Package: dkimproxy
Version: 1.4.1-3
Severity: important
Dear Maintainer,
I was instructed to install dkimproxy while evaluating OpenSMTPD.
It pretends to work, but creates rsa-sha1 signatures by default, and
it is impossible to override without editing the initscript.
However, RFC8301 section 3.1 says:
"""
DKIM supports multiple digital signature algorithms. Two algorithms
are defined by this specification at this time: rsa-sha1 and
rsa-sha256. Signers MUST sign using rsa-sha256. Verifiers MUST be
able to verify using rsa-sha256. rsa-sha1 MUST NOT be used for
signing or verifying.
DKIM signatures identified as having been signed with historic
algorithms (currently, rsa-sha1) have permanently failed evaluation
as discussed in Section 3.9 of [RFC6376].
"""
In other words, the default signatures use a prohibited algorithm.
I would also be happy if the OpenSMTPD manual page smtpd(8) started
recommending some other way to make DKIM signatures.
-- System Information:
Debian Release: 10.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.3.12-arch1-1 (SMP w/8 CPU cores; PREEMPT) # LXC container
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE # wireguard
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dkimproxy depends on:
ii adduser 3.118
ii liberror-perl 0.17027-2
ii libmail-dkim-perl 0.54-1
ii libnet-server-perl 2.009-1
ii libtext-wrapper-perl 1.05-2
ii lsb-base 10.2019051400
ii openssl 1.1.1d-0+deb10u2
ii perl 5.28.1-6
ii ssl-cert 1.0.39
Versions of packages dkimproxy recommends:
pn amavisd-new <none>
dkimproxy suggests no packages.
-- Configuration Files:
/etc/default/dkimproxy changed [not included]
/etc/dkimproxy/dkimproxy_out.conf changed [not included]
/etc/init.d/dkimproxy changed [not included]
-- no debconf information
--
Alexander E. Patrakov
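
To confirm which algorithm a signer is actually emitting, the `a=` tag of each DKIM-Signature header on a signed message can be checked against the RFC 8301 rule quoted in the report. The following is an added example, not part of the original report or of dkimproxy; the function names and the sample message (domain, selectors, hash values) are constructed for illustration.

```python
import email

def parse_tag_list(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        # Split on the first "=" only: base64 values may end in "=" padding.
        name, _, val = item.partition("=")
        # Folding whitespace may surround or be embedded in values; drop it.
        tags[name.strip()] = "".join(val.split())
    return tags

def audit_dkim_algorithms(raw_message):
    """Return (domain, selector, algorithm, verdict) per DKIM-Signature header."""
    msg = email.message_from_string(raw_message)
    results = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tag_list(header)
        algo = tags.get("a", "")
        if algo == "rsa-sha256":
            verdict = "ok"            # the algorithm signers MUST use
        elif algo == "rsa-sha1":
            verdict = "prohibited"    # MUST NOT be used for signing or verifying
        else:
            verdict = "unrecognized"  # not one of the two algorithms quoted above
        results.append((tags.get("d", ""), tags.get("s", ""), algo, verdict))
    return results

# Constructed sample: one folded rsa-sha1 signature, one rsa-sha256 signature.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.org; h=from:to:subject;\n"
    "\ts=selector1; bh=AAAA; b=BBBB==\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    "\ts=selector2; h=from:to:subject; bh=CCCC; b=DDDD\n"
    "From: a@example.org\n"
    "To: b@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for domain, selector, algo, verdict in audit_dkim_algorithms(SAMPLE):
        print(f"d={domain} s={selector} a={algo}: {verdict}")
```
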