Greetings, I'd like to announce a two new filters for OpenSMTD which better to use together: auth and sign.
auth is a filter which verify DKMI, ARC and SPF, and iprev. It adds Authentication-Results header or ARC-Authentication-Results. sign is a filter which adds DKMI or ARC signature, or ARC seal. For example, I run configuration: filter "auth" proc-exec "filter-auth" listen on egress port smtp ... filter { admdscrub, "auth", dnsbl } filter sign_ed25519 proc-exec "filter-sign -a ed25519-sha256 -D /etc/mail/domains \ -s 20240125ed25519 -k /etc/mail/dkim/20240125.ed25519.key" user _dkimsign group _dkimsign filter sign_rsa proc-exec "filter-sign -a rsa-sha256 -D /etc/mail/domains \ -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign filter arc_auth proc-exec "filter-auth -A" filter arc_sign proc-exec "filter-sign -A -a rsa-sha256 -d mx.catap.net \ -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign filter arc_seal proc-exec "filter-sign -S -a rsa-sha256 -d mx.catap.net \ -s 20240125rsa -k /etc/mail/dkim/20240125.rsa.key" user _dkimsign group _dkimsign filter sign chain { sign_ed25519 sign_rsa arc_auth arc_sign arc_seal } listen on egress port submission ... filter sign Here all incomming messages is autorised by adding Authentication-Results, and all outcomming messages: - signed by two DKMI signature with correct domain (list in /etc/mail/domains) - signed by one ARC signature with domain mx.catap.net - seal by one ARC seal with domain mx.catap.net Yeah, it is possible to use different selectors for ARC signature and seal, but I haven't tested it. The code is based on Martijn van Duren's filter-dkimsign, filter-dkimverify and filter-spf, and I also used some pices from spfwalk.c from OpenSMTPD. Man pages for both filters are updated. Thus, sign filter is drop-in replacment for filter-dkimsign. Code available here: - https://github.com/catap/opensmtpd-filter-auth - https://github.com/catap/opensmtpd-filter-sign I also attached ports for OpenBSD which I used to run it. How stable it is? Well, enough to share and ask for feedback. It may contains bugs, but it should be fine to use. Produced signature was tested against gmail, yahoo, icloud.com and dkimpy and it holds. Anyway, outlook.com fails on ARC signature with errors 35 or 47 (what does it mean?) and produced invalid signature as the next in ARC chain (tested by dkimpy). Thus, this email were sent via server which uses that filters, so, headers from this email a good example. -- wbr, Kirill
filters.tgz
Description: Binary data