Current ideas on DKIM signing ?

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Current ideas on DKIM signing ?

Laura Smith
Hi,

Am currently refreshing my perimeter mail infrastructure.

The current state of affairs of DKIM signing looks pretty miserable!

DKIMProxy seems to be abandonware since 2010

OpenDKIM seems to be going the way of abandonware too (last release in 2015 and the bug tracker filling up).

I've had a quick search on github for DKIM but can't find much of interest.

We all know what software is like, you have to keep it fed and watered otherwise it starts growing bugs (or worse).  I'm not too keen on using software of 2015 vintage.

What is everybody using these days ?  Or have I missed something in the world of email and everyone's moved from DKIM to the Next Best Thing (TM).

Looking forward to your suggestions

Laura

Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

Dominic Raferd
On Sat, 6 Apr 2019 at 17:57, Laura Smith <[hidden email]> wrote:
Am currently refreshing my perimeter mail infrastructure.
The current state of affairs of DKIM signing looks pretty miserable!
DKIMProxy seems to be abandonware since 2010
OpenDKIM seems to be going the way of abandonware too (last release in 2015 and the bug tracker filling up).
I've had a quick search on github for DKIM but can't find much of interest.
We all know what software is like, you have to keep it fed and watered otherwise it starts growing bugs (or worse).  I'm not too keen on using software of 2015 vintage.
What is everybody using these days ?  Or have I missed something in the world of email and everyone's moved from DKIM to the Next Best Thing (TM).

I use opendkim and don't have any problems with it (also opendmarc 1.3.2).
Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

André Rodier
In reply to this post by Laura Smith
On Sat, 2019-04-06 at 16:55 +0000, Laura Smith wrote:

> Hi,
>
> Am currently refreshing my perimeter mail infrastructure.
>
> The current state of affairs of DKIM signing looks pretty miserable!
>
> DKIMProxy seems to be abandonware since 2010
>
> OpenDKIM seems to be going the way of abandonware too (last release in 2015 and the bug tracker filling up).
>
> I've had a quick search on github for DKIM but can't find much of interest.
>
> We all know what software is like, you have to keep it fed and watered otherwise it starts growing bugs (or worse).  I'm not too keen on using software of 2015 vintage.
>
> What is everybody using these days ?  Or have I missed something in the world of email and everyone's moved from DKIM to the Next Best Thing (TM).
>
> Looking forward to your suggestions
>
> Laura
>

Hello Laura,

I am using OpenDKIM on Debian Stretch, no issue at all.

One explanation might be the standard has not changed since 2015, so
neither the binaries. If a major or even a minor change rise in the
standard, I am sure the binaries will be updated.

If you check the DKIM web site, you will see most of the documentation
is old as well. http://www.dkim.org/.

Adding new features on a software that works is also a nice way to add
more bugs ;-). Perhaps the libraries are actually working for most of
people.

Kind regards,
André

--
André Rodier
HomeBox: https://github.com/progmaticltd/homebox
Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

Ralph Seichter-2
In reply to this post by Laura Smith
* Laura Smith:

> OpenDKIM seems to be going the way of abandonware too (last release in
> 2015 and the bug tracker filling up).

Pre-release 2.11.0-Beta2 is dated 2018-11-15. Michael Orlitzky and I are
currently working on a pull request to introduce improvements for OpenRC
and systemd, which we already have made available for Gentoo Linux. Not
that this PR has been met with any reaction by Murray so far, but we're
not giving up hope yet. ;-)

-Ralph
Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

Scott Kitterman-4
In reply to this post by Laura Smith
On Saturday, April 06, 2019 04:55:58 PM Laura Smith wrote:

> Hi,
>
> Am currently refreshing my perimeter mail infrastructure.
>
> The current state of affairs of DKIM signing looks pretty miserable!
>
> DKIMProxy seems to be abandonware since 2010
>
> OpenDKIM seems to be going the way of abandonware too (last release in 2015
> and the bug tracker filling up).
>
> I've had a quick search on github for DKIM but can't find much of interest.
>
> We all know what software is like, you have to keep it fed and watered
> otherwise it starts growing bugs (or worse).  I'm not too keen on using
> software of 2015 vintage.
>
> What is everybody using these days ?  Or have I missed something in the
> world of email and everyone's moved from DKIM to the Next Best Thing (TM).
>
> Looking forward to your suggestions

I've written https://launchpad.net/dkimpy-milter

It is not yet particularly suitable for complex, multi-domain setups, but for
smaller users works well (I use it - this message will be signed by it).  
Unlike any other released postfix option (the OpenDKIM beta has limited
support) it supports both RSA and Ed25519 signing/verifying.  It's
configuration syntax is almost entirely compatible with OpenDKIM's (It
supports a subset of OpenDKIM's options and has a few of it's own added to
support Ed25519).

I feel your pain.  I wrote it in part so we could have multiple Ed25519
implementations for the IETF DCRUP working group and in part due to
frustration with lack of progress with OpenDKIM.

Scott K
Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

Scott Kitterman-4
In reply to this post by André Rodier
On Saturday, April 06, 2019 06:32:18 PM André Rodier wrote:

> On Sat, 2019-04-06 at 16:55 +0000, Laura Smith wrote:
> > Hi,
> >
> > Am currently refreshing my perimeter mail infrastructure.
> >
> > The current state of affairs of DKIM signing looks pretty miserable!
> >
> > DKIMProxy seems to be abandonware since 2010
> >
> > OpenDKIM seems to be going the way of abandonware too (last release in
> > 2015 and the bug tracker filling up).
> >
> > I've had a quick search on github for DKIM but can't find much of
> > interest.
> >
> > We all know what software is like, you have to keep it fed and watered
> > otherwise it starts growing bugs (or worse).  I'm not too keen on using
> > software of 2015 vintage.
> >
> > What is everybody using these days ?  Or have I missed something in the
> > world of email and everyone's moved from DKIM to the Next Best Thing
> > (TM).
> >
> > Looking forward to your suggestions
> >
> > Laura
>
> Hello Laura,
>
> I am using OpenDKIM on Debian Stretch, no issue at all.
>
> One explanation might be the standard has not changed since 2015, so
> neither the binaries. If a major or even a minor change rise in the
> standard, I am sure the binaries will be updated.
>
> If you check the DKIM web site, you will see most of the documentation
> is old as well. http://www.dkim.org/.
>
> Adding new features on a software that works is also a nice way to add
> more bugs ;-). Perhaps the libraries are actually working for most of
> people.
>
> Kind regards,
> André

The standard has changed.  See RFC 8301 and RFC 8463.

Scott K

Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

André Rodier
On 07/04/2019 01:58, Scott Kitterman wrote:

> On Saturday, April 06, 2019 06:32:18 PM André Rodier wrote:
>> On Sat, 2019-04-06 at 16:55 +0000, Laura Smith wrote:
>>> Hi,
>>>
>>> Am currently refreshing my perimeter mail infrastructure.
>>>
>>> The current state of affairs of DKIM signing looks pretty miserable!
>>>
>>> DKIMProxy seems to be abandonware since 2010
>>>
>>> OpenDKIM seems to be going the way of abandonware too (last release in
>>> 2015 and the bug tracker filling up).
>>>
>>> I've had a quick search on github for DKIM but can't find much of
>>> interest.
>>>
>>> We all know what software is like, you have to keep it fed and watered
>>> otherwise it starts growing bugs (or worse).  I'm not too keen on using
>>> software of 2015 vintage.
>>>
>>> What is everybody using these days ?  Or have I missed something in the
>>> world of email and everyone's moved from DKIM to the Next Best Thing
>>> (TM).
>>>
>>> Looking forward to your suggestions
>>>
>>> Laura
>>
>> Hello Laura,
>>
>> I am using OpenDKIM on Debian Stretch, no issue at all.
>>
>> One explanation might be the standard has not changed since 2015, so
>> neither the binaries. If a major or even a minor change rise in the
>> standard, I am sure the binaries will be updated.
>>
>> If you check the DKIM web site, you will see most of the documentation
>> is old as well. http://www.dkim.org/.
>>
>> Adding new features on a software that works is also a nice way to add
>> more bugs ;-). Perhaps the libraries are actually working for most of
>> people.
>>
>> Kind regards,
>> André
>
> The standard has changed.  See RFC 8301 and RFC 8463.
>
> Scott K

Thanks, I was not aware of this, I try to follow DKIM, but perhaps I was
not using the right site. None of these standards are referenced on
opendkim.org.

André
Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

Philip Paeps
In reply to this post by Laura Smith
On 2019-04-07 00:55:58 (+0800), Laura Smith wrote:

> Hi,
>
> Am currently refreshing my perimeter mail infrastructure.
>
> The current state of affairs of DKIM signing looks pretty miserable!
>
> DKIMProxy seems to be abandonware since 2010
>
> OpenDKIM seems to be going the way of abandonware too (last release in
> 2015 and the bug tracker filling up).
>
> I've had a quick search on github for DKIM but can't find much of
> interest.
>
> We all know what software is like, you have to keep it fed and watered
> otherwise it starts growing bugs (or worse).  I'm not too keen on
> using software of 2015 vintage.
>
> What is everybody using these days ?  Or have I missed something in
> the world of email and everyone's moved from DKIM to the Next Best
> Thing (TM).
>
> Looking forward to your suggestions

I'm using rspamd for DKIM signing (and spam filtering).

It plugs into Postfix as a milter and I've not had any difficulties with
it.

I used to run OpenDKIM but when I switched from SpamAssassin to rspamd,
I configured it to do DKIM signing too.

Philip

--
Philip Paeps
Senior Reality Engineer
Ministry of Information
Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

Micah Anderson-2
In reply to this post by Scott Kitterman-4
Scott Kitterman <[hidden email]> writes:

> On Saturday, April 06, 2019 04:55:58 PM Laura Smith wrote:
>> Hi,
>>
>> Am currently refreshing my perimeter mail infrastructure.
>>
>> The current state of affairs of DKIM signing looks pretty miserable!
>>
>> DKIMProxy seems to be abandonware since 2010
>>
>> OpenDKIM seems to be going the way of abandonware too (last release in 2015
>> and the bug tracker filling up).
>>
>> I've had a quick search on github for DKIM but can't find much of interest.
>>
>> We all know what software is like, you have to keep it fed and watered
>> otherwise it starts growing bugs (or worse).  I'm not too keen on using
>> software of 2015 vintage.
>>
>> What is everybody using these days ?  Or have I missed something in the
>> world of email and everyone's moved from DKIM to the Next Best Thing (TM).
>>
>> Looking forward to your suggestions
>
> I've written https://launchpad.net/dkimpy-milter
>
> It is not yet particularly suitable for complex, multi-domain setups, but for
> smaller users works well (I use it - this message will be signed by it).  
> Unlike any other released postfix option (the OpenDKIM beta has limited
> support) it supports both RSA and Ed25519 signing/verifying.  It's
> configuration syntax is almost entirely compatible with OpenDKIM's (It
> supports a subset of OpenDKIM's options and has a few of it's own added to
> support Ed25519).

I've been eyeing dkimpy-milter as something I'd like to switch to at
some point, but I need the multi-domain bits that opendkim has. So
definitely looking forward to advancements on dkimpy!

--
        micah
Reply | Threaded
Open this post in threaded view
|

Re: Current ideas on DKIM signing ?

Andrey Repin-2
In reply to this post by André Rodier
Greetings, André Rodier!

>>> Hello Laura,
>>>
>>> I am using OpenDKIM on Debian Stretch, no issue at all.
>>>
>>> One explanation might be the standard has not changed since 2015, so
>>> neither the binaries. If a major or even a minor change rise in the
>>> standard, I am sure the binaries will be updated.
>>>
>>> If you check the DKIM web site, you will see most of the documentation
>>> is old as well. http://www.dkim.org/.
>>>
>>> Adding new features on a software that works is also a nice way to add
>>> more bugs ;-). Perhaps the libraries are actually working for most of
>>> people.
>>>
>>> Kind regards,
>>> André
>>
>> The standard has changed.  See RFC 8301 and RFC 8463.
>>
>> Scott K

> Thanks, I was not aware of this, I try to follow DKIM, but perhaps I was
> not using the right site. None of these standards are referenced on
> opendkim.org.

That's because OpenDKIM is unsupported for several years now.
And yes, it has had issues even before standards have changed.


--
With best regards,
Andrey Repin
Saturday, April 13, 2019 1:16:05

Sorry for my terrible english...