changeblog/1740150466

Mail Server DKIM

Fri, 21 Feb 25 16:07:46 CET

Some mail providers want it, others demand it: DKIM.

Upas is quite an old mail system, but it has DKIM support. Documentation for upas in general is rare, though, so I'll try to note down how to sign outgoing mail on a 9front mail system. This post is not only for you, but also for me in five years.

Theory: DKIM on Plan 9

Upas ships with an additional tool, upas/dkim, which we will use here. The tool expects the private key in factotum. How you get the key into factotum is up to you, as it depends on your setup (secstore, a key file read at boot, and so on). I'll just show you which key to generate and how to use it.

DKIM identifies a signing key by your domain and a selector. The domain is obvious; the selector is just a name for one specific key, and a verifier uses both to find the matching public key in DNS. You can publish several keys under different selectors at the same time, which is exactly what you need when rotating keys: publish the new record, switch signing over to the new selector, and remove the old record once mail signed with it has stopped being delivered.

Everything else is just calling dkim from your remotemail script.

Implementation

To generate the key pair, run the following commands (the first one is a single rc command line; rc does not allow the redirection on a line of its own):

auth/rsagen -b 2048 -t 'service=dkim role=sign hash=sha256 domain=example.com' > dkimprivatekey
auth/rsa2asn1 -f spki dkimprivatekey | auth/pemencode DKIM > dkimpubkey

This writes the private key, which you feed into factotum (for a quick test, cat dkimprivatekey >/mnt/factotum/ctl does; keep the file readable only by you), as well as a public key file in PEM format.

We don't need the PEM format as such, but it's an easy way to get a Base64 encoding of the public key (the DER SubjectPublicKeyInfo), which is what the DNS record needs. Strip the BEGIN and END lines, join the remaining Base64 lines into one string without line breaks, and that string is the key you put into the DNS entry.

The DNS entry is a TXT record named SELECTOR._domainkey.example.com with the content v=DKIM1; k=rsa; p=YOURPUBLICKEY. Note that one TXT string is limited to 255 characters and the Base64 of a 2048-bit key is longer than that, so in the zone file you split the content into several quoted strings; verifiers concatenate them before parsing.

Receiving servers look up this record to verify your mail. Keep note of the SELECTOR: it is the name of this specific key, and the signature header you add below carries it so the receiver knows which record to fetch.
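Getting the public key from the PEM file into a correct TXT record is where most DKIM setups go wrong (line breaks left in, record too long for one TXT string, selector name mistyped). The following Python script is an added example written for this post; it is not part of upas or 9front. It takes the contents of the dkimpubkey file, builds the zone-file line for a selector (the selector name "mail" and the sample key are assumptions; the sample key is a constructed DER-looking blob, not a real RSA key), splitting the value into 255-character strings, and checks a published record back against the PEM so you can confirm what DNS serves is the key you signed with.

```python
import base64
import re
import textwrap

TXT_STRING_MAX = 255  # RFC 1035 limit for one TXT <character-string>

_PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_body_to_b64(pem: str) -> str:
    """Return the Base64 payload of a PEM block as one string, without the
    BEGIN/END armour or line breaks.  The payload is checked to decode
    cleanly and to start with a DER SEQUENCE tag (0x30), which is how a
    SubjectPublicKeyInfo starts; the key itself is not parsed."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    b64 = re.sub(r"\s+", "", m.group(1))
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("PEM payload is not a DER SEQUENCE")
    return b64


def dkim_txt_record(selector: str, domain: str, pem: str):
    """Build the DKIM TXT record for selector/domain from the PEM public key.
    Returns (owner name, list of TXT strings, zone-file line).  The record
    value is split into <=255-character strings so it fits in a TXT RR."""
    name = f"{selector}._domainkey.{domain}."
    value = f"v=DKIM1; k=rsa; p={pem_body_to_b64(pem)}"
    strings = [value[i:i + TXT_STRING_MAX]
               for i in range(0, len(value), TXT_STRING_MAX)]
    zone_line = f"{name} IN TXT " + " ".join(f'"{s}"' for s in strings)
    return name, strings, zone_line


def parse_dkim_record(txt_strings) -> dict:
    """Parse a published record back into its tags.  Multiple TXT strings
    are concatenated first (RFC 6376 section 3.6.2.2), and whitespace inside
    tag values is dropped, since DNS tooling sometimes folds long values."""
    tags = {}
    for item in "".join(txt_strings).split(";"):
        key, sep, val = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def record_matches_key(txt_strings, pem: str) -> bool:
    """True if the published record is an RSA DKIM1 record carrying exactly
    the public key from the PEM file, i.e. the key upas/dkim signs against."""
    tags = parse_dkim_record(txt_strings)
    return (tags.get("v", "DKIM1") == "DKIM1"
            and tags.get("k", "rsa") == "rsa"
            and tags.get("p") == pem_body_to_b64(pem))


# Constructed placeholder standing in for the dkimpubkey file: a DER-looking
# blob (SEQUENCE tag and length, then zeros), NOT a real RSA key, armoured the
# way auth/pemencode DKIM armours its output.
_FAKE_DER = b"\x30\x82\x01\x22" + b"\x00" * 290
SAMPLE_PEM = ("-----BEGIN DKIM-----\n"
              + "\n".join(textwrap.wrap(base64.b64encode(_FAKE_DER).decode(), 64))
              + "\n-----END DKIM-----\n")

if __name__ == "__main__":
    name, strings, zone_line = dkim_txt_record("mail", "example.com", SAMPLE_PEM)
    print(zone_line)
    print("record matches key:", record_matches_key(strings, SAMPLE_PEM))
```

To use it on a real key, read dkimpubkey into SAMPLE_PEM's place, paste the printed zone line into your zone, and after the change has propagated feed the TXT strings your resolver returns into record_matches_key; a False there means the receiver will fail every signature no matter what remotemail does.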

To sign your mails, open /mail/lib/remotemail and replace the call to smtp with something similar to this (in rc the pipe has to end the line, not start the next one):

/bin/upas/smtp -f -C -s -h $fd $addr $sender $* |
	/bin/upas/dkim -s SELECTOR -d example.com |
	/bin/upas/smtp -C -s -h $fd $addr $sender $*

As you can see, the mail passes through two calls to smtp with a call to dkim in between. The first call doesn't send the mail; with -f it only filters it, adding the headers smtp would otherwise add at send time, so that the message dkim sees is the one that actually leaves the machine.

The call to dkim then computes the signature over the headers and body and adds the DKIM-Signature header, carrying the selector and domain, to your mail.

Last, the second call to smtp sends the signed mail to the receiving server. To check the result, send a test message to a mailbox at a provider that adds an Authentication-Results header and look for dkim=pass; a fail there usually means the DNS record and the selector or domain passed to dkim don't match.
