[pmg-devel] applied: [PATCH pmg-api/pmg-gui/pmg-docs v4] add initial DKIM-Signing Support
Dietmar Maurer
dietmar at proxmox.com
Wed Oct 23 12:00:52 CEST 2019
applied
> On 21 October 2019 19:23 Stoiko Ivanov <s.ivanov at proxmox.com> wrote:
>
>
> This patchset adds initial support for signing outbound e-mails with DKIM.
>
> Changes v3 -> v4:
> * added onlineHelp anchors to the GUI
> * fixed the documentation to be in accordance with the code
>
> Changes v2 -> v3:
> * fixed the points where I overlooked Dominik's feedback on v1 (sorry!)
> * incorporated feedback on v2 - Thanks!
> * added initial documentation patch
> * tested it on a freshly set up container as well.
>
> Changes v1 -> v2:
> * mostly incorporated Dominik's feedback
> * instead of saving the config-options affecting pmg-smtp-filter inside
> the PMG::Config object, the code now writes a 'config-file' into /run when
> pmg-smtp-filter starts, or when the relevant settings change. This makes for
> a simpler and cleaner handling of config-updates. It also removed the need
> for the original patch 3 (reloading the config in all cluster-synchronization
> points).
> * PMG::DKIMSign::sign_entity got added giving all points where mail should
> get signed a single method to call
> * the key-size restrictions were changed (only a lower bound of 1024 is now
> enforced (since I just found out that you can very well create RSA-keys
> with e.g. 1077 bits...))
> * synchronization of directories in a cluster was changed to use `rsync -aq`
> instead of looping over all files and symlinks inside a directory.
> This makes for a change of semantics, but I think the regression risk
> is rather small (it would affect users who have put a large directory
> hierarchy below '/etc/pmg/templates' (and even then they already sync
> it across nodes - now it gets additionally copied from
> '/etc/pmg/master/templates' to '/etc/pmg/templates')).
> * the patch for proxmox-widget-toolkit was dropped since it was already
> applied
>
> Design choices:
> While initially planning to implement this by rendering the config for one
> of the available dkim-signing milters and hooking it into the outbound postfix
> instance via the templating system (master.cf.in) a few reasons changed my mind
> in favor of using perl's Mail::DKIM::Signer inside pmg-smtp-filter instead:
> * both milter-options considered had a few drawbacks for our use-case
> - opendkim seems a bit behind on the latest changes to DKIM (2 new RFCs w.r.t.
> DKIM have come out recently [0,1]) and it seems the Debian maintainer might
> not have the time/energy to keep on maintaining it [2]
> - dkimpy-milter (a rather recent reimplementation of opendkim's feature set)
> is still lacking 2-3 crucial features (SigningTable/KeyTable support),
> which, while not needed for the current feature set, might become a burden
> further down the road. Also the logging and configuration were a bit terse
> (even for my taste) - The upside of dkimpy-milter is that it implements
> rfc8463 (ed25519+sha256 - making for much shorter public-keys), something
> that I only found in rspamd otherwise
> * adding yet another moving part and running service also has its drawbacks
>
> * OTOH Mail::DKIM integrates quite straight-forward into pmg-smtp-filter
> (by using SpamAssassin most of its dependencies are already loaded into
> memory anyways).
> * Additionally inside pmg-smtp-filter we have quite good knowledge of a mail
> (e.g. knowing if it arrived on the internal or external port, or a direct
> view of all domains for which the PMG is relaying).
> * Last but not least Mail::DKIM seems quite active (its last release is
> on 08.10.2019 :)
>
> The current implementation should give most users enough for their needs:
> * It can either sign all mails sent by users in a certain list of domains
> (/etc/dkim/domains) with a fall-back to the RelayDomains (the ones PMG
> receives mail for seem like a good default choice for the domains PMG
> can sign mails for)
> * Alternatively it can sign all incoming mails (with the sender's domain taken
> for the signature's d= flag (the domain in which a verifier looks for the
> public key to verify the signature))
> * The user can create a new selector (meaning the selector name, which is part
> of the DNS-record and also inside the signature header, and the private key
> used for signing), which is then used to sign all mails. (when generating
> a new private key all domains signed by it need to create/update the fitting
> DNS-record anyways).
> * the signature algorithm is fixed to rsa-sha256 (see [1], and sadly Mail::DKIM
> has no support yet for ed25519+sha256).
> * the key-size can be (1024|2048|4096) bits (the 1024 is still there for
> compatibility with DNS-providers not having support for TXT records >255
> bytes).
>
> The first 2 patches address also #2371, since I needed to reload pmg-smtp-filter
> for config changes anyways.
>
> I did some preliminary testing - the generated signatures get verified by
> opendkim and rspamd.
>
>
> Thanks to Dominik for supporting me with the GUI-part and for the very
> thorough code-review of v1 and v2 and the valuable suggestions!
>
> Feedback appreciated!
>
> [0] https://tools.ietf.org/html/rfc8301
> [1] https://tools.ietf.org/html/rfc8463
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900774;msg=5
>
> pmg-api:
> Stoiko Ivanov (11):
> refactor reload_rule_db
> fix #2371: reload pmg-smtp-filter on config change
> add DKIM options to PMG::Config
> add PMG::DKIMSign module
> DKIM sign outbound mail if configured
> refactor API2::Domains for reuse in DKIMSign
> add API2/DKIMSignDomains endpoints
> add DKIM API paths
> pmgconfig: add dkim commands
> add /etc/pmg/dkim to cluster-sync
> pmgproxy: add proxmox-widget-toolkit css path
>
> debian/dirs | 1 +
> src/Makefile | 3 +
> src/PMG/API2/Config.pm | 7 +
> src/PMG/API2/DKIMSign.pm | 127 +++++++++++
> src/PMG/API2/DKIMSignDomains.pm | 19 ++
> src/PMG/API2/Domains.pm | 359 +++++++++++++++++---------------
> src/PMG/CLI/pmgconfig.pm | 7 +
> src/PMG/Cluster.pm | 41 ++--
> src/PMG/Config.pm | 94 +++++++++
> src/PMG/DBTools.pm | 11 +-
> src/PMG/DKIMSign.pm | 177 ++++++++++++++++
> src/PMG/RuleDB/Accept.pm | 14 +-
> src/PMG/RuleDB/BCC.pm | 11 +
> src/PMG/Service/pmgproxy.pm | 2 +
> src/PMG/Utils.pm | 13 ++
> src/bin/pmg-smtp-filter | 8 +
> 16 files changed, 688 insertions(+), 206 deletions(-)
> create mode 100644 src/PMG/API2/DKIMSign.pm
> create mode 100644 src/PMG/API2/DKIMSignDomains.pm
> create mode 100644 src/PMG/DKIMSign.pm
>
> pmg-gui:
> Stoiko Ivanov (3):
> refactor RelayDomains:
> MailProxyConfiguration.js: whitespace cleanup
> Add DKIM Tab to MailProxy configuration
>
> js/DKIMSettings.js | 201 +++++++++++++++++++++++++++++++++++
> js/MailProxyConfiguration.js | 13 ++-
> js/MailProxyDKIMPanel.js | 44 ++++++++
> js/Makefile | 2 +
> js/RelayDomains.js | 33 +++---
> pmg-index.html.tt | 1 +
> 6 files changed, 276 insertions(+), 18 deletions(-)
> create mode 100644 js/DKIMSettings.js
> create mode 100644 js/MailProxyDKIMPanel.js
>
> pmg-docs:
> Stoiko Ivanov (1):
> Add DKIM documentation
>
> asciidoc/asciidoc-pmg.conf | 1 +
> gen-pmg.conf.5-opts.pl | 6 ++++
> pmgconfig.adoc | 56 ++++++++++++++++++++++++++++++++++++++
> 3 files changed, 63 insertions(+)
>
> --
> 2.20.1
>
>
> _______________________________________________
> pmg-devel mailing list
> pmg-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
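
Added example (not part of the patch series or of Proxmox's code): the cover letter keeps 1024-bit keys for DNS providers that cannot store TXT records longer than 255 bytes. The sketch below builds the generic "v=DKIM1; k=rsa; p=..." record for each offered key size and splits it into DNS character-strings of at most 255 bytes. The modulus is a constructed placeholder with the same byte length as a real key, and the selector and domain are made-up sample values.

```python
import base64

# DER AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1 + NULL)
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    # bit_length // 8 + 1 bytes leaves room for the leading 0x00 that keeps
    # a value with its top bit set positive.
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def placeholder_spki(bits):
    """SubjectPublicKeyInfo with the byte layout of a real RSA public key.
    The modulus is a constructed placeholder, not a usable key."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))
    return tlv(0x30, RSA_ALG_ID + tlv(0x03, b"\x00" + rsa_key))

def dkim_txt_strings(bits):
    """Record text split into DNS character-strings of at most 255 bytes."""
    p = base64.b64encode(placeholder_spki(bits)).decode()
    record = "v=DKIM1; k=rsa; p=" + p
    return [record[i:i + 255] for i in range(0, len(record), 255)]

def zone_line(selector, domain, bits):
    rdata = " ".join('"%s"' % chunk for chunk in dkim_txt_strings(bits))
    return "%s._domainkey.%s. IN TXT ( %s )" % (selector, domain, rdata)

if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        chunks = dkim_txt_strings(bits)
        print(bits, "bits:", sum(map(len, chunks)), "bytes in",
              len(chunks), "character-string(s)")
    # selector and domain below are constructed sample values
    print(zone_line("sel2019", "example.com", 2048))
```

Only the 1024-bit record fits in a single character-string; for the larger sizes the DNS provider has to accept several strings in one TXT record, which a verifier concatenates without separators.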