1

Topic: 1024+ bit DKIM keys TXT entries

Hi,

DKIM keys generated in iRedMail 0.9.0 were 1024 bits.

DKIM keys generated in iRedMail 0.9.1 appear to be larger than 1024 bits and cannot fit in a DNS TXT entry for some DNS servers.

Does anyone else have this issue?

Does anyone have suggestions (other than generating a DKIM key of no more than 1024 bits or switching DNS servers)?

==== Required information ====
- iRedMail version: 0.9.1
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version: Ubuntu 14 LTS
- Related log if you're reporting an issue:
====


2

Re: 1024+ bit DKIM keys TXT entries

DKIM key length is now 2048.

I have no experience with the too-long TXT entry issue; maybe others can help.

3

Re: 1024+ bit DKIM keys TXT entries

Moniker.com (and I am sure other DNS server providers) limits TXT entries to 255 characters. 255 characters cannot fit a 2048 bit DKIM key.

Will post a good tutorial for generating a DKIM key (with a specific bit number) when/if I find one.

4 (edited by SteveLuxe 2015-06-19 21:01:08)

Re: 1024+ bit DKIM keys TXT entries

If you don't have the ability to change your DKIM key length with your DNS server provider, you could always try installing OpenDKIM, make the keys 1024 bit, and follow this tutorial. I opted to use OpenDKIM, rather than Amavis for my DKIM signing, and this tutorial worked great for me. This should get you around your limitations:

https://www.digitalocean.com/community/ … ian-wheezy

Give that a try, and see if it gets you any further, schnappi. Hope that helps! I know that you're using Ubuntu, but the setup steps should be virtually identical, even though this tutorial is for Debian.

5

Re: 1024+ bit DKIM keys TXT entries

If 1024 bit is ok, you can re-generate the DKIM key with the command below:

# amavisd-new genrsa /path/to/dkim_key.pem 1024

6

Re: 1024+ bit DKIM keys TXT entries

ZhangHuangbin wrote:

If 1024 bit is ok, you can re-generate the DKIM key with the command below:

# amavisd-new genrsa /path/to/dkim_key.pem 1024

Hi. I'm also interested in this thread. You say to generate a new DKIM, but where do I put it? I assume that after I create the key I must put it somewhere specific so that the mail servers know what to check and verify for spam purposes. I don't know much about DKIM, so are there specific steps you can provide for "downgrading" the 2048 key to a 1024 key?

Unless OP SteveLuxe or schnappi can provide their steps.

7

Re: 1024+ bit DKIM keys TXT entries

Hi jamesaepp,

Check our tutorial here:
http://www.iredmail.org/docs/setup.dns.html

8

Re: 1024+ bit DKIM keys TXT entries

Never generated new DKIM keys. Never upgraded from iRedMail 0.9.0.

9

Re: 1024+ bit DKIM keys TXT entries

Finally generated new DKIM keys instead of using the same one across domains. Was incredibly easy following instructions here: http://www.iredmail.org/docs/sign.dkim. … omain.html

To answer jamesaepp: you need to generate a new 1024 bit DKIM key if you currently have a 2048 bit DKIM key, and just direct the 1024 bit key to be used in your amavisd.conf file.

First generate a new 1024 bit DKIM key:
sudo amavisd-new genrsa /var/lib/dkim/domain.com2.pem 1024

Look for this line in your amavisd.conf file and just edit to reflect new DKIM file:
dkim_key('domain.com', "dkim", "/var/lib/dkim/domain.com2.pem");

One could also just overwrite the existing key when creating a new one and no change would be needed in the amavisd.conf file.

10

Re: 1024+ bit DKIM keys TXT entries

By the way, this is a BIND issue. If you run your own BIND server you can have a 4096 bit DKIM key; just use multiple lines like this:

"v=DKIM1; p="
"key"
"key continued"
"key continued"
"key continued"
"key continued"
"key continued"
"key continued"
"key continued"
"key continued"
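
An added example (not part of the thread and not iRedMail or amavisd code): Python that splits a DKIM TXT value into strings of at most 255 bytes, the limit for a single string inside a TXT record, and renders them in zone-file form using parentheses for line continuation. The key bytes are constructed placeholders sized like DER-encoded 1024-bit and 2048-bit RSA public keys, and the record name assumes the `dkim` selector and `domain.com` from the amavisd.conf line quoted earlier in the thread.

```python
import base64

MAX_STRING = 255  # RFC 1035: one <character-string> in a TXT record holds at most 255 bytes


def split_txt_value(value, size=MAX_STRING):
    """Split a TXT value into chunks that each fit in one character-string."""
    if not 1 <= size <= MAX_STRING:
        raise ValueError("chunk size must be between 1 and 255")
    if not value.isascii() or '"' in value or "\\" in value:
        raise ValueError("value would need zone-file escaping; not handled here")
    return [value[i:i + size] for i in range(0, len(value), size)]


def bind_txt_record(name, value, size=MAX_STRING):
    """Render a zone-file TXT record, one quoted string per line inside ( )."""
    lines = [f"{name} IN TXT ("]
    lines += [f'    "{chunk}"' for chunk in split_txt_value(value, size)]
    lines.append(")")
    return "\n".join(lines)


def reassemble(chunks):
    """A DKIM verifier joins the strings with no separator (RFC 6376, 3.6.2.2)."""
    return "".join(chunks)


def constructed_record(der_len):
    """Build a DKIM-shaped value from placeholder bytes; this is NOT a real key."""
    fake_der = bytes(i % 256 for i in range(der_len))
    return "v=DKIM1; p=" + base64.b64encode(fake_der).decode()


# Constructed samples: 162 and 294 bytes are the DER sizes of 1024-bit and
# 2048-bit RSA SubjectPublicKeyInfo structures with the usual exponent 65537.
RECORD_1024 = constructed_record(162)
RECORD_2048 = constructed_record(294)

if __name__ == "__main__":
    for label, record in (("1024", RECORD_1024), ("2048", RECORD_2048)):
        chunks = split_txt_value(record)
        print(f"{label}-bit: {len(record)} chars -> {len(chunks)} string(s)")
    print(bind_txt_record("dkim._domainkey.domain.com.", RECORD_2048))
```

A provider whose interface accepts only one 255-character string cannot hold the 2048-bit value at all, which is the limit described in post 3.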