Feature Request: DKIM - support ed25519 and dual signing

DerDanilo

Renowned Member
Jan 21, 2017
- PMG should also support signing with ed25519 keys.
- It is advisable to sign with rsa AND ed25519 since not all receiving servers are capable of checking ed25519 keys. (Dual Signing)
- This should be configurable

RFC 8301
https://datatracker.ietf.org/doc/html/rfc8301#section-3.2

RFC 8463
https://datatracker.ietf.org/doc/html/rfc8463

RFC8463 even states that rsa is obsolete if I understand correctly.

https://certified-senders.org/de/bl...mit-beruecksichtigung-des-dkim-crypto-update/

Thanks

---

https://bugzilla.proxmox.com/show_bug.cgi?id=3624
 

DerDanilo

Renowned Member
Jan 21, 2017
If you already made a bugzilla entry why repost it here again? Please avoid clogging communication channels with repetition of the same thing, thanks!
To get user feedback for this, since it may be of interest for PMG users. If this is not desired I may refrain from it for future cases.
 

t.lamprecht

Proxmox Staff Member
Staff member
Jul 28, 2015
To get user feedback for this, since it may be of interest for PMG users
Hmm, if you want to get feedback from other users I'd propose to explicitly mention that, as it's written now it reads like a request to devs, not to other users so actual feedback from them (besides a cheap +1) may be limited.
In addition to that it could have some benefits to do a feedback thread for a potential request before opening the bugzilla enhancement request, so that opinions are already on the table and can be condensed in BZ.
 

DerDanilo

Renowned Member
Jan 21, 2017
Hmm, if you want to get feedback from other users I'd propose to explicitly mention that, as it's written now it reads like a request to devs, not to other users so actual feedback from them (besides a cheap +1) may be limited.
In addition to that it could have some benefits to do a feedback thread for a potential request before opening the bugzilla enhancement request, so that opinions are already on the table and can be condensed in BZ.
I will keep that in mind for further requests. Thanks.

I think that PMG should support recommended settings according to RFCs. Additionally it should support ways to work with badly configured external mail servers that a PMG admin has no way of fixing (and it's not his responsibility).
Hence the request to allow dual signing with an RSA and an ed25519 key.
Most probably this will also cause issues with some servers but should at least allow a smooth transition to ed-only keys over a couple of years.

What do you think about that?
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
- PMG should also support signing with ed25519 keys.
- It is advisable to sign with rsa AND ed25519 since not all receiving servers are capable of checking ed25519 keys. (Dual Signing)
- This should be configurable
I'd agree that this might be a nice addition (and considered it when initially implementing the DKIM support) - however currently the main blocker is that the Mail::DKIM implementation does not have ed25519 support (and from a quick search there is also no perl library supporting ed25519 packaged in Debian, and there are no OpenSSL bindings for ed25519 (the rsa part uses Crypt::OpenSSL::RSA))

This means that implementing this is quite a bit more involved than it might seem from the outside.

Additionally from a quick glance through my mailboxes - I think that currently the deployment of ed25519 DKIM signatures is not quite common (I did not see one mail with an ed25519 signature) - so I'd not consider it an urgent enhancement.

Else - I do agree that dual signing would be a necessity, as well as having it configurable.

RFC8463 even states that rsa is obsolete if I understand correctly.
I think the obsoletion remark you're referring to is that the RSA spec in rfc3447 has been replaced by the RSA spec in rfc8017 - not that RSA is obsoleted in general.
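The thread's two technical points are that dual signing means an rsa-sha256 and an ed25519-sha256 DKIM-Signature over the same message, and that RFC 8463 publishes an ed25519 key in DNS differently from an RSA key. The following Python is an added example (not code from PMG, Mail::DKIM or any poster) that checks a message's headers for dual signatures and validates selector TXT records against their declared key type; the domain, selectors, signature values and raw key bytes are constructed.

```python
import base64
import binascii
import re

# Constructed sample (not from the thread): one message carrying both an RSA and an
# ed25519 signature for the same domain, folded with tabs as an MTA would emit it.
SAMPLE_HEADERS = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=rsa2021;
\th=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=bm90IHJlYWw=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=example.org; s=ed2021;
\th=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=YWxzbyBmYWtl
"""

def parse_tags(text):
    """Parse an RFC 6376 tag-list ('k=v; k=v'); folding whitespace inside values is dropped."""
    return {k.strip(): re.sub(r"\s+", "", v)
            for k, _, v in (t.partition("=") for t in text.split(";")) if k.strip()}

def dkim_signatures(raw_headers):
    """Return the tag dict of every DKIM-Signature header after unfolding continuation lines."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    return [parse_tags(value) for name, _, value in
            (line.partition(":") for line in unfolded.splitlines())
            if name.strip().lower() == "dkim-signature"]

def dual_signing_status(raw_headers):
    """Algorithms present, and d= domains signed by both rsa-sha256 (RFC 8301) and ed25519-sha256 (RFC 8463)."""
    by_alg = {}
    for tags in dkim_signatures(raw_headers):
        by_alg.setdefault(tags.get("a", "").lower(), set()).add(tags.get("d", "").lower())
    dual = by_alg.get("rsa-sha256", set()) & by_alg.get("ed25519-sha256", set())
    return {"algorithms": sorted(by_alg), "dual_signed_domains": sorted(dual)}

def ed25519_dns_record(raw_public_key):
    """Selector TXT record per RFC 8463: k=ed25519, p= is base64 of the raw 32-byte key (no DER wrapper)."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    return "v=DKIM1; k=ed25519; p=" + base64.b64encode(raw_public_key).decode()

def check_dns_record(txt):
    """Check a published record against its declared key type; returns 'ok' or the mismatch a verifier would reject."""
    tags = parse_tags(txt)
    try:
        key = base64.b64decode(tags.get("p", ""), validate=True)
    except binascii.Error:
        return "p= is not valid base64"
    ktype = tags.get("k", "rsa")  # RFC 6376: k= defaults to rsa when omitted
    if ktype == "ed25519":
        return "ok" if len(key) == 32 else f"k=ed25519 but p= is {len(key)} bytes, expected 32"
    if ktype == "rsa":
        return "ok" if key[:1] == b"\x30" else "k=rsa but p= is not a DER SubjectPublicKeyInfo"
    return f"unknown key type {ktype}"
```

The `k=` default is the practical trap when adding the second key: an ed25519 public key published without `k=ed25519` is read as RSA by every verifier and the ed25519 signature fails, so the check flags that record as an RSA/DER mismatch.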
 

DerDanilo

Renowned Member
Jan 21, 2017
Thanks for your detailed explanation and thoughts on the subject.
I hope that PMG will support ed-based keys as soon as the requirement for it is becoming more important and not with a delay as many other competitor products often have.

I think the obsoletion remark you're referring to is that the RSA spec in rfc3447 has been replaced by the RSA spec in rfc8017 - not that RSA is obsoleted in general.
Correct. Thanks for clearing that up!

Thanks for updating the BZ report and keeping it postponed until further notice so we don't forget about it.
 
