On Monday, October 30, 2023 3:10:22 PM EDT Viktor Dukhovni via Postfix-users wrote:
> On Mon, Oct 30, 2023 at 10:06:46AM +0100, Jens Hoffrichter via Postfix-users wrote:
> > We are looking into implementing DKIM signing for one of our services,
> > and there are multiple ways to implement that.
> > 
> > So far I have found that you can do it with opendkim and amavis - any
> > recommendation for one or the other, or maybe something completely
> > different I haven't found yet?
> 
> Both OpenDKIM and dkimpy-milter work reasonably well, but the former is
> IIRC no longer actively maintained.  Note, though they have similar
> configuration formats, they're not quite identical.   Where the
> OpenDKIM signers file wants:
> 
>     domain  keyname
> 
> the opendkimpy-milter wants:
> 
>     *@domain    keyname
> 
> Scott Kitterman, when he gets around to reading this thread, will I hope
> have more to say on the subject.
> 
> Though dkimpy-milter is likely the more future-proof choice, perhaps
> OpenDKIM is slightly more polished at present, albeit also dated
> (lacking some of the newer algorithms).
> 
> For signing, lack of bleeding-edge algorithms is less important, so if
> you're not also validating, OpenDKIM would be sufficient.

I've implemented the options from OpenDKIM that I thought made sense.  If it's 
in the documentation for dkimpy-milter as implemented, it should work fine.  If 
you need something I didn't document as implemented from OpenDKIM, then you 
should stick with OpenDKIM.

Neither milter deals with EAI email well.

I think my approach to signing both RSA and ed25519 in a single instance is 
better than the OpenDKIM approach that requires multiple milter instances.  
Due to limited ed25519 support, you don't want to do ed25519 only.

If you're allergic to Python, then you want to stick with OpenDKIM.

I guess (from reading the thread) if you think the fact that I wrote the SPF 
RFC and some SPF related software means I can't write DKIM related software 
(really?), then you should stick with OpenDKIM.

OpenDKIM is faster, but I think DNS performance tends to dominate, at least 
for DKIM verification, so that may or may not matter.

If there's something you don't like about dkimpy-milter and you're going to 
write something about "if you don't change X, I'll switch to something else", 
go ahead and use the something else.

Scott K



