Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Dossy Shiobara via Assp-user

Eric,

While there are probably some hints of "all your eggs in one [encryption 
key] basket" concerns, the underlying machinery does not prevent you 
from using the same key pair for signing emails for multiple domains.


One piece of advice is to use CNAMEs to point your various domains at a 
canonical TXT record that contains your public key, so that if you ever 
do rotate your key (either after a breach, or just out of good security 
hygiene), you only have to update that one canonical TXT record that all 
the CNAMEs point to, rather than N number of TXT records, one per domain.


HTH, HAND,

Dossy


On 3/31/21 4:59 PM, Eric Germann wrote:
Issue is fixed.  It was a record formatting issue in BIND that clipped 
the record (before the one that only showed v=DKIM1)


I route several domains thru this box.  Is there any issue with using 
the same private key and published public key for each domain.


Formatting the DNS record is a PITA.

Sorry for the flurry of questions.  Thanks for the heads up to chase 
down DNS.


--
Dossy Shiobara |  "He realized the fastest way to change
do...@panoptic.com |   is to laugh at your own folly -- then you
http://panoptic.com/   |   can let go and quickly move on." (p. 70)
  * WordPress * jQuery * MySQL * Security * Business Continuity *

___
Assp-user mailing list
Assp-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-user


Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Eric Germann
Issue is fixed.  It was a record formatting issue in BIND that clipped the 
record (before the one that only showed v=DKIM1)

I route several domains thru this box.  Is there any issue with using the same 
private key and published public key for each domain.

Formatting the DNS record is a PITA.

Sorry for the flurry of questions.  Thanks for the heads up to chase down DNS.

Eric


> On Mar 31, 2021, at 4:22 PM, Eric Germann  wrote:
> 
> Fixed that now.  I was working on wrapping in the DNS to get it to load.
> 
> Eric
> 
> 
>> On Mar 31, 2021, at 3:11 PM, Dossy Shiobara wrote:
>> 
>> 
>> 
>> On 3/31/21 12:57 PM, Eric Germann wrote:
>>> [...]
>>> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
>>> 
>>> [...]
>>> 
>>> My public key is published in the DNS for .com.  I’ve verified it’s there
>>> by doing a "dig @nameserver dkim._domainkey..com +short".  It matches what
>>> is in the DKIM generator.
>> 
>> You tried to obscure the domain name but you missed redacting it one place.  
>> If that domain name is the actual one you're working with, then your DNS 
>> entry is incomplete:
>> 
>> ```
>> $ dig dkim._domainkey.semperen.com txt +short
>> "v=DKIM1"
>> ```
>> 
>> Compare that to the published DKIM key for my domain, panoptic.com:
>> 
>> ```
>> $ dig default._domainkey.panoptic.com txt +short
>> "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM"
>> "yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE"
>> "y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa"
>> "50F0L9kMwGyfqVTUaE+KcEQIDAQAB"
>> ```
>> 
>> Not sure if the lack of public key published in your DNS entry would result 
>> in a "bad RSA signature" failure on validation, but there's no way to 
>> validate the signature without your public key published properly.
>> 
>> HTH, HAND,
>> 
>> Dossy
>> 
>> -- 
>> Dossy Shiobara |  "He realized the fastest way to change
>> do...@panoptic.com |   is to laugh at your own folly -- then you
>> http://panoptic.com/   |   can let go and quickly move on." (p. 70)
>>   * WordPress * jQuery * MySQL * Security * Business Continuity *
> 



Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Eric Germann
Fixed that now.  I was working on wrapping in the DNS to get it to load.

Eric


> On Mar 31, 2021, at 3:11 PM, Dossy Shiobara  wrote:
> 
> 
> 
> On 3/31/21 12:57 PM, Eric Germann wrote:
>> [...]
>> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
>> 
>> [...]
>> 
>> My public key is published in the DNS for .com.  I’ve verified it’s there
>> by doing a "dig @nameserver dkim._domainkey..com +short".  It matches what
>> is in the DKIM generator.
> 
> You tried to obscure the domain name but you missed redacting it one place.  
> If that domain name is the actual one you're working with, then your DNS 
> entry is incomplete:
> 
> ```
> $ dig dkim._domainkey.semperen.com txt +short
> "v=DKIM1"
> ```
> 
> Compare that to the published DKIM key for my domain, panoptic.com:
> 
> ```
> $ dig default._domainkey.panoptic.com txt +short
> "v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM"
> "yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE"
> "y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa"
> "50F0L9kMwGyfqVTUaE+KcEQIDAQAB"
> ```
> 
> Not sure if the lack of public key published in your DNS entry would result 
> in a "bad RSA signature" failure on validation, but there's no way to 
> validate the signature without your public key published properly.
> 
> HTH, HAND,
> 
> Dossy
> 
> -- 
> Dossy Shiobara |  "He realized the fastest way to change
> do...@panoptic.com |   is to laugh at your own folly -- then you
> http://panoptic.com/   |   can let go and quickly move on." (p. 70)
>   * WordPress * jQuery * MySQL * Security * Business Continuity *



Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Dossy Shiobara via Assp-user



On 3/31/21 12:57 PM, Eric Germann wrote:

[...]
In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain

[...]

My public key is published in the DNS for .com.  I’ve verified it’s there by
doing a "dig @nameserver dkim._domainkey..com +short".  It matches what is
in the DKIM generator.


You tried to obscure the domain name but you missed redacting it one 
place.  If that domain name is the actual one you're working with, then 
your DNS entry is incomplete:


```
$ dig dkim._domainkey.semperen.com txt +short
"v=DKIM1"
```

Compare that to the published DKIM key for my domain, panoptic.com:

```
$ dig default._domainkey.panoptic.com txt +short
"v=DKIM1\; k=rsa\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM"
"yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE"
"y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa"
"50F0L9kMwGyfqVTUaE+KcEQIDAQAB"
```

Not sure if the lack of public key published in your DNS entry would 
result in a "bad RSA signature" failure on validation, but there's no 
way to validate the signature without your public key published properly.


HTH, HAND,

Dossy

--
Dossy Shiobara |  "He realized the fastest way to change
do...@panoptic.com |   is to laugh at your own folly -- then you
http://panoptic.com/   |   can let go and quickly move on." (p. 70)
  * WordPress * jQuery * MySQL * Security * Business Continuity *

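The two dig outputs above (the clipped record that only carried v=DKIM1, and the complete panoptic.com record split into several quoted strings) are what a practitioner ends up checking by hand, and the fix in the later message was exactly the zone-file splitting BIND needs. The following is an added example, not code from the thread or from ASSP: it splits dig's presentation form into the TXT character-strings, concatenates them the way a DKIM verifier does, walks the DER of the p= value far enough to confirm the key is rsaEncryption and report its modulus size, and renders a record back out as a BIND TXT RR split into the 255-octet strings a zone file requires. The clipped record and the panoptic.com key are taken from the messages above; the owner name `default._domainkey` and the 255-octet limit are the only assumptions. Standard library only.

```python
import base64
import re

# Input as reported in the thread: what `dig ... txt +short` printed for the
# clipped record (the BIND entry lost everything after the first tag).
CLIPPED_DIG_OUTPUT = '"v=DKIM1"'

# The panoptic.com record as quoted in the thread: several quoted strings,
# because one TXT <character-string> holds at most 255 octets, with ';'
# shown as '\;' because that is how dig escapes it in presentation format.
PANOPTIC_DIG_OUTPUT = (
    '"v=DKIM1\\; k=rsa\\; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmjlAjovTKKp1Nx74U4Atv4QEalKWvG0w6AwLLuecBLSwes2wi+C6ov9+LwaOPFRkM"\n'
    '"yzpzRQkeAz26LsB3otCVpraSqsaNTkJkOi7BNrMeefQmMV7VETy9Q9bu9y62DYsnsQTJbyGigJzPZUOxRgFobZcNFO3ysIEbwHgau8dOkZMqBGL4dq2uHJTJsHmcdiE"\n'
    '"y8X2DsHoRpg5M26YPuvsLRYS+7qzSAPaXzq42zNScL5a6KCqu2t77HFz0tw6kSL3NbzrErAjsXZR828Wky/BeguwgK1m8CM7VIcpc0vHoYscbl2glOw6PJIhFPkMKSa"\n'
    '"50F0L9kMwGyfqVTUaE+KcEQIDAQAB"'
)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def split_txt_strings(presentation: str) -> list:
    """Split dig's TXT presentation form into its character-strings.
    Text outside double quotes is ignored; a backslash escapes the next
    character (this covers the '\\;' dig prints and escaped quotes)."""
    strings, current, in_quote, i = [], [], False, 0
    while i < len(presentation):
        ch = presentation[i]
        if not in_quote:
            in_quote = ch == '"'
        elif ch == "\\" and i + 1 < len(presentation):
            current.append(presentation[i + 1])
            i += 1
        elif ch == '"':
            strings.append("".join(current))
            current, in_quote = [], False
        else:
            current.append(ch)
        i += 1
    return strings


def parse_dkim_record(strings: list) -> dict:
    """Concatenate the strings (RFC 6376 section 3.6.2.2) and parse the
    tag=value list; whitespace inside the base64 p= value is folding."""
    tags = {}
    for item in "".join(strings).split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", value) if name == "p" else value.strip()
    return tags


def _tlv(der: bytes, pos: int):
    """Read one DER tag/length; return (tag, length, offset of the value)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, length, pos


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk a SubjectPublicKeyInfo far enough to check the algorithm OID and
    return the modulus size in bits (what 'a 2048-bit key' refers to)."""
    tag, _, pos = _tlv(spki, 0)                       # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg_len, alg_pos = _tlv(spki, pos)           # AlgorithmIdentifier
    if tag != 0x30 or not spki[alg_pos:alg_pos + alg_len].startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, _, pos = _tlv(spki, alg_pos + alg_len)       # BIT STRING subjectPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    tag, _, pos = _tlv(spki, pos + 1)                 # RSAPublicKey (skip unused-bits octet)
    tag, n_len, pos = _tlv(spki, pos)                 # INTEGER modulus
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(spki[pos:pos + n_len], "big").bit_length()


def check_dkim_record(strings: list) -> dict:
    """Return the parsed tags, the RSA key size (None if unusable) and the
    problems a verifier would trip over."""
    tags, issues, bits = parse_dkim_record(strings), [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        issues.append("unexpected version v=" + tags["v"])
    if tags.get("k", "rsa") != "rsa":
        issues.append("key type k=" + tags["k"] + " is not rsa")
    if "p" not in tags:
        issues.append("no p= tag: the record is incomplete or was clipped")
    elif tags["p"] == "":
        issues.append("empty p= tag: the key is published as revoked")
    else:
        try:   # binascii.Error from b64decode is a ValueError subclass
            bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
        except (ValueError, IndexError) as exc:
            issues.append("p= is not a base64 RSA SubjectPublicKeyInfo: " + str(exc))
        else:
            if bits < 1024:
                issues.append(str(bits) + "-bit key: RFC 8301 requires at least 1024 bits")
    return {"tags": tags, "bits": bits, "issues": issues}


def bind_txt_rr(owner: str, record: str, max_len: int = 255) -> str:
    """Render an ASCII record as a BIND TXT RR split into <=255-octet strings.
    Inside quotes only '"' and backslash need escaping; ';' is literal there
    (dig's '\\;' is an output convention, not a zone-file requirement)."""
    chunks = [record[i:i + max_len] for i in range(0, len(record), max_len)]
    quoted = [c.replace("\\", "\\\\").replace('"', '\\"') for c in chunks]
    return owner + " IN TXT (\n" + "\n".join('    "' + q + '"' for q in quoted) + "\n)"


if __name__ == "__main__":
    for label, out in (("clipped", CLIPPED_DIG_OUTPUT), ("panoptic", PANOPTIC_DIG_OUTPUT)):
        print(label, check_dkim_record(split_txt_strings(out)))
```

To check a live record, pipe `dig +short <selector>._domainkey.<domain> txt` into `split_txt_strings`; an RSA key of 2048 bits needs 392 base64 characters, so a record that parses but reports fewer bits, or no `p=` at all, is the zone-file side of the problem rather than the signer. When the key is later rotated, publish the new one under a new selector and keep the old TXT (or, with the CNAME layout suggested at the top of the thread, the old canonical TXT) until mail signed with it has stopped arriving, because overwriting the record in place breaks verification of anything still in transit.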


Re: [Assp-user] ASSP and DKIM Signing

2021-03-31 Thread Eric Germann
One added note/question.  If I remove the dkim private key, my understanding is 
that assp creates them on startup.

Two questions

1.  Is this accurate and if it isn’t doing it, how does one force it?
2.  If I run more than one domain thru ASSP and want them signed (defined in 
dkimconfig.txt), where do the autogenerated certs put their keys?  If they’re 
in dlim-pub, how do you distinguish them for each domain?

Thanks


> On Mar 31, 2021, at 12:57 PM, Eric Germann  wrote:
> 
> Hello all,
> 
> I’m pulling my hair out with DKIM in ASSP and not sure where else I can look.
> 
> Inbound DKIM works fine.  Mail validates and passes.
> 
> Outbound mail is a different story.
> 
> In /usr/local/assp/dkim/dkimconfig.txt I have the following for my domain
> 
> http://.com/>>
>   
> Algorithm=rsa-sha1
> Method=relaxed/relaxed
> Headers=From:Subject:To
> KeyFile=/usr/local/assp/certs/dkim-dkim-.com.key
> Mode=DKIM
>   
> http://semperen.com/>>
> 
> The key is 2048 bits and is generated by
> https://easydmarc.com/tools/dkim-record-generator.  I trimmed down the
> Headers to just From, Subject and To which shouldn’t be calculated or change
> at all.
> 
> I know it’s picking up the key because when it’s in place, it generates a
> “bad RSA signature” in https://dkimvalidator.com/results.  If I remove the
> private key file, no sig is generated in the headers at all.  Google also
> shows only the SPF header as matching and completely skips over the DKIM
> status when the key file is missing.  DMARC passes because the policy is set
> to SPF or DKIM need to pass, not both.  rsa-sha1 is listed in the DKIM sig
> and k=rsa is in the public key.
> 
> My public key is published in the DNS for .com.  I’ve verified it’s there
> by doing a "dig @nameserver dkim._domainkey..com +short".  It matches what
> is in the DKIM generator.
> 
> I know the DKIM generator is generating valid sigs because it outputs the 
> public and private keys in PEM format also.  I’m able to sign a file and 
> decode it with the public and private keys just fine.
> 
> So, I’m at wits end.  Is there a way to mimic what Mail::DKIM is doing?  Is
> it as simple as extracting the headers to From, Subject and To in that order
> then trying to sign them from the command line?
> 
> Any other debugging advice?
> 
> Thanks in advance for any advice.
> 
> Eric
> 
> 
> 

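The question in the original message about mimicking what Mail::DKIM does before the RSA step can be answered without the Perl module. The following is an added example, not ASSP's or Mail::DKIM's code: it implements the relaxed/relaxed canonicalization from RFC 6376 that the posted dkimconfig.txt selects (Method=relaxed/relaxed), computes the bh= body hash, assembles the DKIM-Signature value with an empty b=, returns the exact bytes the RSA signature covers, and recomputes bh= from an existing signature so you can tell a body-hash failure from a key failure. The headers and body are constructed samples, and the domain and selector names are assumptions. It defaults to sha256 because RFC 8301 deprecates rsa-sha1, but accepts `algo="sha1"` to reproduce the posted Algorithm=rsa-sha1 setting. Standard library only.

```python
import base64
import hashlib
import re

# Constructed sample message (not one from the thread): the three header
# fields the posted dkimconfig.txt signs, plus a Received line that must be
# left out, and a body with the whitespace relaxed canonicalization removes.
SAMPLE_HEADERS = [
    ("Received", "from mx.example.net by assp.example.com; Wed, 31 Mar 2021 12:57:00 -0400"),
    ("From", "Eric  <eric@example.com>"),
    ("Subject", "ASSP and DKIM\r\n Signing"),
    ("To", "assp-user@lists.example.org"),
]
SAMPLE_BODY = b"Hello  list,  \r\n\r\nDKIM test.\r\n\r\n\r\n"


def canon_header_relaxed(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2: lowercase the name, unfold, squeeze runs of WSP
    to one space, strip WSP around the colon and at the end, end with CRLF."""
    value = re.sub(r"\r?\n(?=[ \t])", "", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value)          # collapse WSP runs
    cleaned = value.strip(" \t")
    return name.strip().lower() + ":" + cleaned + "\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: strip trailing WSP per line, squeeze inner WSP
    runs, drop empty lines at the end, and end a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, algo: str = "sha256") -> str:
    """The bh= tag: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, canon_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_signing_input(headers, body: bytes, *, domain: str, selector: str,
                       signed_headers, algo: str = "sha256"):
    """Return (DKIM-Signature value with b= empty, bytes the RSA signature
    covers). Signed headers are taken bottom-up, last occurrence first
    (RFC 6376 section 5.4.2); the DKIM-Signature field itself is appended
    relaxed-canonicalized and without its trailing CRLF."""
    bh = body_hash(body, algo)
    dkim_value = ("v=1; a=rsa-" + algo + "; c=relaxed/relaxed; d=" + domain +
                  "; s=" + selector + "; h=" + ":".join(signed_headers) +
                  "; bh=" + bh + "; b=")
    remaining, parts = list(headers), []
    for wanted in signed_headers:
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == wanted.lower():
                parts.append(canon_header_relaxed(*remaining.pop(i)))
                break
    parts.append(canon_header_relaxed("DKIM-Signature", dkim_value)[:-2])
    return dkim_value, "".join(parts).encode("utf-8")


def body_hash_matches(body: bytes, dkim_value: str) -> bool:
    """Recompute bh= from a DKIM-Signature value and compare. True here plus a
    'bad RSA signature' from the verifier means the body is intact and the
    mismatch is between the signing key and the public key in DNS."""
    tags = {}
    for item in dkim_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]   # 'rsa-sha1' -> 'sha1'
    return body_hash(body, algo) == tags.get("bh")


if __name__ == "__main__":
    value, signing_input = dkim_signing_input(
        SAMPLE_HEADERS, SAMPLE_BODY, domain="example.com", selector="dkim",
        signed_headers=["From", "Subject", "To"], algo="sha1")
    print(value)
    print(signing_input.decode("utf-8"))
```

To finish the signature from a shell, write the returned signing input to a file and run `openssl dgst -sha1 -sign dkim.key -binary signing_input | openssl base64 -A` (or `-sha256` to match `a=rsa-sha256`); the output is the b= value, since DKIM's rsa-sha1 and rsa-sha256 are RSASSA-PKCS1-v1_5 over that hash, and the corresponding `openssl dgst -verify` with the public key extracted from the DNS p= value tells you whether the key pair and the published key actually match, which is what the clipped record in this thread came down to.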