author Guilhem Moulin <guilhem@fripost.org> 2018-12-04 12:49:10 +0100
committer Guilhem Moulin <guilhem@fripost.org> 2018-12-04 12:49:12 +0100
commit b2121dfdc4320f2fca66091f04076e95425d48c0
tree cf8fb7d4ad24aabe80d21add28a2d8396ab5f96d
parent 49307bd84426efe2a06677eb26d9f723f5257018
Rotate DKIM keys: upgrade to rsa2048 and change selector.
-rw-r--r-- e-post/doman.mdwn 19
1 files changed, 16 insertions, 3 deletions
diff --git a/e-post/doman.mdwn b/e-post/doman.mdwn
index 57d7100..f809478 100644
--- a/e-post/doman.mdwn
+++ b/e-post/doman.mdwn
@@ -129,15 +129,28 @@ When you're using our Mail Submission Agent (`smtp.fripost.org`, see our
[webmail](https://mail.fripost.org) to send an email, you might have
noticed a "DKIM-Signature" field in the mail header on the receiver side:
- DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; ...; s=20140703; ...
+ DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; …; s=8f00fb94ec6c37aacb48bd43e073f9b7; …
This field was added just before your mail left Fripost's infrastructure. The
selector and signing domain, respectively given by "s=" and "d=", provide a way
for the receiver to fetch the public part of the key used to sign the message
from the signing domain's DNS zone:
- $ dig +short 20140703._domainkey.fripost.org TXT
- "v=DKIM1\; k=rsa\; t=s\; s=email\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUIUVYm2WCwrXYd+cEIpKPSaxm5MxqFP3Ie7nAo+ZCLgt+oEPTuGA2dwqXAo04BeJERDKV5AGNusdn0EObjFApQZGtD7ROPrdtSMsQsOC2jDrk/FVIBWjk8NeXXA8eFHBLgB4WhByerrHYvCKO4wR5N6bT+y/QDWl868WM7ejEHwIDAQAB"
+ $ dig 8f00fb94ec6c37aacb48bd43e073f9b7._domainkey.fripost.org TXT +short \
+ | sed 's/" "//g' | tr -d '"' \
+ | fold -w64 | sed '1s/.*/ ( "&"/; 1!s/.*/ "&"/; $s/$/ )/'
+ ( "v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
+ "MIIBCgKCAQEApmCWIVZt+L/bJ5+abvdmFm6Er/9g6e4WX2HKyeIfC5eDaPbUyHqH"
+ "SY7xzWNiU+cbBvny8BASkdWsclLdoiuMJ6Yes5VSzkH6j2gp9Uuy7d6p61Jbrizi"
+ "7/CQzCZfhi5uGKiGtV2g+V/sIuXekm9Q+Q2eqjj/6hUHGDPTTKEFlgruyaS6y+Ke"
+ "s+sJYjMG62lbTOKL5TjY6z0Gr2AMfglBUj9QWD5jm+bH0clE1HZq51mxXQbV2v/7"
+ "JEHjznR0nSB+jY2EV7g/MXM8DwJCDH4ZcknoH0NrcJRjuRt8ndufnx4Qh0t7qqWw"
+ "mGF0jZOcZxHeODfkUlLxQ4SCMVeqV/SSTwIDAQAB" )
+
+(Where the Resource Record is formatted in to a parentheses-enclosed list
+of chunks, cf. [RFC 1035 sec. 5.1](https://tools.ietf.org/html/rfc1035#section-5.1).)
+The public part of our DKIM keys can also be found
+[there](https://git.fripost.org/fripost-ansible/tree/certs/dkim).
See RFCs [6376](https://tools.ietf.org/html/rfc6376) and
[7001](https://tools.ietf.org/html/rfc7001) for references. The
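Review bot: The added parenthetical after the key output ("Where the Resource Record is formatted in to a parentheses-enclosed list of chunks") does not say that the wrapping comes from the `sed`/`tr`/`fold` stages rather than from DNS. A reader running plain `dig +short` on the new selector will get the key as a few long quoted strings instead of the 64-column layout shown. Suggest stating that the pipeline only re-wraps the output for display, and fixing "in to" to "into". The link text "[there]" would also read better if it named its target, for example "in our fripost-ansible repository". Finally, the hunk drops every mention of selector 20140703; consider one sentence on whether that record stays published for a while, since a message carrying `s=20140703` can only be verified while that record is still in the zone.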