dkim 2048 bits - migration and zone file generation changes

* Add a migration to delete any existing DKIM key so that existing machines get a fresh 2048-bit key. (Sadly we don't support key rotation so the change is immediate.)
* Because the DNS record for a 2048-bit key is so much longer, the way we read OpenDKIM's DNS record text file had to be modified to combine an arbitrary number of TXT record quoted ("...") strings.
* When writing out the TXT record value, the string must be split into quoted ("...") strings with a maximum length of 255 bytes each, per the DNS spec.
* Added a changelog entry.

setup/dkim.sh

@@ -35,12 +35,17 @@ RequireSafeKeys         false
 EOF
 fi
 
-# Create a new DKIM key. This creates
-# mail.private and mail.txt in $STORAGE_ROOT/mail/dkim. The former
-# is the actual private key and the latter is the suggested DNS TXT
-# entry which we'll want to include in our DNS setup.
+# Create a new DKIM key. This creates mail.private and mail.txt
+# in $STORAGE_ROOT/mail/dkim. The former is the private key and
+# the latter is the suggested DNS TXT entry which we'll include
+# in our DNS setup. Note tha the files are named after the
+# 'selector' of the key, which we can change later on to support
+# key rotation.
+#
+# A 1024-bit key is seen as a minimum standard by several providers
+# such as Google. But they and others use a 2048 bit key, so we'll
+# do the same. Keys beyond 2048 bits may exceed DNS record limits.
 if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
-	# Should we specify -h rsa-sha256?
 	opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
 fi
 

setup/migrate.py

@@ -95,6 +95,11 @@ def migration_7(env):
 	# Save.
 	conn.commit()
 
+def migration_8(env):
+	# Delete DKIM keys. We had generated 1024-bit DKIM keys.
+	# By deleting the key file we'll automatically generate
+	# a new key, which will be 2048 bits.
+	os.unlink(os.path.join(env['STORAGE_ROOT'], 'mail/dkim/mail.private'))
 
 def get_current_migration():
 	ver = 0