stalwartlabs / mail-server

Secure & Modern All-in-One Mail Server (IMAP, JMAP, POP3, SMTP)
https://stalw.art
4.45k stars 169 forks

[enhancement]: Double DKIM sign using Ed25519 and RSA by default #77

Closed Avamander closed 4 months ago

Avamander commented 1 year ago

Which feature or improvement would you like to request?

I'd like to see this feature: That by-default Stalwart would generate a configuration for DKIM double-signing with both RSA and Ed25519.

Increased adoption of newer EC DKIM algorithms (such as Ed25519) would encourage other software to add support for it. At the very least it would be a useful test case and an example of a (popular) MTA that supports EC DKIM.

In the end this would help reduce ossification of the email ecosystem with basically no cost.

Is your feature request related to a problem?

No response


johansmitsnl commented 11 months ago

You can already do this:

[auth.dkim]
verify = "relaxed"
sign = [ { if = "listener", ne = "smtp", then = ["ed25519", "rsa"] },
         { else = [] } ]

Or did I miss something?

mdecimus commented 11 months ago

I think @Avamander means that the install script should generate both ED and RSA certificates and include them in the config file by default.

mdecimus commented 4 months ago

This has been implemented in v0.7.0.

hadleyrich commented 4 months ago

Just a note in case it's useful to anyone searching. Amazon SES appears to be a bit silly and won't accept messages over SMTP with more than one DKIM-Signature header so if you happen to be forwarding mail out through SES then you may need to pick one to sign with for that path.

With the default of both signatures SES responds with:

Action: failed Status: 5.5.4 Diagnostic-Code: smtp;554 Transaction failed: Duplicate header 'DKIM-Signature'. Remote-MTA: dns;email-smtp.ap-southeast-2.amazonaws.com
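
The rejection above comes from SES counting DKIM-Signature headers on the DATA it receives. The script below is an added example (not Stalwart or SES code): it lists the DKIM-Signature headers on a message, reports the algorithm (a=), domain (d=) and selector (s=) of each, flags a message that would trip the SES duplicate-header check, and can reduce a double-signed message to the one signature whose algorithm you choose. The sample message, its selectors and its signature values are constructed for the demo and are not valid signatures; the real fix is to sign once on the SES path, this only shows what to look for.

```python
"""Inspect and reduce DKIM-Signature headers on an outbound message.

Added example, not part of Stalwart. Uses only the standard library.
"""
from email import message_from_string
from email.policy import default

# Constructed sample: a message double-signed with Ed25519 and RSA.
# Selectors, hashes and signature values are placeholders, not real signatures.
SAMPLE_DOUBLE_SIGNED = """From: sender@example.com
To: destination@example.net
Subject: double-signed test
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=example.com;
 s=ed1; h=from:to:subject; bh=c29tZWhhc2g=; b=c2lnbmF0dXJl
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
 s=rsa1; h=from:to:subject; bh=c29tZWhhc2g=; b=c2lnbmF0dXJl
Message-ID: <1@example.com>

hello
"""


def parse_tags(header_value):
    """Split a DKIM tag-list ('k=v; k=v') into a dict, unfolded already."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # b= and bh= values contain '='
            tags[key.strip()] = value.strip()
    return tags


def dkim_signatures(raw):
    """Return [{'a', 'd', 's'}, ...] for every DKIM-Signature header present."""
    msg = message_from_string(raw, policy=default)  # default policy unfolds headers
    sigs = []
    for hdr in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(hdr))
        sigs.append({"a": tags.get("a"), "d": tags.get("d"), "s": tags.get("s")})
    return sigs


def ses_safe(raw):
    """True if the message carries at most one DKIM-Signature header.

    This mirrors the SES behaviour reported in the thread (554 Duplicate
    header 'DKIM-Signature'); it is our reading of that error, not an SES spec.
    """
    return len(dkim_signatures(raw)) <= 1


def keep_only_signature(raw, algorithm_prefix):
    """Drop every DKIM-Signature except the first whose a= starts with the prefix.

    Position of the DKIM-Signature header does not affect verification, so the
    kept header is simply re-appended. Raises if no signature matches, so a
    misconfigured expression fails loudly instead of sending unsigned mail.
    """
    msg = message_from_string(raw, policy=default)
    headers = [str(h) for h in msg.get_all("DKIM-Signature", [])]
    keep = [h for h in headers if parse_tags(h).get("a", "").startswith(algorithm_prefix)]
    if not keep:
        raise ValueError(f"no DKIM-Signature with a={algorithm_prefix}*")
    del msg["DKIM-Signature"]  # deletes every instance of the header
    msg["DKIM-Signature"] = keep[0]
    return msg.as_string()


if __name__ == "__main__":
    for sig in dkim_signatures(SAMPLE_DOUBLE_SIGNED):
        print(sig)
    print("SES-safe as sent:", ses_safe(SAMPLE_DOUBLE_SIGNED))
    reduced = keep_only_signature(SAMPLE_DOUBLE_SIGNED, "ed25519")
    print("SES-safe after keeping Ed25519 only:", ses_safe(reduced))
```

Run it over a message captured from the SES-bound path (for example by routing a test message to a local sink first); if `dkim_signatures` reports two entries, the signing expression for that path is still selecting both keys, or a report (DSN, DMARC, TLS) rather than the user message is the one being double-signed.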

flufftronix commented 4 months ago

Just a note in case it's useful to anyone searching. Amazon SES appears to be a bit silly and won't accept messages over SMTP with more than one DKIM-Signature header so if you happen to be forwarding mail out through SES then you may need to pick one to sign with for that path.

With the default of both signatures SES responds with:

Action: failed Status: 5.5.4 Diagnostic-Code: smtp;554 Transaction failed: Duplicate header 'DKIM-Signature'. Remote-MTA: dns;email-smtp.ap-southeast-2.amazonaws.com

I'm using the admin UI to select only ED for outgoing emails when the sender_domain matches the one I'm trying to use Amazon SES with, but I can't seem to prevent this error from occurring. Can anyone either duplicate this problem, or share the configuration they're using which allows for a single DKIM Signature to be sent?

mdecimus commented 4 months ago

@flufftronix Are you using an expression to select which signatures to include? If so please provide the expression you are using.

flufftronix commented 4 months ago

@flufftronix Are you using an expression to select which signatures to include? If so please provide the expression you are using.

On the Outbound > DKIM Settings page under DKIM Signing, my if condition is sender_domain = 'domain.tld' and the then is ['ed25519-' + sender_domain]. I've also tried with 'ed25519-domain.tld' as the then statement. DKIM Verification strategy is set to relaxed.

I've also tried doing a similar if>then for DKIM reporting, but it looks like that's for a different process.

mdecimus commented 4 months ago

There are other places in the configuration where DKIM signing is done using two keys by default. For example in DSN, DMARC, DKIM and SPF reports. Perhaps the error you're seeing is coming from a report with double signature?

johansmitsnl commented 4 months ago

My experience with SES is that you can't use it if you sign it by yourself. In my previous setup I just let SES do the signing and stalwart none.

flufftronix commented 3 months ago

There are other places in the configuration where DKIM signing is done using two keys by default. For example in DSN, DMARC, DKIM and SPF reports. Perhaps the error you're seeing is coming from a report with double signature?

No luck making any adjustments, including setting false via sender domain via if>then, as well as setting entire sections to false for DSN, DMARC, DKIM and SPF.

Every attempt yields:

<destination@address.com> (host email-smtp.us-east-2.amazonaws.com rejected command 'DATA' with code 554 (0.0.0) 'Transaction failed: Duplicate header 'DKIM-Signature'.')

mdecimus commented 3 months ago

Have you reloaded the configuration after making these changes? If you did, try changing the logging level to trace, send a message and check the logs, which should now contain how each one of the expressions was evaluated. Look for the ones containing dkim or sign.