deltachat / chatmail

chatmail service deployment scripts and docs
https://delta.chat/en/2023-12-13-chatmail
MIT License

DKIM key rotation #195

Open link2xt opened 9 months ago

link2xt commented 9 months ago

We cannot expect admins to rotate the key or change DNS records after setting up a server, but there should be some way to do it. E.g. a command cmdeploy dns could always suggest adding the next key, and then, if the corresponding DKIM public key is already deployed, make the server switch to it. Then just running cmdeploy dns from time to time and deploying the DKIM records it suggests will rotate the keys at least eventually.

For reference: https://www.m3aawg.org/DKIMKeyRotation

link2xt commented 8 months ago

Let's close this for now as not planned. We also have SSH server keys and TLS keys which are generated on the server. SSH keys are difficult to rotate unless you create a CA or use DANE. For TLS I am not sure if acmetool rotates it; I opened an issue with a question: https://github.com/hlandau/acmetool/issues/350

link2xt commented 4 months ago

Reopening the issue. It seems to be feasible to rotate DKIM keys automatically by asking the admin to delegate the _domainkey subdomain to config.domain_name and running nsd locally just for this purpose. The only manual action needed then is setting up the NS record once.

This will actually simplify the setup for admins, because copying the DKIM key is usually difficult, especially if the DNS provider has a bad web UI for this.

Debian has a dkim-rotate package described here: https://diziet.dreamwidth.org/16025.html

link2xt commented 5 days ago

Testing NSD on c1.testrun.org.

/etc/nsd/nsd.conf:

server:
        # log only to syslog.
        log-only-syslog: yes

zone:
        name: "_domainkey.c1.testrun.org"
        zonefile: "/etc/nsd/chatmail.zone"

/etc/nsd/chatmail.zone:

$ORIGIN _domainkey.c1.testrun.org.
$TTL 86400

@  IN  SOA     c1.testrun.org. root.testrun.org. (   ; RNAME needs the trailing dot, otherwise it is relative to $ORIGIN
        2024101901  ;Serial
        2H          ;Refresh
        3600        ;Retry
        1209600     ;Expire
        3600        ;Negative response caching TTL
)

; Nameservers
@  IN NS c1.testrun.org.

$INCLUDE /etc/dkimkeys/dkim.txt c1.testrun.org.

(We have to explicitly specify that the included file is for c1.testrun.org., as inside the OpenDKIM-generated file this is the expected origin, while we only want to serve _domainkey.c1.testrun.org.)

/etc/dkimkeys/dkim.txt:

dkim._domainkey IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "
      "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAme8aWfYPitZja6m/ANq78pB1xUpx8MNbXa66RHMsU8n0CffAZ//oBSAwm6CgJFkkq0XuJgDVnsBSl2Mp1mqFbBidKhXv8b2j4SfxpG29aExUKuHffGcLocMOIMN4+mZXy2VTLW38yqBlLXYt4/QJB/zvyfWErhlC1lA4ZYfK3UMLwItdyRzoQYQvouLbIvidqELQxK/2L4eZsl"
      "p79J9kcAq3UIzDiB5ToQeeTuykIBjdUwNNRDmIMAl/TYeo5HM+gwTNPiLoVPW6l1VfvZsxI15XwPY+6ifBkCM9JS+gEQMVoxAdR+UNouz632dSsm7fUZgQr3jx066E8/FrHIwPqwIDAQAB" )  ; ----- DKIM key dkim for c1.testrun.org

(Autogenerated; I had to change the permissions of /etc/dkimkeys to 755 and /etc/dkimkeys/dkim.txt to 644 so NSD can access it.)

With this configuration, dig TXT dkim._domainkey.c1.testrun.org @c1.testrun.org works.

I also had to stop unbound because both nsd and unbound want to run on port 53. We will have to move unbound to another port like 5353 and point /etc/resolv.conf there.
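The following is an added example and not chatmail's own code. It ties together the rotation idea from the first comment (switch signing to a new selector only once its public key is visible in DNS) with the OpenDKIM dkim.txt format shown in the last comment: it parses such a file, joins the multi-string TXT rdata the way a resolver does, and compares the `p=` tag with what DNS serves. The key material, the `dkim2024` selector, `example.org`, and the `fake_lookup_txt` resolver stub are constructed placeholders so the example runs offline; `parse_opendkim_txt`, `parse_dkim_tags`, `published_key_matches` and `choose_selector` are hypothetical names, not part of cmdeploy.

```python
"""Added example (not chatmail's own code): parse an OpenDKIM-generated
dkim.txt, compare its public key with the DKIM TXT record that DNS
actually serves, and decide whether a new selector is ready to sign with."""
import re

# Constructed placeholder, not a real RSA key.
PUBKEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexampleKEYPARTtwoAQAB"

# Constructed sample shaped like the OpenDKIM output above: the TXT rdata
# is split over several quoted strings inside parentheses.
DKIM_TXT_2024 = (
    'dkim2024._domainkey IN  TXT ( "v=DKIM1; h=sha256; k=rsa; "\n'
    f'      "p={PUBKEY[:40]}"\n'
    f'      "{PUBKEY[40:]}" )  ; ----- DKIM key dkim2024 for example.org\n'
)

RECORD_RE = re.compile(
    r'^(?P<selector>[^\s.]+)\._domainkey\s+IN\s+TXT\s*\((?P<strings>.*?)\)',
    re.S | re.M,
)


def parse_dkim_tags(rdata):
    """Parse 'v=DKIM1; k=rsa; p=...' into a dict. Whitespace inside a
    value is dropped, since RFC 6376 allows folding whitespace in p=."""
    tags = {}
    for part in rdata.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def parse_opendkim_txt(text):
    """Return (selector, tags) from an OpenDKIM dkim.txt file. DNS clients
    concatenate the quoted strings of a TXT record, so we do the same
    before looking at the tags."""
    match = RECORD_RE.search(text)
    if not match:
        raise ValueError("no DKIM TXT record found")
    strings = re.findall(r'"([^"]*)"', match.group("strings"))
    return match.group("selector"), parse_dkim_tags("".join(strings))


# Constructed stand-in for a resolver: maps a name to the TXT rdata strings
# a real query would return (already joined per record).
FAKE_DNS = {
    f"dkim2024._domainkey.example.org": [f"v=DKIM1; h=sha256; k=rsa; p={PUBKEY}"],
}


def fake_lookup_txt(name):
    """Hypothetical resolver hook; a real deployment would query DNS here."""
    return FAKE_DNS.get(name, [])


def published_key_matches(selector, domain, local_tags, lookup_txt):
    """True if DNS serves a DKIM1 record at selector._domainkey.domain whose
    p= tag equals the locally generated public key."""
    name = f"{selector}._domainkey.{domain}"
    for rdata in lookup_txt(name):
        tags = parse_dkim_tags(rdata)
        if tags.get("v", "DKIM1") == "DKIM1" and tags.get("p") == local_tags.get("p"):
            return True
    return False


def choose_selector(active, candidate, domain, local_tags, lookup_txt):
    """Rotation decision for each periodic run: switch signing to the
    candidate selector only once its key is visible in DNS, otherwise keep
    the active one. Mail signed with a not-yet-published key would fail
    verification at every receiver."""
    if candidate != active and published_key_matches(candidate, domain, local_tags, lookup_txt):
        return candidate
    return active


if __name__ == "__main__":
    selector, tags = parse_opendkim_txt(DKIM_TXT_2024)
    print("local selector:", selector, "key type:", tags.get("k"))
    print("sign with:", choose_selector("dkim", selector, "example.org", tags, fake_lookup_txt))
```

The old selector's record should stay published for a while after the switch so that mail already in transit still verifies; removing it is the last step of a rotation, not the first.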