1
0
mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-26 02:57:04 +00:00

merge #451 - Increase DKIM key length to 2048

This commit is contained in:
Joshua Tauberer 2015-06-25 13:07:29 +00:00
commit 1367816b04
4 changed files with 32 additions and 11 deletions

View File

@ -4,6 +4,9 @@ CHANGELOG
In Development In Development
-------------- --------------
Advisories:
* This update replaces your DKIM signing key with a stronger key. Because of DNS caching/propagation, mail sent within a few hours after this update could be marked as spam by recipients. If you use External DNS, you will need to update your DNS records.
Mail: Mail:
* Greylisting will now let some reputable senders pass through immediately. * Greylisting will now let some reputable senders pass through immediately.
* Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin. * Searching mail (via IMAP) will now be much faster using the dovecot lucene full text search plugin.
@ -11,6 +14,7 @@ Mail:
* Fix for deleting admin@ and postmaster@ addresses. * Fix for deleting admin@ and postmaster@ addresses.
* Roundcube is updated to version 1.1.2, plugins updated. * Roundcube is updated to version 1.1.2, plugins updated.
* Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL. * Exchange/ActiveSync autoconfiguration was not working on all devices (e.g. iPhone) because of a case-sensitive URL.
* The DKIM signing key has been increased to 2048 bits, from 1024, replacing the existing key.
Web: Web:
* 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate). * 'www' subdomains now automatically redirect to their parent domain (but you'll need to install an SSL certificate).

View File

@ -250,8 +250,8 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
# Skip if the user has set a DKIM record already. # Skip if the user has set a DKIM record already.
opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt') opendkim_record_file = os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.txt')
with open(opendkim_record_file) as orf: with open(opendkim_record_file) as orf:
m = re.match(r'(\S+)\s+IN\s+TXT\s+\( "([^"]+)"\s+"([^"]+)"\s*\)', orf.read(), re.S) m = re.match(r'(\S+)\s+IN\s+TXT\s+\( ((?:"[^"]+"\s+)+)\)', orf.read(), re.S)
val = m.group(2) + m.group(3) val = "".join(re.findall(r'"([^"]+)"', m.group(2)))
if not has_rec(m.group(1), "TXT", prefix="v=DKIM1; "): if not has_rec(m.group(1), "TXT", prefix="v=DKIM1; "):
records.append((m.group(1), "TXT", val, "Recommended. Provides a way for recipients to verify that this machine sent @%s mail." % domain)) records.append((m.group(1), "TXT", val, "Recommended. Provides a way for recipients to verify that this machine sent @%s mail." % domain))
@ -373,9 +373,16 @@ $TTL 1800 ; default time to live
zone += subdomain zone += subdomain
zone += "\tIN\t" + querytype + "\t" zone += "\tIN\t" + querytype + "\t"
if querytype == "TXT": if querytype == "TXT":
value = value.replace('\\', '\\\\') # escape backslashes # Divide into 255-byte max substrings.
value = value.replace('"', '\\"') # escape quotes v2 = ""
value = '"' + value + '"' # wrap in quotes while len(value) > 0:
s = value[0:255]
value = value[255:]
s = s.replace('\\', '\\\\') # escape backslashes
s = s.replace('"', '\\"') # escape quotes
s = '"' + s + '"' # wrap in quotes
v2 += s + " "
value = v2
zone += value + "\n" zone += value + "\n"
# DNSSEC requires re-signing a zone periodically. That requires # DNSSEC requires re-signing a zone periodically. That requires

View File

@ -35,13 +35,18 @@ RequireSafeKeys false
EOF EOF
fi fi
# Create a new DKIM key. This creates # Create a new DKIM key. This creates mail.private and mail.txt
# mail.private and mail.txt in $STORAGE_ROOT/mail/dkim. The former # in $STORAGE_ROOT/mail/dkim. The former is the private key and
# is the actual private key and the latter is the suggested DNS TXT # the latter is the suggested DNS TXT entry which we'll include
# entry which we'll want to include in our DNS setup. # in our DNS setup. Note tha the files are named after the
# 'selector' of the key, which we can change later on to support
# key rotation.
#
# A 1024-bit key is seen as a minimum standard by several providers
# such as Google. But they and others use a 2048 bit key, so we'll
# do the same. Keys beyond 2048 bits may exceed DNS record limits.
if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
# Should we specify -h rsa-sha256? opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
opendkim-genkey -r -s mail -D $STORAGE_ROOT/mail/dkim
fi fi
# Ensure files are owned by the opendkim user and are private otherwise. # Ensure files are owned by the opendkim user and are private otherwise.

View File

@ -95,6 +95,11 @@ def migration_7(env):
# Save. # Save.
conn.commit() conn.commit()
def migration_8(env):
# Delete DKIM keys. We had generated 1024-bit DKIM keys.
# By deleting the key file we'll automatically generate
# a new key, which will be 2048 bits.
os.unlink(os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private'))
def get_current_migration(): def get_current_migration():
ver = 0 ver = 0