- 
          
- 
                Notifications
    You must be signed in to change notification settings 
- Fork 5
Set up new dkim milter #582
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
| OctoDNS Plan for  | 
| Operation | Name | Type | TTL | Value | Source | 
|---|---|---|---|---|---|
| Delete | _acme-challenge | TXT | 120 | DpNMkDbvV6A8DYCi5m-qERyNTtO9E28w2fqc1P-COvA; NYdLAk9Q7_b9CbgybIhPXI6ZkAH7SwNOHV4uSKmX1ls | |
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB | 
Summary: Creates=0, Updates=0, Deletes=2, Existing=34, Meta=False
pythondiscord.org.
cloudflare
| Operation | Name | Type | TTL | Value | Source | 
|---|---|---|---|---|---|
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB | 
Summary: Creates=0, Updates=0, Deletes=1, Existing=4, Meta=False
pydis.wtf.
cloudflare
| Operation | Name | Type | TTL | Value | Source | 
|---|---|---|---|---|---|
| Delete | _acme-challenge | TXT | 120 | bAMtYtCdS3WoIRItvSJ-J3JijCtFx-iUsyvd0jYTVdM | |
| Delete | cf2024-1._domainkey | TXT | 300 | v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiweykoi+o48IOGuP7GR3X0MOExCUDY/BCRHoWBnh3rChl7WhdyCxW3jgq1daEjPPqoi7sJvdg5hEQVsgVRQP4DcnQDVjGMbASQtrY4WmB1VebF+RPJB2ECPsEDTpeiI5ZyUAwJaVX7r6bznU67g7LvFq35yIo4sdlmtZGV+i0H4cpYH9+3JJ78km4KXwaf9xUJCWF6nxeD+qG6Fyruw1Qlbds2r85U9dkNDVAS3gioCvELryh1TxKGiVTkg4wqHTyHfWsp7KD3WQHYJn0RyfJJu6YEmL77zonn7p2SRMvTMP3ZEXibnC9gz3nnhR6wcYL8Q7zXypKTMD58bTixDSJwIDAQAB | 
Summary: Creates=0, Updates=0, Deletes=2, Existing=45, Meta=False
| Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation? Can we still copy failing domains into a mailbox? Are we still performing validation of inbound email? | 
| Hi! Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation? I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
-> https://codeberg.org/glts/dkim-milter
 Can we still copy failing domains into a mailbox? Could you clarify what you mean with "failing domains" - like anything failing validation?
I don't think this supports that either, sorry. But again, we could ask upstream?  Are we still performing validation of inbound email? Yes, anything failing validation is rejected at heaven's gate. | 
|  I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
 -> https://codeberg.org/glts/dkim-milter
 Sounds good, I'm not super fussed over this one.  Could you clarify what you mean with "failing domains" - like anything failing validation?
 I don't think this supports that either, sorry. But again, we could ask upstream? Also sounds good for asking upstream.
My concern is that we risk creating an invisible delivery problem here.
For example, this sounds like it would instantly auto-reject your
mailing list mails without it being visible (copied into an inbox like
it currently is, though this might be OpenDMARC?).
We should probably configure some DKIM rejection alerts if we don't have
the visibility from mail being copied.
Our OpenDMARC deployment does handle some of this (maybe more than I
think?) so I will go away and check what OpenDKIM handles and what
OpenDMARC handles.
Basically, as long as instead of rejecting we put stuff into mailq
(which might be the behaviour, I was unsure where "heaven's gate" is in
this instance.… On 4/20/25 20:09, jchristgit wrote:
 jchristgit left a comment (python-discord/infra#582)
 Hi!
> Remind me, does this replace the sending of DKIM reports to sender domains when we fail validation?
 I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
 -> https://codeberg.org/glts/dkim-milter
> Can we still copy failing domains into a mailbox?
 Could you clarify what you mean with "failing domains" - like anything failing validation?
 I don't think this supports that either, sorry. But again, we could ask upstream?
> Are we still performing validation of inbound email?
 Yes, anything failing validation is rejected at heaven's gate.
 | 
| On Sun, Apr 20, 2025 at 12:37:41PM -0700, Joe Banks wrote:
jb3 left a comment (python-discord/infra#582)
> I'm afraid not, no. But maybe we could 1. open an upstream issue and / or contribute it?
> -> https://codeberg.org/glts/dkim-milter
Sounds good, I'm not super fussed over this one.
> Could you clarify what you mean with "failing domains" - like anything failing validation?
> I don't think this supports that either, sorry. But again, we could ask upstream?
Also sounds good for asking upstream.
My concern is that we risk creating an invisible delivery problem here.
For example, this sounds like it would instantly auto-reject your
mailing list mails without it being visible (copied into an inbox like
it currently is, though this might be OpenDMARC?). I read a bit through OpenDMARC docs and tutorials together with OpenDKIM. I understand that this might be handled by OpenDMARC.
In other news, OpenDMARC is not maintained anymore either. https://github.com/trusteddomainproject/OpenDMARC
Can you feel the pillars of our creation crumbling, Joe? Can you feel how it all ceases to matter?
Can you feel the floor you are standing on vanishing beneath your feet?
Can you feel how you are slowly sucked into the void?
Can you feel how we will all suffocate?
Anyways, maybe, if you're interested, we could also build our own mail authentication daemon.
I have a local thing that uses https://github.com/stalwartlabs/mail-auth. It's not very complicated.
I think Rust is a good pick for this, as much as I like Erlang and Python. It needs to be fast. C scares me a bit.
What do you think? | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR replaces the deprecated opendkim milter with a new dkim-milter role for managing DKIM key generation and service configuration. Key changes include:
- Addition of variables and configuration files for dkim-milter.
- Implementation of tasks to install dependencies, generate keys, and set up service templates.
- Updates to handlers and playbook to integrate the new dkim-milter role.
Reviewed Changes
Copilot reviewed 4 out of 6 changed files in this pull request and generated 1 comment.
| File | Description | 
|---|---|
| ansible/roles/dkim-milter/vars/main.yml | Introduces configuration variables for domains, signings, and selector. | 
| ansible/roles/dkim-milter/tasks/main.yml | Implements tasks to install packages, create users/directories, generate keys, and configure services. | 
| ansible/roles/dkim-milter/handlers/main.yml | Defines handlers for service reload/restart of dkim-milter. | 
| ansible/playbook.yml | Updates playbook to replace opendkim with dkim-milter. | 
Files not reviewed (2)
- ansible/roles/dkim-milter/templates/dkim-milter.conf.j2: Language not supported
- ansible/roles/dkim-milter/templates/dkim-milter.service.j2: Language not supported
| with_items: | ||
| - "{{ dkim_milter_domains }}" | ||
| args: | ||
| creates: /etc/dkimkeys/{{ item }}/{{ dkim_milter_selector }}.pem | 
    
      
    
      Copilot
AI
    
    
    
      Apr 27, 2025 
    
  
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The 'creates' path appears inconsistent with the key generation location in the command (which is /etc/dkim-milter/keys). Consider updating the path to match the expected directory.
| creates: /etc/dkimkeys/{{ item }}/{{ dkim_milter_selector }}.pem | |
| creates: /etc/dkim-milter/keys/{{ item }}/{{ dkim_milter_selector }}.pem | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unfortunately, I think it's right.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, in its screenful of absolutely pointless fluff, it manages to produce something of value. This is roughly similar to talking to a Microsoft representative.
The existing `opendkim` milter is no longer maintained. This commit introduces a role which deploys `dkim-milter`. As-is, it is not a complete replacement, since the role does not (yet) migrate keys of the old `opendkim` setup.
6098411    to
    fed57b4      
    Compare
  
    6c2d3f4    to
    637c5d0      
    Compare
  
    There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
| ExecReload=/bin/kill -HUP $MAINPID | ||
| Restart=on-failure | ||
|  | ||
| # schizophrenia | 
    
      
    
      Copilot
AI
    
    
    
      Sep 27, 2025 
    
  
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The comment 'schizophrenia' is inappropriate and unprofessional. Consider removing it or replacing it with a clear explanation of why system protection is being configured.
| # schizophrenia | |
| # Restrict access to the system for security | 
| {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem | ||
| {% endfor %} | ||
| {% for item in dkim_milter_extra_signings %} | ||
| {% set keyname = (item['domain'] | replace(".", "_")) %} | ||
| {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem | 
    
      
    
      Copilot
AI
    
    
    
      Sep 27, 2025 
    
  
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The key file path references {{ keyname }}.pem but the key generation task creates files in subdirectories like /etc/dkim-milter/keys/{{ item }}/{{ dkim_milter_selector }}.private. The path structure is inconsistent and will cause the milter to fail finding the keys.
| {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem | |
| {% endfor %} | |
| {% for item in dkim_milter_extra_signings %} | |
| {% set keyname = (item['domain'] | replace(".", "_")) %} | |
| {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}.pem | |
| {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}/{{ dkim_milter_selector }}.private | |
| {% endfor %} | |
| {% for item in dkim_milter_extra_signings %} | |
| {% set keyname = (item['domain'] | replace(".", "_")) %} | |
| {{ keyname }} < /etc/dkim-milter/keys/{{ keyname }}/{{ dkim_milter_selector }}.private | 
| group: root | ||
| mode: 0o755 | ||
| vars: | ||
| dkim_milter_version: 0.2.0-alpha.1 | 
    
      
    
      Copilot
AI
    
    
    
      Sep 27, 2025 
    
  
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Using an alpha version in production deployment could lead to instability issues. If Rust was used for this milter implementation, you'd benefit from memory safety guarantees and better error handling that could make alpha versions more reliable. Consider evaluating the stability of this alpha release or pinning to a stable version when available.
The existing
opendkimmilter is no longer maintained.This commit introduces a role which deploys
dkim-milter.As-is, it is not a complete replacement, since the role does not (yet)
migrate keys of the old
opendkimsetup.