• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Enhance keylength of Domainkeys for more security

  • Thread starter Deleted member 121791
  • Start date
D

Deleted member 121791

Guest
Currently Plesk uses 768bit for sha-rsa private keys of created all Domainkey for signing.
You can check it:
root@server1234 ~ # openssl rsa -in /etc/domainkey/example.org/default -text
Private-Key: (768 bit)


The short keys are violating RFC 4871 see Section 3.3.3

How can the keylength be extended?
This is a must for secure signing mails with DKIM/Domainkeys.

See also
http://www.h-online.com/security/news/item/Mathematician-exposes-weak-DKIM-keys-1736423.html
http://tools.ietf.org/html/rfc4871#section-3.3.3
 
---------------------------------------------------------------
PRODUCT, VERSION, MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
Parallels Plesk Panel, 11.0.9, #21, Debian 6.0.6, Linux 2.6.32-5-amd64 #1 SMP x86_64 GNU/Linux

PROBLEM DESCRIPTION
Key length of private key of Domainkeys is too short (<1024bit) and results in weak mail signatures for outgoing mails

STEPS TO REPRODUCE
1. Open Control panel for a domain with no current Domainkey set
2. Select Mail tab
3. Select Change settings
4. Activate [x] Use DomainKeys spam protection system to sign outgoing e-mail messages
5. Hit OK button
6. Open connection to server in ssh shell
7. show information of private key with openssl: openssl rsa -in /etc/domainkeys/domain.tld/default -text

ACTUAL RESULT
root@srv12 /etc/domainkeys/domain.tld # openssl rsa -in default -text
Private-Key: (768 bit)
modulus:
......
......


EXPECTED RESULT
Should be Private-Key: (1024 bit)
or greater key length for more security!

ANY ADDITIONAL INFORMATION
According to RFC 4871 Sec. 3.3.3 length of key for Domainskeys should be greater or equal to 1024 bits
<http://tools.ietf.org/html/rfc4871#section-3.3.3>
Using weak keys in digital signing fo mails results in crackable signatures.
RSA 768 can be cracked <http://www.h-online.com/security/news/item/768-bit-RSA-cracked-898986.html>

Plesk should generate longer keys for more security in digital signing of mails.

--------------------------------------------------------------
 
Thanks, I have forwarded report to developers (#122108). I will update thread with results as soon as I receive them.
 
Can you please let us know when this becomes available?
It's a quite important matter I would say.
 
It will be implemented in one of nearest Plesk 11.5 update.
 
I think it's already fixed in Plesk 11.5.30. Though only for new mailnames. Alternatively you need to turn DK on/off to generate new keys.
 
Hi,

we just installed Plesk 11.5.30 Update #9 to 'resolve' this issue and the key length of the private key is still 768 bit.

How should we resolve this issue ?

Thanks
 
Hi,

we just installed Plesk 11.5.30 Update #9 to 'resolve' this issue and the key length of the private key is still 768 bit.

How should we resolve this issue ?

Thanks

Just to add

Even when creating a new domain and a new mailname, the private key length is still 768 bit.

-- EDIT --

Oh I apologies, didnt note that I am posting in the Linux part of the forum.

We are using Plesk for Windows, should this not apply ??
 
Last edited:
Back
Top