[Enhancement] Expose finer-grained DKIM configuration through the builder api and disable 'l-param' by default #499
Comments
|
Interesting. To be honest I have no idea and I'm glad you referenced the relevant RFC's. I'll do some research, but know that the DKIM library used under the hood has been passed on to different hands a few times, so it's entirely possible there's no real reason behind it (anymore). |
bbottema
changed the title
|
I've released 8.8.0, which updates the DKIM builder api in a similar fashion as the recent S/MIM update for #498. You can now configure lengthParam, headerCanonicalization, bodyCanonicalization and signingAlgorithm for DKIM. Here's an example from the DKIM documentation: currentEmailBuilder.signWithDomainKey(
DkimConfig.builder()
.dkimPrivateKeyData(byte[] / File / InputStream)
.dkimSigningDomain("your_domain.org")
.dkimSelector("your_selector")
.useLengthParam(true) // default is false
.excludedHeadersFromDkimDefaultSigningList("From", "Subject") // default is none
.headerCanonicalization(DkimConfig.Canonicalization.SIMPLE) // default is RELAXED
.bodyCanonicalization(DkimConfig.Canonicalization.SIMPLE) // default is RELAXED
.signingAlgorithm("SHA256_WITH_ED25519") // default is SHA256_WITH_RSA
.build()
); |
|
How fast you done with bunch of codes 😅 |
|
I wonder how can I extract the dkim signature after build it, to use it as header ? When I reconvert it from EmailBuilder to MimeMessage it broke the dkim and bh fails. |
|
Hi @furkan-atak, If I understand correctly, you want to pull out the DKIM signature to add it in your email headers directly, but you're hitting a wall with the bh field after switching from EmailBuilder to MimeMessage? Just to clear things up, Simple Java Mail is pretty solid when it comes to converting Email objects to MimeMessages right before sending, since this is the primary use case of using DKIM. This step is meant to keep everything, including DKIM signatures, intact. It seems like there might be a mix-up or a special case with your issue. Normally, the DKIM signature is part of the email headers, added automatically when you send the email to make sure it's legit and hasn't been tampered with. Messing with the DKIM signature manually isn't typically done because it can easily make the signature invalid, especially if you change parts of the email that the signature covers (like the bh field for the body hash). If you really need to get at the DKIM signature before sending, I'm curious to know why. Perhaps it's a use case I might want to support. However, I'd advise caution with manual manipulations of DKIM signatures due to the precise nature of email authentication processes. |
|
It's because I am trying to use dkim in milter (mail filter). So it's actually does not send a mail to anywhere but it communicates with postfix (if you do not know much about postfix and milter protocol stages: https://www.postfix.org/MILTER_README.html) so because of that instead of directly signing and sending an email, I need the dkim header to add the mail headers in the related milter stage which is eom(end of message). |
|
Uh... I read about milter and it seems thing to filter invalid mail when
receieving one at mail service provider. Im curious why do you try to use
milter when sending mail?
And thus agenda isn't match what I wrote here.
You may write your own PR.
Best regards, SaeGon-Heo
|
Hhm, you could try creating your own CustomMailer implementation. This gives you access to the converted MimeMessage without sending it. Would that be of help? |
|
I think I found something.
I can't sure but have you tried this written in docs you mentions?
Workarounds
To avoid breaking DKIM etc. signatures with an SMTP-based content filter,
update the before-filter SMTP client in master.cf, and add a line with "-o
disable_mime_output_conversion=yes" (note: no spaces around the "="). For
details, see the advanced content filter example.
Best regards, SaeGon-Heo
|
|
@bbottema My issue is not about sending stuff or related about the main purpose of the library. I mainly use the library for content replacement and dkim sign for the mail so my problem is about that. However, even if a did not change the body and just convert byte[] to EmailPopulatingBuilder than Email than MimeMessage than have a dkim header and adding that to the header did not work well. And this is what I do: MimeMessage dkimMimeMessage = genereateDkimMimeMessage(email); /* returns String dkimEmailContent = EmailConverter.mimeMessageToEML(dkimMimeMessage); String dkimHeader = FormatUtils.findFirstWithRegex(DKIM_HEADER_VALUE_FINDER_PATTERN, dkimEmailContent); @SaeGon-Heo thanks for the idea. However, it's a protocol level config not related to the application layer I am implementing and before that, I have my own test cases. And in that tests bh (body hash) fails in dkim. |
|
@furkan-atak Apologies, but I still don't understand what you're doing or trying to accomplish. You want to send an email to postfix. Signed or unsigned? I'm assuming unsigned, because if signed, the header would already be there. So you first sign the email just to get the header and then send the unsigned email plus header separately to postfix? And how does it break DKIM, where? At which stage? |
|
@furkan-atak
likely you want to add And add Then I wonder why you need this process... And I guess here, as you saw in your test, In short, when make
Your You may solve this by choose If you want to simply check DKIM header is added correctly before send it, how about use |
Hello bbottema!
I'm working on DKIM Signing and I have a question about default DKIMSigner config.
https://github.com/bbottema/simple-java-mail/blob/master/modules/dkim-module/src/main/java/org/simplejavamail/internal/dkimsupport/DKIMSigner.java#L47
In
DKIMSigner.javait seems setl-paramastruealways.But this optional param is not recommended to set in RFC6376.
And mailtrap mail service provider's DKIM document says too.
l-paramis not found ingoogle gmail's DKIM headertooIs there any reason to use
l-param?If not I think
l-parammust be set as not use it.The text was updated successfully, but these errors were encountered: