How to sign mail using DKIM on an additional server, using the same key as on the server with the DNS record?

We have one server with Virtualmin Pro that is setup using following instructions: http://www.virtualmin.com/documentation/email/dkim

(it is using "default" as the name for the key, as the remark about the bug in the "current version" wasn't there when we did it, so first side-question: is that bug still present?)

We now have a second server sending emails with the same domain name, and we need to sign the emails from that server using DKIM too, but: 1) that second server doesn't control the DNS of the first server; 2) we need to use the same DKIM key as on the first server.

How to set that up? (In particular, must the "Selector for DKIM record name" match, and if yes, can/must we use "default" the same way as on the first server, or should we regenerate a new DKIM key using "2011"?)

A reply like "we updated the doc with instructions for how to set up a second server sending emails for the same domain, and removed the warning about the default-name bug" would be OK too here :)

Thanks a lot in advance for your reply and instructions/updated manual, Beat

Status: Closed (fixed)

Comments

Perhaps one simple solution would be to relay email from the second server through the first one, so that mail is DKIM signed before being delivered to its destination?

Hi Jamie,

No, that's not really a solution, as we need to separate the email streams of the two servers, for load and to avoid getting system messages caught by anti-spam measures, as advised by Yahoo here (see second picture): http://help.yahoo.com/l/us/yahoo/mail/postmaster/basics/postmaster-15.html

One server sends newsletters to subscribers, while the second sends only system messages. Additionally, when sending the newsletter the Postfix output queue is quite full (we apply slow delivery to avoid overloading any mail server), so system mails would be delayed too much.

But emails from both servers need to carry a DKIM signature, as advised in the URL shown above.

In that case, what you need to do is copy across the DKIM private key file, then enable DKIM in Virtualmin on the second server with the same settings. Because the second server doesn't host the DNS domain, you will need to enter it in the "Additional domains to sign for" box.

OK, thanks. Just 2 quick questions:

  • Where is that DKIM private key file located?

  • Is that bug deleting the /etc/default directory (quoted from the doc below) still present in Virtualmin Pro 3.87?

  • If yes, do I need to regenerate the DKIM key on the first server, changing the existing name "default" to "2011", before doing this?

http://www.virtualmin.com/documentation/email/dkim : 3. In the Selector for DKIM record name field enter a short name that you will use to identify the signing key. This is typically just the current year, like 2010. Do NOT enter default, as this can trigger a bug in the current Virtualmin release which deletes the /etc/default directory!

Many thanks for the fast replies.

  1. It depends on your Linux distro, but on Ubuntu it should be at /etc/dkim.key

  2. This bug is fixed in Webmin 3.86 and later.

I tried enabling it on the second server, but I get this error message:

Enable DomainKeys Identified Mail
Finding virtual servers to enable DKIM for .. .. no servers with both DNS and email enabled were found! DKIM setup failed!

That's a nice safeguard against user errors, but... how do I set it up without "DNS domain enabled?" being active in "Enabled features" for the virtual servers on that second server?

I figured out that I needed to create another domain with a virtual server that had email services. Then I could activate DKIM in Virtualmin, but I still had to use 2011, as "default" was not allowed due to that bizarre link created from /etc/2011 to /etc/dkim.key (and of course, as the /etc/default directory exists, it didn't work; at least it didn't delete it in 3.87).

So this support request can be closed, once the manual is updated to still avoid "default", but stating that there is no bug anymore, just an error message when attempting to use "default" as the name.

That way, I now have 2 different DKIM keys for the two servers, added the second one to the DNS of the first server, and it even seems to work and pass online DKIM tests.

Thanks for your help and for the great implementation.
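The resolution above (two selectors, "default" and "2011", published under one domain) works because a DKIM verifier never cares which host signed the message; it only resolves the TXT record at <selector>._domainkey.<d= domain> named in the DKIM-Signature header. The following Python is an added example, not code from this thread or from Virtualmin, that models that lookup offline against a constructed zone so you can see why the selector on each sending server must match a published record, why two servers can sign for the same domain with different selectors, and how a selector is retired by publishing an empty p= tag (RFC 6376 section 3.6.1). The domain, selectors, and key material are placeholders; no cryptographic signature verification is performed.

```python
"""Model the DNS step of DKIM verification: header selector -> TXT record.

Added example (not from the Virtualmin thread). The zone and the headers are
constructed; p= values are placeholders, not real RSA keys. Only the record
lookup and tag parsing are shown, not signature verification.
"""

# Constructed zone for example.com. Two live selectors (one per sending
# server) plus one retired selector whose empty p= revokes the key.
ZONE = {
    "default._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAfirstKEY",
    "2011._domainkey.example.com": "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAsecondKEY",
    "2009._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}


def parse_tags(value):
    """Parse an RFC 6376 tag=value list (used by both the header and the TXT record).

    Folding whitespace inside a value (common in a wrapped b= tag) is removed.
    """
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())
    return tags


def dkim_record_name(tags):
    """Build the DNS name a verifier queries for the header's d= and s= tags."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def lookup_public_key(signature_header, zone=ZONE):
    """Return (status, record_name, public_key).

    status is one of: "malformed", "no_record", "revoked", "bad_record", "ok".
    """
    tags = parse_tags(signature_header)
    if any(t not in tags for t in ("v", "d", "s", "bh", "b")):
        return ("malformed", None, None)
    name = dkim_record_name(tags)
    txt = zone.get(name)
    if txt is None:
        # This is what happens when a second server signs with a selector
        # nobody published: the signature cannot be verified at all.
        return ("no_record", name, None)
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1":
        return ("bad_record", name, None)
    if not rec.get("p"):
        # An empty p= means the key for this selector has been revoked.
        return ("revoked", name, None)
    return ("ok", name, rec["p"])


# Constructed DKIM-Signature header values (bh= and b= are dummies).
NEWSLETTER_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; "
                  "h=from:to:subject:date; bh=QUJD=; b=REVG\r\n GHI=")
SYSTEM_MAIL_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=2011; "
                   "h=from:to:subject:date; bh=QUJD=; b=SklM=")
UNPUBLISHED_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=2012; "
                   "h=from:to:subject:date; bh=QUJD=; b=SklM=")
RETIRED_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=2009; "
               "h=from:to:subject:date; bh=QUJD=; b=SklM=")

if __name__ == "__main__":
    for label, sig in (("newsletter", NEWSLETTER_SIG), ("system mail", SYSTEM_MAIL_SIG),
                       ("unpublished selector", UNPUBLISHED_SIG), ("retired selector", RETIRED_SIG)):
        status, name, key = lookup_public_key(sig)
        print(f"{label:22} {status:10} {name}")
```

The two servers in the thread correspond to the first two headers: both carry d=example.com, but one resolves default._domainkey.example.com and the other 2011._domainkey.example.com, so each server can hold its own private key as long as the matching public key is published in the one DNS zone the first server controls. The third header shows the failure the original poster would have hit had the second server signed with a selector that was never added to that zone.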

Cool, glad you got it working. The hack of needing to add a single domain with email enabled is a bug, since you are entering extra domains anyway. I will fix that in the next release.

Well, as long as you don't activate DKIM the first time, the field to enter extra-domains isn't even there. ;-)

So when fixing this, you also need to add that field before the first DKIM activation (for sending emails).

I had already activated DKIM for checking received emails, but that didn't show that field.

That's odd, the code to show that extra domains field doesn't hide it (unless DKIM is not installed at all).

Automatically closed -- issue fixed for 2 weeks with no activity.