
dknewkey.8

Manvendra Bhangui edited this page Dec 13, 2024 · 9 revisions

NAME

dknewkey - create a new domain key

SYNOPSIS

dknewkey [-t type] [-d domain | --domain domain] [-b | --bits bits] [-f | --force] [-e | --enforce] selector

or

dknewkey [-p | --print] [-d domain | --domain domain] [selector]

or

dknewkey [-r | --remove] [-d domain | --domain domain] selector

DESCRIPTION

dknewkey generates new DKIM keys and prints the associated DNS record (public key) on stdout. For RSA keys, it defaults to a 2048 bit key size; this is controlled by the bits variable. ed25519 keys have a fixed size. For RSA keys, k=sha256 is now included in the public DNS record to prevent inadvertent use with the now obsolete sha1 hash algorithm (see RFC 8301).

selector is the file which will hold the private key. Additionally, selector.pub containing the public key will be created. bits is the number of bits in the key. If not specified, it defaults to 1024. To implement domainkeys, use envrules in qmail-smtpd or spawn-filter to set the DKSIGN or DKIMSIGN variable to the path of the signature file holding the private key.

dknewkey uses the following openssl commands to generate the private/public keys:

  • openssl genrsa -out selector bits # for RSA

  • openssl genpkey -algorithm Ed25519 -out selector # for Ed25519

  • openssl rsa -in selector -out selector.pub -pubout -outform PEM

When run as root, dknewkey creates the private and public key files owned by root:qcerts, with mode 0640 for the private key. This ensures that only the root user, or users having qcerts as a supplementary group, can read the private key.

OPTIONS

-p | --print
Print the DKIM public key for selector selector and domain domain. If selector is not provided, all selectors will be printed. If domain is not provided, all selectors for all domains will be printed.

-r | --remove
Remove the DKIM keys for selector selector and domain domain.

-t type | --type type
Key type to use. Valid values are rsa and ed25519. Defaults to rsa.

-d domain | --domain domain
Domain name for the DKIM key. The private key file selector and the public key file selector.pub will be created in the directory /etc/indimail/control/domainkeys/domain.

If this is not specified, the private key file selector and the public key file selector.pub will be created in the directory /etc/indimail/control/domainkeys.

-b | --bits keysize
Specify the key size for the DKIM record. Default is 1024.

-f | --force
Force creation of the DKIM key even if it already exists. Without this, dknewkey will not overwrite an existing DKIM key.

-e | --enforce
Create a production key. The published selector record will not carry the t=y (testing mode) flag.
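EXAMPLE

The following shell script is an added example, not code from this page or from the indimail project. It shows what the printed DNS record is built from: it turns a selector.pub PEM file (the output of openssl ... -pubout described above) into the DKIM TXT record, adds t=y unless a production key is requested (the -e/--enforce behaviour above), and splits the result into 255-character strings, which a 2048-bit RSA key always needs. The function names and the placeholder key material are assumptions of this example.

```shell
# Added example (not from the dknewkey page or indimail): build the DKIM DNS TXT
# record from a selector.pub PEM file ("openssl ... -pubout" output) and split it
# into 255-character strings, the most a single DNS TXT string may hold.

pem_to_b64() { grep -v -- '-----' "$1" | tr -d '\n\r '; }   # strip PEM armour

# dkim_p_value TYPE PUBFILE: the p= tag. RSA publishes the whole
# SubjectPublicKeyInfo; Ed25519 (RFC 8463) publishes only the raw 32-byte key.
# The Ed25519 SPKI prefix is 12 DER bytes, so in base64 it is exactly the first
# 16 characters and the remainder is the base64 of the raw key.
dkim_p_value() {
    b64=$(pem_to_b64 "$2")
    case "$1" in
        rsa) printf '%s' "$b64" ;;
        ed25519) case "$b64" in
            MCowBQYDK2VwAyEA*) printf '%s' "$b64" | cut -c17- ;;
            *) echo "not an Ed25519 public key: $2" >&2; return 1 ;;
        esac ;;
        *) echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# dkim_record TYPE PUBFILE MODE: print the quoted TXT strings on one line.
# MODE "test" adds t=y (what the page says dknewkey emits unless -e/--enforce
# is given); "prod" omits it. RSA records carry h=sha256 (RFC 8301).
dkim_record() {
    p=$(dkim_p_value "$1" "$2") || return 1
    rec="v=DKIM1; k=$1"
    [ "$1" = rsa ] && rec="$rec; h=sha256"
    [ "$3" = test ] && rec="$rec; t=y"
    printf '%s\n' "$rec; p=$p" | fold -w 255 | sed 's/.*/"&"/' | paste -s -d ' ' -
}

# Constructed sample inputs: placeholder key material, not real keys.
write_sample_rsa_pub() {   # 392 base64 chars, the size of a 2048-bit RSA SPKI
    {
        echo '-----BEGIN PUBLIC KEY-----'
        echo 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAQUJDREVGR0hJSktMTU5P'
        for i in 1 2 3 4 5; do
            echo 'QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2'
        done
        echo 'AQIDAQAB'
        echo '-----END PUBLIC KEY-----'
    } > "$1"
}
write_sample_ed25519_pub() {   # raw key bytes "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef"
    printf '%s\n' '-----BEGIN PUBLIC KEY-----' \
        'MCowBQYDK2VwAyEAQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWY=' \
        '-----END PUBLIC KEY-----' > "$1"
}
```

Run dkim_record rsa selector.pub prod on a real selector.pub to get the strings to paste into the selector._domainkey TXT record; resolvers concatenate the quoted strings.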

SEE ALSO

qmail-dkim(8), qmail-smtpd(8), qmail-queue(8), spawn-filter(8), dkim(8), openssl(1)
