From b2121dfdc4320f2fca66091f04076e95425d48c0 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 4 Dec 2018 12:49:10 +0100 Subject: Rotate DKIM keys: upgrade to rsa2048 and change selector. --- e-post/doman.mdwn | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/e-post/doman.mdwn b/e-post/doman.mdwn index 57d7100..f809478 100644 --- a/e-post/doman.mdwn +++ b/e-post/doman.mdwn 
@@ -129,15 +129,28 @@ When you're using our Mail Submission Agent (`smtp.fripost.org`, see our [webmail](https://mail.fripost.org) to send an email, you might have noticed a "DKIM-Signature" field in the mail header on the receiver side: - DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; ...; s=20140703; ... + DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fripost.org; …; s=8f00fb94ec6c37aacb48bd43e073f9b7; … This field was added just before your mail left Fripost's infrastructure. The selector and signing domain, respectively given by "s=" and "d=", provide a way for the receiver to fetch the public part of the key used to sign the message from the signing domain's DNS zone: - $ dig +short 20140703._domainkey.fripost.org TXT - "v=DKIM1\; k=rsa\; t=s\; s=email\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUIUVYm2WCwrXYd+cEIpKPSaxm5MxqFP3Ie7nAo+ZCLgt+oEPTuGA2dwqXAo04BeJERDKV5AGNusdn0EObjFApQZGtD7ROPrdtSMsQsOC2jDrk/FVIBWjk8NeXXA8eFHBLgB4WhByerrHYvCKO4wR5N6bT+y/QDWl868WM7ejEHwIDAQAB" + $ dig 8f00fb94ec6c37aacb48bd43e073f9b7._domainkey.fripost.org TXT +short \ + | sed 's/" "//g' | tr -d '"' \ + | fold -w64 | sed '1s/.*/ ( "&"/; 1!s/.*/ "&"/; $s/$/ )/' + ( "v=DKIM1; k=rsa; t=s; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A" + "MIIBCgKCAQEApmCWIVZt+L/bJ5+abvdmFm6Er/9g6e4WX2HKyeIfC5eDaPbUyHqH" + "SY7xzWNiU+cbBvny8BASkdWsclLdoiuMJ6Yes5VSzkH6j2gp9Uuy7d6p61Jbrizi" + "7/CQzCZfhi5uGKiGtV2g+V/sIuXekm9Q+Q2eqjj/6hUHGDPTTKEFlgruyaS6y+Ke" + "s+sJYjMG62lbTOKL5TjY6z0Gr2AMfglBUj9QWD5jm+bH0clE1HZq51mxXQbV2v/7" + "JEHjznR0nSB+jY2EV7g/MXM8DwJCDH4ZcknoH0NrcJRjuRt8ndufnx4Qh0t7qqWw" + "mGF0jZOcZxHeODfkUlLxQ4SCMVeqV/SSTwIDAQAB" ) + +(Where the Resource Record is formatted in to a parentheses-enclosed list +of chunks, cf. [RFC 1035 sec. 5.1](https://tools.ietf.org/html/rfc1035#section-5.1).) +The public part of our DKIM keys can also be found +[there](https://git.fripost.org/fripost-ansible/tree/certs/dkim). 
See RFCs [6376](https://tools.ietf.org/html/rfc6376) and [7001](https://tools.ietf.org/html/rfc7001) for references. The
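Review bot: the `+` output shown under the new `dig` pipeline is not what that pipeline prints: dig renders `;` inside TXT rdata as `\;` (the removed `-` line in this same hunk shows exactly that, `"v=DKIM1\; k=rsa\; t=s\; s=email\; p=..."`), and none of the `sed 's/" "//g'`, `tr -d '"'` or `fold -w64` stages strips the backslash, so a reader who copies the command gets `"v=DKIM1\; k=rsa\; t=s\; s=email\; p=MIIBIjAN..."` rather than the clean chunks listed. Either add a stage such as `sed 's/\\;/;/g'` before `fold -w64`, or show the output as dig actually emits it. Two smaller points: "formatted in to" in the added parenthetical should read "formatted into"; and since the change moves the selector from `20140703` to `8f00fb94ec6c37aacb48bd43e073f9b7`, the page could say that the old selector's TXT record stays published until mail signed with the old key has stopped circulating, otherwise DKIM signatures on in-flight messages fail verification as soon as the old record is dropped.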