[exim-dev] DKIM Signing and renewing DKIM certificates

Author: Mark Elkins
Date:  
To: admin--- via Exim-dev
Subject: [exim-dev] DKIM Signing and renewing DKIM certificates
I'm looking for advice. I have recently created a bunch of keys for the
different domains that use my EXIM SMTP server. That's all working fine
(looking at DMARC reports). Now I'd like to renew the keys once a month.
I've been reading...
https://www.sidn.nl/en/news-and-blogs/hands-on-implementing-spf-dkim-and-dmarc-in-exim
- which is possibly the most comprehensive article I've seen.

I'm reading the following...


    4.12 DKIM key pair rollover


Of course, when you change your DKIM key pair, the public key in the
DKIM record needs to be changed as well. That implies performing a minor
rollover when you make the change: the new DKIM record needs to be
published alongside the old one before the key pair is changed. The new
key pair cannot be activated on the server until the TTL
<https://en.wikipedia.org/wiki/Time_to_live> has expired and the old
DKIM information has been flushed from all DNS caches. If the new key
pair is activated too soon, you run the risk that validating mail
servers will not accept a DKIM signature based on the new key pair, due
to a mismatch with the old information. If you use a new selector for
your new key pair, you don't have to wait for all DNS caches to clear
before you start using your new key pair. The reason being that no DNS
information will have been cached for the new selector. Once you've
activated the new key pair, the old DKIM record shouldn't be deleted
immediately. Mail can sometimes be in transit for several days before
finally being delivered or bounced. We recommend retaining the old DKIM
record for at least a week.

-oOo-

... so I'd look at keeping the selector the same (it's hard coded in
exim.conf) and so my understanding is,

Initial Creation:

    create the domain.pem & domain.pub parts, create and publish the
    DKIM DNS record with the PUB data as "mail._domainkey" (where
    "mail" is my selector).


Rollover:

    @ day 30, create a new domain.pem & domain.pub, create and publish a
    second DKIM DNS record. Use the same selector - etc. Immediately
    remove the old domain.pem & domain.pub.


    @ day 38 - remove the old DKIM DNS record.


So I'd have two DNS records for that domain, both with the same selector,
for 8 days (in case e-mails that were signed prior to day 30 take a while
to get to their destination).

Is this fine?

If I have to have a different selector for a new DKIM key pair - and I'm
signing about 40 domains - is there a suggested way to manage the
currently hard coded line in exim.conf of:-

remote_smtp:
  driver = smtp
  dnssec_request_domains = *
  hosts_try_dane = *
  return_path = ${address:$reply_address}
  message_size_limit = ${if > {$max_received_linelength}{998} {1}{0} }
  dkim_domain = ${lc:${domain:$h_from:}}
  dkim_selector = mail
  dkim_private_key = ${if exists{/etc/exim/dkim/${lc:${domain:$h_from:}}.pem}{/etc/exim/dkim/${lc:${domain:$h_from:}}.pem}{0}}
  dkim_canon = relaxed

The 40-odd domains are going to have different rotation times.

--

Mark James ELKINS  -  Posix Systems - (South) Africa
mje@??? Tel: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
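The selector-management question at the end of the post, worked through as an added example (this is not code from the post, from SIDN, or from the Exim project). It keeps the post's 30-day cadence but follows the quoted SIDN advice of giving every new key pair its own selector, here a dated label such as `m20240701`, so the old and new DNS records never share a name and there is no DNS-cache wait before the new key can sign. Per domain it decides, for a given day, whether a key pair is due, which selector Exim should sign with, which `_domainkey` records must stay published and which may now be removed (once the successor key has been live for the retention period), and it writes the domain-to-selector table an Exim `lsearch` lookup can read. Key generation and DNS updates themselves are left to `openssl` and your DNS tooling. The file paths, the selector format, the in-memory state layout and the sample public-key body are all assumptions or constructed values, not anything from the post.

```python
"""Dated-selector DKIM rollover planner for many domains (added example).

Keeps the monthly cadence from the post, but, as the quoted SIDN text
suggests, every new key pair gets a fresh selector (here the date it was
made), so old and new DNS records never share a name.  Key generation and
DNS publishing are left to openssl and your DNS tooling; this only decides
what to do on a given day and formats the pieces.  Paths, selector format
and the one-state-per-domain layout are assumptions, not Exim's.
"""
import base64
import re
from datetime import date, timedelta

ROTATE_AFTER = timedelta(days=30)  # post: new key pair at day 30
RETAIN_OLD = timedelta(days=7)     # SIDN: keep the old record at least a week


def selector_for(day: date, prefix: str = "m") -> str:
    """A selector is a DNS label, so keep it to letters and digits: m20240601."""
    return f"{prefix}{day:%Y%m%d}"


def record_name(selector: str, domain: str) -> str:
    return f"{selector}._domainkey.{domain}"


def pem_to_txt(pub_pem: str) -> str:
    """Build the TXT data from `openssl rsa -in domain.pem -pubout` output.

    DKIM's p= tag is the base64 of the SubjectPublicKeyInfo DER
    (RFC 6376 s.3.6.1), which is exactly the body of a PUBLIC KEY PEM block,
    so stripping the armour and whitespace is all that is needed.
    """
    body = re.sub(r"-----(BEGIN|END) PUBLIC KEY-----|\s", "", pub_pem)
    base64.b64decode(body, validate=True)  # raise on anything that is not clean base64
    return f"v=DKIM1; k=rsa; p={body}"


def plan(keys, today, rotate_after=ROTATE_AFTER, retain=RETAIN_OLD):
    """Decide one domain's actions for `today`.

    keys: list of (selector, created_date) for the key pairs made so far.
    Returns generate (new selector to create, or None), sign_with (selector
    whose private key Exim should use), publish (selectors whose DNS records
    must exist today), unpublish (selectors whose records may go) and keys
    (the updated list, for the caller to persist).
    """
    keys = sorted(keys, key=lambda k: k[1])
    generate = None
    if not keys or today - keys[-1][1] >= rotate_after:
        generate = selector_for(today)
        keys.append((generate, today))
    publish, unpublish = [], []
    for i, (sel, _created) in enumerate(keys):
        superseded = i < len(keys) - 1
        # An old record may go once its successor has been live for `retain`
        # days, so mail signed just before the switch can still verify.
        if superseded and today - keys[i + 1][1] >= retain:
            unpublish.append(sel)
        else:
            publish.append(sel)
    return {"generate": generate, "sign_with": keys[-1][0],
            "publish": publish, "unpublish": unpublish, "keys": keys}


def exim_selector_table(sign_with: dict) -> str:
    """lsearch file content mapping domain -> active selector for the transport."""
    return "".join(f"{d}: {s}\n" for d, s in sorted(sign_with.items()))


if __name__ == "__main__":
    # Constructed state: two domains at different points in their cycle.
    state = {
        "example.com": [("m20240601", date(2024, 6, 1))],
        "example.net": [("m20240520", date(2024, 5, 20)),
                        ("m20240619", date(2024, 6, 19))],
    }
    today = date(2024, 7, 1)
    active = {}
    for domain, keys in state.items():
        p = plan(keys, today)
        state[domain] = p["keys"]
        active[domain] = p["sign_with"]
        if p["generate"]:
            print(f"openssl genrsa -out /etc/exim/dkim/{domain}.{p['generate']}.pem 2048")
        for sel in p["publish"]:
            print(f"keep/publish {record_name(sel, domain)}")
        for sel in p["unpublish"]:
            print(f"remove       {record_name(sel, domain)}")
    print(exim_selector_table(active), end="")
```

With the table written to, say, `/etc/exim/dkim/selectors` and keys stored as `/etc/exim/dkim/<domain>.<selector>.pem` (both assumed paths), the hard-coded line in the post's transport becomes a lookup, `dkim_selector = ${lookup{$dkim_domain}lsearch{/etc/exim/dkim/selectors}{$value}{mail}}`, and the private-key path follows from it, `dkim_private_key = /etc/exim/dkim/$dkim_domain.$dkim_selector.pem`; Exim's transport documentation makes `$dkim_domain` available while `dkim_selector` is expanded and both variables while `dkim_private_key` is. The `{mail}` fallback keeps domains that have not yet been rolled onto the table signing exactly as before.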