Set up new dkim milter #582
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The existing `opendkim` milter is no longer maintained. This commit introduces a role which deploys `dkim-milter`. As-is, it is not a complete replacement, since the role does not (yet) migrate keys of the old `opendkim` setup.
github-actions
bot
added
the
group: ansible
OctoDNS Plan for
|
| Operation | Name | Type | TTL | Value | Source |
|---|---|---|---|---|---|
| Delete | _acme-challenge | TXT | 120 | DpNMkDbvV6A8DYCi5m-qERyNTtO9E28w2fqc1P-COvA; NYdLAk9Q7_b9CbgybIhPXI6ZkAH7SwNOHV4uSKmX1ls | |
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB |
Summary: Creates=0, Updates=0, Deletes=2, Existing=34, Meta=False
pythondiscord.org.
cloudflare
| Operation | Name | Type | TTL | Value | Source |
|---|---|---|---|---|---|
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB |
Summary: Creates=0, Updates=0, Deletes=1, Existing=4, Meta=False
pydis.wtf.
cloudflare
| Operation | Name | Type | TTL | Value | Source |
|---|---|---|---|---|---|
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB |
Summary: Creates=0, Updates=0, Deletes=1, Existing=44, Meta=False
|
Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation? Can we still copy failing domains into a mailbox? Are we still performing validation of inbound email? |
|
Hi!
Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation?
I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
-> https://codeberg.org/glts/dkim-milter
Can we still copy failing domains into a mailbox?
Could you clarify what you mean with "failing domains" - like anything failing validation?
I don't think this supports that either, sorry. But again, we could ask upstream?
Are we still performing validation of inbound email?
Yes, anything failing validation is rejected at heaven's gate.
|
|
I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
-> https://codeberg.org/glts/dkim-milter
Sounds good, I'm not super fussed over this one.
Could you clarify what you mean with "failing domains" - like anything failing validation?
I don't think this supports that either, sorry. But again, we could ask upstream?
Also sounds good for asking upstream.
My concern is that we risk creating an invisible delivery problem here.
For example, this sounds like it would instantly auto-reject your
mailing list mails without it being visible (copied into an inbox like
it currently is, though this might be OpenDMARC?).
We should probably configure some DKIM rejection alerts if we don't have
the visibility from mail being copied.
Our OpenDMARC deployment does handle some of this (maybe more than I
think?) so I will go away and check what OpenDKIM handles and what
OpenDMARC handles.
Basically, as long as instead of rejecting we put stuff into mailq
(which might be the behaviour, I was unsure where "heaven's gate" is in
this instance.
…On 4/20/25 20:09, jchristgit wrote:
jchristgit left a comment (python-discord/infra#582)
Hi!
> Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation?
I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
-> https://codeberg.org/glts/dkim-milter
> Can we still copy failing domains into a mailbox?
Could you clarify what you mean with "failing domains" - like anything failing validation?
I don't think this supports that either, sorry. But again, we could ask upstream?
> Are we still performing validation of inbound email?
Yes, anything failing validation is rejected at heaven's gate.
|
|
On Sun, Apr 20, 2025 at 12:37:41PM -0700, Joe Banks wrote:
jb3 left a comment (python-discord/infra#582)
> I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
> -> https://codeberg.org/glts/dkim-milter
Sounds good, I'm not super fussed over this one.
> Could you clarify what you mean with "failing domains" - like anything failing validation?
> I don't think this supports that either, sorry. But again, we could ask upstream?
Also sounds good for asking upstream.
My concern is that we risk creating an invisible delivery problem here.
For example, this sounds like it would instantly auto-reject your
mailing list mails without it being visible (copied into an inbox like
it currently is, though this might be OpenDMARC?).
I read a bit through OpenDMARC docs and tutorials together with OpenDKIM. I understand that this might be handled by OpenDMARC.
In other news, OpenDMARC is not maintained anymore either. https://github.com/trusteddomainproject/OpenDMARC
Can you feel the pillars of our creation crumbling, Joe? Can you feel how it all ceases to matter?
Can you feel the floor you are standing on vanishing beneath your feet?
Can you feel how you are slowly sucked into the void?
Can you feel how we will all suffocate?
Anyways, maybe, if you're interested, we could also build our own mail authentication daemon.
I have a local thing that uses https://github.com/stalwartlabs/mail-auth. It's not very complicated.
I think Rust is a good pick for this, as much as I like Erlang and Python. It needs to be fast. C scares me a bit.
What do you think?
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The existing
opendkimmilter is no longer maintained.This commit introduces a role which deploys
dkim-milter.As-is, it is not a complete replacement, since the role does not (yet)
migrate keys of the old
opendkimsetup.