Discussion:
email dkim signing failing with 6.8
flipchan
2021-05-22 09:44:22 UTC
Hi all,


I upgraded from 6.6 to 6.8 and dkim magically stopped appending the dkim
signatures to my emails. I have tried to debug it but I'm not really
getting anywhere. dkimproxy_out is running without complaints.

Does anyone see what I'm doing wrong?


mail# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases
#table other-relays file:/etc/mail/other-relays

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd"
#mask-src
listen on vio0 port 25 hostname example.com tls pki mail.example.com filter "rspamd"
# auth-optional

#action "mbox" mbox alias <aliases>
#action "relay" relay

#match for local action "mbox"
#match for any action "relay"
#match !from src <other-relays> mail-from "@example.com" for any \
 #     reject

listen on lo0 port 10028 tag DKIM

action "mbox" mbox alias <aliases>
action "relay" relay
action "relay_dkim" relay host smtp://127.0.0.1:10027
match from any for domain example.com action "mbox"

match auth from any for any action "relay"
match for local action "mbox"
match tag DKIM for any action "relay"
#match tag dkim for any action "relay"
#match tag DKIM for any action "outbound"
#match for any action relay_dkim
match auth from any for any action "relay_dkim"
mail#
dkim_signing.conf    redis.conf
mail# cat /etc/rspamd/local.d/dkim_signing.conf
domain {
    example.com {
        path = "/var/dkimproxy/default.private";
        selector = "default";
    }
}
mail# uname -a
OpenBSD mail.firosolutions.com 6.8 GENERIC#5 amd64



Thanks!

Sincerely,

Flipchan
flipchan
2021-05-23 10:32:18 UTC
Yeah, it was all working until I upgraded to 6.8, can someone else that
is running opensmtpd with dkim send me their smtpd.conf? I assume I have
written some rule wrong, not sure where though
I'm not sure what you're doing, but you show a piece of rspamd config
for your signing, while you claim to use dkimproxy_out. I haven't used
dkimproxy_out in a long time (basically since I wrote filter-dkimsign)
but last time I used dkimproxy_in it worked as expected for rsa.
Also note that dkimproxy hasn't had a new release since 2011,
which doesn't have to mean anything, but is usually not a great sign.
If you really want to continue using dkimproxy I'd suggest running
/usr/local/bin/dkimproxy.out --conf_file=/etc/dkimproxy_out.conf --user=_dkimproxy --group=_dkimproxy
and see what it spews out.
Personally I'd replace dkimproxy with either (filter-)rspamd or
filter-dkimsign depending on your needs.
David Anthony
2021-05-23 12:59:25 UTC
Hello,

1. Install *opensmtpd-filter-dkimsign*
2. Read */usr/local/share/doc/pkg-readmes/opensmtpd-filter-dkimsign*

I hope this is helpful.

-dma
flipchan
2021-05-25 13:51:59 UTC
Awesome!! This worked, thanks a lot!
Post by flipchan
Yeah, it was all working until I upgraded to 6.8, can someone else
that is running opensmtpd with dkim send me their smtpd.conf? I
assume I have written some rule wrong, not sure where doe
The config is all over the place. There is the rspamd filter and there
is DKIM tagging with a match rules order that can't reach the tagging.
It's like Martijn van Duren said, you are clearly using rspamd and not
dkimproxy_out, which means your debugging is way off.
But things got easier anyway. Please install filter-dkimsign.
# pkg_add opensmtpd-filter-dkimsign
Remove everything dkim and rspamd from your current smtpd.conf.
Add
filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
               -k /var/dkimproxy/default.private -c relaxed/relaxed" \
               user _dkimsign group _dkimsign
and edit the line
listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd"
to
listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"
Or
# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases
pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"
filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
               -k /var/dkimproxy/default.private -c relaxed/relaxed" \
               user _dkimsign group _dkimsign
listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"
listen on vio0 port 25 hostname example.com tls pki mail.example.com
action "mbox" mbox alias <aliases>
action "relay" relay
match from any for domain example.com action "mbox"
match for local action "mbox"
match auth from any for any action "relay"
If you really need rspamd for spam filtering add it back in and add
the filter only to "listen on vio0 port 25". Otherwise uninstall it,
since even in "standby" it produces lots of DNS traffic.
HTH
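
Added example, not part of the thread or of OpenSMTPD: a simplified Python model of first-match rule evaluation, run over the five active match rules from the original post, showing why authenticated mail never reached the "relay_dkim" action. The envelope dictionaries, `LOCAL_DOMAINS`, and the reduced handling of `from`/`for` are assumptions made for illustration.

```python
import shlex

# Active match rules from the original post, in file order.
ORIGINAL_RULES = """
match from any for domain example.com action "mbox"
match auth from any for any action "relay"
match for local action "mbox"
match tag DKIM for any action "relay"
match auth from any for any action "relay_dkim"
"""
LOCAL_DOMAINS = {"localhost", "mail.example.com"}  # assumption for "for local"

def parse_rule(line):
    """Parse the subset of match syntax used in this thread."""
    tok = shlex.split(line)[1:]  # drop the leading "match"
    rule = {"auth": False, "tag": None, "from": "local", "for": "local"}
    i = 0
    while i < len(tok):
        if tok[i] == "auth":
            rule["auth"], i = True, i + 1
        elif tok[i] == "for" and tok[i + 1] == "domain":
            rule["for"], i = ("domain", tok[i + 2]), i + 3
        else:  # "tag X", "from X", "for X", "action X"
            rule[tok[i]], i = tok[i + 1], i + 2
    return rule

def matches(rule, env):
    """True if the envelope satisfies every condition of the rule."""
    if rule["auth"] and not env["auth"]:
        return False
    if rule["tag"] is not None and rule["tag"] != env["tag"]:
        return False
    if rule["from"] == "local" and not env["local_src"]:
        return False
    if rule["for"] == "local":
        return env["rcpt_domain"] in LOCAL_DOMAINS
    if isinstance(rule["for"], tuple):
        return env["rcpt_domain"] == rule["for"][1]
    return True  # "for any"

def first_match(rules_text, env):
    """Return the action of the first matching rule, or None (rejected)."""
    for line in rules_text.strip().splitlines():
        rule = parse_rule(line)
        if matches(rule, env):
            return rule["action"]
    return None

# Constructed envelope: authenticated submission on port 587 to an outside domain.
SUBMISSION = {"auth": True, "tag": None, "local_src": False, "rcpt_domain": "example.net"}
```

`first_match(ORIGINAL_RULES, SUBMISSION)` returns `"relay"`: the second rule takes every authenticated envelope, so the identical condition on the last line is never evaluated and the message leaves unsigned.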