Package: wnpp
Severity: wishlist
Owner: Edmund Lodewijks <[email protected]>
X-Debbugs-Cc: [email protected]

* Package name    : phoenixdkim
  Version         : 1.0.0
  Upstream Contact: Edmund Lodewijks <[email protected]>
* URL             : https://www.phoenixdkim.org/
* License         : BSD-3-clause and SOSL (Sendmail Open Source License)
                    (the same as the opendkim package currently in the archive)
  Programming Lang: C, Lua, Perl (the core milter and library are C; the
                    miltertest scripts and the Lua filter hooks are Lua 5.4;
                    phoenixdkim-keygen is Perl; C is the primary language)
  Description     : DomainKeys Identified Mail (DKIM) signing and verifying milter

DKIM lets a domain take responsibility for a message by adding a
cryptographic signature over selected headers and the body. Receivers
fetch the domain's public key from DNS and verify that the message was
authorised by the owner of the signing domain and was not altered in
transit.

PhoenixDKIM is a standalone, security-focused DKIM signing and
verification milter that grew out of the OpenDKIM codebase and has since
taken its own direction. It uses the OpenSSL 3 / LibreSSL EVP API, signs
and verifies with RSA and Ed25519 (RFC 8463), and can dual-sign a message
with both algorithms at once. Its security defaults are deliberately
strict: RSA-SHA1 is never validated (RFC 8301) and RSA keys below 2048
bits are rejected. Keys can be served from flat files, LMDB, Redis, an
HTTP/HTTPS service or HashiCorp Vault, with zero-downtime key rotation
across multiple valid selectors. Verification is DNSSEC-aware.
Operational metrics are available without extra dependencies through a
Prometheus text-file exporter, an embedded Prometheus /metrics scrape
endpoint, or a StatsD pusher, and policy can be scripted in Lua 5.4. The
package plugs into any Milter-aware MTA such as Postfix or Sendmail, and
supports both signing and verification.
PhoenixDKIM is a security-focused DKIM milter: OpenSSL 3 / LibreSSL EVP
crypto, Ed25519 and dual signing (RFC 8463), strict defaults (no RSA-SHA1
validation per RFC 8301, 2048-bit minimum), DNSSEC-aware verification,
pluggable key backends (files, LMDB, Redis, HTTP, Vault) with
zero-downtime rotation, dependency-free metrics (Prometheus text-file,
embedded /metrics scrape endpoint, or StatsD), reproducible builds, and
Lua 5.4 policy scripting. It grew out of the OpenDKIM codebase but has
taken its own direction; it is not a drop-in replacement and is intended
to coexist with OpenDKIM.

This fork was created to bring the software up to date and make it safe
as Internet-facing software. The build system was changed from Autotools
to CMake, as I am more familiar with it. Tests were added and others were
updated. There are build profiles for AddressSanitizer, UBSan,
ThreadSanitizer, MemorySanitizer, Valgrind/Helgrind and libFuzzer fuzz
targets, alongside hardened-build options (FORTIFY, stack-protector,
stack-clash protection, non-executable stack, CET). Builds are
reproducible (bit-for-bit, including the Debian packages). It provides
some features that OpenDKIM does not, and differs from Rspamd in that it
only does DKIM signing and verifying.

I have been using it in production. I would need a sponsor. Since I am
upstream and use it on my Debian mail server, I think I am the right
person to maintain this. A co-maintainer is always welcome in case I were
to be incapacitated somehow.
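The strict verification defaults described above (rsa-sha1 never validated per RFC 8301, RSA keys under 2048 bits rejected, Ed25519 keys published as a raw 32-byte p= value per RFC 8463, and one DKIM-Signature per algorithm on a dual-signed message), shown as an added Python example. This is not PhoenixDKIM's code (the milter itself is C with Lua hooks) and does not reproduce its internals; the selector names, the FAKE_DNS table standing in for DNS TXT lookups, the placeholder signature headers and the fake_rsa_spki helper, which builds a SubjectPublicKeyInfo with a modulus of the wanted size but no real RSA structure, are all constructed for the example, and the signature bytes themselves are not verified.

```python
import base64

# Strict defaults from the package description: no rsa-sha1 (RFC 8301), RSA >= 2048 bits.
MIN_RSA_BITS = 2048
ALLOWED_ALGS = {"rsa-sha256", "ed25519-sha256"}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def parse_tag_list(value):
    """DKIM tag=value list (RFC 6376 s.3.2); folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        name, _, val = item.strip().partition("=")
        if name:
            tags[name.strip()] = "".join(val.split())
    return tags

def _der_read(buf, pos):
    # Read one DER TLV at pos; return (tag, content, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo holding an RSAPublicKey (RFC 8017)."""
    tag, body, _ = _der_read(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    _, alg, pos = _der_read(body, 0)            # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _der_read(alg, 0)
    if tag != 0x30 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bitstr, _ = _der_read(body, pos)       # BIT STRING; first byte = unused-bit count
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey")
    _, rsapub, _ = _der_read(bitstr, 1)         # RSAPublicKey SEQUENCE
    _, n, _ = _der_read(rsapub, 0)              # modulus INTEGER (leading 0x00 is harmless)
    return int.from_bytes(n, "big").bit_length()

def check_signature_policy(dkim_sig_header, key_record):
    """Pre-verification policy for one DKIM-Signature and its selector's TXT record;
    returns (accepted, reason). The signature bytes themselves are not checked here."""
    sig, key = parse_tag_list(dkim_sig_header), parse_tag_list(key_record)
    alg = sig.get("a", "")
    if alg not in ALLOWED_ALGS:                 # rsa-sha1 lands here: RFC 8301 forbids validating it
        return False, f"algorithm {alg!r} is not validated"
    ktype = key.get("k", "rsa")                 # k= defaults to rsa (RFC 6376)
    if not alg.startswith(ktype + "-"):
        return False, f"key type {ktype} does not match signature algorithm {alg}"
    try:
        pub = base64.b64decode(key.get("p", ""), validate=True)
    except ValueError:                          # binascii.Error is a ValueError
        return False, "key record p= is not valid base64"
    if ktype == "ed25519":                      # RFC 8463: p= is the raw 32-byte key
        ok = len(pub) == 32
        return ok, ("ed25519-sha256 accepted" if ok else "ed25519 key must be 32 raw bytes")
    try:
        bits = rsa_modulus_bits(pub)
    except (ValueError, IndexError):            # also covers an empty (revoked) p=
        return False, "RSA key record is not a valid SubjectPublicKeyInfo"
    if bits < MIN_RSA_BITS:
        return False, f"RSA key is {bits} bits, below the {MIN_RSA_BITS}-bit minimum"
    return True, f"rsa-sha256 with {bits}-bit key accepted"

def _der(tag, content):
    # Minimal DER TLV encoder, used only to build the CONSTRUCTED test keys below.
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_rsa_spki(bits):
    """CONSTRUCTED key whose modulus has exactly `bits` bits; not a usable RSA key."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    if n[0] & 0x80:
        n = b"\x00" + n                         # DER INTEGER is two's-complement
    rsapub = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")
    return _der(0x30, alg + _der(0x03, b"\x00" + rsapub))

# Constructed stand-in for DNS TXT lookups of selector._domainkey.example.org.
FAKE_DNS = {
    "rsa2048._domainkey.example.org": "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode(),
    "rsa1024._domainkey.example.org": "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode(),
    "ed._domainkey.example.org": "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(range(32))).decode(),
}
# Constructed DKIM-Signature values; bh= and b= are placeholders, not real digests.
_TAIL = "c=relaxed/relaxed; d=example.org; h=from:to:subject:date; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI="
DUAL_SIGNED = [f"v=1; a=rsa-sha256; s=rsa2048; {_TAIL}", f"v=1; a=ed25519-sha256; s=ed; {_TAIL}"]
LEGACY_SHA1, WEAK_RSA = f"v=1; a=rsa-sha1; s=rsa2048; {_TAIL}", f"v=1; a=rsa-sha256; s=rsa1024; {_TAIL}"

def evaluate_message(dkim_signature_headers, dns=FAKE_DNS):
    """Dual-signed mail carries one DKIM-Signature per algorithm (RFC 8463); check each."""
    results = []
    for hdr in dkim_signature_headers:
        sig = parse_tag_list(hdr)
        name = f"{sig.get('s')}._domainkey.{sig.get('d')}"
        record = dns.get(name)
        results.append((name, *(check_signature_policy(hdr, record) if record else (False, "no key record"))))
    return results
```

evaluate_message(DUAL_SIGNED) accepts both signatures, while LEGACY_SHA1 and WEAK_RSA are refused before any signature computation, which is the point of applying the policy before spending CPU on verification and before trusting a weak key. A real verifier additionally checks v=DKIM1, the h= and t= tags and, as the package description says it does, the DNSSEC status of the key lookup.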

