[pmg-devel] [PATCH pmg-api/pmg-gui v2] add initial DKIM-Signing Support
Stoiko Ivanov
s.ivanov at proxmox.com
Tue Oct 15 21:46:39 CEST 2019
This patchset adds initial support for signing outbound e-mails with DKIM.
Design choices:
While initially planning to implement this by rendering the config for one
of the available dkim-signing milters and hooking it into the outbound postfix
instance via the templating system (master.cf.in) a few reasons changed my mind
in favor of using perl's Mail::DKIM::Signer inside pmg-smtp-filter instead:
* both milter-options considered had a few drawbacks for our use-case
- opendkim seems a bit behind on the latest changes to DKIM (2 new RFCs w.r.t.
DKIM have come out recently [0,1] and it seems the debian maintainer might
not have the time/energy to keep on maintaining it [2]
- dkimpy-milter (a rather recent reimplementation of opendkim's feature set)
is still lacking 2-3 crucial features (SigningTable/KeyTable support),
which, while not needed for the current feature set, might become a burden
further down the road. Also the logging and configuration were a bit terse
(even for my taste) - The upside of dkimpy-milter is that it implements
rfc8463 (ed25519+sha256 - making for much shorter public-keys), something
that I only found in rspamd otherwise
* adding yet another moving part and running service also has its drawback
* OTOH Mail::DKIM integrates quite straight-forward into pmg-smtp-filter
(by using SpamAssassin most of it's dependencies are already loaded into
memory anyways).
* Additionally inside pmg-smtp-filter we have quite good knowledge of a mail
(e.g. knowing if it arrived on the internal or external port, or a direct
view of all domains for which the PMG is relaying).
* Last but not least Mail::DKIM seems quite active (it's last release is
on 08.10.2019 :)
The current implementation should give most users enough for their needs:
* It can either sign all mails sent by users in a certain list of domains
(/etc/dkim/domains) with a fall-back to the RelayDomains (the one PMG
receives mail for seem like a good default choice for the domains PMG
can sign mails for)
* Alternatively it can sign all incoming mails (with the sender's domain taken
for the signature's d= flag (the domain in which a verifier looks for the
public key to verify the signature)
* The user can create a new selector (meaning the selector name, which is part
of the DNS-record and also inside the signature header, and the private key
used for signing), which is then used to sign all mails. (when generating
a new private key all domains signed by it need to create/update the fitting
DNS-record anyways).
* the signature algorithm is fixed to rsa-sha256 (see [1], and sadly Mail::DKIM
has no support yet for ed25519+sha256).
* the key-size can be (1024|2048|4096) bits (the 1024 is still there for
compatibility with DNS-providers not having support for TXT records >255
bytes).
The first 2 patches address also #2371, since I needed to reload pmg-smtp-filter
for config changes anyways.
I did some preliminary testing - the generated signatures get verified by
opendkim and rspamd.
Thanks to Dominik for supporting me with the GUI-part and for the very
thorough code-review of v1 and the valuable suggestions!
Changes v1 -> v2:
* mostly incorporated Dominik's feedback
* instead of saving the config-options affecting pmg-smtp-filter inside
the PMG::Config object, the code now writes a 'config-file' into /run when
pmg-smtp-filter starts, or when the relevant settings change. This makes for
a simpler and cleaner handling of config-updates. It also removed the need
for the original patch 3 (reloading the config in all cluster-synchronization
points.
* PMG::DKIMSign::sign_entity got added giving all points where mail should
get signed a single method to call
* the key-size restrictions were changed (only a lower bound of 1024 is now
enforced (since I just found out that you can very well create RSA-keys
with e.g. 1077 bits...)
* synchronization of directories in a cluster was changed to use `rsync -aq`
instead of looping over all files and symlinks inside a directory.
This makes for a change of semantics, but I think the regression risk
is rather small (it would affect users who have put a large directory
hierarchy below '/etc/pmg/templates' (and even then they already sync
it across nodes -now it gets additionally copied from
'/etc/pmg/master/templates' to '/etc/pmg/templates'
* the patch for proxmox-widget-toolkit was dropped since it was already
applied
Feedback appreciated!
[0] https://tools.ietf.org/html/rfc8301
[1] https://tools.ietf.org/html/rfc8463
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900774;msg=5
pmg-api:
Stoiko Ivanov (11):
refactor reload_rule_db
fix #2371: reload pmg-smtp-filter on config change
add DKIM options to PMG::Config
add PMG::DKIMSign module
DKIM sign outbound mail if configured
refactor API2::Domains for reuse in DKIMSign
add API2/DKIMSignDomains endpoints
add DKIM API paths
pmgconfig: add dkim commands
add /etc/pmg/dkim to cluster-sync
pmgproxy: add proxmox-widget-toolkit css path
debian/dirs | 1 +
src/Makefile | 3 +
src/PMG/API2/Config.pm | 7 +
src/PMG/API2/DKIMSign.pm | 126 +++++++++++
src/PMG/API2/DKIMSignDomains.pm | 19 ++
src/PMG/API2/Domains.pm | 359 +++++++++++++++++---------------
src/PMG/CLI/pmgconfig.pm | 7 +
src/PMG/Cluster.pm | 41 ++--
src/PMG/Config.pm | 98 +++++++++
src/PMG/DBTools.pm | 11 +-
src/PMG/DKIMSign.pm | 177 ++++++++++++++++
src/PMG/RuleDB/Accept.pm | 14 +-
src/PMG/RuleDB/BCC.pm | 11 +
src/PMG/Service/pmgproxy.pm | 2 +
src/PMG/Utils.pm | 13 ++
src/bin/pmg-smtp-filter | 8 +
16 files changed, 691 insertions(+), 206 deletions(-)
create mode 100644 src/PMG/API2/DKIMSign.pm
create mode 100644 src/PMG/API2/DKIMSignDomains.pm
create mode 100644 src/PMG/DKIMSign.pm
pmg-gui:
Stoiko Ivanov (3):
refactor RelayDomains:
MailProxyConfiguration.js: whitespace cleanup
Add DKIM Tab to MailProxy configuration
js/DKIMSettings.js | 190 +++++++++++++++++++++++++++++++++++
js/MailProxyConfiguration.js | 13 ++-
js/MailProxyDKIMPanel.js | 43 ++++++++
js/Makefile | 2 +
js/RelayDomains.js | 27 ++---
pmg-index.html.tt | 1 +
6 files changed, 260 insertions(+), 16 deletions(-)
create mode 100644 js/DKIMSettings.js
create mode 100644 js/MailProxyDKIMPanel.js
--
2.20.1
More information about the pmg-devel
mailing list