
Enhance keylength of Domainkeys for more security

Thread starter: Deleted member 121791 (Guest)
Currently Plesk uses 768-bit sha-rsa private keys for all created DomainKeys used for signing.
You can check it:
root@server1234 ~ # openssl rsa -in /etc/domainkey/example.org/default -text
Private-Key: (768 bit)


The short keys violate RFC 4871; see Section 3.3.3.

How can the keylength be extended?
This is a must for securely signing mails with DKIM/DomainKeys.

See also
http://www.h-online.com/security/news/item/Mathematician-exposes-weak-DKIM-keys-1736423.html
http://tools.ietf.org/html/rfc4871#section-3.3.3
 
---------------------------------------------------------------
PRODUCT, VERSION, MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
Parallels Plesk Panel, 11.0.9, #21, Debian 6.0.6, Linux 2.6.32-5-amd64 #1 SMP x86_64 GNU/Linux

PROBLEM DESCRIPTION
Key length of the DomainKeys private key is too short (<1024 bit) and results in weak mail signatures for outgoing mails

STEPS TO REPRODUCE
1. Open Control panel for a domain with no current Domainkey set
2. Select Mail tab
3. Select Change settings
4. Activate [x] Use DomainKeys spam protection system to sign outgoing e-mail messages
5. Hit OK button
6. Open connection to server in ssh shell
7. Show information about the private key with openssl: openssl rsa -in /etc/domainkeys/domain.tld/default -text

ACTUAL RESULT
root@srv12 /etc/domainkeys/domain.tld # openssl rsa -in default -text
Private-Key: (768 bit)
modulus:
......
......


EXPECTED RESULT
Should be Private-Key: (1024 bit)
or greater key length for more security!

ANY ADDITIONAL INFORMATION
According to RFC 4871 Sec. 3.3.3 the key length for DomainKeys should be greater than or equal to 1024 bits
<http://tools.ietf.org/html/rfc4871#section-3.3.3>
Using weak keys in digital signing of mails results in crackable signatures.
RSA 768 can be cracked: <http://www.h-online.com/security/news/item/768-bit-RSA-cracked-898986.html>

Plesk should generate longer keys for more security in digital signing of mails.
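The same check the openssl command above performs, as an added example that is not from this thread or from Plesk: it parses a PKCS#1 "RSA PRIVATE KEY" PEM (the format openssl prints for /etc/domainkeys/<domain>/default) with only the standard library and flags a modulus below a minimum. MIN_BITS is an assumed threshold, and constructed_pkcs1_pem builds a structurally valid dummy key purely so the check can be exercised offline.

```python
import base64

MIN_BITS = 1024  # assumed floor, matching RFC 4871 3.3.3; 2048 is the usual choice today

def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _read_tlv(der: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length

def rsa_key_bits(pem: str) -> int:
    """Modulus bit length of a PKCS#1 'RSA PRIVATE KEY' PEM (openssl's default output)."""
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    tag, seq, _ = _read_tlv(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE: PKCS#8 or encrypted keys are not handled")
    _, _, pos = _read_tlv(seq, 0)            # INTEGER version
    tag, modulus, _ = _read_tlv(seq, pos)    # INTEGER n (the modulus)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()

def is_weak_dkim_key(pem: str, min_bits: int = MIN_BITS) -> bool:
    """True when the key is shorter than min_bits, i.e. the 768-bit case reported here."""
    return rsa_key_bits(pem) < min_bits

def constructed_pkcs1_pem(bits: int) -> str:
    """Constructed sample: a structurally valid but cryptographically meaningless
    RSAPrivateKey with a modulus of exactly `bits` bits, for offline testing only."""
    n = 1 << (bits - 1) | 1                   # top bit set, so bit_length() == bits
    ints = [0, n] + [1] * 7                   # version, n, e, d, p, q, dp, dq, qinv
    body = b""
    for v in ints:
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra byte keeps INTEGER positive
        body += b"\x02" + _der_len(len(raw)) + raw
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END RSA PRIVATE KEY-----\n"
```

On a real server, read each /etc/domainkeys/<domain>/default into rsa_key_bits to list every domain still signing with a short key.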

--------------------------------------------------------------
 
Thanks, I have forwarded the report to the developers (#122108). I will update the thread with results as soon as I receive them.
 
Can you please let us know when this becomes available?
It's a quite important matter I would say.
 
It will be implemented in one of the nearest Plesk 11.5 updates.
 
I think it's already fixed in Plesk 11.5.30, though only for new mailnames. Alternatively you need to turn DK off/on to generate new keys.
 
Hi,

we just installed Plesk 11.5.30 Update #9 to 'resolve' this issue and the key length of the private key is still 768 bit.

How should we resolve this issue?

Thanks
 
Just to add

Even when creating a new domain and a new mailname, the private key length is still 768 bit.

-- EDIT --

Oh, I apologise, I didn't notice that I am posting in the Linux part of the forum.

We are using Plesk for Windows; should this not apply?
 