Domainkeys & Virtual Hosts

Discussion in 'HOWTO-Related Questions' started by iyeat, Feb 5, 2008.

  1. iyeat

    iyeat New Member


    I just read the awesome howto on Implementing Domainkeys in postfix using dk-milter.

    The problem is, that my mail server uses virtually hosted domains, and I don't think that the tutorial accounts for that. From what I can see in the "Configuration" step, the file "/etc/sysconfig/dk-milter" is only config'd for one domain. My server being a virtual host, I have several domains.

    Any thoughts from anyone on applying this setup for virtual mail hosting?


  2. topdog

    topdog Active Member

    Yes the guide is for a server hosting a single domain, I am rebuilding the rpm's to install a configuration that will work easily for multiple hosts i will post an update soon.
  3. topdog

    topdog Active Member

    There is a quick fix for this, change the KEYFILE variable in /etc/sysconfig/df-milter to something like
    If you have a key there with a domain name rename it to the above.

    Then add the same public key to all the virtual domains that you want to support as you will use a single key to sign all these domains.

    The add all the domains you want to sign to the SIGNING_DOMAIN variable in /etc/sysconfig/dk-milter

    Restart your milter and you should be signing mail for all the domains you specified.
  4. iyeat

    iyeat New Member

    I will give this a shot! Thank you!
  5. iyeat

    iyeat New Member

    Only one problem so far... When I tried to send a test mail to yahoo, I got a bunch of errors in my maillog:

    Feb 11 21:42:18 echo postfix/smtpd[14944]: NOQUEUE: milter-reject: CONNECT from unknown[]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
    Feb 11 21:42:18 echo postfix/smtpd[14944]: NOQUEUE: milter-reject: EHLO from unknown[]: 451 4.7.1 Service unavailable - try again later; proto=SMTP
    Feb 11 21:42:18 echo postfix/smtpd[14944]: NOQUEUE: milter-reject: MAIL from unknown[]: 451 4.7.1 Service unavailable - try again later; proto=ESMTP helo=<localhost>
    So I looked at my processes and saw that dk-milter wasn't running. I tried to start it, and got a permission denied error on the dk_key.pem file. Here is the ls -l from that directory:

    [[email protected] domainkeys]# ls -l
    total 4
    -rw------- 1 root root 493 2008-02-11 13:21 dk_key.pem
    In the mean time, I chmod'd the dk_key.pem 777 to get the milter to work... but I'd rather leave it at the proper setup. Can you guide me as to the proper ownership/permissions on that file?


  6. iyeat

    iyeat New Member

    OK so maybe i spoke too soon.. I hadn't installed domainkeys for all of my domains, just one domain to test... It appears that the domains I didn't have installed stopped working, and the domain I configured with domainkeys worked fine.
    Last edited: Feb 11, 2008
  7. topdog

    topdog Active Member

    The key needs to be owned by the user dk-milt and permissions should be 600, 777 makes the key readable by anyone so they can still it and begin signing mail as you.
  8. topdog

    topdog Active Member

    Let me know how this works out for you i have tested on multiple domains on my side and its working as for the milter reject if you still want to accept mail if the milter has failed our some thing you need to add this to your postfix configuration (
    milter_default_action = accept
  9. iyeat

    iyeat New Member

    So when you say that "if the milter has failed" -- does that mean (a) if the domainkey is not available for an incoming mail; or (b) if the domainkey is not set up for a specific domain....

    I guess my point is... for incoming and outgoing, I want to be able to utilize domainkeys if the other mail server supports it, but deliver mail normally if it doesn't.

    Am I good if I add the "milter_default_action = accept" line?

    And last question... I don't have a "milter" section of -- so I appended all of the config options to the bottom of the file.

    Last edited: Feb 12, 2008
  10. topdog

    topdog Active Member

    That is if the milter for any reason stops working then your mail will still be delivered the default action is to reject until the milter is running again.
    Yes all your incoming mail will be verified, all your outgoing mail will be signed if the domain is configured to be signed, if the other side does not support dk then the mail is treated as normal if they do then they can verify and give you higher scoring and also reject mail that is not signed.
    Am I good if I add the "milter_default_action = accept" line?
    It does not really matter where you put it.
  11. iyeat

    iyeat New Member

    It seems like everything is working out great so far... One problem that I had was with the list of domains.

    The SIGNING_DOMAIN variable in the /etc/sysconfig/dk-milter file should be a comma-separated list of the domains you want to configure. My original list was space-separated, which didn't work.

    I think I've got a pretty good setup going.. my only potential request would be to be able to store the domain list in a MySQL table so that it's more easily manageable, or to configure it to handle it for all the domains on the server rather than having to specify the long list.

    Thank You for your help!!


Share This Page