
Implement OpenDKIM

Open llucps opened this issue 5 years ago • 28 comments

Since dkim-filter is deprecated it would be great to implement its replacement, OpenDKIM.

I set up DMARC reports on my server and neither Yahoo nor [email protected] likes the current dkim-filter implementation. [email protected] complains about the DKIM selector having an underscore. Fortunately Google doesn't complain and passes the DMARC test.

----------------------------------------------------------
DKIM check details:
----------------------------------------------------------
Result:         permerror (syntax error in s= tag: Error in "dkim_1": invalid character U+005F ('_') in domain label)
ID(s) verified: 

DNS record(s):

NOTE: DKIM checking has been performed based on the latest DKIM specs
(RFC 4871 or draft-ietf-dkim-base-10) and verification may fail for
older versions.  If you are using Port25's PowerMTA, you need to use
version 3.2r11 or later to get a compatible version of DKIM.

llucps avatar Dec 27 '18 15:12 llucps

Froxlor's DKIM implementation is really really old - don't use that currently

d00p avatar Dec 28 '18 09:12 d00p

It will be easier to have a hook to run a script on (sub)domain creation - there we can create DKIM keys for OpenDKIM, Rspamd etc. etc.

negrusti avatar Feb 26 '19 16:02 negrusti

creation of key is not the problem...the using service and integration is

d00p avatar Feb 26 '19 17:02 d00p

I don't think any other integration is needed IF DNS is not managed on the server. At the moment I just run the script that pulls domains from Froxlor DB and generates the keys, everything else works (OpenDKIM or Rspamd). But I need to remember to run that script after domain creation

negrusti avatar Feb 26 '19 17:02 negrusti

I could probably work on this. Should I just ditch dkim-milter and implement OpenDKIM or let the user select between the 2?

Logicbloke avatar Feb 26 '19 17:02 Logicbloke

I think I've not seen dkim-milter in production for quite a while... Can assist with OpenDKIM config if necessary

negrusti avatar Feb 26 '19 17:02 negrusti

dkim-milter is not really used anymore. Config templates for OpenDKIM would be nice

d00p avatar Feb 26 '19 17:02 d00p

/etc/opendkim.conf:

AutoRestart Yes
AutoRestartRate 10/1h
UMask 002
Syslog yes
SyslogSuccess Yes
LogWhy Yes
ReportAddress [email protected]
Canonicalization relaxed/simple
ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
InternalHosts refile:/etc/opendkim/TrustedHosts
KeyTable refile:/etc/opendkim/KeyTable
SigningTable refile:/etc/opendkim/SigningTable
Mode sv
PidFile /var/run/opendkim/opendkim.pid
SignatureAlgorithm rsa-sha256
UserID opendkim:opendkim
Socket inet:12301@localhost

/etc/opendkim/KeyTable:

default._domainkey.example.com example.com:default:/etc/opendkim/keys/example.com/default.private

/etc/opendkim/SigningTable:

*@example.com default._domainkey.example.com

/etc/opendkim/TrustedHosts:

127.0.0.1 localhost

negrusti avatar Feb 26 '19 18:02 negrusti

Key generation:

mkdir -p /etc/opendkim/keys/example.com
opendkim-genkey -r -d example.com -D /etc/opendkim/keys/example.com
chown opendkim:opendkim /etc/opendkim/keys/example.com/default.private

public key will be in /etc/opendkim/keys/example.com/default.txt

negrusti avatar Feb 26 '19 18:02 negrusti

Postfix:

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:12301
non_smtpd_milters = inet:localhost:12301

negrusti avatar Feb 26 '19 18:02 negrusti

Rspamd Key generation:

rspamadm dkim_keygen -b 2048 -d example.com -s default -k /var/lib/rspamd/dkim/example.com.default.key > /var/lib/rspamd/dkim/example.com.default.public

dkim_signing.conf:

path = "/var/lib/rspamd/dkim/$domain.$selector.key";

and it will pick up the keys automatically

negrusti avatar Feb 26 '19 18:02 negrusti

Ehm, lib/configfiles/*.xml and pull request?

d00p avatar Feb 26 '19 19:02 d00p

I hope @Logicbloke can help with that :)

negrusti avatar Feb 26 '19 19:02 negrusti

It seems that while opendkim.conf can be configured manually, things like KeyTable, SigningTable or TrustedHosts will need to be generated.

Also even within opendkim.conf some people would want the SignatureAlgorithm and the port in Socket configurable.

As far as key generation is concerned, I think Froxlor is already doing it. It needs another standardized name for the keys (preferably without the underscore), which is what this ticket is about.

I'll see what I can do with the configuration, I have the project forked.

Logicbloke avatar Feb 26 '19 20:02 Logicbloke

Also even within opendkim.conf some people would want the SignatureAlgorithm and the port in Socket configurable.

Yeah but OpenDKIM is, like postfix/dovecot, a one-time configuration. Nothing froxlor generates regularly via cronjob. And same as FTP or mail-services, the user can adjust any part of it or ports according to his needs. But not from within the GUI, that would be madness, too many options :)

d00p avatar Feb 27 '19 06:02 d00p

So please stay as close to the standard/default configuration and only adjust necessary parts (like we do that for every service)

d00p avatar Feb 27 '19 06:02 d00p

Absolutely, so the only thing Froxlor needs to do is to create/update these two: /etc/opendkim/KeyTable and /etc/opendkim/SigningTable, generate the keys, and be able to restart opendkim

negrusti avatar Feb 27 '19 08:02 negrusti

Is there any SQL interface to let OpenDKIM read that from the database?

d00p avatar Feb 27 '19 09:02 d00p

Yes there is: https://github.com/cyrusimap/opendkim/blob/master/opendkim/README.SQL But this will require additional systemd configuration for OpenDKIM to start it after MySQL

negrusti avatar Feb 27 '19 09:02 negrusti

then it would be nice if the one doing the configs could do it the SQL way, as we do that the same with postfix, ftp, etc.

d00p avatar Feb 27 '19 09:02 d00p

@d00p Do you know of a handy GUI XML editor? The files are huge and the structure isn't well-outlined when opening it on a text-editor.

Logicbloke avatar Feb 27 '19 22:02 Logicbloke

Any IDE can handle XML fine. I like PhpStorm as my IDE.

pquerner avatar May 03 '19 22:05 pquerner

What's the problem here? Is anybody working on OpenDKIM? I have been running it with Froxlor the last few years and would be able to copy my implementation into a PR, and make it look a bit nicer, etc if nobody else has done anything for OpenDKIM.

makuser avatar Jul 30 '19 08:07 makuser

Problem as always, time time time and no one wants to do it for ALL supported systems (config templates are required for this for sure). If you want to get this going, hell yeah go for it :)

d00p avatar Jul 30 '19 08:07 d00p

Config templates are so damn easy. Near stock actually. OpenDKIM is much easier to implement compared to dkim-milter, as it already supports SQL OOTB.

Will do.

makuser avatar Jul 30 '19 08:07 makuser

@d00p Can we just ditch the underscore in the dkim txt record?

root@server:/var/www/froxlor# grep -rwb . -e dkim_
./lib/Froxlor/Dns/Dns.php:4939: self::addRequiredEntry('dkim_' . $domain['dkim_id'] . '.domainkey', 'TXT', $required_entries);
./lib/Froxlor/Dns/Dns.php:10261: } elseif ($record == 'dkim' . $domain['dkim_id'] . '.domainkey' && ! empty($dkim_entries)) {
./lib/Froxlor/Cron/Dns/DnsBase.php:6225: $privkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim' . $domain['dkim_id']);
./lib/Froxlor/Cron/Dns/DnsBase.php:6351: $pubkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim_' . $domain['dkim_id'] . '.public');
./lib/Froxlor/Cron/Dns/DnsBase.php:6811: $privkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim_' . $domain['dkim_id']);
./lib/Froxlor/Cron/Dns/DnsBase.php:7231: $pubkey_filename = \Froxlor\FileDir::makeCorrectFile(Settings::Get('dkim.dkim_prefix') . '/dkim_' . $domain['dkim_id'] . '.public');

I guess this should solve OP's issue.

Logicbloke avatar Jul 30 '20 05:07 Logicbloke
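As an added example (not Froxlor's code and not posted by anyone in this thread), the following Python script ties together the two points discussed above: it validates a selector the way the strict verifier in the first post does (so `dkim_1` is rejected with the same kind of error, while `dkim1` or `default` pass), and it renders KeyTable / SigningTable lines in exactly the layout negrusti posted (`/etc/opendkim/keys/<domain>/<selector>.private`). The `parse_genkey_txt` helper assumes the usual BIND-style layout of the `<selector>.txt` file that `opendkim-genkey` writes; the sample text and the placeholder public key are constructed, and the `froxlor_selector` naming is the underscore-free form suggested in the grep above, not a Froxlor API.

```python
"""Selector validation and OpenDKIM KeyTable/SigningTable generation.

Added example, not part of Froxlor. File layout follows the opendkim.conf,
KeyTable and SigningTable posted earlier in this thread.
"""
import re
from pathlib import PurePosixPath

# RFC 6376 defines the s= tag as a sub-domain, i.e. a dot-separated sequence
# of DNS labels. A strict verifier applies RFC 1035 hostname-label rules:
# letters, digits and hyphen only, no leading/trailing hyphen, 1..63 chars.
# That is why "dkim_1" produced "invalid character U+005F ('_') in domain label".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

KEY_ROOT = PurePosixPath("/etc/opendkim/keys")  # assumed layout, as in the thread


def validate_selector(selector: str) -> str:
    """Return the selector unchanged, or raise ValueError like a strict verifier."""
    if not selector:
        raise ValueError("empty selector")
    for label in selector.split("."):
        if not _LABEL.match(label):
            raise ValueError(f'invalid character in selector label "{label}"')
    return selector


def is_valid_selector(selector: str) -> bool:
    try:
        validate_selector(selector)
        return True
    except ValueError:
        return False


def froxlor_selector(dkim_id: int) -> str:
    """Underscore-free selector name, as suggested by the grep above (assumption)."""
    return f"dkim{dkim_id}"


def key_table_line(domain: str, selector: str) -> str:
    """<selector>._domainkey.<domain> <domain>:<selector>:<private key path>"""
    validate_selector(selector)
    priv = KEY_ROOT / domain / f"{selector}.private"
    return f"{selector}._domainkey.{domain} {domain}:{selector}:{priv}"


def signing_table_line(domain: str, selector: str) -> str:
    """*@<domain> <selector>._domainkey.<domain>"""
    validate_selector(selector)
    return f"*@{domain} {selector}._domainkey.{domain}"


def render_tables(domains):
    """domains: iterable of (domain, selector). Returns (KeyTable, SigningTable) text.

    Validation happens before any line is emitted, so a single bad selector
    leaves both files untouched rather than half-written.
    """
    rows = [(d, validate_selector(s)) for d, s in domains]
    key_table = "".join(key_table_line(d, s) + "\n" for d, s in rows)
    signing_table = "".join(signing_table_line(d, s) + "\n" for d, s in rows)
    return key_table, signing_table


# opendkim-genkey writes <selector>.txt in BIND zone syntax with the TXT value
# split into several quoted strings; joining them gives the record value.
_QUOTED = re.compile(r'"([^"]*)"')


def parse_genkey_txt(text: str):
    """Return (record name, joined TXT value) from a <selector>.txt file."""
    name = text.split()[0]
    value = "".join(_QUOTED.findall(text))
    return name, value


# Constructed sample in the shape of `opendkim-genkey -r` output; the key is a placeholder.
SAMPLE_GENKEY_TXT = (
    'default._domainkey\tIN\tTXT\t( "v=DKIM1; k=rsa; s=email; "\n'
    '\t  "p=PLACEHOLDER_BASE64_PUBLIC_KEY" )  ; ----- DKIM key default for example.com\n'
)


if __name__ == "__main__":
    key_table, signing_table = render_tables([("example.com", "default"),
                                              ("example.org", froxlor_selector(7))])
    print("KeyTable:\n" + key_table)
    print("SigningTable:\n" + signing_table)
    print("genkey record:", parse_genkey_txt(SAMPLE_GENKEY_TXT))
    print("dkim_1 accepted?", is_valid_selector("dkim_1"))
```

The private-key path and selector name in the generated KeyTable line must agree with what the key generation step actually wrote; validating the selector at generation time, before the key file and the DNS record exist, avoids the situation makuser describes later, where an old underscore selector keeps working against lenient verifiers and only fails against a strict one.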

Even though removing the underscore was the right thing, I did not cover or update that in my opendkim config, and it bit me just now, when I contacted one (non-Google) mail server that actually did check this.

makuser avatar Aug 23 '21 11:08 makuser

To follow this important ticket :)

Neustradamus avatar Oct 29 '23 18:10 Neustradamus