merge #451 - Increase DKIM key length to 2048
This commit is contained in:
commit
1367816b04
@ -4,6 +4,9 @@ CHANGELOG
|
|||||||
In Development
|
In Development
|
||||||
--------------
|
--------------
|
||||||
|
|
||||||
|
Advisories:
|
||||||
|
* This update replaces your DKIM signing key with a stronger key. Because of DNS caching/propagation, mail sent within a few hours after this update could be marked as spam by recipients. If you use External DNS, you will need to update your DNS records.
|
||||||
|
|
||||||
Mail:
|
Mail:
|
||||||
* Greylisting will now let some reputable senders pass through immediately.
|
* Greylisting will now let some reputable senders pass through immediately.
|
||||||
* Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin.
|
* Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin.
|
||||||
@ -11,6 +14,7 @@ Mail:
|
|||||||
* Fix for deleting admin@ and postmaster@ addresses.
|
* Fix for deleting admin@ and postmaster@ addresses.
|
||||||
* Roundcube is updated to version 1.1.2, plugins updated.
|
* Roundcube is updated to version 1.1.2, plugins updated.
|
||||||
* Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL.
|
* Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL.
|
||||||
|
* The DKIM signing key has been increased to 2048 bits, from 1024, replacing the existing key.
|
||||||
|
|
||||||
Web:
|
Web:
|
||||||
* 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate).
|
* 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate).
|
||||||
|
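--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -250,8 +250,8 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, env
 # Skip if the user has set a DKIM record already.
 opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt')
 with open(opendkim_record_file) as orf:
-m = re.match(r'(\S+)\s+IN\s+TXT\s+\( "([^"]+)"\s+"([^"]+)"\s*\)', orf.read(), re.S)
-val = m.group(2) + m.group(3)
+m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S)
+val = "".join(re.findall(r'"([^"]+)"', m.group(2)))
 if not has_rec(m.group(1), "TXT", prefix="v=DKIM1; "):
 records.append((m.group(1), "TXT", val, "Recommended. Provides a way for recipients to verify that this machine sent @%s mail." % domain))
 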
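Review bot: The new pattern on the `m = re.match(...)` line requires whitespace after every quoted chunk, including the last one before `)`, so a key file whose final chunk is immediately followed by `)` leaves `m` as None and the next line raises AttributeError; the removed pattern tolerated that with `\s*\)`. Relaxing the repeat to `((?:"[^"]+"\s*)+)\)` keeps the generalization to any number of chunks while accepting both layouts, and an explicit `if m is None: raise ValueError("unrecognized DKIM record in %s" % opendkim_record_file)` would fail with a readable message instead of a traceback in the zone builder. Whether the key generator ever omits that trailing space cannot be told from this page. build_zone starts and ends outside the hunk.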
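--- a/PATH-NOT-ON-PAGE-1
+++ b/PATH-NOT-ON-PAGE-1
@@ -373,9 +373,16 @@ $TTL 1800 ; default time to live
 zone += subdomain
 zone += "\tIN\t" + querytype + "\t"
 if querytype == "TXT":
-value = value.replace('\\', '\\\\') # escape backslashes
-value = value.replace('"', '\\"') # escape quotes
-value = '"' + value + '"' # wrap in quotes
+# Divide into 255-byte max substrings.
+v2 = ""
+while len(value) > 0:
+s = value[0:255]
+value = value[255:]
+s = s.replace('\\', '\\\\') # escape backslashes
+s = s.replace('"', '\\"') # escape quotes
+s = '"' + s + '"' # wrap in quotes
+v2 += s + " "
+value = v2
 zone += value + "\n"
 
 # DNSSEC requires re-signing a zone periodically. That requires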
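Review bot: An empty `value` no longer produces a quoted string: the body of `while len(value) > 0:` never runs, so the record line ends with `IN\tTXT\t` followed by nothing, whereas the removed code emitted `""`; a zone compiler would presumably reject that line. Iterating over fixed offsets covers the empty case and drops the repeated re-slicing: `for i in range(0, max(1, len(value)), 255):` with `s = value[i:i+255]`, removing the `value = value[255:]` line. Separately, the added comment says 255-byte, but the slice counts characters; a non-ASCII value could yield a chunk over 255 octets once encoded, which deserves a note such as `# assumes ASCII values: the slice is per character, not per octet` unless callers guarantee ASCII. The enclosing function starts and ends outside the hunk.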
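--- a/PATH-NOT-ON-PAGE-2
+++ b/PATH-NOT-ON-PAGE-2
@@ -35,13 +35,18 @@ RequireSafeKeys false
 EOF
 fi
 
-# Create a new DKIM key. This creates
-# mail.private and mail.txt in $STORAGE_ROOT/mail/dkim. The former
-# is the actual private key and the latter is the suggested DNS TXT
-# entry which we'll want to include in our DNS setup.
+# Create a new DKIM key. This creates mail.private and mail.txt
+# in $STORAGE_ROOT/mail/dkim. The former is the private key and
+# the latter is the suggested DNS TXT entry which we'll include
+# in our DNS setup. Note tha the files are named after the
+# 'selector' of the key, which we can change later on to support
+# key rotation.
+#
+# A 1024-bit key is seen as a minimum standard by several providers
+# such as Google. But they and others use a 2048 bit key, so we'll
+# do the same. Keys beyond 2048 bits may exceed DNS record limits.
 if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
-# Should we specify -h rsa-sha256?
-opendkim-genkey -r -s mail -D $STORAGE_ROOT/mail/dkim
+opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
 fi
 
 # Ensure files are owned by the opendkim user and are private otherwise.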
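Review bot: The new `opendkim-genkey` line leaves `$STORAGE_ROOT` unquoted in `-D $STORAGE_ROOT/mail/dkim`, while the `if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]` guard directly above quotes it; a path containing spaces or glob characters would be word-split before it reaches the tool, so write `-D "$STORAGE_ROOT/mail/dkim"`. The added comment has a typo, `Note tha the files` should read `Note that the files`. The removed `# Should we specify -h rsa-sha256?` question disappears without an answer; if the decision was made, a one-line comment recording it would save the next reader from re-asking. The enclosing if/fi is fully inside the hunk.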
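--- a/PATH-NOT-ON-PAGE-3
+++ b/PATH-NOT-ON-PAGE-3
@@ -95,6 +95,11 @@ def migration_7(env):
 # Save.
 conn.commit()
 
+def migration_8(env):
+# Delete DKIM keys. We had generated 1024-bit DKIM keys.
+# By deleting the key file we'll automatically generate
+# a new key, which will be 2048 bits.
+os.unlink(os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private'))
 
 def get_current_migration():
 ver = 0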
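Review bot: `migration_8` calls `os.unlink` unconditionally, so if `mail/dkim/mail.private` is absent for any reason the migration stops with FileNotFoundError and, presumably, the stored migration number is never advanced; since the intent is only to force regeneration, guard it with `key_path = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private')` followed by `if os.path.exists(key_path): os.unlink(key_path)`. The comment says the keys are deleted, but only the private key file is removed and the companion `mail.txt` stays behind; a sentence such as `# mail.txt is left in place; the setup step that regenerates the private key is expected to overwrite it` would make that dependency explicit, hedged if that overwrite is not guaranteed. A short docstring stating that this migration forces a 2048-bit DKIM key on the next setup run would also help. migration_7 ends and get_current_migration begins inside the hunk.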