AEGEE DKIM Structure

General Information

[As of 31.03.2012, all emails are signed with, s=lists, in test mode, having different . The idea is to disable the test mode and switch to signatures in the domain, according to the following scheme.]

AEGEEserv receives and sends emails for the domains,,, and On AEGEEserv run several MTAs and MSAs (mail transfer and mail submission agents):

| MTA/MSA Name | listens on IP[:port] | DKIM-Signature | Description |
|---|---|---|---|
| | | ; s=k4096; i=dkim+sm-80@aegee.org | Accepts mails for, and, verifies the incoming mails for DKIM signatures, adds Authentication-Results headers, and then processes the email (delivers locally, forwards, or sends to listserv). |
| | | ; s=k4096; i=dkim+sm-localhost@aegee.org | Accepts mails from the chrooted PHP-environments (sent with mini_sendmail to localhost:25). |
| sm-lists | 129.13.131.81 | - | Accepts mails for, does not sign them, and most probably forwards them to listserv |
| | | ; s=k4096; i=dkim+sm-mail@aegee.org | Accepts mails for |
| | | ; s=k4096; i=dkim+MSA-ssl@aegee.org | Accepts mails from MSA sent over SSL, and does not verify them |
| | | ; s=k4096; i=dkim+MSA-tls@aegee.org | Accepts mails from MSA sent over TLS and does not verify them |
| | | ; s=lists; i=dkim+sm-karlsruhe@lists.aegee.org | Accepts only and all emails leaving listserv, thus having in Sender:. |

Serverside Configuration

The configuration files for OpenDKIM are in /etc/mail/dkim. All the different MTAs/MSAs connect to the same instance of OpenDKIM. OpenDKIM distinguishes them based on the {daemon_name} macro and the logic in /etc/mail/dkim/setup.lua. Note that it is not possible to code in setup.lua that a mail is both signed and verified; trying to do so leads to several hours of debugging.
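A sketch of how such a dispatch on {daemon_name} can look, using the odkim.* functions documented in opendkim-lua(3). This is an added example, not the contents of the real /etc/mail/dkim/setup.lua; the daemon names, the action assigned to each, and the key name "k4096-key" are assumptions.

```lua
-- Added sketch, not the real /etc/mail/dkim/setup.lua.
-- Assumptions: the daemon names, the actions assigned to them, and the
-- key name "k4096-key" (which would have to exist in the KeyTable).

-- One action per daemon. The table cannot express "sign and verify",
-- which matches the restriction described above.
local policy = {
  ["MSA-tls"]  = { action = "sign", key = "k4096-key" },
  ["MSA-ssl"]  = { action = "sign", key = "k4096-key" },
  ["sm-80"]    = { action = "verify" },
  ["sm-lists"] = { action = "none" },
}

-- ctx is the global context handle OpenDKIM provides to the script.
local daemon = odkim.get_mtasymbol(ctx, "{daemon_name}")
local rule = daemon and policy[daemon]

if rule == nil then
  -- Unknown or missing macro: never sign for a listener we do not
  -- recognise; fall back to verification and leave a trace in the log.
  odkim.log(ctx, "setup.lua: unknown daemon_name '" .. tostring(daemon)
                 .. "', verifying only")
  odkim.verify(ctx)
elseif rule.action == "sign" then
  -- odkim.sign() is expected to return 1 on success (per opendkim-lua(3)).
  if odkim.sign(ctx, rule.key) ~= 1 then
    odkim.log(ctx, "setup.lua: signing with key '" .. rule.key
                   .. "' failed for " .. daemon)
  end
elseif rule.action == "verify" then
  odkim.verify(ctx)
end
-- action == "none": request neither signing nor verification.
```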

OpenDKIM is compiled with:

./configure --enable-adsp_lists --enable-diffheaders --enable-identity_header --enable-ldap_caching --enable-oversign --enable-rate_limit --enable-replace_rules --enable-redirect --enable-resign --enable-stats --enable-statsext --enable-rbl --enable-vbr --enable-xtags --with-db --with-db-incdir=/usr/include/ --with-db-libdir=/usr/lib64 --with-tre --with-milter --with-openssl --with-sasl --with-unbound --with-lua --with-odbx --enable-query_cache --enable-debug

Please note that "-flto" must be disabled (the project does not compile otherwise) and that ./configure must be patched to search for libmilter in lib64/ instead of lib/. In the resulting config.status, the path to libunbound must be changed to /usr/lib64, and config.status must then be rerun to regenerate the makefiles. After that you can compile.

Written in March 2012 by Дилян Палаузов.