Below is a working KeyTable and SigningTable example for OpenDKIM that uses the percent character (%) to replace the domain of the sender while generating the signature.
# If the first field contains only a "%" character, it
# will be replaced by the domain found in the From:
# header field. Similarly, within the optional second
# field, any "%" character will be replaced by the
# domain found in the From: header field.
# If the
# first value consists solely of a percent sign ("%")
# character, it will be replaced by the apparent domain
# of the sender when generating a signature. If the
# third value starts with a slash ("/") character, or
# "./" or "../", then it is presumed to refer to a file
# from which the private key should be read, otherwise
# it is itself a PEM-encoded private key or a
# base64-encoded DER private key; a "%" in the third
# value in this case will be replaced by the apparent
# domain name of the sender.
This ensures that the d=domain.tld and s=default selector gets set for any domains that you are hosting on the mail server. Adding new domains does not require any changes to the SigningTable or KeyTable files.
You however still need to add the DKIM TXT record for each domain that you have.
Been porting workloads from AWS to GCE lately and one big piece of infrastructure that I rely on is pfSense.
pfSense is a FreeBSD based appliance which does advanced routing, firewall and VPN for your cloud-based infrastructure. Using pfSense, one can establish IPSEC tunnels between the various AWS regions and the clients office network. While pfSense is available from the AWS Marketplace, it’s currently not yet available on Google Cloud.
StrongSwan is a viable replacement for environments where pfSense is not an option. Below is a working “site to site” StrongSwan configuration running on Ubuntu 14.04 LTS GCE instance and works with pfSense 2.2. Please note that pfSense 2.2 has moved from racoon to StrongSwan.
# apt-get install strongswan
reqid = 1
fragmentation = yes
keyexchange = ikev1
reauth = yes
forceencaps = no
rekey = yes
installpolicy = yes
type = tunnel
dpddelay = 10s
dpdtimeout = 60s
auto = route
left = 10.240.x.x # my private IP as assigned to eth0 on GCE instance
right = 103.x.x.x # the site I am connecting to
leftid = 22.214.171.124 # my GCE ephemeral / static IP
ikelifetime = 28800s
lifetime = 3600s
ike = aes256-sha1-modp1024!
esp = aes256-sha1!
leftauth = psk
rightauth = psk
rightid = 103.x.x.x # the site I am connecting to
aggressive = no
rightsubnet = 192.168.x.0/24 # my office private subnet
leftsubnet = 10.240.0.0/16 # my GCE private network
Nginx Plus can be run in a 2 node HA cluster as a replacement for ELBs. Please see my previous previous post on situations where it might make sense to use Nginx Plus instead of AWS ELB services.
Below are the steps for launching an Nginx Plus cluster in Classic EC2:
Continue reading Configuring Nginx Plus For HA On AWS Cloud