ref: 4d89fae4c656bc300673c8d8c85030cca9fa3c27
parent: 5d3e0b627b5d4f220ce20949230e70f1ea5ac378
author: sirjofri <sirjofri@sirjofri.de>
date: Fri Feb 21 10:47:23 EST 2025
fixes pdf output, adds DKIM post
--- /dev/null
+++ b/changeblog/1740150466.txt
@@ -1,0 +1,74 @@
+Mail Server DKIM
+
+Some mail providers want it, others demand it: DKIM.
+
+Upas is quite an old mail system, but it ‥has‥ dkim support.
+However, documentation for upas in general is rare, so I'll try to note down how to sign your outgoing mail in a 9front mail system.
+This post ist not only for you, but also for me in five years.
+
+### Theory: DKIM on Plan 9
+
+Upas is distributed with an additional tool ‥‥‥upas/dkim‥‥‥, which we will use here.
+The tool expects the private key in factotum.
+How you get the key into the factotum is up to you as it depends on various factors.
+I'll just show you which key to generate and how to use it.
+
+DKIM uses your domain and a specific ‥selector‥ as an identifier.
+While it is pretty clear what the domain is, the selector is just a name for a specific key.
+It is possible to have multiple DKIM keys, and this is sometimes needed when rotating your keys.
+
+Everything else is just calling ‥‥‥dkim‥‥‥ in your ‥‥‥remotemail‥‥‥.
+
+### Implementation
+
+To generate keys, run the following commands:
+
+[[[ms
+.P1
+auth/rsagen -b 2048 -t 'service=dkim role=sign hash=sha256 domain=example.com'
+ > dkimprivatekey
+auth/rsa2asn1 -f spki dkimprivatekey | auth/pemencode DKIM >dkimpubkey
+.P2
+]]]
+[[[ebook
+<code><pre>
+auth/rsagen -b 2048 -t 'service=dkim role=sign hash=sha256 domain=example.com'
+ > dkimprivatekey
+auth/rsa2asn1 -f spki dkimprivatekey | auth/pemencode DKIM >dkimpubkey
+</pre></code>
+]]]
+
+This will generate the private key you should feed into the factotum, as well as a public key file in PEM format.
+
+We don't need the PEM format specifically, but it's an easy way to create a Base64 encoded version of the public key, which is what we need.
+Just forget about the specific and only copy the key itself to the DNS entry.
+
+The DNS entry must be a TXT entry named ‥‥‥SELECTOR._domainkey.example.com‥‥‥ with the content: ‥‥‥v=DKIM1; k=rsa; p=YOURPUBLICKEY‥‥‥.
+
+This DNS entry will be used by the receiving servers to verify your mail.
+Keep note of the ‥SELECTOR‥ as it is the name of this specific key, and you'll use it to tell the receiving server which key you used for signing.
+
+To sign your mails, open your ‥‥‥/mail/lib/remotemail‥‥‥ file and edit the call to ‥‥‥smtp‥‥‥ with something similar to this:
+
+[[[ms
+.P1
+/bin/upas/smtp -f -C -s -h $fd $addr $sender $*
+ | /bin/upas/dkim -s SELECTOR -d example.com
+ | /bin/upas/smtp -C -s -h $fd $addr $sender $*
+.P2
+]]]
+[[[ebook
+<code><pre>
+/bin/upas/smtp -f -C -s -h $fd $addr $sender $*
+ | /bin/upas/dkim -s SELECTOR -d example.com
+ | /bin/upas/smtp -C -s -h $fd $addr $sender $*
+</pre></code>
+]]]
+
+You can see, your mail is processed by two calls to ‥‥‥smtp‥‥‥, with a call to ‥‥‥dkim‥‥‥ in between.
+The first call doesn't ‥send‥ the mail, it only processes it (the ‥‥‥-f‥‥‥ flag) to add additional headers.
+
+The call to ‥‥‥dkim‥‥‥ then processes the headers and adds the DKIM signature header to your mail.
+
+Last, the second call to ‥‥‥smtp‥‥‥ finally sends the processed mail to the receiving server.
+
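Review bot: In the paragraph after the key generation commands, "Just forget about the specific and only copy the key itself to the DNS entry" is missing a noun and does not say what to drop. Spell out that the BEGIN/END lines written by auth/pemencode are discarded and the remaining Base64 lines are joined into the single value that goes after p=. In the same hunk, "This post ist not only for you" should read "is". The first command redirects the generated key into a plain file named dkimprivatekey, so the post should also tell the reader to delete or restrict that file once the key is loaded into factotum. Finally, the sample commands use domain=example.com while the DNS name uses SELECTOR as a placeholder; a short sentence saying both must be replaced, and that the -s and -d arguments to upas/dkim must match the DNS name, would keep readers from publishing a record the signature does not point to.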
--- a/mkfile
+++ b/mkfile
@@ -104,8 +104,12 @@
changeblog/%.ms:Q: changeblog/%.txt
{
- ./txt2ms -v 'firstheader=1' changeblog/$stem.txt
- } > $target
+ title=`{
+ sed '2q' changeblog/$stem.txt | tr -d $nl
+ }
+ echo '# '^$"title
+ sed '1d;s/^##/#/g' changeblog/$stem.txt
+ } | ./txt2ms > $target
echo '√ '^$target^' prepared'
changeblog/%.ht:Q: changeblog/%.txt
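Review bot: The title extraction uses sed '2q', which prints the first two lines of the post, and then relies on tr -d $nl to glue them together; if the second line of a changeblog file is ever not blank, its text is merged into the title with no separator. sed 1q would take only the title line. $nl is not defined anywhere in the visible lines, so please confirm it is set earlier in the mkfile, otherwise tr gets an empty argument. In sed '1d;s/^##/#/g' the g flag has no effect because the pattern is anchored with ^, and the substitution also rewrites any line starting with ## inside a [[[ ]]] block, which may not be intended. The commit message says this fixes pdf output, but the removal of -v 'firstheader=1' from the txt2ms call is not explained; a comment in the recipe on why the header is now built by hand would help.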