AEGEE DKIM Structure

General Information

[As of 31.03.2012, all emails are signed with d=lists.aegee.org, s=lists, in test mode, each with a different identity i=dkim+...@lists.aegee.org . The idea is to disable the test mode and switch to signatures in the @aegee.org domain, according to the following scheme.]

AEGEEserv receives and sends emails for the domains aegee.org, mail.aegee.org, lists.aegee.org, aegee.uka.de and aegee.uni-karlsruhe.de. Several MTAs and MSAs (mail transfer and mail submission agents) run on AEGEEserv. Each entry below gives the MTA/MSA name, the IP[:port] it listens on, the DKIM-Signature it applies (d=, s= and i= tags), and a description:

sm-80
  Listens on: 129.13.131.80
  DKIM-Signature: d=aegee.org; s=k4096; i=dkim+sm-80@aegee.org
  Description: Accepts mails for aegee.org, aegee.uka.de and aegee.uni-karlsruhe.de, verifies the DKIM signatures of incoming mails, adds Authentication-Results headers, and then processes the email (delivers locally, forwards, or sends to listserv).

sm-localhost
  Listens on: 127.0.0.1
  DKIM-Signature: d=aegee.org; s=k4096; i=dkim+sm-localhost@aegee.org
  Description: Accepts mails from the chrooted PHP environments (sent with mini_sendmail to localhost:25).

sm-lists
  Listens on: 129.13.131.81
  DKIM-Signature: - (none)
  Description: Accepts mails for @lists.aegee.org, does not sign them, and most probably forwards them to listserv.

sm-mail
  Listens on: 129.13.131.82
  DKIM-Signature: d=aegee.org; s=k4096; i=dkim+sm-mail@aegee.org
  Description: Accepts mails for @mail.aegee.org.

MSA-ssl
  Listens on: 129.13.131.82:465
  DKIM-Signature: d=aegee.org; s=k4096; i=dkim+MSA-ssl@aegee.org
  Description: Accepts mails submitted over SSL and does not verify them.

MSA-tls
  Listens on: 129.13.131.82:587
  DKIM-Signature: d=aegee.org; s=k4096; i=dkim+MSA-tls@aegee.org
  Description: Accepts mails submitted over TLS and does not verify them.

sm-karlsruhe
  Listens on: 129.13.131.86
  DKIM-Signature: d=lists.aegee.org; s=lists; i=dkim+sm-karlsruhe@lists.aegee.org
  Description: Accepts only and all emails leaving listserv, i.e. those with @lists.aegee.org in Sender:.

Server-side Configuration

The configuration files for OpenDKIM are in /etc/mail/dkim. All the different MTAs/MSAs connect to the same instance of OpenDKIM. OpenDKIM tells them apart based on the {daemon_name} macro and the logic in /etc/mail/dkim/setup.lua . Note that it is not possible to express in setup.lua that a mail is both signed and verified; it took several hours of debugging to work this out.
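What the per-daemon dispatch in setup.lua can look like, as an added example that is not AEGEE's own script (the page does not reproduce it). It assumes the opendkim-lua API names odkim.get_mtasymbol, odkim.sign, odkim.verify, odkim.internal_ip and odkim.log, that sendmail passes the {daemon_name} macro to the milter, and KeyTable entries named k4096 (d=aegee.org, s=k4096) and lists (d=lists.aegee.org, s=lists); the per-daemon i= identity from the table is not handled here.

```lua
-- Added example of an OpenDKIM SetupPolicyScript dispatching on the sendmail
-- daemon name. NOT AEGEE's own /etc/mail/dkim/setup.lua.
-- Assumptions: opendkim-lua API (global ctx, odkim.get_mtasymbol, odkim.sign,
-- odkim.verify, odkim.internal_ip, odkim.log), sendmail passing {daemon_name}
-- to the milter (Milter.macros.connect), KeyTable entries "k4096" and "lists".

-- One action per daemon, following the table in "General Information".
-- The page's note applies: a message is either signed or verified, not both.
local policy = {
  ["sm-80"]        = "inbound",     -- verify from outside, sign from InternalHosts
  ["sm-localhost"] = "sign:k4096",  -- chrooted PHP via mini_sendmail
  ["sm-lists"]     = "none",        -- @lists.aegee.org, handed to listserv unsigned
  ["sm-mail"]      = "sign:k4096",
  ["MSA-ssl"]      = "sign:k4096",  -- submission over SSL, not verified
  ["MSA-tls"]      = "sign:k4096",  -- submission over STARTTLS, not verified
  ["sm-karlsruhe"] = "sign:lists",  -- everything leaving listserv
}

local daemon = odkim.get_mtasymbol(ctx, "{daemon_name}")
local action = daemon and policy[daemon] or nil

if action == nil then
  -- Fail closed: an unknown or missing daemon name never earns a signature.
  odkim.log(ctx, "setup.lua: no DKIM policy for daemon_name="
                 .. tostring(daemon) .. ", verifying only")
  odkim.verify(ctx)
  return nil
end

if action == "inbound" then
  -- sm-80 faces the Internet: verify what arrives from outside, sign only
  -- what originates from hosts listed in InternalHosts (assumed split).
  if odkim.internal_ip(ctx) then
    odkim.sign(ctx, "k4096")
  else
    odkim.verify(ctx)
  end
elseif action:sub(1, 5) == "sign:" then
  local key = action:sub(6)
  -- Assumed return convention: odkim.sign returns 1 on success, so a key
  -- missing from the KeyTable shows up in the log instead of passing silently.
  if odkim.sign(ctx, key) ~= 1 then
    odkim.log(ctx, "setup.lua: signing with key " .. key
                   .. " failed for daemon " .. daemon)
  end
end
-- "none": neither sign nor verify; the message passes through untouched.

return nil
```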

OpenDKIM is compiled with ./configure --enable-adsp_lists --enable-diffheaders --enable-identity_header --enable-ldap_caching --enable-oversign --enable-rate_limit --enable-replace_rules --enable-redirect --enable-resign --enable-stats --enable-statsext --enable-rbl --enable-vbr --enable-xtags --with-db --with-db-incdir=/usr/include/ --with-db-libdir=/usr/lib64 --with-tre --with-milter --with-openssl --with-sasl --with-unbound --with-lua --with-odbx --enable-query_cache --enable-debug. Please note that "-flto" must be disabled (the project does not compile otherwise), ./configure must be patched to search for libmilter in lib64/ instead of lib/, and in the resulting config.status the path to libunbound must be changed to /usr/lib64; config.status must then be rerun to regenerate the makefiles. Only then can you compile.
Written in March 2012 by Дилян Палаузов.