Adding DKIM to news articles #gnus #dkim
Recently I had a monologue on the Gnus development list, where I lamented the munging of the From: header in my emails to the Emacs development mailing list when sent through Gmane using nntp, and proceeded to solve the problem.
Since then I've discovered, and fixed, a line-ending problem, so I thought I would document the entire solution in a little more detail here.
There are three steps to perform on the machine running Gnus (in this case, my laptop):
- Install and configure opendkim, generate key
- Update DNS of your domain
- Integrate signing of news articles in Gnus
Install and configure opendkim, generate key
Installing is just sudo apt install opendkim.
In /etc/opendkim/ I have three files:
internalhosts containing the IP-addresses of my laptop (where Gnus
runs):
127.0.0.1
tullinup.koldfront.dk
192.168.0.102
keytable defining where to find the key corresponding to a domain:
koldfront.dk koldfront.dk:news:/etc/dkimkeys/koldfront.dk.news.private
and finally signingtable, saying what addresses to sign with what
domain:
*@koldfront.dk koldfront.dk
In /etc/opendkim.conf I have changed these lines:
Selector news
SignatureAlgorithm rsa-sha256
InternalHosts /etc/opendkim/internalhosts
KeyTable /etc/opendkim/keytable
SigningTable refile:/etc/opendkim/signingtable
Generate key
To generate the key, I went to the directory /etc/dkimkeys, and ran
this command:
opendkim-genkey -b 2048 -d koldfront.dk -s koldfront.dk.news
Notice that I am using the selector news, separate from the selector
my mail server uses to sign outgoing email (mail). This way I don't
have to share, and keep in sync, private keys between the machines.
Make sure the generated private key, koldfront.dk.news.private is
owned by opendkim.opendkim and has permissions -rw-------.
Also generated by the command is a file called koldfront.dk.news.txt,
this contains the information that goes in DNS.
Update DNS
I run my own DNS servers, so I copied the content of the .txt file to my
bind zonefile /etc/bind/db.koldfront.dk, with a slight adjustment to
the "hostname". I think that is necessary because of the -s argumen I
gave opendkim-genkey - I had to change koldfront.dk.news._domainkey IN TXT to news._domainkey.koldfront.dk. IN TXT.
After remembering to bump the serial field in the zonefile, it's just a
matter of telling bind to reload the zone, so it can be resigned for
DNSSEC and distributed to the two other DNS servers, i.e. rndc reload koldfront.dk IN internet.
Integration in Gnus
The final step is to make Gnus sign outgoing news articles - to do that
I added a function to the message-send-news-hook, which runs
opendkim, as the opendkim user, on the article, and adds the header
generated to it.
(add-hook 'message-send-news-hook 'asjo-add-dkim-signature)
(defun asjo-add-dkim-signature ()
"Add a DKIM-signature: header"
(save-excursion
(message-goto-eoh)
(insert (asjo-generate-dkim-signature))))
(defun asjo-generate-dkim-signature ()
"Genedate DKIM signature from current buffer by calling opendkim."
(save-excursion
(shell-command-on-region (point-min) (point-max) "sudo -u opendkim /usr/sbin/opendkim -bs -t - | awk 'NR > 1' | sed 's/\r//'" " *asjo-generate-dkim-output")
(with-current-buffer " *asjo-generate-dkim-output"
(buffer-string))))
The thing I missed in the first iteration was that opendkim outputs
lines ending with \r\n, and Gnus expects just \n in the article buffer,
so I had to strip them.
I found this when I posted to an nntp-based blog-engine I am developing, which balked at the line endings!
Conclusion
When I write to the Emacs development list via Gmane/nntp, the From:-lines are no longer munged, as that is only necessary if SPF fails (it does almost by definition for a mailing list forwarding emails) and there were no DKIM-signature - and I've now added the latter.
Success!
Unfortunately it's not really feasible for this to work "out-of-the-box" in a news reader, because the public key needs to be added to DNS, which - while simple - is not something the news reader can do automatically.
I guess the installation could be made "less systemwide" by having the key in my home directory and using a configuration referring to that, but since I'm the primary user of my laptop, it's fine.
Add comment
How to in excruciating detail…
To avoid spam many websites make you fill out a CAPTCHA, or log in via an account at a corporation such as Twitter, Facebook, Google or even Microsoft GitHub.
I have chosen to use a more old school method of spam prevention.
To post a comment here, you need to:
- Configure a newsreader¹ to connect to the server
- Open the newsgroup called
¹ Such as Thunderbird, Pan, slrn, tin or Gnus (part of Emacs).koldfront.dkon port1119using nntps (nntp over TLS).lantern.koldfrontand post a follow up to the article.Or, you can fill in this form: