
Support custom DKIM selector #1304

Closed
erik-wramner opened this issue Oct 24, 2019 · 13 comments · Fixed by #1811

Comments

@erik-wramner
Contributor

The current version of docker-mailserver always uses the value "mail" as DKIM selector. That works and (despite some confusion) is independent of host name. However, at least two users would like to make the DKIM selector configurable.

To do that:

  • Add a DKIM_SELECTOR option with mail as the default value
  • Modify the setup script to use the selector
  • Modify the startup script to patch the configuration to use the selector
  • Update the instructions
  • Write some kind of test that proves it works
@dev-comrade

Hi.

My English isn't great and I'm too lazy to write a translation, but I have a solution for a custom DKIM selector. If someone doesn't mind, please translate it :)

First, we need access to the generated DKIM keys inside the container; you can expose them through volumes or simply go inside the container, it doesn't matter.

Next, find the /etc/opendkim/KeyTable file in that directory and open it for editing.

In it we have roughly the following:

mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private

Let's split the entry by ":"

  1. mail._domainkey.example.com example.com is in turn split by the space

    • mail._domainkey.example.com - the key name, which is set in the SigningTable file in the same directory

    • example.com - the host name

  2. mail - the selector itself, which will be inserted into the message header

  3. /etc/opendkim/keys/example.com/mail.private - the path to the private key with which we sign messages

So, to change the selector from mail you simply change it in the KeyTable file (item 2), save, restart the container and everything works.

@erik-wramner
Contributor Author

Please use English here. It is not my native language either, but it tends to work best.

@dev-comrade

dev-comrade commented Jun 22, 2020 via email

@georglauterbach
Member

What's the status here?

@wernerfred
Member

Just out of curiosity: what is your reason for switching the selector?
Don't get me wrong - I'm not against it - I just want to understand the motivation behind it.

@BaileyJM02

BaileyJM02 commented Feb 19, 2021

For me, it would allow me to correctly set a TXT record of default._domainkey instead of mail._domainkey when using the domain domain.tld instead of mail.domain.tld. There seems to be a check within the DKIM records, that I don't fully understand, that actually checks against the value of the selector and fails if I place it at default._domainkey instead of mail._domainkey.

It would also save me from having to use the work-around provided by @dev-comrade, where I can't then run ./setup.sh config dkim without having it re-written.

@shodanx2

@wernerfred
Please explain how this issue is completed?

I checked the documentation
https://docker-mailserver.github.io/docker-mailserver/edge/config/best-practices/dkim/
And only the mail. selector is mentioned.

I am here because I changed my server setup from
hostname=mail
domain=example.com

to, as the docker-compose.yml comment claims is the appropriate way,

hostname=example.com
#domain=

However, it seems .mail is still the selector and I am also getting a looping dkim error in the logs
Not sure if this is the cause of my error, but there is ambiguity in the documentation as to how custom selectors are entered

@josephdpurcell

Perhaps #1191 is related.

The use case I understand is that when a new DKIM record is added you may not want to immediately expire the old DKIM record in case anyone re-validates the DKIM signature. Hence, the need for customizing the DKIM selector. For example, you may have a selector dkim2022 and a dkim2023, but you don't want to remove dkim2022 until 2024.

@nzedler

nzedler commented Mar 7, 2023

Perhaps #1191 is related.

The use case I understand is that when a new DKIM record is added you may not want to immediately expire the old DKIM record in case anyone re-validates the DKIM signature. Hence, the need for customizing the DKIM selector. For example, you may have a selector dkim2022 and a dkim2023, but you don't want to remove dkim2022 until 2024.

I have an urgent different use case. I'm using SendInBlue for my email marketing, which requires setting their DKIM entry in my DNS. Unfortunately, they are using mail for the DKIM selector - using two records with the same selector results in a DKIM failure. Either I manage to use a different selector or I have to use a different email marketing service provider :/

Any way to set a different DKIM selector?

@georglauterbach
Member

Have you read docker exec <CONTAINER> setup dkim help??

@polarathene
Member

polarathene commented Mar 7, 2023

Please explain how this issue is completed?

Any way to set a different DKIM selector?

The docs don't seem to have been updated (technically they didn't even exist back then), but as per the PR #1811 that closed this issue, the feature to support custom selectors was added and the CLI tool provides more info on using it:

${ORANGE}OPTIONS${RESET}
${BLUE}Generic Program Information${RESET}
help Print the usage information.
${BLUE}Configuration adjustments${RESET}
keysize Set the size of the keys to be generated. Possible are 1024, 2048 and 4096 (default).
selector Set a manual selector (default is 'mail') for the key. (${LCYAN}ATTENTION${RESET}: NOT IMPLEMENTED YET!)
domain Provide the domain(s) for which keys are to be generated.
${ORANGE}EXAMPLES${RESET}
${LWHITE}./setup.sh config dkim keysize 2048${RESET}
Creates keys of length 2048 bit in a default setup where domains are obtained from
your accounts.
${LWHITE}./setup.sh config dkim keysize 2048 selector 2021-dkim${RESET}
Creates keys of length 2048 bit in a default setup where domains are obtained from
your accounts. The DKIM selector used is '2021-dkim'.
${LWHITE}./setup.sh config dkim keysize 2048 selector 2021-dkim domain 'whoami.com,whoareyou.org'${RESET}
Appropriate for an LDAP setup. Creates keys of length 2048 bit in a default setup
where domains are obtained from your accounts. The DKIM selector used is '2021-dkim'.
The domains for which DKIM keys are generated are 'whoami.com' and 'whoareyou.org'.

The default is mail otherwise.


The docs probably could be updated (contributions welcome), but otherwise are showing how to configure with the default mail selector, just substitute that for your own custom one.

As the start of this issue notes, the DKIM selector is not tied to the hostname. It can remain as mail, or you can use something else and still have mail.example.com.

docker-compose.yml example suggests using hostname for your mail-server FQDN, be that mail.example.com or example.com, etc, but to completely avoid domainname (misunderstood config advice from past maintainers).

@nzedler

nzedler commented Mar 8, 2023

Have you read docker exec <CONTAINER> setup dkim help??

I didn't try it because of the "NOT IMPLEMENTED YET!". It worked flawlessly, however.
Thanks @georglauterbach @polarathene for the quick help.

@nzedler

nzedler commented Mar 8, 2023

Something relevant for the docs as well:

If you want to change the DKIM selector when the mail selector already exists, generate your new one, e.g.

docker exec mailserver setup config dkim selector 2021-dkim

In order to use the new one, delete the mail.txt and mail.private files:

sudo rm docker-data/dms/config/opendkim/keys/example.com/mail.*

Just deleting the files results in an OpenDKIM error in the mailserver, because the files are linked in the KeyTable and SigningTable of OpenDKIM. Therefore, delete the corresponding line in those files.

sudo vim docker-data/dms/config/opendkim/KeyTable

as well as

sudo vim docker-data/dms/config/opendkim/SigningTable
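Added example, not code from docker-mailserver or any commenter: a POSIX shell script that splits KeyTable lines the way @dev-comrade's comment breaks them down, and automates @nzedler's cleanup of a retired selector by removing its key files and its KeyTable and SigningTable lines in one step, so OpenDKIM never sees a table entry whose key file is gone. The config directory, domain and file layout in the demo are constructed to mirror the docker-data/dms/config/opendkim paths quoted above.

```shell
# Added example, not docker-mailserver's own code: retire an old DKIM selector by
# removing its key files AND its KeyTable/SigningTable lines in one step, so the
# tables never reference a key that no longer exists (the error described above).
# Assumes the docker-data/dms/config/opendkim layout quoted in the thread.

# Split one KeyTable line "<sel>._domainkey.<dom> <dom>:<sel>:<keypath>" into
# "<sel> <dom> <keypath>"; fails on lines without the two colons.
parse_keytable_line() {
  rhs=${1#* }                       # drop the key name before the first space
  case $rhs in *:*:*) ;; *) return 1 ;; esac
  domain=${rhs%%:*}
  rest=${rhs#*:}
  selector=${rest%%:*}
  keypath=${rest#*:}
  printf '%s %s %s\n' "$selector" "$domain" "$keypath"
}

# retire_selector CONFIG_DIR DOMAIN OLD_SELECTOR: whole-field comparison in awk
# ($1 in KeyTable, $2 in SigningTable) so "mail" never matches e.g. "mail2".
retire_selector() {
  dir=$1; domain=$2; key="${3}._domainkey.${2}"
  rm -f "$dir/keys/$domain/$3.private" "$dir/keys/$domain/$3.txt"
  for table in KeyTable SigningTable; do
    awk -v key="$key" '$1 != key && $2 != key' "$dir/$table" > "$dir/$table.tmp" \
      && mv "$dir/$table.tmp" "$dir/$table"
  done
}

# Demo on a constructed config tree holding both the old "mail" and the new
# "2021-dkim" key; prints "<KeyTable selectors>|<SigningTable keys>|<key files left>".
demo_retire() {
  dir=$(mktemp -d)
  mkdir -p "$dir/keys/example.com"
  for f in mail.private mail.txt 2021-dkim.private 2021-dkim.txt; do : > "$dir/keys/example.com/$f"; done
  cat > "$dir/KeyTable" <<EOF
mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com/mail.private
2021-dkim._domainkey.example.com example.com:2021-dkim:/etc/opendkim/keys/example.com/2021-dkim.private
EOF
  cat > "$dir/SigningTable" <<EOF
*@example.com mail._domainkey.example.com
*@example.com 2021-dkim._domainkey.example.com
EOF
  retire_selector "$dir" example.com mail
  sels=$(awk '{ split($2, f, ":"); print f[2] }' "$dir/KeyTable" | tr '\n' ' ')
  keys=$(awk '{ print $2 }' "$dir/SigningTable" | tr '\n' ' ')
  set -- "$dir"/keys/example.com/*
  printf '%s|%s|%s\n' "${sels% }" "${keys% }" "$#"
  rm -rf "$dir"
}
```

Run `retire_selector docker-data/dms/config/opendkim example.com mail` against a real config directory only after the replacement selector has been generated and its DNS TXT record published, then restart the container as the thread describes.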
