Add support of ED25519-SHA256 for signing DKIM Keys

[saldru]

Hi everyone,

I ask for a feature that could be interesting. Actually the mailCow suite only support DKIM keys signed with RSA through the web UI. Since 04/02/2019, Rspamd added support for signing DKIM keys with ED25519 with SHA256 regarding the new RFC 8463.

So it could be good to add the option of generating/importing and supporting DKIM keys signed with ED25519-SHA256 in addition of RSA keys.

Thank you for you time :) Saldru

[andryyy]

I will add it as FR, but I don't think we will add it very soon. Not many servers can actually validate them, btw.

We could double-sign, but that's just overly complicated for most people running a mailcow. Same with this multi-cert stuff with RSA and ECDSA. Multiple different TLSA records per domains sound fun for most people, who chose mailcow to reduce the hassle. We will eventually move forward, yes, but I don't think we should add more hacky solutions for something not yet fully supported or established.

I think DKIM with ED25519 is not too far away though. :)

Thanks for your FR!

[saldru]

Hi @andryyy, thank you for your reply !

Yeah I know that it's new and it's better for mails when the policy is the most open and not too "modern" to be able to receive and send mail from/to everyone. :)

But I think it's a feature that can say to everyone that "mailcow support it !" and yeah I know it's not in the top of priority. :)

[ghost]

I think DKIM with ED25519 is not too far away though. :)

@andryyy Is support for signing mails with ED25519 DKIM keys still on the roadmap for mailcow?

[andryyy]

Yes, in the future. We will do dual signing at some point.

As of today it is pretty much not checked at all...

[andryyy]

It is.

[JJ1LFC]

Hi, It's been 4yrs now. We should not keep messing up our TXT RR with very long RSA 1024/2048 bit pubkey - or should we go to RSA 4096 seriously? It's a stupid idea. Let's boost the entire world to use shorter elliptic curve algo.