rodolphe
/
opensmtpd-filter-dkimout
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
DKIM filter for OpenSMTPD
116 Commits 1 Branch 0 Tags 8.6 MiB
Rust 89.2%
Python 10.8%
Go to file
Rodolphe Bréard 917da842e6 Update cargo-deny 2024-03-23 12:34:46 +01:00
.github/workflows Update dependencies 2024-03-23 12:12:59 +01:00
man/en Add a man page 2023-04-16 18:37:42 +02:00
migrations Add a published flag to keys 2023-04-10 11:11:00 +02:00
src Update the sqlx dependency 2023-09-20 19:18:13 +02:00
tests Add a third test email with HTML and dot-escaped data 2023-04-30 23:12:53 +02:00
.gitignore First commit 2023-03-19 14:59:32 +01:00
Cargo.toml Update dependencies 2024-03-23 12:12:59 +01:00
LICENSE-APACHE-2.0.txt Include the licenses 2023-03-26 14:51:39 +02:00
LICENSE-MIT.txt Include the licenses 2023-03-26 14:51:39 +02:00
README.md Update dependencies 2024-03-23 12:12:59 +01:00
build.rs Connect to the key database 2023-04-09 17:21:17 +02:00
deny.toml Update cargo-deny 2024-03-23 12:34:46 +01:00
rustfmt.toml First commit 2023-03-19 14:59:32 +01:00

README.md

Filter DKIMout

Build Status Minimum rustc version License MIT OR Apache 2.0

DKIM filter for OpenSMTPD.

Project status

This is a work in progress, it is not supposed to work yet.

Building and packaging

cargo build --release

Packagers may want to set the VARLIBDIR to a custom value (default is /var/lib):

VARLIBDIR="/usr/local/var/lib" cargo build --release

Frequently Asked Questions

Does this filter signs outgoing emails using DKIM or check the DKIM signature of incoming emails?

It only signs outgoing emails.

Why create another filter for that?

Currently, the options to sign outgoing emails with DKIM are the following:

DKIMproxy is not an OpenSMTPD filter and is therefore more inconvenient to use. Moreover, its development stopped in 2013 and it is therefore dangerous to use.

The two other are fine, however I think they lack a few features, like automatic key rotation and publication of obsolete private keys.

Why would anyone publish private keys, even obsolete ones? Are you crazy?

DKIM's goal is to fight spam, that's all, and for that it only need the keys to be safe when the recipients receives the email. But because it includes a cryptographic proof over the content it is being used for other usages, mostly as a legal proof long after the email has been sent and received. Publishing the obsolete/revoked private keys allows the sender to regain deniability.

Matthew Green wrote an excellent article on this subject: Ok Google: please publish your DKIM secret keys.

Where is the documentation?

The complete documentation can be found in the filter-dkimout (8) man page.

One of my keys has been compromised, how do I revoke it?

Keys are stored in an SQLite format 3 database. You may access it using the sqlite3 CLI tool or any other compatible tool.

The simplest way to revoke a key is to set its not_after field at the current timestamp. A new key will automatically be generated. You may also set the revocation field to a different timestamp in order to publish the key when desired.

UPDATE key_db \
SET \
    not_after = unixepoch(), \
    revocation = unixepoch('now', '+20 days') \
WHERE \
    selector = 'dkim-755512d8f51b4da6936d565a1ddbaf17';