virtualmin / virtualmin-gpl

Virtualmin web hosting control panel for Webmin
https://www.virtualmin.com
GNU General Public License v3.0

BUG: DKIM keys must rotate/regenerate monthly. #119

Open chris001 opened 4 years ago

chris001 commented 4 years ago

This is a security vulnerability bug. Currently, Virtualmin generates the DKIM key once, then uses it forever. As evidence, the DKIM key tag is the same as the year Virtualmin generated the DKIM key; on this server, for example, the DKIM key tag is 2014. Not rotating/regenerating the DKIM key monthly is considered poor security, and is not recommended by the OpenDKIM organization.

Virtualmin must generate fresh new DKIM keys monthly (by default, one unique DKIM key per DNS domain/zone would be best), insert the new DKIM keys into their corresponding DNS zones, and delete the old key(s) after their TTLs expire.

NOTE: Very important. The "key tag"/"selector" in DNS, for each zone's DKIM key, is supposed to be YYYYMM, i.e. the current DKIM key for secure Virtualmin DNS zones today is supposed to be 201910. A date stamp as tag/selector proves that work has been done to generate a new key this month, and that the key actively in use for mail signing is fresh and rotated and unlikely to be old enough to allow attackers the time required to brute-force it.

Reference + Step by step details on how exactly to rotate keys so that email messages in transit don't refer to a key no longer existing in the DNS zone: https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/#key-rotation
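The rotation procedure described in the comment above, written out as an added example in POSIX shell with openssl. This is not Virtualmin's or OpenDKIM's own code; it assumes OpenDKIM's KeyTable and SigningTable file formats, and the domain (example.com), key directory and table paths used when calling it are placeholders. The function names are invented for the example.

```shell
#!/bin/sh
# Added example, not Virtualmin code: monthly DKIM key rotation for one
# domain with a YYYYMM selector. Assumes OpenDKIM's KeyTable/SigningTable
# format; domain, directories and table paths are placeholders.
set -eu

# Selector for the current month (YYYYMM, UTC) unless one is given.
dkim_selector() {
  if [ $# -ge 1 ]; then printf '%s\n' "$1"; else date -u +%Y%m; fi
}

# Generate a fresh 2048-bit RSA key at DIR/SELECTOR.private and print the
# base64 SubjectPublicKeyInfo that belongs in the record's p= tag.
dkim_gen_key() {
  local dir="$1" selector="$2"
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/$selector.private" 2>/dev/null
  chmod 600 "$dir/$selector.private"
  openssl pkey -in "$dir/$selector.private" -pubout -outform DER 2>/dev/null \
    | openssl base64 -A
}

# Zone line for a key. A TXT string holds at most 255 octets, so the value
# is split into quoted chunks, which resolvers concatenate.
dkim_dns_record() {
  local domain="$1" selector="$2" pubkey="$3" chunks
  chunks=$(printf 'v=DKIM1; k=rsa; p=%s' "$pubkey" | fold -w 255 \
    | awk '{ printf "\"%s\" ", $0 }')
  printf '%s._domainkey.%s. IN TXT %s\n' "$selector" "$domain" "${chunks% }"
}

# Step 1: create the new key and print the record to publish in DNS.
dkim_new_key_record() {
  local domain="$1" keydir="$2" selector pub
  selector=$(dkim_selector ${3+"$3"})
  pub=$(dkim_gen_key "$keydir" "$selector")
  dkim_dns_record "$domain" "$selector" "$pub"
}

# Step 2: compare a published TXT value with the key on disk. Non-zero on
# mismatch, so a caller refuses to switch signing until DNS is right.
dkim_record_matches_key() {
  local txt="$1" priv="$2" published local_pub
  published=$(printf ';%s' "$txt" | tr -d ' "' | sed -n 's/.*;p=\([^;]*\).*/\1/p')
  local_pub=$(openssl pkey -in "$priv" -pubout -outform DER 2>/dev/null \
    | openssl base64 -A)
  if [ -n "$published" ] && [ "$published" = "$local_pub" ]; then return 0; fi
  return 1
}

# Step 3: repoint OpenDKIM at the new selector. Only this domain's lines are
# replaced; the previous private key stays on disk because mail signed with
# it may still be in transit.
dkim_switch_tables() {
  local domain="$1" selector="$2" keydir="$3" keytable="$4" signingtable="$5"
  touch "$keytable" "$signingtable"
  awk -F'[ :]' -v d="$domain" '$2 != d' "$keytable" > "$keytable.tmp"
  printf '%s._domainkey.%s %s:%s:%s/%s.private\n' "$selector" "$domain" \
    "$domain" "$selector" "$keydir" "$selector" >> "$keytable.tmp"
  mv "$keytable.tmp" "$keytable"
  awk -v d="$domain" '$1 != "*@" d' "$signingtable" > "$signingtable.tmp"
  printf '*@%s %s._domainkey.%s\n' "$domain" "$selector" "$domain" \
    >> "$signingtable.tmp"
  mv "$signingtable.tmp" "$signingtable"
}

# Step 4: selectors still on disk other than the current one; candidates for
# removal (key file and DNS record) once the old record's TTL has passed.
dkim_old_selectors() {
  local keydir="$1" current="$2" f
  for f in "$keydir"/*.private; do
    [ -e "$f" ] || continue
    f=${f##*/}; f=${f%.private}
    [ "$f" = "$current" ] || printf '%s\n' "$f"
  done
}
```

The order of the steps is what keeps mail in transit verifiable: publish the line printed by dkim_new_key_record, wait for it to propagate, confirm with dkim_record_matches_key against the TXT value the resolver actually returns (fetching it, e.g. with dig, is outside this example), only then call dkim_switch_tables and reload OpenDKIM, and remove the selectors listed by dkim_old_selectors together with their DNS records only after the old record's TTL has expired.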

jcameron commented 4 years ago

Thanks for pointing this out - we don't yet have a way of automatically rotating DKIM keys, so this would require some work to implement.

PitWenkin commented 4 years ago

Please consider that not every website managed by virtualmin has DNS enabled. Therefore existing DKIM DNS-entries (as well as all other DNS-Records) might have been added manually to the Nameserver.

Automatically renewing/changing the DKIM-key used by a server/website would render the DNS-entry obsolete, which would flag emails as spam …?

chris001 commented 4 years ago

> Please consider that not every website managed by virtualmin has DNS enabled. Therefore existing DKIM DNS-entries (as well as all other DNS-Records) might have been added manually to the Nameserver.
>
> Automatically renewing/changing the DKIM-key used by a server/website would render the DNS-entry obsolete, which would flag emails as spam …?

jcameron commented 4 years ago

Yeah, if we were to implement this, it would only happen on domains where DNS is locally hosted.

nekohayo commented 1 year ago

If you're hosting your domain on Virtualmin (assuming you're hosting your domain's website and your domain's email on your Virtualmin server), while you host the domain's DNS on another, outside, third-party server (i.e. that server is not managed by VirtualMin/CloudMin), then the Virtualmin settings for your domain should have DNS "disabled" for your domain.

As far as I can tell, you can't really make that assumption in the way the app currently operates... because if you turn off DNS domain enabled in "Enabled features" in "Edit Virtual Server", currently that will entirely turn off the existence of the Server Configuration > DNS Options and Server Configuration > DNS Records configuration pages... which prevents you from being able to enable and configure SPF and various other things, not just DKIM... I spent half an hour wondering why I couldn't find "DNS Options" today because I had turned off that DNS domain enabled feature checkbox for that vServer, thinking "Well the DNS/nameservers are managed by the registrar rather than my server, so I guess I don't need this?"

So for that to be possible, things would probably need to be split even more granularly somehow, i.e. the distinction between "VirtualMin has full control over everything" vs "The DNS records are set on some other server, but I still want some DNS-related features to be exposed in virtualmin"...

jcameron commented 1 year ago

Other than SPF, what options would you like to be able to manage when DNS isn't hosted locally?

PitWenkin commented 1 year ago

I'm using the DKIM with the 'Keys and records for offsite hosting' thingy … A website with emails hosted on a virtualmin-server can benefit from SPF, DKIM, DMARC if the right entries are added to a DNS server to which the virtualmin-server has no access. For example in case of a subdomain where the domain owner does not want to point the whole nameserver entry to a server I manage, but is willing to add some DNS entries manually.

I can simply tell him the IPs to add to SPF, and the keys already generated by the server for DKIM … this works fine. Having to update those keys manually after an automatic system update will break stuff … Sending a wrong key is worse than using no key …

jcameron commented 1 year ago

OK, I'll look into this.

jcameron commented 1 year ago

So I looked into this a bit more, and found that it is possible to have the SPF and DMARC records included on the Suggested page already. Just make sure they are enabled by default at System Settings -> Server Templates -> Default Settings -> DNS Domain.