Releases: edmundlod/PhoenixDKIM
PhoenixDKIM 1.0.0-beta3
Date: 4 June 2026
New: metrics and observability
PhoenixDKIM now maintains in-process counters and can expose them two ways.
No extra library is linked; both exporters are switched on by configuration
alone.
Prometheus (textfile collector):
MetricsFile /var/lib/prometheus/node-exporter/phoenixdkim.prom
MetricsInterval 15 # seconds; default 15
A background thread writes atomically (temp file + rename(2)) every interval
and on clean shutdown. Place the file in the node_exporter textfile collector
directory; no network listener is added to the daemon. On Debian/Ubuntu the
directory is /var/lib/prometheus/node-exporter; other distributions commonly
use /var/lib/node_exporter/textfile_collector. Both systemd service files
carry the appropriate ReadWritePaths= entry.
StatsD (UDP push):
StatsDHost 127.0.0.1:8125
StatsDPrefix phoenixdkim # default
Events are pushed over a non-blocking UDP socket; packets drop silently if
the collector is unreachable, so a stalled collector never throttles mail.
Per-message log line (LogResults yes):
: summary action=verify result=pass d=example.com a=rsa-sha256 sigs=1
Exported series: phoenixdkim_messages_total, phoenixdkim_signatures_total
(result, algorithm), phoenixdkim_verifications_total (result mirrors RFC 8601
dkim= vocabulary), phoenixdkim_dns_queries_total, phoenixdkim_dns_responses_total
(result), phoenixdkim_dns_duration_seconds (histogram), phoenixdkim_build_info
(version). See the Metrics guide on the website for the full table and PromQL
examples.
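As an added example (not PhoenixDKIM's own code), the script below aggregates LogResults summary lines into the series names listed above and writes them as a Prometheus textfile with the same temp-file-plus-rename scheme the daemon uses, which is handy for checking what a collector will see or for a host where MetricsFile is not set. The mapping of log fields to labels, and the choice to count sign actions toward phoenixdkim_signatures_total, are assumptions; the log lines are constructed.

```python
import os, re, tempfile
from collections import Counter

# Constructed sample lines in the LogResults=yes "summary" format.
SAMPLE_LOG = """\
summary action=verify result=pass d=example.com a=rsa-sha256 sigs=1
summary action=verify result=fail d=example.net a=rsa-sha256 sigs=1
summary action=verify result=pass d=example.org a=ed25519-sha256 sigs=1
summary action=sign result=pass d=example.com a=rsa-sha256 sigs=2
summary action=verify result=neutral d=old.example a=rsa-sha1 sigs=1
"""
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def aggregate(text):
    """Counter keyed by (series name, label tuple), using the exported series names."""
    c = Counter()
    for line in text.splitlines():
        _, sep, rest = line.partition("summary ")   # skip non-summary log lines
        f = dict(FIELD_RE.findall(rest)) if sep else {}
        if "result" not in f or "a" not in f:
            continue
        c[("phoenixdkim_messages_total", ())] += 1
        # Assumption: all sigs on a message share the logged result/algorithm; sign actions count too.
        sig_labels = (("result", f["result"]), ("algorithm", f["a"]))
        c[("phoenixdkim_signatures_total", sig_labels)] += int(f.get("sigs", "1"))
        if f.get("action") == "verify":
            c[("phoenixdkim_verifications_total", (("result", f["result"]),))] += 1
    return c

def render(counters):
    """Prometheus text exposition: name{label="v",...} value, one sample per line."""
    out = []
    for (name, labels), value in sorted(counters.items()):
        lab = ",".join('%s="%s"' % kv for kv in labels)
        out.append(("%s{%s} %d" % (name, lab, value)) if lab else ("%s %d" % (name, value)))
    return "\n".join(out) + "\n"

def write_atomic(path, text):
    """Temp file in the target directory + rename(2): readers never see a partial file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".phoenixdkim.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)

def export_sample(directory=None):
    """Write the sample aggregate to <dir>/phoenixdkim.prom and return what landed on disk."""
    path = os.path.join(directory or tempfile.mkdtemp(), "phoenixdkim.prom")
    write_atomic(path, render(aggregate(SAMPLE_LOG)))
    return open(path).read()
```

Point `directory` at the node_exporter textfile collector directory to have the counters scraped; the result label values follow the RFC 8601 dkim= vocabulary exactly as logged.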
Build fix
- CMake: accept Lua >= 5.4 rather than exactly 5.4; fixes builds on
distributions shipping Lua 5.5 (e.g. Fedora Rawhide).
PhoenixDKIM 1.0.0-beta1 release notes
Date: 2 June 2026
This is the first release under the PhoenixDKIM 1.0.0 line. It completes the
rename from opendkim / opendkim-ng to PhoenixDKIM, resets the version to 1.0.0,
and introduces dynamic key backends (HTTP/HTTPS and HashiCorp Vault) with
zero-downtime key rotation.
PhoenixDKIM is a standalone DKIM signing and verification milter; it is not a
drop-in replacement for OpenDKIM. See the "Coming From" guide on the website for
migrating an OpenDKIM or Rspamd setup -- in most cases you keep your existing
keys and DNS records and only change the milter.
Version reset
The version line restarts at 1.0.0. The earlier 3.0.0-beta series carried the
numbering of the orphaned upstream beta this project forked from (and the interim
opendkim-ng name); it is unrelated to this 1.0.0 line. A package manager may note
the apparent version decrease -- that is expected (no epoch is used).
Rename (opendkim -> phoenixdkim)
- Binary: phoenixdkim (was opendkim). Tools: phoenixdkim-genkey,
phoenixdkim-testkey, phoenixdkim-genzone, phoenixdkim-testmsg.
- Configuration: /etc/phoenixdkim/phoenixdkim.conf. PhoenixDKIM never reads
/etc/opendkim, so it coexists with an OpenDKIM install; copy config and keys
over manually.
- Library: libphoenixdkim, fresh SONAME libphoenixdkim.so.0; headers in
/usr/include/phoenixdkim/; pkg-config phoenixdkim.pc.
- Lua policy API: pdkim.* (odkim.* kept as a deprecated in-process alias).
- systemd unit phoenixdkim.service; Debian packages libphoenixdkim0,
libphoenixdkim-dev, phoenixdkim, phoenixdkim-tools, phoenixdkim-keygen.
- Config keywords are unchanged and the KeyTable / SigningTable formats are the
same, so configurations port across with minimal edits.
New: dynamic key backends and key rotation (optional, -DWITH_CURL=ON)
- http: / https: data-set backends -- look keys up over an HTTP GET; point
them at a small bridge to reach SQL, LDAP, or a secrets manager.
- vault: backend -- read keys from HashiCorp Vault (KV v1 and v2).
- redis: backend.
- Zero-downtime key rotation: a Vault secret may carry a "selectors" array, and
PhoenixDKIM signs with every currently-valid selector at once -- old and new,
RSA and Ed25519 -- across the rotation overlap, so a key roll needs no flag
day. The secret layout matches Rspamd's (rspamadm vault), so the same store
signs in both.
- pdkim.http_get() helper available in the Lua sandbox.
Security and correctness
- RSA-SHA1 signing removed; an RSA-SHA1 signature is never treated as valid on
verification (reported dkim=neutral, never dkim=pass, per RFC 8301), with
On-WeakAlgorithm selecting only the message disposition.
- 2048-bit minimum RSA signing key.
- Unmaintained subsystems removed: LDAP, SQL (OpenDBX), BerkeleyDB, VBR, ATPS,
RBL, reputation, statistics, ADSP, GnuTLS. The configuration keywords that
drove them are no longer accepted (see the Removed Features page).
- Memory-safety auditing of the parsers and data-set backends; hardened build
(warnings-as-errors, sanitiser-clean, link hardening).
Build
- OpenSSL 3 or LibreSSL via the EVP API; CMake + CTest; LMDB; Lua 5.4.
v3.0.0-beta11
This release completes the compiler-warning remediation work started in earlier
betas and adds several new features, security hardening, and bug fixes.
Security
- Fix A-R stripping bypass via trailing-dot authserv-id
- Fix TXT chunk-length OOB read in DNS key extraction
- Sandbox Lua policy hooks against dangerous standard libraries (os/io/debug)
- Zero per-signrequest private key data before free
- Fix mlfi_connect config-refcount race (curconf dereferenced without refcnt)
- Fix dkimf_add_signrequest reading global curconf instead of per-connection config
Bug fixes
- Fix dkim_ohdrs z= decode: plist storage overwrite, wrong strlcpy size, scratch buffer ignored
- Fix header.b quoting in Authentication-Results (bug #235)
- Fix header.b substring for duplicate signatures (bug #233)
- Fix header fields wrapped before any content (bug #226)
- Fix RequiredHeaders to report specific error and reject (issue #28)
- Fix body skip when only one canonicalization mode finished (issue #15)
- Fix A-R leading space when noleadspc is negotiated
- Fix standard resolver DNSSEC-awareness
- Fix ub_ctx_config() unprotected concurrent calls (issue #14)
- Widen password file critical section in dkimf_securefile (issue #8)
- Fix reportaddr buffer too small for user@host worst case
- Fix UB from (int) buflen cast when buflen > INT_MAX
- Fix dkim_options API: split into const-correct dkim_setopt / dkim_getopt
New features
- Add header.a and header.s to Authentication-Results output
- Add SyslogName configuration option
- Add odkim.internal_ip() to screen and final Lua policy hooks
- Reject non-printable characters in domain/selector in dkim_sign() (feature #190)
- Additional cross-implementation DKIM test suite (additional-test-suite/)
Build system
- Port missing autotools HAVE_* probes to CMake; add HAVE_LIBCURL
- Add OpenSSL version string to build-config.h and -V output
- Support OpenSSL 4 builds by deferring version probe to runtime
- Add CMake hardening infrastructure (-D_FORTIFY_SOURCE, stack protector, etc.)
- Fix USE_LUA / WITH_REDIS propagation to build-config.h
- Warn when SHA1 RSA verification is blocked by active crypto policy
- Probe realpath() / strsep() in CMake; enable secure-path check
Legacy removal
- Remove POPAUTH (POP-before-SMTP) support
- Remove QUERY_CACHE (BerkeleyDB-backed DNS-result cache)
- Remove USE_GNUTLS conditionals from test programs
Compiler warning remediation (PR #3)
Systematic elimination of all -Wcast-qual, -Wshadow, -Wpointer-sign,
-Wsign-compare, -Wmissing-prototypes, and -Wunused-parameter diagnostics
across libopendkim, the daemon, miltertest, and all test programs. This
required propagating const through the entire libopendkim public API,
splitting dkim_options() into const-correct dkim_setopt() / dkim_getopt(),
and touching approximately 100 source files.
v3.0.0-beta8
v3.0.0-beta7
v3.0.0-beta6
v3.0.0-beta10
v3.0.0-beta4
Beta 4 release
v3.0.0-beta3
Hotfix: Fix SigningTable validation
v3.0.0-beta1
Full Changelog: https://github.com/edmundlod/opendkim-ng/commits/v3.0.0-beta1