DKIM support (signing & verification) #7
Defaults

Verification is enabled by default for all incoming messages.

New modules

dkim_sign configuration

pub_key, priv_key directives with a path to keys, defaults to $MADDYSTATE/dkim_public_<config_block_name> and $MADDYSTATE/dkim_private_<config_block_name>.

If both files don't exist - keys are generated (algorithm to use by default? RSA-2048?) and saved (format to use for keys? probably we want to interoperate with OpenDKIM).
If only one of the files exists - we refuse to start, this is a configuration error.
If both files exist - we use keys from them.

We also probably want to add params to tweak key generation (algo? params?).

dkim_verify configuration

Insert Authentication-Result header and accept the message even if it contains invalid DKIM signature(s).
Reject messages with invalid DKIM signature(s). Default?
Reject messages without a DKIM signature.
Don't send bounce messages if DKIM verification fails for any reason. |
Updated my post, there are some questions in bold, but overall that's how I would design/implement it. |
We should probably write it in a file. But that can be done as a second step.
Probably. It would be neat to use ECC, but I don't know how well this is supported.
PEM
Other e-mail servers quarantine. In my experience DKIM signatures still break a lot so we probably shouldn't be too harsh, at least at first. (The DMARC policy of the sender can request to quarantine/bounce/… messages)
So the message is just lost in limbo? Or just reports are not sent? |
DKIM also has things like selector and other parameters, we probably want to make them configurable |
AFAIK, ECC is not supported by OpenDKIM (the most widespread implementation?) so we are out of luck here.
Okay, so then the following set of values for the
|
|
go-msgauth/dkim buffers the whole message in memory if multiple signatures are present. |
We really should do the verification in parallel instead of buffering. Requires feeding data from a single |
I will take a look. |
We can potentially use |
Verification:
Signing:
Src: https://noxxi.de/research/breaking-dkim-on-purpose-and-by-chance.html |
Signing is implemented in beef9e2. |