Mailinabox: MiaB should append, rather than overwrite, the DKIM KeyTable

Created on 19 Apr 2017  路  9Comments  路  Source: mail-in-a-box/mailinabox

I added a custom DKIM key to my MiaB server a few weeks back, so that I could get it to work with my DNS that only supports 1024-bit keys. See https://discourse.mailinabox.email/t/dkim-signature-header-exists-but-is-not-valid/1968/5?u=alexweissman.

It was working great, but then people started complaining to me that messages had been going into spam again. I checked my DKIM config to make sure that I wasn't going crazy, and I noticed that KeyTable didn't have the correct path to my custom DKIM key (despite the fact that I am _sure_ I correctly set it, originally).

Upon digging into the source, it looks like MiaB overwrites KeyTable whenever do_dns_update is called. I would propose one of two solutions:

  • Append, rather than overwrite, KeyTable when new domains are added;
  • Provide a means of adding custom DKIM keys, that MiaB could account for whenever it needs to update the KeyTable.

Most helpful comment

I can confirm about Namecheap only using 1024 bit keys. See here:

https://www.namecheap.com/support/knowledgebase/article.aspx/317/2237/how-do-i-add-txtspfdkimdmarc-records-for-my-domain

I also tried several ways of using a 2048 bit key, but they have a limit on the length of a txt record, and quietly truncate any record longer than a certain length after submitting it. Took me a bit to realize why it wasn't working....

All 9 comments

You may be right, but it seems like a lot of extra coding to take a step backwards in the long run. Are you using AWS Route 53 by chance? If so, check this https://github.com/mail-in-a-box/mailinabox/issues/1152 and it seems other DNS have similar work arounds, for example this symantec article offers a similar solution for use on windows DNS server: https://support.symantec.com/en_US/article.TECH123082.html

I'm using Namecheap. I've tried the technique of splitting up the key into multiple parts, but that didn't work either - they simply do not support 2048-bit keys!

I can confirm about Namecheap only using 1024 bit keys. See here:

https://www.namecheap.com/support/knowledgebase/article.aspx/317/2237/how-do-i-add-txtspfdkimdmarc-records-for-my-domain

I also tried several ways of using a 2048 bit key, but they have a limit on the length of a txt record, and quietly truncate any record longer than a certain length after submitting it. Took me a bit to realize why it wasn't working....

Assuming Namecheap is the only DNS server you are using for your MiaB served domains, you can fix this by editing setup/dkim.sh.

Relevant code on lines 49-51:

if [ ! -f "$STORAGE_ROOT/mail/dkim/mail.private" ]; then
        opendkim-genkey -b 2048 -r -s mail -D $STORAGE_ROOT/mail/dkim
fi

@myfirstnameispaul it's been a while since I've looked at this - would I need to delete the old 2048-bit key to get this to trigger?

@alexweissman Correct, if it sees mail/dkim/mail.private, then it will not generate new keys. Technically, you don't need to delete, just not have a file at that location.

Have you been able to determine when setup/dkim.sh is actually run? I've been tinkering with modifying my dns_update.py, but I can't get it to even do something as simple as write to a log file. So, I'm starting to suspect that it's not getting executed and that something else (perhaps dkim/sh) is responsible for altering my KeyTable instead.

@alexweissman You need to run the full setup - it seems to be designed to only change things not already configured (sorry, don't recall specific file at this moment).

Thanks! I actually ended up setting up a primary DNS with Cloudflare, which does accept the 2048-bit keys.

Was this page helpful?
0 / 5 - 0 ratings