X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/2a9d222af6d22606b62557b74e41b6e0e583edf8..4fe4d0b16321e3af984c3e595aaafbf60a0d0259:/doc/doc-docbook/spec.xfpt diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 726f3af8a..814afc1eb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11595,10 +11595,15 @@ preserve some of the authentication information in the variable user/password authenticator configuration might preserve the user name for use in the routers. Note that this is not the same information that is saved in &$sender_host_authenticated$&. + When a message is submitted locally (that is, not over a TCP connection) the value of &$authenticated_id$& is normally the login name of the calling process. However, a trusted user can override this by means of the &%-oMai%& command line option. +.new +This second case also sets up inforamtion used by the +&$authresults$& expansion item. +.wen .vitem &$authenticated_fail_id$& .cindex "authentication" "fail" "id" @@ -38932,6 +38937,21 @@ is set. .endlist .new +To generate keys under OpenSSL: +.code +openssl genrsa -out dkim_rsa.private 2048 +openssl rsa -in dkim_rsa.private -out /dev/stdout -pubout -outform PEM +.endd +Take the base-64 lines from the output of the second command, concatenated, +for the DNS TXT record. +See section 3.6 of RFC6376 for the record specification. + +Under GnuTLS: +.code +certtool --generate-privkey --rsa --bits=2048 --password='' -8 --outfile=dkim_rsa.private +certtool --load-privkey=dkim_rsa.private --pubkey-info +.endd + Note that RFC 8301 says: .code Signers MUST use RSA keys of at least 1024 bits for all keys. @@ -38947,18 +38967,16 @@ for some transition period. The "_CRYPTO_SIGN_ED25519" macro will be defined if support is present for EC keys. -As of writing, producing EC key materials is not well supported -by the major libraries. GnuTLS 3.6.0 can create a private key: +OpenSSL 1.1.1 and GnuTLS 3.6.0 can create Ed25519 private keys: .code +openssl genpkey -algorithm ed25519 -out dkim_ed25519.private certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private .endd -To help in producing the required public key value for a DNS record -the release package &_util/_& directory contains source for a utility -buildable with GnuTLS 3.6.0; -use it like this: +To produce the required public key value for a DNS record: .code -ed25519_privkey_pem_to_pubkey_raw_b64 dkim_ed25519.private +openssl pkey -outform DER -pubout -in dkim_ed25519.private | tail -c +13 | base64 +certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64 .endd .wen