• DKIM Support

    From Brian Klauss@1:103/705 to GitLab issue in main/sbbs on Wed Feb 3 23:33:23 2021
    open https://gitlab.synchro.net/main/sbbs/-/issues/215

    Support DKIM for in and outbound messaging.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Michael J. Ryan@1:103/705 to GitLab note in main/sbbs on Fri Feb 5 08:07:00 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1473

    For those that may be looking and find this issue... if you are using your own domain, and can control DNS, you can set up your outbound to relay through SendGrid (or Mailgun). Most BBSes will be within their free tier. Just make sure to also set the right options flags in sbbs.ini in addition to the relay entries.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Bob Roberts@1:103/705 to Michael J. Ryan on Fri Feb 5 14:07:38 2021
    Re: DKIM Support
    By: Michael J. Ryan to GitLab note in main/sbbs on Fri Feb 05 2021 08:07 am

    For those that may be looking and find this issue... if you are using your own domain, and can control DNS, you can set up your outbound to relay through SendGrid (or Mailgun). Most BBSes will be within their free tier.

    How do you handle inbound SMTP? My ISP blocks port 25, so I have to relay it to a different port via a middle man.

    ---
    ■ Synchronet ■ Halls of Valhalla =San=Francisco= hovalbbs.com:2333
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to Bob Roberts on Fri Feb 5 17:18:21 2021
    Re: DKIM Support
    By: Bob Roberts to Michael J. Ryan on Fri Feb 05 2021 02:07 pm

    Re: DKIM Support
    By: Michael J. Ryan to GitLab note in main/sbbs on Fri Feb 05 2021 08:07 am

    For those that may be looking and find this issue... if you are using your own domain, and can control DNS, you can set up your outbound to relay through SendGrid (or Mailgun). Most BBSes will be within their free tier.

    How do you handle inbound SMTP? My ISP blocks port 25, so I have to relay it to a different port via a middle man.

    For the unfortunate: https://wiki.synchro.net/howto:vert_mx
    --
    digital man

    Rush quote #26:
    Too many hands on my time, too many feelings, too many things on my mind
    Norco, CA WX: 63.9°F, 49.0% humidity, 7 mph ENE wind, 0.00 inches rain/24hrs
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Tracker1@1:103/705 to Bob Roberts on Mon Feb 8 17:49:51 2021
    On 2/5/2021 3:07 PM, Bob Roberts wrote:
    How do you handle inbound SMTP? My ISP blocks port 25, so I have
    to relay it to a different port via a middle man.

    If you're using synchro.net's dyndns support, you can ask Digital Man to
    relay to you on port 25; if you're using your own DNS, then you can still
    set up dynamic DNS with synchro.net and have your main domain's MX point
    to DM to direct through to you. Note: you can also relay out through vert
    as well, if you're using *.synchro.net for your BBS mail.

    Alternatively, would suggest considering a $5-10 VPS to run the BBS on, assuming you're familiar/comfortable with Linux.
    --
    Michael J. Ryan (tracker1)
    +o roughneckbbs.com
    ---
    ■ Synchronet ■ Roughneck BBS - roughneckbbs.com
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to GitLab issue in main/sbbs on Sun Feb 14 12:48:21 2021
    close https://gitlab.synchro.net/main/sbbs/-/issues/215
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab note in main/sbbs on Sun Feb 14 13:26:40 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1595

    Why closed with no comment?
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Rob Swindell@1:103/705 to GitLab issue in main/sbbs on Mon Feb 15 21:07:25 2021
    reopen https://gitlab.synchro.net/main/sbbs/-/issues/215

    Support DKIM for in and outbound messaging.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 12:04:10 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1610

    Why created with no comments? There's no mention of what DKIM is, why Synchronet would benefit from supporting it, any sort of idea of what that support would look like, what Synchronet should do when authentication fails, etc. This "issue" has no actionable information in it, it's just a request that a developer do a bunch of work for no stated reason.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Brian Klauss@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 12:56:26 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1615

    You make a valid point, I should've added more commentary in it. The advantage of DKIM is to ensure a full chain of trust for a message. If we send a message outbound, that message today may be validated with an SPF (DNS TXT record), maybe even a DMARC (DNS TXT record), but the DKIM comes directly from the source as well as a selector key in DNS (TXT record). By adding DKIM, the receiver knows that the message is authentic. To the same point, any incoming message can also be validated utilizing the reverse methodology.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 14:02:32 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1616

    How do you imagine the private key being managed and the DNS record published? Currently there are two private keys in Synchronet, the SSH and the SSL ones. In both of these cases, they're generated on demand and encrypted with the sysop password. The TXT record needs to have propagated before DKIM signatures are valid, so generating on demand doesn't make a lot of sense. Further, Synchronet isn't a DNS server and doesn't update DNS records currently except for the .synchro.net domain via the dynamic DNS script.

    On the incoming side, if the message does not validate, what action should be taken? When should the verification be done? How should this information be presented in the BBS interface?

    If we're going to sign and validate messages, why not add PGP support instead of DKIM? Don't we care more about the person sending the email than the system claiming to originate it?

    > The advantage of DKIM is to ensure a full chain of trust for a message.

    It seems like it's a signature added on submission, so the chain ends at the email server itself.

    > the receiver knows that the message is authentic.

    Where "authentic" means "sent via the email server at a given domain". While this isn't nothing, I'm not sure it's very much either. How is the lack of this authentication presented to users? How does this vary from the authentication failing? That is to say, if the DNS record is obsolete, does it look worse to the end user if the DKIM fails than if it's simply not present?
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Brian Klauss@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 15:04:24 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1617

    Instead of having an argument about the merits of DKIM, please read [this](http://dkim.org). Honestly, no one cares about PGP, but more and more mail servers are looking for SPF, DMARC, and DKIM.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 15:21:43 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1618

    Ok, so to be clear, by ignoring the first two paragraphs of my comment, you're saying that you have no idea what support for DKIM would/should look like in Synchronet and by brushing off the last half of my comment you're saying that you have no interest in explaining why adding support to Synchronet would be worth the effort? I just want to be sure I understand your position here.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Brian Klauss@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 15:48:19 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1619

    No, I understand where you are coming from. I will explain.

    The private key can be created with either OpenSSL or a Synchronet-based variant. This would be stored in SBBSCTRL. The public key, which would also be stored in SBBSCTRL, would require the Sysop to manually add it to their DNS configuration for their domain.

    All outgoing messages would be signed with the public key and the specific selector defined within a DKIM configuration file we'd also store in SBBSCTRL.

    All inbound messages would be checked for SPF, DMARC, and DKIM based upon the selector and public key incorporated in the message. If the message passes each, the message's reputation is increased. If it fails, message reputation decreases.

    For example, here is a message sent via my BBS to my personal e-mail address on Gmail. I am using SendGrid for DKIM support:

        Delivered-To: brklauss@gmail.com
        Received: by 2002:a05:600c:19c9:0:0:0:0 with SMTP id u9csp2534343wmq;
            Tue, 16 Feb 2021 15:39:59 -0800 (PST)
        X-Google-Smtp-Source: ABdhPJx7xkH71Ok7TfzUHEPQwaxQwdOpjL7wj4e/53ift4wl6c0IkcQLu0eDaXB1URURWjUgJ/Vf
        X-Received: by 2002:aa7:c78e:: with SMTP id n14mr23321838eds.31.1613518799034;
            Tue, 16 Feb 2021 15:39:59 -0800 (PST)
        ARC-Seal: i=1; a=rsa-sha256; t=1613518799; cv=none; d=google.com; s=arc-20160816;
            b=GxkQ31+vcB2ZSuXQ1TtXjUIMdd4hpk7Umg3IAza/hOWfEm3uyAJJP8RShg24BAgaNa
            YdNLsVzUO8BN6kRz/zwuhyZpiMm1e0brZJ1PPrt8Xml+IbdIG1j9fDgnFwrJ37gl1ulR
            oOSSaPXD0qz/JB+9MVBuChBSuBohvV2MNmf+V3WGWXGKhAA+UYGGIIBcF6KlOlnHiL3i
            y+Vb6IMCAnRvFuRBWYXIMRPRWHBaAVC2u3QxdiTX3kEhTIKrfceTbU62QF0gXIMAdTZ8
            KjJmE6zoshURsG6UcR6umEebk5BtWzYRs1xjU8C+h94IzMcCpLkhzRtzN+55IkcZVqgY
            3cQw==
        ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
            h=content-transfer-encoding:to:message-id:subject:organization:from
            :date:dkim-signature:dkim-signature;
            bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
            b=WZiFmVHfCFBdxrsXt5rMgoxpCN2GjEcO9TAHesf/YTAUhR5utkTKrLUTauNcUROKxe
            0EfEzSI6Gr9LfZ+PMLxMUErfTjb4MpTBhKyIZpeYSpOfc9iUTiFbGgUCDjJnIV2w92Tn
            xSn/KpdpjeWuh4ePlj7DVhJ7OSUAifeFDNNN7jaqATbeaww+ob8xiEtQJL6/0GrA6UcE
            KBheFJ+D58HKrBQrmaM14jcjEEgTVIDyFxWW/oPhizwqSfeB2BIeZimk1ryyWIhtOyXd
            M9Kc4RqbMNQ26FcC7a3C94xFbyfA1y0lxARyUQKu7hyR5MLBF17X9AFxQNDqIHlIi405
            D2Mw==
        ARC-Authentication-Results: i=1; mx.google.com;
            dkim=pass header.i=@caughtinadream.com header.s=s1 header.b=dosxvfjP;
            dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=dQZYKBps;
            spf=pass (google.com: domain of bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com designates 149.72.167.211 as permitted sender) smtp.mailfrom="bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com";
            dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=caughtinadream.com
        Return-Path: <bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com>
        Received: from wrqvxtdp.outbound-mail.sendgrid.net (wrqvxtdp.outbound-mail.sendgrid.net. [149.72.167.211])
            by mx.google.com with ESMTPS id cf25si350650ejb.193.2021.02.16.15.39.58
            for <brklauss@gmail.com>
            (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
            Tue, 16 Feb 2021 15:39:58 -0800 (PST)
        Received-SPF: pass (google.com: domain of bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com designates 149.72.167.211 as permitted sender) client-ip=149.72.167.211;
        Authentication-Results: mx.google.com;
            dkim=pass header.i=@caughtinadream.com header.s=s1 header.b=dosxvfjP;
            dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=dQZYKBps;
            spf=pass (google.com: domain of bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com designates 149.72.167.211 as permitted sender) smtp.mailfrom="bounces+20263340-0b30-brklauss=gmail.com@mx1.caughtinadream.com";
            dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=caughtinadream.com
        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=caughtinadream.com;
            h=from:subject:x-feedback-id:to:content-type:content-transfer-encoding;
            s=s1; bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
            b=dosxvfjPzEFqit0KF7ENjoQz7mCdIl7ZHaEawzS+iYneT0GpDvzqjxp4f0GVABVx/IJ4
            gfBzUQ5GSYt6klOtJbzAKFe+dbHAA02kaCSz6e6AR37jCEvirseo5RQtDvyrDkpFIS9uQx
            jX2nuQf/kYh1SQTfcs2s8bZZ6HYdXMOI0=
        DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.info;
            h=from:subject:x-feedback-id:to:content-type:content-transfer-encoding;
            s=smtpapi; bh=wE7NXSkgnx9PGiavN4OZhJztvkqPDlemV3OGuEnLwNo=;
            b=dQZYKBpsaKciWFvBWJ1xJZr7x24lS9jFLheyNdQJiA8ZOgGMJGOkJ7YMz7+FNzgXRrLA
            Df3SWM0oPoKcoORBtMnt7DKiHb4O2Kwmf4PXwp81k9bE8Rygcb9WJFfPnzC/FwWyl5g1it
            JeK4TDAUK2p9ur2gxR1HoN21/UJ/Ci+Ck=
        Received: by filterdrecv-p3las1-c477c4585-j7t5v with SMTP id filterdrecv-p3las1-c477c4585-j7t5v-19-602C57CD-28
            2021-02-16 23:39:57.325399191 +0000 UTC m=+607919.338513971
        Received: from caughtinadream.com (unknown) by ismtpd0007p1sjc2.sendgrid.net (SG) with ESMTP id tCRoSjJoQRuGrc9yiqr2mw
            for <brklauss@gmail.com>; Tue, 16 Feb 2021 23:39:57.106 +0000 (UTC)
        Date: Tue, 16 Feb 2021 23:39:57 +0000 (UTC)
        From: Brian Klauss <Brian.Klauss@caughtinadream.com>
        Organization: Caught in a Dream
        Subject: Test Message
        Message-ID: <602C57CB.35@caughtinadream.com>
        X-Originator-Info: account=1; login-id=Dream Master; server=caughtinadream.com; client=c-73-217-59-236.hsd1.co.comcast.net; addr=73.217.59.236; prot=Telnet; port=52531; time=20210216233932Z
        X-FTN-PID: Synchronet 3.18c-Linux master/5379321a7 Feb 8 2021 GCC 7.3.1
        X-Feedback-ID: 20263340:SG
        X-SG-EID: =?us-ascii?Q?dkvBTF00wWJ1U=2FXqF+eOSrBY5UyTMov7GLjiYXu6uW9eVdxubzIqXmQhxj750p?=
            =?us-ascii?Q?AHlCxTknN6Wcryw2H4BdSwaOapGjw50rInLGE9n?=
            =?us-ascii?Q?cbGb=2Fp6oRNu=2FER9vQGHHh7kq2jDp9mcUN=2FjAJN9?=
            =?us-ascii?Q?N38t19Csbjh7G+DaaDUGTeF9dz4YT2EloJvyvwf?=
            =?us-ascii?Q?KHJAwiC6RL5JoCDG+Ub5g+wL8k3UfyzqTHHsFaL?=
            =?us-ascii?Q?mnyEWB71sM82i0SForTI1qCKEGneHdfpNqHce1e?=
            =?us-ascii?Q?kW0W83yqrzXMcV3Dl11xQ=3D=3D?=
        To: brklauss <brklauss@gmail.com>
        X-Entity-ID: 9SDT/t7dA4TjvOpqwqLxJQ==
        Content-Type: text/plain; charset=us-ascii
        Content-Transfer-Encoding: 7bit

        This is a test message.

    As you can see, the DKIM signature is part of the message envelope.

    My DNS records for DKIM include the following (and because I am having it hosted on SendGrid):

        s1._domainkey.caughtinadream.com CNAME s1.domainkey.u20263340.wl091.sendgrid.net
        s2._domainkey.caughtinadream.com CNAME s2.domainkey.u20263340.wl091.sendgrid.net

    The s1 and s2 are the selectors for the DKIM public keys.

    The answer for s1 is:

        s1.domainkey.u20263340.wl091.sendgrid.net. 1800 IN TXT "k=rsa; t=s; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCWgFE3NLmoljx9/R/iA8J2Jig76jGymxBP17FUYAA6ZBtKXqb6S05QovodpvqC0DltrJOA7IFbZCljdiTQ4QO80GzvY6w5SkYCkcS5bvUlDWSY9CsTIsZqOC8ho8QJhlcdnluwK7sOC5frHAeCBxBMMhcXvu3MZ+Qh6NcWChDGVQIDAQAB"

    The hash and key match, so the message is valid. If it doesn't, the message isn't valid.

    Did I answer everything this time?

    Brian...
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
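    A worked example of the checks behind the headers in the post above, added here and not code from the thread or from Synchronet: relaxed canonicalisation (the c=relaxed/relaxed tag), the bh= body hash, the exact header string that b= signs, and the state of a selector TXT record, where an empty p= means a revoked key (the "obsolete DNS record" case raised earlier in the thread). The message body, headers, domain and selector are constructed samples; verifying b= itself additionally needs the p= RSA key and an RSA library, which this block does not include.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Split a DKIM tag=value list (RFC 6376 section 3.2) into a dict, dropping folding whitespace."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def relaxed_body(body):
    """Relaxed body canonicalisation: trim trailing WSP, collapse WSP runs, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)

def body_hash(body):
    """The bh= tag: base64(sha256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()

def relaxed_header(name, value):
    """Relaxed header canonicalisation: lowercase name, unfold, collapse WSP, trim."""
    return name.lower() + ":" + re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip() + "\r\n"

def signed_data(headers, sig_value):
    """Reassemble the exact string b= signs; the selector's p= key verifies the signature over it."""
    used, out = {}, ""
    for name in parse_tags(sig_value)["h"].lower().split(":"):
        matches = [val for hname, val in headers if hname.lower() == name]
        seen = used.get(name, 0)
        if seen < len(matches):  # RFC 6376 5.4.2: repeated names are taken bottom-up
            out += relaxed_header(name, matches[-1 - seen])
        used[name] = seen + 1
    # the DKIM-Signature itself is appended with an empty b= and without its trailing CRLF
    emptied = re.sub(r"(?<!\w)b=[^;]*", "b=", sig_value)
    return out + relaxed_header("DKIM-Signature", emptied).rstrip("\r\n")

def body_hash_matches(sig_value, body):
    """False as soon as the body no longer matches bh=; checking b= is pointless after that."""
    return parse_tags(sig_value).get("bh") == body_hash(body)

def key_record_status(txt):
    """Selector TXT record state: an empty p= means the key was revoked and signatures must fail."""
    tags = parse_tags(txt)
    return "malformed" if "p" not in tags else ("revoked" if tags["p"] == "" else "ok")

# Constructed sample (not the thread's real message); bh= comes from body_hash(), a real b= needs the RSA key
SAMPLE_BODY = "This is a test message.  \r\n\r\n\r\n"
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; h=from:subject:to; "
              "bh=" + body_hash(SAMPLE_BODY) + "; b=SIGNATURE_GOES_HERE")
```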
  • From Deucе@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 16:29:34 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1621

    Ok so for the receive side, it seems like this can be easily provided using a mail filter such as the included SpamAssassin client. I'm not sure that there's any advantage to having the support baked into Synchronet, especially since there would be multiple reputation sources all of which need to be balanced against each other, and I don't think Synchronet has that concept at this time.

    As for the transmit side, it looks like there's a number of SMTP relays (such as amavisd-new) that handle DKIM signing. These should be easy to use with the Synchronet relay server settings, so it's not clear what adding the support to Synchronet would add to such a setup.

    So the only real outstanding question is why Synchronet should get a new DKIM implementation rather than using the already existing solutions? What advantages would there be since DKIM would be disabled by default and require manual configuration anyway?
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Deucе@1:103/705 to GitLab note in main/sbbs on Tue Feb 16 16:45:02 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1622

    Actually, looking through the software link on the page you provided, there's a number of two-way SMTP proxies that would do all the DKIM "stuff" in one package.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Michael J. Ryan@1:103/705 to GitLab note in main/sbbs on Thu Feb 18 10:43:35 2021
    https://gitlab.synchro.net/main/sbbs/-/issues/215#note_1627

    I would make one suggestion... if you're using synchro.net dyndns, it would be nice if the public key could be sent as part of the update, so that synchro.net dns can add it directly. Maybe even add an SPF record with `SPF A ~ALL` or similar. Would do a lot for being able to better support bbses using that system.

    As to why, similar to why integrate letsencrypt, when there are/were existing solutions to generate keys and reverse-proxy even over adding https for example. To make it easier for those sysops using synchronet to integrate the security measures.

    Also, many of the major mail providers are less likely to send DKIM signed messages to the spam bucket, or outright deny the email altogether. I'm using an outbound relay for this myself, but can see the reasoning behind having the option in the box.
    --- SBBSecho 3.12-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)