MDL-69513

Add ability to add dkim signatures using phpmailer


    Details

    • Testing Instructions:

      End to end testing of DKIM involves setting up DNS records on a real domain and might be a bit onerous for a test here.

      1) Set up a Moodle which sends real emails

      2) Note the domain of the noreply user, e.g. let's assume it is noreply@moodle.myschool.edu.au, so the sending domain is moodle.myschool.edu.au

      3) Choose a DKIM selector. This is arbitrary but is usually some sort of date-related string such as '2020sep'. Set this in the 'emaildkimselector' field here:

       /admin/settings.php?section=outgoingmailconfig

      4) Turn on debugging:

      $CFG->debug = (E_ALL | E_STRICT);

      5) Send a test email (note that /admin/testoutgoingmailconf.php overrides the debug level and will never emit these debug messages):

      php -r "define('CLI_SCRIPT',1);require('config.php'); email_to_user((object)['id'=>-1,'email' => 'youremail@test.com'], core_user::get_support_user(), 'subject', 'body');"

      6) Confirm that you get a debugging message similar to this:

      Email DKIM selector chosen due to brendan+noreply@catalyst-au.net but no certificate found at /var/lib/sitedata/moodle.local/dkim/catalyst-au.net/2020sep10.private

      7) Now set up a DKIM public and private key pair:

      Now in sitedata we need to create a folder to hold the DKIM certificate with a subdirectory matching the domain:

      mkdir -p /path/to/sitedata/dkim/moodle.myschool.edu.au

      Next in this directory generate the private key and public key DNS record using the opendkim-genkey tool:

      opendkim-genkey -b 2048 -r -s 2020sep -d moodle.myschool.edu.au -v

      This should result in two files like this:

      /path/to/sitedata/dkim/moodle.myschool.edu.au/2020sep.txt
      /path/to/sitedata/dkim/moodle.myschool.edu.au/2020sep.private

       

      8) Retest the emails to confirm that you see the DKIM signature in the email headers

       

      Optional steps if you have a full proper domain and DNS records:

      9) Add the DNS record created in the .txt file in step 5 to your domain, with a short TTL. In the example above the record would go into

      2020sep._domainkey.moodle.myschool.edu.au

      10) Confirm that this record is available and parses correctly using this third-party DKIM tool:

      https://mxtoolbox.com/dkim.aspx

      11) Wait some time for the TTL to filter through, then send a second test email to a remote email address which is known to do DKIM validation (most of them do, e.g. Gmail)

      12) Confirm using that remote email that the validation is correct, i.e. in Gmail open the email, click the '...' on the right, then 'Show original', and in the headers it should say:

      DKIM: 'PASS' with domain moodle.myschool.edu.au
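
A pre-flight check for the files created in step 7, before the record is published in step 9. This is an added example, not part of the original issue or of Moodle's code: it derives the key path and DNS name as the steps above describe, rejects a private key that group or others can read, and joins the quoted chunks of the opendkim-genkey .txt file into one TXT value. The function names, the permission check and the placeholder p= value are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Moodle code. The <sitedata>/dkim/<domain>/<selector>.private
# layout comes from the steps above; function names and the permission check
# are this example's own assumptions.

dkim_domain_of() { printf '%s\n' "${1##*@}"; }               # address -> domain
dkim_key_path()  { printf '%s/dkim/%s/%s.private\n' "$1" "$2" "$3"; }
dkim_dns_name()  { printf '%s._domainkey.%s\n' "$2" "$1"; }  # args: domain selector

# Join the quoted chunks of the opendkim-genkey .txt zone record into the
# single TXT value to publish.
dkim_txt_value() {
    sed -n 's/[^"]*"\([^"]*\)"[^"]*/\1/gp' "$1" | tr -d '\n'
}

# Usage: dkim_preflight <sitedata> <from-address> <selector>
# Prints "<dns-name> TXT <value>"; returns 1 (no key), 2 (key readable by
# group or others) or 3 (no usable record in the .txt file).
dkim_preflight() {
    domain=$(dkim_domain_of "$2")
    key=$(dkim_key_path "$1" "$domain" "$3")
    [ -f "$key" ] || { echo "no private key at $key" >&2; return 1; }
    if [ -n "$(find "$key" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$key is readable by group or others" >&2
        return 2
    fi
    value=$(dkim_txt_value "${key%.private}.txt" 2>/dev/null)
    case $value in
        v=DKIM1\;*p=?*) ;;
        *) echo "no usable DKIM record next to $key" >&2; return 3 ;;
    esac
    printf '%s TXT %s\n' "$(dkim_dns_name "$domain" "$3")" "$value"
}

# Demo on constructed files: the p= value is a placeholder, not a real key.
demo=$(mktemp -d)
dir="$demo/dkim/moodle.myschool.edu.au"
mkdir -p "$dir" && : > "$dir/2020sep.private" && chmod 600 "$dir/2020sep.private"
printf '%s\n' \
    '2020sep._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; s=email; "' \
    '  "p=PLACEHOLDERPART1"' \
    '  "PLACEHOLDERPART2" )  ; constructed sample' > "$dir/2020sep.txt"
dkim_preflight "$demo" noreply@moodle.myschool.edu.au 2020sep
```

Against a real site, call `dkim_preflight` with the actual sitedata path, the noreply address and the selector from 'emaildkimselector'; the printed value is what the DNS check in step 10 should return.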

       

       

    • Affected Branches:
      MOODLE_310_STABLE, MOODLE_400_STABLE
    • Fixed Branches:
      MOODLE_310_STABLE
    • Pull 3.10 Branch:
      MDL-69513-dkim-settings-MOODLE_310_STABLE
    • Pull Master Branch:
      MDL-69513-dkim-settings

      Description

      It would be nice to move the DKIM signing into the application layer, which would make the setup a little smoother. PHPMailer already supports this; it's just wiring mostly.

      There is the simpler version:

      1) Add settings for the path to a PEM file, the passphrase and the DKIM selector, and pass them through to PHPMailer

      opendkim-genkey -b 2048  -r -s testselector -d example.com -v

       

      The more advanced version:

      2) Auto-generate the PEM file on the fly and allow it to be regenerated

      3) Also generate the DKIM public key DNS record in the admin GUI

      4) Have a check which asserts the DNS record is correct

       

      Temporary dev wiki docs:

      https://docs.moodle.org/dev/User:Brendan_Heywood/DKIM

       

        Attachments

        1. checkDNS.png (213 kB)
        2. noDKIMSignature.png (52 kB)
        3. signature.png (93 kB)
        4. siignatureNoDNS.png (57 kB)


              People

              Assignee:
              brendanheywood Brendan Heywood
              Reporter:
              brendanheywood Brendan Heywood
              Peer reviewer:
              Nicholas Hoobin
              Integrator:
              Víctor Déniz Falcón
              Tester:
              Víctor Déniz Falcón
              Participants:
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              1
              Watchers:
              8

                Dates

                Created:
                Updated:
                Resolved:
                Fix Release Date:
                9/Nov/20

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  Logged:
                  Time Spent - 1 day