DKIM Signing - storing keys in sql table?
Hans Spaans via amavis-users
amavis-users at amavis.org
Wed Sep 4 15:00:26 CEST 2013
Thomas Johnson via amavis-users wrote on 2013-08-29 21:36:
> We're interested in adding DKIM signing, but we've got a huge number
> of domains, and storing the keys in files and reloading amavisd-new
> isn't practical. We've looked at opendkim, which does support this,
> but we'd prefer to keep all this sort of thing in one place, in
> amavisd-new.
>
> Are there any plans to add the ability to store the keys in a sql
> table? Either in the policy table directly, or in a separate table?
Using the policy table would only make sense for the DKIM-selector
maybe, but not for the keys as you want to be able to do a controlled
key roll-over.
* Say key submit.0.example.org is active.
* You create key for submit.1.example.org
* Publish the pub key in DNS for submit.1.example.org
* Change DKIM-selector from submit.0 to submit.1 so amavis will start
using it;
* Remove key submit.0.example.org after normally 21 days (see validity
of the key for that number)
You may also want to keep record of signatures for a key and how old it
is so you can do a roll-over after 100.000 e-mails or every 400 days. I
just picked those numbers, but it is something to consider as keys will
get compromised, need a bigger bitsize, etc.
Hans
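The roll-over steps and the age/usage triggers above can be modelled against a small SQL table. The following Python/sqlite3 script is an added example written for this thread; it is not amavisd-new code and amavisd-new has no such table. The table layout, column names, the `submit.N` selector counter, the per-key signature counter and the PEM placeholder are all assumptions made for the illustration; the 21-day grace period and the 100,000-signature / 400-day triggers are the numbers from the post. The DNS record name follows the DKIM convention `<selector>._domainkey.<domain>`.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Numbers taken from the post; they are illustrative policy, not DKIM requirements.
RETIRE_GRACE_DAYS = 21       # keep the old key this long after switching selectors
MAX_SIGNATURES = 100_000     # roll over after this many signatures ...
MAX_KEY_AGE_DAYS = 400       # ... or when the key is this old

# Assumed table layout (not amavisd-new's schema).
SCHEMA = """
CREATE TABLE dkim_keys (
    domain      TEXT    NOT NULL,
    selector    TEXT    NOT NULL,
    private_key TEXT    NOT NULL,           -- PEM blob (placeholder in this demo)
    created_at  TEXT    NOT NULL,           -- ISO-8601, UTC
    retired_at  TEXT,                       -- set when the selector stops signing
    signatures  INTEGER NOT NULL DEFAULT 0, -- how many mails this key has signed
    active      INTEGER NOT NULL DEFAULT 0, -- 1 for the selector amavis should use
    PRIMARY KEY (domain, selector)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def next_selector(selector):
    """'submit.0' -> 'submit.1': keep the prefix, bump the trailing counter (assumed naming)."""
    prefix, _, n = selector.rpartition(".")
    return f"{prefix}.{int(n) + 1}"


def dns_txt_name(domain, selector):
    """Name of the TXT record a verifier queries for this selector."""
    return f"{selector}._domainkey.{domain}"


def add_key(conn, domain, selector, private_key_pem, now):
    """Step 2: store a freshly generated key; it is inactive until switched to."""
    conn.execute(
        "INSERT INTO dkim_keys (domain, selector, private_key, created_at) VALUES (?, ?, ?, ?)",
        (domain, selector, private_key_pem, now.isoformat()),
    )


def active_selector(conn, domain):
    row = conn.execute(
        "SELECT selector FROM dkim_keys WHERE domain = ? AND active = 1", (domain,)
    ).fetchone()
    return row[0] if row else None


def switch_selector(conn, domain, new_selector, now):
    """Step 4: make new_selector the signing key; the old one is retired but kept."""
    old = active_selector(conn, domain)
    if old is not None:
        conn.execute(
            "UPDATE dkim_keys SET active = 0, retired_at = ? WHERE domain = ? AND selector = ?",
            (now.isoformat(), domain, old),
        )
    conn.execute(
        "UPDATE dkim_keys SET active = 1 WHERE domain = ? AND selector = ?",
        (domain, new_selector),
    )
    return old


def count_signatures(conn, domain, n=1):
    """Bookkeeping: n more mails were signed with the active key."""
    conn.execute(
        "UPDATE dkim_keys SET signatures = signatures + ? WHERE domain = ? AND active = 1",
        (n, domain),
    )


def rollover_due(conn, domain, now):
    """True when the active key hit the usage or age trigger (or no key is active)."""
    row = conn.execute(
        "SELECT created_at, signatures FROM dkim_keys WHERE domain = ? AND active = 1",
        (domain,),
    ).fetchone()
    if row is None:
        return True
    age = now - datetime.fromisoformat(row[0])
    return row[1] >= MAX_SIGNATURES or age >= timedelta(days=MAX_KEY_AGE_DAYS)


def purge_retired(conn, domain, now):
    """Step 5: delete keys retired at least RETIRE_GRACE_DAYS ago; returns how many."""
    cutoff = (now - timedelta(days=RETIRE_GRACE_DAYS)).isoformat()
    cur = conn.execute(
        "DELETE FROM dkim_keys WHERE domain = ? AND active = 0 "
        "AND retired_at IS NOT NULL AND retired_at <= ?",
        (domain, cutoff),
    )
    return cur.rowcount


def demo():
    """Walk one domain through the roll-over described in the post."""
    domain = "example.org"
    pem = "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----"
    t0 = datetime(2013, 9, 4, 15, 0, tzinfo=timezone.utc)
    conn = open_db()
    add_key(conn, domain, "submit.0", pem, t0)
    switch_selector(conn, domain, "submit.0", t0)       # submit.0 is active
    count_signatures(conn, domain, MAX_SIGNATURES)      # simulate 100.000 signed mails
    t1 = t0 + timedelta(days=30)
    due = rollover_due(conn, domain, t1)                # usage trigger fires
    new = next_selector(active_selector(conn, domain))  # submit.1
    add_key(conn, domain, new, pem, t1)
    txt_name = dns_txt_name(domain, new)                # publish pub key here first
    old = switch_selector(conn, domain, new, t1)        # amavis now signs with submit.1
    early = purge_retired(conn, domain, t1 + timedelta(days=20))  # too soon: 0
    purged = purge_retired(conn, domain, t1 + timedelta(days=21)) # grace over: 1
    remaining = [r[0] for r in conn.execute(
        "SELECT selector FROM dkim_keys WHERE domain = ? ORDER BY selector", (domain,))]
    return {"due": due, "old": old, "new": new, "txt_name": txt_name,
            "early": early, "purged": purged, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

The order matters: the new key is inserted and its TXT record published before `switch_selector` flips `active`, and the old row is only deleted by `purge_retired` once the grace period has passed, so mail signed just before the switch still verifies.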