[SOLVED] Selecting domains for DKIM signing

DerDanilo

We want to be able to selectively have domains signed. Therefore we maintain domains in /etc/pmg/dkim/domains.

Code:
Sign all Outgoing Mail

    Controls whether all outbound mail should get signed or only mails from domains listed in /etc/pmg/dkim/domains if it exists and /etc/pmg/domains otherwise.

- The sentence is not 100% clear what "if it exists" means. Does this link to the file /etc/pmg/dkim/domains or a domain that has to be configured in this file?
- Does this mean that the domain will be signed anyways if it is not listed in /etc/pmg/dkim/domains but in /etc/pmg/domains instead?
- This would also mean that signing for Domains is allowed when adding them to /etc/pmg/dkim/domains, that the PMG is not an inbound relay for (outgoing mails from domains that we don't receive mails for --> SAAS where we send mails for our customers, when they configured their SPF correctly)

Currently we understand this explanation this way:
If /etc/pmg/dkim/domains exists with any content (or Domain), Domains from /etc/pmg/domains won't be used at all.

Do we understand this correctly?
 
If 'Sign all Outgoing Mail' is enabled then all mail arriving on the internal port is signed.
The domain used in the DKIM-signature is then the complete first sender email domain (no subdomain matching with the contents of /etc/pmg/dkim/domains is done).

If it is not enabled and /etc/pmg/dkim/domains exists, then mails are signed for all domains (with subdomain match) in /etc/pmg/dkim/domains.
If it is not enabled and /etc/pmg/dkim/domains does not exist, then mails are signed for all domains (with subdomain match) in /etc/pmg/domains.

I hope this helps!
 
Thanks for your reply.

State: "Sign all Outgoing Mail" is disabled.

- If I understand this correctly all domains configured under /etc/pmg/domains are signed by default if the file /etc/pmg/dkim/domains does not exist!?
- If the file /etc/pmg/domains exists only domains that are listed in that file will be signed!?

To me the manual doesn't clarify whether the file itself or a domain configured in those files is being referred to. Maybe this could be extended in the manual.

---

- If I understand you correctly this also means that any domain that arrives on the internal port is being signed, as long as it's listed in /etc/pmg/dkim/domains, even if it is not listed in /etc/pmg/domains (relay domains)!?

Thanks!
 
- If I understand this correctly all domains configured under /etc/pmg/domains are signed by default if the file /etc/pmg/dkim/domains does not exist!?
if DKIM signing is enabled at all - yes - this is correct.

- If the file /etc/pmg/domains exists only domains that are listed in that file will be signed!?
yes - the code is simple - if /etc/pmg/dkim/domains exists - this is used, if not /etc/pmg/domains is used.

- If I understand you correctly this also means that any domain that arrives on the internal port is being signed, as long as it's listed in /etc/pmg/dkim/domains, even if it is not listed in /etc/pmg/domains (relay domains)!?
yes - if 'Sign all mail' is disabled then every mail coming from a domain listed in /etc/pmg/dkim/domains will be signed
 
Awesome. That explains it. Maybe it would be of help to add some of this information to the manual, to clarify things there already. :)
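
The selection rules confirmed in this thread, modelled as an added Python example (not PMG's own code and not part of any post above). It includes the case where /etc/pmg/dkim/domains exists but is empty, so nothing is signed and /etc/pmg/domains is not consulted. Assumptions: one domain per line with '#' comments, the function names, and reporting the matched list entry as the domain.

```python
import os
import tempfile

def load_domains(path):
    """Assumed format: one domain per line, '#' starts a comment."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        lines = (ln.split("#", 1)[0].strip().lower() for ln in fh)
        return [ln for ln in lines if ln]

def signing_decision(sender, sign_all, dkim_list, relay_list):
    """Return (sign?, domain, source) per the rules stated in the thread."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if sign_all:
        # Full sender domain, no list lookup and no subdomain matching.
        return True, domain, "sign-all"
    # The existence of the DKIM list decides, not its contents.
    source = dkim_list if os.path.exists(dkim_list) else relay_list
    for entry in load_domains(source):
        if domain == entry or domain.endswith("." + entry):
            # Assumption: the matched list entry is reported as the domain.
            return True, entry, source
    return False, None, source

def demo():
    """Constructed sample files in a temp dir stand in for /etc/pmg."""
    with tempfile.TemporaryDirectory() as d:
        relay = os.path.join(d, "domains")
        dkim = os.path.join(d, "dkim_domains")
        with open(relay, "w") as fh:
            fh.write("relay.example\n")
        out = {"fallback": signing_decision("a@mx.relay.example", False, dkim, relay)[0]}
        with open(dkim, "w") as fh:
            fh.write("# SaaS customer, not a relay domain\ncustomer.example\n")
        out["dkim_only"] = signing_decision("a@news.customer.example", False, dkim, relay)[:2]
        out["relay_ignored"] = signing_decision("a@relay.example", False, dkim, relay)[0]
        out["sign_all"] = signing_decision("a@other.example", True, dkim, relay)[:2]
        open(dkim, "w").close()  # empty file still exists, so it still wins
        out["empty_dkim"] = signing_decision("a@relay.example", False, dkim, relay)[0]
        return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```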
 
