Downgrade DKIM to 1024?


#1

My DNS provider, Namecheap, doesn’t allow records longer than 255 characters, so 2048-bit DKIM key is not an option.

Also, local BIND is problematic as I am using DDNS.

Is there any way to downgrade DKIM to 1024-bit?


#2

The relevant code to change the DKIM key bit size is here: setup/dkim.sh line #50

Not sure what you mean by local BIND being problematic. What are you expecting happens and what happens instead?


#3

Have you tried this:

https://kb.isc.org/article/AA-00356/0/Can-I-have-a-TXT-or-SPF-record-longer-than-255-characters.html


#4

@cromulus Thanks for the location. I’m just not sure it is a good idea to run a DNS server on a dynamic IP address, plus I don’t want to replace my network gateway, pfSense, with MiaB, which I think I would have to do to give MiaB port 53, though I haven’t looked too closely.

@crc32 That article is referring 255-character strings. My issue is that my DNS service provider (Namecheap) doesn’t allow records longer than 255 characters. Two different issues.
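Added example, not code from this thread or from Mail-in-a-Box, showing the length arithmetic behind the two issues above. It builds a DKIM `p=` value from placeholder RSA moduli (constructed here only to have the right encoded length; they are not keys and must not be published), splits the TXT value into 255-byte strings as the ISC article describes, and parses a published record back to its key size. The small DER encode/parse helpers, the selector `mail` and the domain `example.com` are assumptions for the example; a real key comes from `opendkim-genkey` or `openssl`.

```python
import base64

# Minimal DER helpers written for this example (not Mail-in-a-Box code).
def _der_len(n):
    """DER length: short form below 0x80, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def rsa_spki_der(n, e=65537):
    """SubjectPublicKeyInfo: the structure DKIM publishes base64-encoded in p=."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_public_key))

def dkim_record(n, e=65537):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki_der(n, e)).decode()

def split_txt(record, limit=255):
    """Cut a TXT value into <character-string>s of at most 255 bytes (RFC 1035)."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]

def zone_line(selector, domain, record):
    """Zone-file form: several quoted strings in one TXT RR; verifiers concatenate them."""
    strings = " ".join('"%s"' % s for s in split_txt(record))
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain, strings)

def key_bits_from_record(record):
    """Parse a published DKIM record and return the RSA modulus size in bits."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k] = v
    der = base64.b64decode(tags["p"])

    def read(buf, pos):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        return tag, buf[pos:pos + length], pos + length

    _, spki, _ = read(der, 0)          # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = read(spki, 0)          # AlgorithmIdentifier (skipped)
    tag, bitstr, _ = read(spki, pos)   # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03
    _, rsa_pub, _ = read(bitstr, 1)    # skip the unused-bits byte
    _, modulus, _ = read(rsa_pub, 0)   # first INTEGER is the modulus
    return int.from_bytes(modulus, "big").bit_length()

# Placeholder moduli, constructed only to get the right encoded length. Not keys.
FAKE_N_1024 = (1 << 1023) | 1
FAKE_N_2048 = (1 << 2047) | 1

if __name__ == "__main__":
    for bits, n in ((1024, FAKE_N_1024), (2048, FAKE_N_2048)):
        rec = dkim_record(n)
        print("%d-bit: record is %d chars in %d string(s)" % (bits, len(rec), len(split_txt(rec))))
        print(zone_line("mail", "example.com", rec))
        print("published key size:", key_bits_from_record(rec))
```

A 1024-bit key gives a 216-character `p=` and a 234-character record, so it fits in one string; a 2048-bit key gives 392 and 410, so it needs two. RFC 6376 requires verifiers to concatenate the strings of a TXT record before use, so the multi-string form is valid DKIM; whether a hosted DNS panel lets you enter more than one string is the provider's limitation, not DNS's. RFC 8301 sets 1024 bits as the minimum a signer may use and recommends 2048, so 1024 is a floor to fall back to, not a target.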


#5

@cromulus How do I tell MiaB to generate a new key? I tried mailinabox --configure and that didn’t do it.


#6

Yes, MIAB should be run on a machine with a publicly available, static IP address.

Linode, Digital Ocean, OVH, etc.

It is emphatically not meant to be run at home, and it most certainly would not be a replacement for pfsense.

What keys do you want to regenerate? The ssl certificates?

generally speaking, just run the installation instructions again and it should get everything setup: curl -s https://mailinabox.email/setup.sh | sudo bash


#7

I’ve built my own mail servers before, though not from my residential ISP, so I have some idea what I’m getting into. I like that with MiaB, someone else is dealing with the config headaches. (o;

SSL certs won’t provision. See:

To get MiaB to generate a new DKIM key, I had to erase /home/user-data/mail/dkim/mail.private before running the setup.


#8

No, running DNS on a dynamic IP address is not a good idea. All these TTLs trying to keep up with ever-changing IP addresses is sub-optimal to say the least. The pfSense router however is not the problem. No need to replace the gateway. Just forward port 53 (TCP and UDP) to the MIAB server on the inside, or better, on the DMZ if you have it on your gateway, and DNS works fine.

@cromulus, I am trying to understand why MIAB is emphatically not meant to be run at home. I do understand the constraints, but if they are met with your home connection there is really no better place to run MIAB than at home. Email is designed with the possibility of servers being unavailable for a couple of hours every now and then. I would argue that my current ‘home’ connection has a much better uptime and throughput than network connections had back in the day that email was conceived.

Apart from that I find it a bit awkward that while one of the goals of MIAB is to get email out of the cloud and decentralized again the general advice is to use cloud services to do so.

Maybe we should start to advocate that home connections that do meet the specs are fine to use with MIAB?

Kind regards,

Paul


#9

Well, 99% of home users have “residential” networks. That means a few things:

  1. port 25 (smtp) is blocked outbound, so you won’t be able to send email
  2. the IP address is likely listed in spam blacklists, as residential ISPs add them to the list.
  3. residential ISPs use dhcp, which means that your IP address will change. The nature of DNS is such that if you use a dynamic IP address as your name server, a whole bunch of things will break for an extended period of time every time your IP address changes, which could be daily.

So, it’s a good idea to run MIAB at home if and only if: you have a static IP and port 25 isn’t blocked and your IP isn’t in a spam blacklist.

If all of those conditions are met, then yes, go for it. Otherwise, you need a “real” internet connection, which, unfortunately, residential ISPs don’t provide.


#10

Note, MIAB automatically checks for outbound port 25 connectivity and if your IP is in a spam blacklist. It can’t know if your IP is assigned via dhcp and likely to change.
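An added example, not Mail-in-a-Box's own status_checks.py, of the go/no-go checks the two posts above describe: a TCP probe to port 25 on an outside mail host, and a DNSBL lookup of the public address with Spamhaus Zen's documented return codes mapped to their meaning. The resolver and connector are injectable, so the run at the bottom uses constructed stand-ins (the address 203.0.113.7, the host mx.example.net and the fake answers are made up for the example); leave the defaults in place to probe a real connection. As the post says, a dynamic address cannot be detected by a one-off probe like this.

```python
import socket
import ipaddress

# Answer codes returned by Spamhaus Zen (documented by Spamhaus). Other DNSBLs
# use their own 127.0.0.x conventions, so keep a map per zone.
ZEN_MEANINGS = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL: compromised host",
    "127.0.0.5": "XBL: compromised host",
    "127.0.0.6": "XBL: compromised host",
    "127.0.0.7": "XBL: compromised host",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL: ISP-declared dynamic/residential space",
    "127.0.0.11": "PBL: Spamhaus-maintained policy listing",
}

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Build the DNSBL query name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def dnsbl_lookup(ip, resolve=socket.gethostbyname, zone="zen.spamhaus.org"):
    """Return (listed, detail). NXDOMAIN means not listed. A 127.255.255.x answer
    means Zen refused the query (public resolver, rate limit): an error, not a listing."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:                     # socket.gaierror on NXDOMAIN
        return False, "not listed"
    if answer.startswith("127.255.255."):
        return False, "DNSBL query error %s (query from your own resolver, not a public one)" % answer
    return True, ZEN_MEANINGS.get(answer, "listed with code %s" % answer)

def outbound_25_open(host, timeout=5.0, connect=socket.create_connection):
    """True if a TCP connection to host:25 succeeds, i.e. the ISP is not blocking SMTP out."""
    try:
        sock = connect((host, 25), timeout=timeout)
    except OSError:
        return False
    sock.close()
    return True

def preflight(public_ip, smtp_probe_host,
              resolve=socket.gethostbyname, connect=socket.create_connection):
    """Go/no-go for hosting mail on a connection. Whether the address is static is
    the one condition a single probe cannot tell you; you have to know that yourself."""
    listed, detail = dnsbl_lookup(public_ip, resolve=resolve)
    result = {
        "outbound_25": outbound_25_open(smtp_probe_host, connect=connect),
        "blacklisted": listed,
        "blacklist_detail": detail,
    }
    result["go"] = result["outbound_25"] and not listed
    return result

# Constructed stand-ins so the checks can be exercised without network access.
def fake_resolver(answers):
    def resolve(name):
        if name in answers:
            return answers[name]
        raise OSError("NXDOMAIN " + name)
    return resolve

def fake_connect(open_ports):
    class _Sock:
        def close(self):
            pass
    def connect(addr, timeout=None):
        if addr[1] in open_ports:
            return _Sock()
        raise OSError("connection blocked")
    return connect

if __name__ == "__main__":
    # Simulated residential line: outbound 25 blocked and the address is in the PBL.
    ip = "203.0.113.7"
    print(preflight(ip, "mx.example.net",
                    resolve=fake_resolver({dnsbl_name(ip): "127.0.0.10"}),
                    connect=fake_connect({443})))
    # Real check: preflight(your_public_ip, "<MX host of a domain you control>")
```

The two outcomes a reader should not confuse: an NXDOMAIN from the DNSBL is the good answer (not listed), while a 127.255.255.x answer means the lookup itself was rejected, which is what you get when the query goes through a large public resolver; run it through a resolver of your own before concluding anything.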


#11

@Woody If you know your connection meets the specifications, you probably are paying extra for it, know all about it, and have specifically spent more money so that their connection doesn’t have the same limitations as a standard residential ISP connection.

The concern is an onslaught of people installing MIAB on their Raspberry Pis (not that you can, MIAB doesn’t run on ARM) at home and generating an unmanageable amount of support requests.


#12

The port blocking policies are changing. I have Charter, and they used to block nearly everything, but now they don’t block anything.

Spamhaus used to have my IP address on the PBL, though it is on SORBS dul. Gmail put my first email in the Inbox, while Yahoo! needed a little convincing - just went in and declared the 4 emails I’d sent not spam, problem solved.

Although my TOS does state that I’m not supposed to run a server on my network, they don’t seem to care about servers just serving personal services. I think they are more concerned with someone running a real site or service that generates traffic that matters. The facts are that some days I’ve got ~500 kbps sustained inbound web crawler blocked garbage noise, and a typical evening is >30 mbps sustained streaming video, hours of Skype video (housemates are from other countries), hours of YouTube video uploads maxing upload capacity, etc. A personal mail server uses an immeasurable percentage of the traffic, and can’t possibly be worth the headache of dealing with customer support over the matter. I think this is why they opened the ports up, but no way to know.


#13

However, I definitely agree about the number of support issues that could potentially be generated. Probably the best way to handle it, if you ever go that far, is a go/no-go test. One thing doesn’t work, just print “MiaB can never work on this Internet connection. No support options available.”


#14

We have exactly that test, however, it cannot detect dynamic IP addresses.

See test here: https://github.com/mail-in-a-box/mailinabox/blob/master/management/status_checks.py


#15

@cromulus, I don’t know the numbers, but you might be right about the 99%. I am probably spoiled; my ISP was founded by a group of hackers back in 1993. Their motto always was to provide an open internet for everyone. On their residential connections the IP address (although using DHCP) never changes, as long as you don’t move house. All ports are open; you can close them if you like. Reverse DNS is supported on their connections for both IPv4 and IPv6. The latter is natively supported.

Although I was a little wary after reading the first item on the pre-flight checklist I installed a MIAB server on this connection. And boy am I happy I tried that. It turns out that MIAB was made for this. It enables me to get all of my business mail (and that of the rest of my household) out of the cloud and back into my own wiring closet. That saves me €6,66 a month for two Google Apps subscriptions alone. More if I move other domains I own and that now reside on servers elsewhere to the box. And the functionality is better. Faster. Integration between smartphone and desktop mail client works great. So far I really am very enthusiastic about MIAB. Let me know if there is something I can do for this project.


#16

Even Charter now rarely changes IP addresses. I’ve probably had my current IP address for at least a couple of years.

When I first got their service in 2005, I would get a new IP address almost daily, sometimes more often, and for no apparent reason. Then they seemed to get a little better hold on it and I would only get a new IP address when the cable modem was rebooted. (Sadly, I had to do that often back then and for various reasons.) Now, the IP address survives even extended power outages (I have ~2 hours UPS, so quite long). That said, the last change came completely sporadically one night.

Given this, I’m reasonably comfortable putting a mail server up and trying my luck that they won’t brutally enforce their TOS. Namecheap has a default TTL of 180 on DDNS, so even the most ignorant of caching services should be able to deal.


#17

I too find MIAB to solve a whole bunch of problems and save me a bundle of money.

@JoshData asked for help supporting and maintaining MIAB, so I’ve taken it upon myself to donate a few hours a month to try to help out in the support forum (here) and also on GitHub issues.

Also, the code base is pretty approachable (bash and some straightforward python).

Right now, a major push is testing and once the testing framework lands in the master branch, I imagine that adding tests will be a tremendous value add to the project.

@openletter Go forth and serve email. I’d just double check that your IP isn’t on any blacklists. Due to the prevalence of malware, many ISPs add their entire residential net block to blacklists proactively.


#18

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.