Hi Patrick,

Thank you very much for this list, this was very helpful and exactly what I was looking for.

Currently, we are only looking into signing mails, not validating signatures, as we are expanding a currently legacy system which is supposed to be superseded next year, and we hadn't planned on implementing DKIM anymore at all - but Google's announcement about the new specifications for bulk senders changed our trajectory there very quickly...

I'm currently leaning towards trying dkimpy-milter, as it seems to be something still in active development, and if things go wrong, it is always good that the maintainer of the software is still responding ;)

I'm just a bit worried about the size of the dependencies I need for that - I haven't looked into it yet, but from experience, Python projects tend to pull in a lot of dependencies. And as I need to build my own RPM packages for this, it might not be feasible to go with something very big.

But this is all pointing me in the right direction, thanks to everyone contributing to the discussion!

Jens

On Mon, Nov 6, 2023 at 11:51 AM Patrick Ben Koetter via Postfix-users <[email protected]> wrote:
>
> * Jens Hoffrichter via Postfix-users <[email protected]>:
> > Hi!
> >
> > We are looking into implementing DKIM signing for one of our services,
> > and there are multiple ways to implement that.
> >
> > So far I have found that you can do it with opendkim and amavis - any
> > recommendation for one or the other, or maybe something completely
> > different I haven't found yet?
>
> amavis::
>     amavis does not support ED25519 and very likely never will. There's a
>     non-open DMARC / DKIM / SPF addon but I doubt the company who built that
>     will ever open source it.
> opendkim::
>     opendkim supports RSA-SHA256 and a (few years old) BETA also supports
>     ED25519-SHA256. Last time I had a look the BETA was still BETA though I
>     can confirm it works very reliably even on larger platforms (ISP).
> dkimpy-milter::
>     dkimpy-milter supports RSA-SHA256 and ED25519-SHA256. If you have
>     experience running opendkim you will feel at home using dkimpy-milter.
>     dkimpy-milter used to have, and I don't know if it still has, problems
>     handling email message headers containing UTF-8 chars when there shouldn't
>     be any, like in a Subject that reads "Passwort zurücksetzen", which MUST
>     be ISO encoded, but then there are developers who don't know that and …
>     dkimpy-milter crashes because of the way Python 3.x handles UTF-8. I've
>     no idea if Scott has found time to address and fix that.
> rspamd::
>     rspamd supports RSA-SHA256 and ED25519-SHA256 though the documentation
>     hardly mentions this fact. If you want to add signatures to outbound
>     messages only you might turn off all other scanning (spam, malware, …)
>     rspamd provides to increase performance and avoid false positives or
>     unwanted learning.
>
> My recommendation: Use rspamd if you are using it anyway on your platform. It
> handles email reliably and supports RSA-SHA256 and ED25519-SHA256. If you need
> a DKIM signer on servers that relay outbound mail only, use opendkim's BETA.
>
> p@rick
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Schleißheimer Straße 26/MG,80333 München
>
> Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
> Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
> Aufsichtsratsvorsitzender: Florian Kirstein
>
> _______________________________________________
> Postfix-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
