For those that may be looking and find this issue... if you are using your own domain, and can control DNS, you can set up your outbound to relay through SendGrid (or Mailgun). Most BBSes will be within their free tier. Just make sure to also set the right options flags in sbbs.ini in addition to the relay entries.
Why created with no comments? There's no mention of what DKIM is, why Synchronet would benefit from supporting it, any sort of idea of what that support would look like, what Synchronet should do when authentication fails, etc. This "issue" has no actionable information in it, it's just a request that a developer do a bunch of work for no stated reason.
You make a valid point, I should've added more commentary in it. The advantage of DKIM is to ensure a full chain of trust for a message. If we send a message outbound, that message today may be validated with an SPF (DNS TXT record), maybe even a DMARC (DNS TXT record), but the DKIM comes directly from the source as well as a selector key in DNS (TXT record). By adding DKIM, the receiver knows that the message is authentic. To the same point, any incoming message can also be validated utilizing the reverse methodology.
How do you imagine the private key be managed and DNS record published? Currently there's two private keys in Synchronet, the SSH and the SSL ones. In both of these cases, they're generated on demand and encrypted with the sysop password. The TXT record needs to have propagated before DKIM signatures are valid, so generating on demand doesn't make a lot of sense. Further, Synchronet isn't a DNS server and doesn't update DNS records currently except for the .synchro.net domain via the dynamic DNS script.
On the incoming side, if the message does not validate, what action should be taken? When should the verification be done? How should this information be presented in the BBS interface?
If we're going to sign and validate messages, why not add PGP support instead of DKIM? Don't we care more about the person sending the email than the system claiming to originate it?
The advantage of DKIM is to ensure a full chain of trust for a message.
It seems like it's a signature added on submission, so the chain ends at the email server itself.
the receiver knows that the message is authentic.
Where "authentic" means "send via the email server at a given domain". While this isn't nothing, I'm not sure it's very much either. How is the lack of this authentication presented to users? How does this vary from the authentication failing? That is to say, if the DNS record is obsolete, does it look worse to the end user if the DKIM fails than if it's simply not present?
Instead of having an argument about the merits of DKIM, please read this. Honestly, no one cares about PGP, but more and more mail servers are looking for SPF, DMARC, and DKIM.
Ok, so to be clear, by ignoring the first two paragraphs of my comment, you're saying that you have no idea what support for DKIM would/should look like in Synchronet and by brushing off the last half of my comment you're saying that you have no interest in explaining why adding support to Synchronet would be worth the effort? I just want to be sure I understand your position here.
No, I understand where you are coming from. I will explain.
The private key can be created with either OpenSSL or a Synchronet-based variant. This would be stored in SBBSCTRL. The public key, which would also be stored in SBBSCTRL would require the Sysop to manually add it to their DNS configuration for their domain.
All outgoing messages would be signed with the public key and the specific selector defined within a DKIM configuration file we'd also store in SBBSCTRL.
All inbound messages would be checked for SPF, DMARC, and DKIM based upon the selector and public key incorporated in the message. If the message passes each, the message's reputation is increased. If it fails, message reputation decreases.
For example, here is a message sent via my BBS to my personal e-mail address on Gmail. I am using SendGrid for DKIM support:
Delivered-To: brklauss@gmail.com
Received: by 2002:a05:600c:19c9:0:0:0:0 with SMTP id u9csp2534343wmq;
Tue, 16 Feb 2021 15:39:59 -0800 (PST)
X-Google-Smtp-Source: ABdhPJx7xkH71Ok7TfzUHEPQwaxQwdOpjL7wj4e/53ift4wl6c0IkcQLu0eDaXB1URURWjUgJ/Vf
X-Received: by 2002:aa7:c78e:: with SMTP id n14mr23321838eds.31.1613518799034;
Tue, 16 Feb 2021 15:39:59 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1613518799; cv=none;
d=google.com; s=arc-20160816;
b=GxkQ31+vcB2ZSuXQ1TtXjUIMdd4hpk7Umg3IAza/hOWfEm3uyAJJP8RShg24BAgaNa
YdNLsVzUO8BN6kRz/zwuhyZpiMm1e0brZJ1PPrt8Xml+IbdIG1j9fDgnFwrJ37gl1ulR
oOSSaPXD0qz/JB+9MVBuChBSuBohvV2MNmf+V3WGWXGKhAA+UYGGIIBcF6KlOlnHiL3i
y+Vb6IMCAnRvFuRBWYXIMRPRWHBaAVC2u3QxdiTX3kEhTIKrfceTbU62QF0gXIMAdTZ8
KjJmE6zoshURsG6UcR6umEebk5BtWzYRs1xjU8C+h94IzMcCpLkhzRtzN+55IkcZVqgY
3cQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=content-transfer-encoding:to:message-id:subject:organization:from
:date:dkim-signature:dkim-signature;
bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
b=WZiFmVHfCFBdxrsXt5rMgoxpCN2GjEcO9TAHesf/YTAUhR5utkTKrLUTauNcUROKxe
0EfEzSI6Gr9LfZ+PMLxMUErfTjb4MpTBhKyIZpeYSpOfc9iUTiFbGgUCDjJnIV2w92Tn
xSn/KpdpjeWuh4ePlj7DVhJ7OSUAifeFDNNN7jaqATbeaww+ob8xiEtQJL6/0GrA6UcE
KBheFJ+D58HKrBQrmaM14jcjEEgTVIDyFxWW/oPhizwqSfeB2BIeZimk1ryyWIhtOyXd
M9Kc4RqbMNQ26FcC7a3C94xFbyfA1y0lxARyUQKu7hyR5MLBF17X9AFxQNDqIHlIi405
D2Mw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@caughtinadream.com header.s=s1 header.b=dosxvfjP;
dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=dQZYKBps;
spf=pass (google.com: domain of bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com designates 149.72.167.211 as permitted sender) smtp.mailfrom="bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=caughtinadream.com
Return-Path: bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com
Received: from wrqvxtdp.outbound-mail.sendgrid.net (wrqvxtdp.outbound-mail.sendgrid.net. [149.72.167.211])
by mx.google.com with ESMTPS id cf25si350650ejb.193.2021.02.16.15.39.58
for brklauss@gmail.com
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Tue, 16 Feb 2021 15:39:58 -0800 (PST)
Received-SPF: pass (google.com: domain of bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com designates 149.72.167.211 as permitted sender) client-ip=149.72.167.211;
Authentication-Results: mx.google.com;
dkim=pass header.i=@caughtinadream.com header.s=s1 header.b=dosxvfjP;
dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=dQZYKBps;
spf=pass (google.com: domain of bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com designates 149.72.167.211 as permitted sender) smtp.mailfrom="bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com";
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=caughtinadream.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=caughtinadream.com;
h=from:subject:x-feedback-id:to:content-type:content-transfer-encoding;
s=s1; bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
b=dosxvfjPzEFqit0KF7ENjoQz7mCdIl7ZHaEawzS+iYneT0GpDvzqjxp4f0GVABVx/IJ4
gfBzUQ5GSYt6klOtJbzAKFe+dbHAA02kaCSz6e6AR37jCEvirseo5RQtDvyrDkpFIS9uQx
jX2nuQf/kYh1SQTfcs2s8bZZ6HYdXMOI0=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.info;
h=from:subject:x-feedback-id:to:content-type:content-transfer-encoding;
s=smtpapi; bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
b=dQZYKBpsaKciWFvBWJ1xJZr7x24lS9jFLheyNdQJiA8ZOgGMJGOkJ7YMz7+FNzgXRrLA
Df3SWM0oPoKcoORBtMnt7DKiHb4O2Kwmf4PXwp81k9bE8Rygcb9WJFfPnzC/FwWyl5g1it
JeK4TDAUK2p9ur2gxR1HoN21/UJ/Ci+Ck=
Received: by filterdrecv-p3las1-c477c4585-j7t5v with SMTP id filterdrecv-p3las1-c477c4585-j7t5v-19-602C57CD-28
2021-02-16 23:39:57.325399191 +0000 UTC m=+607919.338513971
Received: from caughtinadream.com (unknown)
by ismtpd0007p1sjc2.sendgrid.net (SG) with ESMTP id tCRoSjJoQRuGrc9yiqr2mw
for brklauss@gmail.com; Tue, 16 Feb 2021 23:39:57.106 +0000 (UTC)
Date: Tue, 16 Feb 2021 23:39:57 +0000 (UTC)
From: Brian Klauss Brian.Klauss@caughtinadream.com
Organization: Caught in a Dream
Subject: Test Message
Message-ID: 602C57CB.35@caughtinadream.com
X-Originator-Info: account=1; login-id=Dream Master; server=caughtinadream.com; client=c-73-217-59-236.hsd1.co.comcast.net; addr=73.217.59.236; prot=Telnet; port=52531; time=20210216233932Z
X-FTN-PID: Synchronet 3.18c-Linux master/5379321a Feb 8 2021 GCC 7.3.1
X-Feedback-ID: 20263340:SG
To: brklauss brklauss@gmail.com
X-Entity-ID: 9SDT/t7dA4TjvOpqwqLxJQ==
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
This is a test message.
As you can see, the DKIM signature is part of the message envelope.
My DNS records for DKIM include the following (and because I am having it hosted on SendGrid):
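As an added example, not code from this thread or from Synchronet, here is how the two pieces discussed above fit together in Python: the DKIM-Signature tags yield the selector._domainkey.domain TXT name a verifier looks up, and a receiver's Authentication-Results header is parsed into the per-method pass/fail reputation adjustment proposed above. The header values are constructed from the pasted message, with placeholder bh=/b= values.

```python
import re

# Constructed sample, trimmed from the Gmail headers pasted above; bh=/b= are placeholders.
AUTH_RESULTS = (
    "mx.google.com; "
    "dkim=pass header.i=@caughtinadream.com header.s=s1 header.b=dosxvfjP; "
    "dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=dQZYKBps; "
    "spf=pass (google.com: domain of bounces+1-2-user=gmail.com@mx1.caughtinadream.com "
    'designates 149.72.167.211 as permitted sender) smtp.mailfrom="bounces+1-2-user=gmail.com@mx1.caughtinadream.com"; '
    "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=caughtinadream.com"
)
DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=caughtinadream.com; "
                  "h=from:subject:to; s=s1; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=")
PASS_FAIL_WEIGHT = {"pass": 1, "fail": -1}   # proposal above: pass raises, fail lowers reputation

def parse_dkim_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in sig.split(";"):
        key, _, value = part.strip().partition("=")  # first '=' only: b= carries '=' padding
        if key:
            tags[key] = re.sub(r"\s+", "", value)    # folded header values contain whitespace
    return tags

def dkim_txt_name(tags):
    """DNS name a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def parse_auth_results(header):
    """Parse an Authentication-Results value into (authserv-id, [(method, result, props)])."""
    body = re.sub(r"\([^)]*\)", "", header)           # drop parenthesised comments
    authserv, *stanzas = (s.strip() for s in body.split(";"))
    results = []
    for stanza in filter(None, stanzas):
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = {k: v.strip('"') for k, _, v in (t.partition("=") for t in tokens[1:])}
        results.append((method.lower(), result.lower(), props))
    return authserv, results

def reputation_delta(results):
    """Net score over SPF/DKIM/DMARC results; unknown/neutral results count zero."""
    return sum(PASS_FAIL_WEIGHT.get(res, 0) for m, res, _ in results if m in ("spf", "dkim", "dmarc"))

def signature_was_verified(tags, results):
    """True if the receiver reported dkim=pass for this signature's selector and domain."""
    return any(m == "dkim" and res == "pass" and p.get("header.s") == tags["s"]
               and p.get("header.i", "").endswith("@" + tags["d"]) for m, res, p in results)
```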
Ok so for the receive side, it seems like this can be easily provided using a mail filter such as the included SpamAssassin client. I'm not sure that there's any advantage to having the support baked into Synchronet, especially since there would be multiple reputation sources all of which need to be balanced against each other, and I don't think Synchronet has that concept at this time.
As for the transmit side, it looks like there are a number of SMTP relays (such as amavisd-new) that handle DKIM signing. These should be easy to use with the Synchronet relay server settings, so it's not clear what adding the support to Synchronet would add to such a setup.
So the only real outstanding question is why Synchronet should get a new DKIM implementation rather than using the already existing solutions? What advantages would there be since DKIM would be disabled by default and require manual configuration anyway?
Actually, looking through the software link on the page you provided, there are a number of two-way SMTP proxies that would do all the DKIM "stuff" in one package.
I would make one suggestion... if you're using synchro.net dyndns, it would be nice if the public key could be sent as part of the update, so that synchro.net DNS can add it directly. Maybe even add an SPF record with SPF A ~ALL or similar. Would do a lot for being able to better support BBSes using that system.
As to why, similar to why integrate letsencrypt, when there are/were existing solutions to generate keys and reverse-proxy even over adding https for example. To make it easier for those sysops using synchronet to integrate the security measures.
Also, many of the major mail providers are less likely to send DKIM signed messages to the spam bucket, or outright deny the email altogether. I'm using an outbound relay for this myself, but can see the reasoning behind having the option in the box.