docker-mailserver/target
Brennan Kinney e9f04cf8a7
chore: Change setup config dkim default key size to 2048 (open-dkim) (#3508)
* chore: Adjust default DKIM size (`open-dkim`) from 4096-bit to 2048-bit

4096-bit is excessive in size for DKIM key. 2048-bit is plenty.

* chore: Additional revisions to `open-dkim` command help output

- The examples use `keysize 2048`, but as that's the new default it makes sense to change that.
- Other help text was also revised.
- Last example for domains did not need to demonstrate the other options. Changed example domains to more appropriate values.

* docs: Revise DKIM docs

Primarily for the change in default key size, but does revise some text to better communicate to the user.
- While the referenced RFC advises 512-bit to 2048-bit key size, we now explicitly discourage `512-bit` as it's not secure. `1024-bit` is still likely safe for most, but `2048-bit` is a good default for those not rotating their keys.
- Adjusted the domains example to match the new `setup config dkim domain` domains example.
- Tip for changing default key size changed to "info" with added clarity of lowering security or increasing it (excessively).
- Rspamd section is minor formatting changes, with the exception of clarifying the "main domain" for the mail accounts is assumed as the DMS FQDN with any subdomain (like `mail.`) stripped away. This is not great, but a legacy issue that needs to be addressed in future.
- `docs-rspamd-override-d` ref removed, and usage replaced with equivalent ref `docs-rspamd-config-dropin`, while `docs-rspamd-config-declarative` ref was not in use and also removed.
- Revised the `<selector>.txt` DNS formatting info section to better communicate with the reader. Additionally it had mixed usage of default `mail` and custom `dkim-rsa` selectors (_file content and output_).

* docs: Sync DKIM commands help messages and update DKIM docs for LDAP

- Adopt the help options format style from the `rspamd-dkim` into `open-dkim` command. And convert `./setup.sh` to `setup`. `selector` option has been implemented. for a while now.
- Update `rspamd-dkim` examples help output to align with `open-dkim` command examples.
- Give both DKIM command tools a consistent description. The two tools differ in support for the `domain` option (_implicit domain sourcing for default account provisioner, and support for multiple domains as input_).
- DKIM docs for LDAP domain support revised to better communicate when explicit domain config is necessary.

* tests: Adjust test-cases for `setup config dkim` change

`rspamd_dkim.bats`:
- Update assert for command help output.
- Don't bother creating a DKIM key at 512-bit size.

`setup_cli.bats`:
- Update assert for command help output of the `setup config dkim` (OpenDKIM) command.

* docs: Update DKIM section for large keys to newer RFC

The linked discussion from 2021 does mention this updated RFC over the original. That removes outdated advice about `512-bit` key length support.

The discussion link is still kept to reference a comment for the reader to better understand the security strength of 2048-bit RSA keys and why larger keys are not worthwhile, especially for DKIM.

* docs: Extract out common DKIM generation command from content tabs

Should be fine to be DRY here, not specific to `open-dkim` or `rspamd` generation/support. Previously rspamd lacked support of an equivalent command in DMS.

* docs: DKIM refactoring

- Shifted out the info admonition on key size advice out of the content tabs as it's now generic information.
- Indented the 4096-bit warning into this, which is less of a concern as the default for our DKIM generation tools is consistently 2048-bit now.
- Reworked the LDAP and Rspamd multi-domain advice. To avoid causing a bad diff, these sections haven't been moved/merged yet.

* docs: Revise DKIM docs

Advice for managing domains individually with LDAP and Rspamd extracted out of the content tabs. Default domain behaviour explained with extra info about OpenDKIM + FILE provisioner sourcing extra domains implicitly.
2023-08-29 09:40:02 +12:00
..
amavis chore(Amavis): only add configuration to Postfix when enabled (#3046) 2023-02-03 17:32:07 +01:00
bin chore: Change setup config dkim default key size to 2048 (open-dkim) (#3508) 2023-08-29 09:40:02 +12:00
dovecot Dovecot: make home dir distinct from mail dir (#3335) 2023-05-15 20:10:29 +02:00
fail2ban F2B: update F2B after discussion in #3256 (#3288) 2023-05-01 15:00:35 +02:00
fetchmail Implement fetchmail (#260) (#271) 2016-08-21 22:13:13 +02:00
getmail feature: adding getmail as an alternative to fetchmail (#2803) 2023-05-23 17:25:08 +02:00
logwatch Add logwatch maillog.conf file to support /var/log/mail/ (#2112) 2021-08-11 11:31:00 +02:00
opendkim Fixed KeyTable refile in opendkim.conf https://serverfault.com/a/861701/377751 (#2249) 2021-10-16 19:04:51 +02:00
opendmarc fix: Change the default OpenDMARC policy to reject (#2933) 2022-12-19 08:54:38 +13:00
postfix chore(main.cf): Add note advising caution changing mydestination (#3316) 2023-05-10 23:23:02 +00:00
postgrey change if style (#3361) 2023-05-24 09:06:59 +02:00
postsrsd config: remove chroot for Dovecot & PostSRSd (#3208) 2023-03-31 12:17:44 +02:00
rspamd/local.d rspamd: disable checks for authenticated users (#3440) 2023-08-08 10:43:21 +02:00
scripts scripts: add wrapper to update Postfix configuration safely (follow up) (#3503) 2023-08-28 09:40:24 +12:00
shared init tests cases ffdhe4096 2020-04-26 22:23:51 +02:00
supervisor fix: postsrsd restart loop (#3160) 2023-03-13 12:39:03 +13:00