dkim multiple domain

virus

Mar 30, 2023
Hello, I have a Proxmox Mail Gateway in the latest version. Is it possible to set up DKIM for three domains such as test1.aaa.com, test2.aaa.com, and test3.aaa.com?
 
Can I set separate 2048-bit keys for the domains test.com and test1.test.com with only access to the Proxmox GUI and not the shell? Is it enough to generate keys using a DKIM key generator online and add them to the DNS? And if the key is long enough, how do I include it in the DNS?
 
Can I set separate 2048-bit keys
no, currently each PMG cluster only uses one key for signing

no need for any generators (I would also recommend against using an external web-service to generate private keys) - just create the selector in the GUI - you can view the necessary DNS-record (in the format that opendkim also outputs) there as well
 
Proxmox doesn't have all the required details in their documentation for properly configuring DKIM signing. Here is how I got it configured and working correctly:
1. Create a new DKIM record for your primary domain here: https://easydmarc.com/tools/dkim-record-generator. You will be provided with a DNS record, public and private key. Keep this page open!
2. Be sure to create the DKIM record in your DNS for that domain using the appropriate selector
3. In Proxmox Mail Gateway, navigate to Configuration > Mail Proxy > DKIM
4. In the Settings area, click the Selector row and then the Edit button
5. Enter the name of the selector you just created in the record generator tool. Ex. relay (do not include the ._domainkey portion of the record!)
6. Choose a key size of 2048 and tick the Overwrite existing file
7. Click update
8. Now SSH to the master Proxmox host
9. Change to /etc/pmg/dkim folder
10. Edit the file named relay.private (the file will be named in the format [selector].private)
11. Empty the file, paste the private key provided in step 1 into the file, and save the changes
12. The file only needs permissions of 0600
13. DO NOT change this file unless you generate a new DKIM record!!!!
14. Add the SAME DKIM record to each domain for which you want the gateway to sign outbound messages. This key will have the same selector name and same content for every domain that your gateway signs!
15. Once you save the private key, it will get replicated to other hosts in the cluster.
16. Now your outbound relayed domains will be DKIM signed and will validate so long as the DKIM records exist in DNS for the domain.

If you change the DKIM record on your main domain, you will need to change the record on EVERY domain that your gateway is signing to match.

Also make sure your SPF records are correct so DKIM is used correctly.
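An added example, not part of any post above and not Proxmox code: it shows how a 2048-bit DKIM record is split into TXT strings of at most 255 bytes, and checks that every signed domain publishes the same key the gateway displays. The key material is a constructed placeholder, and the published values stand in for what `dig +short TXT relay._domainkey.<domain>` would return.

```python
import re

MAX_TXT = 255  # RFC 1035: a single TXT character-string holds at most 255 bytes

def split_txt(record):
    """Render a long DKIM record as quoted <=255-byte strings for a zone file."""
    chunks = [record[i:i + MAX_TXT] for i in range(0, len(record), MAX_TXT)]
    return " ".join('"%s"' % c for c in chunks)

def join_txt(rdata):
    """Rejoin the quoted strings of a TXT answer; they concatenate with no separator."""
    parts = re.findall(r'"([^"]*)"', rdata)
    return "".join(parts) if parts else rdata.strip()

def parse_dkim(rdata):
    """Parse the tag=value list; whitespace inside the p= value is not significant."""
    tags = {}
    for item in join_txt(rdata).split(";"):
        name, sep, value = item.partition("=")
        if sep:
            name = name.strip()
            tags[name] = "".join(value.split()) if name == "p" else value.strip()
    return tags

def check_domains(expected_record, published):
    """Compare each domain's published record with the one the gateway displays."""
    want = parse_dkim(expected_record)
    result = {}
    for domain, rdata in published.items():
        got = parse_dkim(rdata or "")
        if not got.get("p"):
            result[domain] = "no key published"
        elif got["p"] != want["p"]:
            result[domain] = "key differs from gateway"
        else:
            result[domain] = "ok"
    return result

# Constructed sample data: placeholder base64 sized like a 2048-bit key, not a real key.
FAKE_P = "MIIB" + "A" * 388
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_P
PUBLISHED = {
    "test1.aaa.com": split_txt(RECORD),                                   # matches
    "test2.aaa.com": split_txt("v=DKIM1; k=rsa; p=MIIB" + "B" * 388),     # stale key
    "test3.aaa.com": None,                                                # never created
}

if __name__ == "__main__":
    print(split_txt(RECORD))
    for domain, status in check_domains(RECORD, PUBLISHED).items():
        print(domain, status)
```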
 
