Set up new dkim milter #582
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
group: ansible
OctoDNS Plan for
|
| Operation | Name | Type | TTL | Value | Source |
|---|---|---|---|---|---|
| Delete | _acme-challenge | TXT | 120 | DpNMkDbvV6A8DYCi5m-qERyNTtO9E28w2fqc1P-COvA; NYdLAk9Q7_b9CbgybIhPXI6ZkAH7SwNOHV4uSKmX1ls | |
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB |
Summary: Creates=0, Updates=0, Deletes=2, Existing=34, Meta=False
pythondiscord.org.
cloudflare
| Operation | Name | Type | TTL | Value | Source |
|---|---|---|---|---|---|
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB |
Summary: Creates=0, Updates=0, Deletes=1, Existing=4, Meta=False
pydis.wtf.
cloudflare
| Operation | Name | Type | TTL | Value | Source |
|---|---|---|---|---|---|
| Delete | _acme-challenge | TXT | 120 | bAMtYtCdS3WoIRItvSJ-J3JijCtFx-iUsyvd0jYTVdM | |
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB |
Summary: Creates=0, Updates=0, Deletes=2, Existing=45, Meta=False
|
Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation? Can we still copy failing domains into a mailbox? Are we still performing validation of inbound email? |
|
Hi!
Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation?
I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
-> https://codeberg.org/glts/dkim-milter
Can we still copy failing domains into a mailbox?
Could you clarify what you mean with "failing domains" - like anything failing validation?
I don't think this supports that either, sorry. But again, we could ask upstream?
Are we still performing validation of inbound email?
Yes, anything failing validation is rejected at heaven's gate.
|
|
I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
-> https://codeberg.org/glts/dkim-milter
Sounds good, I'm not super fussed over this one.
Could you clarify what you mean with "failing domains" - like anything failing validation?
I don't think this supports that either, sorry. But again, we could ask upstream?
Also sounds good for asking upstream.
My concern is that we risk creating an invisible delivery problem here.
For example, this sounds like it would instantly auto-reject your
mailing list mails without it being visible (copied into an inbox like
it currently is, though this might be OpenDMARC?).
We should probably configure some DKIM rejection alerts if we don't have
the visibility from mail being copied.
Our OpenDMARC deployment does handle some of this (maybe more than I
think?) so I will go away and check what OpenDKIM handles and what
OpenDMARC handles.
Basically, as long as instead of rejecting we put stuff into mailq
(which might be the behaviour, I was unsure where "heaven's gate" is in
this instance.
…On 4/20/25 20:09, jchristgit wrote:
jchristgit left a comment (python-discord/infra#582)
Hi!
> Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation?
I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
-> https://codeberg.org/glts/dkim-milter
> Can we still copy failing domains into a mailbox?
Could you clarify what you mean with "failing domains" - like anything failing validation?
I don't think this supports that either, sorry. But again, we could ask upstream?
> Are we still performing validation of inbound email?
Yes, anything failing validation is rejected at heaven's gate.
|
|
On Sun, Apr 20, 2025 at 12:37:41PM -0700, Joe Banks wrote:
jb3 left a comment (python-discord/infra#582)
> I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
> -> https://codeberg.org/glts/dkim-milter
Sounds good, I'm not super fussed over this one.
> Could you clarify what you mean with "failing domains" - like anything failing validation?
> I don't think this supports that either, sorry. But again, we could ask upstream?
Also sounds good for asking upstream.
My concern is that we risk creating an invisible delivery problem here.
For example, this sounds like it would instantly auto-reject your
mailing list mails without it being visible (copied into an inbox like
it currently is, though this might be OpenDMARC?).
I read a bit through OpenDMARC docs and tutorials together with OpenDKIM. I understand that this might be handled by OpenDMARC.
In other news, OpenDMARC is not maintained anymore either. https://github.com/trusteddomainproject/OpenDMARC
Can you feel the pillars of our creation crumbling, Joe? Can you feel how it all ceases to matter?
Can you feel the floor you are standing on vanishing beneath your feet?
Can you feel how you are slowly sucked into the void?
Can you feel how we will all suffocate?
Anyways, maybe, if you're interested, we could also build our own mail authentication daemon.
I have a local thing that uses https://github.com/stalwartlabs/mail-auth. It's not very complicated.
I think Rust is a good pick for this, as much as I like Erlang and Python. It needs to be fast. C scares me a bit.
What do you think?
|
There was a problem hiding this comment.
Pull Request Overview
This PR replaces the deprecated opendkim milter with a new dkim-milter role for managing DKIM key generation and service configuration. Key changes include:
- Addition of variables and configuration files for dkim-milter.
- Implementation of tasks to install dependencies, generate keys, and set up service templates.
- Updates to handlers and playbook to integrate the new dkim-milter role.
Reviewed Changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| ansible/roles/dkim-milter/vars/main.yml | Introduces configuration variables for domains, signings, and selector. |
| ansible/roles/dkim-milter/tasks/main.yml | Implements tasks to install packages, create users/directories, generate keys, and configure services. |
| ansible/roles/dkim-milter/handlers/main.yml | Defines handlers for service reload/restart of dkim-milter. |
| ansible/playbook.yml | Updates playbook to replace opendkim with dkim-milter. |
Files not reviewed (2)
- ansible/roles/dkim-milter/templates/dkim-milter.conf.j2: Language not supported
- ansible/roles/dkim-milter/templates/dkim-milter.service.j2: Language not supported
| with_items: | ||
| - "{{ dkim_milter_domains }}" | ||
| args: | ||
| creates: /etc/dkimkeys/{{ item }}/{{ dkim_milter_selector }}.pem |
There was a problem hiding this comment.
The 'creates' path appears inconsistent with the key generation location in the command (which is /etc/dkim-milter/keys). Consider updating the path to match the expected directory.
Suggested change
| creates: /etc/dkimkeys/{{ item }}/{{ dkim_milter_selector }}.pem | |
| creates: /etc/dkim-milter/keys/{{ item }}/{{ dkim_milter_selector }}.pem |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
Yes, in its screenful of absolutely pointless fluff, it manages to produce something of value. This is roughly similar to talking to a Microsoft representative.
The existing `opendkim` milter is no longer maintained. This commit introduces a role which deploys `dkim-milter`. As-is, it is not a complete replacement, since the role does not (yet) migrate keys of the old `opendkim` setup.
jchristgit
force-pushed
the
new-dkim-milter
branch
from
6098411 to
fed57b4
Compare
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The existing
opendkimmilter is no longer maintained.This commit introduces a role which deploys
dkim-milter.As-is, it is not a complete replacement, since the role does not (yet)
migrate keys of the old
opendkimsetup.