUAs (Mail User Agents),
MSAs (Mail Submission Agents), MTAs (Mail Transfer Agents), or other
agents such as mailing list exploders.
....

A DKIM signature should just ensure that the signing entity (your PMG) has seen that message and trusts its origin.

Which is the private key and which is the public key?
The DNS TXT record as presented in the GUI is just the DNS text record (it contains the public key after the 'p=').
The format is what opendkim-genkey outputs (which is a line that you can directly enter into a bind zone file).
You need to add the DNS record to the zone file of each domain for which you would like to sign mail - sometimes it might be necessary to edit the output
(remove the quotes (") and stick both parts of the private key together).

The private key can be found in /etc/pmg/dkim/<selector>.private

I hope this explains it!
 
I had the same question and I do not feel the above answered it. Now I know where to find the private key if I have just one domain, but I have 5 different domains. They share the same selector but the private keys generated some time ago (on a Synology MailPlus server) obviously differ from another. So, my question is: how to tie the private keys with the domains I own on PMG?
 
Please open a fresh thread if the alternative is one that has been marked as SOLVED for 2 years.

PMG currently supports one private-key for all signing (and one selector)

just configure your domains with the same public-key record
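As an added illustration of the two points above (editing the opendkim-genkey output and publishing the same public-key record under every domain), the following Python script is not from the thread or from PMG: it joins the quoted chunks of a zone-file TXT line into one value, sanity-checks the DKIM tags, and emits one `<selector>._domainkey.<domain>` record per domain. The selector `pmg`, the domains and the base64 after `p=` are constructed sample values, not a real key.

```python
import base64
import re

# Constructed sample in the shape opendkim-genkey writes to <selector>.txt.
# A TXT character-string is limited to 255 bytes, so the zone file splits the
# value into several quoted strings that resolvers concatenate. The base64 is
# constructed filler, NOT a real RSA public key.
GENKEY_OUTPUT = (
    'pmg._domainkey\tIN\tTXT\t( "v=DKIM1; h=sha256; k=rsa; "\n'
    '\t  "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"\n'
    '\t  "QUJDREVGR0hJSktMTU5PUA==" )  ; ----- DKIM key pmg for example.com'
)


def join_txt_value(zone_line: str) -> str:
    """Strip the quotes and concatenate all quoted chunks into one TXT value,
    which is what most DNS provider GUIs expect to be pasted."""
    parts = re.findall(r'"([^"]*)"', zone_line)
    if not parts:
        raise ValueError("no quoted TXT strings found in zone line")
    return "".join(parts)


def parse_dkim_record(value: str) -> dict:
    """Parse 'tag=value; ...' into a dict and check the record is usable."""
    tags = {}
    for field in value.split(";"):
        field = field.strip()
        if field:
            tag, _, val = field.partition("=")
            tags[tag.strip()] = val.strip()
    if tags.get("v") != "DKIM1":
        raise ValueError("record does not start with v=DKIM1")
    # p= must be valid base64; an empty p= means the key has been revoked.
    base64.b64decode(tags.get("p", ""), validate=True)
    return tags


def records_for_domains(zone_line: str, selector: str, domains) -> dict:
    """Return {fqdn: txt_value} for every domain, all carrying the same
    public key: one signing key and one selector shared by all domains."""
    value = join_txt_value(zone_line)
    parse_dkim_record(value)  # fail early on a malformed record
    return {f"{selector}._domainkey.{d}": value for d in domains}


if __name__ == "__main__":
    for name, txt in records_for_domains(
        GENKEY_OUTPUT, "pmg", ["example.com", "example.org"]
    ).items():
        print(f"{name}\tTXT\t{txt}")
```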
 
