[pmg-devel] [PATCH api/gui/widget-toolkit] add initial DKIM-Signing Support

Stoiko Ivanov s.ivanov at proxmox.com
Mon Oct 7 21:28:44 CEST 2019

This patchset adds initial support for signing outbound e-mails with DKIM.

Design choices:
While initially planning to implement this by rendering the config for one
of the available dkim-signing milters and hooking it into the outbound postfix
instance via the templating system (master.cf.in), a few reasons changed my mind
in favor of using Perl's Mail::DKIM::Signer inside pmg-smtp-filter instead:
* both milter-options considered had a few drawbacks for our use-case
  - opendkim seems a bit behind on the latest changes to DKIM (2 new RFCs w.r.t.
    DKIM have come out recently [0,1]) and it seems the Debian maintainer might
    not have the time/energy to keep on maintaining it [2]
  - dkimpy-milter (a rather recent reimplementation of opendkim's feature set)
    is still lacking 2-3 crucial features (SigningTable/KeyTable support),
    which, while not needed for the current feature set, might become a burden
    further down the road. Also the logging and configuration were a bit terse
    (even for my taste) - The upside of dkimpy-milter is that it implements
    rfc8463 (ed25519+sha256 - making for much shorter public-keys), something
    that I only found in rspamd otherwise
* adding yet another moving part and running service also has its drawbacks

* OTOH Mail::DKIM integrates quite straightforwardly into pmg-smtp-filter
  (by using SpamAssassin most of its dependencies are already loaded into
  memory anyways).
* Additionally inside pmg-smtp-filter we have quite good knowledge of a mail
  (e.g. knowing if it arrived on the internal or external port, or a direct
  view of all domains for which the PMG is relaying).
* Last but not least Mail::DKIM seems quite active (its last release is
  on 08.10.2019 :)

The current implementation should give most users enough for their needs:
* It can either sign all mails sent by users in a certain list of domains
  (/etc/dkim/domains) with a fall-back to the RelayDomains (the ones PMG
  receives mail for seem like a good default choice for the domains PMG
  can sign mails for)
* Alternatively it can sign all incoming mails (with the sender's domain taken
  for the signature's d= flag (the domain in which a verifier looks for the
  public key to verify the signature))
* The user can create a new selector (meaning the selector name, which is part
  of the DNS-record and also inside the signature header, and the private key
  used for signing), which is then used to sign all mails. (when generating
  a new private key all domains signed by it need to create/update the fitting
  DNS-record anyways).
* the signature algorithm is fixed to rsa-sha256 (see [1], and sadly Mail::DKIM
  has no support yet for ed25519+sha256).
* the key-size can be (1024|2048|4096) bits (the 1024 is still there for
  compatibility with DNS-providers not having support for TXT records >255

The first 3 patches also address #2371, since I needed to reload pmg-smtp-filter
for config changes anyways.

I did some preliminary testing - the generated signatures get verified by
opendkim and rspamd.

Thanks to Dominik for supporting me with the GUI-part!

Feedback appreciated!

[0] https://tools.ietf.org/html/rfc8301
[1] https://tools.ietf.org/html/rfc8463
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900774;msg=5

Stoiko Ivanov (12):
  refactor reload_rule_db
  fix #2371: reload pmg-smtp-filter on config change
  add reload method to PMG::Config
  add DKIM options to pmg.conf
  add PMG::DKIMSign module
  DKIM sign outbound mail if configured
  refactor API2::Domains for reuse in DKIMSign
  add API2/DKIMSignDomains endpoints
  add DKIM API paths
  pmgconfig: add dkim commands
  add /etc/pmg/dkim to cluster-sync
  pmgproxy: add proxmox-widget-toolkit css path

 src/Makefile                    |   3 +
 src/PMG/API2/Cluster.pm         |   3 +-
 src/PMG/API2/Config.pm          |   7 +
 src/PMG/API2/DKIMSign.pm        | 125 +++++++++++
 src/PMG/API2/DKIMSignDomains.pm |  19 ++
 src/PMG/API2/Domains.pm         | 363 +++++++++++++++++---------------
 src/PMG/CLI/pmgcm.pm            |   4 +-
 src/PMG/CLI/pmgconfig.pm        |   7 +
 src/PMG/Cluster.pm              |  67 +++---
 src/PMG/Config.pm               |  78 +++++++
 src/PMG/DBTools.pm              |  11 +-
 src/PMG/DKIMSign.pm             | 150 +++++++++++++
 src/PMG/RuleDB/Accept.pm        |  16 +-
 src/PMG/RuleDB/BCC.pm           |  12 ++
 src/PMG/Service/pmgmirror.pm    |   4 +-
 src/PMG/Service/pmgproxy.pm     |   2 +
 src/PMG/Utils.pm                |  13 ++
 src/bin/pmg-smtp-filter         |  14 +-
 18 files changed, 686 insertions(+), 212 deletions(-)
 create mode 100644 src/PMG/API2/DKIMSign.pm
 create mode 100644 src/PMG/API2/DKIMSignDomains.pm
 create mode 100644 src/PMG/DKIMSign.pm

Stoiko Ivanov (2):
  refactor RelayDomains:
  Add DKIM Tab to MailProxy configuration

 js/DKIMSettings.js           | 207 +++++++++++++++++++++++++++++++++++
 js/MailProxyConfiguration.js |   5 +
 js/MailProxyDKIMPanel.js     |  43 ++++++++
 js/Makefile                  |   2 +
 js/RelayDomains.js           |  27 +++--
 pmg-index.html.tt            |   1 +
 6 files changed, 273 insertions(+), 12 deletions(-)
 create mode 100644 js/DKIMSettings.js
 create mode 100644 js/MailProxyDKIMPanel.js

Stoiko Ivanov (1):
  add pmx-hint css class

 css/ext6-pmx.css | 4 ++++
 1 file changed, 4 insertions(+)
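
Added example, not part of the original message or the patch series: the key-size remark about TXT records >255 comes down to the 255-byte limit on a single DNS character-string, so this sketch builds the `v=DKIM1; k=rsa; p=...` record for each offered key size and splits it into the strings a zone would have to carry. The modulus is a constructed placeholder of the right bit length (not a usable key), and all function names are hypothetical.

```python
import base64

TXT_STRING_MAX = 255  # one DNS character-string carries at most 255 bytes

# AlgorithmIdentifier for rsaEncryption with NULL parameters (fixed DER bytes)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")


def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_uint(value):
    """DER INTEGER for a non-negative value (a leading 0x00 keeps it positive)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def placeholder_spki(bits):
    """SubjectPublicKeyInfo with a constructed modulus of `bits` bits.

    Same size and structure as a real RSA public key with e=65537, which is
    all the length check needs; it is NOT a key anyone can sign with.
    """
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = der(0x30, der_uint(modulus) + der_uint(65537))
    return der(0x30, RSA_ALG_ID + der(0x03, b"\x00" + rsa_pub))


def dkim_txt_strings(spki):
    """Split the DKIM key record into <=255-byte TXT character-strings.

    Verifiers concatenate the strings without separators before parsing.
    """
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")
    return [record[i:i + TXT_STRING_MAX]
            for i in range(0, len(record), TXT_STRING_MAX)]


def report():
    """Map each offered key size to the lengths of its TXT strings."""
    return {bits: [len(s) for s in dkim_txt_strings(placeholder_spki(bits))]
            for bits in (1024, 2048, 4096)}


if __name__ == "__main__":
    for bits, lengths in report().items():
        print(f"rsa-{bits}: {len(lengths)} TXT string(s), lengths {lengths}")
```

Only the 1024-bit record fits in a single string; the 2048-bit and 4096-bit records need a DNS provider that accepts multi-string TXT records.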

