Implement DKIM signing support

This support is based on github.com/foxcpp/go-msgauth fork until
emerison/go-msgauth#13 gets merged.

Further extensions are required to make sure only messages we can
actually "take responsibility for" are signed.

RSA-2048 is used as a default algorithm when generating new keys.
RSA-4096 can cause trouble with UDP-only DNS due to responses being
bigger than 512 octets. RSA-1024 is too weak and explicitly
disallowed in maddy for new keys. It could be possible to use Ed25519
but support is not widely deployed yet (according to warning in rspamd
docs dated 2019-09). Users concerned about security of RSA-2048 can
switch to RSA-4096 or Ed25519, keeping relevant problems in mind.

Ed25519 key format uses PKCS#8, this seems to be different from other
implementations that just dump key material into a file without any
wrapping. Interoperability is not considered to encourage key
rotation when migration, which is a good thing to do anyway.

There is no option to use "body limit", since it is dangerous
and go-msgauth/dkim does not support it for signing.

The default set of signed header fields is the list used by rspamd.
Most "core" fields are oversigned to provide strict integrity.
"Conditional oversigning" similar to rspamd is not implemented, though
it may be useful, further research is required.

Multi-tentant configuration with DKIM and DMARC is much more verbose,
configuration example is added to config.d/multitentant-dkim.conf to
explain how to make it work.

.gitignore

@@ -25,9 +25,6 @@ cmd/maddy/maddy
 cmd/maddyctl/maddyctl
 cmd/maddy-*-helper/maddy-*-helper
 
-# Config files
-*.conf
-
 # Certificates and private keys.
 *.pem
 *.crt

README.md

@@ -32,13 +32,14 @@ have any questions or just want to talk about maddy.
 - Minimal configuration changes required to get almost complete email stack running
 - [MTA-STS](https://www.hardenize.com/blog/mta-sts) support
 - DNS sanity checks for incoming deliveries
-- Built-in [DKIM](https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/) verification support
+- Built-in [DKIM](https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/)
+  verification and signing support
 - [Subaddressing](https://en.wikipedia.org/wiki/Email_address#Sub-addressing)
   (aka plus-addressing) support
 
 Planned features:
 - Built-in [DKIM](https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/) signing
-- [DMRAC](https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/) policy support
+- [DMARC](https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/) policy support
 - Built-in [backscatter](https://en.wikipedia.org/wiki/Backscatter_(e-mail)) mitigation
 - Address aliases support
 - DANE support
@@ -184,6 +185,15 @@ directives below.
 Note that it will require users to specify the full address as a username when
 logging in.
 
+### DKIM & DMARC
+
+DMARC requires domain specified in From header to match domain used to make
+the DKIM signature. This gets tricky with default configuration that signs
+all messages with a single key. However, this is possible to configure
+maddy to use different keys, it is just a bit verbose. 
+See [config.d/multitentant-dkim.conf](config.d/multitentant-dkim.conf) for
+example of such configuration.
+
 ## maddyctl utility
 
 To manage virtual users, mailboxes and messages maddyctl utility

config.d/multitentant-dkim.conf

@@ -0,0 +1,60 @@
+$(local_domains) = example.org example.com
+
+(submission_delivery) {
+	destination $(local_domains) {
+		deliver_to local_mailboxes
+	}
+	default_destination {
+		deliver_to remote_queue
+	}
+}
+
+submission tls://0.0.0.0:465 {
+	auth local_authdb
+
+	# Handle messages from example.org according to this block.
+	source example.org {
+		modify {
+			# Sign messages using example.org key with default selector.
+			sign_dkim example.org default
+		}
+		import submission_delivery
+	}
+
+	# Handle messages from example.com according to this block.
+	source example.com {
+		modify {
+			# Sign messages using example.org key with default selector
+			sign_dkim example.com default
+		}
+		import submission_delivery
+	}
+
+	# ... etc, duplicate this block for all domains you handle messages for ...
+
+	default_source {
+		reject
+	}
+}
+
+## These blocks are defined in default configuration
+## we include them for completeness.
+
+sql local_mailboxes local_authdb {
+	driver sqlite3
+	dsn example.db
+}
+queue remote_queue {
+    target remote
+    bounce {
+        destination $(local_domains) {
+            deliver_to local_mailboxes
+        }
+        default_destination {
+            reject 550 5.0.0 "Refusing to send DSNs to non-local addresses"
+        }
+    }
+}
+remote {
+	authenticate_mx mtasts dnssec
+}

go.mod

@@ -28,3 +28,5 @@ require (
 	google.golang.org/appengine v1.6.2 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 )
+
+replace github.com/emersion/go-msgauth => github.com/foxcpp/go-msgauth v0.2.1-0.20191026194926-ce292b9df55e

go.sum

@@ -64,6 +64,8 @@ github.com/foxcpp/go-imap-sql v0.3.2-0.20191013180616-e44020418817 h1:Am+dCUvt/w
 github.com/foxcpp/go-imap-sql v0.3.2-0.20191013180616-e44020418817/go.mod h1:ooCDdmcUlEhvNl57ROzeZTpqJuoMP3HNd03kemcF4AE=
 github.com/foxcpp/go-imap-sql v0.3.2-0.20191013200128-9f708775d60a h1:bxaVAOKzjZwUguQ2n8TxZxJY41/Ii15seh8v+0OAUyM=
 github.com/foxcpp/go-imap-sql v0.3.2-0.20191013200128-9f708775d60a/go.mod h1:ooCDdmcUlEhvNl57ROzeZTpqJuoMP3HNd03kemcF4AE=
+github.com/foxcpp/go-msgauth v0.2.1-0.20191026194926-ce292b9df55e h1:3BiGBbt1vAR25ycdDf+f7rAKmHHc32QIZJhR9FzTCC4=
+github.com/foxcpp/go-msgauth v0.2.1-0.20191026194926-ce292b9df55e/go.mod h1:7r9HUSXL1dq+KK7Xqg0JlyBxNFGf5+JouRvSz4wBZCQ=
 github.com/frankban/quicktest v1.5.0/go.mod h1:jaStnuzAqU1AJdCO0l53JDCJrVDKcS03DbaAcR7Ks/o=
 github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=

maddy.conf

@@ -7,7 +7,9 @@ tls cert_file_path pkey_file
 # server.
 hostname mx1.example.org
 
-# Primary domain is used as a sender of autogenerated messages.
+# Primary domain is used as a sender of autogenerated messages and
+# ADMD for DKIM signatures. You might want to change later when
+# managing multiple domains.
 $(primary_domain) = example.org
 
 # All domains we want to receive messages for.
@@ -70,6 +72,10 @@ submission tls://0.0.0.0:465 {
     # Use sql module for authentication.
     auth local_authdb
 
+    modify {
+    	sign_dkim $(primary_domain) default
+    }
+
     # All messages for the recipients at $(local_domains) should be
     # delivered to local mailboxes directly.
     destination $(local_domains) {

maddy.go

@@ -15,6 +15,7 @@ import (
 	_ "github.com/foxcpp/maddy/endpoint/imap"
 	_ "github.com/foxcpp/maddy/endpoint/smtp"
 	_ "github.com/foxcpp/maddy/modify"
+	_ "github.com/foxcpp/maddy/modify/dkim"
 	_ "github.com/foxcpp/maddy/storage/sql"
 	_ "github.com/foxcpp/maddy/target/queue"
 	_ "github.com/foxcpp/maddy/target/remote"

man/maddy-filters.5.scd

@@ -106,7 +106,7 @@ specified in EHLO/HELO command.
 By default, quarantines messages coming from servers with mismatched or missing
 PTR record, use 'fail_action' directive to change that.
 
-# DKIM authorization module (verify_dkim)
+# DKIM authentication module (verify_dkim)
 
 This is the check module that performs verification of the DKIM signatures
 present on the incoming messages.
@@ -163,6 +163,144 @@ Action to take when there are not valid signatures in a message.
 Note that DMARC policy of the sender domain can request more strict handling of
 broken DKIM signatures.
 
+# DKIM signing module (sign_dkim)
+
+sign_dkim module is a modifier that signs messages using DKIM
+protocol (RFC 6376).
+
+```
+sign_dkim {
+    debug no
+    domain example.org
+    selector default
+    key_path dkim-keys/{domain}-{selector}.key
+    oversign_fields ...
+    sign_fields ...
+    header_canon relaxed
+    body_canon relaxed
+    sig_expiry 120h # 5 days
+    hash sha256
+    newkey_algo rsa2048
+}
+```
+
+## Inline args 
+
+When inline definitions are used, domain and selector can be specified
+in arguments, so actual sign_dkim use can be shortened to the following: 
+```
+modify {
+    sign_dkim example.org selector
+}
+```
+
+## Configuration directives
+
+*Syntax*: debug _boolean_ +
+*Default*: global directive value
+
+Enable verbose logging for sign_dkim.
+
+*Syntax*: domain _string_ +
+*Default*: not specified
+
+*REQUIRED.*
+
+ADministrative Management Domain (ADMD) taking responsibility for signed
+messages. Should be specified either as a directive or as an inline
+argument.
+
+*Syntax*: selector _string_ +
+*Default*: not specified
+
+*REQUIRED.*
+
+Identifier of used key within the ADMD.
+Should be specified either as a directive or as an inline argument.
+
+*Syntax*: key_path _string_ +
+*Default*: dkim_keys/{domain}_{selector}.key
+
+Path to private key. It should be in PKCS#8 format wrapped in PAM encoding.
+If key does not exist, it will be generated using algorithm specified
+in newkey_algo.
+
+*Syntax*: oversign_fields _list..._ +
+*Default*: see below
+
+Header fields that should be signed n+1 times where n is times they are
+present in the message. This makes it impossible to replace field
+value by prepending another field with the same name to the message.
+
+Fields specified here don't have to be also specified in sign_fields.
+
+Default set of oversigned fields:
+- Subject
+- To
+- From
+- Date
+- MIME-Version
+- Content-Type
+- Content-Transfer-Encoding
+- Reply-To
+- Message-Id
+- References
+- Autocrypt
+- Openpgp
+
+*Syntax*: sign_fields _list..._ +
+*Default*: see below
+
+Header fields that should be signed n+1 times where n is times they are
+present in the message. For these fields, additional values can be prepended
+by intermediate relays, but existing values can't be changed.
+
+Default set of signed fields:
+- List-Id
+- List-Help
+- List-Unsubscribe
+- List-Post
+- List-Owner
+- List-Archive
+- Resent-To
+- Resent-Sender
+- Resent-Message-Id
+- Resent-Date
+- Resent-From
+- Resent-Cc
+
+*Syntax*: header_canon relaxed|simple +
+*Default*: relaxed
+
+Canonicalization algorithm to use for header fields. With 'relaxed', whitespace within
+fields can be modified without breaking the signature, with 'simple' no 
+modifications are allowed.
+
+*Syntax*: body_canon relaxed|simple +
+*Default*: relaxed
+
+Canonicalization algorithm to use for message body. With 'relaxed', whitespace within
+can be modified without breaking the signature, with 'simple' no 
+modifications are allowed.
+
+*Syntax*: sig_expiry _duration_ +
+*Default*: 120h
+
+Time for which signature should be considered valid. Mainly used to prevent 
+unauthorized resending of old messages.
+
+*Syntax*: hash _hash_ +
+*Default*: sha256
+
+Hash algorithm to use when computing body hash.
+
+sha256 is the only supported algorithm now.
+
+*Syntax*: newkey_algo rsa4096|rsa2048|ed25519 +
+*Default*: rsa2048
+
+Algorithm to use when generating new key.
+
 # Sender/recipient replacement modules (replace_sender, replace_rcpt)
 
 These are modules that simply replace matching address value(s) with another

modify/dkim/dkim.go

@@ -0,0 +1,282 @@
+package dkim
+
+import (
+	"crypto"
+	"errors"
+	"io"
+	"strings"
+	"time"
+
+	"github.com/emersion/go-message/textproto"
+	"github.com/emersion/go-msgauth/dkim"
+	"github.com/foxcpp/maddy/buffer"
+	"github.com/foxcpp/maddy/config"
+	"github.com/foxcpp/maddy/log"
+	"github.com/foxcpp/maddy/module"
+	"github.com/foxcpp/maddy/target"
+)
+
+const Day = 86400 * time.Second
+
+var (
+	oversignDefault = []string{
+		// Directly visible to the user.
+		"Subject",
+		"Sender",
+		"To",
+		"Cc",
+		"From",
+		"Date",
+
+		// Affects body processing.
+		"MIME-Version",
+		"Content-Type",
+		"Content-Transfer-Encoding",
+
+		// Affects user interaction.
+		"Reply-To",
+		"In-Reply-To",
+		"Message-Id",
+		"References",
+
+		// Provide additional security benefit for OpenPGP.
+		"Autocrypt",
+		"Openpgp",
+	}
+	signDefault = []string{
+		// Mailing list information. Not oversigned to prevent signature
+		// breakage by aliasing MLMs.
+		"List-Id",
+		"List-Help",
+		"List-Unsubscribe",
+		"List-Post",
+		"List-Owner",
+		"List-Archive",
+
+		// Not oversigned since it can be prepended by intermediate relays.
+		"Resent-To",
+		"Resent-Sender",
+		"Resent-Message-Id",
+		"Resent-Date",
+		"Resent-From",
+		"Resent-Cc",
+	}
+
+	hashFuncs = map[string]crypto.Hash{
+		"sha256": crypto.SHA256,
+	}
+)
+
+type Modifier struct {
+	instName string
+
+	domain         string
+	selector       string
+	signer         crypto.Signer
+	oversignHeader []string
+	signHeader     []string
+	headerCanon    dkim.Canonicalization
+	bodyCanon      dkim.Canonicalization
+	sigExpiry      time.Duration
+	hash           crypto.Hash
+
+	log log.Logger
+}
+
+func New(_, instName string, _, inlineArgs []string) (module.Module, error) {
+	m := &Modifier{
+		instName: instName,
+		log:      log.Logger{Name: "sign_dkim"},
+	}
+
+	switch len(inlineArgs) {
+	case 2:
+		m.domain = inlineArgs[0]
+		m.selector = inlineArgs[1]
+	case 0:
+		// whatever
+	case 1:
+		fallthrough
+	default:
+		return nil, errors.New("sign_dkim: wrong amount of inline arguments")
+	}
+
+	return m, nil
+}
+
+func (m *Modifier) Name() string {
+	return "sign_dkim"
+}
+
+func (m *Modifier) InstanceName() string {
+	return m.instName
+}
+
+func (m *Modifier) Init(cfg *config.Map) error {
+	var (
+		hashName        string
+		keyPathTemplate string
+		newKeyAlgo      string
+	)
+
+	cfg.Bool("debug", true, false, &m.log.Debug)
+	cfg.String("domain", false, false, m.domain, &m.domain)
+	cfg.String("selector", false, false, m.selector, &m.selector)
+	cfg.String("key_path", false, false, "dkim_keys/{domain}_{selector}.key", &keyPathTemplate)
+	cfg.StringList("oversign_fields", false, false, oversignDefault, &m.oversignHeader)
+	cfg.StringList("sign_fields", false, false, signDefault, &m.signHeader)
+	cfg.Enum("header_canon", false, false,
+		[]string{string(dkim.CanonicalizationRelaxed), string(dkim.CanonicalizationSimple)},
+		dkim.CanonicalizationRelaxed, (*string)(&m.headerCanon))
+	cfg.Enum("body_canon", false, false,
+		[]string{string(dkim.CanonicalizationRelaxed), string(dkim.CanonicalizationSimple)},
+		dkim.CanonicalizationRelaxed, (*string)(&m.bodyCanon))
+	cfg.Duration("sig_expiry", false, false, 5*Day, &m.sigExpiry)
+	cfg.Enum("hash", false, false,
+		[]string{"sha256"}, "sha256", &hashName)
+	cfg.Enum("newkey_algo", false, false,
+		[]string{"rsa4096", "rsa2048", "ed25519"}, "rsa2048", &newKeyAlgo)
+
+	if _, err := cfg.Process(); err != nil {
+		return err
+	}
+
+	if m.domain == "" {
+		return errors.New("sign_domain: domain is not specified")
+	}
+	if m.selector == "" {
+		return errors.New("sign_domain: selector is not specified")
+	}
+
+	m.hash = hashFuncs[hashName]
+	if m.hash == 0 {
+		panic("sign_dkim.Init: Hash function allowed by config matcher but not present in hashFuncs")
+	}
+
+	keyValues := strings.NewReplacer("{domain}", m.domain, "{selector}", m.selector)
+	keyPath := keyValues.Replace(keyPathTemplate)
+
+	signer, err := m.loadOrGenerateKey(m.domain, m.selector, keyPath, newKeyAlgo)
+	if err != nil {
+		return err
+	}
+	m.signer = signer
+
+	return nil
+}
+
+func (m *Modifier) fieldsToSign(h textproto.Header) []string {
+	// Filter out duplicated fields from configs so they
+	// will not cause panic() in go-msgauth internals.
+	seen := make(map[string]struct{})
+
+	res := make([]string, 0, len(m.oversignHeader)+len(m.signHeader))
+	for _, key := range m.oversignHeader {
+		if _, ok := seen[strings.ToLower(key)]; ok {
+			continue
+		}
+		seen[strings.ToLower(key)] = struct{}{}
+
+		// Add to signing list once per each key use.
+		for field := h.FieldsByKey(key); field.Next(); {
+			res = append(res, key)
+		}
+		// And once more to "oversign" it.
+		res = append(res, key)
+	}
+	for _, key := range m.signHeader {
+		if _, ok := seen[strings.ToLower(key)]; ok {
+			continue
+		}
+		seen[strings.ToLower(key)] = struct{}{}
+
+		// Add to signing list once per each key use.
+		for field := h.FieldsByKey(key); field.Next(); {
+			res = append(res, key)
+		}
+	}
+	return res
+}
+
+type state struct {
+	m    *Modifier
+	meta *module.MsgMetadata
+	log  log.Logger
+}
+
+func (m *Modifier) ModStateForMsg(msgMeta *module.MsgMetadata) (module.ModifierState, error) {
+	return state{
+		m:    m,
+		meta: msgMeta,
+		log:  target.DeliveryLogger(m.log, msgMeta),
+	}, nil
+}
+
+func (s state) RewriteSender(mailFrom string) (string, error) {
+	return mailFrom, nil
+}
+
+func (s state) RewriteRcpt(rcptTo string) (string, error) {
+	return rcptTo, nil
+}
+
+func (s state) RewriteBody(h textproto.Header, body buffer.Buffer) error {
+	id := s.meta.OriginalFrom
+	if !strings.Contains(id, "@") {
+		id += "@" + s.m.domain
+	}
+
+	opts := dkim.SignOptions{
+		Domain:                 s.m.domain,
+		Selector:               s.m.selector,
+		Identifier:             id,
+		Signer:                 s.m.signer,
+		Hash:                   s.m.hash,
+		HeaderCanonicalization: s.m.headerCanon,
+		BodyCanonicalization:   s.m.bodyCanon,
+		HeaderKeys:             s.m.fieldsToSign(h),
+	}
+	if s.m.sigExpiry != 0 {
+		opts.Expiration = time.Now().Add(s.m.sigExpiry)
+	}
+	signer, err := dkim.NewSigner(&opts)
+	if err != nil {
+		s.m.log.Printf("%v", strings.TrimPrefix(err.Error(), "dkim: "))
+		return err
+	}
+	if err := textproto.WriteHeader(signer, h); err != nil {
+		s.m.log.Printf("I/O error: %v", err)
+		signer.Close()
+		return err
+	}
+	r, err := body.Open()
+	if err != nil {
+		s.m.log.Printf("I/O error: %v", err)
+		signer.Close()
+		return err
+	}
+	if _, err := io.Copy(signer, r); err != nil {
+		s.m.log.Printf("I/O error: %v", err)
+		signer.Close()
+		return err
+	}
+
+	if err := signer.Close(); err != nil {
+		s.m.log.Printf("%v", strings.TrimPrefix(err.Error(), "dkim: "))
+		return err
+	}
+
+	h.Add("DKIM-Signature", signer.SignatureValue())
+
+	s.m.log.Debugf("signed, identifier = %s", id)
+
+	return nil
+}
+
+func (s state) Close() error {
+	return nil
+}
+
+func init() {
+	module.Register("sign_dkim", New)
+}

modify/dkim/dkim_test.go

@@ -0,0 +1,34 @@
+package dkim
+
+import (
+	"reflect"
+	"sort"
+	"testing"
+
+	"github.com/emersion/go-message/textproto"
+)
+
+// TODO: Add tests that check actual signing once
+// we have LookupTXT hook for go-msgauth/dkim.
+
+func TestFieldsToSign(t *testing.T) {
+	h := textproto.Header{}
+	h.Add("A", "1")
+	h.Add("c", "2")
+	h.Add("C", "3")
+	h.Add("a", "4")
+	h.Add("b", "5")
+	h.Add("unrelated", "6")
+
+	m := Modifier{
+		oversignHeader: []string{"A", "B"},
+		signHeader:     []string{"C"},
+	}
+	fields := m.fieldsToSign(h)
+	sort.Strings(fields)
+	expected := []string{"A", "A", "A", "B", "B", "C", "C"}
+
+	if !reflect.DeepEqual(fields, expected) {
+		t.Errorf("incorrect set of fields to sign\nwant: %v\ngot:  %v", expected, fields)
+	}
+}

modify/dkim/keys.go

@@ -0,0 +1,172 @@
+package dkim
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/pem"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+func (m *Modifier) loadOrGenerateKey(expectedDomain, expectedSelector, keyPath, newKeyAlgo string) (crypto.Signer, error) {
+	// Notes:
+	// . PKCS #8 (RFC 5208) is a superset of PKCS #1 (RFC 3447).
+	// . DKIM records use ASN.1 DER (as in PKCS#1) wrapped in base64 for keys.
+	// . For ed25519, no additional encoding is used.
+
+	f, err := os.Open(keyPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return m.generateAndWrite(expectedDomain, expectedSelector, keyPath, newKeyAlgo)
+		}
+		return nil, err
+	}
+	defer f.Close()
+
+	pemBlob, err := ioutil.ReadAll(f)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(pemBlob)
+	if block == nil {
+		return nil, fmt.Errorf("sign_dkim: %s: invalid PEM block", keyPath)
+	}
+
+	if block.Type == "ENCRYPTED PRIVATE KEY" {
+		return nil, fmt.Errorf("sign_dkim: %s: encrypted, can't use", keyPath)
+	}
+	if block.Type != "PRIVATE KEY" && block.Type != "RSA PRIVATE KEY" {
+		return nil, fmt.Errorf("sign_dkim: %s: not a private key", keyPath)
+	}
+
+	if val := block.Headers["X-DKIM-Selector"]; val != "" && val != expectedSelector {
+		return nil, fmt.Errorf("sign_dkim: %s: selector mismatch, want %s, got %s", keyPath, expectedSelector, val)
+	}
+	if val := block.Headers["X-DKIM-Domain"]; val != "" && val != expectedDomain {
+		return nil, fmt.Errorf("sign_dkim: %s: domain mismatch, want %s, got %s", keyPath, expectedDomain, val)
+	}
+
+	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("sign_dkim: %s: %w", keyPath, err)
+	}
+
+	switch key := key.(type) {
+	case *rsa.PrivateKey:
+		if err := key.Validate(); err != nil {
+			return nil, err
+		}
+		return key, nil
+	case ed25519.PrivateKey:
+		return key, nil
+	case *ecdsa.PublicKey:
+		return nil, fmt.Errorf("sign_dkim: %s: ECDSA keys are not supported", keyPath)
+	default:
+		return nil, fmt.Errorf("sign_dkim: %s: unknown key type: %T", keyPath, key)
+	}
+}
+
+func (m *Modifier) generateAndWrite(domain, selector, keyPath, newKeyAlgo string) (crypto.Signer, error) {
+	wrapErr := func(err error) error {
+		return fmt.Errorf("sign_dkim: generate %s: %w", keyPath, err)
+	}
+
+	m.log.Printf("generating a new %s keypair...", newKeyAlgo)
+
+	var (
+		pkey     crypto.Signer
+		dkimName = newKeyAlgo
+		err      error
+	)
+	switch newKeyAlgo {
+	case "rsa4096":
+		dkimName = "rsa"
+		pkey, err = rsa.GenerateKey(rand.Reader, 4096)
+	case "rsa2048":
+		dkimName = "rsa"
+		pkey, err = rsa.GenerateKey(rand.Reader, 2048)
+	case "ed25519":
+		_, pkey, err = ed25519.GenerateKey(rand.Reader)
+	default:
+		err = fmt.Errorf("unknown key algorithm: %s", newKeyAlgo)
+	}
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	keyBlob, err := x509.MarshalPKCS8PrivateKey(pkey)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	// 0777 because we have public keys in here too and they don't
+	// need protection. Individual private key files have 0600 perms.
+	if err := os.MkdirAll(filepath.Dir(keyPath), 0777); err != nil {
+		return nil, wrapErr(err)
+	}
+
+	dnsPath, err := writeDNSRecord(keyPath, dkimName, pkey)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	f, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
+	if err != nil {
+		return nil, wrapErr(err)
+	}
+
+	if err := pem.Encode(f, &pem.Block{
+		Type: "PRIVATE KEY",
+		Headers: map[string]string{
+			"X-DKIM-Domain":   domain,
+			"X-DKIM-Selector": selector,
+		},
+		Bytes: keyBlob,
+	}); err != nil {
+		return nil, wrapErr(err)
+	}
+
+	m.log.Printf("generated a new %s keypair, private key is in %s, TXT record with public key is in %s,\n"+
+		"put its contents into TXT record for %s._domainkey.%s to make signing and verification work",
+		newKeyAlgo, keyPath, dnsPath, selector, domain)
+
+	return pkey, nil
+}
+
+func writeDNSRecord(keyPath, dkimAlgoName string, pkey crypto.Signer) (string, error) {
+	var (
+		keyBlob []byte
+		pubkey  = pkey.Public()
+	)
+	switch pubkey := pubkey.(type) {
+	case *rsa.PublicKey:
+		keyBlob = x509.MarshalPKCS1PublicKey(pubkey)
+	case ed25519.PublicKey:
+		keyBlob = pubkey
+	default:
+		panic("sign_dkim.writeDNSRecord: unknown key algorithm")
+	}
+
+	dnsPath := keyPath + ".dns"
+	if filepath.Ext(keyPath) == ".key" {
+		dnsPath = keyPath[:len(keyPath)-4] + ".dns"
+	}
+	dnsF, err := os.Create(dnsPath)
+	if err != nil {
+		return "", err
+	}
+	keyRecord := fmt.Sprintf("v=DKIM1; k=%s; p=%s", dkimAlgoName, base64.StdEncoding.EncodeToString(keyBlob))
+	if _, err := io.WriteString(dnsF, keyRecord); err != nil {
+		return "", err
+	}
+	return dnsPath, nil
+}

modify/dkim/keys_test.go

@@ -0,0 +1,88 @@
+package dkim
+
+import (
+	"crypto/ed25519"
+	"encoding/base64"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/foxcpp/maddy/testutils"
+)
+
+func TestKeyLoad_new(t *testing.T) {
+	m := Modifier{}
+	m.log = testutils.Logger(t, m.Name())
+
+	dir, err := ioutil.TempDir("", "maddy-tests-dkim-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	signer, err := m.loadOrGenerateKey("example.org", "default", filepath.Join(dir, "testkey.key"), "ed25519")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	recordBlob, err := ioutil.ReadFile(filepath.Join(dir, "testkey.dns"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	var keyBlob []byte
+	for _, part := range strings.Split(string(recordBlob), ";") {
+		part = strings.TrimSpace(part)
+		if strings.HasPrefix(part, "k=") {
+			if part != "k=ed25519" {
+				t.Fatalf("Wrong type of generated key, want ed25519, got %s", part)
+			}
+		}
+		if strings.HasPrefix(part, "p=") {
+			keyBlob, err = base64.StdEncoding.DecodeString(part[2:])
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+	}
+
+	blob := signer.Public().(ed25519.PublicKey)
+	if string(blob) != string(keyBlob) {
+		t.Fatal("wrong public key placed into record file")
+	}
+}
+
+const pkeyEd25519 = `-----BEGIN PRIVATE KEY-----
+X-DKIM-Domain: example.org
+X-DKIM-Selector: default
+
+MC4CAQAwBQYDK2VwBCIEIJG9zs4vi2MYNkL9gUQwlmBLCzDODIJ5/1CwTAZFDm5U
+-----END PRIVATE KEY-----`
+
+const pubkeyEd25519 = `5TPcCxzVByMyRsMFs5Dx23pnxKilI+1UrGg0t+O2oZU=`
+
+func TestKeyLoad_existing(t *testing.T) {
+	m := Modifier{}
+	m.log = testutils.Logger(t, m.Name())
+
+	dir, err := ioutil.TempDir("", "maddy-tests-dkim-")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	if err := ioutil.WriteFile(filepath.Join(dir, "testkey.key"), []byte(pkeyEd25519), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	signer, err := m.loadOrGenerateKey("example.org", "default", filepath.Join(dir, "testkey.key"), "ed25519")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	blob := signer.Public().(ed25519.PublicKey)
+	if signerKey := base64.StdEncoding.EncodeToString(blob); signerKey != pubkeyEd25519 {
+		t.Fatalf("wrong public key returned by loadOrGenerateKey, \nwant %s\ngot  %s", pubkeyEd25519, signerKey)
+	}
+}