
Comments (7)

marcbradshaw commented on July 20, 2024 2

@pgnd This is not an official timeline, however I expect verification will be added quite soon. For signing the majority of the work lies in updating the key rotation algorithms to rotate the 2 types of key, and I have no timeline to share for that.

from mail-dkim.

marcbradshaw commented on July 20, 2024 1

It's something on the roadmap, I don't have a timeline.


mnalis commented on July 20, 2024 1

Any progress on this? I too am getting more and more failures with amavis/spamassassin which trace down to Mail::DKIM leading to reason="invalid (unsupported algorithm ed25519-sha256)"

It would be really nice if it could be supported, especially as RFC 8463 has been mandating for years now that
"verifiers MUST implement the Ed25519-SHA256 algorithm".


pgnd commented on July 20, 2024

@marcbradshaw
is this still 'on the roadmap' ?

currently, for ref,

with DKIM dns zone data for a domain, example.com

	;   SELECTOR (ed25519): 42c4465ce19e2af6
	dkim-42c4465ce19e2af6-ed25519._domainkey.example.com. 5 IN TXT "v=DKIM1; k=ed25519; p=8fD...=;"

	selector-ed25519._domainkey.example.com. 5 IN CNAME dkim-42c4465ce19e2af6-ed25519._domainkey.example.com.


	;   SELECTOR (rsa):     42c4465ce19e2af6
	dkim-42c4465ce19e2af6-rsa._domainkey.example.com. 5 IN TXT (
	  "v=DKIM1; k=rsa; h=sha256; s=email; t=s;"
	  "p=MII..."
	    ...
	    "0wIDAQAB;"
	)

	selector-rsa._domainkey.example.com. 5 IN CNAME dkim-42c4465ce19e2af6-rsa._domainkey.example.com.

and dkimpy-milter config

	cat dkimpy-milter.conf
		...
		SigningTable       refile:/opt/etc/dkimpy-milter/signing_table
		KeyTable           /opt/etc/dkimpy-milter/key_table_rsa
		KeyTableEd25519    /opt/etc/dkimpy-milter/key_table_ed25519
		Canonicalization   relaxed/relaxed
		Mode               s
		MacroList          daemon_name/DKIM_ORIGINATING
		SubDomains         No

	grep example.com  /opt/etc/dkimpy-milter/signing_table
		*@example.com    dkim-42c4465ce19e2af6-name.example.com

	grep example.com  /opt/etc/dkimpy-milter/key_table_rsa
		dkim-42c4465ce19e2af6-name.example.com  example.com:dkim-42c4465ce19e2af6-rsa:/opt/etc/dkim/dkim.1662932824.1661990400.1678233600.example.com.rsa.key.pem

	grep example.com  /opt/etc/dkimpy-milter/key_table_ed25519
		dkim-42c4465ce19e2af6-name.example.com  example.com:dkim-42c4465ce19e2af6-ed25519:/opt/etc/dkim/dkim.1662932824.1661990400.1678233600.example.com.ed25519.key

dkimpy-milter signs outbound correctly

	DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed;
	 d=example.com; [email protected]; q=dns/txt;
	 s=dkim-42c4465ce19e2af6-ed25519; t=1662936130; h=message-id : date :
	 from : subject : reply-to : to : content-type :
	 content-transfer-encoding : from;
	 bh=nos...=;
	 b=w9u...==

	DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	 d=example.com; [email protected]; q=dns/txt;
	 s=dkim-42c4465ce19e2af6-rsa; t=1662936130; h=message-id : date : from
	 : subject : reply-to : to : content-type : content-transfer-encoding :
	 from; bh=nos...=;
	 b=PMi...==

but inbound authentication check with Authentication-Milter @FastMail reports

	Authentication-Results: mx4.example.net;

	    dkim=pass (2048-bit rsa key sha256) header.d=example.com
	      [email protected] header.b=PMirdrv4 header.a=rsa-sha256
	      header.s=dkim-42c4465ce19e2af6-rsa x-bits=2048;

!!!!    dkim=invalid (unsupported algorithm ed25519-sha256, 0-bit  key)
	      header.d=example.com [email protected]
	      header.b=w9uQT3c3 header.a=- header.s=dkim-42c4465ce19e2af6-ed25519
	      x-bits=0;

from mail-dkim.
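
An added example, not part of the thread and not code from Mail::DKIM or Authentication-Milter: when a domain dual-signs as described above, a receiver-side check can tell a verifier capability gap ("unsupported algorithm") apart from a genuine signature failure. The sample header is constructed from the one quoted above (with `header.i` filled in as `@example.com`), and the function names and verdict labels are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Authentication-Results header quoted above.
SAMPLE = """Authentication-Results: mx4.example.net;
    dkim=pass (2048-bit rsa key sha256) header.d=example.com
      header.i=@example.com header.b=PMirdrv4 header.a=rsa-sha256
      header.s=dkim-42c4465ce19e2af6-rsa x-bits=2048;
    dkim=invalid (unsupported algorithm ed25519-sha256, 0-bit  key)
      header.d=example.com header.i=@example.com
      header.b=w9uQT3c3 header.a=- header.s=dkim-42c4465ce19e2af6-ed25519
      x-bits=0;"""

RESINFO = re.compile(r"^dkim=(\w+)\s*(?:\(([^)]*)\))?(.*)$")
UNSUPPORTED = re.compile(r"unsupported algorithm\s+([\w-]+)")

def parse_dkim_results(header):
    """Return one dict per dkim= result in an Authentication-Results header."""
    unfolded = " ".join(header.split(":", 1)[1].split())  # undo header folding
    results = []
    for part in unfolded.split(";")[1:]:  # element 0 is the authserv-id
        m = RESINFO.match(part.strip())
        if not m:
            continue  # other methods (spf, dmarc, ...) or the empty tail
        entry = dict(p.split("=", 1) for p in m.group(3).split() if "=" in p)
        gap = UNSUPPORTED.search(m.group(2) or "")
        entry.update(result=m.group(1), unsupported=gap.group(1) if gap else None)
        results.append(entry)
    return results

def classify(header):
    """Per signing domain, separate verifier gaps from real signature failures."""
    by_domain = defaultdict(list)
    for r in parse_dkim_results(header):
        by_domain[r.get("header.d", "?")].append(r)
    report = {}
    for domain, rs in by_domain.items():
        passed = [r.get("header.s") for r in rs if r["result"] == "pass"]
        gaps = {r.get("header.s"): r["unsupported"] for r in rs if r["unsupported"]}
        failed = [r.get("header.s") for r in rs
                  if r["result"] != "pass" and not r["unsupported"]]
        if failed:
            verdict = "signature-failure"       # a supported algorithm did not verify
        elif passed:
            verdict = "pass-with-verifier-gap" if gaps else "pass"
        else:
            verdict = "verifier-gap-only"       # nothing the verifier could check
        report[domain] = {"passed": passed, "gaps": gaps,
                          "failed": failed, "verdict": verdict}
    return report
```

The parser splits on `;` and assumes no semicolons inside comments, which holds for the header shape shown in this thread.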

pgnd commented on July 20, 2024

@marcbradshaw

Can you please provide some comment/guidance on plans for Ed25519-SHA256 support?


marcbradshaw commented on July 20, 2024

Hi, I don't have any additional clarity on a timeline or priority for this work. It remains in the backlog but is not scheduled.


pgnd commented on July 20, 2024

@marcbradshaw
Thx for the update. Works as expected so far in local installs.
Do you have an estimate of when Ed25519 support will find its way into Fastmail itself?

