Re: Remote key generation

From: Alessandro Vesely <vesely_at_tana.it>
Date: Sat, 16 Mar 2019 18:18:23 +0100

On Thu 14/Mar/2019 20:30:49 +0100 David L Neil wrote:

> Is it possible, and are there any security objections to, generating keys and
> opendkim keyfiles (etc) on one machine, for deployment to another?


Sure. The only security concern is that private keys are kept private.


> What I would like to do is:
> 1 use my personal machine to keep a list of opendkim deployments on multiple
> physical servers


Good.


> 2 periodically generate new keys


Good practice. Note that the mail server usually is completely unaware of public key publication. You tell the server to use a private key and it does as commanded. DNS settings should have been done the day before (or an adequate interval of time before).


> 3 build the necessary files locally (BASH/Python script)


I use Murray's opendkim-genkey[*]. It is a Perl script whose core consists of the openssl call that actually generates the key:

$status = system("openssl rsa -in " . $selector . ".private -pubout -out " . $selector . ".public -outform PEM > /dev/null 2>&1");

Keys should be transformed into a format suitable for DNS (the public key) and for the DKIM signer (the private key).


[*] https://github.com/trusteddomainproject/OpenDKIM/blob/master/opendkim/opendkim-genkey.in


> 4 deploy at appropriate times-of-day


Check what the highest TTL among your servers is, and schedule a longer interval between key publication and private key deployment. There is nothing wrong with having new public keys collecting mold on the DNS for as long as needed, before private keys are deployed.


> Assume all hardware is 64-bit, the OpSys may differ between CentOS7 and
> Fedora29, time zones differ hugely. The 'generator' machine does not run
> opendkim, the email servers do. (um, well, yes...)


Fine


> Better still: has it already been done/is there some web-based service I've not
> yet found?


You mean a public service? Sure you must be joking :-)


Best
Ale
-- 
Received on Sat Mar 16 2019 - 17:18:43 PST
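The workflow discussed in this thread, as an added example that is not part of the mail or of the OpenDKIM project: the generator machine creates the key pair with openssl (a genrsa step, not shown in the mail, followed by the `openssl rsa -pubout` extraction the mail quotes), reshapes the public key into the DKIM TXT record DNS needs (split into 255-byte strings), and computes the earliest moment the private key may be handed to the signer from the highest TTL among the servers. The selector, domain, file names and the sample public key are constructed for illustration; openssl is assumed to be on PATH only for the key-generation step, which runs solely when the script is executed directly.

```python
"""Build DKIM key artifacts on a 'generator' machine, then hand each one to its
consumer: the public key goes to DNS first, the private key goes to the signer
only after the record has had time to propagate.

Added example, not code from the mailing list or from OpenDKIM.  Assumes openssl
is on PATH; selector, domain and file names are illustrative.
"""
import base64
import os
import subprocess
from datetime import datetime, timedelta

TXT_STRING_MAX = 255  # one character-string inside DNS TXT RDATA holds at most 255 bytes


def generate_keypair(selector: str, bits: int = 2048, workdir: str = ".") -> tuple[str, str]:
    """Create <selector>.private and <selector>.public with openssl.

    Two steps: genrsa for the private key, then the 'openssl rsa -pubout'
    extraction quoted in the mail for the public key.  Requires openssl on PATH.
    """
    priv = os.path.join(workdir, f"{selector}.private")
    pub = os.path.join(workdir, f"{selector}.public")
    subprocess.run(["openssl", "genrsa", "-out", priv, str(bits)],
                   check=True, capture_output=True)
    os.chmod(priv, 0o600)  # the only secret in the whole process: keep it unreadable to others
    subprocess.run(["openssl", "rsa", "-in", priv, "-pubout", "-out", pub, "-outform", "PEM"],
                   check=True, capture_output=True)
    return priv, pub


def pem_public_key_to_dkim_txt(pem: str, selector: str, domain: str) -> tuple[str, list[str]]:
    """Transform a PEM public key into the DKIM TXT record DNS needs.

    Returns (owner name, list of TXT strings).  The PEM armour lines are dropped,
    the base64 body is joined into one line, and the record is split into
    255-byte strings so zone files and DNS APIs that enforce the limit accept it.
    """
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    base64.b64decode(body, validate=True)  # refuse a mangled key instead of publishing garbage
    record = f"v=DKIM1; k=rsa; p={body}"
    strings = [record[i:i + TXT_STRING_MAX] for i in range(0, len(record), TXT_STRING_MAX)]
    owner = f"{selector}._domainkey.{domain}."
    return owner, strings


def zone_file_line(owner: str, strings: list[str], ttl: int) -> str:
    """Render the record as one zone-file line; base64 never contains quotes, so plain quoting is safe."""
    return f"{owner} {ttl} IN TXT " + " ".join(f'"{s}"' for s in strings)


def deployment_wait_seconds(ttls_seconds: list[int], safety_factor: float = 2.0) -> int:
    """Resolvers may keep a cached answer for the record's name for up to its TTL,
    so wait for the highest TTL among all servers' zones, times a safety factor."""
    return int(max(ttls_seconds) * safety_factor)


def earliest_private_key_deployment(published_at: datetime, ttls_seconds: list[int],
                                    safety_factor: float = 2.0) -> datetime:
    """Earliest moment the signer may start using the new private key."""
    return published_at + timedelta(seconds=deployment_wait_seconds(ttls_seconds, safety_factor))


# Constructed sample standing in for <selector>.public: NOT a real RSA key.
FAKE_SPKI_B64 = base64.b64encode(b"constructed sample bytes, NOT a real RSA key " * 8).decode()
SAMPLE_PUBLIC_PEM = ("-----BEGIN PUBLIC KEY-----\n"
                     + "\n".join(FAKE_SPKI_B64[i:i + 64] for i in range(0, len(FAKE_SPKI_B64), 64))
                     + "\n-----END PUBLIC KEY-----\n")


if __name__ == "__main__":
    from datetime import timezone
    priv, pub = generate_keypair("sel201903", workdir=os.getcwd())
    with open(pub) as f:
        owner, strings = pem_public_key_to_dkim_txt(f.read(), "sel201903", "example.com")
    print(zone_file_line(owner, strings, 3600))
    published = datetime.now(timezone.utc)
    print("deploy", priv, "no earlier than",
          earliest_private_key_deployment(published, [300, 3600, 86400]).isoformat())
```

The zone-file line is what goes into DNS on publication day; the private key file, with its 0600 mode preserved, is what gets copied to the mail servers once the computed moment has passed. The generator never needs opendkim installed, matching the setup described in the thread.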
