any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?


PGNet Dev
i'm swapping out opendkim milter from a postfix setup.

inbound verification's been replaced with fastmail's authentication_milter -- in smtpd mode
so far, behaving well.

outbound signing on postfix submission has been replaced with dkimpy-milter.
seems to work nicely for rsa signing.

support's supposedly _there_ for ed25519 signing.
but, when I deploy -- simply enabling ed25519 signingtable -- I get lots of errors -- just starting to troubleshoot now.

1st question ...

... is outbound ed25519 signing with dkimpy-milter in Postfix known-to-work for anyone here?

iiuc, there's no Postfix-reason that it shouldn't work; a milter's a milter.

so, just looking for any evidence that someone's got it working at all b4 diving in.


Re: any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?

ilyak
Hello.

I haven't tried it yet, but DKIM with ed25519 is draft: 
and official RFC doesn't mention it: https://tools.ietf.org/html/rfc6376

Doesn't it mean that ed25519 support is optional and many MTAs over the Internet simply wouldn't be able to validate it?
In other words, isn't it too early?

  

On Mon, Oct 26, 2020 at 5:04 AM PGNet Dev <[hidden email]> wrote:
> i'm swapping out opendkim milter from a postfix setup.
>
> inbound verification's been replaced with fastmail's authentication_milter -- in smtpd mode
> so far, behaving well.
>
> outbound signing on postfix submission has been replaced with dkimpy-milter.
> seems to work nicely for rsa signing.
>
> support's supposedly _there_ for ed25519 signing.
> but, when I deploy -- simply enabling ed25519 signingtable -- I get lots of errors -- just starting to troubleshoot now.
>
> 1st question ...
>
> ... is outbound ed25519 signing with dkimpy-milter in Postfix known-to-work for anyone here?
>
> iiuc, there's no Postfix-reason that it shouldn't work; a milter's a milter.
>
> so, just looking for any evidence that someone's got it working at all b4 diving in.


Re: any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?

Patrick Ben Koetter-2
* PGNet Dev <[hidden email]>:

> i'm swapping out opendkim milter from a postfix setup.
>
> inbound verification's been replaced with fastmail's authentication_milter -- in smtpd mode
> so far, behaving well.
>
> outbound signing on postfix submission has been replaced with dkimpy-milter.
> seems to work nicely for rsa signing.
>
> support's supposedly _there_ for ed25519 signing.
> but, when I deploy -- simply enabling ed25519 signingtable -- I get lots of errors -- just starting to troubleshoot now.

There's only *one* SigningTable, but there are two KeyTables – one for rsa and
the other one for ed25519. Maybe you are using an older version of
dkimpy-milter. IIRC it had a related error in the man page.

> 1st question ...
>
> ... is outbound ed25519 signing with dkimpy-milter in Postfix known-to-work for anyone here?

Yes. I use it on mailop.org.


> iiuc, there's no Postfix-reason that it shouldn't work; a milter's a milter.
>
> so, just looking for any evidence that someone's got it working at all b4 diving in.

It's worth it.

p@rick


--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München

Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein


Re: any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?

PGNet Dev
On 10/26/20 4:19 AM, Patrick Ben Koetter wrote:
> There's only *one* SigningTable, but there are two KeyTables – one for rsa and
> the other one for ed25519. Maybe you are using an older version of
> dkimpy-milter. IIRC it had a related error in the man page.

oops, typo.

yep, I've one ST & 2 KTs, one each for rsa & ed25519

using latest available via pip, v1.2.2. can try master branch.

> Yes. I use it on mailop.org.

thx!

ok. so it's local ...


how are you generating your ed25519 data?

for rsa, here, _either_ 'dknewkey' or 'openssl genrsa (etc)' works fine.

for the ed25519, i get different fails -- in error logs -- with 'dknewkey' or 'openssl genpkey (etc)'.

atm, with 'dknewkey' generated data, on attempted ed25519 signing I'm seeing: "sign_dkim: The seed must be exactly 32 bytes long"

i know README says "in order to generate Ed25519 keys for dkimpy-milter, dkimpy specific tools must be used to be compatible"


tho, i don't yet know _what_ the differences actually are ...
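
For the "seed must be exactly 32 bytes long" error quoted in the post above, an added example (not part of the thread and not dkimpy code): it reports what an Ed25519 key file decodes to and recognises the PKCS#8 layout that `openssl genpkey` writes. That the signer wants a base64-encoded bare 32-byte seed is an assumption drawn from the error text; `inspect_key` and `seed_to_b64` are hypothetical names and the sample keys are constructed.

```python
import base64
import binascii

# DER header of an unencrypted PKCS#8 Ed25519 private key (RFC 8410);
# the 32-byte seed follows it directly, giving 48 bytes in total.
PKCS8_ED25519_PREFIX = bytes.fromhex("302e020100300506032b657004220420")
SEED_LEN = 32


def inspect_key(text):
    """Classify the text content of an Ed25519 private-key file."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    is_pem = bool(lines) and lines[0].startswith("-----BEGIN")
    body = "".join(ln for ln in lines if not ln.startswith("-----"))
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"format": "not-base64", "decoded_len": None, "seed": None}
    if not is_pem and len(raw) == SEED_LEN:
        fmt, seed = "seed-b64", raw
    elif (raw.startswith(PKCS8_ED25519_PREFIX)
          and len(raw) == len(PKCS8_ED25519_PREFIX) + SEED_LEN):
        fmt, seed = "pkcs8", raw[len(PKCS8_ED25519_PREFIX):]
    else:
        fmt, seed = "other", None
    return {"format": fmt, "decoded_len": len(raw), "seed": seed}


def seed_to_b64(seed):
    """Re-encode a bare seed as one base64 line (assumed signer input format)."""
    if len(seed) != SEED_LEN:
        raise ValueError("seed must be exactly %d bytes" % SEED_LEN)
    return base64.b64encode(seed).decode("ascii")


# Constructed sample inputs (not real keys): a fixed 32-byte pattern.
SAMPLE_SEED = bytes(range(32))
SAMPLE_SEED_B64 = base64.b64encode(SAMPLE_SEED).decode("ascii")
SAMPLE_PKCS8_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(PKCS8_ED25519_PREFIX + SAMPLE_SEED).decode("ascii")
    + "\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, text in [("seed", SAMPLE_SEED_B64), ("pkcs8", SAMPLE_PKCS8_PEM)]:
        info = inspect_key(text)
        print(name, info["format"], info["decoded_len"])
```

A `decoded_len` other than 32 for a file meant to hold a bare seed is the condition the quoted error text describes.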






Re: any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?

Patrick Ben Koetter-2
* PGNet Dev <[hidden email]>:

> On 10/26/20 4:19 AM, Patrick Ben Koetter wrote:
> > There's only *one* SigningTable, but there are two KeyTables – one for rsa and
> > the other one for ed25519. Maybe you are using an older version of
> > dkimpy-milter. IIRC it had a related error in the man page.
>
> oops, typo.
>
> yep, I've one ST & 2 KTs, one each for rsa & ed25519
>
> using latest available via pip, v1.2.2. can try master branch.

That will suffice.


> > Yes. I use it on mailop.org.
>
> thx!
> ok. so it's local ...
>
>
> how are you generating your ed25519 data?
>
> for rsa, here, _either_ 'dknewkey' or 'openssl genrsa (etc)' works fine.
>
> for the ed25519, i get different fails -- in error logs -- with 'dknewkey' or 'openssl genpkey (etc)'.
>
> atm, with 'dknewkey' generated data, on attempted ed25519 signing I'm seeing: "sign_dkim: The seed must be exactly 32 bytes long"

I haven't had any problems either on Debian, Ubuntu or ARCH Linux using
dknewkey.

> i know README says "in order to generate Ed25519 keys for dkimpy-milter, dkimpy specific tools must be used to be compatible"

I wouldn't know either. Maybe you should reach out to the developer.

On a sidenote: If you want to use ansible, you might want to try this:
https://github.com/sys4/dkimpy-role

p@rick




Re: any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?

PGNet Dev
On 10/26/20 8:41 AM, Patrick Ben Koetter wrote:
>> using latest available via pip, v1.2.2. can try master branch.
>
> That will suffice.

fwiw, no diff -- same problem -- with 1.2.2 or master

> I haven't had any problems either on Debian, Ubuntu or ARCH Linux using dknewkey.

tho i doubt it matters, i'm atm on Fedora32

i've compared both dknewkey & openssl methods.

so far, i can't see any obvious difference in generated content.

results are the same in either case; rsa works, ed25519 fails

> I wouldn't know either. Maybe you should reach out to the developer.

yep.  headed for @launchpad.

> On a sidenote: If you want to use ansible, you might want to try this:
> https://github.com/sys4/dkimpy-role

thx.  already found it ... and used it for comparison.

unless i'm missing details -- and pebkac's certainly possible! -- it _should_ be identical to my setup.




Re: any success with postfix + dkimpy-milter outbound DKIM signing -- with ed25519 keys?

PGNet Dev
On 10/26/20 8:52 AM, PGNet Dev wrote:
> headed for @launchpad.

for anyone interested,

https://bugs.launchpad.net/dkimpy-milter/+bug/1901569

thx! @ here