Feature Request: DKIM - support ed25519 and dual signing

DerDanilo

Renowned Member
Jan 21, 2017
476
132
83
- PMG should also support signing with ed25519 keys.
- It is advisable to sign with rsa AND ed25519 since not all receiving servers are capable of checking ed25519 keys. (Dual Signing)
- This should be configurable

RFC 8301
https://datatracker.ietf.org/doc/html/rfc8301#section-3.2

RFC 8463
https://datatracker.ietf.org/doc/html/rfc8463

RFC8463 even states that rsa is absolete if I understand correctly.

https://certified-senders.org/de/bl...mit-beruecksichtigung-des-dkim-crypto-update/

Thanks

---

https://bugzilla.proxmox.com/show_bug.cgi?id=3624
 
Last edited:
If you already made a bugzilla entry why repost it here again? Please avoid clogging communication channels with repetition of the same thing, thanks!
To get user feedback for this, since it may be of interest for PMG users. If this is not desired I may refrain from it for future cases.
 
To get user feedback for this, since it may be of interest for PMG users
Hmm, if you want to get feedback from other users I'd propose to explicitly mention that, as it's written now it reads like a request to devs, not to other users so actual feedback from them (besides a cheap +1) may be limited.
In addition to that it could have some benefits to do a feedback thread for a potential request before opening the bugzilla enhancement requests, so that opinions and are already on the table and can be condensed in BZ.
 
  • Like
Reactions: DerDanilo
Hmm, if you want to get feedback from other users I'd propose to explicitly mention that, as it's written now it reads like a request to devs, not to other users so actual feedback from them (besides a cheap +1) may be limited.
In addition to that it could have some benefits to do a feedback thread for a potential request before opening the bugzilla enhancement requests, so that opinions and are already on the table and can be condensed in BZ.
I will keep that in mind for further requests. Thanks.

I think that PMG should support recommended settings according to RFCs. Additionally it should support ways to work with badly configured external Mailservers that a PMG admin has no way of fixing (and it's not his responsibility).
Hence the request to allow dual signing with a RSA and a ed25519 key.
Most probably this will also cause issues with some servers but should at least allow a smooth transition to ed only keys over a couple of years.

What do you think about that?
 
- PMG should also support signing with ed25519 keys.
- It is advisable to sign with rsa AND ed25519 since not all receiving servers are capable of checking ed25519 keys. (Dual Signing)
- This should be configurable
I'd agree that this might be a nice addition (and considered it when initially implementing the DKIM support) - however currently the main blocker is that the Mail:DKIM implementation does not have ed25519 support (and from a quick search there is also no perl library supporting ed25519 packaged in debian, and there are no openssl-bindings for ed25519 (the rsa part uses Crypt::OpenSSL::RSA))

This means that implementing this is quite a bit more involved than it might seem from the outside.

Additionally from a quick glance through my mailboxes - I think that currently the deployment of ed25519 DKIM signatures is not quite common (I did not see one mail with a ed25519 signature) - so I'd not consider it an urgent enhancement.

Else - I do agree that dual signing would be a necessity, as well as having it configurable.

RFC8463 even states that rsa is absolete if I understand correctly.
I think the obsoletion remark you're referring to is that the RSA spec in rfc3447 has been replaced by the RSA spec in rfc8017 - not that RSA is obsoleted in general.
 
  • Like
Reactions: flames
Thanks for your detailed explanation and thought on the subject.
I hope that PMG will support ed based keys as soon as the requirement for it is becoming more important and not with a delay as many other competitor products often have.

I think the obsoletion remark you're referring to is that the RSA spec in rfc3447 has been replaced by the RSA spec in rfc8017 - not that RSA is obsoleted in general.
Correct. Thanks for clearing that up!

Thanks for updating the BZ report and keeping it postponed until further notice so we don't forget about it.
 
  • Like
Reactions: Stoiko Ivanov

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!