Koozali.org: home of the SME Server

Upgrade to 9.2 with DKIM enabled?

DanB35
Upgrade to 9.2 with DKIM enabled?
« on: May 03, 2017, 11:41:48 PM »
My SME 9.1 server has DKIM enabled as per https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version.3C0.96.  Am I right in thinking that, prior to upgrading to 9.2, I should remove the template fragment created here (/etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/local/69dkim_sign), and once the upgrade is complete, proceed with the instructions at https://wiki.contribs.org/Email#DKIM_Setup_-_qpsmtpd_version_.3E.3D_0.96 to enable it (and update my DNS records accordingly)?

Daniel B.
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #1 on: May 04, 2017, 11:02:39 AM »
Yes, that's what I'd recommend
It's the end of the world!!! :lol:

DanB35
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #2 on: May 05, 2017, 12:37:57 PM »
Well, that ran into an unexpected glitch.  My DNS host (at my current service level) limits TXT records to 255 characters long.  With my previous configuration, the default._domainkey entry fit within that limit.  Now, it's around 400 characters long.  Any way to shrink that record?

mmccarn
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #3 on: May 05, 2017, 12:55:51 PM »
There's a way to split up a single DKIM record in order to deal with this situation.

I had to call Network Solutions tech support and open a case to get it done about 18 months ago -- although they have since updated their interface to allow creation and management of long DKIM records.

Here's a link that at least starts on explaining the process:
https://serverfault.com/questions/255580/how-do-i-enter-a-strong-long-dkim-key-into-dns

DanB35
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #4 on: May 05, 2017, 01:28:26 PM »
Thanks, interesting thought.  But I'm dealing with a web-based DNS manager (easydns.org), and it looks like this would still have me entering ("blah" "blah" "blah") rather than just blahblahblah.  I don't think that buys me anything, as the entry in that text box needs to be < 256 characters.

Daniel B.
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #5 on: May 05, 2017, 01:56:15 PM »
Using the qpsmtpd-print-dns command, you'll get the entry split in a format BIND would accept. But yes, some providers can't deal with keys like this. You can create your own 1024-bit key if needed. Have a look at /var/service/qpsmtpd/run and use the same command, but with 1024 instead of 2048.

Daniel B.
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #6 on: May 05, 2017, 02:16:20 PM »
E.g.:

Code:
/usr/bin/openssl genrsa -out /home/e-smith/dkim_keys/default/private 1024
/usr/bin/openssl rsa -in /home/e-smith/dkim_keys/default/private \
        -out /home/e-smith/dkim_keys/default/public -pubout
chown qpsmtpd:qpsmtpd /home/e-smith/dkim_keys/default/private
chmod 400 /home/e-smith/dkim_keys/default/private
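An added example, not part of the thread and not qpsmtpd's own code: it builds the `default._domainkey` TXT value from a PEM public key, splits it into strings of at most 255 characters in the zone-file form discussed in replies #3 to #5, and shows the size difference between the 2048-bit and 1024-bit keys from replies #5 and #6. The function names are hypothetical, and the key bodies are constructed all-zero placeholders of the same length as real keys generated with openssl's default exponent.

```python
import base64

MAX_TXT_STRING = 255  # DNS limit: one TXT character-string holds at most 255 bytes
PREFIX = "v=DKIM1; k=rsa; p="


def pem_to_dkim_value(pem):
    """Build the DKIM TXT value from the PEM written by `openssl rsa -pubout`."""
    lines = [ln.strip() for ln in pem.splitlines()]
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    base64.b64decode(b64, validate=True)  # fail early on a damaged key file
    return PREFIX + b64


def split_txt(value, limit=MAX_TXT_STRING):
    """Cut the value into strings short enough for a single TXT string."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def bind_record(name, value):
    """Zone-file form: several quoted strings inside one TXT record."""
    quoted = " ".join('"%s"' % chunk for chunk in split_txt(value))
    return "%s IN TXT ( %s )" % (name, quoted)


def constructed_pem(der_len):
    """Placeholder PEM of realistic size (all-zero bytes, NOT a usable key)."""
    body = base64.b64encode(bytes(der_len)).decode("ascii")
    wrapped = "\n".join(split_txt(body, 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % wrapped


# An RSA public key in this PEM form is 294 bytes of DER at 2048 bits
# and 162 bytes at 1024 bits.
VALUE_2048 = pem_to_dkim_value(constructed_pem(294))
VALUE_1024 = pem_to_dkim_value(constructed_pem(162))

if __name__ == "__main__":
    for label, value in (("2048", VALUE_2048), ("1024", VALUE_1024)):
        chunks = split_txt(value)
        print(label, "bits:", len(value), "chars in", len(chunks), "string(s)")
        print(bind_record("default._domainkey", value))
```

A verifier joins the strings of one TXT record without separators, so the split only helps when the DNS provider's interface accepts several strings per record. RFC 8301 requires signers to use RSA keys of at least 1024 bits and recommends at least 2048 bits, so the shorter key is the fallback for providers that cannot store the longer record.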

mmccarn
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #7 on: May 06, 2017, 08:53:23 PM »
Another thought occurred to me - you might be able to get DKIM working again by copying your old keys to the new locations.

According to the wiki page, your old keys should be found here:
/var/service/qpsmtpd/config/dkimkeys/

The new keys appear to be stored here:
/home/e-smith/dkim_keys/default


Jean-Philippe Pialasse
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #8 on: May 07, 2017, 04:59:43 AM »
That's what I did after moving the newly generated ones. This might be documented.

Stefano
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #9 on: May 07, 2017, 08:10:20 AM »
Or we'd create a migration script..

Jean-Philippe Pialasse
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #10 on: May 08, 2017, 03:10:23 AM »
Or we'd create a migration script..

The problem with customization is that it is difficult to plan how exactly the custom files have been organized, and the migration script might do more harm than good.

Some might have copied the key multiple times, others might have linked it, some might have only one key for all the domains configured, some one key per domain, and some others might have a mix of dedicated keys and shared keys.

Hence, the current situation might be the wiser approach.

holck
Re: Upgrade to 9.2 with DKIM enabled?
« Reply #11 on: May 09, 2017, 04:07:19 PM »
Another thought occurred to me - you might be able to get DKIM working again by copying your old keys to the new locations.

According to the wiki page, your old keys should be found here:
/var/service/qpsmtpd/config/dkimkeys/

The new keys appear to be stored here:
/home/e-smith/dkim_keys/default


Here is what worked for me:

The old DKIM-keys were found in /var/service/qpsmtpd/config/dkimkeys/ with names like
  • dkim.public
  • myserver.com.private
  • myserver.eu.private
The file dkim.public was copied to /home/e-smith/dkim_keys/default/public, replacing the previous file there.
One of the *.private files was copied to /home/e-smith/dkim_keys/default/private, again replacing the previous file there.

This seems to work :-)