Re: [exim] Help with dual-key DKIM

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Perry Naseck
Datum:  
To: exim-users
Betreff: Re: [exim] Help with dual-key DKIM
Thank you all very much for your pointers.

I switched to SQLite with the following schema:

CREATE TABLE `dkim` (
    `domain`    INTEGER NOT NULL,
    `selector`    TEXT,
    `privkey`    TEXT,
    `strict`    INTEGER NOT NULL DEFAULT 0,
    `canon`    TEXT DEFAULT 'relaxed'
);

An example row:

domain=example.com selector=20210724_1_rsa privkey=example.com/example.com_20210724_1_rsa.pem strict=0 canon=relaxed

This is my new config:

DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_SELECTOR = <\n ${lookup sqlite {/etc/exim4/dkim/KeyTable.db select selector from dkim where domain='$dkim_domain';}{$value}fail}
DKIM_FILE = ${lookup sqlite {/etc/exim4/dkim/KeyTable.db select privkey from dkim where domain='$dkim_domain' and selector='$dkim_selector';}{/etc/exim4/dkim/$value}fail}
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}
DKIM_CANON = ${lookup sqlite {/etc/exim4/dkim/KeyTable.db select canon from dkim where domain='$dkim_domain' and selector='$dkim_selector';}{$value}fail}
DKIM_STRICT = ${lookup sqlite {/etc/exim4/dkim/KeyTable.db select strict from dkim where domain='$dkim_domain' and selector='$dkim_selector';}{$value}fail}

This config successfully dual signs messages with both RSA and ed25519 keys. Note I am not using sqlite_dbfile because Debian stable has Exim v4.92 at the moment.

I originally attempted CDB and couldn't get it all to work, but I like SQLite a bit better since it is a bit less tedious to update/edit. It would be nice to know if there is a speed difference, though this is a very small, personal mail server so it won't matter much in this particular case. I suppose Redis would be the fastest, but that is no longer as simple as a single-file DB.

Thanks again,
Perry

On 7/26/21 9:27 AM, Jeremy Harris via Exim-users wrote:
> On 26/07/2021 14:16, Graeme Fowler via Exim-users wrote:
>> So… if there are lines after the first match, they’ll never be reached. As Jeremy states, wrong tool for the job.
>>
>> If you want to persevere with lsearch, make your key (the bit before the colon) unique and set multiple values,
>
> The alternative will be something closer to a real database (than the flat file accessed
> by lsearch), which can return multiple results for a single query.  Sqlite, CDB, LMDB, Postgres, etc.