2

I found this site. But if I use it, doesn't it mean that port25.com would know and be able to use my private key?

ironic
  • 121

3 Answers

7

You can use that to generate a sample configuration, but you should use openssl to generate your real keys.

# Generate a private key
openssl genrsa -out domainname.com.key 1024

# Extract the matching public key
openssl rsa -in domainname.com.key -out rsa.public -pubout -outform PEM

After running those you'll have two files:

# lc
total 3
-rw-r--r--  1 chris  chris   887B Jun  5 15:51 domainname.com.key
-rw-r--r--  1 chris  chris   272B Jun  5 15:51 rsa.public

With contents like:

# cat *
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7aa4feMEPMy5NXPvaMAPvboFk
QqRqCVTMnMeSr4L4oqvd7nou06nozt6nLtQZnA/KBLDy0ypq2ewTv5te+He5UIDW
+VWoaHgZV1FXtfl5f12Ne4bOFVk8XwaIKBJQgtA5iJKoBGxg4A2VoCwxUdW9+Luk
TtAlFANPdvyCnMsVDQIDAQAB
-----END PUBLIC KEY-----
Chris S
  • 78,185
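The openssl commands above, carried through to the DNS side, as an added example that is not from the original answers: it generates the pair locally (2048-bit rather than the 1024-bit used above, which is below the size recommended today), derives the p= value for the selector._domainkey TXT record, and checks that a published record's p= tag matches the local public key. It assumes a local `openssl` binary; the selector `key1` and domain `example.com` are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answers: generate a DKIM key pair on this
# host and derive the DNS record from it, so the private key never leaves the host.
# Assumes a local openssl binary. Selector/domain values below are placeholders.
set -eu

# dkim_keygen DIR SELECTOR -> writes DIR/SELECTOR.private (mode 600) and DIR/SELECTOR.public
dkim_keygen() {
    dir=$1; sel=$2
    # subshell so the restrictive umask only applies to the key files
    ( umask 077
      openssl genrsa -out "$dir/$sel.private" 2048 2>/dev/null
      openssl rsa -in "$dir/$sel.private" -pubout -out "$dir/$sel.public" 2>/dev/null )
}

# dkim_pubkey_b64 PUBLIC_PEM -> single-line base64 of the DER public key (the p= value)
dkim_pubkey_b64() {
    openssl rsa -pubin -in "$1" -outform DER 2>/dev/null | openssl base64 -A
}

# dkim_txt_record SELECTOR DOMAIN PUBLIC_PEM -> zone-file line for SELECTOR._domainkey.DOMAIN
dkim_txt_record() {
    printf '%s._domainkey.%s. IN TXT "v=DKIM1; k=rsa; p=%s"\n' \
        "$1" "$2" "$(dkim_pubkey_b64 "$3")"
}

# dkim_record_matches_key RECORD_TXT PUBLIC_PEM -> exit 0 only if the p= tag in
# RECORD_TXT is exactly this host's public key (offline version of "check a published key")
dkim_record_matches_key() {
    published=$(printf '%s' "$1" | sed -n 's/.*p=\([A-Za-z0-9+\/=]*\).*/\1/p')
    [ -n "$published" ] && [ "$published" = "$(dkim_pubkey_b64 "$2")" ]
}

# Stand-alone usage (placeholders): DKIM_EXAMPLE_RUN=1 sh dkim.sh
if [ "${DKIM_EXAMPLE_RUN:-}" = 1 ]; then
    workdir=$(mktemp -d)
    dkim_keygen "$workdir" key1
    dkim_txt_record key1 example.com "$workdir/key1.public"
fi
```

Publish the printed TXT line in your zone, then confirm the live record with `dkim_record_matches_key "$(dig +short TXT key1._domainkey.example.com)" key1.public`.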
3

Yes, if you use their wizard and add the DKIM record it provides they will have all they need to send validly signed mail from your domain.

In general, something strange is going on if someone else is providing you with what is supposedly your private key.

From my point of view, port25.com having that wizard makes them look unprofessional, possibly even suspicious. Even if you trust them (maybe you have a business relationship with them?), they deliver the keys to you in the plain over the Internet.

-2

port25.com is asking you to provide a DomainKey Selector (e.g., key1), which is NOT the same as the private key that you generated using openssl or some other tool.

To make it easier, try using more native tools instead: DKIM Core Tools

  • Generate a DKIM Core Key
  • Check a published DKIM Core Key
  • Check a DKIM Core Key Record

The DKIM Core Technical Specification covers the following:

1.  Create the selector and associated key pair
2.  Publish the public key
3.  Attach the token to the email
3.1 Find the body hash
3.2 Find the header hash
3.3 Generate the DKIM-Signature header
3.4 Multiple Tokens
alexus
  • 13,374
  • After I enter the domain and selector, it gives me a private/public pair. Is it safe to use them on my actual site? – ironic Jun 05 '14 at 16:12
  • Yes it is; if you're so concerned about that you can always go the route that @chris-s described (assuming you're technical enough), or you can use the tools provided by the DKIM team for everyone to use in order to simplify the process. – alexus Jun 05 '14 at 16:18
  • But if I use the keys which they give me, what would stop them (except reputation concerns, and the fact that this is a useless thing to do) if they want to use the private key to sign a message on my behalf? – ironic Jun 05 '14 at 16:24
  • @ironic if it'll help you sleep better, and given the fact that you think so highly of the people who invented DKIM and created tools to make YOUR life easier, go ahead and generate it locally; technology-wise it'll work exactly the same, no difference. Also keep in mind DKIM folks can't just use that certificate on its own, you also need to make some DNS changes and they have no control over that, only domain owners have that kind of access. – alexus Jun 05 '14 at 16:33
  • Sorry, I do not understand your statement that it is technology-wise the same: in one case my keys are generated on my server, in the other on a server which is not mine. Usually, private keys should be private, so no one else can pretend to be 'me'. Is there something special about DKIM which makes it work another way? Sorry, I am just very new to this area and want to understand how it works, and which usage would be safe and why. – ironic Jun 05 '14 at 16:39
  • @ironic, the point is keys are not the only thing that is required for DKIM, you also need to add DNS records, and without that the keys are useless, so just having the key wouldn't help someone pretend to be you as that wouldn't match the DNS record. You should probably read up more on DKIM and how it works. – alexus Jun 05 '14 at 16:42
  • @alexus If you go to that site and enter the domain name and the selector and then use the keys that they generated for you it seems that they can be relatively sure that you will add the DNS DKIM records for those keys with that domain name and selector and they are in possession of those keys. There is nothing more that they need to know. – Håkan Lindqvist Jun 05 '14 at 17:01
  • @hakan-lindqvist as I mentioned earlier, if you're so paranoid about that you can generate it locally as Chris suggested. I personally don't think the folks at DKIM store those keys and use them for something no good, but that could be just me and I don't know what I'm talking about... Let's say they start doing that and I notice that; you can always go and re-generate the key again and make another DNS change. – alexus Jun 05 '14 at 17:11
  • @alexus Whether the OP is paranoid or not isn't really a factor as the question was whether the folks at port25.com could abuse having "your" private key generated by that wizard. It seems quite clear that they could. – Håkan Lindqvist Jun 05 '14 at 17:39
  • -1 No, if you use Port25's website they will have your private key. Did you even look at the site he linked to? There's a big difference between "I don't think they keep the keys" and "I can guarantee nobody else has your keys". – Chris S Jun 05 '14 at 18:13
  • @alexus in my opinion, it has nothing to do with being paranoid. Generating private keys for anything via a 3rd party, and sending them in clear text over HTTP, not only promotes poor security practices, but is exactly the rationale that ends up in having your service compromised.

    note: there is a "testing" flag for domains testing DKIM, and in this case, these keys would suffice.

    But when going live, one should ALWAYS generate ANY security key locally. Period, full stop. Doing otherwise is simply an irresponsible system administrator action.

    – RapidWebs Jun 05 '14 at 18:18
  • Guys, guys, I'm not saying generating keys with a 3rd-party website is the thing to do, but what I am saying is: there are people whose technical level isn't where they'd want it to be, so for them there are web-based tools that are very useful and will help them get their job done, but at the end of the day one can always regenerate it again and replace the existing key, and of course there are NO guarantees for anything. – alexus Jun 05 '14 at 19:31