From 143bbf37f425c27632caced8998a3fdbf57a606d Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Mon, 16 Feb 2015 18:13:49 -0500
Subject: [PATCH] all mail domains, not just (top-level) zones, must have an entry in the opendkim key tables so that such outgoing mail gets signed
If you had both x.y.com and y.com configured here, x.y.com mail would not get DKIM-signed.
---
 management/dns_update.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/management/dns_update.py b/management/dns_update.py
index 331ab764..970b53a8 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -122,7 +122,7 @@ def do_dns_update(env, force=False):
 shell('check_call', ["/usr/sbin/service", "nsd", "restart"])
 # Write the OpenDKIM configuration tables.
- if write_opendkim_tables(zonefiles, env):
+ if write_opendkim_tables(domains, env):
 # Settings changed. Kick opendkim.
 shell('check_call', ["/usr/sbin/service", "opendkim", "restart"])
 if len(updated_domains) == 0:
@@ -616,8 +616,9 @@ def sign_zone(domain, zonefile, env):
 ########################################################################
-def write_opendkim_tables(zonefiles, env):
- # Append a record to OpenDKIM's KeyTable and SigningTable for each domain.
+def write_opendkim_tables(domains, env):
+ # Append a record to OpenDKIM's KeyTable and SigningTable for each domain
+ # that we send mail from (zones and all subdomains).
 opendkim_key_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private')
@@ -636,7 +637,7 @@ def write_opendkim_tables(zonefiles, env):
 "SigningTable": "".join( "*@{domain} {domain}\n".format(domain=domain)
- for domain, zonefile in zonefiles
+ for domain in domains
 ),
 # The KeyTable specifies the signing domain, the DKIM selector, and the 
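Review bot: write_opendkim_tables now takes an iterable of plain domain strings instead of (domain, zonefile) pairs, but the second hunk documents neither that contract nor what the return value means, which the caller in the first hunk relies on to decide whether to restart opendkim. Replace the `#` comment with a docstring along the lines of `"""Write OpenDKIM's SigningTable and KeyTable with one record per mail domain in *domains* (zones and subdomains); return a truthy value if the tables changed."""` — the truthy-on-change part is inferred from the caller's `# Settings changed. Kick opendkim.` and should be confirmed against the function body, which lies outside the hunk. Both tables are whitespace-delimited and each `domains` entry is interpolated unescaped into a record, so the docstring should also state that entries must be bare hostnames without whitespace; whether the domain list is validated upstream is not visible here. The same parameter contract applies to the comprehensions changed in the third and fourth hunks.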
@@ -645,7 +646,7 @@ def write_opendkim_tables(zonefiles, env):
 "KeyTable": "".join( "{domain} {domain}:mail:{key_file}\n".format(domain=domain, key_file=opendkim_key_file)
- for domain, zonefile in zonefiles
+ for domain in domains
 ),
 }