rimas-kudelis
commented
8 years ago We're not against DKIM, if that's what you're asking. :)
By the way, did you really just overwrote all the work you did while porting Vexim to Bootstrap?..
Open MrSleeps opened 8 years ago
rimas-kudelis
commented
8 years ago We're not against DKIM, if that's what you're asking. :)
By the way, did you really just overwrote all the work you did while porting Vexim to Bootstrap?..
Udera
commented
8 years ago DKIM is a feature I'd like to implement as well. I don't know if it is worth spending too much time on old code when we are considering a new rewrite: https://groups.google.com/forum/#!topic/vexim/3c-EWu7EgE8
Recently, we implemented some security fixes and didn't really add new features. Now, we struggle to push a new version to the benefit of all users.
MrSleeps
commented
8 years ago Yeah I did delete everything, I figured I'd start from scratch, wasn't happy with the results. So I'm currently rewriting it.
I'll have a play with DKIM over the next few days, I've got a basic version working but still relies on having a text file so I need to figure out what I'm doing wrong on there, then I'll push it to here
Udera
commented
8 years ago Do you want to put the keys into the database?
Udera
commented
8 years ago I needed to implement DKIM for a few domains. I did a quick&dirty solution:
We could add a button for the siteadmin to turn DKIM on and off for a specific domain (and for the domain admin). That would be really easy.
Managing the certificates via the interface gives the domain-admin more options. Should we be able to generate certificates via webinterface? If we import certificates, we need to check the syntax. The problem is that the domain-owner does not get any feedback from the mailserver if anything fails. In the end, is there a real advantage for the admin?
MrSleeps
commented
7 years ago Sorry, GitHub never notified me that you'd replied!
I did roughly the same hack as you, free time has been a rarity, so one day I will sit down and work through a proper solution. Though, that hack does work and has served me well for the last 10 months or so.. I can't see the problem with domains using the same key etc. I don't know what other peoples opinions are..
My personal preference is to allow domain admins to do it via the webpage (I'm slowly untangling my own admin interface (it's currently all linked in with other system adminy stuff)) which I'll upload at some point in the (hopefully not so) distant future. If it's set up the same way as we have both done, it shouldn't be too difficult to implement?
rimas-kudelis
commented
7 years ago @Udera:
We could add a button for the siteadmin to turn DKIM on and off for a specific domain (and for the domain admin). That would be really easy.
Managing the certificates via the interface gives the domain-admin more options. Should we be able to generate certificates via webinterface? If we import certificates, we need to check the syntax. The problem is that the domain-owner does not get any feedback from the mailserver if anything fails. In the end, is there a real advantage for the admin?
I think generation can wait until the rewrite, but for now, we could allow pasting the private key into a textarea and saving it, and then of course making use of it in the backend. This shouldn't be difficult (like you said above), and might be worthy doing even before the rewrite.
On the other hand, generating keys from within PHP is possible too, so if anyone is willing to write an agreeable user interface for that, it's definitely an option. Or perhaps it would be even better to do it from JavaScript?
rimas-kudelis
commented
5 years ago I just set up my own DKIM records, following the Debian guide. This seems easier than I expected. If it works out well (I should know by next Monday), adding a few extra fields to the domain admin page should really be a no-brainer.
rimas-kudelis
commented
4 years ago Note: when we implement this, we should consider what to set dkim_sign_headers to in Exim config. It seems like Exim's default DKIM configuration may cause cause problems with messages that would be forwarded later on.
https://lists.gt.net/exim/users/110651 https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html#spoofed_body_dhl
For example, Outlook.com adds a Resent-From: header (as well as a bunch of other headers) when message forwarding is enabled for a mailbox, but Exim signs that header even when it's absent (in other words, the lack of that header is signed when it doesn't exist), so after the forward, the signature becomes invalid.
EDIT: my observations are based on Exim 4.89. It's possible that my issue wouldn't have surfaced if I used a later version.
Also note: starting with version 4.90 (which it seems was released in December 2017), it's allowed to prefix header names with + or = when listing them in dkim_sign_headers. This allows greater control over header signing. I definitely want to make use of that.
Is there any reason why DKIM hasn't been touched so far? I'm pondering converting my text based dkim lookups into SQL lookups to integrate with vexim but before I dive in... :)