[SOLVED] PMG DKIM keys renewal procedure

arukashi

Member
Jan 21, 2023
Hello!
I would like to know whether there is any way for PMG not to apply a new DKIM key, generated via the GUI (or CLI, no matter), right away. As far as I understand, the generated key is immediately used to sign all of the mail.

I want to first generate the key and the corresponding DNS TXT record, publish the DNS record, wait about 24h to make sure it is available everywhere in the world, and only after these steps apply the DKIM key in PMG.

Right now the only workaround that comes to mind is to generate the key, copy the DNS record and choose the old key immediately. If there is a better way to do this, please let us know. Thanks
 
From a quick check, your analysis is correct: creating a new selector in the GUI/CLI/pmgsh will set it as the currently used one, and the TXT record is only shown for the currently set selector.

Options if your workaround does not work for you:
* stop postfix while creating the new selector; once you have generated the new one and got the public-key record, set the old selector again and start postfix (then no mail will get signed with the new selector)

Creating the new selector, getting the record and setting the old selector can be done via the command line as well:
Code:
# create the new selector (this also makes it the active one)
pmgconfig dkim_set --keysize 4096 --selector newselector
# print the TXT record for the currently active (i.e. new) selector
pmgconfig dkim_record
# switch back to the old selector until the DNS record has propagated
pmgconfig dkim_set --keysize <oldselectorsize> --selector oldselector

I do see your use-case - this could be improved. If you want - please open a feature request at https://bugzilla.proxmox.com explaining the use-case (and include a link to this forum-thread).
No promises when/if we get around to adapting this though!
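The steps from the reply above, put into a script as an added example for this thread (not code from Proxmox or from the thread participants). It stops postfix, creates the new selector, prints its TXT record, switches back to the old selector and starts postfix again; a second entry point, meant to be run the next day, only activates the new selector once the resolver serves the same public key as the local private key. Assumptions not confirmed here: PMG stores the private key at /etc/pmg/dkim/<selector>.private, and dig, openssl and systemctl are installed on the PMG host. The TXT record in the comments is a constructed sample.

```shell
#!/bin/bash
# Staged DKIM selector rollover for Proxmox Mail Gateway.
# Added example for this thread, not Proxmox code. It assumes:
#   - pmgconfig dkim_set / dkim_record behave as described in the reply
#     (a new selector becomes active immediately, dkim_record prints the
#     record of the active selector);
#   - private keys live at /etc/pmg/dkim/<selector>.private (assumption);
#   - dig, openssl and systemctl are available on the PMG host.
set -eu

# Join the quoted 255-byte chunks that DNS returns for a long TXT record into
# one unquoted string, e.g. (constructed sample)
#   "v=DKIM1; k=rsa; p=MIIB..." "...AQAB"  ->  v=DKIM1;k=rsa;p=MIIB...AQAB
join_txt_chunks() {
    printf '%s' "$1" | tr -d '" \t\n'
}

# Extract the base64 public key (the p= tag) from a DKIM TXT record as
# returned by `dig +short TXT`; prints nothing if there is no p= tag.
dkim_p_tag() {
    join_txt_chunks "$1" | tr ';' '\n' | sed -n 's/^p=//p'
}

# True if the p= tag of a TXT record equals the expected base64 key.
p_tag_matches() {
    [ -n "$2" ] && [ "$(dkim_p_tag "$1")" = "$2" ]
}

# Base64 body of the local public key for a selector. A DKIM p= value is the
# DER SubjectPublicKeyInfo, which is exactly the body of a "PUBLIC KEY" PEM.
local_pubkey_b64() {
    openssl rsa -in "/etc/pmg/dkim/$1.private" -pubout 2>/dev/null \
        | grep -v '^-----' | tr -d '\n'
}

# True once the resolver we query serves the same key for
# <selector>._domainkey.<domain> as the local private key. Query a few public
# resolvers too (dig @1.1.1.1 ...) before trusting this for "everywhere".
dns_matches_local() {
    local selector="$1" domain="$2"
    p_tag_matches "$(dig +short TXT "${selector}._domainkey.${domain}")" \
                  "$(local_pubkey_b64 "$selector")"
}

# Step 1: create the new selector while postfix is stopped, so no mail is
# signed with a key that DNS does not serve yet, then switch back to the old one.
stage_new_selector() {
    local old="$1" old_size="$2" new="$3" new_size="${4:-4096}"
    systemctl stop postfix
    trap 'systemctl start postfix' EXIT   # never leave postfix stopped on error
    pmgconfig dkim_set --keysize "$new_size" --selector "$new"
    pmgconfig dkim_record                 # publish this at <new>._domainkey in DNS
    pmgconfig dkim_set --keysize "$old_size" --selector "$old"
    systemctl start postfix
    trap - EXIT
}

# Step 2 (run later): activate the new selector only when DNS serves its key.
activate_when_published() {
    local domain="$1" new="$2" new_size="${3:-4096}"
    if dns_matches_local "$new" "$domain"; then
        pmgconfig dkim_set --keysize "$new_size" --selector "$new"
    else
        echo "${new}._domainkey.${domain} does not serve the local key yet; not switching" >&2
        return 1
    fi
}

# Usage: ./dkim-rollover.sh stage oldselector 2048 newselector 4096
#        ./dkim-rollover.sh activate example.com newselector 4096
case "${1:-}" in
    stage)    stage_new_selector "$2" "$3" "$4" "${5:-}" ;;
    activate) activate_when_published "$2" "$3" "${4:-}" ;;
esac
```

The activation check compares the p= tag served by DNS with the key derived from the local private file rather than with the record text pasted earlier, so a typo or a truncated paste into the DNS zone is caught before the selector goes live; run it against more than one resolver if you care about the 24h propagation window the question mentions.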
Thank you, for now I'll stick to this workflow. Meanwhile I'll file a feature request.