Thanks for this, Phil. Very helpful to see how you approached it.
It seems that there is no question that ed25519 keys work, it's just my
platform
that seems to be choking.
Using either exim 4.88 or exim 4.93 I get the same issue.
Suspect my distro build uses openssl instead of gnutls and my version
of openssl is 1.1.0 but ed25519 support is in 1.1.1
So, either I build exim to use gnutls, or I upgrade openssl to 1.1.1
That's my plan, and will report back on results.
On 04/03/2020 23:26, Phil Pennock via Exim-users wrote:
> On 2020-03-04 at 09:06 +0000, Graham McAlister via Exim-users wrote:
>> Has anyone successfully used Exim and DKIM with ed25519 keys? Any pointers?
> Yes. I dual-sign. It's amusing to see all the status reports from
> systems which don't implement Ed25519. At least most of them now will
> accept seeing the RSA signature and accept it as good enough, so ignore
> the failure from the Ed25519 side.
>
> I've attached `/etc/exim/dk/Makefile` from my own mailhub; there's other
> process flow to get the secrets safely stashed away, etc. A couple of
> hard-coded paths you'll need to update: I doubt that
> `OPENSSL:=/opt/openssl-1.1.1/bin/openssl` works for you.
>
> Oh, it's a BSD Makefile. I don't think GNU make likes the `.for`
> syntax. So unless you're on a BSD, this will at best provide you with a
> crib source.
>
> Running `make` will make the new RSA and Ed25519 keys for "this month".
> I use dYYYYMM as the selector for RSA and dYYYYMMe2 as the selector for
> Ed25519.
>
> `make list-current` gets me the exact input I use for my DKIM selector
> lookup input (it actually makes a CDB from this).
>
> The actual key generation is done with:
>
> ( umask 027 && $(OPENSSL) genpkey -algorithm ed25519 > ${.TARGET} )
>
> Git history of the secrets archive shows that I have been running with
> this since making the d201804 keys. It's been working fine in all that
> time.
>
> -Phil
>