On Fri, May 10, 2024 at 10:19:22AM +0100, Kirill A. Korinsky wrote:
> On Fri, 10 May 2024 06:57:20 +0100,
> Matthieu Herrb <matth...@openbsd.org> wrote:
> > 
> > https://www.rfc-editor.org/rfc/rfc6376#section-3.3 says that
> > rsa-sha256 SHOULD be used. Unfortunately Mail::DKIM::Signer uses
> > rsa-sha1 by default when no algorithm is specified.
> > 
> > Update the dkimproxy.out sample config...
> > 
> > Make aboutmy.email (and other checkers) happier, and hopefully fewer
> > rejects by hotmail/google and co...
> > 
> > comments? ok?
> >
> 
> I'd like to point out that using anything else than RSA with SHA256 leads to
> issues. The cause is OpenDKIM, which is widely used. It had a well-known issue
> with ed25519 [1] which probably will be fixed in the next release.
> 
> Anyway, the last release happened in 2015 and this project seems to be
> not that alive, so, no hope that it will be released and distributed soon.
> 
> My point: let's add a reference to this issue and suggest using only RSA/SHA256.
> 
> Footnotes:
> [1]  https://github.com/trusteddomainproject/OpenDKIM/issues/6
> 
Hi,

Afaict dkimproxy is not using opendkim but p5-Mail-DKIM. dkimproxy
itself also hasn't seen an update in many years, but the underlying
perl lib was last updated last January (and could use an update
in the port).

So unless you imply that because many people use opendkim, ed25519
based signatures shouldn't be used at all, I'm not sure I understand
what you're saying.
-- 
Matthieu Herrb
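
An added example, not part of the original messages and not code from dkimproxy or Mail::DKIM: a small Python check that reads the a= tag of every DKIM-Signature header on a sent message, to confirm the signer is no longer falling back to rsa-sha1. The verdict labels and the sample messages are constructed for illustration.

```python
import email

# Verdict per a= value. "weak" and "compat" reflect the two points in the thread:
# rsa-sha1 is what the signer emits when no algorithm is configured, and ed25519
# signatures run into the OpenDKIM issue referenced in footnote [1].
VERDICTS = {"rsa-sha256": "ok", "rsa-sha1": "weak", "ed25519-sha256": "compat"}

def parse_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Folding whitespace inside a value is not significant for the
            # tags read here (a=, d=, s=), so drop it entirely.
            tags[name.strip()] = "".join(val.split())
    return tags

def audit(raw_message):
    """Return (domain, selector, algorithm, verdict) for each signature."""
    msg = email.message_from_string(raw_message)
    results = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(value)
        algo = tags.get("a", "").lower()
        verdict = VERDICTS.get(algo, "unknown")
        results.append((tags.get("d"), tags.get("s"), algo, verdict))
    return results

# Constructed sample messages; domains, selectors and bh=/b= values are placeholders.
SIGNED_SHA1 = (
    "DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=example.org; s=sel1;\n"
    "\th=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: alice@example.org\nSubject: test\n\nbody\n"
)
DUAL_SIGNED = (
    "DKIM-Signature: v=1; a=ed25519-sha256; d=example.org; s=ed;\n"
    " h=from; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "dkim-signature: v=1; a=rsa-sha256; d=example.org; s=rsa;\n"
    " h=from; bh=PLACEHOLDER=; b=PLACEHOLDER=\n"
    "From: alice@example.org\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("sha1", SIGNED_SHA1), ("dual", DUAL_SIGNED)):
        for row in audit(raw):
            print(name, *row)
```

Run it against a message sent to yourself after changing the signer configuration; a "weak" row means the algorithm setting did not take effect.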