Open Bug 807013 Opened 12 years ago Updated 2 years ago

Use DKIM on mozilla's smtps

Categories

(Infrastructure & Operations :: Infrastructure: Mail, task)

x86_64
Linux
task
Not set
normal

Tracking

(Not tracked)

People

(Reporter: kang, Unassigned)

References

(Blocks 1 open bug)

Details

SPF bug: https://bugzilla.mozilla.org/show_bug.cgi?id=240169 (it also includes some information about DKIM).
This is the DKIM bug. Summary:

Key should be 1024-bit or higher (1024 recommended, as higher may break some DNS resolution of some MTAs).
Selectors may include the key generation date, so that we're able to refresh the key every X months.
Different SMTPs may have different selectors (and thus keys), for example the SMTP used by human users to send emails vs. the SMTPs used by internal hosts to send emails.
Assignee: server-ops-infra → limed
Component: Server Operations: Infrastructure → Infrastructure: Other
Product: mozilla.org → Infrastructure & Operations
Component: Infrastructure: Other → Infrastructure: Mail
QA Contact: jdow → limed
Is this something that will be easier for us to do, once we switch to Google Apps? :-)
(In reply to Ed Morley (moved to Treeherder) [:edmorley] from comment #1)
> Is this something that will be easier for us to do, once we switch to Google
> Apps? :-)

It'll probably be harder because the mail coming out of apps will probably get signed by Google.  But I don't know for sure, they might let us supply our own key in Enterprise Apps.  Certainly something to check on.
I've just read up a bit more on this, and it appears that whilst you cannot specify your own key within Google Apps (https://support.google.com/a/answer/174126), you can have multiple DKIM keys specified in DNS, differentiated by TXT record name, and then the signed mail refers to which key should be used. So this should still be doable after all :-)

See:
http://dkim.org/specs/draft-ietf-dkim-deployment-11.html#rfc.section.4.1
http://www.dkim.org/info/dkim-faq.html#technical
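
An added example, not part of the bug thread or of any Mozilla configuration: how a verifier turns the `s=` and `d=` tags of a DKIM-Signature into the TXT record name that holds the key, and how a date-bearing selector (as suggested in comment 0) can be checked for rotation age. The domain, selector names, the `YYYYMM` suffix convention, the 6-month threshold and the `<...>` key and signature placeholders are all assumptions constructed for illustration.

```python
import re
from datetime import date

# Constructed sample data: two selectors under one domain, named after the
# sending role and the key generation month (a hypothetical naming convention).
ZONE = {
    "users-201211._domainkey.example.org": "v=DKIM1; k=rsa; p=<public-key-1>",
    "hosts-201208._domainkey.example.org": "v=DKIM1; k=rsa; p=<public-key-2>",
}
SIG_USER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
            "\ts=users-201211; h=from:to:subject:date; bh=<body-hash>; b=<sig>")
SIG_HOST = "v=1; a=rsa-sha256; d=example.org; s=hosts-201208; h=from:to; bh=<bh>; b=<sig>"

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    for part in unfolded.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")  # values may contain '=' themselves
            tags[name.strip()] = val.strip()
    return tags

def key_record_name(signature):
    """DNS name a verifier queries: <selector>._domainkey.<domain>."""
    tags = parse_tags(signature)
    if "s" not in tags or "d" not in tags:
        raise ValueError("DKIM-Signature needs both s= and d= tags")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def selector_age_months(selector, today):
    """Months since the YYYYMM suffix of a selector, or None if it has none."""
    m = re.search(r"(?<!\d)(\d{4})(\d{2})$", selector)  # exactly six trailing digits
    if not m or not 1 <= int(m.group(2)) <= 12:
        return None
    return (today.year - int(m.group(1))) * 12 + today.month - int(m.group(2))

def due_for_rotation(signature, today, max_months=6):
    """True when the signing key's selector is older than max_months (assumed policy)."""
    age = selector_age_months(parse_tags(signature)["s"], today)
    return age is not None and age > max_months

if __name__ == "__main__":
    for sig in (SIG_USER, SIG_HOST):
        name = key_record_name(sig)
        print(name, "->", ZONE.get(name), "| rotate:", due_for_rotation(sig, date(2013, 3, 1)))
```

Selectors without a date suffix, such as one assigned by a hosted mail provider, return `None` for the age and are never flagged, so they need a separate rotation record.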
Or I could just have read comment 0 more thoroughly, oops.
(In reply to Ed Morley (away until 3rd Jan) [:edmorley] from comment #3)
> I've just read up a bit more on this, and it appears that whilst you cannot
> specify your own key within Google Apps
> (https://support.google.com/a/answer/174126), you can have multiple DKIM
> keys specified in DNS, differentiated by TXT record name, and then the
> signed mail refers to which key should be used. So this should still be
> doable after all :-)
I used it for my own domain and it was nice. So ++ for enabling it in gapps.
Blocks: 1081574
Could we make this infra-group bug open or at least mozilla-employee? There's nothing confidential in it at the moment, and I imagine most work would occur in dep bugs. It's just I've linked to here from a Yammer thread, but only afterwards realised that most people won't be able to view the bug.
Is this bug for both "enable DKIM on the Mozilla google apps account" and "enable DKIM on Mozilla's own SMTP server"? If we do the latter, does that cover bugzilla.mozilla.org bugmails too?

The reason I'm interested in this bug is that to fix bug 1102364 and bug 1100476, we have to meet the Google requirements for using the action buttons, one of which is "emails are sent with SPF or DKIM enabled".
Blocks: 1102364, 1100476
Group: infra
No longer blocks: 1102364
No longer blocks: 1100476
(In reply to Ed Morley [:edmorley] from comment #7)
> Is this bug for both "enable DKIM on the Mozilla google apps account" and
> "enable DKIM on Mozilla's own SMTP server"? If we do the latter, does that
> cover bugzilla.mozilla.org bugmails too?
> 
> The reason I'm interested in this bug is that to fix bug 1102364 and bug
> 1100476, we have to meet the Google requirements for using the action
> buttons, one of which is "emails are sent with SPF or DKIM enabled".
Flags: needinfo?(limed)
Blocks: 1139840
Flags: needinfo?(limed)
See Also: → 1439915
Assignee: limed → infra
QA Contact: limed → cshields
Assignee: infra → jhayashi
Assignee: jhayashi → infra
QA Contact: cshields