From 7626b0e0e7821b7e88db887de69733e75ff24319 Mon Sep 17 00:00:00 2001 From: Stefan Schueffler Date: Tue, 2 Jul 2024 18:57:32 +0200 Subject: [PATCH] Add support for configurable DKIM key sizes In order to support DKIM RSA key sizes other than 1024, a new config variable default_dkim_key_size has been introduced. The default value still is 1024 to make it backwards compatible, but it now supports e.g. 2048 or 4096 bit keys as well. At the time of this commit (mid-2024), having 2048 bit keys is recommended by the National Institute of Standards and Technology (NIST) --- app/models/domain.rb | 2 +- doc/config/yaml.yml | 2 ++ lib/postal/config_schema.rb | 5 +++++ 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/app/models/domain.rb b/app/models/domain.rb index fcd4eb305..a67b0233e 100644 --- a/app/models/domain.rb +++ b/app/models/domain.rb @@ -82,7 +82,7 @@ def parent_domains end def generate_dkim_key - self.dkim_private_key = OpenSSL::PKey::RSA.new(1024).to_s + self.dkim_private_key = OpenSSL::PKey::RSA.new(Postal::Config.postal.default_dkim_key_size).to_s end def dkim_key diff --git a/doc/config/yaml.yml b/doc/config/yaml.yml index 1035ec99f..05fa70d24 100644 --- a/doc/config/yaml.yml +++ b/doc/config/yaml.yml @@ -23,6 +23,8 @@ postal: use_local_ns_for_domain_verification: false # Append a Resend-Sender header to all outgoing e-mails use_resent_sender_header: true + # The default size for new DKIM keys + default_dkim_key_size: 1024 # Path to the private key used for signing signing_key_path: $config-file-root/signing.key # An array of SMTP relays in the format of smtp://host:port diff --git a/lib/postal/config_schema.rb b/lib/postal/config_schema.rb index af3c7330e..703abfe0f 100644 --- a/lib/postal/config_schema.rb +++ b/lib/postal/config_schema.rb @@ -66,6 +66,11 @@ module Postal default true end + integer :default_dkim_key_size do + description "The default size for new DKIM keys" + default 1024 + end + string :signing_key_path do description "Path to the private key used for signing" default "$config-file-root/signing.key"