Hi all, I’ve been very happy with OpenSMTPd on both OpenBSD and FreeBSD for a long time now but have recently come unstuck with DKIM signing on FreeBSD. I started out using dkimproxy successfully, then “filter dkim-sign” came along and it was even better. But as of OpenSMTPd 6.6, the opensmtpd-extras dkim filter has been deleted and its FreeBSD port has gone too.
Word on the street seemed to be to use rspamd for DKIM signing, but that's a hell of a big hammer. Resigned to my fate, I set up rspamd on FreeBSD 12.1 and got it working with a few test messages. But I then found that the system’s automated nightly emails were all coming up "dkim=fail”. No matter what I tried, I couldn’t replicate it manually - sending as root, sending to the same gmail group, whatever. All my test messages would still come up “dkim=pass”. Before I got to the bottom of that issue, a bigger one showed up. A recent minor pkg upgrade seems to have caused rspamd to regularly crash with glib; rspamd_glib_printerr_function: ** ERROR:/wrkdirs/usr/ports/mail/rspamd/work/rspamd-2.4/src/libstat/tokenizers/tokenizers.c:397:rspamd_tokenize_text: assertion failed: (U_SUCCESS (uc_err)) I’ve had no luck finding a fix for that yet, but I feel like I’m at a crossroads. I understand that with their limited time, the OpenSMTPd developers decided to leave as much as possible to rspamd, but what a shame DKIM signing is in that category too. Does anyone really consider DKIM signing an optional feature any more? I see that everything’s good on OpenBSD thanks to Martijn’s dkim filter, but there's no port of it on FreeBSD and my initial efforts to create one showed that it’s not a job for a first-time porter. So I now don’t know whether to try looking into milter support for OpenDKIM, or revert back to dkimproxy, or maybe even compile and run an old OpenSMTPd version like the 6.1 port which works flawlessly on FreeBSD 11.3. It seems weird to me that so few OpenSMTPd users seem to have been affected by this change. A lot of you must be on platforms other than OpenBSD. Perhaps I’m unusual in wanting to only do outbound? Of course rspamd is just part of the deal for inbound. Maybe outbound-only people are relaying straight to Mailgun so they don’t need to worry about SPF/DKIM/DMARC? It is tempting. Cheers, Sam