Installing again, this time with a multi-domain key setup.
Prerequisites
- OS: FreeBSD
- MTA: Sendmail
- Mail domains: @example.net / @mail.example.net
- Mail server: mail.example.net
Mail from @mail.example.net is signed with the host-specific key, and mail from @example.net with the default key.
Installing the milter
pkg install -y opendkim
sysrc milteropendkim_enable=YES
/usr/local/etc/mail/opendkim.conf
--- opendkim.conf.sample 2026-01-17 00:20:21.000000000 +0900
+++ opendkim.conf 2026-02-23 02:57:04.833756208 +0900
@@ -159,7 +159,7 @@
## Specify for which domain(s) signing should be done. No default; must
## be specified for signing.
-Domain example.com
+Domain example.net
## DomainKeysCompat { yes | no }
## default "no"
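Review bot: once the SigningTable configured later in this patch is in use, this Domain value is not consulted for signing decisions, so the change is harmless but does not by itself limit signing to example.net; the SigningTable entries are what decide which senders get signed.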
@@ -244,7 +244,7 @@
## SigningTable and KeyTable are used. No default; must be specified for
## signing if SigningTable/KeyTable are not in use.
-KeyFile /var/db/dkim/example.private
+# KeyFile /var/db/dkim/example.private
## KeyTable dataset
## default (none)
@@ -255,7 +255,7 @@
## a base64-encoded DER format private key, or a path to a file containing
## one of those.
-# KeyTable dataset
+KeyTable refile:/usr/local/etc/mail/KeyTable
## LogWhy { yes | no }
## default "no"
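Review bot: the `refile:` dataset type treats the left-hand column as a glob-style pattern, which is what the SigningTable needs for its `*@` keys; KeyTable lookups are by exact name, so `file:/usr/local/etc/mail/KeyTable` is the conventional choice here and avoids a pattern match on every lookup. `refile:` still resolves exact names, so this is a style point rather than a bug.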
@@ -501,7 +501,7 @@
## failure reports. By default, the e-mail address of the user executing
## the filter is used.
-# ReportAddress "DKIM Error Postmaster" <postmaster@example.com>
+ReportAddress "DKIM Error Postmaster" <postmaster@example.net>
## ReportBccAddress addr
## default (none)
@@ -569,7 +569,7 @@
## The name of the selector to use when signing. No default; must be
## specified for signing.
-Selector my-selector-name
+Selector mail
## SenderHeaders dataset
## default (none)
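Review bot: with a KeyTable configured, the selector is taken from each KeyTable entry and this Selector setting is ignored; since the KeyTable uses both `default` and `mail`, `Selector mail` is misleading to the next reader. Consider commenting it out, as was done for KeyFile, so the file does not suggest a single selector is in use.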
@@ -629,7 +629,7 @@
## is set, all possible lookup keys will be attempted which may result
## in multiple signatures being applied.
-# SigningTable filename
+SigningTable refile:/usr/local/etc/mail/SigningTable
## SingleAuthResult { yes | no}
## default "no"
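Review bot: `refile:` is the right dataset type here because the keys are `*@` patterns. Since the patterns are anchored and `*@example.net` does not match addresses at the mail.example.net subdomain, each sender matches exactly one entry, so the multiple-signature behaviour the comment warns about does not arise with these two rows.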
@@ -657,7 +657,7 @@
## inet:port to listen on all interfaces
## local:/path/to/socket to listen on a UNIX domain socket
-Socket inet:port@localhost
+Socket local:/var/run/milteropendkim/socket
## SoftwareHeader { yes | no }
## default "no"
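Review bot: the `local:` socket path must match the `S=` value in the Sendmail milter definition, and /var/run/milteropendkim has to exist and be writable by the user the filter drops to (see the UserID hunk below); confirm that directory's ownership before starting the milter, since a socket it cannot create is the usual reason for a silent start failure.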
@@ -760,4 +760,4 @@
## Change to user "userid" before starting normal operation? May include
## a group ID as well, separated from the userid by a colon.
-# UserID userid
+UserID mailnull:mailnull
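Review bot: after dropping to mailnull:mailnull the filter must be able to read the private keys referenced by the KeyTable; opendkim-genkey writes the .private files with mode 0600 owned by the invoking user (root when run from Ansible), so chown them to mailnull or the filter cannot load them and messages go out unsigned.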
Creating the keys
roles/freebsd/tasks/opendkim.yaml
- name: opendkim-genkey host selector
  command: |
    /usr/local/sbin/opendkim-genkey -b 2048 -D /var/db/dkim -d {{ inventory_hostname }} -s {{ inventory_hostname.split('.')[0] }}
- name: opendkim-genkey default selector
  command: |
    /usr/local/sbin/opendkim-genkey -b 2048 -D /var/db/dkim -d example.net -s default
Key configuration
/usr/local/etc/mail/KeyTable
default._domainkey.example.net example.net:default:/var/db/dkim/default.private
mail._domainkey.example.net example.net:mail:/var/db/dkim/mail.private
/usr/local/etc/mail/SigningTable
*@example.net default._domainkey.example.net
*@mail.example.net mail._domainkey.example.net
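As an added consistency check (my own script, not part of the original post), the following POSIX sh function parses a KeyTable/SigningTable pair and reports SigningTable targets with no KeyTable entry, KeyTable values that are not of the form domain:selector:keyfile, and key names that do not follow the selector._domainkey.domain naming used above (a convention of this post, not a requirement of OpenDKIM). The sample tables, the temporary directory, the check_tables name and the old.example.net row are constructed here so the script runs offline; on a real host point KEYTABLE and SIGNINGTABLE at /usr/local/etc/mail/KeyTable and SigningTable.

```shell
#!/bin/sh
# Consistency check for an OpenDKIM KeyTable / SigningTable pair.
# Added example, not part of the original post: the table contents below
# are constructed so the script runs offline; on a real host set KEYTABLE
# and SIGNINGTABLE to /usr/local/etc/mail/KeyTable and SigningTable.

# check_tables KEYTABLE SIGNINGTABLE
# Prints one line per problem and returns the problem count (0 = consistent).
check_tables() {
    kt=$1
    st=$2
    problems=0

    # KeyTable: "<name> <domain>:<selector>:<keyfile-or-key>" per line.
    while read -r name value; do
        case "$name" in ''|'#'*) continue ;; esac
        domain=${value%%:*}
        rest=${value#*:}
        selector=${rest%%:*}
        if [ "$domain" = "$value" ] || [ "$selector" = "$rest" ]; then
            echo "KeyTable: $name: value must be domain:selector:keyfile"
            problems=$((problems + 1))
            continue
        fi
        # Naming convention used in the post (not required by OpenDKIM):
        # the key name equals the DNS owner name <selector>._domainkey.<domain>.
        if [ "$name" != "$selector._domainkey.$domain" ]; then
            echo "KeyTable: $name is not $selector._domainkey.$domain"
            problems=$((problems + 1))
        fi
    done <"$kt"

    # SigningTable: "<address pattern> <KeyTable name>" per line; every
    # right-hand side must be an existing KeyTable name.
    while read -r pattern keyname; do
        case "$pattern" in ''|'#'*) continue ;; esac
        if ! awk -v k="$keyname" '$1 == k { found = 1 } END { exit !found }' "$kt"; then
            echo "SigningTable: $pattern -> $keyname has no KeyTable entry"
            problems=$((problems + 1))
        fi
    done <"$st"

    return "$problems"
}

# Constructed sample: the two tables from the post plus one deliberate
# mistake, a SigningTable row whose target key is missing from the KeyTable.
WORK=$(mktemp -d)
KEYTABLE="$WORK/KeyTable"
SIGNINGTABLE="$WORK/SigningTable"
cat >"$KEYTABLE" <<'EOF'
default._domainkey.example.net example.net:default:/var/db/dkim/default.private
mail._domainkey.example.net    example.net:mail:/var/db/dkim/mail.private
EOF
cat >"$SIGNINGTABLE" <<'EOF'
*@example.net       default._domainkey.example.net
*@mail.example.net  mail._domainkey.example.net
*@old.example.net   old._domainkey.example.net
EOF

rc=0
check_tables "$KEYTABLE" "$SIGNINGTABLE" || rc=$?
if [ "$rc" -eq 0 ]; then
    echo "tables are consistent"
else
    echo "problems found: $rc"
fi
rm -rf "$WORK"
```

The script only checks the two tables against each other. Once the zone is loaded, opendkim-testkey -d example.net -s default -vvv (and the same with -s mail) verifies that the published TXT record matches the private key, which is the check that catches a stale $INCLUDE or a key regenerated after the zone was built.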
Sendmail configuration
/etc/mail/sendmail.cf
+ O InputMailFilters=dkim-milter
+ Xdkim-milter, S=local:/var/run/milteropendkim/socket, F=T, T=R:2m
DNS configuration
/usr/local/etc/namedb/primary/example.net.zone
+ $INCLUDE /var/db/dkim/default.txt
+ $INCLUDE /var/db/dkim/mail.txt