Thanks for this, Phil. Very helpful to see how you approached it.
It seems that there is no question that ed25519 keys work, it's just my
platform that seems to be choking.
Using either exim 4.88 or exim 4.93 I get the same issue.
Suspect my distro build uses openssl instead of gnutls and my version
of openssl is 1.1.0 but ed25519 support is in 1.1.1
So, either I build exim to use gnutls, or I upgrade openssl to 1.1.1
That's my plan, and will report back on results.
On 04/03/2020 23:26, Phil Pennock via Exim-users wrote:
On 2020-03-04 at 09:06 +0000, Graham McAlister via Exim-users wrote:
Has anyone successfully used Exim and DKIM with ed25519 keys? Any pointers?
Yes. I dual-sign. It's amusing to see all the status reports from
systems which don't implement Ed25519. At least most of them now will
accept seeing the RSA signature and accept it as good enough, so ignore
the failure from the Ed25519 side.
I've attached `/etc/exim/dk/Makefile` from my own mailhub; there's other
process flow to get the secrets safely stashed away, etc. A couple of
hard-coded paths you'll need to update: I doubt that
`OPENSSL:=/opt/openssl-1.1.1/bin/openssl` works for you.
Oh, it's a BSD Makefile. I don't think GNU make likes the `.for`
syntax. So unless you're on a BSD, this will at best provide you with a
crib source.
Running `make` will make the new RSA and Ed25519 keys for "this month".
I use dYYYYMM as the selector for RSA and dYYYYMMe2 as the selector for
Ed25519.
`make list-current` gets me the exact input I use for my DKIM selector
lookup input (it actually makes a CDB from this).
The actual key generation is done with:
( umask 027 && $(OPENSSL) genpkey -algorithm ed25519 > ${.TARGET} )
Git history of the secrets archive shows that I have been running with
this since making the d201804 keys. It's been working fine in all that
time.
-Phil
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
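The monthly key generation Phil describes (umask 027, `openssl genpkey -algorithm ed25519`, a dYYYYMMe2 selector) as a stand-alone POSIX shell script; this is an added example, not Phil's Makefile or anything shipped with Exim. It also checks up front that the local openssl actually supports Ed25519 (the 1.1.0 vs 1.1.1 problem Graham hit) and builds the DNS TXT record, which per RFC 8463 carries the raw 32-byte public key in base64 rather than the SubjectPublicKeyInfo DER that openssl emits. The `/etc/exim/dk` key directory, the `.pem` file naming and the `generate` subcommand are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Ed25519 DKIM key generation for Exim.
set -eu

OPENSSL="${OPENSSL:-openssl}"   # e.g. /opt/openssl-1.1.1/bin/openssl on a 1.1.0 distro

# openssl 1.1.0 has no Ed25519; 1.1.1 does. Probe instead of guessing from the version string.
openssl_has_ed25519() {
    "$OPENSSL" genpkey -algorithm ed25519 >/dev/null 2>&1
}

# Selector convention from the thread: dYYYYMM for RSA, dYYYYMMe2 for Ed25519.
ed25519_selector() {
    printf 'd%se2' "$1"
}

# Private key written with a restrictive umask so the file is never world-readable.
gen_ed25519_key() {
    ( umask 027 && "$OPENSSL" genpkey -algorithm ed25519 > "$1" )
}

# openssl prints a 44-byte SPKI DER (12-byte OID prefix + 32-byte key).
# DKIM's p= tag wants only the 32 raw bytes, base64-encoded (RFC 8463).
dkim_ed25519_pubkey() {
    "$OPENSSL" pkey -in "$1" -pubout -outform DER | tail -c 32 | "$OPENSSL" base64 -A
}

dkim_txt_record() {
    printf 'v=DKIM1; k=ed25519; p=%s' "$(dkim_ed25519_pubkey "$1")"
}

main() {
    month="$1"; keydir="$2"
    openssl_has_ed25519 || { echo "$OPENSSL lacks Ed25519 (need 1.1.1+)" >&2; exit 1; }
    sel="$(ed25519_selector "$month")"
    key="$keydir/$sel.pem"                      # assumed naming
    gen_ed25519_key "$key"
    printf '%s._domainkey TXT "%s"\n' "$sel" "$(dkim_txt_record "$key")"
}

# Assumed invocation: sh dkim-ed25519.sh generate 202003 /etc/exim/dk
if [ "${1:-}" = "generate" ]; then
    main "${2:-$(date +%Y%m)}" "${3:-/etc/exim/dk}"
fi
```

Publish the printed TXT record under the selector, then point Exim's `dkim_private_key` at the generated file alongside the RSA key for dual-signing.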