mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
chore: Change setup config dkim
default key size to 2048
(open-dkim
) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit 4096-bit is excessive in size for DKIM key. 2048-bit is plenty. * chore: Additional revisions to `open-dkim` command help output - The examples use `keysize 2048`, but as that's the new default it makes sense to change that. - Other help text was also revised. - Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values. * docs: Revise DKIM docs Primarily for the change in default key size, but does revise some text to better communicate to the user. - While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys. - Adjusted the domains example to match the new `setup config dkim domain` domains example. - Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively). - Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future. - `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed. - Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_). * docs: Sync DKIM commands help messages and update DKIM docs for LDAP - Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now. - Update `rspamd-dkim` examples help output to align with `open-dkim` command examples. - Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_). - DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary. * tests: Adjust test-cases for `setup config dkim` change `rspamd_dkim.bats`: - Update assert for command help output. - Don't bother creating a DKIM key at 512-bit size. `setup_cli.bats`: - Update assert for command help output of the `setup config dkim` (OpenDKIM) command. * docs: Update DKIM section for large keys to newer RFC The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support. The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM. * docs: Extract out common DKIM generation command from content tabs Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS. * docs: DKIM refactoring - Shifted out the info admonition on key size advice out of the content tabs as it's now generic information. - Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now. - Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet. * docs: Revise DKIM docs Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
This commit is contained in:
parent
855d9acb53
commit
e9f04cf8a7
|
@ -35,14 +35,67 @@ DKIM requires a public/private key pair to enable **signing (_via private key_)*
|
||||||
|
|
||||||
### Generating Keys
|
### Generating Keys
|
||||||
|
|
||||||
|
You'll need to repeat this process if you add any new domains.
|
||||||
|
|
||||||
You should have:
|
You should have:
|
||||||
|
|
||||||
- At least one [email account setup][docs-accounts-add]
|
- At least one [email account setup][docs-accounts-add]
|
||||||
- Attached a [volume for config][docs-volumes-config] to persist the generated files to local storage
|
- Attached a [volume for config][docs-volumes-config] to persist the generated files to local storage
|
||||||
|
|
||||||
!!! warning "RSA Key Sizes >= 4096 Bit"
|
!!! example "Creating DKIM Keys"
|
||||||
|
|
||||||
Keys of 4096 bits could be denied by some mail servers. According to [RFC 6376][rfc-6376], keys are [preferably between 512 and 2048 bits][github-issue-dkimlength].
|
DKIM keys can be generated with good defaults by running:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker exec -it <CONTAINER NAME> setup config dkim
|
||||||
|
```
|
||||||
|
|
||||||
|
If you need to generate your keys with different settings, check the `help` output for supported config options and examples:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
docker exec -it <CONTAINER NAME> setup config dkim help
|
||||||
|
```
|
||||||
|
|
||||||
|
As described by the help output, you may need to use the `domain` option explicitly when you're using LDAP or Rspamd.
|
||||||
|
|
||||||
|
??? info "Changing the key size"
|
||||||
|
|
||||||
|
The keypair generated for using with DKIM presently defaults to RSA-2048. This is a good size but you can lower the security to `1024-bit`, or increase it to `4096-bit` (_discouraged as that is excessive_).
|
||||||
|
|
||||||
|
To generate a key with different size (_for RSA 1024-bit_) run:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
setup config dkim keysize 1024
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! warning "RSA Key Sizes >= 4096 Bit"
|
||||||
|
|
||||||
|
According to [RFC 8301][rfc-8301], keys are preferably between 1024 and 2048 bits. Keys of size 4096-bit or larger may not be compatible to all systems your mail is intended for.
|
||||||
|
|
||||||
|
You [should not need a key length beyond 2048-bit][github-issue-dkimlength]. If 2048-bit does not meet your security needs, you may want to instead consider adopting key rotation or switching from RSA to ECC keys for DKIM.
|
||||||
|
|
||||||
|
??? note "You may need to specify mail domains explicitly"
|
||||||
|
|
||||||
|
Required when using LDAP and Rspamd.
|
||||||
|
|
||||||
|
`setup config dkim` will generate DKIM keys for what is assumed as the primary mail domain (_derived from the FQDN assigned to DMS, minus any subdomain_).
|
||||||
|
|
||||||
|
When the DMS FQDN is `mail.example.com` or `example.com`, by default this command will generate DKIM keys for `example.com` as the primary domain for your users mail accounts (eg: `hello@example.com`).
|
||||||
|
|
||||||
|
The DKIM generation does not have support to query LDAP for additionanl mail domains it should know about. If the primary mail domain is not sufficient, then you must explicitly specify any extra domains via the `domain` option:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
# ENABLE_OPENDKIM=1 (default):
|
||||||
|
setup config dkim domain 'example.com,another-example.com'
|
||||||
|
|
||||||
|
# ENABLE_RSPAMD=1 + ENABLE_OPENDKIM=0:
|
||||||
|
setup config dkim domain example.com
|
||||||
|
setup config dkim domain another-example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
!!! info "OpenDKIM with `ACCOUNT_PROVISIONER=FILE`"
|
||||||
|
|
||||||
|
When DMS uses this configuration, it will by default also detect mail domains (_from accounts added via `setup email add`_), generating additional DKIM keys.
|
||||||
|
|
||||||
DKIM is currently supported by either OpenDKIM or Rspamd:
|
DKIM is currently supported by either OpenDKIM or Rspamd:
|
||||||
|
|
||||||
|
@ -50,68 +103,27 @@ DKIM is currently supported by either OpenDKIM or Rspamd:
|
||||||
|
|
||||||
OpenDKIM is currently [enabled by default][docs-env-opendkim].
|
OpenDKIM is currently [enabled by default][docs-env-opendkim].
|
||||||
|
|
||||||
The command `docker exec <CONTAINER NAME> setup config dkim help` details supported config options, along with some examples.
|
After running `setup config dkim`, your new DKIM key files (_and OpenDKIM config_) have been added to `/tmp/docker-mailserver/opendkim/`.
|
||||||
|
|
||||||
!!! example "Creating a DKIM key"
|
|
||||||
|
|
||||||
Generate the DKIM files with:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
docker exec -ti <CONTAINER NAME> setup config dkim
|
|
||||||
```
|
|
||||||
|
|
||||||
Your new DKIM key(s) and OpenDKIM config files have been added to `/tmp/docker-mailserver/opendkim/`.
|
|
||||||
|
|
||||||
??? note "LDAP accounts need to specify domains explicitly"
|
|
||||||
|
|
||||||
The command is unable to infer the domains from LDAP user accounts, you must specify them:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
setup config dkim domain 'example.com,example.io'
|
|
||||||
```
|
|
||||||
|
|
||||||
??? tip "Changing the key size"
|
|
||||||
|
|
||||||
The private key presently defaults to RSA-4096. To create an RSA 2048-bit key run:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
setup config dkim keysize 2048
|
|
||||||
```
|
|
||||||
|
|
||||||
!!! info "Restart required"
|
!!! info "Restart required"
|
||||||
|
|
||||||
After restarting DMS, outgoing mail will now be signed with your new DKIM key(s) :tada:
|
After restarting DMS, outgoing mail will now be signed with your new DKIM key(s) :tada:
|
||||||
|
|
||||||
You'll need to repeat this process if you add any new domains.
|
|
||||||
|
|
||||||
=== "Rspamd"
|
=== "Rspamd"
|
||||||
|
|
||||||
Opt-in via [`ENABLE_RSPAMD=1`][docs-env-rspamd] (_and disable the default OpenDKIM: `ENABLE_OPENDKIM=0`_).
|
Requires opt-in via [`ENABLE_RSPAMD=1`][docs-env-rspamd] (_and disable the default OpenDKIM: `ENABLE_OPENDKIM=0`_).
|
||||||
|
|
||||||
Rspamd provides DKIM support through two separate modules:
|
Rspamd provides DKIM support through two separate modules:
|
||||||
|
|
||||||
1. [Verifying DKIM signatures from inbound mail][rspamd-docs-dkim-checks] is enabled by default.
|
1. [Verifying DKIM signatures from inbound mail][rspamd-docs-dkim-checks] is enabled by default.
|
||||||
2. [Signing outbound mail with your DKIM key][rspamd-docs-dkim-signing] needs additional setup (key + dns + config).
|
2. [Signing outbound mail with your DKIM key][rspamd-docs-dkim-signing] needs additional setup (key + dns + config).
|
||||||
|
|
||||||
!!! example "Creating DKIM Keys"
|
|
||||||
|
|
||||||
You can simply run
|
|
||||||
|
|
||||||
```bash
|
|
||||||
docker exec -ti <CONTAINER NAME> setup config dkim help
|
|
||||||
```
|
|
||||||
|
|
||||||
which provides you with an overview of what the script can do. Just running
|
|
||||||
|
|
||||||
```bash
|
|
||||||
docker exec -ti <CONTAINER NAME> setup config dkim
|
|
||||||
```
|
|
||||||
|
|
||||||
will execute the helper script with default parameters.
|
|
||||||
|
|
||||||
??? warning "Using Multiple Domains"
|
??? warning "Using Multiple Domains"
|
||||||
|
|
||||||
Unlike the current script for OpenDKIM, the Rspamd script will **not** create keys for all domains DMS is managing, but only for the one it assumes to be the main domain (derived from DMS' domain name). Moreover, the default `dkim_signing.conf` configuration file that DMS ships will also only contain one domain. If you have multiple domains, you need to run the command `docker exec -ti <CONTAINER NAME> setup config dkim domain <DOMAIN>` multiple times to create all the keys for all domains, and then provide a custom `dkim_signing.conf` (for which an example is shown below).
|
If you have multiple domains, you need to:
|
||||||
|
|
||||||
|
- Create a key wth `docker exec -it <CONTAINER NAME> setup config dkim domain <DOMAIN>` for each domain DMS should sign outgoing mail for.
|
||||||
|
- Provide a custom `dkim_signing.conf` (for which an example is shown below), as the default config only supports one domain.
|
||||||
|
|
||||||
!!! info "About the Helper Script"
|
!!! info "About the Helper Script"
|
||||||
|
|
||||||
|
@ -121,7 +133,9 @@ DKIM is currently supported by either OpenDKIM or Rspamd:
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
In case you have not already provided a default DKIM signing configuration, the script will create one and write it to `/etc/rspamd/override.d/dkim_signing.conf`. If this file already exist, it will not be overwritten. When you're already using [the `rspamd/override.d/` directory][docs-rspamd-override-d], the file is created inside your volume and therefore persisted correctly. If you are not using `rspamd/override.d/`, you will need to persist the file yourself (otherwise it is lost on container restart).
|
In case you have not already provided a default DKIM signing configuration, the script will create one and write it to `/etc/rspamd/override.d/dkim_signing.conf`. If this file already exists, it will not be overwritten.
|
||||||
|
|
||||||
|
When you're already using [the `rspamd/override.d/` directory][docs-rspamd-config-dropin], the file is created inside your volume and therefore persisted correctly. If you are not using `rspamd/override.d/`, you will need to persist the file yourself (otherwise it is lost on container restart).
|
||||||
|
|
||||||
An example of what a default configuration file for DKIM signing looks like can be found by expanding the example below.
|
An example of what a default configuration file for DKIM signing looks like can be found by expanding the example below.
|
||||||
|
|
||||||
|
@ -190,8 +204,6 @@ DKIM is currently supported by either OpenDKIM or Rspamd:
|
||||||
|
|
||||||
If there is a mismatch, a warning will be emitted to the Rspamd log `/var/log/supervisor/rspamd.log`.
|
If there is a mismatch, a warning will be emitted to the Rspamd log `/var/log/supervisor/rspamd.log`.
|
||||||
|
|
||||||
[docs-rspamd-override-d]: ../security/rspamd.md#manually
|
|
||||||
|
|
||||||
### DNS Record { #dkim-dns }
|
### DNS Record { #dkim-dns }
|
||||||
|
|
||||||
When mail signed with your DKIM key is sent from your mail server, the receiver needs to check a DNS `TXT` record to verify the DKIM signature is trustworthy.
|
When mail signed with your DKIM key is sent from your mail server, the receiver needs to check a DNS `TXT` record to verify the DKIM signature is trustworthy.
|
||||||
|
@ -221,11 +233,13 @@ When mail signed with your DKIM key is sent from your mail server, the receiver
|
||||||
|
|
||||||
??? info "`<selector>.txt` - Formatting the `TXT` record value correctly"
|
??? info "`<selector>.txt` - Formatting the `TXT` record value correctly"
|
||||||
|
|
||||||
This file was generated for use within a [DNS zone file][dns::wikipedia-zonefile]. DNS `TXT` records values that are longer than 255 characters need to be split into multiple parts. This is why the public key has multiple parts wrapped within double-quotes between `(` and `)`.
|
This file was generated for use within a [DNS zone file][dns::wikipedia-zonefile]. The file name uses the DKIM selector it was generated with (default DKIM selector is `mail`, which creates `mail.txt`_).
|
||||||
|
|
||||||
A DNS web-interface may handle this internally instead, while [others may not, but expect the input as a single line][dns::webui-dkim]_). You'll need to manually format the value as described below.
|
For your DNS setup, DKIM support needs to create a `TXT` record to store the public key for mail clients to use. `TXT` records with values that are longer than 255 characters need to be split into multiple parts. This is why the generated `<selector>.txt` file (_containing your public key for use with DKIM_) has multiple value parts wrapped within double-quotes between `(` and `)`.
|
||||||
|
|
||||||
Your DNS record file (eg: `mail.txt`) should look similar to this:
|
A DNS web-interface may handle this separation internally instead, and [could expect the value provided all as a single line][dns::webui-dkim] instead of split. When that is required, you'll need to manually format the value as described below.
|
||||||
|
|
||||||
|
Your generated DNS record file (`<selector>.txt`) should look similar to this:
|
||||||
|
|
||||||
```txt
|
```txt
|
||||||
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
|
mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "
|
||||||
|
@ -243,7 +257,7 @@ When mail signed with your DKIM key is sent from your mail server, the receiver
|
||||||
To test that your new DKIM record is correct, query it with the `dig` command. The `TXT` value response should be a single line split into multiple parts wrapped in double-quotes:
|
To test that your new DKIM record is correct, query it with the `dig` command. The `TXT` value response should be a single line split into multiple parts wrapped in double-quotes:
|
||||||
|
|
||||||
```console
|
```console
|
||||||
$ dig +short TXT dkim-rsa._domainkey.example.com
|
$ dig +short TXT mail._domainkey.example.com
|
||||||
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39" "KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB"
|
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqQMMqhb1S52Rg7VFS3EC6JQIMxNDdiBmOKZvY5fiVtD3Z+yd9ZV+V8e4IARVoMXWcJWSR6xkloitzfrRtJRwOYvmrcgugOalkmM0V4Gy/2aXeamuiBuUc4esDQEI3egmtAsHcVY1XCoYfs+9VqoHEq3vdr3UQ8zP/l+FP5UfcaJFCK/ZllqcO2P1GjIDVSHLdPpRHbMP/tU1a9mNZ5QMZBJ/JuJK/s+2bp8gpxKn8rh1akSQjlynlV9NI+7J3CC7CUf3bGvoXIrb37C/lpJehS39" "KNtcGdaRufKauSfqx/7SxA0zyZC+r13f7ASbMaQFzm+/RRusTqozY/p/MsWx8QIDAQAB"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -328,10 +342,9 @@ volumes:
|
||||||
[docs-env-opendkim]: ../environment.md#enable_opendkim
|
[docs-env-opendkim]: ../environment.md#enable_opendkim
|
||||||
[docs-env-rspamd]: ../environment.md#enable_rspamd
|
[docs-env-rspamd]: ../environment.md#enable_rspamd
|
||||||
[docs-rspamd-config-dropin]: ../security/rspamd.md#manually
|
[docs-rspamd-config-dropin]: ../security/rspamd.md#manually
|
||||||
[docs-rspamd-config-declarative]: ../security/rspamd.md#with-the-help-of-a-custom-file
|
|
||||||
[cloudflare-dkim-dmarc-spf]: https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
|
[cloudflare-dkim-dmarc-spf]: https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
|
||||||
[rfc-6376]: https://tools.ietf.org/html/rfc6376
|
[rfc-8301]: https://datatracker.ietf.org/doc/html/rfc8301#section-3.2
|
||||||
[github-issue-dkimlength]: https://github.com/docker-mailserver/docker-mailserver/issues/1854
|
[github-issue-dkimlength]: https://github.com/docker-mailserver/docker-mailserver/issues/1854#issuecomment-806280929
|
||||||
[rspamd-docs-dkim-checks]: https://www.rspamd.com/doc/modules/dkim.html
|
[rspamd-docs-dkim-checks]: https://www.rspamd.com/doc/modules/dkim.html
|
||||||
[rspamd-docs-dkim-signing]: https://www.rspamd.com/doc/modules/dkim_signing.html
|
[rspamd-docs-dkim-signing]: https://www.rspamd.com/doc/modules/dkim_signing.html
|
||||||
[dns::example-webui]: https://www.vultr.com/docs/introduction-to-vultr-dns/
|
[dns::example-webui]: https://www.vultr.com/docs/introduction-to-vultr-dns/
|
||||||
|
|
|
@ -8,7 +8,7 @@ if [[ -f /etc/dms-settings ]] && [[ $(_get_dms_env_value 'ENABLE_RSPAMD') -eq 1
|
||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
KEYSIZE=4096
|
KEYSIZE=2048
|
||||||
SELECTOR=mail
|
SELECTOR=mail
|
||||||
DOMAINS=
|
DOMAINS=
|
||||||
|
|
||||||
|
@ -16,37 +16,40 @@ function __usage() {
|
||||||
printf '%s' "${PURPLE}OPEN-DKIM${RED}(${YELLOW}8${RED})
|
printf '%s' "${PURPLE}OPEN-DKIM${RED}(${YELLOW}8${RED})
|
||||||
|
|
||||||
${ORANGE}NAME${RESET}
|
${ORANGE}NAME${RESET}
|
||||||
open-dkim - configure DomainKeys Identified Mail (DKIM)
|
open-dkim - Configure DKIM (DomainKeys Identified Mail)
|
||||||
|
|
||||||
${ORANGE}SYNOPSIS${RESET}
|
${ORANGE}SYNOPSIS${RESET}
|
||||||
./setup.sh config dkim [ OPTIONS${RED}...${RESET} ]
|
setup config dkim [ OPTIONS${RED}...${RESET} ]
|
||||||
|
|
||||||
${ORANGE}DESCRIPTION${RESET}
|
${ORANGE}DESCRIPTION${RESET}
|
||||||
Configures DKIM keys. OPTIONS can be used to configure a more complex setup.
|
Creates DKIM keys and configures them within DMS for OpenDKIM.
|
||||||
LDAP setups require these options.
|
OPTIONS can be used when your requirements are not met by the defaults.
|
||||||
|
When not using 'ACCOUNT_PROVISIONER=FILE' (default), you may need to explicitly
|
||||||
|
use the 'domain' option to generate DKIM keys for your mail account domains.
|
||||||
|
|
||||||
${ORANGE}OPTIONS${RESET}
|
${ORANGE}OPTIONS${RESET}
|
||||||
${BLUE}Generic Program Information${RESET}
|
${BLUE}Generic Program Information${RESET}
|
||||||
help Print the usage information.
|
help Print the usage information.
|
||||||
|
|
||||||
${BLUE}Configuration adjustments${RESET}
|
${BLUE}Configuration adjustments${RESET}
|
||||||
keysize Set the size of the keys to be generated. Possible are 1024, 2048 and 4096 (default).
|
keysize Set the size of the keys to be generated.
|
||||||
selector Set a manual selector (default is 'mail') for the key. (${LCYAN}ATTENTION${RESET}: NOT IMPLEMENTED YET!)
|
Possible values: 1024, 2048 and 4096
|
||||||
domain Provide the domain(s) for which keys are to be generated.
|
Default: 2048
|
||||||
|
selector Set a manual selector for the key.
|
||||||
|
Default: mail
|
||||||
|
domain Provide the domain(s) for which to generate keys for.
|
||||||
|
Default: The FQDN assigned to DMS, excluding any subdomain.
|
||||||
|
'ACCOUNT_PROVISIONER=FILE' also sources domains from mail accounts.
|
||||||
|
|
||||||
${ORANGE}EXAMPLES${RESET}
|
${ORANGE}EXAMPLES${RESET}
|
||||||
${LWHITE}./setup.sh config dkim keysize 2048${RESET}
|
${LWHITE}setup config dkim keysize 4096${RESET}
|
||||||
Creates keys of length 2048 bit in a default setup where domains are obtained from
|
Creates keys with their length increased to a size of 4096-bit.
|
||||||
your accounts.
|
|
||||||
|
|
||||||
${LWHITE}./setup.sh config dkim keysize 2048 selector 2021-dkim${RESET}
|
${LWHITE}setup config dkim keysize 1024 selector 2023-dkim${RESET}
|
||||||
Creates keys of length 2048 bit in a default setup where domains are obtained from
|
Creates 1024-bit sized keys, and changes the DKIM selector to '2023-dkim'.
|
||||||
your accounts. The DKIM selector used is '2021-dkim'.
|
|
||||||
|
|
||||||
${LWHITE}./setup.sh config dkim keysize 2048 selector 2021-dkim domain 'whoami.com,whoareyou.org'${RESET}
|
${LWHITE}setup config dkim domain 'example.com,another-example.com'${RESET}
|
||||||
Appropriate for an LDAP setup. Creates keys of length 2048 bit in a default setup
|
Only generates DKIM keys for the specified domains: 'example.com' and 'another-example.com'.
|
||||||
where domains are obtained from your accounts. The DKIM selector used is '2021-dkim'.
|
|
||||||
The domains for which DKIM keys are generated are 'whoami.com' and 'whoareyou.org'.
|
|
||||||
|
|
||||||
${ORANGE}EXIT STATUS${RESET}
|
${ORANGE}EXIT STATUS${RESET}
|
||||||
Exit status is 0 if command was successful. If wrong arguments are provided or arguments contain
|
Exit status is 0 if command was successful. If wrong arguments are provided or arguments contain
|
||||||
|
|
|
@ -16,14 +16,14 @@ function __usage() {
|
||||||
echo -e "${PURPLE}RSPAMD-DKIM${RED}(${YELLOW}8${RED})
|
echo -e "${PURPLE}RSPAMD-DKIM${RED}(${YELLOW}8${RED})
|
||||||
|
|
||||||
${ORANGE}NAME${RESET}
|
${ORANGE}NAME${RESET}
|
||||||
rspamd-dkim - Configure DomainKeys Identified Mail (DKIM) via Rspamd
|
rspamd-dkim - Configure DKIM (DomainKeys Identified Mail)
|
||||||
|
|
||||||
${ORANGE}SYNOPSIS${RESET}
|
${ORANGE}SYNOPSIS${RESET}
|
||||||
setup config dkim [ OPTIONS${RED}...${RESET} ]
|
setup config dkim [ OPTIONS${RED}...${RESET} ]
|
||||||
|
|
||||||
${ORANGE}DESCRIPTION${RESET}
|
${ORANGE}DESCRIPTION${RESET}
|
||||||
This script aids in creating DKIM signing keys. The keys are created and managed by Rspamd.
|
Creates DKIM keys and configures them within DMS for Rspamd.
|
||||||
OPTIONS can be used to configure a more complex setup.
|
OPTIONS can be used when your requirements are not met by the defaults.
|
||||||
|
|
||||||
${ORANGE}OPTIONS${RESET}
|
${ORANGE}OPTIONS${RESET}
|
||||||
${BLUE}Generic Program Information${RESET}
|
${BLUE}Generic Program Information${RESET}
|
||||||
|
@ -32,30 +32,27 @@ ${ORANGE}OPTIONS${RESET}
|
||||||
help Print the usage information.
|
help Print the usage information.
|
||||||
|
|
||||||
${BLUE}Configuration adjustments${RESET}
|
${BLUE}Configuration adjustments${RESET}
|
||||||
keytype Set the type of key you want to use
|
keytype Set the type of key you want to use.
|
||||||
Possible values: rsa, ed25519
|
Possible values: rsa, ed25519
|
||||||
Default: rsa
|
Default: rsa
|
||||||
keysize Set the size of the keys to be generated
|
keysize Set the size of the keys to be generated.
|
||||||
Possible values: 1024, 2048 and 4096
|
Possible values: 1024, 2048 and 4096
|
||||||
Default: 2048
|
Default: 2048
|
||||||
Only applies when using keytype=rsa
|
Only applies when using keytype=rsa
|
||||||
selector Set a manual selector for the key
|
selector Set a manual selector for the key.
|
||||||
Default: mail
|
Default: mail
|
||||||
domain Provide the domain for which keys are to be generated
|
domain Provide the domain for which to generate keys for.
|
||||||
Default: primary domain name of DMS
|
Default: The FQDN assigned to DMS, excluding any subdomain.
|
||||||
|
|
||||||
${ORANGE}EXAMPLES${RESET}
|
${ORANGE}EXAMPLES${RESET}
|
||||||
${LWHITE}setup config dkim keysize 2048${RESET}
|
${LWHITE}setup config dkim keysize 4096${RESET}
|
||||||
Creates keys of length 2048 bit in a default setup where domains are obtained from
|
Creates keys with their length increased to a size of 4096-bit.
|
||||||
your accounts.
|
|
||||||
|
|
||||||
${LWHITE}setup config dkim keysize 512 selector 2023-dkim${RESET}
|
${LWHITE}setup config dkim keysize 1024 selector 2023-dkim${RESET}
|
||||||
Creates keys of length 512 bit in a default setup where domains are obtained from
|
Creates 1024-bit sized keys, and changes the DKIM selector to '2023-dkim'.
|
||||||
your accounts. The DKIM selector used is '2023-dkim'.
|
|
||||||
|
|
||||||
${LWHITE}setup config dkim keysize 1024 selector 2023-dkim domain whoami.com${RESET}
|
${LWHITE}setup config dkim domain example.com${RESET}
|
||||||
Creates keys of length 1024 bit in a default setup where domains are obtained from your accounts.
|
Generate the DKIM key for a different domain (example.com).
|
||||||
The DKIM selector used is '2023-dkim'. The domain for which DKIM keys are generated is whoami.com.
|
|
||||||
|
|
||||||
${ORANGE}EXIT STATUS${RESET}
|
${ORANGE}EXIT STATUS${RESET}
|
||||||
Exit status is 0 if command was successful. If wrong arguments are provided or arguments contain
|
Exit status is 0 if command was successful. If wrong arguments are provided or arguments contain
|
||||||
|
|
|
@ -49,7 +49,7 @@ function teardown_file() { _default_teardown ; }
|
||||||
_run_in_container setup config dkim help
|
_run_in_container setup config dkim help
|
||||||
__log_is_free_of_warnings_and_errors
|
__log_is_free_of_warnings_and_errors
|
||||||
assert_output --partial 'Showing usage message now'
|
assert_output --partial 'Showing usage message now'
|
||||||
assert_output --partial 'rspamd-dkim - Configure DomainKeys Identified Mail (DKIM) via Rspamd'
|
assert_output --partial 'rspamd-dkim - Configure DKIM (DomainKeys Identified Mail)'
|
||||||
}
|
}
|
||||||
|
|
||||||
@test 'default signing config is created if it does not exist and not overwritten' {
|
@test 'default signing config is created if it does not exist and not overwritten' {
|
||||||
|
@ -143,7 +143,7 @@ function teardown_file() { _default_teardown ; }
|
||||||
}
|
}
|
||||||
|
|
||||||
@test "argument 'keysize' is applied correctly for RSA keys" {
|
@test "argument 'keysize' is applied correctly for RSA keys" {
|
||||||
for KEYSIZE in 512 1024 2048 4096; do
|
for KEYSIZE in 1024 2048 4096; do
|
||||||
__create_key 'rsa' 'mail' "${DOMAIN_NAME}" "${KEYSIZE}"
|
__create_key 'rsa' 'mail' "${DOMAIN_NAME}" "${KEYSIZE}"
|
||||||
assert_success
|
assert_success
|
||||||
__log_is_free_of_warnings_and_errors
|
__log_is_free_of_warnings_and_errors
|
||||||
|
|
|
@ -237,7 +237,7 @@ function teardown_file() { _default_teardown ; }
|
||||||
@test "config dkim (help correctly displayed)" {
|
@test "config dkim (help correctly displayed)" {
|
||||||
run ./setup.sh -c "${CONTAINER_NAME}" config dkim help
|
run ./setup.sh -c "${CONTAINER_NAME}" config dkim help
|
||||||
assert_success
|
assert_success
|
||||||
assert_line --index 3 --partial " open-dkim - configure DomainKeys Identified Mail (DKIM)"
|
assert_line --index 3 --partial "open-dkim - Configure DKIM (DomainKeys Identified Mail)"
|
||||||
}
|
}
|
||||||
|
|
||||||
# debug
|
# debug
|
||||||
|
|
|
@ -113,14 +113,14 @@ function teardown() { _default_teardown ; }
|
||||||
__init_container_without_waiting '/tmp/docker-mailserver'
|
__init_container_without_waiting '/tmp/docker-mailserver'
|
||||||
|
|
||||||
# generate first key (with a custom selector)
|
# generate first key (with a custom selector)
|
||||||
__should_generate_dkim_key 4 '2048' 'domain1.tld' 'mailer'
|
__should_generate_dkim_key 4 '1024' 'domain1.tld' 'mailer'
|
||||||
__assert_outputs_common_dkim_logs
|
__assert_outputs_common_dkim_logs
|
||||||
# generate two additional keys different to the previous one
|
# generate two additional keys different to the previous one
|
||||||
__should_generate_dkim_key 2 '2048' 'domain2.tld,domain3.tld'
|
__should_generate_dkim_key 2 '1024' 'domain2.tld,domain3.tld'
|
||||||
__assert_logged_dkim_creation 'domain2.tld'
|
__assert_logged_dkim_creation 'domain2.tld'
|
||||||
__assert_logged_dkim_creation 'domain3.tld'
|
__assert_logged_dkim_creation 'domain3.tld'
|
||||||
# generate an additional key whilst providing already existing domains
|
# generate an additional key whilst providing already existing domains
|
||||||
__should_generate_dkim_key 1 '2048' 'domain3.tld,domain4.tld'
|
__should_generate_dkim_key 1 '1024' 'domain3.tld,domain4.tld'
|
||||||
__assert_logged_dkim_creation 'domain4.tld'
|
__assert_logged_dkim_creation 'domain4.tld'
|
||||||
|
|
||||||
__should_have_tables_trustedhosts_for_domain
|
__should_have_tables_trustedhosts_for_domain
|
||||||
|
@ -197,7 +197,7 @@ function __should_support_creating_key_of_size() {
|
||||||
__assert_logged_dkim_creation 'localhost.localdomain'
|
__assert_logged_dkim_creation 'localhost.localdomain'
|
||||||
__assert_logged_dkim_creation 'otherdomain.tld'
|
__assert_logged_dkim_creation 'otherdomain.tld'
|
||||||
|
|
||||||
__should_have_expected_files "${EXPECTED_KEYSIZE:-4096}"
|
__should_have_expected_files "${EXPECTED_KEYSIZE:-2048}"
|
||||||
_run_in_container rm -r /tmp/docker-mailserver/opendkim
|
_run_in_container rm -r /tmp/docker-mailserver/opendkim
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue